ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats

Home Page:https://complianceascode.readthedocs.io/en/latest/

ANSSI profile configures unsupported password hashing algorithm on RHEL 8

vojtapolasek opened this issue · comments

Description of problem:

After applying the ANSSI BP028 High profile on RHEL 8, the passwd command refuses to change the password, and the logs suggest that the sha512 algorithm is not supported.

SCAP Security Guide Version:

master as of bec7734

Operating System Version:

RHEL 8

Steps to Reproduce:

  1. ./build_product rhel8
  2. upload the datastream to a VM running RHEL 8
  3. oscap xccdf eval --remediate --profile anssi_bp28_high ssg-rhel8-ds.xml
  4. passwd
  5. journalctl | tail

Actual Results:

Changing password for user root.
New password: 
Retype new password: 
passwd: Authentication token manipulation error
...
Apr 09 14:19:16 rhel8 passwd[23724]: pam_unix(passwd:chauthtok): Algo sha512 not supported by the crypto backend.
Apr 09 14:19:16 rhel8 passwd[23724]: pam_unix(passwd:chauthtok): crypt() failure or out of memory for password

Expected Results:

The password gets changed.

Additional Information/Debugging Steps:

The rule causing this problem is probably set_password_hashing_algorithm_systemauth.

This is concerning. If true, there are other profiles we need to check on as well.

I can confirm this issue.
On Red Hat 8.10, after applying the profile, passwords are stuck, and if the root password is weak, the profile expires it and you can't rescue it via chroot.

Hello, I investigated this a bit more and found some interesting things.
I confirm this happens on RHEL 8, but it DOES NOT happen on RHEL 9.
I then found that the problematic lines are probably these:

/etc/authselect/system-auth:password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok rounds=11
/etc/authselect/password-auth:password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok rounds=11

Interestingly, the passwd command starts working again when I remove the rounds=11 part.

Update:
I replaced rounds=11 with the same value oscap uses on Red Hat 8.8, rounds=65536, in both files, and all is OK now.

pam_unix.so

We can safely update this to use 65536 with sha512.
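The thread narrows the failure down to the rounds= option on the pam_unix.so password lines: rounds=11 breaks passwd on RHEL 8, rounds=65536 works. The sha512crypt format documented in crypt(5) only defines rounds values from 1000 to 999999999, and 11 lies below that range. The POSIX shell checker below is an added example for this thread, not code from ComplianceAsCode or from any of the commenters: it parses pam lines in the shape quoted above, flags a rounds= value outside that range, and prints the corrected line with the value the thread settled on. The function names, variable names and the constructed sample stack are this example's own.

```shell
#!/bin/sh
# Added example for this issue thread; not part of ComplianceAsCode.
# Checks pam_unix.so "password" lines (from /etc/authselect/*-auth or
# /etc/pam.d) for a rounds= value inside the range the sha512crypt format
# defines. Function names, variable names and sample lines are the example's own.

SHA_ROUNDS_MIN=1000        # smallest rounds value the sha512crypt format allows
SHA_ROUNDS_MAX=999999999   # largest rounds value the sha512crypt format allows
SHA_ROUNDS_FIX=65536       # replacement value the thread found to work on RHEL 8

# rounds_of LINE: print the rounds= value of a pam_unix.so line, or nothing.
rounds_of() {
    case "$1" in
        *pam_unix.so*)
            printf '%s\n' "$1" | sed -n 's/.*[[:space:]]rounds=\([0-9][0-9]*\).*/\1/p'
            ;;
    esac
}

# check_pam_line LINE: print "skip" (no pam_unix.so rounds= option),
# "ok" (value in range) or "bad:<n>" (value outside range).
check_pam_line() {
    r=$(rounds_of "$1")
    if [ -z "$r" ]; then
        printf 'skip\n'
    elif [ "$r" -ge "$SHA_ROUNDS_MIN" ] && [ "$r" -le "$SHA_ROUNDS_MAX" ]; then
        printf 'ok\n'
    else
        printf 'bad:%s\n' "$r"
    fi
}

# fix_pam_line LINE: print the line with an out-of-range rounds= replaced by
# SHA_ROUNDS_FIX; lines that pass check_pam_line are printed unchanged.
fix_pam_line() {
    case "$(check_pam_line "$1")" in
        bad:*)
            printf '%s\n' "$1" |
                sed "s/\(pam_unix\.so.*[[:space:]]\)rounds=[0-9]*/\1rounds=$SHA_ROUNDS_FIX/"
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# check_pam_stream: read pam lines on stdin, report each offender on stderr
# together with the corrected line, and print the number of offenders.
check_pam_stream() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$(check_pam_line "$line")" in
            bad:*)
                bad=$((bad + 1))
                printf 'out-of-range rounds: %s\n' "$line" >&2
                printf 'suggested:           %s\n' "$(fix_pam_line "$line")" >&2
                ;;
        esac
    done
    printf '%s\n' "$bad"
}

# sample_lines: constructed password stack in the shape of the lines quoted in
# the thread (the "file:" prefix of the grep output dropped). Not real system data.
sample_lines() {
    cat <<'EOF'
password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok rounds=11
password    sufficient                                   pam_sss.so use_authtok
EOF
}

# Run against the sample. On a real host feed in the authselect files instead:
#   cat /etc/authselect/system-auth /etc/authselect/password-auth | check_pam_stream
n=$(sample_lines | check_pam_stream)
echo "lines with out-of-range rounds: $n"
```

Editing the files under /etc/authselect by hand is not enough on its own; the change has to be pushed into /etc/pam.d with authselect apply-changes before passwd picks it up, which is also why the check reads the authselect copies rather than /etc/pam.d.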