ANSSI profile configures unsupported password hashing algorithm on RHEL 8

[vojtapolasek]

Description of problem:

After applying the ANSSI BP028 High profile on RHEL 8, the passwd command refuses to change the password and logs suggest that sha512 algorithm is not supported.

SCAP Security Guide Version:

master as of bec7734

Operating System Version:

RHEL 8

Steps to Reproduce:

1. ./build_product rhel8
2. upload the datastream to a VM running RHEL 8
3. oscap xccdf eval --remediate --profile anssi_bp28_high ssg-rhel8-ds.xml
4. passwd
5. journalctl | tail

Actual Results:

Changing password for user root.
New password: 
Retype new password: 
passwd: Authentication token manipulation error
...
Apr 09 14:19:16 rhel8 passwd[23724]: pam_unix(passwd:chauthtok): Algo sha512 not supported by the crypto backend.
Apr 09 14:19:16 rhel8 passwd[23724]: pam_unix(passwd:chauthtok): crypt() failure or out of memory for password

Expected Results:

The password gets changed.

Additional Information/Debugging Steps:

The rule causing this problem is probably set_password_hashing_algorithm_systemauth.

[Mab879]

This is concering, If true, there are other profiles we need to check on as well.