CCI-004062

For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

1 rule found Severity: Low

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

12 rules found Severity: Medium

22 rules found Severity: Medium

13 rules found Severity: Medium

12 rules found Severity: Medium

16 rules found Severity: Medium

10 rules found Severity: Medium

12 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

CCI-004062

The Ubuntu operating system must prohibit password reuse for a minimum of five generations.

If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords.

The Cisco switch must only store cryptographic representations of passwords.

If passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.

The DNS server implementation must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.

The WebSphere Liberty Server must store only encrypted representations of user passwords.

The AIX system must have no .netrc files on the system.

The Apache Tomcat Manager Web app password must be cryptographically hashed with a DOD-approved algorithm.

A unique database name and a unique MySQL user with a secure password must be created for use in Jamf Pro EMM.

The Juniper EX switch must be configured to only store cryptographic representations of passwords.

Secrets in Kubernetes must not be stored as environment variables.

Swarm Secrets or Kubernetes Secrets must be used.

Reversible password encryption must be disabled.

The system must be configured to prevent the storage of the LAN Manager hash of passwords.

The network device must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash for password-based authentication.

The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.

The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.

The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.

The Oracle Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.

If passwords are used for authentication, the MySQL Database Server 8.0 must store only hashed, salted representations of passwords.

The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.

If passwords are used for authentication, Redis Enterprise DBMS must store only hashed, salted representations of passwords.

TOSS must store only encrypted representations of passwords.

The web server must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

Set PAM''s Password Hashing Algorithm - password-auth

Set PAM''s Password Hashing Algorithm

Set number of Password Hashing Rounds - password-auth

Set number of Password Hashing Rounds - system-auth

Set Password Hashing Algorithm in /etc/libuser.conf

Set Password Hashing Algorithm in /etc/login.defs

Set Password Hashing Rounds in /etc/login.defs

Verify All Account Password Hashes are Shadowed with SHA512

NixOS must store only encrypted representations of passwords.

For password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash.

The application server must for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

The application must only store cryptographic representations of passwords.

Ubuntu 22.04 LTS must store only encrypted representations of passwords.

The Cisco router must only store cryptographic representations of passwords.

For accounts using password authentication, the Central Log Server must be configured to store only cryptographic representations of passwords.

AlmaLinux OS 9 PAM must be configured to use a sufficient number of password hashing rounds.

AlmaLinux OS 9 must be configured so that libuser is configured to store only encrypted representations of passwords.

AlmaLinux OS 9 must be configured so that the system's shadow file is configured to store only encrypted representations of passwords.

AlmaLinux OS 9 must be configured so that the Pluggable Authentication Module is configured to store only encrypted representations of passwords.

AlmaLinux OS 9 must be configured so that interactive user account passwords are using strong password hashes.

For container platform using password authentication, the application must store only cryptographic representations of passwords.

The DBMS must for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

The operating system must store only encrypted representations of passwords.

ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.

NIST FIPS-validated cryptography must be used to protect passwords in the security database.

IBM Passtickets must be configured to be KeyEncrypted.

IBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database.

The Mainframe Product must store only cryptographically protected passwords.

If passwords are used for authentication, MariaDB must store only hashed, salted representations of passwords.

Windows Server 2019 reversible password encryption must be disabled.

Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.

Windows Server 2022 reversible password encryption must be disabled.

The DBMS must support organizational requirements to enforce password encryption for storage.

Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.

OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.

The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.

Rancher RKE2 must store only cryptographic representations of passwords.

OpenShift must use FIPS validated LDAP or OpenIDConnect.

RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.

The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.

RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.

RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.

RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.

RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.

The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.

The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.

The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.

RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.

RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.

For UEM server using password authentication, the application must store only cryptographic representations of passwords.

The VMM must store only encrypted representations of passwords.