Adding AlmaLinux (ansiblebook#12)

* hardening * Amended for Yum mirrors * meta-data
playingfield · Mar 8, 2023 · 1d206cb · 1d206cb
1 parent 8c7cb38
commit 1d206cb
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 23 deletions.
diff --git a/meta/main.yml b/meta/main.yml
@@ -9,20 +9,17 @@ galaxy_info:
 
   license: MIT
 
-  min_ansible_version: 2.11.0
+  min_ansible_version: "2.11.0"
 
   platforms:
     - name: EL
       versions:
-        - 7
-        - 8
-    - name: Fedora
-      versions:
-        - ALL
+        - "7"
+        - "8"
     - name: Ubuntu
       versions:
-        - 20
-        - 18
+        - "bionic"
+        - "focal"
   galaxy_tags:
     - system
     - security

diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -13,15 +13,17 @@ platforms:
   - name: ssh-centos8
     image: quay.io/centos/centos:stream8
     command: /sbin/init
+    cgroupns_mode: host
     capabilities:
-      - CAP_NET_BIND_SERVICE
+      - SYS_ADMIN
     published_ports:
       - 127.0.0.1:2258:22
     tmpfs:
       - /run
       - /tmp
+    privileged: true
     volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
 provisioner:
   name: ansible
   config_options:

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -59,7 +59,7 @@
 - name: Apply STRICT hardening for sshd
   when:
     - crypto_policy == 'STRICT'
-    - distro_version in [ 'RedHat8', 'CentOS8','Debian11','Rocky8']
+    - distro_version in [ 'RedHat8', 'CentOS8', 'AlmaLinux8', 'Debian11', 'Rocky8']
   include_tasks: "strict_config.yml"
 
 - name: Apply STRICT hardening for sshd

diff --git a/templates/STRICT.pol b/templates/STRICT.pol
@@ -1,40 +1,48 @@
 # https://access.redhat.com/articles/3642912
 # This is a stricter policy than FIPS:OSPP
 
-mac = HMAC-SHA2-256 UMAC-128 HMAC-SHA2-512
+mac = AEAD HMAC-SHA2-384
 
-group = X25519 SECP256R1 SECP384R1 SECP521R1 \
+group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
     FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
 
-hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-384 SHA3-512
+hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224
 
+# SHA1 signatures needed for DNSSec
 sign = EDDSA-ED25519 \
        RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 \
        RSA-SHA3-256 RSA-SHA2-256 \
        RSA-SHA3-384 RSA-SHA2-384 \
        RSA-SHA3-512 RSA-SHA2-512 \
-       RSA-PSS-SHA2-224 RSA-SHA2-224
+       RSA-PSS-SHA2-224 RSA-SHA2-224 \
+       ECDSA-SHA1 RSA-PSS-SHA1 RSA-SHA1
 
 # tls_cipher is deprecated
-tls_cipher = AES-256-GCM AES-256-CCM \
+cipher@TLS = AES-256-GCM AES-256-CCM \
     AES-128-GCM AES-128-CCM
 
-cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CTR \
-    AES-128-GCM AES-128-CCM AES-128-CTR
+cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 \
+    CAMELLIA-256-GCM AES-256-CTR AES-128-GCM AES-128-CCM AES-128-CTR
+
+# Yum mirrors need ECDHE (using weak elliptic curves like ecdh-sha2-nistp521)
+key_exchange = ECDHE DHE-PSK ECDHE-PSK DHE DHE-RSA PSK DHE-PSK
 
-key_exchange = DHE DHE-RSA PSK DHE-PSK
 # protocol is deprecated
-protocol = TLS1.3 TLS1.2 DTLS1.2
+protocol@TLS = TLS1.3 TLS1.2 DTLS1.2
 # ike_protocol is deprecated
-ike_protocol = IKEv2
+protocol@IKE = IKEv2
 
 min_tls_version = TLS1.2
 min_dtls_version = DTLS1.2
 
 # Parameter sizes
-min_dh_size = {{ min_dh_size }}
-min_dsa_size = 3072
+min_dh_size = 2048
+min_dsa_size = 2048
 min_rsa_size = 2048
 
 # GnuTLS only for now
 sha1_in_certs = 0
+
+arbitrary_dh_groups = 1
+ssh_certs = 1
+ssh_etm = 1