RHEL 10 SRG GPOS PAM Hashing Update #13421
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Skipping CI for Draft Pull Request. |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
@@ -19,10 +19,10 @@
SRG-OS-000120-GPOS-00061
[rationale]:
-Passwords need to be protected at all times, and encryption is the standard
-method for protecting passwords. If passwords are not encrypted, they can
+Passwords need to be protected at all times, and hashing is the standard
+method for protecting passwords. If passwords are not hashed, they can
be plainly read (i.e., clear text) and easily compromised. Passwords
-that are encrypted with a weak algorithm are no more protected than if
+that are hashed with a weak algorithm are no more protected than if
they are kept in plain text.
|
…SRG GPOS These rules don't work well with yescript.
2f641ee to
9e5d6ff
Compare
jan-cerny
requested changes
May 2, 2025
Comment on lines
6
to
7
| In <tt>/etc/login.defs</tt>, ensure <tt>YESCRYPT_COST_FACTOR</tt> and | ||
| <tt>YESCRYPT_COST_FACTOR</tt> has the minimum value of <tt>{{{ xccdf_value("var_password_yescrypt_cost_factor_login_defs") }}}</tt>. |
There was a problem hiding this comment.
Why is YESCRYPT_COST_FACTOR written twice here?
| <pre>YESCRYPT_COST_FACTOR {{{ xccdf_value("var_password_yescrypt_cost_factor_login_defs") }}} | ||
| YESCRYPT_COST_FACTOR {{{ xccdf_value("var_password_yescrypt_cost_factor_login_defs") }}}</pre> |
|
|
||
| ocil: |- | ||
| Inspect <tt>/etc/login.defs</tt> and ensure that if either | ||
| <tt>YESCRYPT_COST_FACTOR</tt> or <tt>SHA_CRYPT_MAX_ROUNDS</tt> |
There was a problem hiding this comment.
Here we check 2 different keys but the templated OVAL checks only the first one.
9e5d6ff to
6398afe
Compare
|
Code Climate has analyzed commit 6398afe and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate. |
jan-cerny
approved these changes
May 5, 2025
There was a problem hiding this comment.
I have run the automatus tests locally.
jcerny@fedora:~/work/git/scap-security-guide (pr/13421)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 set_password_hashing_yescrypt_cost_factor_logindefs
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-05-05-0957/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_yescrypt_cost_factor_logindefs
INFO - Script commented_value.fail.sh using profile (all) OK
INFO - Script conflicting_values.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script missing_value.fail.sh using profile (all) OK
INFO - Script missing_file.fail.sh using profile (all) OK
INFO - Script duplicate_values.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/13421)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 --remediate-using ansible set_password_hashing_yescrypt_cost_factor_logindefs
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-05-05-1002/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_set_password_hashing_yescrypt_cost_factor_logindefs
INFO - Script conflicting_values.fail.sh using profile (all) OK
INFO - Script missing_value.fail.sh using profile (all) OK
INFO - Script missing_file.fail.sh using profile (all) OK
INFO - Script commented_value.fail.sh using profile (all) OK
INFO - Script duplicate_values.pass.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Move RHEL 10 to use yescrypt.
See each commit for more details.
Rationale:
Update content to match profiles.