The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.


Overview

Finding ID:  V-22304
Version:     GEN000595
Rule ID:     SV-25951r1_rule
IA Controls: DCNR-1, IAIA-1, IAIA-2
Severity:    Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
STIG: UNIX SRG
Date: 2013-03-26

Details

Check Text (C-29095r1_chk)
Determine if any password hashes stored on the system were not generated using a FIPS 140-2 approved cryptographic hashing algorithm.

Generally, a hash prefix of $5$ or $6$ indicates approved hashes. Consult OS documentation to determine the actual prefixes or other methods used by the OS to indicate approved hash algorithms.

Procedure:
# cut -d ':' -f2 /etc/passwd
# cut -d ':' -f2 /etc/shadow

If any password hashes are present that do not begin with $5$ or $6$ and carry no other indication, consistent with vendor documentation, that an approved hash algorithm was used, this is a finding.
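The procedure above can be scripted so that each password field is classified by prefix rather than read by eye. The following is an added example, not part of the STIG text; it assumes that empty, "*", "!", "!!" and "x" fields hold no hash (locked account, or hash kept in /etc/shadow) and so are skipped, and that a leading "!" on a real hash only locks the account while the stored hash still counts. Every other field that does not begin with $5$ or $6$ is reported as a finding, as the check text requires.

```shell
#!/bin/sh
# Added example, not part of the STIG text: classify the password field of
# /etc/passwd- or /etc/shadow-format lines by hash prefix.
#   $5$ (SHA-256) or $6$ (SHA-512)   -> approved, not reported
#   "", "*", "!", "!!", "x"          -> assumed to hold no hash, skipped
#   anything else ($1$, $2b$, $y$, traditional DES, ...) -> reported
# Usage: check_shadow_hashes < /etc/shadow

check_shadow_hashes() {
    awk -F: '
    {
        user = $1; field = $2
        # Assumption: these markers mean no hash is stored in this field
        # ("x": hash lives in /etc/shadow; "*", "!", "!!": account locked)
        if (field == "" || field == "*" || field == "!" || field == "!!" || field == "x") next
        # A leading "!" on a real hash locks the account but keeps the hash,
        # so strip the marker and judge the hash that is actually stored
        hash = field
        sub(/^!+/, "", hash)
        if (hash ~ /^\$5\$/ || hash ~ /^\$6\$/) next
        print user ":" field
    }'
}

# Constructed sample lines in /etc/shadow format (placeholder hashes, not real)
SAMPLE='root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$5$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
bob:$1$md5salt$PLACEHOLDERHASH:19000:0:99999:7:::
carol:!!:19000:0:99999:7:::
dave:!$1$locked$PLACEHOLDERHASH:19000:0:99999:7:::
erin:$y$j9T$PLACEHOLDERHASH:19000:0:99999:7:::
svc:*:19000:0:99999:7:::'

# Run the check over the sample; prints "user:field" for each finding
findings() {
    printf '%s\n' "$SAMPLE" | check_shadow_hashes
}

# Number of findings for the sample (bob, dave and erin)
count_findings() {
    findings | grep -c .
}
```

Run it against the live file with `check_shadow_hashes < /etc/shadow` (as root) and compare any reported prefixes against the vendor documentation the check text refers to.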
Fix Text (F-26094r1_fix)
Replace password hashes with those created using a FIPS 140-2 approved cryptographic hashing algorithm.