rule_1.10 updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-06-06 14:36:38 +01:00 · 2023-06-06 14:36:38 +01:00 · 674d3417ff
commit 674d3417ff
parent 3c3ddfa474
5 changed files with 50 additions and 14 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -380,9 +380,11 @@ rhel9cis_dconf_db_name: local
 rhel9cis_screensaver_idle_delay: 900  # Set max value for idle-delay in seconds (between 1 and 900)
 rhel9cis_screensaver_lock_delay: 5  # Set max value for lock-delay in seconds (between 0 and 5)

-# 1.10 Set crypto policy DEFAULT
-# Control 1.10 states not to use LEGACY
-rhel9cis_crypto_policy: "DEFAULT"
+# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
+# Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS.
+rhel9cis_crypto_policy: 'DEFAULT'
+# Added module to be allowed as default setting (Allowed options in vars/main.yml)
+rhel9cis_crypto_policy_module: ''

 # System network parameters (host only OR host and router)
 rhel9cis_is_router: false
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -22,18 +22,18 @@

 - name: "Check password set for {{ ansible_user }}"
  block:
-      - name: Capture current password state of "{{ ansible_user }}"
-        ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
+      - name: Capture current password state of connecting user"
+        ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
        changed_when: false
        failed_when: false
        check_mode: false
        register: ansible_user_password_set

-      - name: "Assert that password set for {{ ansible_user }} and account not locked"
+      - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked"
        ansible.builtin.assert:
            that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
-            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
-            success_msg: "You a password set for the {{ ansible_user }}"
+            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
+            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
        vars:
            sudo_password_rule: rhel9cis_rule_5_3_4
  when:
@ -92,6 +92,17 @@
      fail_msg: "Crypto policy is not a permitted version"
      success_msg: "Crypto policy is a permitted version"

+- name: Check crypto-policy module input
+  ansible.builtin.assert:
+      that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
+      fail_msg: "Crypto policy module is not a permitted version"
+      success_msg: "Crypto policy module is a permitted version"
+  when:
+      - rhel9cis_rule_1_10
+      - rhel9cis_crypto_policy_module | length > 0
+  tags:
+      - rule_1.10
+
 - name: Check rhel9cis_bootloader_password_hash variable has been changed
  ansible.builtin.assert:
      that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -62,10 +62,19 @@
            state: present

      - name: "PRELIM | Gather system-wide crypto-policy"
-        ansible.builtin.shell: update-crypto-policies --show
+        ansible.builtin.shell: 'update-crypto-policies --show'
        changed_when: false
        check_mode: false
        register: system_wide_crypto_policy
+
+      - name: "PRELIM | Gather system-wide crypto-policy"
+        ansible.builtin.set_fact:
+            current_crypto_policy: "{{ system_wide_crypto_policy.stdout.split(':')[0] }}"
+
+      - name: "PRELIM | Gather system-wide crypto-policy module"
+        ansible.builtin.set_fact:
+            current_crypto_module: "{{ system_wide_crypto_policy.stdout.split(':')[1] }}"
+        when: "':' in system_wide_crypto_policy.stdout"
  when:
      - rhel9cis_rule_1_10
  tags:
--- a/tasks/section_1/cis_1.10.yml
+++ b/tasks/section_1/cis_1.10.yml
@ -1,16 +1,25 @@
 ---

 - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
-  ansible.builtin.shell: |
-      update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
-      update-crypto-policies
-  notify: Change_requires_reboot
+  block:
+      - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy | set_fact"
+        ansible.builtin.set_fact:
+            rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}"
+
+      - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
+        ansible.builtin.shell: |
+            update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
+            update-crypto-policies
+        notify: change_requires_reboot
+        when:
+            - system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
  when:
      - rhel9cis_rule_1_10
-      - system_wide_crypto_policy['stdout'] == 'LEGACY'
+
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - no system_is_ec2
      - patch
      - rule_1.10
--- a/vars/main.yml
+++ b/vars/main.yml
@ -7,6 +7,11 @@ rhel9cis_allowed_crypto_policies:
    - 'FUTURE'
    - 'FIPS'

+rhel9cis_allowed_crypto_policies_modules:
+    - 'OSPP'
+    - 'AD-Support'
+    - 'AD-Support-LEGACY'
+
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0