
Commit f2ae388

CIS AlmaLinux 9: use configure_custom_crypto_policy_cis for crypto policy controls
Switch controls 1.6.1, 1.6.4, and 1.6.5 from configure_crypto_policy to configure_custom_crypto_policy_cis with NO-WEAKMAC and NO-SSHCBC modules per CIS AlmaLinux 9 Benchmark 2.0.0.
1 parent 347b070 commit f2ae388

2 files changed

Lines changed: 22 additions & 15 deletions

File tree

controls/cis_almalinux9.yml

Lines changed: 8 additions & 15 deletions
@@ -547,8 +547,7 @@ controls:
547547
- l1_workstation
548548
status: automated
549549
rules:
550-
- configure_crypto_policy
551-
- var_system_crypto_policy=default_nosha1
550+
- configure_custom_crypto_policy_cis
552551

553552
- id: 1.6.2
554553
title: Ensure system wide crypto policy is not set in sshd configuration (Automated)
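Review bot: removing `- var_system_crypto_policy=default_nosha1` from 1.6.1 takes the SHA1 exclusion out of the control file, so the control now depends entirely on `configure_custom_crypto_policy_cis` encoding it; that matters because 1.6.3's note in this same file says the requirement "is already satisfied by 1.6.1". The rule.yml change later in this commit does set `base_policy = "DEFAULT:NO-SHA1"` for almalinux9, so the behaviour is preserved, but the commit message should state that the variable selection is intentionally superseded by the rule's base policy rather than silently dropped.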
@@ -568,31 +567,25 @@ controls:
568567
notes: |-
569568
This requirement is already satisfied by 1.6.1.
570569
related_rules:
571-
- configure_crypto_policy
570+
- configure_custom_crypto_policy_cis
572571

573572
- id: 1.6.4
574573
title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
575574
levels:
576575
- l1_server
577576
- l1_workstation
578-
status: pending
579-
notes: |-
580-
It is necessary a new rule to ensure a module disabling weak MACs in
581-
/etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
582-
related_rules:
583-
- configure_crypto_policy
577+
status: automated
578+
rules:
579+
- configure_custom_crypto_policy_cis
584580

585581
- id: 1.6.5
586582
title: Ensure system wide crypto policy disables cbc for ssh (Automated)
587583
levels:
588584
- l1_server
589585
- l1_workstation
590-
status: pending
591-
notes: |-
592-
It is necessary a new rule to ensure a module disabling CBC in
593-
/etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
594-
related_rules:
595-
- configure_crypto_policy
586+
status: automated
587+
rules:
588+
- configure_custom_crypto_policy_cis
596589

597590
- id: 1.6.6
598591
title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh (Automated)
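Review bot: the deleted `notes` for 1.6.4 and 1.6.5 were the only place that recorded which module under `/etc/crypto-policies/policies/modules/` each control depends on; now that both point at the same rule as 1.6.1 and 1.6.3, a one-line note per control (NO-WEAKMAC for 1.6.4, NO-SSHCBC for 1.6.5) would keep the control file readable without opening the rule template. Also note that 1.6.3 still lists the rule under `related_rules` while 1.6.4 and 1.6.5 move it to `rules`; that is consistent with 1.6.3's "already satisfied by 1.6.1" note, but the asymmetry is worth a sentence in the commit message so it is not mistaken for an oversight.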

linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml

Lines changed: 14 additions & 0 deletions
@@ -56,6 +56,20 @@ title: Implement Custom Crypto Policy Modules for CIS Benchmark
5656
"scope": "rpm-sequoia"
5757
},
5858
] %}}
59+
{{% elif product == "almalinux9" %}}
60+
{{% set base_policy = "DEFAULT:NO-SHA1" %}}
61+
{{% set sub_policies = [
62+
{
63+
"module_name": "NO-WEAKMAC",
64+
"key": "mac",
65+
"value": "-*-64*"
66+
},
67+
{
68+
"module_name": "NO-SSHCBC",
69+
"key": "cipher@SSH",
70+
"value": "-*-CBC"
71+
},
72+
] %}}
5973
{{% elif product == "rhel10" or product == "fedora" %}}
6074
{{% set base_policy = "DEFAULT" %}}
6175
{{% set sub_policies = [
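Review bot: the new `almalinux9` branch hard-codes `base_policy = "DEFAULT:NO-SHA1"` with no comment tying it to the controls that rely on it; since control 1.6.1 no longer selects `default_nosha1` through a variable, a comment here that NO-SHA1 is required by CIS 1.6.1 (and 1.6.3 through its note) would stop a later edit from collapsing this to plain `DEFAULT` as the `rhel10`/`fedora` branch below does. The `-*-64*` and `-*-CBC` values are update-crypto-policies removal globs, so the rendered `.pmod` content and the resulting `DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC` policy string are what a test scenario for this product should check.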
