rule_1.10 updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

defaults/main.yml

@@ -380,9 +380,11 @@ rhel9cis_dconf_db_name: local
 rhel9cis_screensaver_idle_delay: 900  # Set max value for idle-delay in seconds (between 1 and 900)
 rhel9cis_screensaver_lock_delay: 5  # Set max value for lock-delay in seconds (between 0 and 5)
 
-# 1.10 Set crypto policy DEFAULT
+# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
-# Control 1.10 states not to use LEGACY
+# Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS.
-rhel9cis_crypto_policy: "DEFAULT"
+rhel9cis_crypto_policy: 'DEFAULT'
+# Added module to be allowed as default setting (Allowed options in vars/main.yml)
+rhel9cis_crypto_policy_module: ''
 
 # System network parameters (host only OR host and router)
 rhel9cis_is_router: false

tasks/main.yml

@@ -22,18 +22,18 @@
 
 - name: "Check password set for {{ ansible_user }}"
   block:
-      - name: Capture current password state of "{{ ansible_user }}"
+      - name: Capture current password state of connecting user"
-        ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
+        ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
         changed_when: false
         failed_when: false
         check_mode: false
         register: ansible_user_password_set
 
-      - name: "Assert that password set for {{ ansible_user }} and account not locked"
+      - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked"
         ansible.builtin.assert:
             that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
-            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
+            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
-            success_msg: "You a password set for the {{ ansible_user }}"
+            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
         vars:
             sudo_password_rule: rhel9cis_rule_5_3_4
   when:
@@ -92,6 +92,17 @@
       fail_msg: "Crypto policy is not a permitted version"
       success_msg: "Crypto policy is a permitted version"
 
+- name: Check crypto-policy module input
+  ansible.builtin.assert:
+      that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
+      fail_msg: "Crypto policy module is not a permitted version"
+      success_msg: "Crypto policy module is a permitted version"
+  when:
+      - rhel9cis_rule_1_10
+      - rhel9cis_crypto_policy_module | length > 0
+  tags:
+      - rule_1.10
+
 - name: Check rhel9cis_bootloader_password_hash variable has been changed
   ansible.builtin.assert:
       that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'

tasks/prelim.yml

@@ -62,10 +62,19 @@
             state: present
 
       - name: "PRELIM | Gather system-wide crypto-policy"
-        ansible.builtin.shell: update-crypto-policies --show
+        ansible.builtin.shell: 'update-crypto-policies --show'
         changed_when: false
         check_mode: false
         register: system_wide_crypto_policy
+
+      - name: "PRELIM | Gather system-wide crypto-policy"
+        ansible.builtin.set_fact:
+            current_crypto_policy: "{{ system_wide_crypto_policy.stdout.split(':')[0] }}"
+
+      - name: "PRELIM | Gather system-wide crypto-policy module"
+        ansible.builtin.set_fact:
+            current_crypto_module: "{{ system_wide_crypto_policy.stdout.split(':')[1] }}"
+        when: "':' in system_wide_crypto_policy.stdout"
   when:
       - rhel9cis_rule_1_10
   tags:

tasks/section_1/cis_1.10.yml

@@ -1,16 +1,25 @@
 ---
 
 - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
-  ansible.builtin.shell: |
+  block:
-      update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
+      - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy | set_fact"
-      update-crypto-policies
+        ansible.builtin.set_fact:
-  notify: Change_requires_reboot
+            rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}"
+
+      - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
+        ansible.builtin.shell: |
+            update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
+            update-crypto-policies
+        notify: change_requires_reboot
+        when:
+            - system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
   when:
       - rhel9cis_rule_1_10
-      - system_wide_crypto_policy['stdout'] == 'LEGACY'
+
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - no system_is_ec2
       - patch
       - rule_1.10

vars/main.yml

@@ -7,6 +7,11 @@ rhel9cis_allowed_crypto_policies:
     - 'FUTURE'
     - 'FIPS'
 
+rhel9cis_allowed_crypto_policies_modules:
+    - 'OSPP'
+    - 'AD-Support'
+    - 'AD-Support-LEGACY'
+
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0