From 674d3417ff03377963e858d120ee6bd3436d5dff Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 6 Jun 2023 14:36:38 +0100
Subject: [PATCH] rule_1.10 updates

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 8 +++++---
 tasks/main.yml | 21 ++++++++++++++++-----
 tasks/prelim.yml | 11 ++++++++++-
 tasks/section_1/cis_1.10.yml | 19 ++++++++++++++-----
 vars/main.yml | 5 +++++
 5 files changed, 50 insertions(+), 14 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index ee4f51b..9d3c003 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -380,9 +380,11 @@ rhel9cis_dconf_db_name: local
 rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900)
 rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5)
 
-# 1.10 Set crypto policy DEFAULT
-# Control 1.10 states not to use LEGACY
-rhel9cis_crypto_policy: "DEFAULT"
+# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
+# Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS.
+rhel9cis_crypto_policy: 'DEFAULT'
+# Added module to be allowed as default setting (Allowed options in vars/main.yml)
+rhel9cis_crypto_policy_module: ''
 
 # System network parameters (host only OR host and router)
 rhel9cis_is_router: false
diff --git a/tasks/main.yml b/tasks/main.yml
index 2bb0f3f..2bab3f6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
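Review bot: The new comment on `rhel9cis_crypto_policy` lists LEGACY as a selectable value in the parenthesis, while the same line says control 1.10 forbids it, and the "Crypto policy is a permitted version" assert visible as context in tasks/main.yml appears to validate the value against `rhel9cis_allowed_crypto_policies`, whose visible entries in vars/main.yml are FUTURE and FIPS. Dropping it avoids pointing an operator at a value the preflight check then rejects: `# 1.10/1.11 Set crypto policy (DEFAULT, FUTURE, FIPS); LEGACY is rejected by the preflight assert`. The `rhel9cis_crypto_policy_module` comment would also help more if it said how the value is used, e.g. `# Optional crypto-policies sub-policy, applied as POLICY:MODULE (allowed values in vars/main.yml); empty means none`.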
@@ -22,18 +22,18 @@
 
 - name: "Check password set for {{ ansible_user }}"
   block:
-    - name: Capture current password state of "{{ ansible_user }}"
-      ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
+    - name: Capture current password state of connecting user"
+      ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
       changed_when: false
       failed_when: false
       check_mode: false
       register: ansible_user_password_set
 
-    - name: "Assert that password set for {{ ansible_user }} and account not locked"
+    - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked"
       ansible.builtin.assert:
         that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
-        fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
-        success_msg: "You a password set for the {{ ansible_user }}"
+        fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
+        success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
   vars:
     sudo_password_rule: rhel9cis_rule_5_3_4
   when:
@@ -92,6 +92,17 @@
       fail_msg: "Crypto policy is not a permitted version"
       success_msg: "Crypto policy is a permitted version"
 
+- name: Check crypto-policy module input
+  ansible.builtin.assert:
+    that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
+    fail_msg: "Crypto policy module is not a permitted version"
+    success_msg: "Crypto policy module is a permitted version"
+  when:
+    - rhel9cis_rule_1_10
+    - rhel9cis_crypto_policy_module | length > 0
+  tags:
+    - rule_1.10
+
 - name: Check rhel9cis_bootloader_password_hash variable has been changed
   ansible.builtin.assert:
     that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
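Review bot: The new task name `Capture current password state of connecting user"` carries a stray trailing double quote; the value is a plain scalar, so the quote becomes part of the displayed task name. More importantly, `ansible_env.SUDO_USER` only exists when facts were gathered under sudo, so a play that connects directly as root or uses a non-sudo become method would fail on an undefined variable in the shell task and again in the assert and its messages. A default keeps the check working either way, e.g. `"grep '^{{ ansible_env.SUDO_USER | default(ansible_user_id) }}:' /etc/shadow | awk -F: '{print $2}'"`, and the `^...:` anchor also stops the grep matching another account whose name contains the user's name, which the unanchored pattern on both the old and new line does. The enclosing block's `when:` list continues outside the hunk.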
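Review bot: In the new `Check crypto-policy module input` assert the messages say "version", so a failure reads as if `rhel9cis_crypto_policy` were wrong rather than the module; naming the offending value helps the operator, e.g. `fail_msg: "Crypto policy module '{{ rhel9cis_crypto_policy_module }}' is not in rhel9cis_allowed_crypto_policies_modules"`. The `in` test is a case-sensitive string match against the list in vars/main.yml, so a value typed in a different case fails here even if the tool would accept it; a comment on the task stating that the spelling must match vars/main.yml exactly would save a round trip.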
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index f555337..47d1750 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -62,10 +62,19 @@
         state: present
 
     - name: "PRELIM | Gather system-wide crypto-policy"
-      ansible.builtin.shell: update-crypto-policies --show
+      ansible.builtin.shell: 'update-crypto-policies --show'
       changed_when: false
       check_mode: false
       register: system_wide_crypto_policy
+
+    - name: "PRELIM | Gather system-wide crypto-policy"
+      ansible.builtin.set_fact:
+        current_crypto_policy: "{{ system_wide_crypto_policy.stdout.split(':')[0] }}"
+
+    - name: "PRELIM | Gather system-wide crypto-policy module"
+      ansible.builtin.set_fact:
+        current_crypto_module: "{{ system_wide_crypto_policy.stdout.split(':')[1] }}"
+      when: "':' in system_wide_crypto_policy.stdout"
   when:
     - rhel9cis_rule_1_10
   tags:
diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml
index c43e445..e61e367 100644
--- a/tasks/section_1/cis_1.10.yml
+++ b/tasks/section_1/cis_1.10.yml
@@ -1,16 +1,25 @@
 ---
 
 - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
-  ansible.builtin.shell: |
-    update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
-    update-crypto-policies
-  notify: Change_requires_reboot
+  block:
+    - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy | set_fact"
+      ansible.builtin.set_fact:
+        rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}"
+
+    - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
+      ansible.builtin.shell: |
+        update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
+        update-crypto-policies
+      notify: change_requires_reboot
+      when:
+        - system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
   when:
     - rhel9cis_rule_1_10
-    - system_wide_crypto_policy['stdout'] == 'LEGACY'
+
   tags:
     - level1-server
     - level1-workstation
+    - automated
     - no system_is_ec2
     - patch
     - rule_1.10
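Review bot: The first new `set_fact` task reuses the exact name of the shell task above it (`PRELIM | Gather system-wide crypto-policy`), so two tasks in this block print the same name and cannot be told apart in play output; `- name: "PRELIM | Set current_crypto_policy fact"` would distinguish them. `split(':')[1]` keeps only the first module when `update-crypto-policies --show` reports several joined by colons, so `split(':', 1)[1]` is the safer form if the fact is meant to mirror the configured `POLICY:MODULE` string. Neither `current_crypto_policy` nor `current_crypto_module` is referenced elsewhere in this patch (cis_1.10.yml compares `system_wide_crypto_policy.stdout` directly), so it is worth confirming they have a consumer. The shell task runs a fixed command with no shell features, so `ansible.builtin.command` would do; the block header of this task group lies outside the hunk.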
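Review bot: Replacing `system_wide_crypto_policy['stdout'] == 'LEGACY'` with `stdout != rhel9cis_full_crypto_policy` turns the rule from "not LEGACY" into "exactly the configured policy", so with the shipped defaults (`'DEFAULT'` and an empty module) a host an administrator already moved to FIPS or FUTURE is silently downgraded, and one on `DEFAULT:OSPP` loses its module. If the intent is still control 1.10, keep the trigger narrow with `- system_wide_crypto_policy.stdout == 'LEGACY'` alongside the new comparison (or the `current_crypto_policy` fact from prelim.yml); if exact enforcement is intended, the task name and the defaults comment should say so, and note the `!=` is a plain case-sensitive string compare against whatever the tool prints. `notify: change_requires_reboot` changes the handler name's case from `Change_requires_reboot`; handlers/main.yml is not in the patch, so check the handler was renamed in step. The bare `+` line inserted between the `when:` list and `tags:` is an empty line inside the task mapping, harmless but easy to misread as a task boundary.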
diff --git a/vars/main.yml b/vars/main.yml
index 2a93184..6b9fcea 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -7,6 +7,11 @@ rhel9cis_allowed_crypto_policies:
   - 'FUTURE'
   - 'FIPS'
 
+rhel9cis_allowed_crypto_policies_modules:
+  - 'OSPP'
+  - 'AD-Support'
+  - 'AD-Support-LEGACY'
+
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
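Review bot: The allowed module names mix case (`AD-Support`, `AD-Support-LEGACY`) while `OSPP` and the policy names above are upper case; since cis_1.10.yml compares `update-crypto-policies --show` output to `POLICY:MODULE` with a plain `!=`, the case written here must equal what the tool prints back, otherwise the patch task re-runs and notifies a reboot on every play. As far as I recall the module files shipped under /usr/share/crypto-policies/policies/modules/ are upper case (AD-SUPPORT, AD-SUPPORT-LEGACY), so it is worth confirming whether `--set` normalises case before writing the config and aligning these values, e.g. `- 'AD-SUPPORT'`. A one-line comment above the list noting that the `AD-Support-LEGACY` module re-enables older algorithms for AD interoperability, which control 1.10 is meant to retire, would help operators choose deliberately.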