U2404 5414

[ericeberry]

Description:

Implement CIS Ubuntu 24.02v1 - 5.4.1.4 Ensure strong password hashing algorithm is configured

Rationale:

• Implement CIS Ubuntu 24.02v1

[openshift-ci]

Hi @ericeberry. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
@@ -2,6 +2,11 @@
 if rpm --quiet -q shadow-utils; then
 
 var_password_hashing_algorithm=''
+
+
+# Allow multiple algorithms, but choose the first one for remediation
+#
+var_password_hashing_algorithm="$(echo $var_password_hashing_algorithm | cut -d \| -f 1)"
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
@@ -28,7 +28,7 @@
   lineinfile:
     dest: /etc/login.defs
     regexp: ^#?ENCRYPT_METHOD
-    line: ENCRYPT_METHOD {{ var_password_hashing_algorithm }}
+    line: ENCRYPT_METHOD {{ var_password_hashing_algorithm.split('|')[0] }}
     state: present
     create: true
   when: '"shadow-utils" in ansible_facts.packages'

[mpurg]

Please also add a test for the new functionality.

[mpurg]

The tests should check for multiple values, e.g. "YESCRYPT|SHA512".

[dodys]

need a few more tests, @mpurg found some issues with OVAL

[codeclimate]

Code Climate has analyzed commit 2e2b964 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

[dodys]

lgtm, thanks!