UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22303 GEN000590 SV-44864r1_rule Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
STIG Date
SUSE Linux Enterprise Server v11 for System z 2016-12-20

Details

Check Text ( C-42326r1_chk )
Check the /etc/default/passwd file for the CRYPT_FILES variable setting.
Procedure:
# grep -v '^#' /etc/default/passwd | grep -i crypt_files

CRYPT_FILES must be set to SHA256 or SHA512. If it is not set, or it is set to some other value this is a finding.
Fix Text (F-38297r1_fix)
Edit the /etc/default/passwd file and add or change the CRYPT_FILES variable setting so that it contains:
CRYPT_FILES=sha256
OR
CRYPT_FILES=sha512

In SLES 11 SP2 this option can also be configured with the YaST ‘Security and Users’ module. Run the ‘Security Center and Hardening’ application, then select ‘Password Settings’. Use the ‘Password Encryption Method’ drop-down to select either ‘SHA-256’ or ‘SHA-512’.