Merge pull request ComplianceAsCode#12127 from marcusburghardt/anssi_rounds

Change default hashing algorithm settings in ANSSI profiles for RHEL

Author: vojtapolasek

linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var

@@ -16,4 +16,4 @@ options:
     default: SHA512
     SHA512: SHA512
     SHA256: SHA256
-    yescrypt: yescrypt
+    yescrypt: YESCRYPT

linux_os/guide/system/accounts/accounts-restrictions/password_storage/var_password_pam_unix_rounds.var

@@ -3,7 +3,7 @@ documentation_complete: true
 title: Password Hashing algorithm
 
 description: |-
-    Specify the number of SHA rounds for the system password encryption algorithm.
+    Specify the number of rounds for the system password encryption algorithm.
     Defines the value set in <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>
 
 type: number

products/rhel8/profiles/anssi_bp28_enhanced.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
     - anssi:all:enhanced
+    - var_password_hashing_algorithm=SHA512
+    - var_password_pam_unix_rounds=65536
     - '!timer_logrotate_enabled'
     # Following rules once had a prodtype incompatible with the rhel8 product
     - '!cracklib_accounts_password_pam_minlen'

products/rhel8/profiles/anssi_bp28_high.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
     - anssi:all:high
+    - var_password_hashing_algorithm=SHA512
+    - var_password_pam_unix_rounds=65536
     # the following rule renders UEFI systems unbootable
     - '!sebool_secure_mode_insmod'
     - '!timer_logrotate_enabled'

products/rhel8/profiles/anssi_bp28_intermediary.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
   - anssi:all:intermediary
+  - var_password_hashing_algorithm=SHA512
+  - var_password_pam_unix_rounds=65536
   # Following rules once had a prodtype incompatible with the rhel8 product
   - '!cracklib_accounts_password_pam_minlen'
   - '!accounts_passwords_pam_tally2_deny_root'

products/rhel8/profiles/anssi_bp28_minimal.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
   - anssi:all:minimal
+  - var_password_hashing_algorithm=SHA512
+  - var_password_pam_unix_rounds=65536
   # Following rules once had a prodtype incompatible with the rhel8 product
   - '!cracklib_accounts_password_pam_minlen'
   - '!accounts_passwords_pam_tally2_deny_root'

products/rhel9/profiles/anssi_bp28_enhanced.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
     - anssi:all:enhanced
+    - var_password_hashing_algorithm=SHA512
+    - var_password_pam_unix_rounds=65536
     # Following rules once had a prodtype incompatible with the rhel9 product
     - '!partition_for_opt'
     - '!accounts_passwords_pam_tally2_deny_root'

products/rhel9/profiles/anssi_bp28_high.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
     - anssi:all:high
+    - var_password_hashing_algorithm=SHA512
+    - var_password_pam_unix_rounds=65536
     # the following rule renders UEFI systems unbootable
     - '!sebool_secure_mode_insmod'
     # Following rules once had a prodtype incompatible with the rhel9 product

products/rhel9/profiles/anssi_bp28_intermediary.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
   - anssi:all:intermediary
+  - var_password_hashing_algorithm=SHA512
+  - var_password_pam_unix_rounds=65536
   # Following rules once had a prodtype incompatible with the rhel9 product
   - '!partition_for_opt'
   - '!cracklib_accounts_password_pam_minlen'

products/rhel9/profiles/anssi_bp28_minimal.profile

@@ -21,6 +21,8 @@ description: |-
 
 selections:
   - anssi:all:minimal
+  - var_password_hashing_algorithm=SHA512
+  - var_password_pam_unix_rounds=65536
   # Following rules once had a prodtype incompatible with the rhel9 product
   - '!cracklib_accounts_password_pam_minlen'
   - '!accounts_passwords_pam_tally2_deny_root'