cis-dil-benchmark-1.4.3 'Ensure authentication required for single user mode' inconsistency between Linux flavors

[dlouzan]

Hello, first of all thanks for the great project, Siemens fans here 👍

While importing the benchmark baseline for some internal tests, we have found that rule cis-dil-benchmark-1.4.3 tests fail on some specific Linux flavors, and we are not sure whether this is a wrong / incomplete benchmark test, or a valid failure.

• cis-dil-benchmark-1.4.3 expects the password entry not to be exactly equal to ! or *
• Debian sets by default in the cloud images the root /etc/shadow password to *. This fails validation.
• Fedora cloud images otoh sets it to !locked, which passes validation.
• But perhaps the CIS test should test for anything prefixed by ! or an exact *

• Standard tooling reports them as being exactly the same state locked

  • Fedora 36:

    
    # cat /etc/redhat-release
    Fedora release 36 (Thirty Six)

  grep root /etc/shadow

  root:!locked::0:99999:7:::

  passwd -S root

  root LK 1969-12-31 0 99999 7 -1 (Password locked.)

  
  - Debian 11:
  ```shell-session
  # cat /etc/debian_version
  11.6
  
  # grep root /etc/shadow
  root:*:19345:0:99999:7:::
  
  # passwd -S root
  root L 12/19/2022 0 99999 7 -1
  
  # passwd -l root
  passwd: password expiry information changed.
  
  # grep root /etc/shadow
  root:!*:19345:0:99999:7:::
  
  # passwd -S root
  root L 12/19/2022 0 99999 7 -1    

The man page says:

# man 5 shadow
...
       encrypted password
           This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the
           password field is empty.

           A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

           Refer to crypt(3) for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).
...

So we're not sure if this is a wrong test in CIL or the behaviour is indeed different between both /etc/shadow states. Should !* be valid too? (actually anything !-prefixed)

Could you guys shed some light here? Thanks!