forked from ansible-lockdown/RHEL9-CIS
Merge pull request #65 from ansible-lockdown/rule_1.10_crypto
Rule 1.10 crypto
This commit is contained in:
uk-bolly
GitHub
commit
5460aac425
7 changed files with 62 additions and 21 deletions
|
|
@ -1,5 +1,9 @@
|
|||
# Changes to rhel9CIS
|
||||
|
||||
## 1.0.8
|
||||
|
||||
rule_1.10 improvements allowing for module checking (useful for AD)
|
||||
|
||||
## 1.0.7
|
||||
|
||||
lint and yaml updates
|
||||
|
|
@ -8,7 +12,7 @@ improvements to 6.1.10, 6.1.11, 6.1.13, 6.1.14
|
|||
|
||||
## 1.0.6
|
||||
|
||||
updated ymlalint as galaxy doenst honouyr local settings
|
||||
updated yamllint as galaxy doesn't honour local settings
|
||||
removed empty lines in files
|
||||
|
||||
## 1.0.5
|
||||
|
|
|
|||
|
|
@ -380,9 +380,11 @@ rhel9cis_dconf_db_name: local
|
|||
rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900)
|
||||
rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5)
|
||||
|
||||
# 1.10 Set crypto policy DEFAULT
|
||||
# Control 1.10 states not to use LEGACY
|
||||
rhel9cis_crypto_policy: "DEFAULT"
|
||||
# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
|
||||
# Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS.
|
||||
rhel9cis_crypto_policy: 'DEFAULT'
|
||||
# Added module to be allowed as default setting (Allowed options in vars/main.yml)
|
||||
rhel9cis_crypto_policy_module: ''
|
||||
|
||||
# System network parameters (host only OR host and router)
|
||||
rhel9cis_is_router: false
|
||||
|
|
|
|||
|
|
@ -20,20 +20,20 @@
|
|||
tags:
|
||||
- always
|
||||
|
||||
- name: "Check password set for {{ ansible_user }}"
|
||||
- name: "Check password set for {{ ansible_env.SUDO_USER }}"
|
||||
block:
|
||||
- name: Capture current password state of "{{ ansible_user }}"
|
||||
ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
|
||||
- name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"
|
||||
ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: false
|
||||
register: ansible_user_password_set
|
||||
register: rhel9cis_ansible_user_password_set
|
||||
|
||||
- name: "Assert that password set for {{ ansible_user }} and account not locked"
|
||||
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked"
|
||||
ansible.builtin.assert:
|
||||
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
|
||||
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
|
||||
success_msg: "You a password set for the {{ ansible_user }}"
|
||||
that: ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"
|
||||
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
|
||||
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
|
||||
vars:
|
||||
sudo_password_rule: rhel9cis_rule_5_3_4
|
||||
when:
|
||||
|
|
@ -41,6 +41,7 @@
|
|||
- not system_is_ec2
|
||||
tags:
|
||||
- user_passwd
|
||||
- rule_5.3.4
|
||||
|
||||
- name: "Ensure root password is set"
|
||||
block:
|
||||
|
|
@ -92,6 +93,17 @@
|
|||
fail_msg: "Crypto policy is not a permitted version"
|
||||
success_msg: "Crypto policy is a permitted version"
|
||||
|
||||
- name: Check crypto-policy module input
|
||||
ansible.builtin.assert:
|
||||
that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
|
||||
fail_msg: "Crypto policy module is not a permitted version"
|
||||
success_msg: "Crypto policy module is a permitted version"
|
||||
when:
|
||||
- rhel9cis_rule_1_10
|
||||
- rhel9cis_crypto_policy_module | length > 0
|
||||
tags:
|
||||
- rule_1.10
|
||||
|
||||
- name: Check rhel9cis_bootloader_password_hash variable has been changed
|
||||
ansible.builtin.assert:
|
||||
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@
|
|||
|
||||
- name: "PRELIM | Setup crypto-policy"
|
||||
block:
|
||||
- name: "PRELIM | Install crypto-policies"
|
||||
- name: "PRELIM | Install crypto-policies | pkgs present"
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- crypto-policies
|
||||
|
|
@ -62,10 +62,19 @@
|
|||
state: present
|
||||
|
||||
- name: "PRELIM | Gather system-wide crypto-policy"
|
||||
ansible.builtin.shell: update-crypto-policies --show
|
||||
ansible.builtin.shell: 'update-crypto-policies --show'
|
||||
changed_when: false
|
||||
check_mode: false
|
||||
register: system_wide_crypto_policy
|
||||
register: rhel9cis_system_wide_crypto_policy
|
||||
|
||||
- name: "PRELIM | Gather system-wide crypto-policy | set fact system policy"
|
||||
ansible.builtin.set_fact:
|
||||
current_crypto_policy: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[0] }}"
|
||||
|
||||
- name: "PRELIM | Gather system-wide crypto-policy module | set fact system policy submodule"
|
||||
ansible.builtin.set_fact:
|
||||
current_crypto_module: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[1] }}"
|
||||
when: "':' in rhel9cis_system_wide_crypto_policy.stdout"
|
||||
when:
|
||||
- rhel9cis_rule_1_10
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@
|
|||
community.general.modprobe:
|
||||
name: usb-storage
|
||||
state: absent
|
||||
when: not system_is_container
|
||||
when: not system_is_container
|
||||
|
||||
- name: "1.1.9 | PATCH | Disable USB Storage | blacklist"
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
|
|||
|
|
@ -1,16 +1,25 @@
|
|||
---
|
||||
|
||||
- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
|
||||
ansible.builtin.shell: |
|
||||
update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
|
||||
update-crypto-policies
|
||||
notify: Change_requires_reboot
|
||||
block:
|
||||
- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy | set_fact"
|
||||
ansible.builtin.set_fact:
|
||||
rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}"
|
||||
|
||||
- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
|
||||
ansible.builtin.shell: |
|
||||
update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
|
||||
update-crypto-policies
|
||||
notify: change_requires_reboot
|
||||
when:
|
||||
- rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
|
||||
when:
|
||||
- rhel9cis_rule_1_10
|
||||
- system_wide_crypto_policy['stdout'] == 'LEGACY'
|
||||
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- no system_is_ec2
|
||||
- patch
|
||||
- rule_1.10
|
||||
|
|
|
|||
|
|
@ -7,6 +7,11 @@ rhel9cis_allowed_crypto_policies:
|
|||
- 'FUTURE'
|
||||
- 'FIPS'
|
||||
|
||||
rhel9cis_allowed_crypto_policies_modules:
|
||||
- 'OSPP'
|
||||
- 'AD-SUPPORT'
|
||||
- 'AD-SUPPORT-LEGACY'
|
||||
|
||||
# Used to control warning summary
|
||||
warn_control_list: ""
|
||||
warn_count: 0
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue