Add a warning about hashing algorithms #14231

Merged
Mab879 merged 1 commit into ComplianceAsCode:master from jan-cerny:hashing_cis
Dec 11, 2025

@jan-cerny
Collaborator

CIS Benchmarks for all RHEL versions (8, 9, 10) permit using both sha512 and yescrypt algorithms for password hashing. However, users shouldn't mix them to use both at once. Users should choose one of them and use it consistently. Therefore, our rules need to specify a single specific algorithm. Users can switch to the other one in their profiles by changing the value of the var_password_hashing_algorithm_pam variable in tailoring files. We will add a warning to these rules to explain this situation to users.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6100

CIS Benchmarks for all RHEL versions (8, 9, 10) permit using both sha512
and yescrypt algorithms for password hashing. However, users shouldn't
mix them to use both at once. Users should choose one of them and use it
consistently. Therefore, our rules need to specify a single specific
algorithm. Users can switch to the other one in their profiles by
changing the value of the `var_password_hashing_algorithm_pam` variable
in tailoring files. We will add a warning to these rules to explain
this situation to users.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6100
@jan-cerny jan-cerny added this to the 0.1.80 milestone Dec 11, 2025
@jan-cerny jan-cerny added RHEL9 Red Hat Enterprise Linux 9 product related. RHEL8 Red Hat Enterprise Linux 8 product related. CIS CIS Benchmark related. RHEL10 Red Hat Enterprise Linux 10 product related. labels Dec 11, 2025
@Mab879 Mab879 self-assigned this Dec 11, 2025
@openshift-ci

openshift-ci Bot commented Dec 11, 2025

@jan-cerny: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 0f9b866 | link | true | /test e2e-aws-openshift-node-compliance |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Mab879 Mab879 merged commit 0cce367 into ComplianceAsCode:master Dec 11, 2025
136 of 140 checks passed
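
A consistency check for the situation the pull request describes, added here as an example (it is not code from ComplianceAsCode). It assumes the algorithm is configured through `ENCRYPT_METHOD` in `login.defs` and the `pam_unix.so` options in the PAM stack, that `expected` mirrors the value chosen for `var_password_hashing_algorithm_pam`, and it runs on constructed sample file contents.

```python
import re

# crypt(3) hash prefixes for the two algorithms the CIS Benchmarks permit.
PREFIXES = {"$6$": "sha512", "$y$": "yescrypt"}
ALGOS = set(PREFIXES.values())

# Constructed sample file contents (hash fields are fake placeholders).
LOGIN_DEFS = "UMASK 022\nENCRYPT_METHOD SHA512\n"
PAM = ("password requisite pam_pwquality.so\n"
       "password sufficient pam_unix.so yescrypt shadow use_authtok\n")
SHADOW = ("root:$6$constructedsalt$fakehash:19000:0:99999:7:::\n"
          "alice:$y$j9T$constructedsalt$fakehash:19000:0:99999:7:::\n"
          "bin:*:19000::::::\n")

def login_defs_algo(text):
    """Return the ENCRYPT_METHOD value (lowercased), or None if unset."""
    m = re.search(r"^\s*ENCRYPT_METHOD\s+(\S+)", text, re.M)
    return m.group(1).lower() if m else None

def pam_unix_algos(text):
    """Return the hashing options given on 'password ... pam_unix.so' lines."""
    found = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0].lstrip("-") == "password" and "pam_unix.so" in fields:
            found |= ALGOS & set(fields)
    return found

def shadow_algos(text):
    """Map each account that has a recognised hash prefix to its algorithm."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        for prefix, algo in PREFIXES.items():
            if len(parts) > 1 and parts[1].startswith(prefix):
                result[parts[0]] = algo
    return result

def audit(login_defs, pam, shadow, expected):
    """List every setting or stored hash that differs from `expected`."""
    findings = []
    ld, pa = login_defs_algo(login_defs), pam_unix_algos(pam)
    if ld != expected:
        findings.append(f"login.defs: ENCRYPT_METHOD is {ld}, expected {expected}")
    if pa != {expected}:
        findings.append(f"pam_unix: hashing options {sorted(pa)}, expected {expected}")
    for user, algo in sorted(shadow_algos(shadow).items()):
        if algo != expected:
            findings.append(f"shadow: {user} has a {algo} hash, expected {expected}")
    return findings
```

Existing hashes are not rewritten when the configured algorithm changes, so a `shadow` finding clears only after that account sets a new password.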