commit 0c97a68f7be1bfa5834fa6c68eeb7fcc9fbc00ef

Author: Gabriel Becker <ggasparb@redhat.com>

Date:   Thu Feb 17 12:15:36 2022 +0100

    Custom patch for RHEL7.9 PR 8050.

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh

new file mode 100644

index 0000000..1c151a1

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh

@@ -0,0 +1,5 @@

+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv

+

+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then

+	sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"

+fi

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml

new file mode 100644

index 0000000..24fdbe4

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml

@@ -0,0 +1,19 @@

+<def-group>

+  <definition class="compliance" id="set_password_hashing_algorithm_passwordauth" version="1">

+    {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/password-auth.") }}}

+    <criteria operator="AND">

+      <criterion test_ref="test_pam_unix_passwordauth_sha512" />

+    </criteria>

+  </definition>

+

+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/password-auth for correct settings" id="test_pam_unix_passwordauth_sha512" version="1">

+    <ind:object object_ref="object_pam_unix_passwordauth_sha512" />

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object comment="check /etc/pam.d/password-auth for correct settings" id="object_pam_unix_passwordauth_sha512" version="1">

+      <ind:filepath>/etc/pam.d/password-auth</ind:filepath>

+      <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern>

+    <ind:instance datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+</def-group>

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml

new file mode 100644

index 0000000..9375269

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml

@@ -0,0 +1,72 @@

+documentation_complete: true

+

+prodtype: fedora,rhel7,rhel8,rhel9,rhv4

+

+title: "Set PAM's Password Hashing Algorithm - password-auth"

+

+description: |-

+    The PAM system service can be configured to only store encrypted

+    representations of passwords. In

+    <tt>/etc/pam.d/password-auth</tt>,

+    the

+    <tt>password</tt> section of the file controls which PAM modules execute

+    during a password change. Set the <tt>pam_unix.so</tt> module in the

+    <tt>password</tt> section to include the argument <tt>sha512</tt>, as shown

+    below:

+    

+    
password    sufficient    pam_unix.so sha512 other arguments...

+    

+    This will help ensure when local users change their passwords, hashes for

+    the new passwords will be generated using the SHA-512 algorithm. This is

+    the default.

+

+rationale: |-

+    Passwords need to be protected at all times, and encryption is the standard

+    method for protecting passwords. If passwords are not encrypted, they can

+    be plainly read (i.e., clear text) and easily compromised. Passwords that

+    are encrypted with a weak algorithm are no more protected than if they are

+    kepy in plain text.

+    

+    This setting ensures user and group account administration utilities are

+    configured to store only encrypted representations of passwords.

+    Additionally, the <tt>crypt_style</tt> configuration option ensures the use

+    of a strong hashing algorithm that makes password cracking attacks more

+    difficult.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: CCE-85943-9

+    cce@rhel8: CCE-85945-4

+    cce@rhel9: CCE-85946-2

+

+references:

+    anssi: BP28(R32)

+    cis-csc: 1,12,15,16,5

+    cis@rhel7: 5.4.3

+    cis@rhel8: 5.4.4

+    cjis: 5.6.2.2

+    cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10

+    cui: 3.13.11

+    disa: CCI-000196

+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4

+    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'

+    ism: 0418,1055,1402

+    iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3

+    nist: IA-5(c),IA-5(1)(c),CM-6(a)

+    nist-csf: PR.AC-1,PR.AC-6,PR.AC-7

+    pcidss: Req-8.2.1

+    srg: SRG-OS-000073-GPOS-00041

+    stigid@rhel7: RHEL-07-010200

+    stigid@rhel8: RHEL-08-010160

+    vmmsrg: SRG-OS-000480-VMM-002000

+

+ocil_clause: 'it does not'

+

+ocil: |-

+    Inspect the <tt>password</tt> section of <tt>/etc/pam.d/password-auth</tt>

+    and ensure that the <tt>pam_unix.so</tt> module includes the argument

+    <tt>sha512</tt>:

+    
$ grep sha512 /etc/pam.d/password-auth

+

+platform: pam

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh

new file mode 100644

index 0000000..a924fe5

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+

+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then

+	sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"

+fi

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh

new file mode 100644

index 0000000..68e925a

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh

@@ -0,0 +1,3 @@

+#!/bin/bash

+

+sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/sha512//g" "/etc/pam.d/password-auth"

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh

index 02af406..e7503fe 100644

--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh

@@ -1,7 +1,9 @@

 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv

 AUTH_FILES[0]="/etc/pam.d/system-auth"

+{{%- if product == "rhel7" %}}

 AUTH_FILES[1]="/etc/pam.d/password-auth"

+{{%- endif %}}

 for pamFile in "${AUTH_FILES[@]}"

 do

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml

index d76b6f8..a754a84 100644

--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml

@@ -3,6 +3,9 @@

     {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}

     <criteria operator="AND">

       <criterion test_ref="test_pam_unix_sha512" />

+      {{%- if product == "rhel7" %}}

+      <extend_definition comment="check /etc/pam.d/password-auth for correct settings" definition_ref="set_password_hashing_algorithm_passwordauth" />

+      {{%- endif %}}

     </criteria>

   </definition>

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml

index 24ab30d..58fcea9 100644

--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml

@@ -69,7 +69,7 @@ references:

     srg: SRG-OS-000073-GPOS-00041

     stigid@ol7: OL07-00-010200

     stigid@rhel7: RHEL-07-010200

-    stigid@rhel8: RHEL-08-010160

+    stigid@rhel8: RHEL-08-010159

     stigid@sle12: SLES-12-010230

     stigid@sle15: SLES-15-020170

     vmmsrg: SRG-OS-000480-VMM-002000

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh

index 7e48176..fb9feec 100644

--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh

@@ -1,7 +1,9 @@

 #!/bin/bash

 AUTH_FILES[0]="/etc/pam.d/system-auth"

+{{%- if product == "rhel7" %}}

 AUTH_FILES[1]="/etc/pam.d/password-auth"

+{{%- endif %}}

 for pamFile in "${AUTH_FILES[@]}"

 do

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh

index 09bb82d..2f35381 100644

--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh

+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh

@@ -1,7 +1,9 @@

 #!/bin/bash

 AUTH_FILES[0]="/etc/pam.d/system-auth"

+{{%- if product == "rhel7" %}}

 AUTH_FILES[1]="/etc/pam.d/password-auth"

+{{%- endif %}}

 for pamFile in "${AUTH_FILES[@]}"

 do

diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile

index fed3364..2449b8a 100644

--- a/products/rhel8/profiles/pci-dss.profile

+++ b/products/rhel8/profiles/pci-dss.profile

@@ -126,6 +126,7 @@ selections:

     - service_pcscd_enabled

     - sssd_enable_smartcards

     - set_password_hashing_algorithm_systemauth

+    - set_password_hashing_algorithm_passwordauth

     - set_password_hashing_algorithm_logindefs

     - set_password_hashing_algorithm_libuserconf

     - file_owner_etc_shadow

diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile

index d76bb38..1045be3 100644

--- a/products/rhel8/profiles/rht-ccp.profile

+++ b/products/rhel8/profiles/rht-ccp.profile

@@ -54,6 +54,7 @@ selections:

     - accounts_password_pam_difok

     - accounts_passwords_pam_faillock_deny

     - set_password_hashing_algorithm_systemauth

+    - set_password_hashing_algorithm_passwordauth

     - set_password_hashing_algorithm_logindefs

     - set_password_hashing_algorithm_libuserconf

     - require_singleuser_auth

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 7473865..6eb08da 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -146,6 +146,9 @@ selections:

     # RHEL-08-010152

     - require_emergency_target_auth

+    # RHEL-08-010159

+    - set_password_hashing_algorithm_passwordauth

+

     # RHEL-08-010160

     - set_password_hashing_algorithm_systemauth

diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile

index af34750..88f1518 100644

--- a/products/rhel9/profiles/pci-dss.profile

+++ b/products/rhel9/profiles/pci-dss.profile

@@ -125,6 +125,7 @@ selections:

 #    - service_pcscd_enabled  # not supported in RHEL9 ATM

     - sssd_enable_smartcards

     - set_password_hashing_algorithm_systemauth

+    - set_password_hashing_algorithm_passwordauth

     - set_password_hashing_algorithm_logindefs

     - set_password_hashing_algorithm_libuserconf

     - file_owner_etc_shadow

diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile

index 8d60468..9d2cf4b 100644

--- a/products/rhel9/profiles/stig.profile

+++ b/products/rhel9/profiles/stig.profile

@@ -128,6 +128,9 @@ selections:

     # To be released in V1R3

     # - require_emergency_target_auth

+    # RHEL-08-010159

+    - set_password_hashing_algorithm_passwordauth

+

     # RHEL-08-010160

     - set_password_hashing_algorithm_systemauth

diff --git a/products/rhv4/profiles/pci-dss.profile b/products/rhv4/profiles/pci-dss.profile

index 90e196e..f1fb1f8 100644

--- a/products/rhv4/profiles/pci-dss.profile

+++ b/products/rhv4/profiles/pci-dss.profile

@@ -115,6 +115,7 @@ selections:

     - service_pcscd_enabled

     - sssd_enable_smartcards

     - set_password_hashing_algorithm_systemauth

+    - set_password_hashing_algorithm_passwordauth

     - set_password_hashing_algorithm_logindefs

     - set_password_hashing_algorithm_libuserconf

     - file_owner_etc_shadow

diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile

index ef28fa1..d17833b 100644

--- a/products/rhv4/profiles/rhvh-stig.profile

+++ b/products/rhv4/profiles/rhvh-stig.profile

@@ -355,6 +355,7 @@ selections:

     - set_password_hashing_algorithm_libuserconf

     - set_password_hashing_algorithm_logindefs

     - set_password_hashing_algorithm_systemauth

+    - set_password_hashing_algorithm_passwordauth

     - package_opensc_installed

     - var_smartcard_drivers=cac

     - configure_opensc_card_drivers

diff --git a/products/rhv4/profiles/rhvh-vpp.profile b/products/rhv4/profiles/rhvh-vpp.profile

index 9be3e34..3b5802d 100644

--- a/products/rhv4/profiles/rhvh-vpp.profile

+++ b/products/rhv4/profiles/rhvh-vpp.profile

@@ -200,6 +200,7 @@ selections:

     - accounts_password_pam_unix_remember

     - set_password_hashing_algorithm_logindefs

     - set_password_hashing_algorithm_systemauth

+    - set_password_hashing_algorithm_passwordauth

     - set_password_hashing_algorithm_libuserconf

     - no_empty_passwords

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 226fed8..97dfbe2 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -69,9 +69,6 @@ CCE-85939-7

 CCE-85940-5

 CCE-85941-3

 CCE-85942-1

-CCE-85943-9

-CCE-85945-4

-CCE-85946-2

 CCE-85947-0

 CCE-85948-8

 CCE-85949-6

diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile

index f58bcf9..e235d49 100644

--- a/tests/data/profile_stability/rhel8/pci-dss.profile

+++ b/tests/data/profile_stability/rhel8/pci-dss.profile

@@ -1,5 +1,9 @@

+title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

 description: Ensures PCI-DSS v3.2.1 security configuration settings are applied.

-documentation_complete: true

+extends: null

+metadata:

+    SMEs:

+    - yuumasato

 reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

 selections:

 - account_disable_post_pw_expiration

@@ -120,6 +124,7 @@ selections:

 - service_pcscd_enabled

 - set_password_hashing_algorithm_libuserconf

 - set_password_hashing_algorithm_logindefs

+- set_password_hashing_algorithm_passwordauth

 - set_password_hashing_algorithm_systemauth

 - sshd_set_idle_timeout

 - sshd_set_keepalive_0

@@ -136,4 +141,8 @@ selections:

 - var_multiple_time_servers=rhel

 - var_sshd_set_keepalive=0

 - var_smartcard_drivers=cac

-title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8

+platforms: !!set {}

+cpe_names: !!set {}

+platform: null

+filter_rules: ''

+documentation_complete: true

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 1e84dea..58699ee 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -329,6 +329,7 @@ selections:

 - service_systemd-coredump_disabled

 - service_usbguard_enabled

 - set_password_hashing_algorithm_logindefs

+- set_password_hashing_algorithm_passwordauth

 - set_password_hashing_algorithm_systemauth

 - sshd_disable_compression

 - sshd_disable_empty_passwords

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index 1c9cf55..f432444 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -340,6 +340,7 @@ selections:

 - service_systemd-coredump_disabled

 - service_usbguard_enabled

 - set_password_hashing_algorithm_logindefs

+- set_password_hashing_algorithm_passwordauth

 - set_password_hashing_algorithm_systemauth

 - sshd_disable_compression

 - sshd_disable_empty_passwords