Change default hashing algorithm in ANSSI profiles for RHEL

ANSSI allows two hashing algorithms with pam_unix.so, sha512 and
yescrypt. Currently, RHEL products use sha512 by default, which is
already compliant so the respective ANSSI profiles were updated to
check for sha512 instead of yescrypt. This will better align to system
default settings and avoid unnecessary changes.

Signed-off-by: Marcus Burghardt <[email protected]>

linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var

@@ -16,4 +16,4 @@ options:
     default: SHA512
     SHA512: SHA512
     SHA256: SHA256
-    yescrypt: yescrypt
+    yescrypt: YESCRYPT

linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var

@@ -3,7 +3,7 @@ documentation_complete: true
 title: Password Hashing algorithm
 
 description: |-
-    Specify the number of SHA rounds for the system password encryption algorithm.
+    Specify the number of rounds for the system password encryption algorithm.
     Defines the value set in <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>
 
 type: number

products/rhel8/profiles/anssi_bp28_enhanced.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
     - anssi:all:enhanced
+    - var_password_hashing_algorithm=SHA512
+    - var_password_pam_unix_rounds=65536
     - '!timer_logrotate_enabled'
     # Following rules once had a prodtype incompatible with the rhel8 product
     - '!cracklib_accounts_password_pam_minlen'

products/rhel8/profiles/anssi_bp28_high.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
     - anssi:all:high
+    - var_password_hashing_algorithm=SHA512
+    - var_password_pam_unix_rounds=65536
     # the following rule renders UEFI systems unbootable
     - '!sebool_secure_mode_insmod'
     - '!timer_logrotate_enabled'

products/rhel8/profiles/anssi_bp28_intermediary.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
   - anssi:all:intermediary
+  - var_password_hashing_algorithm=SHA512
+  - var_password_pam_unix_rounds=65536
   # Following rules once had a prodtype incompatible with the rhel8 product
   - '!cracklib_accounts_password_pam_minlen'
   - '!accounts_passwords_pam_tally2_deny_root'

products/rhel8/profiles/anssi_bp28_minimal.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
   - anssi:all:minimal
+  - var_password_hashing_algorithm=SHA512
+  - var_password_pam_unix_rounds=65536
   # Following rules once had a prodtype incompatible with the rhel8 product
   - '!cracklib_accounts_password_pam_minlen'
   - '!accounts_passwords_pam_tally2_deny_root'

products/rhel9/profiles/anssi_bp28_enhanced.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
     - anssi:all:enhanced
+    - var_password_hashing_algorithm=SHA512
+    - var_password_pam_unix_rounds=65536
     # Following rules once had a prodtype incompatible with the rhel9 product
     - '!partition_for_opt'
     - '!accounts_passwords_pam_tally2_deny_root'

products/rhel9/profiles/anssi_bp28_high.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
     - anssi:all:high
+    - var_password_hashing_algorithm=SHA512
+    - var_password_pam_unix_rounds=65536
     # the following rule renders UEFI systems unbootable
     - '!sebool_secure_mode_insmod'
     # Following rules once had a prodtype incompatible with the rhel9 product

products/rhel9/profiles/anssi_bp28_intermediary.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
   - anssi:all:intermediary
+  - var_password_hashing_algorithm=SHA512
+  - var_password_pam_unix_rounds=65536
   # Following rules once had a prodtype incompatible with the rhel9 product
   - '!partition_for_opt'
   - '!cracklib_accounts_password_pam_minlen'

products/rhel9/profiles/anssi_bp28_minimal.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
   - anssi:all:minimal
+  - var_password_hashing_algorithm=SHA512
+  - var_password_pam_unix_rounds=65536
   # Following rules once had a prodtype incompatible with the rhel9 product
   - '!cracklib_accounts_password_pam_minlen'
   - '!accounts_passwords_pam_tally2_deny_root'