
Initial pmod templates for ssh control

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2024-07-24 14:02:51 +01:00
parent a36a84c5ea
commit 5c5499fd72
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
7 changed files with 12 additions and 9 deletions


@ -1,5 +1,5 @@
# This is a subpolicy dropping the SHA1 hash and signature support # This is a subpolicy dropping the SHA1 hash and signature support
# Carried out as part of CIS Benchmark # Carried out as part of CIS Benchmark rule 1.6.3
hash = -SHA1 hash = -SHA1
sign = -*-SHA1 sign = -*-SHA1


@ -1,5 +1,5 @@
# This is a subpolicy to disable all CBC mode ciphers # This is a subpolicy to disable all CBC mode ciphers
# for the SSH protocol (libssh and OpenSSH) # for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark # Carried out as part of CIS Benchmark rule 1.6.5
cipher@SSH = -*-CBC cipher@SSH = -*-CBC


@ -1,5 +0,0 @@
# This is a subpolicy to disable the chacha20-poly1305 ciphers
# for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark
cipher@SSH = -CHACHA20-POLY1305


@ -1,5 +1,5 @@
# This is a subpolicy to disable Encrypt then MAC # This is a subpolicy to disable Encrypt then MAC
# for the SSH protocol (libssh and OpenSSH) # for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark # Carried out as part of CIS Benchmark rule 1.6.7
etm@SSH = DISABLE_ETM etm@SSH = DISABLE_ETM


@ -0,0 +1,4 @@
# This is a subpolicy to disable weak ciphers
# for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4
cipher@SSH ={% if rhel9cis_rule_1_6_6 %} -CHACHA20-POLY1305{% endif %}{% if rhel9cis_rule_5_1_5 %} -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC{% endif %}
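Review bot: The header comment cites rules 1.6.6 and 5.1.4, but the second guard on the `cipher@SSH` line tests `rhel9cis_rule_5_1_5`, so either the comment or the variable names the wrong rule and the CBC removals may be toggled by a setting meant for a different control. Separately, when both variables are false the line renders as a bare `cipher@SSH =`; if crypto-policies treats an empty right-hand side as a reset of the list (worth confirming against its documentation), the module would leave SSH with no ciphers instead of leaving the policy unchanged. Wrapping the whole assignment in `{% if rhel9cis_rule_1_6_6 or rhel9cis_rule_5_1_5 %}` … `{% endif %}`, or having the task skip this template when neither rule is enabled, avoids emitting the empty assignment.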


@ -0,0 +1,4 @@
# This is a subpolicy to disable weak macs
# Carried out as part of CIS Benchmark control 5.1.6
mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128*
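Review bot: The first comment line is word-for-word the same as the one in the existing weak-MAC module (`mac = -*-64`), yet this file is scoped to SSH through `mac@SSH`, so a reader comparing the two cannot tell from the comments which one applies system-wide. State the scope the way the other SSH modules in this commit do, by adding `# for the SSH protocol (libssh and OpenSSH)` after the first line. The second line says "control 5.1.6" where the other modules say "rule"; using one term keeps the files easy to grep when mapping them back to the benchmark.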


@ -1,4 +1,4 @@
# This is a subpolicy to disable weak macs # This is a subpolicy to disable weak macs
# Carried out as part of CIS Benchmark # Carried out as part of CIS Benchmark rule 1.6.4
mac = -*-64 mac = -*-64