Rule `set_password_hashing_yescrypt_cost_factor_logindefs` fails SCAP validation (SRC-38-1)

Open evgenyz opened this issue 7 months ago • 3 comments

Description of problem:

Valid SCAP content must correctly coerce XCCDF and OVAL datatypes for external variables. The variable `var_password_yescrypt_cost_factor_login_defs` is defined as `number` but imported in `set_password_hashing_yescrypt_cost_factor_logindefs` as `string` because of the template (`key_value_pair_in_file`).

SCAP Security Guide Version:

master, stabilization-0.1.77

Operating System Version:

RHEL10

Steps to Reproduce:

  1. Build the content
  2. Run scapval

Actual Results:

SRC-38-1 failure.

Expected Results:

No SRC-38 failures.

Additional Information/Debugging Steps:

Resulting external variable definition that violates type coercion:

```xml
<oval-def:external_variable id="oval:ssg-var_password_yescrypt_cost_factor_login_defs:var:1" version="1" datatype="string" comment="Variable defining the value the argument should have"/>
```

evgenyz, Jun 06 '25 13:06
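The SRC-38-1 finding described in the issue is a cross-document check: the `type` of the XCCDF `Value` that a `check-export` element feeds into an OVAL `external_variable` must be compatible with that variable's `datatype`. The following is an added example of such a check, not code from ComplianceAsCode or from scapval. It parses a constructed XCCDF benchmark and two constructed OVAL variable sets (one reproducing the `datatype="string"` definition quoted above, one with `datatype="int"`) and reports every export whose types are incompatible. The compatibility table is a simplified assumption for this example (XCCDF `number` accepts OVAL `int`/`float`, `string` accepts `string`, `boolean` accepts `boolean`); the XCCDF ids under `xccdf_example_*` are made up, only the OVAL variable id is taken from the issue.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Simplified compatibility table (an assumption for this example): the OVAL
# datatypes an XCCDF Value of a given type may be exported to.
COMPATIBLE = {
    "number": {"int", "float"},
    "string": {"string", "evr_string", "version"},
    "boolean": {"boolean"},
}

# Constructed XCCDF fragment: a number-typed Value exported to the OVAL variable
# named in the issue. Ids prefixed xccdf_example_ are hypothetical.
XCCDF_SAMPLE = f"""
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <Value id="xccdf_example_value_var_password_yescrypt_cost_factor_login_defs" type="number">
    <value>5</value>
  </Value>
  <Rule id="xccdf_example_rule_set_password_hashing_yescrypt_cost_factor_logindefs">
    <check system="{OVAL_NS}">
      <check-export value-id="xccdf_example_value_var_password_yescrypt_cost_factor_login_defs"
                    export-name="oval:ssg-var_password_yescrypt_cost_factor_login_defs:var:1"/>
      <check-content-ref href="oval.xml" name="oval:ssg-example:def:1"/>
    </check>
  </Rule>
</Benchmark>
"""

# Constructed OVAL fragment reproducing the offending definition from the issue.
OVAL_BROKEN = f"""
<oval_definitions xmlns="{OVAL_NS}">
  <variables>
    <external_variable id="oval:ssg-var_password_yescrypt_cost_factor_login_defs:var:1"
                       version="1" datatype="string"
                       comment="Variable defining the value the argument should have"/>
  </variables>
</oval_definitions>
"""

# Same fragment with a datatype compatible with the XCCDF number type.
OVAL_FIXED = OVAL_BROKEN.replace('datatype="string"', 'datatype="int"')


def xccdf_value_types(xccdf_xml):
    """Map XCCDF Value id -> declared type; XCCDF defaults the type to 'string'."""
    root = ET.fromstring(xccdf_xml)
    return {v.get("id"): v.get("type", "string")
            for v in root.iter(f"{{{XCCDF_NS}}}Value")}


def xccdf_exports(xccdf_xml):
    """Map exported OVAL variable id -> XCCDF Value id, from every check-export."""
    root = ET.fromstring(xccdf_xml)
    return {e.get("export-name"): e.get("value-id")
            for e in root.iter(f"{{{XCCDF_NS}}}check-export")}


def oval_external_datatypes(oval_xml):
    """Map OVAL external_variable id -> datatype; OVAL defaults it to 'string'."""
    root = ET.fromstring(oval_xml)
    return {v.get("id"): v.get("datatype", "string")
            for v in root.iter(f"{{{OVAL_NS}}}external_variable")}


def find_type_mismatches(xccdf_xml, oval_xml):
    """Return (oval_var_id, xccdf_type, oval_datatype) for every incompatible export.

    An export whose Value or external_variable cannot be resolved is reported with
    None in the missing position, since an unresolved link is also a content bug.
    """
    value_types = xccdf_value_types(xccdf_xml)
    datatypes = oval_external_datatypes(oval_xml)
    mismatches = []
    for oval_id, value_id in xccdf_exports(xccdf_xml).items():
        xccdf_type = value_types.get(value_id)
        oval_type = datatypes.get(oval_id)
        if xccdf_type is None or oval_type is None:
            mismatches.append((oval_id, xccdf_type, oval_type))
        elif oval_type not in COMPATIBLE.get(xccdf_type, set()):
            mismatches.append((oval_id, xccdf_type, oval_type))
    return mismatches


if __name__ == "__main__":
    for label, oval in (("broken", OVAL_BROKEN), ("fixed", OVAL_FIXED)):
        problems = find_type_mismatches(XCCDF_SAMPLE, oval)
        print(f"{label}: {len(problems)} mismatch(es)")
        for oval_id, xccdf_type, oval_type in problems:
            print(f"  {oval_id}: XCCDF type={xccdf_type}, OVAL datatype={oval_type}")
```

Running the check over real built content means loading the benchmark and the OVAL file it references and calling `find_type_mismatches` on both; a non-empty result is exactly the condition scapval reports as SRC-38-1, and changing the exported `datatype` to `int` (as the thread's option 2 would require for a numeric comparison) makes it empty.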

There are two ways we would solve this.

  1. The easy way, set var_password_yescrypt_cost_factor_login_defs to string
  2. Create a custom oval that accounts for numbers. This would allow us to have smarter logic for allowing bigger cost factor than the variable is set to.

Mab879, Jun 06 '25 15:06

Option 1 is good as a patch for the release, option 2 is the right way to do it. Another possible variety of the option 2 is to introduce type and operation parameters to the template.

evgenyz, Jun 08 '25 08:06

This rule is now removed from the STIG profile. It is now in the default profile only.

Mab879, Jun 11 '25 20:06