
scottyplex/crypto_subPolicy


Linux System-wide Crypto Sub Policy

This repository contains a set of Ansible playbooks and Bash scripts designed to manage and enforce system-wide cryptographic policies on Linux systems. The primary goal is to apply a sub-policy that disables known weak algorithms, such as CBC-mode ciphers and the HMAC-SHA1 MAC, to strengthen the system's security posture.


Purpose

Modern cryptography is an essential component of a secure system. This project provides both an automated (Ansible) and a manual (Bash) method to apply and back out a system-wide crypto sub-policy. Offering both lets administrators enforce the same critical security settings consistently and reliably, whichever workflow they prefer.


Key Features

  • Dual-Method Approach: Provides both idempotent Ansible playbooks and self-contained Bash scripts for flexible deployment and management.
  • Remediation: Enforces a crypto sub-policy that disables weak ciphers and hashes, a critical step for hardening systems against modern threats.
  • Backout Functionality: Includes dedicated backout scripts and playbooks that restore the system to its previous state, so changes can be rolled back safely.
  • Automated Backups: Both methods create backups of the krb5.conf file before making any changes.

File Breakdown

  • crypto_subPolicy.yml: An Ansible playbook to apply the crypto sub-policy. It removes weak Kerberos settings, creates the necessary .pmod files, and sets the new system-wide policy.
  • crypto_subPolicy_BACKOUT.yml: An Ansible playbook to revert the changes. It restores the backed-up krb5.conf file and resets the crypto policy to DEFAULT.
  • crypto_subPolicy.sh: A Bash script that performs the same remediation actions as the Ansible playbook. This is ideal for manual, one-off deployments.
  • crypto_subPolicy_BACKOUT.sh: A Bash script to revert the changes made by the main Bash script.

Technologies

  • Ansible: Automation engine for managing configurations.
  • Bash: Shell scripting language for manual execution.
  • YAML: For defining Ansible playbooks.
  • Linux: Specifically targeting systems using update-crypto-policies.

Usage

Note: Always review the code and test in a non-production environment before applying it to critical systems.

Method 1: Using Ansible (Recommended for Automation)

  1. Place the crypto_subPolicy.yml and crypto_subPolicy_BACKOUT.yml playbooks in your Ansible environment.
  2. Run the remediation playbook:
    ansible-playbook -i <your_inventory_file> crypto_subPolicy.yml
  3. To back out the changes, run the backout playbook:
    ansible-playbook -i <your_inventory_file> crypto_subPolicy_BACKOUT.yml

Method 2: Using Bash Scripts (For Manual Use)

  1. Copy the crypto_subPolicy.sh and crypto_subPolicy_BACKOUT.sh scripts to the target system.
  2. Make the scripts executable:
    chmod +x crypto_subPolicy.sh crypto_subPolicy_BACKOUT.sh
  3. Run the remediation script with sudo or as the root user:
    sudo ./crypto_subPolicy.sh
  4. To back out the changes, run the backout script with sudo:
    sudo ./crypto_subPolicy_BACKOUT.sh
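The following script is an added example, not crypto_subPolicy.sh or any code from the scottyplex repository. It walks through the same steps the File Breakdown attributes to the playbook and script (back up krb5.conf, remove a weak Kerberos setting, create a .pmod module, set the system-wide policy) and adds a backout and a verify path. The module name NO-CBC-SHA1, the choice of "allow_weak_crypto = true" as the weak Kerberos setting to remove, the specific AES-CBC cipher names, and the environment-variable overrides for the file paths are all assumptions made for this example; the `-ALGORITHM` removal syntax in .pmod files, the `update-crypto-policies --set DEFAULT:MODULE` form, and the /etc/crypto-policies/state/current file are those of the update-crypto-policies tool.

```shell
#!/usr/bin/env bash
# Added example (not the repository's own script): applies a crypto sub-policy
# the way the README describes, keeps a backup of krb5.conf, and can back out.
# Assumptions, not from the README: the module name NO-CBC-SHA1, that the
# "weak Kerberos setting" is "allow_weak_crypto = true", and that paths can be
# overridden via environment variables so the functions can be tested offline.
set -eu

POLICY_DIR="${POLICY_DIR:-/etc/crypto-policies/policies/modules}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
STATE_FILE="${STATE_FILE:-/etc/crypto-policies/state/current}"
MODULE_NAME="${MODULE_NAME:-NO-CBC-SHA1}"   # hypothetical module name

# Policy module text. A leading "-" removes the algorithm from the base policy;
# the cipher names are the AES-CBC entries of the DEFAULT policy (assumed scope of "CBC").
pmod_content() {
    cat <<'EOF'
# Constructed sub-policy: drop CBC-mode ciphers and HMAC-SHA1 from the base policy
cipher = -AES-256-CBC -AES-192-CBC -AES-128-CBC
mac = -HMAC-SHA1
EOF
}

# Write the module only when its content differs, so repeated runs are idempotent.
# Prints "changed" or "unchanged".
write_pmod() {
    local target="$POLICY_DIR/$MODULE_NAME.pmod"
    if [ -f "$target" ] && [ "$(cat "$target")" = "$(pmod_content)" ]; then
        echo "unchanged"
        return 0
    fi
    mkdir -p "$POLICY_DIR"
    pmod_content > "$target"
    chmod 0644 "$target"
    echo "changed"
}

# Keep one pristine copy of krb5.conf. Never overwrite an existing backup,
# otherwise a second run would back up the already-modified file.
backup_krb5() {
    local backup="$KRB5_CONF.bak"
    [ -f "$KRB5_CONF" ] || { echo "missing $KRB5_CONF" >&2; return 1; }
    [ -f "$backup" ] || cp -p "$KRB5_CONF" "$backup"
    echo "$backup"
}

# Drop the line that re-enables weak Kerberos enctypes (assumed to be the
# weak setting the README refers to); every other line is left untouched.
remove_weak_krb5() {
    sed -i -E '/^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*true/d' "$KRB5_CONF"
}

# True when the recorded active policy is DEFAULT plus our module.
verify_policy() {
    [ -f "$STATE_FILE" ] || return 1
    [ "$(cat "$STATE_FILE")" = "DEFAULT:$MODULE_NAME" ]
}

apply_policy() {
    backup_krb5 >/dev/null
    remove_weak_krb5
    write_pmod
    update-crypto-policies --set "DEFAULT:$MODULE_NAME"
    # Applications read the policy at start-up: reboot or restart the
    # affected services before the new policy is fully in effect.
}

backout_policy() {
    if [ -f "$KRB5_CONF.bak" ]; then
        cp -p "$KRB5_CONF.bak" "$KRB5_CONF"
    fi
    update-crypto-policies --set DEFAULT
}

case "${1:-}" in
    apply)   apply_policy ;;
    backout) backout_policy ;;
    verify)  verify_policy && echo "policy DEFAULT:$MODULE_NAME active" ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 {apply|backout|verify}" >&2; exit 2 ;;
esac
```

Run it as root with `apply`, check with `verify` after the reboot, and use `backout` to restore krb5.conf from the .bak copy and return the policy to DEFAULT. The same sequence maps onto Ansible tasks (a copy task with backup enabled for krb5.conf, a lineinfile removal, a copy of the .pmod file, and a command task for update-crypto-policies), which is the shape a playbook version of these steps takes.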