Update 5.4.1.4 set_password_hashing_algorithm_logindefs for Ubuntu 24.04

controls/cis_ubuntu2404.yml

@@ -2052,10 +2052,11 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
+    rules:
       - set_password_hashing_algorithm_logindefs
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.4.
+      - var_password_hashing_algorithm=cis_ubuntu2404
+    status: automated
+    notes: Rule allows either SHA512 or YESCRYPT
 
   - id: 5.4.1.5
     title: Ensure inactive password lock is configured (Automated)

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml

@@ -9,6 +9,6 @@
   lineinfile:
       dest: /etc/login.defs
       regexp: ^#?ENCRYPT_METHOD
-      line: ENCRYPT_METHOD {{ var_password_hashing_algorithm }}
+      line: ENCRYPT_METHOD {{ var_password_hashing_algorithm.split('|')[0] }}
       state: present
       create: yes

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh

@@ -1,4 +1,9 @@
 # platform = multi_platform_all
 
 {{{ bash_instantiate_variables("var_password_hashing_algorithm") }}}
+
+# Allow multiple algorithms, but choose the first one for remediation
+#
+var_password_hashing_algorithm="$(echo $var_password_hashing_algorithm | cut -d \| -f 1)"
+
 {{{ bash_replace_or_append('/etc/login.defs', '^ENCRYPT_METHOD', "$var_password_hashing_algorithm", '%s %s') }}}

linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var

@@ -17,3 +17,4 @@ options:
     SHA512: SHA512
     SHA256: SHA256
     yescrypt: YESCRYPT
+    cis_ubuntu2404: SHA512|YESCRYPT