The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
An XCCDF Rule
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.
- ID: SV-215230r508663_rule
- Severity: Medium
Remediation - Manual Procedure
Set the system-wide password algorithm to "ssha256" or "ssha512" by running the following command:
# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512
Change the passwords for all accounts using non-compliant password hashes by running the following command:
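
To find which accounts the step above applies to, here is an added example (not part of the STIG text, and not the command the sentence above refers to) that lists accounts whose stored hash does not carry an {ssha256} or {ssha512} prefix. It assumes hashes are kept in AIX stanza format in /etc/security/passwd; the function names and the sample stanzas are constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts with non-compliant password hashes.
# Assumption: stanza layout as in /etc/security/passwd on AIX
#   user:
#           password = {ssha512}06$salt$hash

# Print the names of accounts whose hash lacks an approved prefix.
# $1: stanza file to read; with no argument, reads standard input.
noncompliant_accounts() {
    awk '
        # Stanza header: "username:" starting in column 1
        /^[^ \t*][^ \t]*:[ \t]*$/ { user = $1; sub(/:$/, "", user); next }
        # Attribute line: password = <value>
        $1 == "password" && $2 == "=" {
            h = $3
            if (h == "" || h == "*") next        # no hash stored for this account
            if (index(h, "{ssha256}") == 1) next # compliant
            if (index(h, "{ssha512}") == 1) next # compliant
            print user                           # legacy crypt, {smd5}, {ssha1}, ...
        }
    ' "${1:--}"
}

# Constructed sample stanzas (placeholder values, not real hashes).
sample_passwd() {
    cat <<'EOF'
root:
        password = {ssha512}06$CONSTRUCTEDSALT$CONSTRUCTEDHASH
        lastupdate = 1700000000

olduser:
        password = aB3dEfGhIjKlM
        lastupdate = 1300000000

svc1:
        password = {smd5}CONSTRUC$TEDHASHVALUE
        flags =

locked:
        password = *
EOF
}

# Demo on the constructed sample; lists olduser and svc1.
sample_passwd | noncompliant_accounts
```

On an AIX host, run `noncompliant_accounts /etc/security/passwd` as root; each name printed still needs a password change after `pwd_algorithm` has been set.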