Describe the Issue
The task "Check debian11cis_grub_user password variable has been changed | if password blank or incorrect type and not being set" in `tasks/main.yml` checks if the password contains `$y$`. This prefix signifies a yescrypt hashed password. But the CIS hardening guide specifies that either SHA512 or yescrypt are acceptable hashing algorithms.
```yaml
- name: Check debian11cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
  ansible.builtin.assert:
      that: ( debian11cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in debian11cis_password_set_grub_user.stdout
      fail_msg: "Grub User {{ debian11cis_grub_user }} has no password set or incorrect encryption"
      success_msg: "Grub User {{ debian11cis_grub_user }} has a valid password set to be used in single user mode"
  when:
      - not debian11cis_set_grub_user_pass
```
Expected Behavior
All hashing algorithms stated in the hardening guide should be accepted. The task should check for either a `$6$` prefix (SHA-512) or a `$y$` prefix (yescrypt).
Actual Behavior
Only yescrypt is accepted as a hashing algorithm.
Thank you again for your time regarding this issue. You should find that this fix was merged into devel and is now in the main branch. I will close this issue; please feel free to reopen it if this is not resolved as expected.
DEBIAN11-CIS/tasks/main.yml, lines 69 to 75 in e2b418d
Control(s) Affected
5.4.1.4 Ensure strong password hashing algorithm is configured (Automated)
Environment (please complete the following information):
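An added example, not part of the issue or the project's code: a Python check that accepts both prefixes named in the issue and matches them at the start of the password field instead of testing for a substring anywhere in the output. It assumes the registered stdout is a bare hash or a shadow(5)-style line; the function name and the sample lines are constructed.

```python
import re

# Accepted crypt(5) method ids, per the issue: $6$ (SHA-512) and $y$ (yescrypt).
ACCEPTED = {"6": "SHA-512", "y": "yescrypt"}
# A crypt(5) hash starts with "$<id>$"; the id names the hashing method.
_PREFIX = re.compile(r"^\$([^$:]+)\$")


def check_password_field(value, accepted=ACCEPTED):
    """Classify a shadow password field (or a whole "user:hash:..." line).

    Returns (ok, reason). The prefix is matched at the start of the field,
    not anywhere in the string as a "'$y$' in stdout" test does.
    """
    value = value.strip()
    # Assumption: input is either a bare hash or a shadow(5)-style line.
    field = value.split(":")[1] if ":" in value else value
    if field == "":
        return False, "empty password field"
    if field.startswith(("!", "*")):
        return False, "locked or no usable password"
    match = _PREFIX.match(field)
    if not match:
        return False, "not a modular crypt hash"
    method = match.group(1)
    if method not in accepted:
        return False, "method $%s$ not accepted" % method
    return True, accepted[method]


# Constructed sample lines; the salts and digests are placeholders.
SAMPLES = [
    "root:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH0000000000:19000:0:99999:7:::",
    "root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH0000000000:19000:0:99999:7:::",
    "root:$1$CONSTRUC$CONSTRUCTEDHASH0000:19000:0:99999:7:::",
    "root:!$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH0000000000:19000:0:99999:7:::",
    "root::19000:0:99999:7:::",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line.split(":")[0], check_password_field(line))
```

The fourth sample is a locked entry that still contains `$y$` and is longer than 10 characters, so a substring-plus-length test accepts it while the anchored check reports it separately.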