STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

The password hashes stored on the AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.

DISA Rule

SV-215230r508663_rule

Vulnerability Number

V-215230

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

AIX7-00-001134

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set the system-wide password algorithm to "ssha256" or "ssha512" by running the following command:

# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512

Change the passwords for all accounts using non-compliant password hashes by running the following command:

$ passwd [user_name]

Check Contents

Verify that the system-wide password algorithm is set to {ssha256} or {ssha512} by running the following command:

# lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
usw pwd_algorithm=ssha512

If the "pwd_algorithm" is not set to "ssha256" or "ssha512", this is a finding.

Verify that no password hashes are present in /etc/passwd by running the following command:

# cat /etc/passwd | cut -f2,2 -d":"
!
!
!
!
*
*
*
*

If there are password hashes present, this is a finding.

Verify that all password hashes in "/etc/security/passwd" begin with {ssha256} or {ssha512} by running the following command:

# cat /etc/security/passwd | grep password
password = {ssha512}06$e58YOawe/7UhChqh$hZEWlP4040jarX1NeOujmcxd.7qerUvjW9lM9djJsDITtdjFvVpLX.r04xieOWrbH0qb0SJJ98a0tmgZBzPP..
password = {ssha512}06$Y6ztvMxKGdITxPex$B81/GDTEPt0xwp.BX1VhY9mAPaWHXdNoLI9D0T6dBExgo6r87X0etnfjxWODT73.udrbAY.F4HzaBR68lN5/..
password = {ssha512}06$iIXQQqs.mdGpC9Wu$cXSajikWYKAUacbF50FNlFgYYSgTklGf4uhXb1J/GyBGF5j5aWa4YG5Ah2uaAHv/Jmbmx.7yBm8iXz9Pz1LM..
password = {ssha512}06$3Sw24rPVdqDFFCIl$d1dZs7GYmTXnD9i270SxozIBxN0pqq/bNn0YbyKeDq0o6Y.j9qfkeH373DwkHBWgrifNcgj/K0pVyzjMg6QN..

If any password hashes are present that do not begin with {ssha256} or {ssha512}, this is a finding.
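As an added example (not DISA's check text and not STIGQter code), the following POSIX sh script applies the three checks above to captured output of lssec, /etc/passwd and /etc/security/passwd, so the pass/finding logic can be exercised off-box; the capture strings are constructed, and the {smd5} entry is a placeholder rather than a real hash.

```shell
# Added example, not DISA or STIGQter code: evaluate the three checks of
# AIX7-00-001134 against captured command output passed in as strings, so the
# logic can be exercised off-box. The sample captures below are constructed.

# Check 1: output of `lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm`
# must name ssha256 or ssha512.
check_pwd_algorithm() {
    alg=$(printf '%s\n' "$1" | sed -n 's/^usw pwd_algorithm=//p')
    case "$alg" in
        ssha256|ssha512) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: field 2 of every /etc/passwd line must be "!" (hash kept in
# /etc/security/passwd) or "*" (no valid password); anything else is a hash.
check_etc_passwd() {
    printf '%s\n' "$1" | cut -d: -f2 | grep -vxF -e '!' -e '*' >/dev/null && return 1
    return 0
}

# Check 3: every "password = " entry in /etc/security/passwd must begin with
# {ssha256} or {ssha512}; e.g. an {smd5} or bare crypt(3) hash is a finding.
check_security_passwd() {
    printf '%s\n' "$1" | grep 'password = ' \
        | grep -v -e 'password = {ssha256}' -e 'password = {ssha512}' >/dev/null && return 1
    return 0
}

# Run all three checks; return the number of findings (0 = compliant).
audit_aix_password_hashes() {
    n=0
    check_pwd_algorithm "$1"   || { echo "FINDING: pwd_algorithm is not ssha256/ssha512"; n=$((n+1)); }
    check_etc_passwd "$2"      || { echo "FINDING: password hash present in /etc/passwd"; n=$((n+1)); }
    check_security_passwd "$3" || { echo "FINDING: non-ssha hash in /etc/security/passwd"; n=$((n+1)); }
    return "$n"
}

# Constructed captures: a compliant host, and one still set to and carrying {smd5}.
GOOD_LSSEC='usw pwd_algorithm=ssha512'
GOOD_PASSWD='root:!:0:0::/:/usr/bin/ksh
guest:*:100:100::/home/guest:'
GOOD_SECPASSWD='root:
        password = {ssha512}06$e58YOawe/7UhChqh$hZEWlP4040jarX1NeOujmcxd.7qerUvjW9lM9djJsDITtdjFvVpLX.r04xieOWrbH0qb0SJJ98a0tmgZBzPP..'
BAD_LSSEC='usw pwd_algorithm=smd5'
BAD_SECPASSWD='legacy:
        password = {smd5}CONSTRUCTED$notARealHashValue'
audit_aix_password_hashes "$GOOD_LSSEC" "$GOOD_PASSWD" "$GOOD_SECPASSWD" || echo "findings: $?"
audit_aix_password_hashes "$BAD_LSSEC" "$GOOD_PASSWD" "$BAD_SECPASSWD" || echo "findings: $?"
```

On a real host the three strings would come from `lssec`, `cat /etc/passwd` and `cat /etc/security/passwd` run as root; the script itself needs nothing AIX-specific.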

Vulnerability Number

V-215230

Documentable

False

Rule Version

AIX7-00-001134

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments