Merge pull request #12636 from ericeberry/u2404-5414

U2404 5414
ComplianceAsCode · Dec 4, 2024 · edcb42a · edcb42a
2 parents 35c3b82 + 2e2b964
commit edcb42a
Show file tree

Hide file tree

Showing 10 changed files with 62 additions and 5 deletions.
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -2079,10 +2079,11 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
+    rules:
       - set_password_hashing_algorithm_logindefs
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.4.
+      - var_password_hashing_algorithm=cis_ubuntu2404
+    status: automated
+    notes: Rule allows either SHA512 or YESCRYPT
 
   - id: 5.4.1.5
     title: Ensure inactive password lock is configured (Automated)

diff --git a/...et_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml b/...et_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml
@@ -9,6 +9,6 @@
   lineinfile:
       dest: /etc/login.defs
       regexp: ^#?ENCRYPT_METHOD
-      line: ENCRYPT_METHOD {{ var_password_hashing_algorithm }}
+      line: ENCRYPT_METHOD {{ var_password_hashing_algorithm.split('|')[0] }}
       state: present
       create: yes
diff --git a/...am/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh b/...am/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
@@ -1,4 +1,9 @@
 # platform = multi_platform_all
 
 {{{ bash_instantiate_variables("var_password_hashing_algorithm") }}}
+
+# Allow multiple algorithms, but choose the first one for remediation
+#
+var_password_hashing_algorithm="$(echo $var_password_hashing_algorithm | cut -d \| -f 1)"
+
 {{{ bash_replace_or_append('/etc/login.defs', '^ENCRYPT_METHOD', "$var_password_hashing_algorithm", '%s %s') }}}
diff --git a/...m/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml b/...m/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml
@@ -37,9 +37,17 @@
   <!-- Define corresponding variable state (the requirement) for the variable object -->
   <!-- The check should PASS if retrieved last ENCRYPT_METHOD value is equal to the requirement -->
   <ind:variable_state id="state_set_password_hashing_algorithm_logindefs" version="1">
-    <ind:value operation="equals" datatype="string" var_ref="var_password_hashing_algorithm"/>
+    <ind:value operation="pattern match" datatype="string" var_ref="var_password_hashing_algorithm_regex"/>
   </ind:variable_state>
 
+  <local_variable datatype="string" id="var_password_hashing_algorithm_regex" version="1" comment="Limit regex">
+    <concat>
+      <literal_component>^</literal_component>
+       <variable_component var_ref="var_password_hashing_algorithm"/>
+      <literal_component>$</literal_component>
+    </concat>
+  </local_variable>
+
   <external_variable id="var_password_hashing_algorithm" version="1"
     datatype="string" comment="hashing algorithm for /etc/login.defs"/>
 </def-group>
diff --git a/...shing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.fail.sh b/...shing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=good_value1|good_value2
+
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+	sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD wrong_value/" /etc/login.defs
+else
+	echo "ENCRYPT_METHOD wrong_value" >> /etc/login.defs
+fi
diff --git a/...shing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.pass.sh b/...shing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=good_value1|good_value2
+
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+	sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD good_value2/" /etc/login.defs
+else
+	echo "ENCRYPT_METHOD good_value2" >> /etc/login.defs
+fi
diff --git a/...hing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue2.pass.sh b/...hing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_multivalue2.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=good_value1|good_value2
+
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+	sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD good_value1/" /etc/login.defs
+else
+	echo "ENCRYPT_METHOD good_value1" >> /etc/login.defs
+fi
diff --git a/..._hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_partial.fail.sh b/..._hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_partial.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=value1|value2
+
+# test that partial match fails
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+	sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD value/" /etc/login.defs
+else
+	echo "ENCRYPT_METHOD value" >> /etc/login.defs
+fi
diff --git a/...hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_yescrypt.pass.sh b/...hashing_algorithm/set_password_hashing_algorithm_logindefs/tests/default_yescrypt.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# variables = var_password_hashing_algorithm=YESCRYPT
+
+# Make sure ENCRYPT_METHOD is YESCRYPT
+if grep -q "^ENCRYPT_METHOD" /etc/login.defs; then
+	sed -i "s/^ENCRYPT_METHOD\b.*/ENCRYPT_METHOD YESCRYPT/" /etc/login.defs
+else
+	echo "ENCRYPT_METHOD YESCRYPT" >> /etc/login.defs
+fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var
@@ -17,3 +17,4 @@ options:
     SHA512: SHA512
     SHA256: SHA256
     yescrypt: YESCRYPT
+    cis_ubuntu2404: SHA512|YESCRYPT