SLES-15-010250 add rule, remediation and tests.

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/bash/shared.sh

@@ -0,0 +1,4 @@
+# platform = multi_platform_sle
+. /usr/share/scap-security-guide/remediation_functions
+
+ensure_pam_module_options '/etc/pam.d/common-auth' 'auth' 'required' 'pam_unix.so' 'sha512' '' ''

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/rule.yml

@@ -0,0 +1,64 @@
+documentation_complete: true
+
+prodtype: sle15
+
+title: "Set PAM's Common Authentication Hashing Algorithm"
+
+description: |-
+    The PAM system service can be configured to only store encrypted
+    representations of passwords. In
+    <tt>/etc/pam.d/common-auth</tt>,
+    the
+    <tt>auth</tt> section of the file controls which PAM modules execute
+    during a password change. Set the <tt>pam_unix.so</tt> module in the
+    <tt>auth</tt> section to include the argument <tt>sha512</tt>, as shown
+    below:
+    <br />
+    <pre>auth   required    pam_unix.so sha512 <i>other arguments...</i></pre>
+    <br />
+    This will help ensure when local users change their authentication method,
+    hashes for the new authentications will be generated using the SHA-512
+    algorithm. This is the default.
+
+rationale: |-
+    Unapproved mechanisms used for authentication to the cryptographic module
+    are not verified and therefore cannot be relied on to provide
+    confidentiality or integrity, and data may be compromised.
+    This setting ensures user and group account administration utilities are
+    configured to store only encrypted representations of passwords.
+    Additionally, the <tt>crypt_style</tt> configuration option ensures the use
+    of a strong hashing algorithm that makes password cracking attacks more
+    difficult.
+
+severity: medium
+
+identifiers:
+    cce@sle15: CCE-85754-0
+
+references:
+    disa: CCI-000803
+    nist: IA-7,IA-7.1
+    srg@sle15: SRG-OS-000120-GPOS-00061
+    vmmsrg@sle15: SRG-OS-000480-VMM-002000
+    stigid@sle15: SLES-15-010250
+
+ocil_clause: 'it does not'
+
+ocil: |-
+    Inspect the contents of <tt>/etc/pam.d/common-auth</tt>
+    and ensure that the <tt>pam_unix.so</tt> module includes the argument
+    <tt>sha512</tt>:
+    <pre>$ grep sha512 /etc/pam.d/common-auth</pre>
+
+platform: pam
+
+template:
+    name: pam_options
+    vars:
+      path: /etc/pam.d/common-auth
+      type: auth
+      control_flag: required
+      module: pam_unix.so
+      arguments:
+        - argument: sha512
+          new_argument: sha512

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_required.fail.sh

@@ -0,0 +1,3 @@
+# platform = SUSE Linux Enterprise 15
+
+echo "auth	optional 	pam_unix.so	try_first_pass sha512" > /etc/pam.d/common-auth

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sha512.fail.sh

@@ -0,0 +1,3 @@
+# platform = SUSE Linux Enterprise 15
+
+echo "auth	required 	pam_unix.so	try_first_pass" > /etc/pam.d/common-auth

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pass.sh

@@ -0,0 +1,3 @@
+# platform = SUSE Linux Enterprise 15
+
+echo "auth	required 	pam_unix.so	try_first_pass sha512" > /etc/pam.d/common-auth

sle15/profiles/stig.profile

@@ -212,6 +212,7 @@ selections:
     - set_password_hashing_algorithm_logindefs
     - set_password_hashing_algorithm_systemauth
     - set_password_hashing_min_rounds_logindefs
+    - set_password_hashing_algorithm_commonauth
     - smartcard_configure_ca
     - smartcard_configure_cert_checking
     - smartcard_pam_enabled