From 222e56014f012ae43808f045f1c4f6aad034f20c Mon Sep 17 00:00:00 2001
From: Eric Berry
Date: Wed, 20 Nov 2024 14:24:05 -0800
Subject: [PATCH] Update 5.4.1.4 set_password_hashing_algorithm_logindefs for Ubuntu 24.04

---
 controls/cis_ubuntu2404.yml | 7 ++++---
 .../ansible/shared.yml | 2 +-
 .../bash/shared.sh | 5 +++++
 .../accounts-pam/var_password_hashing_algorithm.var | 1 +
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 07869e17a53..a8d68d805d8 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2052,10 +2052,11 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - set_password_hashing_algorithm_logindefs
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.4.
+ - var_password_hashing_algorithm=cis_ubuntu2404
+ status: automated
+ notes: Rule allows either SHA512 or YESCRYPT
 
 - id: 5.4.1.5
 title: Ensure inactive password lock is configured (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml
index e0b6d68db53..ff6e962100a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml
@@ -9,6 +9,6 @@
 lineinfile:
 dest: /etc/login.defs
 regexp: ^#?ENCRYPT_METHOD
- line: ENCRYPT_METHOD {{ var_password_hashing_algorithm }}
+ line: ENCRYPT_METHOD {{ var_password_hashing_algorithm.split('|')[0] }}
 state: present
 create: yes
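Review bot: The new `notes: Rule allows either SHA512 or YESCRYPT` line records only what the check accepts, not what the remediation does; the bash and ansible changes in this same patch write the first `|`-separated token of the variable, so an operator applying the fix ends up with SHA512 specifically. Suggest `notes: Check accepts SHA512 or YESCRYPT; remediation writes the first value of var_password_hashing_algorithm (SHA512). Applies to newly set passwords only.` The check side (OVAL) presumably has to treat the `|` in the variable as alternation for the "either" claim to hold, but no OVAL change is part of this patch, so that is worth confirming before marking the control `automated`.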
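Review bot: With `split('|')[0]` the `line:` value is always `ENCRYPT_METHOD SHA512`, and the unchanged `regexp: ^#?ENCRYPT_METHOD` with `state: present` rewrites whatever is there, so a host already at `ENCRYPT_METHOD YESCRYPT` — a value this control accepts, and the newer of the two algorithms — is moved to SHA512 whenever the playbook is applied standalone rather than generated from failed scan results. The task would stay idempotent against the whole allowed set if it first read the current value and only rewrote when that value is not one of the variable's `|`-separated options; a lookahead in the regexp is not a substitute, since a non-matching regexp makes lineinfile append a duplicate line. The task header (`- name:` and any existing `when:`) starts before line 9, outside the hunk, and the `when:` below attaches to that task.
```yaml
- name: "Read current ENCRYPT_METHOD from /etc/login.defs"
  ansible.builtin.shell: "grep -E '^[[:space:]]*ENCRYPT_METHOD[[:space:]]' /etc/login.defs | awk '{print $2}' | tail -n 1"
  register: current_encrypt_method
  changed_when: false
  failed_when: false

# … unchanged: task name / header lines before line 9 …
  lineinfile:
    dest: /etc/login.defs
    regexp: ^#?ENCRYPT_METHOD
    line: ENCRYPT_METHOD {{ var_password_hashing_algorithm.split('|')[0] }}
    state: present
    create: yes
  # Only rewrite when the current value is not one of the accepted algorithms
  when: current_encrypt_method.stdout not in var_password_hashing_algorithm.split('|')
```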
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
index c8a246b9048..2508c43d03c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
@@ -1,4 +1,9 @@
 # platform = multi_platform_all
 {{{ bash_instantiate_variables("var_password_hashing_algorithm") }}}
+
+# Allow multiple algorithms, but choose the first one for remediation
+#
+var_password_hashing_algorithm="$(echo $var_password_hashing_algorithm | cut -d \| -f 1)"
+
 {{{ bash_replace_or_append('/etc/login.defs', '^ENCRYPT_METHOD', "$var_password_hashing_algorithm", '%s %s') }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
index a7ca858e731..6e3148bb804 100644
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
@@ -17,3 +17,4 @@ options:
 SHA512: SHA512
 SHA256: SHA256
 yescrypt: YESCRYPT
+ cis_ubuntu2404: SHA512|YESCRYPT
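Review bot: The added `var_password_hashing_algorithm="$(echo $var_password_hashing_algorithm | cut -d \| -f 1)"` spawns a subshell and a pipeline, and expands the variable unquoted inside `echo`, to do what a parameter expansion does in place: `var_password_hashing_algorithm="${var_password_hashing_algorithm%%|*}"`. The bigger issue is that the unchanged `bash_replace_or_append` call then writes `ENCRYPT_METHOD SHA512` unconditionally, so a host already configured with `ENCRYPT_METHOD YESCRYPT` — which this rule accepts, and which is the newer algorithm — gets switched to SHA512 whenever the script runs outside a fail-only workflow; the script should read the current value and skip the rewrite when it is already one of the `|`-separated options. Avoid `exit` for the early-out, since these remediation snippets appear to be concatenated into larger scripts (confirm); an `if` around the macro call keeps the rest running. The empty `+#` comment line between the explanatory comment and the assignment can be dropped.
```bash
{{{ bash_instantiate_variables("var_password_hashing_algorithm") }}}

# The variable may hold several '|'-separated algorithms; the check accepts any
# of them, so only rewrite ENCRYPT_METHOD when the current value is not one of
# them. When a rewrite is needed, the first listed algorithm is used.
current_method="$(sed -n 's/^[[:space:]]*ENCRYPT_METHOD[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' /etc/login.defs 2>/dev/null | tail -n 1)"
already_compliant=""
case "|${var_password_hashing_algorithm}|" in
    *"|${current_method}|"*) [ -n "$current_method" ] && already_compliant=yes ;;
esac
if [ -z "$already_compliant" ]; then
    var_password_hashing_algorithm="${var_password_hashing_algorithm%%|*}"
    {{{ bash_replace_or_append('/etc/login.defs', '^ENCRYPT_METHOD', "$var_password_hashing_algorithm", '%s %s') }}}
fi
```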
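Review bot: `cis_ubuntu2404: SHA512|YESCRYPT` is order-sensitive — the bash and ansible changes in this patch write only the first `|`-separated token, so SHA512 is what remediation configures — but nothing in the `.var` file says so, and the other options are single values. Add a comment above the new option: `# A '|'-separated value lists every algorithm the check accepts; remediation writes the first one.` If YESCRYPT is the preferred algorithm for Ubuntu 24.04 (it is the newer of the two and appears to be the distribution default — confirm against the benchmark), listing it first as `YESCRYPT|SHA512` would keep remediation from moving hosts off yescrypt.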