The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22304	GEN000595	SV-40790r1_rule	DCNR-1 IAIA-1 IAIA-2	Medium

Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.

STIG	Date
Solaris 10 X86 Security Technical Implementation Guide	2014-06-27

Details

Check Text ( None )
None

Fix Text (F-34652r1_fix)
If the /etc/security/crypt.conf file does not support FIPS 140-2 approved cryptographic hashing algorithms, upgrade to at least the Solaris 10 8/07 release. Edit the /etc/security/policy.conf file. # vi /etc/security/policy.conf Uncomment the CRYPT_ALGORITHMS_DEPRECATE line and set it to "__unix__". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable. CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=6 Update passwords for all accounts with non-compliant password hashes.

Fix Text (F-34652r1_fix)

If the /etc/security/crypt.conf file does not support FIPS 140-2 approved cryptographic hashing algorithms, upgrade to at least the Solaris 10 8/07 release.

Edit the /etc/security/policy.conf file.
# vi /etc/security/policy.conf
Uncomment the CRYPT_ALGORITHMS_DEPRECATE line and set it to "__unix__". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable.

CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6

Update passwords for all accounts with non-compliant password hashes.