ansible-lockdown / UBUNTU22-CIS-Audit

Audit for Ubuntu 22 CIS
MIT License

Audit 1.4.3 | Ensure authentication required for single user mode fails when root password is set using yescrypt (now default in Ubuntu 22.x) #18

Closed LoZZoL closed 11 months ago

LoZZoL commented 1 year ago

Describe the Issue
Audit 1.4.3 | Ensure authentication required for single user mode runs the following grep regex against /etc/shadow: grep -Eq '^root:\$[0-9]' /etc/shadow || echo "Root is locked", which is identical to the recommendation from CIS.

However, if the root password is set but encrypted with Yescrypt, the above grep statement will fail and give a false negative to the audit.

Expected Behavior
Audit 1.4.3 should not fail if the root password has been set.

Actual Behavior
If encrypted using Yescrypt (and stored in /etc/shadow beginning: root:$y$) the audit fails.

Control(s) Affected
1.4.3

Environment (please complete the following information):

Possible Solution
Change test to: grep -Eq '^root:\$[0-9y]' /etc/shadow || echo "Root is locked" to support Yescrypt.
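The false negative described in this issue can be reproduced without touching a real /etc/shadow. The script below is an added example, not code from the ansible-lockdown project or from the issue author: it places the shipped CIS regex beside the regex proposed above and runs both over constructed shadow entries (the hash bodies are placeholders, not real hashes). The file names, the `make_sample` helper and the `root_password_state` function are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the ansible-lockdown UBUNTU22-CIS-Audit project.
# It places the CIS 1.4.3 regex beside the regex proposed in this issue and runs
# both over constructed /etc/shadow entries (the hash bodies are placeholders,
# not real hashes) so the yescrypt false negative can be reproduced offline.

# Check as shipped: matches only hash ids that are a single digit ($1$, $5$, $6$).
cis_root_has_password() {
    grep -Eq '^root:\$[0-9]' "$1"
}

# Check proposed in the issue: also matches the $y$ yescrypt prefix.
fixed_root_has_password() {
    grep -Eq '^root:\$[0-9y]' "$1"
}

# Same decision the audit makes ("Root is locked" when nothing matches), using the
# fixed check. Prints "set" or "locked" so a caller can compare the result.
root_password_state() {
    if fixed_root_has_password "$1"; then
        echo set
    else
        echo locked
    fi
}

# Write a two-line constructed shadow file: the given root entry plus one filler entry.
make_sample() {
    printf '%s\n%s\n' "$2" 'daemon:*:19000:0:99999:7:::' > "$1"
}

TMPD=$(mktemp -d)
SHA512_SHADOW="$TMPD/shadow_sha512"      # root:$6$...  (SHA-512 crypt)
YESCRYPT_SHADOW="$TMPD/shadow_yescrypt"  # root:$y$...  (yescrypt, Ubuntu 22.x default)
LOCKED_SHADOW="$TMPD/shadow_locked"      # root:*       (no password at all)
PASSWDL_SHADOW="$TMPD/shadow_passwd_l"   # root:!$y$... (hash kept but locked with passwd -l)
make_sample "$SHA512_SHADOW"   'root:$6$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::'
make_sample "$YESCRYPT_SHADOW" 'root:$y$j9T$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::'
make_sample "$LOCKED_SHADOW"   'root:*:19000:0:99999:7:::'
make_sample "$PASSWDL_SHADOW"  'root:!$y$j9T$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::'

# Stand-alone demo: show where the two regexes disagree.
for f in "$SHA512_SHADOW" "$YESCRYPT_SHADOW" "$LOCKED_SHADOW" "$PASSWDL_SHADOW"; do
    cis=locked;   cis_root_has_password "$f"   && cis=set
    fixed=locked; fixed_root_has_password "$f" && fixed=set
    printf '%-16s cis=%-6s fixed=%s\n' "$(basename "$f")" "$cis" "$fixed"
done
```

Only the yescrypt file separates the two regexes: the shipped check reports it as locked, the proposed one as set. Both checks still report the `passwd -l` case as locked, because `passwd -l` prefixes the stored hash with `!`, so the entry no longer begins with `root:$`; that is the behaviour the control wants. On a real host the function would be pointed at /etc/shadow, which is readable only by root.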

uk-bolly commented 1 year ago

hi @LoZZoL

Thank you for taking the time to raise this issue, and for the further discussions on Discord in resolving these issues. Time like this really does help us to improve the product.

many thanks

uk-bolly