Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22303 | GEN000590 | SV-44864r1_rule | DCNR-1 IAIA-1 IAIA-2 | Medium |
Description |
---|
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise. |
STIG | Date |
---|---|
SUSE Linux Enterprise Server v11 for System z | 2015-05-27 |
Check Text ( C-42326r1_chk ) |
---|
Check the /etc/default/passwd file for the CRYPT_FILES variable setting. Procedure: # grep -v '^#' /etc/default/passwd | grep -i crypt_files CRYPT_FILES must be set to SHA256 or SHA512. If it is not set, or it is set to some other value this is a finding. |
Fix Text (F-38297r1_fix) |
---|
Edit the /etc/default/passwd file and add or change the CRYPT_FILES variable setting so that it contains: CRYPT_FILES=sha256 OR CRYPT_FILES=sha512 In SLES 11 SP2 this option can also be configured with the YaST ‘Security and Users’ module. Run the ‘Security Center and Hardening’ application, then select ‘Password Settings’. Use the ‘Password Encryption Method’ drop-down to select either ‘SHA-256’ or ‘SHA-512’. |