Merge pull request #12948 from vojtapolasek/rhel8_stig_update_rounds

rhel8 STIG: update password hashing rounds

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/ansible/shared.yml

@@ -4,16 +4,48 @@
 # complexity = low
 # disruption = low
 
+{{{ ansible_instantiate_variables("var_password_hashing_min_rounds_login_defs") }}}
+
+- name: "{{{ rule_title }}} - extract contents of the file /etc/login.defs"
+  ansible.builtin.slurp:
+    src: "/etc/login.defs"
+  register: etc_login_defs
+
+- name: "{{{ rule_title }}} - extract the value of SHA_CRYPT_MIN_ROUNDS if present"
+  ansible.builtin.set_fact:
+    etc_login_defs_sha_crypt_min_rounds: "{{ etc_login_defs['content'] | b64decode | regex_search('^\\s*SHA_CRYPT_MIN_ROUNDS\\s+(\\d+)', '\\1', multiline=True) | default([], true) }}"
+
+- name: "{{{ rule_title }}} - extract the value of SHA_CRYPT_MAX_ROUNDS if present"
+  ansible.builtin.set_fact:
+    etc_login_defs_sha_crypt_max_rounds: "{{ etc_login_defs['content'] | b64decode | regex_search('^\\s*SHA_CRYPT_MAX_ROUNDS\\s+(\\d+)', '\\1', multiline=True) | default([], true) }}"
+
 - name: "{{{ rule_title }}} - Ensure SHA_CRYPT_MIN_ROUNDS has Minimum Value of 5000"
   ansible.builtin.replace:
     path: /etc/login.defs
     regexp: '(^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)'
-    replace: '\g<1>5000\g<2>'
+    replace: '\g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>'
     backup: no
+  when: etc_login_defs_sha_crypt_min_rounds | length > 0 and etc_login_defs_sha_crypt_min_rounds | first | int < var_password_hashing_min_rounds_login_defs | int
 
 - name: "{{{ rule_title }}} - Ensure SHA_CRYPT_MAX_ROUNDS has Minimum Value of 5000"
   ansible.builtin.replace:
     path: /etc/login.defs
     regexp: '(^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)'
-    replace: '\g<1>5000\g<2>'
+    replace: '\g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>'
     backup: no
+  when: etc_login_defs_sha_crypt_max_rounds | length > 0 and etc_login_defs_sha_crypt_max_rounds | first | int < var_password_hashing_min_rounds_login_defs | int
+
+- name: "{{ rule_title }} - SHA_CRYPT_MIN_ROUNDS add configuration if not found"
+  ansible.builtin.lineinfile:
+    line: "SHA_CRYPT_MIN_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}"
+    path: /etc/login.defs
+    state: present
+  when: etc_login_defs_sha_crypt_min_rounds | length == 0
+
+- name: "{{ rule_title }} - SHA_CRYPT_MAX_ROUNDS add configuration if not found"
+  ansible.builtin.lineinfile:
+    line: "SHA_CRYPT_MAX_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}"
+    path: /etc/login.defs
+    state: present
+  when: etc_login_defs_sha_crypt_max_rounds | length == 0
+

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/bash/shared.sh

@@ -1,7 +1,9 @@
 # platform = multi_platform_all
 
+{{{ bash_instantiate_variables("var_password_hashing_min_rounds_login_defs") }}}
+
 {{{ set_config_file(path="/etc/login.defs",
                     parameter="SHA_CRYPT_MIN_ROUNDS",
-                    value="5000",
+                    value="$var_password_hashing_min_rounds_login_defs",
                     separator=" ",
                     separator_regex="\s*") }}}

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/oval/shared.xml

@@ -3,17 +3,31 @@
     {{{ oval_metadata("The password hashing minimum rounds should be set correctly in /etc/login.defs.", title="Set Password Hashing Minimum Rounds in /etc/login.defs") }}}
     <criteria operator="AND">
         <criteria operator="OR">
-          <criterion test_ref="test_etc_login_defs_sha_crypt_min_rounds_default" />
+          <criteria operator="AND">
+            <criterion test_ref="test_etc_login_defs_sha_crypt_min_rounds_default" />
+            <criterion test_ref="test_var_password_hashing_min_rounds_login_defs_le_5000" />
+          </criteria>
           <criterion test_ref="test_etc_login_defs_sha_crypt_min_rounds_present" />
         </criteria>
         <criteria operator="OR">
-          <criterion test_ref="test_etc_login_defs_sha_crypt_max_rounds_default" />
+          <criteria operator="AND">
+            <criterion test_ref="test_var_password_hashing_min_rounds_login_defs_le_5000" />
+            <criterion test_ref="test_etc_login_defs_sha_crypt_max_rounds_default" />
+          </criteria>
           <criterion test_ref="test_etc_login_defs_sha_crypt_min_rounds_default" negate="true"/>
           <criterion test_ref="test_etc_login_defs_sha_crypt_max_rounds_present" />
         </criteria>
     </criteria>
   </definition>
 
+  <local_variable id="local_var_password_hashing_min_rounds_login_defs"
+  comment="variable storing number of password hashing rounds"
+  datatype="int" version="1">
+      <variable_component var_ref="var_password_hashing_min_rounds_login_defs" />
+  </local_variable>
+
+  <external_variable comment="Variable defining the value the argument should have" datatype="int" id="var_password_hashing_min_rounds_login_defs" version="1" />
+
   <ind:textfilecontent54_test id="test_etc_login_defs_sha_crypt_min_rounds_default" check="all" check_existence="none_exist" comment="SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value" version="1">
     <ind:object object_ref="object_etc_login_defs_sha_crypt_min_rounds_default" />
   </ind:textfilecontent54_test>
@@ -54,7 +68,22 @@
 
   <ind:textfilecontent54_state id="state_etc_login_defs_sha_crypt_rounds"
   comment="Rounds should be set to more than 5000" version="1">
-    <ind:subexpression datatype="int" operation="greater than or equal">5000</ind:subexpression>
+    <ind:subexpression datatype="int" operation="greater than or equal" var_ref="local_var_password_hashing_min_rounds_login_defs" />
   </ind:textfilecontent54_state>
 
+  <ind:variable_test check="all" check_existence="all_exist"
+  comment="Check if the variable is set to 5000 or lower"
+  id="test_var_password_hashing_min_rounds_login_defs_le_5000" version="1">
+    <ind:object object_ref="object_var_password_hashing_min_rounds_login_defs_le_5000" />
+    <ind:state state_ref="state_var_password_hashing_min_rounds_login_defs_le_5000" />
+  </ind:variable_test>
+
+  <ind:variable_object id="object_var_password_hashing_min_rounds_login_defs_le_5000" version="1">
+    <ind:var_ref>local_var_password_hashing_min_rounds_login_defs</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:variable_state id="state_var_password_hashing_min_rounds_login_defs_le_5000" version="1">
+    <ind:value operation="less than or equal" datatype="int">5000</ind:value>
+  </ind:variable_state>
+
 </def-group>

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/policy/stig/shared.yml

@@ -11,12 +11,12 @@ checktext: |-
 
     $ grep -i sha_crypt /etc/login.defs
 
-    If "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is less than "5000", this is a finding.
+    If "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is less than "{{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}", this is a finding.
 
 fixtext: |-
     Configure {{{ full_name }}} to encrypt all stored passwords with a strong cryptographic hash.
 
-    Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000":
+    Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "{{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}":
 
-    SHA_CRYPT_MIN_ROUNDS 5000
+    SHA_CRYPT_MIN_ROUNDS {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}
 

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml

@@ -5,12 +5,12 @@ title: 'Set Password Hashing Rounds in /etc/login.defs'
 
 description: |-
     In <tt>/etc/login.defs</tt>, ensure <tt>SHA_CRYPT_MIN_ROUNDS</tt> and
-    <tt>SHA_CRYPT_MAX_ROUNDS</tt> has the minimum value of <tt>5000</tt>.
+    <tt>SHA_CRYPT_MAX_ROUNDS</tt> has the minimum value of <tt>{{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}</tt>.
     For example:
-    <pre>SHA_CRYPT_MIN_ROUNDS 5000
-    SHA_CRYPT_MAX_ROUNDS 5000</pre>
+    <pre>SHA_CRYPT_MIN_ROUNDS {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}
+    SHA_CRYPT_MAX_ROUNDS {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}</pre>
     Notice that if neither are set, they already have the default value of 5000.
-    If either is set, they must have the minimum value of 5000.
+    If either is set, they must have the minimum value of {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}.
 
 rationale: |-
     Passwords need to be protected at all times, and encryption is the standard
@@ -43,9 +43,9 @@ references:
 ocil_clause: 'it does not'
 
 ocil: |-
-    Inspect <tt>/etc/login.defs</tt> and ensure that if eihter
+    Inspect <tt>/etc/login.defs</tt> and ensure that if either
     <tt>SHA_CRYPT_MIN_ROUNDS</tt> or <tt>SHA_CRYPT_MAX_ROUNDS</tt>
-    are set, they must have the minimum value of <tt>5000</tt>.
+    are set, they must have the minimum value of <tt>{{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}</tt>.
 
 srg_requirement: '{{{ full_name }}} shadow password suite must be configured to use a sufficient number of hashing rounds.'
 
@@ -54,4 +54,4 @@ fixtext: |-
 
     Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000":
 
-    SHA_CRYPT_MIN_ROUNDS 5000
+    SHA_CRYPT_MIN_ROUNDS {{{ xccdf_value("var_password_hashing_min_rounds_login_defs") }}}

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/tests/correct_values.pass.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# variables = var_password_hashing_min_rounds_login_defs=5000
 
 echo "SHA_CRYPT_MIN_ROUNDS 5000" > "/etc/login.defs"
 echo "SHA_CRYPT_MAX_ROUNDS 5000" >> "/etc/login.defs"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/tests/missing_max_parameter.pass.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# variables = var_password_hashing_min_rounds_login_defs=5000
 
 # Default values are 5000 if the parameters are not defined.
 echo "SHA_CRYPT_MIN_ROUNDS 5000" > "/etc/login.defs"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/tests/missing_min_parameter.pass.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# variables = var_password_hashing_min_rounds_login_defs=5000
 
 # Default values are 5000 if the parameters are not defined.
 echo "SHA_CRYPT_MAX_ROUNDS 5000" > "/etc/login.defs"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/tests/missing_min_parameter_higher_value.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# variables = var_password_hashing_min_rounds_login_defs=100000
+
+# Default values are 5000 if the parameters are not defined.
+echo "SHA_CRYPT_MAX_ROUNDS 5000" > "/etc/login.defs"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/tests/missing_parameters.pass.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# variables = var_password_hashing_min_rounds_login_defs=5000
 
 # Default values are 5000 if the parameters are not defined.
 truncate -s 0 "/etc/login.defs"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/tests/missing_parameters_higher_value.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# variables = var_password_hashing_min_rounds_login_defs=100000
+
+# Default values are 5000 if the parameters are not defined.
+truncate -s 0 "/etc/login.defs"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/tests/only_max_value_wrong.pass.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# variables = var_password_hashing_min_rounds_login_defs=5000
 
 echo "SHA_CRYPT_MIN_ROUNDS 5000" > "/etc/login.defs"
 echo "SHA_CRYPT_MAX_ROUNDS 4999" >> "/etc/login.defs"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/tests/only_min_value_wrong.fail.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# variables = var_password_hashing_min_rounds_login_defs=5000
 
 echo "SHA_CRYPT_MIN_ROUNDS 4999" > "/etc/login.defs"
 echo "SHA_CRYPT_MAX_ROUNDS 5000" >> "/etc/login.defs"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/tests/wrong_values.fail.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# variables = var_password_hashing_min_rounds_login_defs=5000
 
 echo "SHA_CRYPT_MIN_ROUNDS 4999" > "/etc/login.defs"
 echo "SHA_CRYPT_MAX_ROUNDS 4999" >> "/etc/login.defs"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/var_password_hashing_min_rounds_login_defs.var

@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: "Minimum number of password hashing rounds configured through /etc/login.defs"
+
+description: |-
+    Minimum number of password hashing rounds configured through /etc/login.defs
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+    default: 5000
+    "5000": 5000
+    "100000": 100000