The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22303	GEN000590	SV-44864r1_rule		Medium

Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.

STIG	Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide	2018-09-19

Details

Check Text ( C-42326r1_chk )
Check the /etc/default/passwd file for the CRYPT_FILES variable setting. Procedure: # grep -v '^#' /etc/default/passwd \| grep -i crypt_files CRYPT_FILES must be set to SHA256 or SHA512. If it is not set, or it is set to some other value this is a finding.

Fix Text (F-38297r1_fix)
Edit the /etc/default/passwd file and add or change the CRYPT_FILES variable setting so that it contains: CRYPT_FILES=sha256 OR CRYPT_FILES=sha512 In SLES 11 SP2 this option can also be configured with the YaST ‘Security and Users’ module. Run the ‘Security Center and Hardening’ application, then select ‘Password Settings’. Use the ‘Password Encryption Method’ drop-down to select either ‘SHA-256’ or ‘SHA-512’.

Fix Text (F-38297r1_fix)

Edit the /etc/default/passwd file and add or change the CRYPT_FILES variable setting so that it contains:
CRYPT_FILES=sha256
OR
CRYPT_FILES=sha512

In SLES 11 SP2 this option can also be configured with the YaST ‘Security and Users’ module. Run the ‘Security Center and Hardening’ application, then select ‘Password Settings’. Use the ‘Password Encryption Method’ drop-down to select either ‘SHA-256’ or ‘SHA-512’.