
Section 5.5.4 limits password reuse even if not required #379

Closed
fgierlinger opened this issue Jun 1, 2024 · 2 comments
@fgierlinger

Describe the Issue
In #232 a problem was raised because the remember option should not be used with the pam_unix.so module, but tasks 5.5.3 and 5.5.4 do. In PR #240, task 5.5.3 was changed to use the pam_pwhistory.so module. A long comment has also been added to explain why pam_pwhistory.so is used instead of pam_unix.so.

However, task 5.5.4 Ensure password hashing algorithm is SHA-512 still limits password reusability with the pam_unix.so module, even though the task has nothing to do with password reuse.

Expected Behavior
Task 5.5.4 Ensure password hashing algorithm is SHA-512 should only change the hashing algorithm, not limit password reuse.

Actual Behavior
The task 5.5.4 Ensure password hashing algorithm is SHA-512 has 2 tasks:

  1. Set the password hashing algorithm to SHA-512
  2. Limit the password reuse with the pam_unix.so module in /etc/pam.d/password-auth and /etc/pam.d/system-auth.
TASK [ansible-rhel8-cis : 5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf] *************************************
ok: [localhost] => (item={'path': '/etc/libuser.conf', 'regexp': '^crypt_style\\s*=\\s*.*$', 'replace': 'crypt_style = sha512'})
ok: [localhost] => (item={'path': '/etc/login.defs', 'regexp': '^ENCRYPT_METHOD.*', 'replace': 'ENCRYPT_METHOD SHA512'})

TASK [ansible-rhel8-cis : 5.5.4 | PATCH | Ensure password reuse is limited | pwhistory] ****************************************************
--- before: /etc/pam.d/password-auth
+++ after: /etc/pam.d/password-auth
@@ -17,7 +17,7 @@
 account     required                                     pam_permit.so
 
 password    requisite                                    pam_pwquality.so local_users_only
-password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
+password    sufficient                                   pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
 password    [success=1 default=ignore]                   pam_localuser.so
 password    sufficient                                   pam_sss.so use_authtok
 password    required                                     pam_deny.so
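Review bot: the `remember=5` added to the pam_unix.so line in this hunk is the reuse control that, per #232 and PR #240, should live on pam_pwhistory.so; a task named "Ensure password hashing algorithm is SHA-512" should not add it, and the task name "| pwhistory" does not match the module the hunk actually edits. The same line also drops `nullok` and adds `try_first_pass`, neither of which the hashing task advertises; if those are intended hardening they belong in a task whose name says so, otherwise the line should only set the hashing algorithm, and since the line already carried `sha512` before the patch this hunk is effectively a no-op for 5.5.4.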

changed: [localhost] => (item=/etc/pam.d/password-auth)

Control(s) Affected
v8 3.11 Encrypt Sensitive Data at Rest
v7 16.4 Encrypt or Hash all Authentication Credentials

Environment (please complete the following information):

  • branch being used: tag 2.6.0 (bc4cdf8)
  • Ansible Version: 4.0.0 (core 2.11.12)
  • Host Python Version: Python 3.11.5
  • Ansible Server Python Version: Python 3.6.8
  • Additional Details:

Additional Notes

Possible Solution
Remove the task "5.5.4 | PATCH | Ensure password reuse is limited | pwhistory"
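An added check (not part of the ansible role or this issue) that parses a PAM password stack and reports exactly the mix-up described above: `sha512` should sit on pam_unix.so, while `remember=N` should sit on pam_pwhistory.so. Both sample stacks are constructed; BAD_STACK mirrors the "after" state of the diff, GOOD_STACK shows the pam_pwhistory.so layout that PR #240 adopted for 5.5.3.

```python
"""Audit a PAM password stack for the mix-up this issue describes: the hash
algorithm (sha512) belongs on pam_unix.so, while reuse limiting (remember=N)
belongs on pam_pwhistory.so. Added example, not part of the ansible role."""
import re

# Constructed: mirrors the "after" state of the diff in this issue.
BAD_STACK = """\
password    requisite     pam_pwquality.so local_users_only
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    [success=1 default=ignore]  pam_localuser.so
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
"""
# Constructed: reuse handled by pam_pwhistory.so, hashing alone on pam_unix.so.
GOOD_STACK = """\
password    requisite     pam_pwquality.so local_users_only
password    required      pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
"""

# type, control (single word or [bracketed]), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_password_stack(text):
    """Return [(module, [args...])] for non-comment lines of type 'password'."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if m and m.group(1) == "password":
            stack.append((m.group(3), m.group(4).split()))
    return stack


def audit_password_stack(text):
    """Return findings; an empty list means the stack matches 5.5.3 and 5.5.4."""
    stack = parse_password_stack(text)
    findings = []
    unix = [a for mod, a in stack if mod == "pam_unix.so"]
    hist = [a for mod, a in stack if mod == "pam_pwhistory.so"]
    if not any("sha512" in a for a in unix):
        findings.append("5.5.4: no pam_unix.so password line carries sha512")
    # remember= on pam_unix.so is the very thing #232 flagged
    findings += [f"reuse limit {o} set on pam_unix.so; belongs on pam_pwhistory.so"
                 for a in unix for o in a if o.startswith("remember=")]
    if not any(o.startswith("remember=") for a in hist for o in a):
        findings.append("5.5.3: no pam_pwhistory.so line with remember=N")
    return findings
```

Run `audit_password_stack(open("/etc/pam.d/password-auth").read())` on a host to see which of the two tasks actually shaped the stack.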

@fgierlinger fgierlinger added the bug Something isn't working label Jun 1, 2024
@uk-bolly uk-bolly self-assigned this Jun 18, 2024
uk-bolly added a commit that referenced this issue Jun 18, 2024
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Member

hi @fgierlinger

Thank you for this issue, I can see you are referring to the older benchmark version 2.0.0.
CIS v3.0 was released a while ago.
I have therefore added these fixes to a new locked branch called benchamrk_v2.0.0.

I hope this helps.

Many thanks

uk-bolly

@uk-bolly
Member

hi @fgierlinger

Thank you again for your time regarding this issue. You should find that this fix was merged into devel and is now in the main branch. I will close this issue, please feel free to reopen if this is not resolved as expected.

Many thanks

uk-bolly
