CCI
CCI|CCI-004062
Title: For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
Reference Item Details
Reference: CCI - DISA Control Correlation Identifier
Category: 2024
Audit Items
| Name | Plugin | Audit Name |
| --- | --- | --- |
| AIX7-00-001007 - If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords. | Unix | DISA STIG AIX 7.x v3r1 |
| AIX7-00-003101 - The AIX system must have no .netrc files on the system. | Unix | DISA STIG AIX 7.x v3r1 |
| CD12-00-009500 - If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords. | PostgreSQLDB | DISA STIG Crunchy Data PostgreSQL DB v3r1 |
| CISC-ND-000620 - The Cisco router must only store cryptographic representations of passwords. | Cisco | DISA STIG Cisco IOS Router NDM v3r2 |
| CISC-ND-000620 - The Cisco router must only store cryptographic representations of passwords. | Cisco | DISA STIG Cisco IOS XE Router NDM v3r2 |
| CISC-ND-000620 - The Cisco switch must only store cryptographic representations of passwords. | Cisco | DISA STIG Cisco IOS Switch NDM v3r2 |
| CISC-ND-000620 - The Cisco switch must only store cryptographic representations of passwords. | Cisco | DISA STIG Cisco IOS XE Switch NDM v3r2 |
| CNTR-K8-001160 - Secrets in Kubernetes must not be stored as environment variables. | Unix | DISA STIG Kubernetes v2r2 |
| CNTR-R2-000800 Rancher RKE2 must store only cryptographic representations of passwords. | Unix | DISA Rancher Government Solutions RKE2 STIG v2r2 |
| EPAS-00-004300 - If passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords. | PostgreSQLDB | EnterpriseDB PostgreSQL Advanced Server DB v2r1 |
| JUEX-NM-000330 - The Juniper EX switch must be configured to only store cryptographic representations of passwords. | Juniper | DISA Juniper EX Series Network Device Management v2r2 |
| MADB-10-003800 - If passwords are used for authentication, MariaDB must store only hashed, salted representations of passwords. | MySQLDB | DISA MariaDB Enterprise 10.x v2r2 DB |
| MYS8-00-005100 - If passwords are used for authentication, the MySQL Database Server 8.0 must store only hashed, salted representations of passwords. | MySQLDB | DISA Oracle MySQL 8.0 v2r2 DB |
| O112-C2-014600 - The DBMS must support organizational requirements to enforce password encryption for storage. | Unix | DISA STIG Oracle 11.2g v2r5 Linux |
| O112-C2-014600 - The DBMS must support organizational requirements to enforce password encryption for storage. | Windows | DISA STIG Oracle 11.2g v2r5 Windows |
| O121-C2-014600 - The DBMS must support organizational requirements to enforce password encryption for storage. | Unix | DISA STIG Oracle 12c v3r2 Linux |
| O121-C2-014600 - The DBMS must support organizational requirements to enforce password encryption for storage. | Windows | DISA STIG Oracle 12c v3r2 Windows |
| OL07-00-010199 - The Oracle Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | Unix | DISA Oracle Linux 7 STIG v3r1 |
| OL07-00-010200 - The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords. | Unix | DISA Oracle Linux 7 STIG v3r1 |
| OL07-00-010210 - The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords. | Unix | DISA Oracle Linux 7 STIG v3r1 |
| OL07-00-010220 - The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. | Unix | DISA Oracle Linux 7 STIG v3r1 |
| OL08-00-010110 - OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. | Unix | DISA Oracle Linux 8 STIG v2r2 |
| OL08-00-010120 - OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Unix | DISA Oracle Linux 8 STIG v2r2 |
| OL08-00-010130 - The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. | Unix | DISA Oracle Linux 8 STIG v2r2 |
| PHTN-40-000039 The operating system must store only encrypted representations of passwords. | Unix | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 |
| RHEL-08-010110 - RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. | Unix | DISA Red Hat Enterprise Linux 8 STIG v2r1 |
| RHEL-08-010120 - RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Unix | DISA Red Hat Enterprise Linux 8 STIG v2r1 |
| RHEL-08-010130 - The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. | Unix | DISA Red Hat Enterprise Linux 8 STIG v2r1 |
| RHEL-09-611050 - RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-611055 - RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-611135 - RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-611140 - RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-671015 - RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| RHEL-09-671025 - RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2 |
| SLES-12-010220 - The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. | Unix | DISA SLES 12 STIG v3r1 |
| SLES-12-010230 - The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords. | Unix | DISA SLES 12 STIG v3r1 |
| SLES-12-010240 - The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. | Unix | DISA SLES 12 STIG v3r1 |
| SLES-15-020170 - The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords - PAM to only store encrypted representations of passwords. | Unix | DISA SLES 15 STIG v2r2 |
| SLES-15-020180 - The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. | Unix | DISA SLES 15 STIG v2r2 |
| SLES-15-020190 - The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. | Unix | DISA SLES 15 STIG v2r2 |
| SOL-11.1-040130 - Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. | Unix | DISA STIG Solaris 11 SPARC v3r1 |
| SOL-11.1-040130 - Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. | Unix | DISA STIG Solaris 11 X86 v3r1 |
| UBTU-20-010070 - The Ubuntu operating system must prohibit password reuse for a minimum of five generations. | Unix | DISA STIG Ubuntu 20.04 LTS v2r1 |
| UBTU-22-611055 - Ubuntu 22.04 LTS must store only encrypted representations of passwords. | Unix | DISA STIG Canonical Ubuntu 22.04 LTS v2r2 |
| WN10-AC-000045 - Reversible password encryption must be disabled. | Windows | DISA Windows 10 STIG v3r2 |
| WN10-SO-000195 - The system must be configured to prevent the storage of the LAN Manager hash of passwords. | Windows | DISA Windows 10 STIG v3r2 |
| WN11-AC-000045 - Reversible password encryption must be disabled. | Windows | DISA Windows 11 STIG v2r2 |
| WN11-SO-000195 - The system must be configured to prevent the storage of the LAN Manager hash of passwords. | Windows | DISA Windows 11 STIG v2r2 |
| WN19-AC-000090 - Windows Server 2019 reversible password encryption must be disabled. | Windows | DISA Windows Server 2019 STIG v3r2 |
| WN19-SO-000300 - Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords. | Windows | DISA Windows Server 2019 STIG v3r2 |