RHEL 10 CIS: improve controls related to pwd hashing algos#14247

Merged
jan-cerny merged 4 commits into ComplianceAsCode:master from vojtapolasek:rhel10_cis_password_hashing on Dec 17, 2025

@vojtapolasek
Collaborator

Description:

  • make all following rules accept multiple values in XCCDF variable, while using the first in the list for remediation:
    • set_password_hashing_algorithm_systemauth
    • set_password_hashing_algorithm_passwordauth
    • set_password_hashing_algorithm_logindefs
  • update OVAL, Bash, Ansible and tests
  • update RHEL 10 CIS with new variables which contain multiple values

Rationale:

  • CIS allows multiple valid hashing algorithms

Review Hints:

Use Automatus and check against RHEL 10 CIS policy.

allow both SHA512 and YESCRYPT algorithms
…e values when checking, in the same way as set_password_hashing_algorithm_logindefs
now all controls support checking for multiple hashing algorithm
@vojtapolasek vojtapolasek added this to the 0.1.80 milestone Dec 16, 2025
@vojtapolasek vojtapolasek added Update Rule Issues or pull requests related to Rules updates. CIS CIS Benchmark related. RHEL10 Red Hat Enterprise Linux 10 product related. labels Dec 16, 2025
@jan-cerny jan-cerny self-assigned this Dec 16, 2025
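
The behaviour the PR description states (accept any algorithm from a list when checking, use the first entry when remediating), shown for the ENCRYPT_METHOD setting in a login.defs-style file. This is an added example, not code from this pull request or from ComplianceAsCode; the comma-separated list format, the function names and the sample file contents are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added illustration, not the ComplianceAsCode remediation or OVAL check.
# Assumption: the allowed algorithms arrive as one comma-separated string.

# Print every uncommented ENCRYPT_METHOD value in a login.defs-style file.
get_encrypt_methods() {
    awk '$1 == "ENCRYPT_METHOD" { print $2 }' "$1"
}

# Check: pass only if the setting is present and every value is in the list.
is_compliant() {
    local allowed="$1" file="$2" values value
    values=$(get_encrypt_methods "$file")
    [ -n "$values" ] || return 1          # missing or commented out: fail
    for value in $values; do
        case ",$allowed," in
            *",$value,"*) ;;              # exact match against one list entry
            *) return 1 ;;
        esac
    done
}

# Remediation: write the first algorithm in the list, keeping other lines intact.
remediate() {
    local allowed="$1" file="$2" first tmp
    first=${allowed%%,*}
    tmp=$(mktemp)
    if grep -Eq '^[[:space:]]*ENCRYPT_METHOD[[:space:]]' "$file"; then
        sed -E "s/^[[:space:]]*ENCRYPT_METHOD[[:space:]].*/ENCRYPT_METHOD $first/" \
            "$file" > "$tmp"
    else
        { cat "$file"; printf 'ENCRYPT_METHOD %s\n' "$first"; } > "$tmp"
    fi
    cat "$tmp" > "$file"                  # overwrite in place, preserving file mode
    rm -f "$tmp"
}

# Demo on a constructed sample file (not taken from a real host).
sample=$(mktemp)
printf '# constructed sample\nUMASK 022\nENCRYPT_METHOD MD5\n' > "$sample"
is_compliant "YESCRYPT,SHA512" "$sample" && echo "before: pass" || echo "before: fail"
remediate "YESCRYPT,SHA512" "$sample"
is_compliant "YESCRYPT,SHA512" "$sample" && echo "after: pass" || echo "after: fail"
rm -f "$sample"
```

A value that is second in the list passes the check without being rewritten; only a failing file is changed to the first entry.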
Collaborator

@jan-cerny jan-cerny left a comment

I have run Automatus TSs on RHEL 10 with both Ansible and Bash remediations for rules set_password_hashing_algorithm_passwordauth, set_password_hashing_algorithm_systemauth and set_password_hashing_algorithm_logindefs

@openshift-ci

openshift-ci bot commented Dec 16, 2025

@vojtapolasek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/e2e-aws-openshift-node-compliance | 1687434 | link | true | /test e2e-aws-openshift-node-compliance

@Mab879
Member

Mab879 commented Dec 17, 2025

/packit retest-failed

@jan-cerny
Collaborator

/packit build

@jan-cerny jan-cerny merged commit 9f94235 into ComplianceAsCode:master Dec 17, 2025
138 of 142 checks passed