CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

Changes needed in AUTH-9230 #1352

Open borislavba opened 1 year ago

borislavba commented 1 year ago

SHACRYPT{MIN,MAX}_ROUNDS are checked when ENCRYPT_METHOD is not SHA256/512 (e.g. Fedora 37's default is Yescrypt). According to the comments in /etc/login.defs they are used only when ENCRYPT_METHOD is SHA256/512. Maybe the checks should be rewritten according to the ENCRYPT_METHOD selected.

Also note this: In Fedora's login.defs there's this: "Currently SHA_CRYPT_MIN_ROUNDS is not supported" In ArchLinux there is no such comment... So I'm a bit confused if the SHA_CRYPT_MIN_ROUNDS should be checked or not.
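To make the point concrete, here is a small POSIX shell check written for this thread; it is not Lynis's AUTH-9230 code. It reads the effective (uncommented) ENCRYPT_METHOD from a login.defs file and only evaluates SHA_CRYPT_MIN_ROUNDS / SHA_CRYPT_MAX_ROUNDS when that method is SHA256 or SHA512, reporting NOT_APPLICABLE otherwise. The status names, the 5000-round threshold and the sample configurations are assumptions made for the example, not Lynis constants or real distribution files.

```shell
#!/bin/sh
# Added example (not Lynis code): judge SHA_CRYPT_{MIN,MAX}_ROUNDS only when
# ENCRYPT_METHOD actually uses them, as the /etc/login.defs comments state.

# Print the effective value of a login.defs key ($2) from file ($1).
# Commented lines ("#KEY value") never match because $1 starts with '#'.
# The last uncommented assignment wins; prints nothing when the key is unset.
logindefs_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Print one of NOT_APPLICABLE, UNSET, WEAK, OK for the file in $1.
check_sha_rounds() {
    file="$1"
    method=$(logindefs_value "$file" ENCRYPT_METHOD)
    case "$method" in
        SHA256|SHA512) ;;                          # rounds apply to these only
        *) echo "NOT_APPLICABLE"; return 0 ;;      # e.g. YESCRYPT, DES, MD5
    esac
    min=$(logindefs_value "$file" SHA_CRYPT_MIN_ROUNDS)
    max=$(logindefs_value "$file" SHA_CRYPT_MAX_ROUNDS)
    if [ -z "$min" ] && [ -z "$max" ]; then
        echo "UNSET"; return 0                     # glibc default applies
    fi
    # Assumed threshold for this example: anything below 5000 rounds is weak.
    for v in $min $max; do
        if [ "$v" -lt 5000 ] 2>/dev/null; then
            echo "WEAK"; return 0
        fi
    done
    echo "OK"
}

# Constructed sample configurations (illustrative, not copied from any distro).
SAMPLE_YESCRYPT='ENCRYPT_METHOD YESCRYPT
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000'

SAMPLE_SHA512_WEAK='ENCRYPT_METHOD SHA512
#SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 1000'

SAMPLE_SHA512_OK='ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 10000'

# Run the check on an inline sample without touching /etc/login.defs.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    check_sha_rounds "$tmp"
    rm -f "$tmp"
}

# Usage: sh check_rounds.sh /etc/login.defs
if [ -n "$1" ] && [ -r "$1" ]; then
    check_sha_rounds "$1"
fi
```

With the YESCRYPT sample the rounds are never examined, which is the behaviour the report asks for: a hardening suggestion about SHA rounds is only meaningful when the configured method consults them.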

vk6xebec commented 1 year ago

Make sure the MIN and MAX ROUNDS are uncommented. Lynis will not throw an error. The system will ignore those fields.

MFTabriz commented 1 year ago

Make sure the MIN and MAX ROUNDS are uncommented. Lynis will not throw an error. The system will ignore those fields.

I thought it goes without saying: Lynis should not propose changes which will be ignored by the system.