RHEL 10 CIS: improve controls related to pwd hashing algos

controls/cis_rhel10.yml

@@ -2126,7 +2126,7 @@ controls:
       rules:
           - set_password_hashing_algorithm_systemauth
           - set_password_hashing_algorithm_passwordauth
-          - var_password_hashing_algorithm_pam=yescrypt
+          - var_password_hashing_algorithm_pam=cis_rhel10
 
     - id: 5.3.2.4.4
       title: Ensure pam_unix includes use_authtok (Automated)
@@ -2180,13 +2180,9 @@ controls:
           - l1_server
           - l1_workstation
       status: automated
-      notes: |-
-          There's a "new" set of options in /etc/login.defs file to define the number of iterations
-          performed during the hashing process.
       rules:
-          - set_password_hashing_algorithm_libuserconf
           - set_password_hashing_algorithm_logindefs
-          - var_password_hashing_algorithm=yescrypt
+          - var_password_hashing_algorithm=cis_rhel10
 
     - id: 5.4.1.5
       title: Ensure inactive password lock is configured (Automated)

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/ansible/shared.yml

@@ -7,7 +7,7 @@
 {{%- set pam_file="/etc/pam.d/password-auth" %}}
 
 {{{ ansible_instantiate_variables("var_password_hashing_algorithm_pam") }}}
-{{{ ansible_ensure_pam_module_configuration(pam_file, 'password', 'sufficient', 'pam_unix.so', '{{ var_password_hashing_algorithm_pam }}', '', '', rule_id=rule_id, rule_title=rule_title) }}}
+{{{ ansible_ensure_pam_module_configuration(pam_file, 'password', 'sufficient', 'pam_unix.so', '{{ var_password_hashing_algorithm_pam.split("|")[0] }}', '', '', rule_id=rule_id, rule_title=rule_title) }}}
 
 - name: '{{{ rule_title }}} - Check if {{{ pam_file }}} File is Present'
   ansible.builtin.stat:
@@ -29,7 +29,7 @@
         regexp: (^\s*password.*pam_unix\.so.*)\b{{ item }}\b\s*(.*)
         replace: '\1\2'
       when:
-        - item != var_password_hashing_algorithm_pam
+        - item != var_password_hashing_algorithm_pam.split('|')[0]
         - pam_file_path_present.stat.exists
       loop:
         - 'sha512'

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh

@@ -1,6 +1,10 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv,multi_platform_ol,multi_platform_almalinux
 
 {{{ bash_instantiate_variables("var_password_hashing_algorithm_pam") }}}
+
+# Allow multiple algorithms, but choose the first one for remediation
+var_password_hashing_algorithm_pam="$(echo $var_password_hashing_algorithm_pam | cut -d \| -f 1)"
+
 PAM_FILE_PATH="/etc/pam.d/password-auth"
 
 {{{ bash_ensure_pam_module_configuration("$PAM_FILE_PATH", 'password', 'sufficient', 'pam_unix.so', "$var_password_hashing_algorithm_pam", '', '') }}}

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml

@@ -24,10 +24,18 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_state id="state_set_password_hashing_algorithm_passwordauth" version="1">
-    <ind:subexpression operation="equals" datatype="string" var_ref="var_password_hashing_algorithm_pam"/>
+  <ind:textfilecontent54_state id="state_set_password_hashing_algorithm_passwordauth" version="2">
+    <ind:subexpression operation="pattern match" datatype="string" var_ref="var_password_hashing_algorithm_pam_regex"/>
   </ind:textfilecontent54_state>
 
+  <local_variable datatype="string" id="var_password_hashing_algorithm_pam_regex" version="1" comment="Limit regex">
+    <concat>
+      <literal_component>^</literal_component>
+      <variable_component var_ref="var_password_hashing_algorithm_pam"/>
+      <literal_component>$</literal_component>
+    </concat>
+  </local_variable>
+
   <external_variable id="var_password_hashing_algorithm_pam" datatype="string" version="1"
     comment="hashing algorithm for pam_unix.so"/>
 

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/multivalue.fail.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# packages = authselect
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+# variables = var_password_hashing_algorithm_pam=sha512|yescrypt
+
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
+
+# Test that having a different value fails
+var_password_hashing_algorithm_pam="sha256"
+declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blowfish" "sha256" "md5" "bigcrypt")
+
+for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
+    if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then
+        if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$CUSTOM_PASSWORD_AUTH"; then
+            sed -i -E --follow-symlinks "s/(.*password\s+.*\s+pam_unix.so.*)$hash_option\s*(.*)/\1\2/g" "$CUSTOM_PASSWORD_AUTH"
+        fi
+    fi
+done
+
+if ! $(grep -q "^\s*password.*sufficient.*pam_unix\.so.*$var_password_hashing_algorithm_pam" "$CUSTOM_PASSWORD_AUTH"); then
+    sed -i --follow-symlinks "/^password.*sufficient.*pam_unix\.so/ s/$/ $var_password_hashing_algorithm_pam/" "$CUSTOM_PASSWORD_AUTH"
+fi
+authselect apply-changes -b

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/multivalue.pass.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# packages = authselect
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+# variables = var_password_hashing_algorithm_pam=sha512|yescrypt
+
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
+
+# Test that having the second value in the multi-value variable passes
+var_password_hashing_algorithm_pam="yescrypt"
+declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blowfish" "sha256" "md5" "bigcrypt")
+
+for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
+    if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then
+        if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$CUSTOM_PASSWORD_AUTH"; then
+            sed -i -E --follow-symlinks "s/(.*password\s+.*\s+pam_unix.so.*)$hash_option\s*(.*)/\1\2/g" "$CUSTOM_PASSWORD_AUTH"
+        fi
+    fi
+done
+
+if ! $(grep -q "^\s*password.*sufficient.*pam_unix\.so.*$var_password_hashing_algorithm_pam" "$CUSTOM_PASSWORD_AUTH"); then
+    sed -i --follow-symlinks "/^password.*sufficient.*pam_unix\.so/ s/$/ $var_password_hashing_algorithm_pam/" "$CUSTOM_PASSWORD_AUTH"
+fi
+authselect apply-changes -b

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/multivalue2.pass.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# packages = authselect
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+# variables = var_password_hashing_algorithm_pam=sha512|yescrypt
+
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
+
+# Test that having the first value in the multi-value variable passes
+var_password_hashing_algorithm_pam="sha512"
+declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blowfish" "sha256" "md5" "bigcrypt")
+
+for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
+    if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then
+        if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$CUSTOM_PASSWORD_AUTH"; then
+            sed -i -E --follow-symlinks "s/(.*password\s+.*\s+pam_unix.so.*)$hash_option\s*(.*)/\1\2/g" "$CUSTOM_PASSWORD_AUTH"
+        fi
+    fi
+done
+
+if ! $(grep -q "^\s*password.*sufficient.*pam_unix\.so.*$var_password_hashing_algorithm_pam" "$CUSTOM_PASSWORD_AUTH"); then
+    sed -i --follow-symlinks "/^password.*sufficient.*pam_unix\.so/ s/$/ $var_password_hashing_algorithm_pam/" "$CUSTOM_PASSWORD_AUTH"
+fi
+authselect apply-changes -b

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/ansible/shared.yml

@@ -13,7 +13,7 @@
 {{%- endif %}}
 
 {{{ ansible_instantiate_variables("var_password_hashing_algorithm_pam") }}}
-{{{ ansible_ensure_pam_module_configuration(pam_file, 'password', control, 'pam_unix.so', '{{ var_password_hashing_algorithm_pam }}', '', '', rule_id=rule_id, rule_title=rule_title) }}}
+{{{ ansible_ensure_pam_module_configuration(pam_file, 'password', control, 'pam_unix.so', '{{ var_password_hashing_algorithm_pam.split("|")[0] }}', '', '', rule_id=rule_id, rule_title=rule_title) }}}
 
 - name: '{{{ rule_title }}} - Check if {{{ pam_file }}} File is Present'
   ansible.builtin.stat:
@@ -35,7 +35,7 @@
         regexp: (^\s*password.*pam_unix\.so.*)\b{{ item }}\b\s*(.*)
         replace: '\1\2'
       when:
-        - item != var_password_hashing_algorithm_pam
+        - item != var_password_hashing_algorithm_pam.split('|')[0]
         - pam_file_path_present.stat.exists
       loop:
         - 'sha512'

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh

@@ -2,6 +2,9 @@
 
 {{{ bash_instantiate_variables("var_password_hashing_algorithm_pam") }}}
 
+# Allow multiple algorithms, but choose the first one for remediation
+var_password_hashing_algorithm_pam="$(echo $var_password_hashing_algorithm_pam | cut -d \| -f 1)"
+
 {{% if 'sle' in product or 'slmicro' in product -%}}
 PAM_FILE_PATH="/etc/pam.d/common-password"
 {{% set control = "required" %}}

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml

@@ -49,10 +49,18 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_state id="state_pam_unix_hashing_algorithm_systemauth" version="1">
-    <ind:subexpression operation="equals" datatype="string" var_ref="var_password_hashing_algorithm_pam"/>
+  <ind:textfilecontent54_state id="state_pam_unix_hashing_algorithm_systemauth" version="2">
+    <ind:subexpression operation="pattern match" datatype="string" var_ref="var_password_hashing_algorithm_pam_regex"/>
   </ind:textfilecontent54_state>
 
+  <local_variable datatype="string" id="var_password_hashing_algorithm_pam_regex" version="1" comment="Limit regex">
+    <concat>
+      <literal_component>^</literal_component>
+      <variable_component var_ref="var_password_hashing_algorithm_pam"/>
+      <literal_component>$</literal_component>
+    </concat>
+  </local_variable>
+
   <external_variable id="var_password_hashing_algorithm_pam" datatype="string" version="1"
     comment="hashing algorithm for pam_unix.so"/>
 </def-group>

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/multivalue.fail.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# packages = authselect
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+# variables = var_password_hashing_algorithm_pam=sha512|yescrypt
+
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
+
+# Test that having a different value fails
+var_password_hashing_algorithm_pam="sha256"
+declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blowfish" "sha256" "md5" "bigcrypt")
+
+for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
+    if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then
+        if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$CUSTOM_SYSTEM_AUTH"; then
+            sed -i -E --follow-symlinks "s/(.*password\s+.*\s+pam_unix.so.*)$hash_option\s*(.*)/\1\2/g" "$CUSTOM_SYSTEM_AUTH"
+        fi
+    fi
+done
+
+if ! $(grep -q "^\s*password.*sufficient.*pam_unix\.so.*$var_password_hashing_algorithm_pam" "$CUSTOM_SYSTEM_AUTH"); then
+    sed -i --follow-symlinks "/^password.*sufficient.*pam_unix\.so/ s/$/ $var_password_hashing_algorithm_pam/" "$CUSTOM_SYSTEM_AUTH"
+fi
+authselect apply-changes -b

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/multivalue.pass.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# packages = authselect
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+# variables = var_password_hashing_algorithm_pam=sha512|yescrypt
+
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
+
+# Test that having the second value in the multi-value variable passes
+var_password_hashing_algorithm_pam="yescrypt"
+declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blowfish" "sha256" "md5" "bigcrypt")
+
+for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
+    if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then
+        if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$CUSTOM_SYSTEM_AUTH"; then
+            sed -i -E --follow-symlinks "s/(.*password\s+.*\s+pam_unix.so.*)$hash_option\s*(.*)/\1\2/g" "$CUSTOM_SYSTEM_AUTH"
+        fi
+    fi
+done
+
+if ! $(grep -q "^\s*password.*sufficient.*pam_unix\.so.*$var_password_hashing_algorithm_pam" "$CUSTOM_SYSTEM_AUTH"); then
+    sed -i --follow-symlinks "/^password.*sufficient.*pam_unix\.so/ s/$/ $var_password_hashing_algorithm_pam/" "$CUSTOM_SYSTEM_AUTH"
+fi
+authselect apply-changes -b

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/multivalue2.pass.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# packages = authselect
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
+# variables = var_password_hashing_algorithm_pam=sha512|yescrypt
+
+authselect create-profile hardening -b sssd
+CUSTOM_PROFILE="custom/hardening"
+authselect select $CUSTOM_PROFILE --force
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
+
+# Test that having the first value in the multi-value variable passes
+var_password_hashing_algorithm_pam="sha512"
+declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blowfish" "sha256" "md5" "bigcrypt")
+
+for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
+    if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then
+        if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$CUSTOM_SYSTEM_AUTH"; then
+            sed -i -E --follow-symlinks "s/(.*password\s+.*\s+pam_unix.so.*)$hash_option\s*(.*)/\1\2/g" "$CUSTOM_SYSTEM_AUTH"
+        fi
+    fi
+done
+
+if ! $(grep -q "^\s*password.*sufficient.*pam_unix\.so.*$var_password_hashing_algorithm_pam" "$CUSTOM_SYSTEM_AUTH"); then
+    sed -i --follow-symlinks "/^password.*sufficient.*pam_unix\.so/ s/$/ $var_password_hashing_algorithm_pam/" "$CUSTOM_SYSTEM_AUTH"
+fi
+authselect apply-changes -b

linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var

@@ -19,3 +19,4 @@ options:
     yescrypt: YESCRYPT
     cis_ubuntu2204: SHA512|YESCRYPT
     cis_ubuntu2404: SHA512|YESCRYPT
+    cis_rhel10: YESCRYPT|SHA512

linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var

@@ -16,3 +16,4 @@ options:
     default: sha512
     sha512: sha512
     yescrypt: yescrypt
+    cis_rhel10: yescrypt|sha512

tests/data/profile_stability/rhel10/cis.profile

@@ -376,7 +376,6 @@ service_nfs_disabled
 service_rpcbind_disabled
 service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
-set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
@@ -481,8 +480,8 @@ var_auditd_space_left_action=cis_rhel10
 var_authselect_profile=local
 var_multiple_time_servers=rhel
 var_pam_wheel_group_for_su=cis
-var_password_hashing_algorithm=yescrypt
-var_password_hashing_algorithm_pam=yescrypt
+var_password_hashing_algorithm=cis_rhel10
+var_password_hashing_algorithm_pam=cis_rhel10
 var_password_pam_dictcheck=1
 var_password_pam_difok=2
 var_password_pam_maxrepeat=3

tests/data/profile_stability/rhel10/cis_server_l1.profile

@@ -269,7 +269,6 @@ service_nfs_disabled
 service_rpcbind_disabled
 service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
-set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
@@ -360,8 +359,8 @@ var_accounts_user_umask=027
 var_authselect_profile=local
 var_multiple_time_servers=rhel
 var_pam_wheel_group_for_su=cis
-var_password_hashing_algorithm=yescrypt
-var_password_hashing_algorithm_pam=yescrypt
+var_password_hashing_algorithm=cis_rhel10
+var_password_hashing_algorithm_pam=cis_rhel10
 var_password_pam_dictcheck=1
 var_password_pam_difok=2
 var_password_pam_maxrepeat=3

tests/data/profile_stability/rhel10/cis_workstation_l1.profile

@@ -260,7 +260,6 @@ service_nfs_disabled
 service_rpcbind_disabled
 service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
-set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
@@ -354,8 +353,8 @@ var_accounts_user_umask=027
 var_authselect_profile=local
 var_multiple_time_servers=rhel
 var_pam_wheel_group_for_su=cis
-var_password_hashing_algorithm=yescrypt
-var_password_hashing_algorithm_pam=yescrypt
+var_password_hashing_algorithm=cis_rhel10
+var_password_hashing_algorithm_pam=cis_rhel10
 var_password_pam_dictcheck=1
 var_password_pam_difok=2
 var_password_pam_maxrepeat=3

tests/data/profile_stability/rhel10/cis_workstation_l2.profile

@@ -372,7 +372,6 @@ service_nfs_disabled
 service_rpcbind_disabled
 service_systemd-journal-upload_enabled
 service_systemd-journald_enabled
-set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
@@ -477,8 +476,8 @@ var_auditd_space_left_action=cis_rhel10
 var_authselect_profile=local
 var_multiple_time_servers=rhel
 var_pam_wheel_group_for_su=cis
-var_password_hashing_algorithm=yescrypt
-var_password_hashing_algorithm_pam=yescrypt
+var_password_hashing_algorithm=cis_rhel10
+var_password_hashing_algorithm_pam=cis_rhel10
 var_password_pam_dictcheck=1
 var_password_pam_difok=2
 var_password_pam_maxrepeat=3