From f3aed6e564122ec43ce8c8f7175a531eda12cac8 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 16 Jul 2024 15:49:47 +0200 Subject: [PATCH] Review and update set_password_hashing_algorithm_libuserconf Aligned to other rules related to hashing algorithm in order to use variable instead of a hardcoded sha512 value. Signed-off-by: Marcus Burghardt --- .../ansible/shared.yml | 11 ++++--- .../bash/shared.sh | 7 +++-- .../oval/shared.xml | 26 ++++++++++------ .../rule.yml | 31 +++++++++---------- .../tests/correct_crypt_style.pass.sh | 1 + .../tests/no_crypt_style.fail.sh | 1 + .../tests/weak_algorithm.fail.sh | 1 + 7 files changed, 45 insertions(+), 33 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/ansible/shared.yml index b3e32aa312e..662c3641e2a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/ansible/shared.yml @@ -3,11 +3,14 @@ # strategy = restrict # complexity = low # disruption = low -- name: Set Password Hashing Algorithm in /etc/libuser.conf - lineinfile: + +{{{ ansible_instantiate_variables("var_password_hashing_algorithm_pam") }}} + +- name: "{{{ rule_title }}} - Set Password Hashing Algorithm in /etc/libuser.conf" + ansible.builtin.lineinfile: dest: /etc/libuser.conf insertafter: '^\s*\[defaults]' regexp: ^#?crypt_style - line: crypt_style = sha512 + line: crypt_style = {{ var_password_hashing_algorithm_pam }} state: present - create: yes + create: true 
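Review bot: With `create: true` and `insertafter: '^\s*\[defaults]'`, a missing or empty /etc/libuser.conf ends up with `crypt_style = …` appended and no `[defaults]` header, because lineinfile falls back to end-of-file when the insertafter pattern finds no match; the bash remediation in this same patch writes the `[defaults]` header first in that case, so the two remediations diverge on a fresh file. Consider a preceding task that ensures the `[defaults]` section exists before this lineinfile runs, or a comment on the task stating that the file is expected to already carry the section. The `regexp: ^#?crypt_style` also matches a crypt_style key in any section, whereas the bash regex scopes the match to `[defaults]`.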
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/bash/shared.sh index 115273566ac..f6b461789d8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/bash/shared.sh @@ -1,14 +1,15 @@ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +{{{ bash_instantiate_variables("var_password_hashing_algorithm_pam") }}} LIBUSER_CONF="/etc/libuser.conf" CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*' # Try find crypt_style in [defaults] section. If it is here, then change algorithm to sha512. # If it isn't here, then add it to [defaults] section. if grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF ; then - sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" $LIBUSER_CONF + sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1$var_password_hashing_algorithm_pam/g" $LIBUSER_CONF elif grep -qs "\[defaults]" $LIBUSER_CONF ; then - sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" $LIBUSER_CONF + sed -i "/[[:space:]]*\[defaults]/a crypt_style = $var_password_hashing_algorithm_pam" $LIBUSER_CONF else - echo -e "[defaults]\ncrypt_style = sha512" >> $LIBUSER_CONF + echo -e "[defaults]\ncrypt_style = $var_password_hashing_algorithm_pam" >> $LIBUSER_CONF fi 
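Review bot: The comment `# Try find crypt_style in [defaults] section. If it is here, then change algorithm to sha512.` is now stale, since the value comes from `$var_password_hashing_algorithm_pam`; suggest `# If it is here, then change algorithm to the value of var_password_hashing_algorithm_pam.` The variable is also spliced unescaped into the sed replacement on both `sed -i` lines, where `&`, `\` and `/` carry meaning; the XCCDF selector presumably limits it to plain algorithm names, but a guard such as `case "$var_password_hashing_algorithm_pam" in *[!A-Za-z0-9_]*) exit 1;; esac` before the `if` would make that assumption explicit. `$LIBUSER_CONF` and `$CRYPT_STYLE_REGEX` remain unquoted in the `grep` calls, and the `echo -e` line could be `printf '[defaults]\ncrypt_style = %s\n' "$var_password_hashing_algorithm_pam" >> "$LIBUSER_CONF"`.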
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/oval/shared.xml index b09f9eed60e..498129349c2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/oval/shared.xml @@ -1,21 +1,29 @@ - + {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/libuser.conf.") }}} - + - - + + + - + /etc/libuser.conf - ^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ + ^[\s]*crypt_style[\s]*=[\s]*(\w*)[\s]*$ 1 + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml index dbd1a033b47..73769890fef 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml @@ -1,26 +1,23 @@ documentation_complete: true - title: 'Set Password Hashing Algorithm in /etc/libuser.conf' description: |- - In /etc/libuser.conf, add or correct the following line in its - [defaults] section to ensure the system will use the SHA-512 + In /etc/libuser.conf, add or correct the following line in its [defaults] + section to ensure the system will use the {{{ xccdf_value("var_password_hashing_algorithm_pam") }}} algorithm for password hashing: -
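Review bot: The new regex `^[\s]*crypt_style[\s]*=[\s]*(\w*)[\s]*$` no longer carries the `(?i)` flag the replaced pattern had, so a value spelled `SHA512` is captured verbatim and, if the new state compares the capture against `var_password_hashing_algorithm_pam` case-sensitively, will now fail where it previously passed; the surrounding XML is too garbled in this rendering to confirm how the comparison is declared. If libuser accepts the value case-insensitively, consider keeping `(?i)` or using a case-insensitive state operation. `\w*` also matches an empty value (`crypt_style =`), which is harmless only if the variable comparison rejects the empty capture — worth covering with a test case alongside `no_crypt_style.fail.sh`.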
crypt_style = sha512
+
crypt_style = {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}
rationale: |- - Passwords need to be protected at all times, and encryption is the standard - method for protecting passwords. If passwords are not encrypted, they can - be plainly read (i.e., clear text) and easily compromised. Passwords that - are encrypted with a weak algorithm are no more protected than if they are - kepy in plain text. + Passwords need to be protected at all times, and encryption is the standard method for + protecting passwords. If passwords are not encrypted, they can be plainly read + (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm + are no more protected than if they are kept in plain text.

- This setting ensures user and group account administration utilities are - configured to store only encrypted representations of passwords. - Additionally, the crypt_style configuration option ensures the use - of a strong hashing algorithm that makes password cracking attacks more - difficult. + This setting ensures user and group account administration utilities are configured to store + only encrypted representations of passwords. Additionally, the crypt_style + configuration option in /etc/libuser.conf ensures the use of a strong hashing + algorithm that makes password cracking attacks more difficult. severity: medium @@ -60,16 +57,16 @@ ocil: |- $ sudo grep -i crypt_style /etc/libuser.conf - crypt_style = sha512 + crypt_style = {{{ xccdf_value("var_password_hashing_algorithm_pam") }}} platform: package[libuser] fixtext: |- - Configure {{{ full_name }}} to use the SHA-512 algorithm for password hashing. + Configure {{{ full_name }}} to use the {{{ xccdf_value("var_password_hashing_algorithm_pam") }}} algorithm for password hashing. Add or change the following line in the "[default]" section of "/etc/libuser.conf" file: - crypt_style = sha512 + crypt_style = {{{ xccdf_value("var_password_hashing_algorithm_pam") }}} {{% if product in ['ol9', 'rhel9'] -%}} srg_requirement: '{{{ full_name }}} must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.' diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/correct_crypt_style.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/correct_crypt_style.pass.sh index 9d5ad0ff1ab..1e1ba4d3610 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/correct_crypt_style.pass.sh 
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/correct_crypt_style.pass.sh @@ -1,4 +1,5 @@ #!/bin/bash +# variables = var_password_hashing_algorithm_pam=sha512 # example libuser.conf has set 'crypt_style = sha512' cp libuser.conf /etc/ diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/no_crypt_style.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/no_crypt_style.fail.sh index 50e62bcf807..d2a1fdade50 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/no_crypt_style.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/no_crypt_style.fail.sh @@ -1,4 +1,5 @@ #!/bin/bash +# variables = var_password_hashing_algorithm_pam=sha512 cp libuser.conf /etc/ sed -i "/crypt_style/d" /etc/libuser.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/weak_algorithm.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/weak_algorithm.fail.sh index cce04cb987a..b6ff306f106 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/weak_algorithm.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/tests/weak_algorithm.fail.sh @@ -1,4 +1,5 @@ #!/bin/bash +# variables = var_password_hashing_algorithm_pam=sha512 cp libuser.conf /etc/ sed -i "s/crypt_style = sha512/crypt_style = md5/" /etc/libuser.conf