Detections
Analytics

5.4.1.9 Ensure existing passwords use FIPS 140-2 approved cryptographic hashing algorithm

Information

A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.

NIST Federal Information Processing Standard (FIPS) 140-2 "Security Requirements for Cryptographic Modules"

Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.

The SHA-512 algorithm provides a strong FIPS 140-2 approved hash for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local group passwords.

The operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and data may be compromised.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.

Solution

Run the following script to lock all local interactive user accounts with a password that is not using the sha512 hashing algorithm until the passwords can be regenerated using sha512 :

#!/usr/bin/env bash

{
 a_output2=()
 l_valid_shells="^($(awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
 while IFS= read -r l_user; do
 while IFS= read -r l_fuser; do
 a_output2+=(" - User: \"$l_fuser\" password was not hashed using the sha512 hashing algorithm")
 if [ "$l_fuser" = "root" ]; then
 a_output2+=(" The root user needs a new password" \
 " Either create a new password or lock the root account")
 else
 a_output2+=(" * Locking user: \"$l_fuser\"")
 passwd -l "$l_fuser"
 fi
 done < <(awk -F: '($1=="'"$l_user"'" && $2 !~ /^\!/ && $2 !~ /^!?\$6\$/) {print $1}' /etc/shadow)
 done < <(awk -v pat="$l_valid_shells" -F: '($(NF) ~ pat) {print $1}' /etc/passwd)
 if [ "${#a_output2[@]}" -le 0 ]; then
 printf '%s\n' "" " - Remediation complete" " No remediation required" ""
 else
 printf '%s\n' "" "${a_output2[@]}" ""
 fi
}

Ensure all accounts that are locked either have a new password generated using the SHA512 hashing algorithm

- OR -

Ensure the account(s) are removed in accordance with local site account deletion policy

Important: The root account will not be locked by the remediator script. If the Audit returned the root account as requiring an update to it's password hash, please manually update the root account password or lock the root account in accordance with local site policy

See Also

https://workbench.cisecurity.org/benchmarks/19886

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 13579c20caa277cef3abe8a9108d70d9d70336a6f61c451717e885b8defe645f