section1 v2 initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2

@@ -0,0 +1,6 @@
+# This is a subpolicy dropping the SHA1 hash and signature support
+# Carried out as part of CIS Benchmark
+
+hash = -SHA1
+sign = -*-SHA1
+sha1_in_certs = 0

templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2

@@ -0,0 +1,5 @@
+# This is a subpolicy to disable all CBC mode ciphers
+# for the SSH protocol (libssh and OpenSSH)
+# Carried out as part of CIS Benchmark
+
+cipher@SSH = -*-CBC

templates/etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2

@@ -0,0 +1,5 @@
+# This is a subpolicy to disable the chacha20-poly1305 ciphers
+# for the SSH protocol (libssh and OpenSSH)
+# Carried out as part of CIS Benchmark
+
+cipher@SSH = -CHACHA20-POLY1305

templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2

@@ -0,0 +1,5 @@
+# This is a subpolicy to disable Encrypt then MAC
+# for the SSH protocol (libssh and OpenSSH)
+# Carried out as part of CIS Benchmark
+
+etm@SSH = DISABLE_ETM

templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2

@@ -0,0 +1,4 @@
+# This is a subpolicy to disable weak macs
+# Carried out as part of CIS Benchmark
+
+mac = -*-64

templates/etc/sysctl.d/60-kernel_sysctl.conf.j2

@@ -1,7 +1,12 @@
 ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
 
-{% if rhel9cis_rule_1_5_3 %}
-# Kernel sysctl
-# CIS 1.5.3
+{% if rhel9cis_rule_1_5_1 %}
+# Adress space randomise
+# CIS 1.5.1
 kernel.randomize_va_space = 2
 {% endif %}
+{% if rhel9cis_rule_1_5_2 %}
+# Ptrace scope
+# CIS 1.5.2
+kernel.yama.ptrace_scope = 1
+{% endif %}