From b45d49402608a9d5485a320dc9ea5f09aa276ecf Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 12 Feb 2024 11:25:27 -0600
Subject: [PATCH 1/2] Add 11 rounds to var_password_pam_unix_rounds
This will be used for things like yescript.
---
 .../password_storage/var_password_pam_unix_rounds.var | 1 +
 1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var
index 88344e41497..d2b1522a646 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var
@@ -16,3 +16,4 @@ options:
 default: 5000
 5000: 5000
 65536: 65536
+ 11: 11
From fb8dc971116ce70a8e64cab7a1c35bf060a6a8b7 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 12 Feb 2024 13:13:27 -0600
Subject: [PATCH 2/2] Update ANSSI R68
Remove to yescript Add pwquality rules to match the obsure flag
---
 controls/anssi.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index e83849f97ef..aeaa4412050 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
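Review bot: The new `11: 11` option gives this variable a value whose meaning depends on the selected hashing algorithm: `5000` and `65536` are SHA-crypt iteration counts, while `11` only reads correctly as the yescrypt cost factor that pam_unix's `rounds=` option takes when `var_password_hashing_algorithm=yescrypt` is selected; applied to SHA-512 the same number would be an iteration count far below the existing 5000 default (libcrypt, as far as I recall, raises such values to its own minimum, but the configured intent would still be wrong). If the variable's description (outside this hunk) only speaks of SHA-crypt rounds, it should state that the accepted range and meaning change per algorithm, and a comment beside the option such as `# yescrypt cost factor for pam_unix rounds=, not a SHA-crypt iteration count` would keep the distinction visible to whoever selects it.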
@@ -1283,14 +1283,15 @@ controls:
 The selection of rules doesn't cover the use of hardware devices to protect the passwords.
 status: supported
 rules:
- # ENCRYPT_METHOD, system default is SHA512
+ - var_password_hashing_algorithm=yescrypt
 - set_password_hashing_algorithm_systemauth
- # The default salt size is secure enough:
- # https://bugzilla.redhat.com/show_bug.cgi?id=1229472
- # SHA_CRYPT_MIN_ROUNDS 65536
- - var_password_pam_unix_rounds=65536
+ - var_password_pam_unix_rounds=11
 - accounts_password_pam_unix_rounds_system_auth
 - accounts_password_pam_unix_rounds_password_auth
+ - accounts_password_pam_minclass
+ - accounts_password_pam_minlen
+ - accounts_password_pam_retry
+ - var_password_pam_minclass=4
 - id: R69
 title: Securing access to remote user databases
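Review bot: The added `accounts_password_pam_minlen` and `accounts_password_pam_retry` rules are selected without pinning `var_password_pam_minlen` or `var_password_pam_retry`, so unlike minclass (pinned by `var_password_pam_minclass=4` on the following line) their enforced values come from whatever the profile inherits, and the control does not record what R68 actually requires; add the selections beside the minclass one, e.g. `- var_password_pam_minlen=<ANSSI-required length>` and `- var_password_pam_retry=<ANSSI-required count>`, or a comment saying the defaults are intended. The removed comment block explained why 65536 rounds was chosen and nothing replaces it, while `var_password_pam_unix_rounds=11` only makes sense together with `var_password_hashing_algorithm=yescrypt` selected a few lines above — on a platform whose pam_unix or libcrypt lacks yescrypt the same number would be applied as a SHA-512 iteration count. A comment such as `# 11 is the yescrypt cost factor for pam_unix rounds=, not SHA-crypt iterations` above the rounds line would preserve the rationale. The R68 control itself starts outside this hunk, so the title/description that should mention the yescrypt choice are not visible here.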