The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-22303 | GEN000590 | SV-25950r1_rule | DCNR-1 IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise. |
| STIG | Date |
|---|---|
| VMware ESX 3 Server | 2016-05-13 |
Details
| Check Text ( C-29094r1_chk ) |
|---|
| Determine if the system creates password hashes using a FIPS 140-2 approved cryptographic hashing algorithm. Consult OS documentation to determine the necessary configuration settings. If the system is not configured to generate password hashes using a FIPS 140-2 approved algorithm, this is a finding. |
| Fix Text (F-26093r1_fix) |
|---|
| Configure the system to use a FIPS 140-2 approved cryptographic hash algorithm for creating password hashes. |