UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22303 GEN000590 SV-40776r1_rule DCNR-1 IAIA-1 IAIA-2 Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
STIG Date
Solaris 10 X86 Security Technical Implementation Guide 2012-05-25

Details

Check Text ( C-39521r2_chk )
Verify the traditional UNIX crypt algorithm is deprecated.
# egrep CRYPT_ALGORITHMS_DEPRECATE /etc/security/policy.conf
If CRYPT_ALGORITHMS_DEPRECATE is not set or does not include "__unix__", this is a finding.

Verify new password hashes are generated using either the SHA-256 or SHA-512 cryptographic hashing algorithm.
# egrep CRYPT_DEFAULT /etc/security/policy.conf
If CRYPT_DEFAULT is not set or is not equal to 5 or 6, this is a finding.
Fix Text (F-34635r1_fix)
Edit the /etc/security/policy.conf file.
# vi /etc/security/policy.conf
Uncomment the CRYPT_ALGORITHMS_DEPRECATE line and set it to "__unix__". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable.

CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6