Merge pull request #12948 from vojtapolasek/rhel8_stig_update_rounds
rhel8 STIG: update password hashing rounds
Mab879 authored Jan 31, 2025
2 parents 89453c5 + 2c80fa7 commit 24396fe
Showing 15 changed files with 113 additions and 16 deletions.
@@ -4,16 +4,48 @@
# complexity = low
# disruption = low

{{{ ansible_instantiate_variables("var_password_hashing_min_rounds_login_defs") }}}

- name: "{{{ rule_title }}} - extract contents of the file /etc/login.defs"
ansible.builtin.slurp:
src: "/etc/login.defs"
register: etc_login_defs

- name: "{{{ rule_title }}} - extract the value of SHA_CRYPT_MIN_ROUNDS if present"
ansible.builtin.set_fact:
etc_login_defs_sha_crypt_min_rounds: "{{ etc_login_defs['content'] | b64decode | regex_search('^\\s*SHA_CRYPT_MIN_ROUNDS\\s+(\\d+)', '\\1', multiline=True) | default([], true) }}"

- name: "{{{ rule_title }}} - extract the value of SHA_CRYPT_MAX_ROUNDS if present"
ansible.builtin.set_fact:
etc_login_defs_sha_crypt_max_rounds: "{{ etc_login_defs['content'] | b64decode | regex_search('^\\s*SHA_CRYPT_MAX_ROUNDS\\s+(\\d+)', '\\1', multiline=True) | default([], true) }}"

- name: "{{{ rule_title }}} - Ensure SHA_CRYPT_MIN_ROUNDS has Minimum Value of 5000"
ansible.builtin.replace:
path: /etc/login.defs
regexp: '(^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)'
replace: '\g<1>5000\g<2>'
replace: '\g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>'
backup: no
when: etc_login_defs_sha_crypt_min_rounds | length > 0 and etc_login_defs_sha_crypt_min_rounds | first | int < var_password_hashing_min_rounds_login_defs | int

- name: "{{{ rule_title }}} - Ensure SHA_CRYPT_MAX_ROUNDS has Minimum Value of 5000"
ansible.builtin.replace:
path: /etc/login.defs
regexp: '(^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)'
replace: '\g<1>5000\g<2>'
replace: '\g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>'
backup: no
when: etc_login_defs_sha_crypt_max_rounds | length > 0 and etc_login_defs_sha_crypt_max_rounds | first | int < var_password_hashing_min_rounds_login_defs | int

- name: "{{ rule_title }} - SHA_CRYPT_MIN_ROUNDS add configuration if not found"
ansible.builtin.lineinfile:
line: "SHA_CRYPT_MIN_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}"
path: /etc/login.defs
state: present
when: etc_login_defs_sha_crypt_min_rounds | length == 0

- name: "{{ rule_title }} - SHA_CRYPT_MAX_ROUNDS add configuration if not found"
ansible.builtin.lineinfile:
line: "SHA_CRYPT_MAX_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}"
path: /etc/login.defs
state: present
when: etc_login_defs_sha_crypt_max_rounds | length == 0
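Review bot: The `regexp` of the SHA_CRYPT_MIN_ROUNDS replace task still hardcodes the 5000 threshold in its negative lookahead `(?!(?:[5-9]\d{3,}|\d{5,}))`, so when the variable is above 5000 (the 100000 option) a configured value between 5000 and that threshold passes the `when` guard but never matches the pattern, and the task silently changes nothing; the SHA_CRYPT_MAX_ROUNDS task has the same lookahead. Since the `when` condition now does the numeric comparison, the pattern can simply be `regexp: '(^\s*SHA_CRYPT_MIN_ROUNDS\s+)\S*(\s*$)'` (and the MAX equivalent), and both task names should drop "Minimum Value of 5000". The two added lineinfile tasks use Jinja `{{ rule_title }}` where every other task uses the `{{{ rule_title }}}` build macro, so their names will reach Ansible untemplated; `{{{ rule_title }}}` is presumably intended. `backup: no` is a YAML 1.1 truthy spelling; `backup: false` is the canonical form.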

@@ -1,7 +1,9 @@
# platform = multi_platform_all

{{{ bash_instantiate_variables("var_password_hashing_min_rounds_login_defs") }}}

{{{ set_config_file(path="/etc/login.defs",
parameter="SHA_CRYPT_MIN_ROUNDS",
value="5000",
value="$var_password_hashing_min_rounds_login_defs",
separator=" ",
separator_regex="\s*") }}}
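Review bot: `set_config_file` writes `$var_password_hashing_min_rounds_login_defs` into SHA_CRYPT_MIN_ROUNDS regardless of the current value, so, if the macro replaces an existing setting unconditionally as its name suggests, a host already configured with a higher round count is lowered to the selected value, whereas the OVAL state accepts anything greater than or equal to it and the Ansible remediation only rewrites when the configured value is below it. A guard in the same spirit as the Ansible `when` (read the current SHA_CRYPT_MIN_ROUNDS value and call the macro only when it is absent or lower than the variable) would keep the two remediations consistent and avoid weakening a stronger setting. Only SHA_CRYPT_MIN_ROUNDS is handled here while the Ansible variant also corrects SHA_CRYPT_MAX_ROUNDS; that gap predates this change but matters more now that the threshold is configurable.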
@@ -3,17 +3,31 @@
{{{ oval_metadata("The password hashing minimum rounds should be set correctly in /etc/login.defs.", title="Set Password Hashing Minimum Rounds in /etc/login.defs") }}}
<criteria operator="AND">
<criteria operator="OR">
<criterion test_ref="test_etc_login_defs_sha_crypt_min_rounds_default" />
<criteria operator="AND">
<criterion test_ref="test_etc_login_defs_sha_crypt_min_rounds_default" />
<criterion test_ref="test_var_password_hashing_min_rounds_login_defs_le_5000" />
</criteria>
<criterion test_ref="test_etc_login_defs_sha_crypt_min_rounds_present" />
</criteria>
<criteria operator="OR">
<criterion test_ref="test_etc_login_defs_sha_crypt_max_rounds_default" />
<criteria operator="AND">
<criterion test_ref="test_var_password_hashing_min_rounds_login_defs_le_5000" />
<criterion test_ref="test_etc_login_defs_sha_crypt_max_rounds_default" />
</criteria>
<criterion test_ref="test_etc_login_defs_sha_crypt_min_rounds_default" negate="true"/>
<criterion test_ref="test_etc_login_defs_sha_crypt_max_rounds_present" />
</criteria>
</criteria>
</definition>

<local_variable id="local_var_password_hashing_min_rounds_login_defs"
comment="variable storing number of password hashing rounds"
datatype="int" version="1">
<variable_component var_ref="var_password_hashing_min_rounds_login_defs" />
</local_variable>

<external_variable comment="Variable defining the value the argument should have" datatype="int" id="var_password_hashing_min_rounds_login_defs" version="1" />

<ind:textfilecontent54_test id="test_etc_login_defs_sha_crypt_min_rounds_default" check="all" check_existence="none_exist" comment="SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value" version="1">
<ind:object object_ref="object_etc_login_defs_sha_crypt_min_rounds_default" />
</ind:textfilecontent54_test>
@@ -54,7 +68,22 @@

<ind:textfilecontent54_state id="state_etc_login_defs_sha_crypt_rounds"
comment="Rounds should be set to more than 5000" version="1">
<ind:subexpression datatype="int" operation="greater than or equal">5000</ind:subexpression>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="local_var_password_hashing_min_rounds_login_defs" />
</ind:textfilecontent54_state>

<ind:variable_test check="all" check_existence="all_exist"
comment="Check if the variable is set to 5000 or lower"
id="test_var_password_hashing_min_rounds_login_defs_le_5000" version="1">
<ind:object object_ref="object_var_password_hashing_min_rounds_login_defs_le_5000" />
<ind:state state_ref="state_var_password_hashing_min_rounds_login_defs_le_5000" />
</ind:variable_test>

<ind:variable_object id="object_var_password_hashing_min_rounds_login_defs_le_5000" version="1">
<ind:var_ref>local_var_password_hashing_min_rounds_login_defs</ind:var_ref>
</ind:variable_object>

<ind:variable_state id="state_var_password_hashing_min_rounds_login_defs_le_5000" version="1">
<ind:value operation="less than or equal" datatype="int">5000</ind:value>
</ind:variable_state>

</def-group>
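Review bot: The comment on `state_etc_login_defs_sha_crypt_rounds` still reads "Rounds should be set to more than 5000" although its subexpression now compares with `greater than or equal` against `local_var_password_hashing_min_rounds_login_defs`; suggest `comment="Rounds should be set to at least the value of var_password_hashing_min_rounds_login_defs"`. In the first hunk the two new AND groups list the same pair of criteria in opposite order (`_default` then `_le_5000` for MIN, `_le_5000` then `_default` for MAX); ordering them alike makes the symmetry easier to verify. The `_le_5000` variable_state relies on the built-in login.defs default, which deserves a comment next to its value, e.g. `<!-- 5000 is the default applied when the parameter is not set -->`.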
@@ -11,12 +11,12 @@ checktext: |-
$ grep -i sha_crypt /etc/login.defs
If "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is less than "5000", this is a finding.
If "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is less than "{{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}", this is a finding.
fixtext: |-
Configure {{{ full_name }}} to encrypt all stored passwords with a strong cryptographic hash.
Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000":
Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "{{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}":
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MIN_ROUNDS {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}
@@ -5,12 +5,12 @@ title: 'Set Password Hashing Rounds in /etc/login.defs'

description: |-
In <tt>/etc/login.defs</tt>, ensure <tt>SHA_CRYPT_MIN_ROUNDS</tt> and
<tt>SHA_CRYPT_MAX_ROUNDS</tt> has the minimum value of <tt>5000</tt>.
<tt>SHA_CRYPT_MAX_ROUNDS</tt> has the minimum value of <tt>{{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}</tt>.
For example:
<pre>SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000</pre>
<pre>SHA_CRYPT_MIN_ROUNDS {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}
SHA_CRYPT_MAX_ROUNDS {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}</pre>
Notice that if neither are set, they already have the default value of 5000.
If either is set, they must have the minimum value of 5000.
If either is set, they must have the minimum value of {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}.
rationale: |-
Passwords need to be protected at all times, and encryption is the standard
@@ -43,9 +43,9 @@ references:
ocil_clause: 'it does not'

ocil: |-
Inspect <tt>/etc/login.defs</tt> and ensure that if eihter
Inspect <tt>/etc/login.defs</tt> and ensure that if either
<tt>SHA_CRYPT_MIN_ROUNDS</tt> or <tt>SHA_CRYPT_MAX_ROUNDS</tt>
are set, they must have the minimum value of <tt>5000</tt>.
are set, they must have the minimum value of <tt>{{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}</tt>.
srg_requirement: '{{{ full_name }}} shadow password suite must be configured to use a sufficient number of hashing rounds.'

@@ -54,4 +54,4 @@ fixtext: |-
Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000":
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MIN_ROUNDS {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}
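Review bot: The description sentence `Notice that if neither are set, they already have the default value of 5000.` is now incomplete: with the variable above 5000 (the 100000 option) the built-in default no longer satisfies the rule, which is exactly what the OVAL `_le_5000` test encodes, yet the text still implies an unset parameter is acceptable. Suggest `Notice that if neither is set, the default value of 5000 applies, which satisfies this rule only when the selected minimum is 5000 or lower.` The `fixtext` hunk likewise only instructs the reader to set SHA_CRYPT_MIN_ROUNDS, so a reader with SHA_CRYPT_MAX_ROUNDS explicitly set below the threshold is left without a fix step; a second example line for SHA_CRYPT_MAX_ROUNDS would close that.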
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_min_rounds_login_defs=5000

echo "SHA_CRYPT_MIN_ROUNDS 5000" > "/etc/login.defs"
echo "SHA_CRYPT_MAX_ROUNDS 5000" >> "/etc/login.defs"
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_min_rounds_login_defs=5000

# Default values are 5000 if the parameters are not defined.
echo "SHA_CRYPT_MIN_ROUNDS 5000" > "/etc/login.defs"
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_min_rounds_login_defs=5000

# Default values are 5000 if the parameters are not defined.
echo "SHA_CRYPT_MAX_ROUNDS 5000" > "/etc/login.defs"
@@ -0,0 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_min_rounds_login_defs=100000

# Default values are 5000 if the parameters are not defined.
echo "SHA_CRYPT_MAX_ROUNDS 5000" > "/etc/login.defs"
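Review bot: The two new 100000-round scenarios only cover the unset-parameter case (SHA_CRYPT_MAX_ROUNDS set to 5000 with MIN unset here, an empty file in the other); no scenario exercises an explicitly configured value strictly between 5000 and the selected threshold, e.g. `echo "SHA_CRYPT_MIN_ROUNDS 6000" > "/etc/login.defs"` under `# variables = var_password_hashing_min_rounds_login_defs=100000`. That is the case where a remediation must raise a value that already exceeds the old fixed minimum, so adding it would verify the remediations against the configurable threshold rather than only against 5000.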
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_min_rounds_login_defs=5000

# Default values are 5000 if the parameters are not defined.
truncate -s 0 "/etc/login.defs"
@@ -0,0 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_min_rounds_login_defs=100000

# Default values are 5000 if the parameters are not defined.
truncate -s 0 "/etc/login.defs"
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_min_rounds_login_defs=5000

echo "SHA_CRYPT_MIN_ROUNDS 5000" > "/etc/login.defs"
echo "SHA_CRYPT_MAX_ROUNDS 4999" >> "/etc/login.defs"
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_min_rounds_login_defs=5000

echo "SHA_CRYPT_MIN_ROUNDS 4999" > "/etc/login.defs"
echo "SHA_CRYPT_MAX_ROUNDS 5000" >> "/etc/login.defs"
@@ -1,4 +1,5 @@
#!/bin/bash
# variables = var_password_hashing_min_rounds_login_defs=5000

echo "SHA_CRYPT_MIN_ROUNDS 4999" > "/etc/login.defs"
echo "SHA_CRYPT_MAX_ROUNDS 4999" >> "/etc/login.defs"
@@ -0,0 +1,17 @@
documentation_complete: true

title: "Minimum number of password hashing rounds configured through /etc/login.defs"

description: |-
Minimum number of password hashing rounds configured through /etc/login.defs

type: number

operator: equals

interactive: false

options:
default: 5000
"5000": 5000
"100000": 100000
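Review bot: `description` merely repeats the title; since the check treats an unset parameter as the built-in default of 5000, operators choosing a higher value should be told the consequence, e.g. `Minimum number of password hashing rounds (SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS) configured through /etc/login.defs. If neither parameter is set, the built-in default of 5000 applies, so values above 5000 require the parameters to be present.` The `"5000"` and `"100000"` option keys are quoted, which correctly keeps them as strings rather than integers.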
