From 413ccb96b7131dcc7c3427cf806758b7223b8038 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Fri, 5 Sep 2025 16:39:55 -0400
Subject: [PATCH] Update cryto policy based controls with improved logic

Signed-off-by: Frederick Witty
---
 Changelog.md                  | 1 +
 defaults/main.yml             | 1 +
 tasks/prelim.yml              | 3 +--
 tasks/section_1/cis_1.6.x.yml | 9 ++++++++-
 tasks/section_5/cis_5.1.x.yml | 3 +++
 5 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index fb4a9f4..252418c 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,6 +1,7 @@
 # Changes to rhel9CIS
 ## 2.0.3
 - Based on CIS v2.0.0
+- improvment on crypto policy managed controls with var logic
 - addressed issue #384 thank you @polski-g
 - update command to shell module on tasks
 - addressed issue 371 thanks to @bgro and kodebach
diff --git a/defaults/main.yml b/defaults/main.yml
index 344e195..b829873 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -595,6 +595,7 @@ rhel9cis_set_boot_pass: true
 # -'FIPS': A level that conforms to the FIPS140-2 requirements
 rhel9cis_crypto_policy: 'DEFAULT'
 ## Controls 1.6.x and Controls 5.1.x
+rhel9cis_crypto_policy_ansible_managed: true
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
 # using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index bd69172..1368993 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -136,8 +136,7 @@
   register: prelim_systemd_coredump
 
 - name: "PRELIM | PATCH | Setup crypto-policy"
-  when:
-    - rhel9cis_rule_1_6_1
+  when: rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
index 0530645..6f3d6af 100644
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
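Review bot: The new `rhel9cis_crypto_policy_ansible_managed: true` key in defaults/main.yml carries no comment of its own and sits between the `## Controls 1.6.x and Controls 5.1.x` line and the comment block describing `rhel9cis_crypto_policy_module`, so a reader has to guess which variable each comment belongs to. Since this flag now gates the prelim crypto-policy setup and every crypto-policy task touched in sections 1.6.x and 5.1.x, it should be described in the same style as its neighbours, e.g. `# Set to false when the system-wide crypto policy is managed outside this role;` followed by `# the prelim crypto-policy setup and the crypto-policy tasks in 1.6.x and 5.1.x are then skipped entirely.` Saying there that the role then neither sets nor checks the policy would stop users from assuming those controls are still being verified.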
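Review bot: The `PRELIM | PATCH | Setup crypto-policy` task's `when:` drops `rhel9cis_rule_1_6_1` and keeps only `rhel9cis_crypto_policy_ansible_managed`, whereas every section task in this commit still requires its rule variable together with the new flag; with the flag defaulting to `true`, a user who disables rule 1.6.1 now still gets the crypto policy applied during prelim, which the old condition prevented. If decoupling the prelim step from rule 1.6.1 is intended, the changelog entry should say so; otherwise keep both terms: `when:` / `  - rhel9cis_rule_1_6_1` / `  - rhel9cis_crypto_policy_ansible_managed`. The task body, and so what the prelim step actually changes on the host, lies below the hunk.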
@@ -1,7 +1,9 @@
 ---
 
 - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
-  when: rhel9cis_rule_1_6_1
+  when:
+    - rhel9cis_rule_1_6_1
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -39,6 +41,7 @@
   when:
     - rhel9cis_rule_1_6_3
     - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -69,6 +72,7 @@
   when:
     - rhel9cis_rule_1_6_4
     - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -99,6 +103,7 @@
   when:
     - rhel9cis_rule_1_6_5
     - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -129,6 +134,7 @@
   when:
     - rhel9cis_rule_1_6_6
     - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -159,6 +165,7 @@
   when:
     - rhel9cis_rule_1_6_7
     - "'NO-SSHETM' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index 3fd366c..ee384d3 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -80,6 +80,7 @@
   when:
     - rhel9cis_rule_5_1_4
     - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -108,6 +109,7 @@
   when:
     - rhel9cis_rule_5_1_5
     - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -136,6 +138,7 @@
   when:
     - rhel9cis_rule_5_1_6
     - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
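Review bot: The 1.6.1 task is titled AUDIT, and adding `rhel9cis_crypto_policy_ansible_managed` to its `when:` in the first hunk skips that audit whenever the flag is false, so a host whose policy is managed elsewhere and left at LEGACY is no longer reported by the role at all. If the task's block (which continues below the hunk) only reads the current policy, consider leaving it gated on `when: rhel9cis_rule_1_6_1` alone and applying the new flag only to the tasks that change the policy. The same guard line is appended verbatim in the five remaining hunks of this file and in the three hunks of tasks/section_5/cis_5.1.x.yml; if the role includes these section files from a single place, gating that include once would keep each task's condition to its rule and module checks, though the include site is not visible here.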