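---
# Mitigation for CVE-2023-48795 (the "Terrapin" SSH prefix-truncation attack).
#
# EL7 hosts: pin explicit "Ciphers" and "MACs" lines in sshd_config and
# ssh_config, validating each edit before it is written.
# EL8 hosts: install a crypto-policies subpolicy that removes
# CHACHA20-POLY1305 and disables encrypt-then-MAC for SSH (ssh_etm = 0), then
# stack it on top of whatever policy is currently active.
#
# Hosts whose major version is neither 7 nor 8 match neither block and are left
# untouched; nothing reports that they were skipped.
- name: uclalib_CVE-2023-48795.yml
  become: true
  become_method: sudo
  hosts: all
  vars:
    # NOTE(review): the "@openssh.com" algorithm names in the two lists below
    # appear as "[email protected]" in this copy of the file, which is not a
    # valid OpenSSH algorithm name. Restore the real names before running the
    # play; the validate steps below reject an unparseable list instead of
    # writing it.
    strict_cipher_list: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]"
    strict_macs_list: "MACs [email protected],[email protected],hmac-sha2-256,hmac-sha2-512"
    crypto_policy_path: "/etc/crypto-policies/policies/modules"
    crypto_policy_file: "CVE-2023-48795.pmod"
    # Subpolicy name as update-crypto-policies refers to it: the module file
    # name without its ".pmod" extension.
    crypto_policy_name: "{{ crypto_policy_file.split('.')[0] }}"
  tasks:
    - block:
        # lineinfile appends at end of file when no line matches the regexp.
        # If sshd_config ends in a "Match" block, that placement is rejected by
        # sshd and therefore by the validate step; use "insertbefore" to place
        # the line ahead of the first Match block in that case.
        - name: Replace strict ciphers and MACs in sshd_config
          lineinfile:
            path: "/etc/ssh/sshd_config"
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
            # Let sshd parse the candidate file first so a bad algorithm list
            # can never reach the restart below and lock the host out.
            validate: "/usr/sbin/sshd -t -f %s"
          loop:
            - { regexp: "^Ciphers", line: "{{ strict_cipher_list }}" }
            - { regexp: "^MACs", line: "{{ strict_macs_list }}" }
          register: sshd_config_edit
        - name: Replace strict ciphers and MACs in ssh_config
          lineinfile:
            path: "/etc/ssh/ssh_config"
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
            # "ssh -G" only evaluates the configuration; it fails on an
            # unparseable Ciphers/MACs line without opening a connection.
            validate: "/usr/bin/ssh -G -F %s localhost"
          loop:
            - { regexp: "^Ciphers", line: "{{ strict_cipher_list }}" }
            - { regexp: "^MACs", line: "{{ strict_macs_list }}" }
        # Only the server configuration needs a restart; ssh_config is read by
        # each client invocation.
        - name: Restart SSHD
          service:
            name: "sshd"
            state: "restarted"
          when: sshd_config_edit is changed
      when: ansible_distribution_major_version == '7'
    - block:
        - name: Create crypto policy file excluding ciphers
          copy:
            content: |
              cipher@SSH = -CHACHA20-POLY1305
              ssh_etm = 0
            dest: "{{ crypto_policy_path }}/{{ crypto_policy_file }}"
            owner: "root"
            group: "root"
            mode: "0640"
          register: crypto_policy_module
        # "--show" prints the active base policy plus any subpolicies already
        # stacked on it, joined by ":" (for example DEFAULT or
        # DEFAULT:CVE-2023-48795).
        - name: Get default crypto policy name
          command: >-
            update-crypto-policies --show
          register: default_crypto_policy
          changed_when: false
        # Skip "--set" when the subpolicy is already stacked and the module
        # file did not change; otherwise a second run would produce
        # DEFAULT:CVE-2023-48795:CVE-2023-48795 and report a change every time.
        - name: Apply crypto policy to system configuration
          command: >-
            update-crypto-policies --set {{ default_crypto_policy.stdout }}:{{ crypto_policy_name }}
          register: crypto_policy_apply
          when: >-
            crypto_policy_module is changed
            or crypto_policy_name not in default_crypto_policy.stdout.split(':')
        - name: Restart SSHD
          service:
            name: "sshd"
            state: "restarted"
          when: crypto_policy_apply is changed
      when: ansible_distribution_major_version == '8'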