
Change default hashing algorithm settings in ANSSI profiles for RHEL #12127

Merged
merged 1 commit into from
Jul 4, 2024

Conversation

marcusburghardt
Member

Description:

ANSSI allows two hashing algorithms with pam_unix.so: sha512 and yescrypt.
Currently, RHEL products use sha512 by default, which is already compliant.
Therefore, the respective ANSSI profiles were updated to check for sha512 values instead of yescrypt.
This will better align to system default settings and avoid unnecessary changes.

Rationale:

Review Hints:

After applying the remediation for the accounts_password_pam_unix_rounds_system_auth rule from the ANSSI profiles for RHEL, the number of rounds configured for pam_unix.so in /etc/pam.d/system-auth is now appropriate for sha512.

The most relevant variable is var_password_pam_unix_rounds, but I also updated the var_password_hashing_algorithm variable option to ensure /etc/login.defs is also aligned with default settings.

ANSSI allows two hashing algorithms with pam_unix.so, sha512 and
yescrypt. Currently, RHEL products use sha512 by default, which is
already compliant so the respective ANSSI profiles were updated to
check for sha512 instead of yescrypt. This will better align to system
default settings and avoid unnecessary changes.

Signed-off-by: Marcus Burghardt <[email protected]>
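The two files the description mentions, /etc/pam.d/system-auth (the pam_unix.so algorithm and rounds= option) and /etc/login.defs (ENCRYPT_METHOD), have to agree on the hashing algorithm, or shadow-utils and PAM end up hashing new passwords differently. The script below is an added example written for this page, not ComplianceAsCode content or the project's OVAL/remediation logic: it checks that the password-phase pam_unix.so line names an expected algorithm with an explicit rounds= value at or above a threshold, and that the last uncommented ENCRYPT_METHOD line names the same algorithm. The function names, the sample file contents and the 65536 rounds threshold are all constructed for the demonstration and are not the values the ANSSI profile sets.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode content: a minimal consistency check for
# the two settings this PR touches. Sample files and the 65536 threshold are
# constructed for the demonstration, not taken from the ANSSI profile.

# check_pam_hash FILE ALGO MIN_ROUNDS
# Prints "ok" and returns 0 when the first "password ... pam_unix.so" line in
# FILE uses ALGO with rounds >= MIN_ROUNDS; otherwise prints the reason and
# returns 1.
check_pam_hash() {
  file=$1
  algo=$2
  min_rounds=$3
  # The control field may be a single word or a bracketed [...] expression;
  # whitespace is collapsed so tabs and spaces compare the same way.
  line=$(grep -E '^password[[:space:]]+(\[[^]]*\]|[^[:space:]]+)[[:space:]]+pam_unix\.so' "$file" \
         | head -n 1 | tr -s '[:space:]' ' ') || true
  if [ -z "$line" ]; then
    echo "no password pam_unix.so line"
    return 1
  fi
  case " $line " in
    *" $algo "*) ;;
    *) echo "pam_unix.so does not use $algo"; return 1 ;;
  esac
  rounds=$(printf '%s\n' "$line" | sed -n 's/.* rounds=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$rounds" ]; then
    echo "pam_unix.so has no rounds= option"
    return 1
  fi
  if [ "$rounds" -lt "$min_rounds" ]; then
    echo "rounds=$rounds is below $min_rounds"
    return 1
  fi
  echo ok
}

# check_login_defs FILE ALGO
# Prints "ok" and returns 0 when the last uncommented ENCRYPT_METHOD line in
# FILE names ALGO (login.defs spells the method in upper case, e.g. SHA512).
check_login_defs() {
  file=$1
  algo=$2
  method=$(sed -n 's/^[[:space:]]*ENCRYPT_METHOD[[:space:]]\{1,\}\([A-Za-z0-9]*\).*/\1/p' "$file" | tail -n 1)
  if [ -z "$method" ]; then
    echo "ENCRYPT_METHOD not set"
    return 1
  fi
  if [ "$(printf '%s' "$method" | tr '[:upper:]' '[:lower:]')" != "$algo" ]; then
    echo "ENCRYPT_METHOD is $method, expected $algo"
    return 1
  fi
  echo ok
}

# check_hash_consistency PAMFILE DEFSFILE ALGO MIN_ROUNDS
# Both files must agree on ALGO; prints "ok" or the failing reasons.
check_hash_consistency() {
  pam_result=$(check_pam_hash "$1" "$3" "$4") || true
  defs_result=$(check_login_defs "$2" "$3") || true
  if [ "$pam_result" = ok ] && [ "$defs_result" = ok ]; then
    echo ok
    return 0
  fi
  echo "$1: $pam_result; $2: $defs_result"
  return 1
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: a RHEL-style system-auth after a sha512 rounds remediation.
cat > "$SAMPLE_DIR/system-auth.sha512" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok rounds=65536
password    required      pam_deny.so
EOF
# Constructed sample: the pre-fix state, yescrypt selected instead of sha512.
cat > "$SAMPLE_DIR/system-auth.yescrypt" <<'EOF'
password    sufficient    pam_unix.so yescrypt shadow try_first_pass use_authtok rounds=11
EOF
# Constructed sample: right algorithm, but no explicit rounds= option.
cat > "$SAMPLE_DIR/system-auth.norounds" <<'EOF'
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
printf 'ENCRYPT_METHOD SHA512\n' > "$SAMPLE_DIR/login.defs.sha512"
printf 'ENCRYPT_METHOD YESCRYPT\n' > "$SAMPLE_DIR/login.defs.yescrypt"

for f in system-auth.sha512 system-auth.yescrypt system-auth.norounds; do
  echo "$f: $(check_pam_hash "$SAMPLE_DIR/$f" sha512 65536 || true)"
done
for f in login.defs.sha512 login.defs.yescrypt; do
  echo "$f: $(check_login_defs "$SAMPLE_DIR/$f" sha512 || true)"
done
echo "consistent: $(check_hash_consistency "$SAMPLE_DIR/system-auth.sha512" "$SAMPLE_DIR/login.defs.sha512" sha512 65536 || true)"
```

On a real host the same functions would be pointed at /etc/pam.d/system-auth (and password-auth) and /etc/login.defs, with the threshold set to whatever the chosen profile prescribes; the script deliberately treats a missing rounds= option as a failure, since the pam_unix.so default then applies rather than the profile's value.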
@marcusburghardt marcusburghardt added the bugfix Fixes to reported bugs. label Jul 4, 2024
@marcusburghardt marcusburghardt added this to the 0.1.74 milestone Jul 4, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 4, 2024

openshift-ci bot commented Jul 4, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@marcusburghardt marcusburghardt marked this pull request as ready for review July 4, 2024 08:01
@marcusburghardt marcusburghardt requested a review from a team as a code owner July 4, 2024 08:01
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 4, 2024
@marcusburghardt marcusburghardt added the ANSSI ANSSI Benchmark related. label Jul 4, 2024

github-actions bot commented Jul 4, 2024

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod


github-actions bot commented Jul 4, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12127
This image was built from commit: 0effad1

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12127

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12127 make deploy-local


codeclimate bot commented Jul 4, 2024

Code Climate has analyzed commit 0effad1 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@vojtapolasek vojtapolasek self-assigned this Jul 4, 2024
Collaborator

@vojtapolasek vojtapolasek left a comment


LGTM, thank you.
I am waiving the failing test; the test fails on the OL7 container while the changes are related to RHEL 8 and 9.

@vojtapolasek vojtapolasek merged commit f913f5b into ComplianceAsCode:master Jul 4, 2024
93 of 94 checks passed
@marcusburghardt marcusburghardt deleted the anssi_rounds branch July 4, 2024 11:11
Labels
ANSSI ANSSI Benchmark related. bugfix Fixes to reported bugs.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ANSSI profile configures unsupported password hashing algorithm on RHEL 8
2 participants