Rule ID
SV-279604r1192604_rule
Version
V1R1
CCIs
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
1. Verify Nutanix OS is configured to store encrypted representation of passwords and that the encryption meets required standards using the following command. $ sudo grep -i encrypt /etc/login.defs ENCRYPT_METHOD SHA512 If the /etc/login.defs file does not contain the required output, this is a finding. 2. Confirm that the interactive user account passwords are using a strong password hash using the following command. $ sudo cut -d: -f2 /etc/shadow $6$hMKOdbToveIPcp$ybbhyd/bY/.nbce5H1Qc8Ji7ECmTZvs50ASDFHSY9XEW/TkK7Xer5xUYp7AHYzrk815rkJecsCDIMIgYXBQ9C/ Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user passwords do not begin with "$6$", this is a finding. 3. Check that a minimum number of hash rounds is configured using the following command. $ sudo grep -iE "^SHA_CRYPT_" /etc/login.defs SHA_CRYPT_MAX_ROUNDS 5000 If the value of "SHA_CRYPT_MAX_ROUNDS" is not set to 5000 or more, this is a finding.
Configure Nutanix OS to use complex password using the following command. 1. For AOS, enter the following command. $ sudo salt-call state.sls security/CVM/pamCVM.sls 2. For Prism Central, enter the following command. $ sudo salt-call state.sls security/PCVM/pamPCVM.sls 3. For Files, enter the following command. $ sudo salt-call state.sls security/AFS/pamAFS.sls