RHEL-08-010130 not mitigated in STIG Ansible playbook #11749

Open
GitYukari opened this issue Mar 23, 2024 · 0 comments
Labels
RHEL (Red Hat Enterprise Linux product related), STIG (STIG Benchmark related)

@GitYukari

Description of problem:

The rhel8-playbook-stig.yml Ansible playbook includes checks and fixes for the STIG: https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230233

The STIG requires SHA_CRYPT_MIN_ROUNDS to be present in the file and set to 5000 or greater.

When the playbook runs, it completes with a result of "OK", even if SHA_CRYPT_MIN_ROUNDS is not present in /etc/login.defs.

Below is the output of the workbook being run against /etc/login.defs where it does not contain SHA_CRYPT_MIN_ROUNDS:

$ ansible-playbook --connection=local --inventory localhost, /usr/share/scap-security-guide/ansible/rhel8-playbook-stig.yml --tags set_password_hashing_min_rounds_logindefs

PLAY [Ansible Playbook for xccdf_org.ssgproject.content_profile_stig] ********************************

TASK [Gathering Facts] *******************************************************************************
ok: [localhost]

TASK [Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MIN_ROUNDS has Minimum Value of 5000] ***
ok: [localhost]

TASK [Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MAX_ROUNDS has Minimum Value of 5000] ***
ok: [localhost]

PLAY RECAP *******************************************************************************************
localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

The playbook does not attempt to update the file if the required SHA_CRYPT_MIN_ROUNDS 5000 line is missing.

However, the rhel8-script-stig.sh script does properly mitigate this finding.

SCAP Security Guide Version:

0.1.72

Operating System Version:

RHEL 8
(possibly 7 and 9)
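
An independent check for the condition this issue reports, as an added example (not from the issue or from the SCAP Security Guide project): it treats a missing or commented-out SHA_CRYPT_MIN_ROUNDS line as a failure instead of passing silently. The function name `check_min_rounds`, its status words and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide content.
# check_min_rounds FILE [MINIMUM]   (MINIMUM defaults to 5000)
# Prints one status word and returns:
#   0 compliant   SHA_CRYPT_MIN_ROUNDS present, every active value >= MINIMUM
#   1 missing     no uncommented SHA_CRYPT_MIN_ROUNDS line (the case reported here)
#   2 too_low     an active value is below MINIMUM
#   3 invalid     an active line has an empty or non-numeric value
#   4 unreadable  FILE cannot be read
check_min_rounds() {
    file=$1
    minimum=${2:-5000}
    [ -r "$file" ] || { echo unreadable; return 4; }

    # Collect the value of every uncommented definition. A line such as
    # "#SHA_CRYPT_MIN_ROUNDS 5000" is a comment and must not count as present.
    values=$(awk '$1 == "SHA_CRYPT_MIN_ROUNDS" { print ($2 == "" ? "-" : $2) }' "$file")

    [ -n "$values" ] || { echo missing; return 1; }

    # Conservative choice (an assumption of this example): if the key is
    # defined more than once, every definition has to meet the minimum.
    for v in $values; do
        case $v in
            ''|*[!0-9]*) echo invalid; return 3 ;;
        esac
        [ "$v" -ge "$minimum" ] || { echo too_low; return 2; }
    done
    echo compliant
}

# Constructed sample input: a login.defs fragment with the setting commented out.
sample=$(mktemp)
printf '%s\n' 'ENCRYPT_METHOD SHA512' '#SHA_CRYPT_MIN_ROUNDS 5000' > "$sample"
result=$(check_min_rounds "$sample") || true
echo "constructed sample: $result"
rm -f "$sample"
```

Running `check_min_rounds /etc/login.defs` after the playbook gives a result that does not depend on the playbook's own "ok" status.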

@Mab879 added the RHEL (Red Hat Enterprise Linux product related) and STIG (STIG Benchmark related) labels Mar 26, 2024