Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.

An XCCDF Rule

Description

Cryptographic hashes provide quick password authentication while not actually storing the password.

ID: SV-216098r1016291_rule
Version: SOL-11.1-040130
Severity: Medium
References: CCI-000196 CCI-004062
Updated: about 2 months ago

Remediation Templates

The root role is required.

Configure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash.

# pfedit /etc/security/policy.conf
Check that the following lines exist and are not commented out:

CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_ALLOW=5,6