Update cryto policy based controls with improved logic

Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>

Changelog.md

@@ -1,6 +1,7 @@
 # Changes to rhel9CIS
 
 ## 2.0.3 - Based on CIS v2.0.0
+- improvment on crypto policy managed controls with var logic
 - addressed issue #384 thank you @polski-g
 - update command to shell module on tasks
 - addressed issue 371 thanks to @bgro and kodebach

defaults/main.yml

@@ -595,6 +595,7 @@ rhel9cis_set_boot_pass: true
 #  -'FIPS': A level that conforms to the FIPS140-2 requirements
 rhel9cis_crypto_policy: 'DEFAULT'
 ## Controls 1.6.x and Controls 5.1.x
+rhel9cis_crypto_policy_ansible_managed: true
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
 # using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:

tasks/prelim.yml

@@ -136,8 +136,7 @@
   register: prelim_systemd_coredump
 
 - name: "PRELIM | PATCH | Setup crypto-policy"
-  when:
+  when: rhel9cis_crypto_policy_ansible_managed
-    - rhel9cis_rule_1_6_1
   tags:
     - level1-server
     - level1-workstation

tasks/section_1/cis_1.6.x.yml

@@ -1,7 +1,9 @@
 ---
 
 - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
-  when: rhel9cis_rule_1_6_1
+  when:
+    - rhel9cis_rule_1_6_1
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -39,6 +41,7 @@
   when:
     - rhel9cis_rule_1_6_3
     - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -69,6 +72,7 @@
   when:
     - rhel9cis_rule_1_6_4
     - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -99,6 +103,7 @@
   when:
     - rhel9cis_rule_1_6_5
     - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -129,6 +134,7 @@
   when:
     - rhel9cis_rule_1_6_6
     - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -159,6 +165,7 @@
   when:
     - rhel9cis_rule_1_6_7
     - "'NO-SSHETM' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation

tasks/section_5/cis_5.1.x.yml

@@ -80,6 +80,7 @@
   when:
     - rhel9cis_rule_5_1_4
     - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -108,6 +109,7 @@
   when:
     - rhel9cis_rule_5_1_5
     - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation
@@ -136,6 +138,7 @@
   when:
     - rhel9cis_rule_5_1_6
     - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansible_managed
   tags:
     - level1-server
     - level1-workstation