← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-22303

CAT II (Medium)

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.

Rule ID

SV-44864r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000803

Discussion

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.

Check Content

Check the /etc/default/passwd file for the CRYPT_FILES variable setting.  
Procedure:
# grep -v '^#' /etc/default/passwd | grep -i crypt_files

CRYPT_FILES must be set to SHA256 or SHA512.  If it is not set, or it is set to some other value this is a finding.

Fix Text

Edit the /etc/default/passwd file and add or change the CRYPT_FILES variable setting so that it contains:
   CRYPT_FILES=sha256
             OR 
   CRYPT_FILES=sha512

In SLES 11 SP2 this option can also be configured with the YaST ‘Security and Users’ module.  Run the ‘Security Center and Hardening’ application, then select ‘Password Settings’.  Use the ‘Password Encryption Method’ drop-down to select either ‘SHA-256’ or ‘SHA-512’.