Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Stabilization]: fix set_password_hashing_min_rounds_logindefs #12998

Merged
merged 2 commits into from
Feb 7, 2025
Merged

[Stabilization]: fix set_password_hashing_min_rounds_logindefs #12998

merged 2 commits into from
Feb 7, 2025

Conversation

vojtapolasek
Copy link
Collaborator

Description:

  • use correct variable in RHEL 8 STIG profiles
  • remove a variable which was not used in the profile but had a confusing name, suggesting that it is used with this rule
  • fix Ansible remediation of the rule so that it is more robust

Rationale:

  • remediation of the rule was not working properly
  • thanks to the wrong variable (default value) the content was not aligned with DISA

Review Hints:

  • remediate with Bash / Ansible and verify with the latest STIG SCAP content

@vojtapolasek
replace wrong variable with the correct one
89f5bbc 
in RHEL 8 STIG, there was a wrong variable used for the rule set_password_hashing_min_rounds_logindefs.
The variable was actually not included in the profile at all and therefore its default value of 5000 was used.
However, stig requires values of 100000.
Also, the variable var_password_pam_unix_rounds was used in the file, but in fact it is not used by any rule in the profile.It got removed to reduce confusion.
@vojtapolasek
fix ansible remediation
ffba247 
the regex was overly complicated and it did not match values as expected.
Also conditionals were enhanced so that they check if variables containing values slurped from the file actually exist at all.
@vojtapolasek vojtapolasek added bugfix Fixes to reported bugs. Ansible Ansible remediation update. backported-into-stabilization PRs which were cherry-picked during stabilization process. RHEL8 Red Hat Enterprise Linux 8 product related. STIG STIG Benchmark related. labels Feb 7, 2025
@vojtapolasek vojtapolasek added this to the 0.1.76 milestone Feb 7, 2025
@vojtapolasek vojtapolasek requested a review from a team as a code owner February 7, 2025 16:06
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 7, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
@@ -55,11 +55,12 @@
     has Minimum Value of 5000
   ansible.builtin.replace:
     path: /etc/login.defs
-    regexp: (^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)
+    regexp: (^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?:\d+)(.*$)
     replace: \g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>
     backup: false
-  when: etc_login_defs_sha_crypt_min_rounds | length > 0 and etc_login_defs_sha_crypt_min_rounds
-    | first | int < var_password_hashing_min_rounds_login_defs | int
+  when: etc_login_defs_sha_crypt_min_rounds is defined and etc_login_defs_sha_crypt_min_rounds
+    | length > 0 and etc_login_defs_sha_crypt_min_rounds | first | int < var_password_hashing_min_rounds_login_defs
+    | int
   tags:
   - CCE-89707-4
   - DISA-STIG-RHEL-08-010130
@@ -74,11 +75,12 @@
     has Minimum Value of 5000
   ansible.builtin.replace:
     path: /etc/login.defs
-    regexp: (^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)
+    regexp: (^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?:\d+)(.*$)
     replace: \g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>
     backup: false
-  when: etc_login_defs_sha_crypt_max_rounds | length > 0 and etc_login_defs_sha_crypt_max_rounds
-    | first | int < var_password_hashing_min_rounds_login_defs | int
+  when: etc_login_defs_sha_crypt_max_rounds is defined and etc_login_defs_sha_crypt_max_rounds
+    | length > 0 and etc_login_defs_sha_crypt_max_rounds | first | int < var_password_hashing_min_rounds_login_defs
+    | int
   tags:
   - CCE-89707-4
   - DISA-STIG-RHEL-08-010130
@@ -89,7 +91,8 @@
   - restrict_strategy
   - set_password_hashing_min_rounds_logindefs
 
-- name: '{{ rule_title }} - SHA_CRYPT_MIN_ROUNDS add configuration if not found'
+- name: Set Password Hashing Rounds in /etc/login.defs - SHA_CRYPT_MIN_ROUNDS add
+    configuration if not found
   ansible.builtin.lineinfile:
     line: SHA_CRYPT_MIN_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}
     path: /etc/login.defs
@@ -105,7 +108,8 @@
   - restrict_strategy
   - set_password_hashing_min_rounds_logindefs
 
-- name: '{{ rule_title }} - SHA_CRYPT_MAX_ROUNDS add configuration if not found'
+- name: Set Password Hashing Rounds in /etc/login.defs - SHA_CRYPT_MAX_ROUNDS add
+    configuration if not found
   ansible.builtin.lineinfile:
     line: SHA_CRYPT_MAX_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}
     path: /etc/login.defs

@Mab879 Mab879 self-assigned this Feb 7, 2025
@Mab879
Copy link
Member

Mab879 commented Feb 7, 2025

Waving Automatus tests as they are only failing due missing tests.

@Mab879 Mab879 merged commit 6a3228c into ComplianceAsCode:stabilization-v0.1.76 Feb 7, 2025
93 of 96 checks passed
@vojtapolasek vojtapolasek mentioned this pull request Feb 10, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mab879 Mab879 Mab879 approved these changes

Assignees

@Mab879 Mab879

Labels
Ansible Ansible remediation update. backported-into-stabilization PRs which were cherry-picked during stabilization process. bugfix Fixes to reported bugs. RHEL8 Red Hat Enterprise Linux 8 product related. STIG STIG Benchmark related.
Projects
None yet
Milestone
0.1.76
Development

Successfully merging this pull request may close these issues.
2 participants
@vojtapolasek @Mab879