STIGQter: STIG Summary: Solaris 10 X86 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.

DISA Rule

SV-227585r603266_rule

Vulnerability Number

V-227585

Group Title

SRG-OS-000120

Rule Version

GEN000590

Severity

CAT II

CCI(s)

• CCI-000803 - The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Weight

10

Fix Recommendation

Edit the /etc/security/policy.conf file.
# vi /etc/security/policy.conf
Uncomment or add the CRYPT_ALGORITHMS_ALLOW line and set it to "5,6". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable.

CRYPT_ALGORITHMS_ALLOW=5,6
CRYPT_DEFAULT=6

Check Contents

Verify the traditional UNIX crypt algorithm is deprecated.
# egrep CRYPT_ALGORITHMS_ALLOW /etc/security/policy.conf
If CRYPT_ALGORITHMS_ALLOW is not set, is not set to "6", or is not set to "5,6", this is a finding.

Verify new password hashes are generated using either the SHA-256 or SHA-512 cryptographic hashing algorithm.
# egrep CRYPT_DEFAULT /etc/security/policy.conf
If CRYPT_DEFAULT is not set or is not equal to 5 or 6, this is a finding.

Vulnerability Number

V-227585

Documentable

False

Rule Version

GEN000590

Severity Override Guidance

Verify the traditional UNIX crypt algorithm is deprecated.
# egrep CRYPT_ALGORITHMS_ALLOW /etc/security/policy.conf
If CRYPT_ALGORITHMS_ALLOW is not set, is not set to "6", or is not set to "5,6", this is a finding.

Verify new password hashes are generated using either the SHA-256 or SHA-512 cryptographic hashing algorithm.
# egrep CRYPT_DEFAULT /etc/security/policy.conf
If CRYPT_DEFAULT is not set or is not equal to 5 or 6, this is a finding.

Check Content Reference

M

Target Key

4061

Comments