
Review and update set_password_hashing_algorithm_libuserconf
Aligned with other rules related to the hashing algorithm in order to use a
variable instead of a hardcoded sha512 value.

Signed-off-by: Marcus Burghardt <[email protected]>
marcusburghardt committed Jul 16, 2024
1 parent ad33854 commit f3aed6e
Showing 7 changed files with 45 additions and 33 deletions.
Expand Up @@ -3,11 +3,14 @@
# strategy = restrict
# complexity = low
# disruption = low
- name: Set Password Hashing Algorithm in /etc/libuser.conf
lineinfile:

{{{ ansible_instantiate_variables("var_password_hashing_algorithm_pam") }}}

- name: "{{{ rule_title }}} - Set Password Hashing Algorithm in /etc/libuser.conf"
ansible.builtin.lineinfile:
dest: /etc/libuser.conf
insertafter: '^\s*\[defaults]'
regexp: ^#?crypt_style
line: crypt_style = sha512
line: crypt_style = {{ var_password_hashing_algorithm_pam }}
state: present
create: yes
create: true
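Review bot: When `create: true` has to create a missing /etc/libuser.conf, `insertafter: '^\s*\[defaults]'` has nothing to match and lineinfile appends `crypt_style = {{ var_password_hashing_algorithm_pam }}` to an otherwise empty file, so no `[defaults]` section header is written; the bash remediation in this commit writes `[defaults]` together with the key in that case, and the Ansible task should end up with the same file shape (for example a preceding `ansible.builtin.lineinfile` task that ensures the `[defaults]` header exists before this one). Separately, `regexp: ^#?crypt_style` does not tolerate leading whitespace, while the OVAL pattern (`^[\s]*crypt_style`) and the bash regex (`[[:space:]]*crypt_style`) in this commit do, so an indented existing `crypt_style` line would be left in place and a second one inserted after `[defaults]`; `regexp: '^\s*#?\s*crypt_style\s*='` keeps the three in step. Which of two such lines libuser honours cannot be told from here, so the check and the remediation should not disagree on what counts as the setting.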
@@ -1,14 +1,15 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle

{{{ bash_instantiate_variables("var_password_hashing_algorithm_pam") }}}
LIBUSER_CONF="/etc/libuser.conf"
CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*'

# Try find crypt_style in [defaults] section. If it is here, then change algorithm to sha512.
# If it isn't here, then add it to [defaults] section.
if grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF ; then
sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" $LIBUSER_CONF
sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1$var_password_hashing_algorithm_pam/g" $LIBUSER_CONF
elif grep -qs "\[defaults]" $LIBUSER_CONF ; then
sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" $LIBUSER_CONF
sed -i "/[[:space:]]*\[defaults]/a crypt_style = $var_password_hashing_algorithm_pam" $LIBUSER_CONF
else
echo -e "[defaults]\ncrypt_style = sha512" >> $LIBUSER_CONF
echo -e "[defaults]\ncrypt_style = $var_password_hashing_algorithm_pam" >> $LIBUSER_CONF
fi
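Review bot: The comment above the `if` still says the algorithm is changed "to sha512", which is no longer what the `sed` below it does; update it to `# Try to find crypt_style in the [defaults] section. If it is there, set it to $var_password_hashing_algorithm_pam.` so the comment matches the variable-driven replacement. All three new lines expand `$var_password_hashing_algorithm_pam` directly into a sed replacement, a sed `a` text and an `echo -e` string, so a value containing `/`, `&` or `\` would break or alter the expression; this is presumably safe because the value comes from the rule's selection list, but that assumption deserves a one-line comment next to `bash_instantiate_variables`. The `grep` calls pass `$CRYPT_STYLE_REGEX` and `$LIBUSER_CONF` unquoted, and the regex contains `*` and bracket expressions that the shell may glob against the current directory; that predates this commit, but `grep -qzosP "$CRYPT_STYLE_REGEX" "$LIBUSER_CONF"` would remove the risk.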
@@ -1,21 +1,29 @@
<def-group>
<definition class="compliance" id="set_password_hashing_algorithm_libuserconf" version="1">
<definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/libuser.conf.") }}}
<criteria operator="AND">
<criterion test_ref="test_etc_libuser_conf_cryptstyle" />
<criterion test_ref="test_set_password_hashing_algorithm_libuserconf" />
</criteria>
</definition>

<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
comment="The password hashing algorithm should be set correctly in /etc/libuser.conf"
id="test_etc_libuser_conf_cryptstyle" version="1">
<ind:object object_ref="object_etc_libuser_conf_cryptstyle" />
<ind:textfilecontent54_test id="test_set_password_hashing_algorithm_libuserconf" version="2"
check="all" check_existence="at_least_one_exists"
comment="check if /etc/libuser.conf hashing algorithm option is correct">
<ind:object object_ref="object_set_password_hashing_algorithm_libuserconf"/>
<ind:state state_ref="state_set_password_hashing_algorithm_libuserconf"/>
</ind:textfilecontent54_test>

<ind:textfilecontent54_object comment="The password hashing algorithm should be set correctly in /etc/libuser.conf"
id="object_etc_libuser_conf_cryptstyle" version="1">
<ind:textfilecontent54_object id="object_set_password_hashing_algorithm_libuserconf" version="2"
comment="only one hashing algorithm option for pam_unix.so is found in /etc/pam.d/password-auth">
<ind:filepath>/etc/libuser.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$</ind:pattern>
<ind:pattern operation="pattern match">^[\s]*crypt_style[\s]*=[\s]*(\w*)[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="state_set_password_hashing_algorithm_libuserconf" version="1">
<ind:subexpression operation="equals" datatype="string" var_ref="var_password_hashing_algorithm_pam"/>
</ind:textfilecontent54_state>

<external_variable id="var_password_hashing_algorithm_pam" datatype="string" version="1"
comment="hashing algorithm for pam_unix.so"/>
</def-group>
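Review bot: The `comment` on `object_set_password_hashing_algorithm_libuserconf` describes a different check ("only one hashing algorithm option for pam_unix.so is found in /etc/pam.d/password-auth"), apparently carried over from the pam rule this was aligned with; it should describe this object, e.g. `comment="the crypt_style value set in /etc/libuser.conf"`. The new state compares the captured `(\w*)` with `operation="equals"`, which is case-sensitive, whereas the removed pattern used `(?i)sha512`; if libuser accepts `crypt_style = SHA512` (not something I can confirm from this page), such a line now fails where it previously passed, and `operation="case insensitive equals"` on the subexpression would preserve the old tolerance. The object still reads only `instance` 1, so a second, later `crypt_style` line carrying a weaker value is never compared against the variable; that predates the commit but is worth noting in the object comment so the limitation is visible to whoever next touches this check.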
@@ -1,26 +1,23 @@
documentation_complete: true


title: 'Set Password Hashing Algorithm in /etc/libuser.conf'

description: |-
In <tt>/etc/libuser.conf</tt>, add or correct the following line in its
<tt>[defaults]</tt> section to ensure the system will use the SHA-512
In <tt>/etc/libuser.conf</tt>, add or correct the following line in its <tt>[defaults]</tt>
section to ensure the system will use the {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}
algorithm for password hashing:
<pre>crypt_style = sha512</pre>
<pre>crypt_style = {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}</pre>
rationale: |-
Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm
are no more protected than if they are kept in plain text.
<br /><br />
This setting ensures user and group account administration utilities are
configured to store only encrypted representations of passwords.
Additionally, the <tt>crypt_style</tt> configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult.
This setting ensures user and group account administration utilities are configured to store
only encrypted representations of passwords. Additionally, the <tt>crypt_style</tt>
configuration option in <tt>/etc/libuser.conf</tt> ensures the use of a strong hashing
algorithm that makes password cracking attacks more difficult.
severity: medium

Expand Down Expand Up @@ -60,16 +57,16 @@ ocil: |-
$ sudo grep -i crypt_style /etc/libuser.conf
crypt_style = sha512
crypt_style = {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}
platform: package[libuser]

fixtext: |-
Configure {{{ full_name }}} to use the SHA-512 algorithm for password hashing.
Configure {{{ full_name }}} to use the {{{ xccdf_value("var_password_hashing_algorithm_pam") }}} algorithm for password hashing.
Add or change the following line in the "[default]" section of "/etc/libuser.conf" file:
crypt_style = sha512
crypt_style = {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}
{{% if product in ['ol9', 'rhel9'] -%}}
srg_requirement: '{{{ full_name }}} must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.'
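Review bot: The fixtext tells the reader to edit the `"[default]"` section of /etc/libuser.conf, but the section the Ansible (`insertafter: '^\s*\[defaults]'`) and bash (`\[defaults]`) remediations act on, and the one the description names, is `[defaults]`; change the line to `Add or change the following line in the "[defaults]" section of "/etc/libuser.conf" file:`. That line is unchanged context in this hunk, but the lines around it were rewritten to use the variable, so fixing the section name here keeps the fixtext consistent with the remediations it describes. The `ocil` block this hunk is part of starts above the hunk.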
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_algorithm_pam=sha512

# example libuser.conf has set 'crypt_style = sha512'
cp libuser.conf /etc/
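Review bot: All three test scenarios pin `var_password_hashing_algorithm_pam=sha512`, which is exactly what the fixture already contains (`crypt_style = sha512`), so none of them demonstrates that the remediations and the OVAL check now follow the variable rather than the old hardcoded value; the same applies to the two scenarios that follow (the deleted-line and the md5 cases). Adding a scenario with `# variables = var_password_hashing_algorithm_pam=<another value from the variable's selection list>` and a matching `crypt_style` line in the fixture would cover the behavior this commit introduces. The md5 scenario's `sed -i "s/crypt_style = sha512/crypt_style = md5/"` also silently does nothing if the fixture's value ever changes; `sed -i "s/^crypt_style = .*/crypt_style = md5/"` would keep that scenario meaningful.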
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_algorithm_pam=sha512

cp libuser.conf /etc/
sed -i "/crypt_style/d" /etc/libuser.conf
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_algorithm_pam=sha512

cp libuser.conf /etc/
sed -i "s/crypt_style = sha512/crypt_style = md5/" /etc/libuser.conf
