sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity
RHEL9-CIS/tasks/section_1/cis_1.6.x.yml
Mark Bolwell 2de8a39cdc
updated yamllint, company naming, linting and spacing 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-04 12:00:12 +00:00

185 lines
6.4 KiB
YAML
Raw Blame History

---
- name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
when: rhel9cis_rule_1_6_1
tags:
- level1-server
- level1-workstation
- automated
- patch
- crypto
- rule_1.6.1
- NIST800-53R5_SC-6
ansible.builtin.debug:
msg: "Captured in prelim to ensure not LEGACY. Runs handler to update"
notify:
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration"
when: rhel9cis_rule_1_6_2
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_1.6.2
- NIST800-53R5_SC-8
- NIST800-53R5_IA-5
- NIST800-53R5_AC-17- NIST800-53R5_SC-6
ansible.builtin.lineinfile:
path: /etc/sysconfig/sshd
regexp: ^CRYPTO_POLICY\s*=
state: absent
notify: Restart sshd
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion"
when:
- rhel9cis_rule_1_6_3
- "'NO-SHA1' not in rhel9cis_crypto_policy_module"
tags:
- level1-server
- level1-workstation
- automated
- patch
- crypto
- rule_1.6.3
- NIST800-53R5_SC-6
block:
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
owner: root
group: root
mode: 'g-wx,o-rwx'
register: discovered_no_sha1_template
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SHA1' }}"
changed_when: discovered_no_sha1_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits"
when:
- rhel9cis_rule_1_6_4
- "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module"
tags:
- level1-server
- level1-workstation
- automated
- patch
- crypto
- rule_1.6.4
- NIST800-53R5_SC-6
block:
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
owner: root
group: root
mode: 'g-wx,o-rwx'
register: discovered_no_weakmac_template
- name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-WEAKMAC' }}"
changed_when: discovered_no_weakmac_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh"
when:
- rhel9cis_rule_1_6_5
- "'NO-SSHCBC' not in rhel9cis_crypto_policy_module"
tags:
- level1-server
- level1-workstation
- automated
- patch
- crypto
- rule_1.6.5
- NIST800-53R5_SC-6
block:
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
owner: root
group: root
mode: 'g-wx,o-rwx'
register: discovered_no_sshcbc_template
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHCBC' }}"
changed_when: discovered_no_sshcbc_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh"
when:
- rhel9cis_rule_1_6_6
- "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
tags:
- level1-server
- level1-workstation
- automated
- patch
- crypto
- rule_1.6.6
- NIST800-53R5_SC-6
block:
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
owner: root
group: root
mode: 'g-wx,o-rwx'
register: discovered_no_sshweakciphers_template
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
changed_when: discovered_no_sshweakciphers_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh"
when:
- rhel9cis_rule_1_6_7
- "'NO-SSHETM' not in rhel9cis_crypto_policy_module"
tags:
- level1-server
- level1-workstation
- automated
- patch
- crypto
- rule_1.6.7
- NIST800-53R5_SC-6
block:
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | Add submodule exclusion"
ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHETM.pmod
owner: root
group: root
mode: 'g-wx,o-rwx'
register: discovered_no_sshetm_template
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHETM' }}"
changed_when: discovered_no_sshetm_template is changed # noqa: no-handler
notify:
- Update Crypto Policy
- Set Crypto Policy
View git blame Copy permalink