From 0effad1dfb6beafc5f0bcfda57e365d19dee473a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Fri, 28 Jun 2024 15:15:29 +0200
Subject: [PATCH] Change default hashing algorithm in ANSSI profiles for RHEL

ANSSI allows two hashing algorithms with pam_unix.so, sha512 and yescrypt. Currently, RHEL products use sha512 by default, which is already compliant so the respective ANSSI profiles were updated to check for sha512 instead of yescrypt. This will better align to system default settings and avoid unnecessary changes.

Signed-off-by: Marcus Burghardt
---
 .../accounts/accounts-pam/var_password_hashing_algorithm.var | 2 +-
 .../password_storage/var_password_pam_unix_rounds.var | 2 +-
 products/rhel8/profiles/anssi_bp28_enhanced.profile | 2 ++
 products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
 products/rhel8/profiles/anssi_bp28_intermediary.profile | 2 ++
 products/rhel8/profiles/anssi_bp28_minimal.profile | 2 ++
 products/rhel9/profiles/anssi_bp28_enhanced.profile | 2 ++
 products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
 products/rhel9/profiles/anssi_bp28_intermediary.profile | 2 ++
 products/rhel9/profiles/anssi_bp28_minimal.profile | 2 ++
 10 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
index 59e7047bb6b..a7ca858e731 100644
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
@@ -16,4 +16,4 @@ options:
 default: SHA512
 SHA512: SHA512
 SHA256: SHA256
- yescrypt: yescrypt
+ yescrypt: YESCRYPT
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var
index d2b1522a646..5dd4c7d7c19 100644
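Review bot: The `yescrypt` option value changes case from `yescrypt` to `YESCRYPT` on the last line of this hunk, yet the commit message only describes switching the RHEL profiles to SHA512, so the reason for this line is unstated; presumably it is to match the `SHA512`/`SHA256` spellings of the sibling options. pam_unix.so itself takes the lower-case token `yescrypt`, so any check or remediation that writes or compares this variable verbatim against `/etc/pam.d/*` without normalising case would see a behaviour change here, whereas `ENCRYPT_METHOD` in `/etc/login.defs` takes upper-case tokens — worth confirming the consuming rules lower-case the value where the PAM form is needed. A sentence in the commit message, or a note in the var's description such as `# option values are upper-case; rules lower-case them where pam_unix.so requires it`, would record the expectation for maintainers.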
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var
@@ -3,7 +3,7 @@ documentation_complete: true
 title: Password Hashing algorithm
 description: |-
- Specify the number of SHA rounds for the system password encryption algorithm.
+ Specify the number of rounds for the system password encryption algorithm.
 Defines the value set in /etc/pam.d/system-auth and /etc/pam.d/password-auth
 type: number
diff --git a/products/rhel8/profiles/anssi_bp28_enhanced.profile b/products/rhel8/profiles/anssi_bp28_enhanced.profile
index b2a2419ee21..e7e8bd2f937 100644
--- a/products/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/products/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -21,6 +21,8 @@ description: |-
 selections:
 - anssi:all:enhanced
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 - '!timer_logrotate_enabled'
 # Following rules once had a prodtype incompatible with the rhel8 product
 - '!cracklib_accounts_password_pam_minlen'
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
index 12bd1563827..e0c3140ea84 100644
--- a/products/rhel8/profiles/anssi_bp28_high.profile
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -21,6 +21,8 @@ description: |-
 selections:
 - anssi:all:high
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # the following rule renders UEFI systems unbootable
 - '!sebool_secure_mode_insmod'
 - '!timer_logrotate_enabled'
diff --git a/products/rhel8/profiles/anssi_bp28_intermediary.profile b/products/rhel8/profiles/anssi_bp28_intermediary.profile
index f99e4622afd..091b2567347 100644
--- a/products/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/products/rhel8/profiles/anssi_bp28_intermediary.profile
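Review bot: The reworded description on the added line still says `password encryption algorithm`, although the file's own title is `Password Hashing algorithm` and pam_unix.so hashes rather than encrypts passwords; `Specify the number of rounds for the system password hashing algorithm.` would keep the terminology consistent. Since the word `SHA` was dropped to make the variable algorithm-neutral, the description would also benefit from a sentence stating that the meaning of `rounds` depends on the algorithm chosen through `var_password_hashing_algorithm` — an iteration count for SHA-256/SHA-512, but interpreted by pam_unix.so on a much smaller cost scale for yescrypt (confirm against pam_unix(8)) — because the profiles in this commit pin `65536` alongside SHA512.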
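Review bot: The two added selections in the rhel8 enhanced profile override whatever values the `anssi:all:enhanced` control selection carries (presumably yescrypt, given the commit message), but nothing in the profile records why; a later cleanup could drop them as redundant with the var's own `default: SHA512`, so a comment such as `# ANSSI BP-028 accepts sha512 or yescrypt; keep the RHEL default sha512 to avoid unnecessary changes` above the pair would preserve the rationale. The same two lines are pasted into the seven sibling profiles (rhel8 high/intermediary/minimal and the four rhel9 profiles), so a future change to the rounds value has to be made in eight places; if the project's control-file or per-product mechanism allows expressing the pair once, that would be preferable. Note also that the two values are coupled: `65536` is meaningful as an SHA-512 iteration count, and a tailoring that switches `var_password_hashing_algorithm` back to yescrypt while inheriting this rounds value would have pam_unix.so interpret `rounds` differently, which the comment should mention.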
@@ -21,6 +21,8 @@ description: |-
 selections:
 - anssi:all:intermediary
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # Following rules once had a prodtype incompatible with the rhel8 product
 - '!cracklib_accounts_password_pam_minlen'
 - '!accounts_passwords_pam_tally2_deny_root'
diff --git a/products/rhel8/profiles/anssi_bp28_minimal.profile b/products/rhel8/profiles/anssi_bp28_minimal.profile
index aa606b38baa..c07e2651dff 100644
--- a/products/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/products/rhel8/profiles/anssi_bp28_minimal.profile
@@ -21,6 +21,8 @@ description: |-
 selections:
 - anssi:all:minimal
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # Following rules once had a prodtype incompatible with the rhel8 product
 - '!cracklib_accounts_password_pam_minlen'
 - '!accounts_passwords_pam_tally2_deny_root'
diff --git a/products/rhel9/profiles/anssi_bp28_enhanced.profile b/products/rhel9/profiles/anssi_bp28_enhanced.profile
index a85a8412007..06d0a1185d4 100644
--- a/products/rhel9/profiles/anssi_bp28_enhanced.profile
+++ b/products/rhel9/profiles/anssi_bp28_enhanced.profile
@@ -21,6 +21,8 @@ description: |-
 selections:
 - anssi:all:enhanced
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # Following rules once had a prodtype incompatible with the rhel9 product
 - '!partition_for_opt'
 - '!accounts_passwords_pam_tally2_deny_root'
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
index 6a0d74b6138..f94f706a42d 100644
--- a/products/rhel9/profiles/anssi_bp28_high.profile
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -21,6 +21,8 @@ description: |-
 selections:
 - anssi:all:high
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # the following rule renders UEFI systems unbootable
 - '!sebool_secure_mode_insmod'
 # Following rules once had a prodtype incompatible with the rhel9 product
diff --git a/products/rhel9/profiles/anssi_bp28_intermediary.profile b/products/rhel9/profiles/anssi_bp28_intermediary.profile
index 6ea26cae699..3444fb82868 100644
--- a/products/rhel9/profiles/anssi_bp28_intermediary.profile
+++ b/products/rhel9/profiles/anssi_bp28_intermediary.profile
@@ -21,6 +21,8 @@ description: |-
 selections:
 - anssi:all:intermediary
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # Following rules once had a prodtype incompatible with the rhel9 product
 - '!partition_for_opt'
 - '!cracklib_accounts_password_pam_minlen'
diff --git a/products/rhel9/profiles/anssi_bp28_minimal.profile b/products/rhel9/profiles/anssi_bp28_minimal.profile
index b58ee599046..9d739a5c029 100644
--- a/products/rhel9/profiles/anssi_bp28_minimal.profile
+++ b/products/rhel9/profiles/anssi_bp28_minimal.profile
@@ -21,6 +21,8 @@ description: |-
 selections:
 - anssi:all:minimal
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # Following rules once had a prodtype incompatible with the rhel9 product
 - '!cracklib_accounts_password_pam_minlen'
 - '!accounts_passwords_pam_tally2_deny_root'