The Juniper SRX Services Gateway must use the SHA256 or later protocol for password authentication for local accounts using password authentication (i.e., the root account and the account of last resort).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-223223	JUSX-DM-000136	SV-223223r1056174_rule	CCI-000197	high
Description
Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
STIG			Date
Juniper SRX Services Gateway NDM Security Technical Implementation Guide			2024-12-20

Related Frameworks

6 paths across 3 frameworks

NIST 800-531 mapping

IA-5(1)

1.00

DISA · V3R3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1714 mappings

3.5.10

1.00

DISA · V3R3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.5.7

1.00

DISA · V3R3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.5.8

1.00

DISA · V3R3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.5.9

1.00

DISA · V3R3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000197

1.00

DISA · V3R3 · disa_xccdf · related

Details

Check Text (C-223223r1056174_chk)

Verify the default local password enforces this requirement by entering the following in configuration mode. [edit] show system login password If the password format is not set to SHA256 or higher, this is a finding.

Fix Text (F-24884r1056103_fix)

Enter the following example command from the configuration mode. [edit] set system login password format sha256