ansible-lockdown / DEBIAN11-CIS

DEBIAN11-CIS Ansible Role
MIT License

Only yescrypt is accepted as hashing algorithm #9

Closed fgierlinger closed 3 weeks ago

fgierlinger commented 2 months ago

Describe the Issue: The task "_Check debian11cis_grubuser password variable has been changed | if password blank or incorrect type and not being set" in tasks/main.yml checks if the password contains $y$. This prefix signifies a yescrypt hashed password. But the CIS hardening guide specifies that either SHA512 or yescrypt are acceptable hashing algorithms.

https://github.com/ansible-lockdown/DEBIAN11-CIS/blob/e2b418df1ef701ebc6ef7760ea20a0dea090ad1d/tasks/main.yml#L69-L75

Expected Behavior: All hashing algorithms stated in the hardening guide should be accepted. The task should check for either a $6$ prefix (SHA-512) or a $y$ prefix (yescrypt).

Actual Behavior: Only yescrypt is accepted as hashing algorithm.

Control(s) Affected: 5.4.1.4 Ensure strong password hashing algorithm is configured (Automated)

Environment (please complete the following information):
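The prefix check the issue describes, written out as a small validator (added example, not code from the DEBIAN11-CIS role): it parses the crypt(3) `$id$...` prefix and accepts only SHA-512 (`$6$`) and yescrypt (`$y$`), as CIS 5.4.1.4 requires, while naming the algorithm it rejects. The identifier table and the `check_grubuser_passwd` helper are assumptions for illustration; the sample hash values are constructed, not real hashes.

```python
import re

# Assumed mapping of common crypt(3) Modular Crypt Format identifiers to names.
CRYPT_ALGORITHMS = {
    "1": "md5",
    "5": "sha256",
    "6": "sha512",
    "7": "scrypt",
    "2b": "bcrypt",
    "y": "yescrypt",
}
# CIS 5.4.1.4 accepts SHA-512 and yescrypt; everything else is a weak/unknown hash.
ACCEPTED_IDS = {"6", "y"}

# "$<id>$<salt-and-hash>"; the id may be a digit or letters (e.g. "6", "y", "2b").
_MCF_RE = re.compile(r"^\$(?P<id>[A-Za-z0-9]+)\$(?P<rest>.+)$")


def classify_password_hash(value):
    """Return (algorithm_name, accepted, reason) for a crypt-style password hash."""
    if value is None or value.strip() == "":
        return (None, False, "password hash is blank")
    m = _MCF_RE.match(value.strip())
    if not m:
        return (None, False, "not a crypt(3) hash (plain text or unknown format)")
    ident = m.group("id")
    name = CRYPT_ALGORITHMS.get(ident, "unknown($%s$)" % ident)
    if ident in ACCEPTED_IDS:
        return (name, True, "accepted by CIS 5.4.1.4")
    return (name, False, "%s is not an accepted strong hashing algorithm" % name)


def check_grubuser_passwd(value):
    """Hypothetical mirror of the role's precondition: True only for $6$ or $y$ hashes."""
    return classify_password_hash(value)[1]


if __name__ == "__main__":
    # Constructed sample values (not real hashes) covering both accepted prefixes
    # plus the cases the task is meant to reject.
    samples = [
        "$y$j9T$constructedsalt$constructedhashvalue",   # yescrypt: accepted
        "$6$constructedsalt$constructedhashvalue",       # SHA-512: accepted
        "$1$constsalt$constructedhashvalue",             # md5: rejected
        "",                                              # blank: rejected
        "PlainTextPassword",                             # not a hash: rejected
    ]
    for s in samples:
        print(repr(s), "->", classify_password_hash(s))
```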

uk-bolly commented 1 month ago

hi @fgierlinger

Thank you for taking the time to highlight this issue. I am raising a PR which should fix this issue and hope to get merged into devel asap.

Many thanks

uk-bolly

uk-bolly commented 3 weeks ago

hi @fgierlinger

Thank you again for your time regarding this issue. You should find that this fix was merged into devel and is now in the main branch. I will close this issue, please feel free to reopen if this is not resolved as expected.

Many thanks

uk-bolly