ansible-lockdown / RHEL8-CIS

Ansible role for Red Hat 8 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

remediation is missing for * in the second field of the shadow file #353

Closed bbaassssiiee closed 7 months ago

bbaassssiiee commented 7 months ago

A new assert was introduced in tasks/main.yml, but the .

https://github.com/ansible-lockdown/RHEL8-CIS/blob/6d850c594ba7917ce6c9dfff940c705fd34034f7/tasks/main.yml#L56

No root password

With * in the second field of the shadow file, as the shadow manual page says, the command passwd -S root yields:

root LK 2020-08-31 0 99999 7 -1 (Alternate authentication scheme in use.)

(not Password locked)

This caused the play to fail in my Packer job on Azure

In Azure the root password should be locked or else it is removed in the build process.

How to lock the root password?

passwd -l root will not lock the password, only a delete followed by a lock will:

passwd -d root;passwd -l root

man 5 shadow

       encrypted password
           Refer to crypt(3) for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

           This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the password field is empty.

           A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
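As an added illustration (not code from the issue, the RHEL8-CIS role, or the passwd package), the POSIX shell script below classifies the second field of shadow(5) entries the way the man page excerpt above describes them, and models the delete-then-lock sequence from the issue without calling passwd or touching the real /etc/shadow. The sample entries, the account names and the helper names are constructed for the example; the "locked" / "alternate" labels follow the passwd -S messages quoted in the issue, and a given passwd build may print something different for edge cases.

```shell
#!/bin/sh
# Added example (not the issue's or the role's code): classify the second
# field of shadow(5) entries as the man page describes, and model the
# `passwd -d root; passwd -l root` remedy without touching /etc/shadow.
# SAMPLE_SHADOW is constructed sample data, not a real shadow file.

SAMPLE_SHADOW='root:*:18505:0:99999:7:::
svc:!$6$saltsalt$hashhashhash:18505:0:99999:7:::
guest::18505:0:99999:7:::
alice:$6$saltsalt$hashhashhash:18505:0:99999:7:::'

# shadow_status FIELD
# Prints one word for the password field:
#   empty     - no password required to authenticate
#   locked    - leading '!', what passwd -l writes ("Password locked.")
#   alternate - exactly '*', reported as "Alternate authentication scheme in use."
#   password  - a crypt(3) hash usable for unix password login
#   invalid   - any other non-crypt(3) string; no unix password login
shadow_status() {
    case "$1" in
        '')    echo empty ;;
        '!'*)  echo locked ;;
        '*')   echo alternate ;;
        '$'*)  echo password ;;
        *)     echo invalid ;;
    esac
}

# account_field USER SHADOW_TEXT -> the second field of USER's entry
account_field() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# account_status USER SHADOW_TEXT -> classification of USER's password field
account_status() {
    shadow_status "$(account_field "$1" "$2")"
}

# delete_then_lock FIELD -> the field after `passwd -d` (empties it) and
# `passwd -l` (prefixes '!'), which is always '!' whatever FIELD was.
# This models the remedy from the issue; it does not call passwd.
delete_then_lock() {
    remaining=''        # passwd -d: the previous value ($1) is discarded
    echo "!$remaining"  # passwd -l: '!' prepended to the now-empty field
}

# report SHADOW_TEXT -> one line per account: name and classification
report() {
    printf '%s\n' "$1" | while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        printf '%-8s %s\n' "$user" "$(shadow_status "$field")"
    done
}

report "$SAMPLE_SHADOW"
# root starts as '*' (alternate); after delete+lock it is '!' (locked)
printf 'root after delete+lock: %s\n' \
    "$(shadow_status "$(delete_then_lock "$(account_field root "$SAMPLE_SHADOW")")")"
```

Run it as-is to see the constructed entries classified; to check a real host, pipe `sudo cat /etc/shadow` into `report` instead of `$SAMPLE_SHADOW`. The point the script makes explicit is the one the issue turns on: `*` and `!` are both non-crypt(3) values that prevent password login, but only the `!` form is what `passwd -l` produces, so a check that looks for "Password locked" will not accept a root entry that carries `*`.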
bbaassssiiee commented 7 months ago

I tested this, and it works. Thanks as always! 🤠