sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Improved logic for crypto policy additions

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-08-07 14:05:59 +01:00
parent 49fdafc5e0
commit d5b688caac
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
3 changed files with 42 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

3
handlers/main.yml
View file

@ -38,14 +38,13 @@
- name: Update Crypto Policy - name: Update Crypto Policy
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}" rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}"
notify: Set Crypto Policy notify: Set Crypto Policy
- name: Set Crypto Policy - name: Set Crypto Policy
when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
ansible.builtin.shell: | ansible.builtin.shell: |
update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
update-crypto-policies
notify: notify:
- Change_requires_reboot - Change_requires_reboot
- Restart sshd - Restart sshd

61
tasks/section_1/cis_1.6.x.yml
View file

@ -55,13 +55,15 @@
owner: root owner: root
group: root group: root
mode: '0640' mode: '0640'
notify: register: NO_SHA1_TEMPLATE
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules" - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SHA1' }}"
changed_when: NO_SHA1_TEMPLATE is defined
notify:
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits" - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits"
when: when:
@ -76,6 +78,9 @@
- rule_1.6.4 - rule_1.6.4
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
block: block:
- ansible.builtin.debug:
msg: "{{ rhel9cis_crypto_policy_module }}"
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion" - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
@ -83,13 +88,15 @@
owner: root owner: root
group: root group: root
mode: '0640' mode: '0640'
notify: register: NO_WEAKMAC_TEMPLATE
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules" - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-WEAKMAC' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-WEAKMAC' }}"
changed_when: NO_WEAKMAC_TEMPLATE is defined
notify:
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh" - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh"
when: when:
@ -104,6 +111,8 @@
- rule_1.6.5 - rule_1.6.5
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
block: block:
- ansible.builtin.debug:
msg: "{{ rhel9cis_crypto_policy_module }}"
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | Add submodule exclusion" - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | Add submodule exclusion"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 src: etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
@ -111,18 +120,20 @@
owner: root owner: root
group: root group: root
mode: '0640' mode: '0640'
register: NO_SSHCBC_TEMPLATE
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHCBC' }}"
changed_when: NO_SSHCBC_TEMPLATE is defined
notify: notify:
- Update Crypto Policy - Update Crypto Policy
- Set Crypto Policy - Set Crypto Policy
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHCBC' }}"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh"
when: when:
- rhel9cis_rule_1_6_6 - rhel9cis_rule_1_6_6
- "'NO-SSHWEAKMAC' not in rhel9cis_crypto_policy_module" - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -132,6 +143,8 @@
- rule_1.6.6 - rule_1.6.6
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
block: block:
- ansible.builtin.debug:
msg: "{{ rhel9cis_crypto_policy_module }}"
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
@ -139,13 +152,15 @@
owner: root owner: root
group: root group: root
mode: '0640' mode: '0640'
notify: register: NO_SSHWEAKCIPHERS_TEMPLATE
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHWEAKCIPHERS' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
changed_when: NO_SSHWEAKCIPHERS_TEMPLATE is defined
notify:
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh" - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh"
when: when:
@ -160,6 +175,8 @@
- rule_1.6.7 - rule_1.6.7
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
block: block:
- ansible.builtin.debug:
msg: "{{ rhel9cis_crypto_policy_module }}"
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | Add submodule exclusion" - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | Add submodule exclusion"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 src: etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
@ -167,10 +184,12 @@
owner: root owner: root
group: root group: root
mode: '0640' mode: '0640'
notify: register: NO_SSHETM_TEMPLATE
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules" - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHETM' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHETM' }}"
changed_when: NO_SSHETM_TEMPLATE is defined
notify:
- Update Crypto Policy
- Set Crypto Policy

2
tasks/section_5/cis_5.1.x.yml
View file

@ -161,7 +161,7 @@
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules" - name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
- name: "5.1.7 | PATCH | Ensure sshd access is configured" - name: "5.1.7 | PATCH | Ensure sshd access is configured"
when: when: