Rule `set_password_hashing_yescrypt_cost_factor_logindefs` fails SCAP validation (SRC-38-1) · Issue #13545 · ComplianceAsCode/content · GitHub
Rule set_password_hashing_yescrypt_cost_factor_logindefs fails SCAP validation (SRC-38-1) #13545


Open
evgenyz opened this issue Jun 6, 2025 · 3 comments
Labels
OVAL OVAL update. Related to the systems assessments. productization-issue Issue found in upstream stabilization process. RHEL Red Hat Enterprise Linux product related. RHEL10 Red Hat Enterprise Linux 10 product related. standards Benchmarks related. triaged

Comments

@evgenyz
Member
evgenyz commented Jun 6, 2025

Description of problem:

Valid SCAP content must correctly coerce XCCDF and OVAL datatypes for external variables. The variable var_password_yescrypt_cost_factor_login_defs is defined as number but imported in the set_password_hashing_yescrypt_cost_factor_logindefs as string because of the template (key_value_pair_in_file).

SCAP Security Guide Version:

master, stabilization-0.1.77

Operating System Version:

RHEL10

Steps to Reproduce:

  1. Build the content
  2. Run scapval

Actual Results:

SRC-38-1 failure.

Expected Results:

No SRC-38 failures.

Additional Information/Debugging Steps:

Resulting external variable definition that violates type coercion:

<oval-def:external_variable id="oval:ssg-var_password_yescrypt_cost_factor_login_defs:var:1" version="1" datatype="string" comment="Variable defining the value the argument should have"/>
@evgenyz evgenyz added RHEL Red Hat Enterprise Linux product related. OVAL OVAL update. Related to the systems assessments. standards Benchmarks related. RHEL10 Red Hat Enterprise Linux 10 product related. productization-issue Issue found in upstream stabilization process. labels Jun 6, 2025
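The mismatch described above (an XCCDF Value declared as `number` exported into an OVAL `external_variable` with `datatype="string"`) can be caught before scapval runs by walking every `check-export` and comparing the two declared types. The script below is an added example and is not part of ComplianceAsCode or scapval; it works on a split XCCDF file and OVAL file rather than a combined datastream (an assumption), the compatibility table is a simplified reading of the XCCDF-to-OVAL datatype mapping (also an assumption), and all element ids and sample XML are constructed for the demonstration. It also applies the two fixes from the discussion (retype the XCCDF Value to `string`, or declare the OVAL variable as `int` for a numeric comparison) to show that either one clears the finding.

```python
"""Added example: detect SRC-38-1 style datatype mismatches between XCCDF
<Value @type> and the OVAL <external_variable @datatype> it is exported to.
Assumes split XCCDF and OVAL files (not a datastream collection)."""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Assumed (simplified) coercion table: XCCDF Value type -> OVAL datatypes it may feed.
COMPATIBLE = {
    "number": {"int", "float"},
    "boolean": {"boolean"},
    "string": {"string", "evr_string", "version", "ipv4_address", "ipv6_address"},
}

# Constructed XCCDF sample: the cost-factor Value is a number but is exported to a
# variable that the constructed OVAL sample declares as string (the reported bug);
# the hash-method pair is consistent and must produce no finding.
XCCDF_SAMPLE = """<Benchmark xmlns="%s" id="xccdf_example_benchmark_1">
  <Value id="xccdf_example_value_cost_factor" type="number"><value>5</value></Value>
  <Value id="xccdf_example_value_hash_method" type="string"><value>YESCRYPT</value></Value>
  <Rule id="xccdf_example_rule_cost_factor">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-export value-id="xccdf_example_value_cost_factor"
                    export-name="oval:example-var_cost_factor:var:1"/>
      <check-export value-id="xccdf_example_value_hash_method"
                    export-name="oval:example-var_hash_method:var:1"/>
      <check-content-ref href="oval.xml" name="oval:example-cost_factor:def:1"/>
    </check>
  </Rule>
</Benchmark>""" % XCCDF_NS

OVAL_SAMPLE = """<oval_definitions xmlns="%s">
  <variables>
    <external_variable id="oval:example-var_cost_factor:var:1" version="1"
        datatype="string" comment="Expected yescrypt cost factor (constructed)"/>
    <external_variable id="oval:example-var_hash_method:var:1" version="1"
        datatype="string" comment="Expected hashing method (constructed)"/>
  </variables>
</oval_definitions>""" % OVAL_NS


def q(ns, tag):
    """Clark-notation qualified tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def xccdf_value_types(xroot):
    # XCCDF 1.2 defaults a Value's @type to "string" when the attribute is omitted.
    return {v.get("id"): v.get("type", "string") for v in xroot.iter(q(XCCDF_NS, "Value"))}


def oval_variable_datatypes(oroot):
    return {v.get("id"): v.get("datatype") for v in oroot.iter(q(OVAL_NS, "external_variable"))}


def find_datatype_mismatches(xroot, oroot):
    """Return (value_id, var_id, xccdf_type, oval_datatype, reason) for every bad export."""
    value_types = xccdf_value_types(xroot)
    var_types = oval_variable_datatypes(oroot)
    findings = []
    for export in xroot.iter(q(XCCDF_NS, "check-export")):
        value_id, var_id = export.get("value-id"), export.get("export-name")
        xtype, otype = value_types.get(value_id), var_types.get(var_id)
        if xtype is None or otype is None:
            findings.append((value_id, var_id, xtype, otype, "dangling reference"))
        elif otype not in COMPATIBLE.get(xtype, set()):
            findings.append((value_id, var_id, xtype, otype, "incompatible datatype"))
    return findings


def set_xccdf_value_type(xroot, value_id, new_type):
    for v in xroot.iter(q(XCCDF_NS, "Value")):
        if v.get("id") == value_id:
            v.set("type", new_type)


def set_oval_variable_datatype(oroot, var_id, new_datatype):
    for v in oroot.iter(q(OVAL_NS, "external_variable")):
        if v.get("id") == var_id:
            v.set("datatype", new_datatype)


def check_sample(fix=None):
    """Run the check on the constructed sample; fix is None, "option1" or "option2"."""
    xroot, oroot = ET.fromstring(XCCDF_SAMPLE), ET.fromstring(OVAL_SAMPLE)
    if fix == "option1":    # easy way: declare the XCCDF Value as string
        set_xccdf_value_type(xroot, "xccdf_example_value_cost_factor", "string")
    elif fix == "option2":  # custom numeric OVAL: declare the variable as int
        set_oval_variable_datatype(oroot, "oval:example-var_cost_factor:var:1", "int")
    return find_datatype_mismatches(xroot, oroot)


def main(argv):
    if len(argv) == 3:  # usage: script.py xccdf.xml oval.xml
        findings = find_datatype_mismatches(ET.parse(argv[1]).getroot(),
                                            ET.parse(argv[2]).getroot())
    else:
        findings = check_sample()
    for f in findings:
        print("%s -> %s: XCCDF type %r vs OVAL datatype %r (%s)" % f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports the one constructed mismatch and exits non-zero; pass the built XCCDF and OVAL files to run it against real content. A `check-export` whose Value or variable cannot be resolved is reported as a dangling reference rather than silently skipped, since that is another way the same validation fails.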
@Mab879
Member
Mab879 commented Jun 6, 2025

There are two ways we would solve this.

  1. The easy way, set var_password_yescrypt_cost_factor_login_defs to string
  2. Create a custom oval that accounts for numbers. This would allow us to have smarter logic for allowing bigger cost factor than the variable is set to.

@evgenyz
Member Author
evgenyz commented Jun 8, 2025

Option 1 is good as a patch for the release, option 2 is the right way to do it. Another possible variety of option 2 is to introduce type and operation parameters to the template.

@Mab879
Member
Mab879 commented Jun 11, 2025

This rule is now removed from the STIG profile. It is now in the default profile only.

@Mab879 Mab879 added the triaged label Jun 12, 2025