UCF STIG Viewer Logo

The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22304 GEN000595 SV-25951r1_rule DCNR-1 IAIA-1 IAIA-2 Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
STIG Date
VMware ESX 3 Server 2016-05-13

Details

Check Text ( C-29095r1_chk )
Determine if any password hashes stored on the system were not generated using a FIPS 140-2 approved cryptographic hashing algorithm.

Generally, a hash prefix of $5$ or $6$ indicates approved hashes. Consult OS documentation to determine the actual prefixes or other methods used by the OS to indicate approved hash algorithms.

Procedure:
# cut -d ':' -f2 /etc/passwd
# cut -d ':' -f2 /etc/shadow

If any password hashes are present not beginning with $5$ or $6$, or have other indications of the use of approved hash algorithms consistent with vendor documentation, this is a finding.
Fix Text (F-26094r1_fix)
Replace password hashes with those created using a FIPS 140-2 approved cryptographic hashing algorithm.