Update password generation in hardening-linux-server

The algorithm used to generate passwords was based on the date function This function is a unreliable source for passsword-generation as the out- put is predictable. We have replaced the function with one that is based on /dev/urandom. This leds to better and more secure passwords.
telekom · Aug 7, 2020 · 25cb197 · 25cb197
1 parent 0f9649f
commit 25cb197
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -98,6 +98,10 @@ The roles are tested for hardening of the following Linux versions:
 - **Ansible (Linux)**: Change for IPTables requirements (Req-46 to 49) for IPv6 support.
 - **Ansible (SSH)**: Added new requirement (Req-6) to configure host key algorithms.
 
+### v1.2.1 (07.08.2020)
+
+- **Security Vulnerability (Linux)**: Fixed an issue where passwords generated by our scripts were weak and guessable.
+
 ## References
 
 Telekom Security - Security Requirements:

diff --git a/hardening-linux-server/tasks/linux(01)basic-hardening.yml b/hardening-linux-server/tasks/linux(01)basic-hardening.yml
@@ -633,7 +633,7 @@
     - os_config_root_password
 
 - name: req-024.2 generate a secret root password
-  shell: date +%s | sha256sum | base64 | head -c 20
+  shell: cat /dev/urandom | tr -dc '[:graph:]' | head -c20
   register: root_password
   changed_when: false
   when: