Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22304 | GEN000595 | SV-25951r1_rule | DCNR-1 IAIA-1 IAIA-2 | Medium |
Description |
---|
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise. |
STIG | Date |
---|---|
VMware ESX 3 Server | 2016-05-13 |
Check Text ( C-29095r1_chk ) |
---|
Determine if any password hashes stored on the system were not generated using a FIPS 140-2 approved cryptographic hashing algorithm. Generally, a hash prefix of $5$ or $6$ indicates approved hashes. Consult OS documentation to determine the actual prefixes or other methods used by the OS to indicate approved hash algorithms. Procedure: # cut -d ':' -f2 /etc/passwd # cut -d ':' -f2 /etc/shadow If any password hashes are present not beginning with $5$ or $6$, or have other indications of the use of approved hash algorithms consistent with vendor documentation, this is a finding. |
Fix Text (F-26094r1_fix) |
---|
Replace password hashes with those created using a FIPS 140-2 approved cryptographic hashing algorithm. |