Skip to content

Add new variable to set_password_hashing_min_rounds_logindefs rule #12923

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Mab879 merged 2 commits into from
Feb 3, 2025
Merged

Add new variable to set_password_hashing_min_rounds_logindefs rule #12923

Mab879 merged 2 commits into from
Feb 3, 2025

Conversation

@mrkanon
Copy link
Contributor

@mrkanon mrkanon commented Jan 28, 2025

Description:

  • Add new variable to set_password_hashing_min_rounds_logindefs and update remediations, oval file, rule and policy files.
  • Add two new test to check the new possible values of the variable
  • Update oval file, ansible and bash remediation to support values large than the default
  • Add the correct value to ol8 stig

Rationale:

Add variable to manage different values of SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS in /etc/login.defs

@mrkanon mrkanon requested a review from a team as a code owner January 28, 2025 22:55
@openshift-ci
Copy link

openshift-ci bot commented Jan 28, 2025

Hi @mrkanon. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jan 28, 2025
@github-actions
Copy link

github-actions bot commented Jan 28, 2025
edited
Loading

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
bash remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
@@ -2,18 +2,42 @@
 var_password_hashing_min_rounds_login_defs=''
 
 
-if [ -e "/etc/login.defs" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
-else
-    printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
-    return 1
+config_file="/etc/login.defs"
+current_min_rounds=$(grep -Po '^\s*SHA_CRYPT_MIN_ROUNDS\s+\K\d+' "$config_file")
+current_max_rounds=$(grep -Po '^\s*SHA_CRYPT_MAX_ROUNDS\s+\K\d+' "$config_file")
+
+if [[ -z "$current_min_rounds" || "$current_min_rounds" -le "$var_password_hashing_min_rounds_login_defs" ]]; then
+    if [ -e "/etc/login.defs" ] ; then
+        
+        LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
+    else
+        printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
+        return 1
+    fi
+    # make sure file has newline at the end
+    sed -i -e '$a\' "/etc/login.defs"
+
+    cp "/etc/login.defs" "/etc/login.defs.bak"
+    # Insert at the end of the file
+    printf '%s\n' "SHA_CRYPT_MIN_ROUNDS $var_password_hashing_min_rounds_login_defs" >> "/etc/login.defs"
+    # Clean up after ourselves.
+    rm "/etc/login.defs.bak"
 fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/login.defs"
 
-cp "/etc/login.defs" "/etc/login.defs.bak"
-# Insert at the end of the file
-printf '%s\n' "SHA_CRYPT_MIN_ROUNDS $var_password_hashing_min_rounds_login_defs" >> "/etc/login.defs"
-# Clean up after ourselves.
-rm "/etc/login.defs.bak"
+if [[ -n "$current_max_rounds" && "$current_max_rounds" -le "$var_password_hashing_min_rounds_login_defs" ]]; then
+    if [ -e "/etc/login.defs" ] ; then
+        
+        LC_ALL=C sed -i "/^\s*SHA_CRYPT_MAX_ROUNDS\s*/Id" "/etc/login.defs"
+    else
+        printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
+        return 1
+    fi
+    # make sure file has newline at the end
+    sed -i -e '$a\' "/etc/login.defs"
+
+    cp "/etc/login.defs" "/etc/login.defs.bak"
+    # Insert at the end of the file
+    printf '%s\n' "SHA_CRYPT_MAX_ROUNDS $var_password_hashing_min_rounds_login_defs" >> "/etc/login.defs"
+    # Clean up after ourselves.
+    rm "/etc/login.defs.bak"
+fi

@github-actions
Copy link

github-actions bot commented Jan 28, 2025

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@Xeicker
Copy link
Contributor

Xeicker commented Jan 28, 2025

@ComplianceAsCode/red-hatters I think this is also applicable to RHEL8, Could you take a look?

@Xeicker Xeicker added Oracle Linux Oracle Linux product related. Update Rule Issues or pull requests related to Rules updates. Update Profile Issues or pull requests related to Profiles updates. STIG STIG Benchmark related. labels Jan 28, 2025
@Xeicker Xeicker added this to the 0.1.76 milestone Jan 28, 2025
@mrkanon
Add variable value to OL8 stig profile
315b400 
Add value of var_password_hashing_min_rounds_login_defs

Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
@mrkanon
Update bash remediation set_password_hashing_min_rounds_logindefs
506de40 
Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
@qlty-cloud-legacy
Copy link

qlty-cloud-legacy bot commented Jan 31, 2025

Code Climate has analyzed commit 506de40 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

Xeicker
Xeicker approved these changes Jan 31, 2025
View reviewed changes
Copy link
Contributor

@Xeicker Xeicker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see this was updated taking into account #12948

So it was indeed needed by RHEL, it LGTM now

@ggbecker
Copy link
Member

ggbecker commented Feb 3, 2025

/packit retest-failed

@ggbecker
Copy link
Member

ggbecker commented Feb 3, 2025

I've restarted failing packit jobs and below are the old failed packit logs in case it's needed (for reference)
Dashboard https://dashboard.packit.dev/jobs/testing-farm/768737
Testing Farm https://artifacts.dev.testing-farm.io/74d2a431-f6ef-4e34-8180-60afe1dcc9f9

Dashboard https://dashboard.packit.dev/jobs/testing-farm/768736
Testing Farm https://artifacts.dev.testing-farm.io/67a8f887-0d9a-4cb2-8fff-fbe52696b239

@Mab879 Mab879 merged commit d8173da into ComplianceAsCode:master Feb 3, 2025
96 of 100 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mab879 Mab879 Mab879 approved these changes

+1 more reviewer

@Xeicker Xeicker Xeicker approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

needs-ok-to-test Used by openshift-ci bot. Oracle Linux Oracle Linux product related. STIG STIG Benchmark related. Update Profile Issues or pull requests related to Profiles updates. Update Rule Issues or pull requests related to Rules updates.

Projects

None yet

Milestone

0.1.76

Development

Successfully merging this pull request may close these issues.

4 participants

@mrkanon @Xeicker @ggbecker @Mab879