
Fix logic and notes for in crypto policy building

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-06-20 11:28:19 +01:00
parent 055cb35603
commit bd1547313a
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
5 changed files with 11 additions and 4 deletions


@ -5,6 +5,7 @@
Update to audit_only to allow fetching results Update to audit_only to allow fetching results
resolved false warning for fetch audit resolved false warning for fetch audit
fix root user check fix root user check
Improved documentation and variable compilation for crypto policies
## 2.0.1 - Based on CIS v2.0.0 ## 2.0.1 - Based on CIS v2.0.0


@ -580,8 +580,8 @@ rhel9cis_crypto_policy: 'DEFAULT'
## Control 1.6 ## Control 1.6
# This variable contains the value of the crypto policy module(combinations of policies and # This variable contains the value of the crypto policy module(combinations of policies and
# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
# using 'rhel9cis_allowed_crypto_policies_modules' variable. # using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
rhel9cis_crypto_policy_module: '' rhel9cis_additional_crypto_policy_module: ''
## Controls: ## Controls:
# - 1.7.1 - Ensure message of the day is configured properly # - 1.7.1 - Ensure message of the day is configured properly
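Review bot: Renaming the user-facing variable from `rhel9cis_crypto_policy_module` to `rhel9cis_additional_crypto_policy_module` on the fifth line of the hunk leaves no migration note, and the old name is not removed but redefined as `''` in vars/main.yml by the same commit, so an inventory that still sets `rhel9cis_crypto_policy_module: 'OSPP'` will now be silently overridden rather than validated or applied. That makes the rename a behaviour change for existing users, not just a documentation fix. The comment block would benefit from one line naming the old variable and stating it is now internal, e.g. `# Renamed from rhel9cis_crypto_policy_module, which is now built internally by the 1.6.x tasks and must not be set in inventory`, and the changelog entry in this commit could carry the same sentence.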


@ -186,7 +186,7 @@
- name: Update Crypto Policy - name: Update Crypto Policy
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}" rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}:{{ rhel9cis_additional_crypto_policy_module }}"
notify: Set Crypto Policy notify: Set Crypto Policy
- name: Set Crypto Policy - name: Set Crypto Policy
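Review bot: The rewritten expression on the third line of the hunk emits the literal `:` unconditionally, so when `rhel9cis_additional_crypto_policy_module` is left at its shipped default of `''` the fact ends in a trailing colon (`DEFAULT:` or `DEFAULT:NO-SHA1:`), whereas the previous expression guarded the optional part with a length check. Keeping that guard on the new suffix avoids handing a malformed policy string to the `Set Crypto Policy` handler, which is outside this hunk: `rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}{% if rhel9cis_additional_crypto_policy_module | length > 0 %}:{{ rhel9cis_additional_crypto_policy_module }}{% endif %}"`. Whether `rhel9cis_crypto_policy_module` already carries its own leading `:` separators when the 1.6.x tasks build it is not visible here, so the joined result is worth checking against the `POLICY:MODULE` form once with an empty and once with a populated additional module. Separately, `set_fact` reports no change, so the `notify` on this task may never fire unless the handler is also notified elsewhere — worth confirming.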


@ -61,7 +61,7 @@
- crypto - crypto
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
ansible.builtin.assert: ansible.builtin.assert:
that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules that: rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
fail_msg: "Crypto policy module is not a permitted version" fail_msg: "Crypto policy module is not a permitted version"
success_msg: "Crypto policy module is a permitted version" success_msg: "Crypto policy module is a permitted version"
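Review bot: The assertion on the fourth line of the hunk checks `rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules`, but that variable defaults to `''` in the defaults hunk and the allowed list in vars/main.yml contains no empty entry, so with stock defaults this task fails unless a `when` guard exists in the part of the task above the hunk. If there is none, add `when: rhel9cis_additional_crypto_policy_module | length > 0` so an unset optional module is not reported as "not a permitted version". The task's opening lines are outside the hunk, so I cannot confirm either way.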


@ -7,10 +7,16 @@ rhel9cis_allowed_crypto_policies:
- 'FUTURE' - 'FUTURE'
- 'FIPS' - 'FIPS'
# Following is left blank for ability to build string
rhel9cis_crypto_policy_module: ''
# Do not adjust these are recognized as part of the CIS benchmark and used during testing
rhel9cis_allowed_crypto_policies_modules: rhel9cis_allowed_crypto_policies_modules:
# Recognized by CIS as possible extra options
- 'OSPP' - 'OSPP'
- 'AD-SUPPORT' - 'AD-SUPPORT'
- 'AD-SUPPORT-LEGACY' - 'AD-SUPPORT-LEGACY'
# The following are already included in 1.6.x controls
- 'NO-SHA1' - 'NO-SHA1'
- 'NO-SSHCBC' - 'NO-SSHCBC'
- 'NO-SSHETM' - 'NO-SSHETM'
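Review bot: Defining `rhel9cis_crypto_policy_module: ''` in vars/main.yml (fourth line of the hunk) gives it role-vars precedence, which is above inventory and play vars and below `set_fact`, so it works as a seed for the string the 1.6.x tasks build but also silently masks any value a user sets for that name. The accompanying comment `# Following is left blank for ability to build string` should say so explicitly, e.g. `# Seed for the policy string assembled by the 1.6.x tasks via set_fact; do not set this in inventory, use rhel9cis_additional_crypto_policy_module instead`. The comment `# Do not adjust these are recognized as part of the CIS benchmark and used during testing` also reads better with punctuation: `# Do not adjust: these are recognized as part of the CIS benchmark and used during testing`.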