Free DISA STIG and SRG Library | Vaulted

V-81285

For accounts using password authentication, the Central Log Server must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.

Finding ID
SRG-APP-000172-AU-002550
Rule ID
SV-95999r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000172-AU-002550
CCI
CCI-000197
Target Key
(None)
Documentable
No
Discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. This requirement applies to all accounts, including authentication server; Authorization, Authentication, and Accounting (AAA); and local accounts such as the root account and the account of last resort. This requirement only applies to components where this is specific to the function of the device (e.g., TLS VPN or ALG). This does not apply to authentication for the purpose of configuring the device itself (management).

Fix Text

Configure the Central Log Server to use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.

Check Content

Examine the configuration. Verify the Central Log Server is configured to use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process. If the Central Log Server is not configured to use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process, this is a finding.