-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix for #273 Allow for a local crypto policy module, for instance for the openSSH server. #358
Merged
uk-bolly
merged 1 commit into
ansible-lockdown:devel
from
TeamSalvador:bugfix/local-crypto-policies
Mar 21, 2024
Merged
Fix for #273 Allow for a local crypto policy module, for instance for the openSSH server. #358
uk-bolly
merged 1 commit into
ansible-lockdown:devel
from
TeamSalvador:bugfix/local-crypto-policies
Mar 21, 2024
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bbaassssiiee
force-pushed
the
bugfix/local-crypto-policies
branch
from
March 20, 2024 15:52
efaf058
to
d3a21d5
Compare
bbaassssiiee
changed the title
Fix for #273 Allow for a local site policy, for instance for the openSSH server.
Fix for #273 Allow for a local crypto policy module, for instance for the openSSH server.
Mar 21, 2024
If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy. The role defaults can be overridden by the user's vars. The user should implement a .pmod file, and add its basename to `rhel8cis_allowed_crypto_policies_modules`. The role vars are harder to change due to the 21 priority levels of Ansible. Signed-off-by: Bas Meijer <[email protected]>
bbaassssiiee
force-pushed
the
bugfix/local-crypto-policies
branch
from
March 21, 2024 08:51
a4ae557
to
ba88012
Compare
uk-bolly
approved these changes
Mar 21, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you
Merged
uk-bolly
added a commit
that referenced
this pull request
Jun 20, 2024
* initial v3.0.0 Signed-off-by: Mark Bolwell <[email protected]> * updated Signed-off-by: Mark Bolwell <[email protected]> * removed old conflict line Signed-off-by: Mark Bolwell <[email protected]> * tidy up warning on 432 Signed-off-by: Mark Bolwell <[email protected]> * tidy up ec2_checks Signed-off-by: Mark Bolwell <[email protected]> * updated warning on line 435 Signed-off-by: Mark Bolwell <[email protected]> * updated prelim and typos Signed-off-by: Mark Bolwell <[email protected]> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1) * March 24 updates (#356) * added conditional to user password check #354 thanks to @bbaassssiiee Signed-off-by: Mark Bolwell <[email protected]> * updated logic to check root passwd locked Signed-off-by: Mark Bolwell <[email protected]> * Updated Signed-off-by: Mark Bolwell <[email protected]> * lint and audit order change Signed-off-by: Mark Bolwell <[email protected]> * updated for documentation format Signed-off-by: Mark Bolwell <[email protected]> --------- Signed-off-by: Mark Bolwell <[email protected]> * Allow for a local site policy for the openSSH server. (#358) If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy. The role defaults can be overridden by the user's vars. The user should implement a .pmod file, and add its basename to `rhel8cis_allowed_crypto_policies_modules`. The role vars are harder to change due to the 21 priority levels of Ansible. Signed-off-by: Bas Meijer <[email protected]> * Issues March24 (#366) * #359 addressed thanks to @bbaassssiiee Signed-off-by: Mark Bolwell <[email protected]> * sysctl matches requirement & handler added Signed-off-by: Mark Bolwell <[email protected]> * container updated and cautions updated Signed-off-by: Mark Bolwell <[email protected]> * issues #360 addressed thanks to @bbaassssiiee Signed-off-by: Mark Bolwell <[email protected]> * updated Signed-off-by: Mark Bolwell <[email protected]> * Added #361 ensure local interface on 3.4.2.2 Signed-off-by: Mark Bolwell <[email protected]> * issue #363 addressed Signed-off-by: Mark Bolwell <[email protected]> * variable naming and lint Signed-off-by: Mark Bolwell <[email protected]> * variable naming and lint Signed-off-by: Mark Bolwell <[email protected]> * updated handler Signed-off-by: Mark Bolwell <[email protected]> * variable naming and lint updates Signed-off-by: Mark Bolwell <[email protected]> * updated Signed-off-by: Mark Bolwell <[email protected]> * fix issues with pam_unix Signed-off-by: Mark Bolwell <[email protected]> * added extra options Signed-off-by: Mark Bolwell <[email protected]> * issue #365 addressed Signed-off-by: Mark Bolwell <[email protected]> * fixed commenting alternate file Signed-off-by: Mark Bolwell <[email protected]> * updated var name to discovered Signed-off-by: Mark Bolwell <[email protected]> * renamed variable tomake it clearer Signed-off-by: Mark Bolwell <[email protected]> * updated Signed-off-by: Mark Bolwell <[email protected]> * fix typo Signed-off-by: Mark Bolwell <[email protected]> * updated discovered variable naming Signed-off-by: Mark Bolwell <[email protected]> * updated variable naming Signed-off-by: Mark Bolwell <[email protected]> --------- Signed-off-by: Mark Bolwell <[email protected]> * [pre-commit.ci] pre-commit autoupdate (#367) updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * [pre-commit.ci] pre-commit autoupdate (#368) updates: - [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](ansible/ansible-lint@v24.2.1...v24.2.2) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * updated for audit and url alignment (#370) Signed-off-by: Mark Bolwell <[email protected]> * [pre-commit.ci] pre-commit autoupdate (#372) updates: - [github.com/Yelp/detect-secrets: v1.4.0 → v1.5.0](Yelp/detect-secrets@v1.4.0...v1.5.0) - [github.com/gitleaks/gitleaks: v8.18.2 → v8.18.3](gitleaks/gitleaks@v8.18.2...v8.18.3) - [github.com/ansible-community/ansible-lint: v24.2.2 → v24.6.0](ansible/ansible-lint@v24.2.2...v24.6.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * use RHEL8 chrony.conf (#371) Signed-off-by: Tomáš Kuba <[email protected]> * Update Alma 8 GPG Key (#369) * Update Alma 8 GPG Key Update AlmaLinux.yml Signed-off-by: ajython <[email protected]> * Update AlmaLinux.yml Replace depricated Alma 8 GPG key Signed-off-by: ajython <[email protected]> --------- Signed-off-by: ajython <[email protected]> * May 24 updates (#376) * updated path to match disa for audit tools Signed-off-by: Mark Bolwell <[email protected]> * updated dict control Signed-off-by: Mark Bolwell <[email protected]> * updated nullok logic Signed-off-by: Mark Bolwell <[email protected]> * updated typos Signed-off-by: Mark Bolwell <[email protected]> * updated typ thanks to @msachikanta Signed-off-by: Mark Bolwell <[email protected]> --------- Signed-off-by: Mark Bolwell <[email protected]> * [pre-commit.ci] pre-commit autoupdate (#383) updates: - [github.com/gitleaks/gitleaks: v8.18.3 → v8.18.4](gitleaks/gitleaks@v8.18.3...v8.18.4) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * updated known issues thanks to @fgierlinger Signed-off-by: Mark Bolwell <[email protected]> * Interactive users logic and workflow (#385) * interactive user vars updates Signed-off-by: Mark Bolwell <[email protected]> * improved conditionals checks Signed-off-by: Mark Bolwell <[email protected]> * Tidy up titles Signed-off-by: Mark Bolwell <[email protected]> * updated with latest devel Signed-off-by: Mark Bolwell <[email protected]> * removed file not required Signed-off-by: Mark Bolwell <[email protected]> * improved logic for /dev/null home dirs Signed-off-by: Mark Bolwell <[email protected]> * Updated workflow to new runner Signed-off-by: Mark Bolwell <[email protected]> --------- Signed-off-by: Mark Bolwell <[email protected]> --------- Signed-off-by: Mark Bolwell <[email protected]> Signed-off-by: Bas Meijer <[email protected]> Signed-off-by: Tomáš Kuba <[email protected]> Signed-off-by: ajython <[email protected]> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Bas <[email protected]> Co-authored-by: tomkuba <[email protected]> Co-authored-by: ajython <[email protected]> Co-authored-by: Fred W <[email protected]>
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy.
The user should implement a .pmod file, and add its basename to
rhel8cis_allowed_crypto_policies_modules
.Overall Review of Changes:
rhel8cis_allowed_crypto_policies_modules
todefaults/main.yml
instead ofvars/main.yml
.The role defaults can be overridden by the user's vars.
The role vars are harder to change due to the 21 priority levels of Ansible.
Issue Fixes:
#273
Enhancements:
NO-SHA1 is a simple extra.
How has this been tested?:
@bbaassssiiee