CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

Changes needed in AUTH-9230 #1352

Open borislavba opened 1 year ago

borislavba commented 1 year ago

SHA_CRYPT_{MIN,MAX}_ROUNDS are checked when ENCRYPT_METHOD is not SHA256/512 (e.g. Fedora 37's default is Yescrypt). According to the comments in /etc/login.defs they are used only when ENCRYPT_METHOD is SHA256/512. Maybe the checks should be rewritten according to the ENCRYPT_METHOD selected.

Also note this: In Fedora's login.defs there's this: "Currently SHA_CRYPT_MIN_ROUNDS is not supported" In ArchLinux there is no such comment... So I'm a bit confused if the SHA_CRYPT_MIN_ROUNDS should be checked or not.

vk6xebec commented 1 year ago

Make sure the MIN and MAX ROUNDS are uncommented. Lynis will not throw an error. The system will ignore those fields.

MFTabriz commented 10 months ago

> Make sure the MIN and MAX ROUNDS are uncommented. Lynis will not throw an error. The system will ignore those fields.

I thought it goes without saying: Lynis should not propose changes which will be ignored by system.
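As an added example that is not part of this thread or of Lynis's own AUTH-9230 code, the following POSIX shell check implements the behaviour the opening post and the last comment ask for: read ENCRYPT_METHOD from a login.defs file first, and only evaluate SHA_CRYPT_MIN_ROUNDS / SHA_CRYPT_MAX_ROUNDS when the method is SHA256 or SHA512, so that no suggestion is made for settings the system would ignore. The 5000-round floor, the status words, the helper names and the sample files are all assumptions made for this example (5000 is glibc's sha-crypt default, not a Lynis threshold).

```shell
#!/bin/sh
# Added example, not Lynis code: decide whether SHA_CRYPT_{MIN,MAX}_ROUNDS
# in a login.defs file should be evaluated at all, based on ENCRYPT_METHOD.

# Effective value of a login.defs key. Commented lines are skipped because
# "#KEY" (or "#") never equals KEY in awk's first field; last assignment wins.
logindefs_get() {
    # $1 = login.defs path, $2 = key name
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Report on SHA_CRYPT rounds for the login.defs file in $1. Prints one word:
#   NOT_APPLICABLE  ENCRYPT_METHOD is not SHA256/SHA512 (e.g. YESCRYPT); the
#                   rounds keys are ignored by the system, so do not suggest them
#   MISSING         SHA256/SHA512 selected but no rounds configured
#   WEAK            configured minimum is below the floor in $2 (assumed 5000)
#   OK              configured and at or above the floor
check_sha_crypt_rounds() {
    file="$1"
    floor="${2:-5000}"
    method=$(logindefs_get "$file" ENCRYPT_METHOD)
    case "$method" in
        SHA256|SHA512) ;;
        *) echo NOT_APPLICABLE; return 0 ;;
    esac
    min=$(logindefs_get "$file" SHA_CRYPT_MIN_ROUNDS)
    max=$(logindefs_get "$file" SHA_CRYPT_MAX_ROUNDS)
    if [ -z "$min" ] && [ -z "$max" ]; then
        echo MISSING
        return 0
    fi
    # Design choice for this example: if only one of the two keys is set,
    # treat that value as the configured minimum.
    effective="${min:-$max}"
    if [ "$effective" -lt "$floor" ]; then
        echo WEAK
    else
        echo OK
    fi
    return 0
}

# Write a constructed sample login.defs (not a real distribution default).
# $1 = destination path, $2 = ENCRYPT_METHOD, $3 = rounds, or "" to leave the
# rounds keys commented out as shipped defaults often are.
write_sample_logindefs() {
    {
        echo "# constructed sample login.defs"
        echo "ENCRYPT_METHOD $2"
        if [ -n "$3" ]; then
            echo "SHA_CRYPT_MIN_ROUNDS $3"
            echo "SHA_CRYPT_MAX_ROUNDS $3"
        else
            echo "#SHA_CRYPT_MIN_ROUNDS 5000"
            echo "#SHA_CRYPT_MAX_ROUNDS 5000"
        fi
    } > "$1"
}

# Stand-alone run over four constructed files.
tmp=$(mktemp -d)
write_sample_logindefs "$tmp/yescrypt.defs" YESCRYPT ""
write_sample_logindefs "$tmp/sha512-unset.defs" SHA512 ""
write_sample_logindefs "$tmp/sha512-hardened.defs" SHA512 65536
write_sample_logindefs "$tmp/sha256-weak.defs" SHA256 1000
for f in yescrypt sha512-unset sha512-hardened sha256-weak; do
    printf '%s: %s\n' "$f" "$(check_sha_crypt_rounds "$tmp/$f.defs")"
done
rm -rf "$tmp"
```

Only the SHA256/SHA512 branch ever produces a finding, which is the point raised in the thread: for a Yescrypt system the rounds keys are reported as not applicable rather than as a hardening gap.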