ISSUE Rule 5.1.4 | PATCH | Ensure sshd Ciphers are configured

[kpi-nourman]

Describe the Issue
I set vars rhel9cis_crypto_policy_module: 'OSPP' but task still Skipping

TASK [RHEL9-CIS-v2.0.0-releasetag-2.0.3 : 5.1.4 | PATCH | Ensure sshd Ciphers are configured | Add submodule exclusion] ***
task path: /runner/project/roles/RHEL9-CIS-v2.0.0-releasetag-2.0.3/tasks/section_5/cis_5.1.x.yml:99
skipping: [bsdvappdev254] => {
    "changed": false,
    "false_condition": "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module",
    "skip_reason": "Conditional result was False"
}
Read vars_file 'vars/rhel9_newsystem_vars.yml'

TASK [RHEL9-CIS-v2.0.0-releasetag-2.0.3 : 5.1.4 | PATCH | Ensure sshd Ciphers are configured | submodule to crypto policy modules] ***
task path: /runner/project/roles/RHEL9-CIS-v2.0.0-releasetag-2.0.3/tasks/section_5/cis_5.1.x.yml:110
skipping: [bsdvappdev254] => {
    "changed": false,
    "false_condition": "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module",
    "skip_reason": "Conditional result was False"
}
Read vars_file 'vars/rhel9_newsystem_vars.yml'

Expected Behavior
I try to add task debug after task rule 5.1.4 to see that vars success receive, and got my vars not in use.

TASK [RHEL9-CIS-v2.0.0-releasetag-2.0.3 : DEBUG | crypto policy module AFTER 5.1.4] ***
task path: /runner/project/roles/RHEL9-CIS-v2.0.0-releasetag-2.0.3/tasks/section_5/cis_5.1.x.yml:114
ok: [bsdvappdev254] => {
    "msg": [
        "rhel9cis_crypto_policy_module = :NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHETM"
    ]
}
Read vars_file 'vars/rhel9_newsystem_vars.yml'

Control(s) Affected
Rule 5.1.4 | PATCH | Ensure sshd Ciphers are configured

Environment (please complete the following information):

• branch being used: devel
• Ansible Version: AAP 2.4

Possible Solution
Enter a suggested fix here

[uk-bolly]

hi @kpi-nourman

Thank you for this issue and provding the details. I believe the issue is you are using the incorrect variables.
If you set rhel9cis_additional_crypto_policy_module: 'OSPP', this gets added during the handler phase
when debugging after 5.1.4 this is the following

- debug:
    msg: "{{ rhel9cis_crypto_policy_module }}:{% if rhel9cis_additional_crypto_policy_module | length > 0 %}:{{ rhel9cis_additional_crypto_policy_module }}{% endif %}"

with the outputs of

TASK [/Users/mbolwell/Documents/git/MPG/OS/Linux/REMEDIATE/Private-RHEL9-CIS : debug] **********************************************************************************************************************************
ok: [rocky9_bios] => {
    "msg": ":NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHETM::OSPP"
}

After running through the whole playbook and the system rebooting (clean built system, i am able to query and get the following

[root@localhost ~]# update-crypto-policies --show
DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHETM:NO-SSHWEAKMACS:OSPP

I hope that all makes sense, please let us know if this doenst work for you.

Many thanks

uk-bolly

[kpi-nourman]

hi @kpi-nourman

Thank you for this issue and provding the details. I believe the issue is you are using the incorrect variables. If you set rhel9cis_additional_crypto_policy_module: 'OSPP', this gets added during the handler phase when debugging after 5.1.4 this is the following

- debug:
    msg: "{{ rhel9cis_crypto_policy_module }}:{% if rhel9cis_additional_crypto_policy_module | length > 0 %}:{{ rhel9cis_additional_crypto_policy_module }}{% endif %}"

with the outputs of

TASK [/Users/mbolwell/Documents/git/MPG/OS/Linux/REMEDIATE/Private-RHEL9-CIS : debug] **********************************************************************************************************************************
ok: [rocky9_bios] => {
    "msg": ":NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHETM::OSPP"
}

After running through the whole playbook and the system rebooting (clean built system, i am able to query and get the following

[root@localhost ~]# update-crypto-policies --show
DEFAULT:NO-SHA1:NO-WEAKMAC:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHETM:NO-SSHWEAKMACS:OSPP

I hope that all makes sense, please let us know if this doenst work for you.

Many thanks

uk-bolly

So i wrong to set rhel9cis_crypto_policy_module: OSPP?

because i follow the guide in main.yml variable to use OSPP in that variable for rule 5.1.4 task run, but the result after i set OSPP the task is skipping.

# This variable contains the value of the crypto policy module(combinations of policies and
# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
#    - 'OSPP'
#    - 'AD-SUPPORT'
#    - 'AD-SUPPORT-LEGACY'
rhel9cis_crypto_policy_module: 'OSPP'

so what can i do to run rule 5.1.4? because if i not set varsrhel9cis_crypto_policy_module that rule still skipping