Add new variable to set_password_hashing_min_rounds_logindefs rule

[mrkanon]

Description:

• Add new variable to set_password_hashing_min_rounds_logindefs and update remediations, oval file, rule and policy files.
• Add two new test to check the new possible values of the variable
• Update oval file, ansible and bash remediation to support values large than the default
• Add the correct value to ol8 stig

Rationale:

Add variable to manage different values of SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS in /etc/login.defs

[openshift-ci]

Hi @mrkanon. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
@@ -2,18 +2,42 @@
 var_password_hashing_min_rounds_login_defs=''
 
 
-if [ -e "/etc/login.defs" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
-else
-    printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
-    return 1
+config_file="/etc/login.defs"
+current_min_rounds=$(grep -Po '^\s*SHA_CRYPT_MIN_ROUNDS\s+\K\d+' "$config_file")
+current_max_rounds=$(grep -Po '^\s*SHA_CRYPT_MAX_ROUNDS\s+\K\d+' "$config_file")
+
+if [[ -z "$current_min_rounds" || "$current_min_rounds" -le "$var_password_hashing_min_rounds_login_defs" ]]; then
+    if [ -e "/etc/login.defs" ] ; then
+        
+        LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
+    else
+        printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
+        return 1
+    fi
+    # make sure file has newline at the end
+    sed -i -e '$a\' "/etc/login.defs"
+
+    cp "/etc/login.defs" "/etc/login.defs.bak"
+    # Insert at the end of the file
+    printf '%s\n' "SHA_CRYPT_MIN_ROUNDS $var_password_hashing_min_rounds_login_defs" >> "/etc/login.defs"
+    # Clean up after ourselves.
+    rm "/etc/login.defs.bak"
 fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/login.defs"
 
-cp "/etc/login.defs" "/etc/login.defs.bak"
-# Insert at the end of the file
-printf '%s\n' "SHA_CRYPT_MIN_ROUNDS $var_password_hashing_min_rounds_login_defs" >> "/etc/login.defs"
-# Clean up after ourselves.
-rm "/etc/login.defs.bak"
+if [[ -n "$current_max_rounds" && "$current_max_rounds" -le "$var_password_hashing_min_rounds_login_defs" ]]; then
+    if [ -e "/etc/login.defs" ] ; then
+        
+        LC_ALL=C sed -i "/^\s*SHA_CRYPT_MAX_ROUNDS\s*/Id" "/etc/login.defs"
+    else
+        printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2
+        return 1
+    fi
+    # make sure file has newline at the end
+    sed -i -e '$a\' "/etc/login.defs"
+
+    cp "/etc/login.defs" "/etc/login.defs.bak"
+    # Insert at the end of the file
+    printf '%s\n' "SHA_CRYPT_MAX_ROUNDS $var_password_hashing_min_rounds_login_defs" >> "/etc/login.defs"
+    # Clean up after ourselves.
+    rm "/etc/login.defs.bak"
+fi

[github-actions]

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

[Xeicker]

@ComplianceAsCode/red-hatters I think this is also applicable to RHEL8, Could you take a look?

[qlty-cloud-legacy]

Code Climate has analyzed commit 506de40 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

[Xeicker]

I see this was updated taking into account #12948

So it was indeed needed by RHEL, it LGTM now

[ggbecker]

/packit retest-failed

[ggbecker]

I've restarted failing packit jobs and below are the old failed packit logs in case it's needed (for reference)
Dashboard https://dashboard.packit.dev/jobs/testing-farm/768737
Testing Farm https://artifacts.dev.testing-farm.io/74d2a431-f6ef-4e34-8180-60afe1dcc9f9

Dashboard https://dashboard.packit.dev/jobs/testing-farm/768736
Testing Farm https://artifacts.dev.testing-farm.io/67a8f887-0d9a-4cb2-8fff-fbe52696b239