Only yescrypt is accepted as hashing algorithm #9

Closed
fgierlinger opened this issue Jun 20, 2024 · 2 comments
fgierlinger commented Jun 20, 2024

Describe the Issue
The task "Check debian11cis_grub_user password variable has been changed | if password blank or incorrect type and not being set" in tasks/main.yml checks if the password contains $y$. This prefix signifies a yescrypt hashed password. But the CIS hardening guide specifies that either SHA512 or yescrypt are acceptable hashing algorithms.

```yaml
- name: Check debian11cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
  ansible.builtin.assert:
      that: ( debian11cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in debian11cis_password_set_grub_user.stdout
      fail_msg: "Grub User {{ debian11cis_grub_user }} has no password set or incorrect encryption"
      success_msg: "Grub User {{ debian11cis_grub_user }} has a valid password set to be used in single user mode"
  when:
      - not debian11cis_set_grub_user_pass
```

Expected Behavior
All hashing algorithms stated in the hardening guide should be accepted. The task should check for either a $6$ prefix (SHA-512) or a $y$ prefix (yescrypt).

Actual Behavior
Only yescrypt is accepted as hashing algorithm.

Control(s) Affected
5.4.1.4 Ensure strong password hashing algorithm is configured (Automated)

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 2.15.12
  • Host Python Version: Python 3.9.6
  • Ansible Server Python Version: Python 3.9.2
@fgierlinger fgierlinger added the bug Something isn't working label Jun 20, 2024
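
The check requested above, written out in Python as an added example (not code from the role or from its fix): it runs the task's `'$y$' in ...` condition beside an anchored check that accepts either `$6$` or `$y$`. The function names and sample strings are constructed here, and the code assumes the value being checked is the hash field on its own.

```python
"""Added example: prefix check for crypt(3)-style password hashes."""

# Schemes the issue says the CIS guide accepts: SHA-512 ($6$) and yescrypt ($y$).
ACCEPTED_SCHEMES = {"6": "sha512crypt", "y": "yescrypt"}
MIN_LENGTH = 10  # same length threshold as the task quoted in the issue


def hash_scheme(value):
    """Return the scheme id from a '$id$...' string, or None if absent."""
    parts = value.split("$")
    # A well-formed value splits into ['', id, ..., hash]; anything else
    # (empty, '*', '!', or text before the first '$') has no scheme id.
    if len(parts) < 4 or parts[0] != "" or not parts[1]:
        return None
    return parts[1]


def yescrypt_only_check(value):
    """The condition from the task in the issue: substring match on '$y$'."""
    return len(value) > MIN_LENGTH and "$y$" in value


def accepted_hash(value):
    """Anchored check that accepts either scheme named in the issue."""
    return len(value) > MIN_LENGTH and hash_scheme(value) in ACCEPTED_SCHEMES


# Constructed sample values (placeholders, not real hashes).
SAMPLES = {
    "yescrypt": "$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH",
    "sha512": "$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH",
    "md5": "$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH",
    "embedded": "text$y$CONSTRUCTEDSALT$CONSTRUCTEDHASH",
    "unset": "*",
}


def compare(samples=SAMPLES):
    """Map each sample name to (task condition result, anchored check result)."""
    return {n: (yescrypt_only_check(v), accepted_hash(v)) for n, v in samples.items()}


if __name__ == "__main__":
    for name, (task_result, anchored_result) in compare().items():
        print(f"{name:10} task={task_result!s:5} anchored={anchored_result}")
```

The `sha512` sample is the case reported in this issue; the `embedded` sample shows that a substring test also passes when `$y$` is not at the start of the value.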
@uk-bolly uk-bolly self-assigned this Jul 12, 2024
@uk-bolly
Member

hi @fgierlinger

Thank you for taking the time to highlight this issue. I am raising a PR which should fix this issue and hope to get merged into devel asap.

Many thanks

uk-bolly

uk-bolly added a commit that referenced this issue Jul 12, 2024
Signed-off-by: Mark Bolwell <[email protected]>
@uk-bolly
Member

hi @fgierlinger

Thank you again for your time regarding this issue. You should find that this fix was merged into devel and is now in the main branch. I will close this issue, please feel free to reopen if this is not resolved as expected.

Many thanks

uk-bolly
