RHEL8-CIS
Section 5.5.4 limits password reuse even if not required
Describe the Issue
In #232 a problem was raised because the remember option should not be used with the pam_unix.so module, but tasks 5.5.3 and 5.5.4 do use it there. In PR #240, task 5.5.3 was changed to use the pam_pwhistory.so module, and a long comment was added to explain why pam_pwhistory.so is used instead of pam_unix.so.
However, task 5.5.4 "Ensure password hashing algorithm is SHA-512" still limits password reuse with the pam_unix.so module, even though the task has nothing to do with password reuse.
Expected Behavior
Task 5.5.4 "Ensure password hashing algorithm is SHA-512" should only change the hashing algorithm, not limit password reuse.
Actual Behavior
Task 5.5.4 "Ensure password hashing algorithm is SHA-512" consists of two tasks:
- Set the password hashing algorithm to SHA-512
- Limit the password reuse with the pam_unix.so module in /etc/pam.d/password-auth and /etc/pam.d/system-auth.
TASK [ansible-rhel8-cis : 5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf] *************************************
ok: [localhost] => (item={'path': '/etc/libuser.conf', 'regexp': '^crypt_style\\s*=\\s*.*$', 'replace': 'crypt_style = sha512'})
ok: [localhost] => (item={'path': '/etc/login.defs', 'regexp': '^ENCRYPT_METHOD.*', 'replace': 'ENCRYPT_METHOD SHA512'})
TASK [ansible-rhel8-cis : 5.5.4 | PATCH | Ensure password reuse is limited | pwhistory] ****************************************************
--- before: /etc/pam.d/password-auth
+++ after: /etc/pam.d/password-auth
@@ -17,7 +17,7 @@
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
-password sufficient pam_unix.so sha512 shadow nullok use_authtok
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
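Review bot: the `+` line does more than the task name promises. Besides adding `remember=5` to `pam_unix.so` (the reuse limit this issue is about, which belongs on `pam_pwhistory.so` as done for 5.5.3 in #240), it also drops `nullok` and adds `try_first_pass`; neither change concerns the hashing algorithm, and removing `nullok` silently tightens empty-password handling. Suggest restricting this task to ensuring the `sha512` keyword on the `pam_unix.so` password line, e.g. keeping `password sufficient pam_unix.so sha512 shadow nullok use_authtok`, and leaving reuse limits to the pwhistory task.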
changed: [localhost] => (item=/etc/pam.d/password-auth)
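To make the mismatch described above easy to detect on a host, here is an added audit script (not part of the RHEL8-CIS role or this issue) that parses PAM stack lines and reports a `remember=` option on `pam_unix.so` or a missing `sha512` keyword. The two sample file contents are constructed: the first reproduces the "after" state from the diff in this issue, the second is a hypothetical corrected stack where reuse is limited by `pam_pwhistory.so` and `pam_unix.so` only carries `sha512`.

```python
import re

# Constructed sample: the "after" state of /etc/pam.d/password-auth from the issue,
# where task 5.5.4 placed remember=5 on pam_unix.so.
SAMPLE_AFTER_554 = """\
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
"""

# Constructed sample (hypothetical corrected stack): reuse limit lives on
# pam_pwhistory.so, pam_unix.so keeps only the hashing algorithm.
SAMPLE_CORRECTED = """\
# comment lines and blank lines are ignored by the parser

password requisite pam_pwquality.so local_users_only
password required pam_pwhistory.so remember=5 use_authtok
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
"""

# type, control (plain word or bracketed [success=1 default=ignore]), module, args
_PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_lines(text):
    """Return a list of (type, control, module, [args]) tuples for each PAM entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PAM_LINE.match(line)
        if not m:
            continue
        ptype, control, module, rest = m.groups()
        entries.append((ptype, control, module, rest.split()))
    return entries


def audit_password_stack(text):
    """Check the 'password' stack: sha512 must be on pam_unix.so and remember=
    must only appear on pam_pwhistory.so. Returns a list of finding strings."""
    findings = []
    for ptype, _control, module, args in parse_pam_lines(text):
        if ptype != "password":
            continue
        has_remember = any(a.startswith("remember=") for a in args)
        if module == "pam_unix.so":
            if "sha512" not in args:
                findings.append("pam_unix.so password line lacks sha512")
            if has_remember:
                findings.append("remember= set on pam_unix.so; use pam_pwhistory.so instead")
        elif has_remember and module != "pam_pwhistory.so":
            findings.append(f"remember= set on unexpected module {module}")
    return findings


if __name__ == "__main__":
    for name, content in (("after-5.5.4", SAMPLE_AFTER_554), ("corrected", SAMPLE_CORRECTED)):
        print(name, audit_password_stack(content) or ["ok"])
```

On a real host the same function can be fed the contents of /etc/pam.d/password-auth and /etc/pam.d/system-auth; an empty result means the hashing setting and the reuse limit are on the modules the CIS tasks intend.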
Control(s) Affected
- v8 3.11 Encrypt Sensitive Data at Rest
- v7 16.4 Encrypt or Hash all Authentication Credentials
Environment (please complete the following information):
- branch being used: tag 2.6.0 (bc4cdf885ce563ec9682caf65131bda9cb38277e)
- Ansible Version: 4.0.0 (core 2.11.12)
- Host Python Version: Python 3.11.5
- Ansible Server Python Version: Python 3.6.8
- Additional Details:
Additional Notes
Possible Solution
Remove the task "5.5.4 | PATCH | Ensure password reuse is limited | pwhistory".