STIG Summary: Authentication, Authorization, and Accounting Services (AAA) Security Requirements Guide, Version: 1, Release: 2, Benchmark Date: 24 Jan 2020

AAA Services must be configured to encrypt locally stored credentials using a FIPS-validated cryptographic module.

DISA Rule

SV-95663r1_rule

Vulnerability Number

V-80953

Group Title

SRG-APP-000171-AAA-000510

Rule Version

SRG-APP-000171-AAA-000510

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure AAA Services to encrypt locally stored credentials using a FIPS-validated cryptographic module.

Configure all associated databases, configuration files, and audit files to use only encrypted representations of all passwords, so that no password strings are readable/discernable.

Check Contents

Where passwords are used, verify AAA Services are configured to encrypt locally stored credentials using a FIPS-validated cryptographic module. AAA Services may leverage the capability of an operating system or purpose-built module for this purpose.

Confirm that databases, configuration files, and log files have encrypted representations for all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a related database table.

Review AAA Services configuration for use of the MD5 algorithm to create password hashes.

If AAA Services are not configured to encrypt locally stored credentials using a FIPS-validated cryptographic module, this is a finding.

If AAA Services are configured to use MD5 to create password hashes, this is a finding.

Note: FIPS-validated cryptographic modules are listed on the NIST Cryptographic Module Validation Program's (CMVP) validation list.
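
The review steps above, sketched as an added example (not part of the SRG or of any vendor tool): a Python pass over a constructed configuration export that reports lines holding cleartext or MD5-derived credentials without echoing the values. The keyword list, file layout and sample values are assumptions; whether the module in use is FIPS-validated still has to be confirmed against the CMVP list.

```python
import re

# Constructed sample of an AAA configuration export. Key names and values are
# hypothetical and not taken from any product.
SAMPLE_CONFIG = """\
user alice secret $6$Zx8kQ1pL$u0dJ3nq7cW5bVfT2yHs9eR
user bob secret $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
user carol password Winter2020!
radius-server key 0123456789abcdef0123456789abcdef
# password rotation policy: 60 days
"""

# Keywords assumed to introduce a stored credential; adjust per product.
CRED_KEY = re.compile(r"\b(password|secret|key)\b[ =:]+(\S+)", re.IGNORECASE)


def classify(value):
    """Label one stored credential value by its visible format."""
    if value.startswith("$1$"):
        return "md5-crypt"          # MD5-based crypt(3) hash: finding
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "possible-raw-md5"   # 128-bit hex digest: needs manual review
    if re.match(r"\$[56]\$", value):
        return "sha-crypt"          # SHA-256/512 crypt; module still needs CMVP check
    return "cleartext"              # readable password string: finding


def audit(text):
    """Return (line_number, keyword, label) for each line needing attention.

    Credential values are never returned, so the report itself does not
    become another place where passwords are readable.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):   # comments mention keywords, not secrets
            continue
        match = CRED_KEY.search(line)
        if match:
            label = classify(match.group(2))
            if label != "sha-crypt":
                findings.append((number, match.group(1).lower(), label))
    return findings


if __name__ == "__main__":
    for number, keyword, label in audit(SAMPLE_CONFIG):
        print(f"line {number}: {keyword} -> {label}")
```
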

Documentable

False

Check Content Reference

M

Target Key

3357
