Allow for a local site policy for the OpenSSH server. (#358)
If changes to the system-wide crypto policy are required to meet local
site policy for the OpenSSH server, these changes should be done with a sub-policy
assigned to the system-wide crypto policy.

The role defaults can be overridden by the user's vars.
The user should implement a .pmod file, and add its basename to `rhel8cis_allowed_crypto_policies_modules`.
The role vars are harder to change due to the 21 priority levels of Ansible.

Signed-off-by: Bas Meijer <[email protected]>
bbaassssiiee authored Mar 21, 2024
1 parent 319a091 commit 4d0daba
Showing 2 changed files with 8 additions and 5 deletions.
9 changes: 8 additions & 1 deletion defaults/main.yml
@@ -492,7 +492,14 @@ rhel8cis_selinux_policy: targeted

# 1.6 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
rhel8cis_crypto_policy: 'DEFAULT'
# Added module to be loaded - (Allowed options in vars/main.yml - OSPP and AD-SUPPORT)

# 1.6.1 Allowed crypto-policy modules
rhel8cis_allowed_crypto_policies_modules:
- 'AD-SUPPORT'
- 'NO-SHA1'
- 'OSPP'

# Added module to be loaded
rhel8cis_crypto_policy_module: ''

# 1.7
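Review bot: moving `rhel8cis_allowed_crypto_policies_modules` into defaults/main.yml turns it from a fixed list into one the user can override, so `rhel8cis_crypto_policy_module` is now validated only against whatever the user chose to allow; the `# 1.6.1 Allowed crypto-policy modules` comment should state that every entry must correspond to a .pmod file present on the target host (as the commit message describes), and the new `'NO-SHA1'` entry is not mentioned in the commit message and deserves a line explaining why it is included. The old comment `# Added module to be loaded - (Allowed options in vars/main.yml - OSPP and AD-SUPPORT)` is reduced to `# Added module to be loaded`; pointing it at the list directly above would keep the two variables tied together for readers.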
4 changes: 0 additions & 4 deletions vars/main.yml
@@ -7,10 +7,6 @@ rhel8cis_allowed_crypto_policies:
- 'FUTURE'
- 'FIPS'

rhel8cis_allowed_crypto_policies_modules:
- 'OSPP'
- 'AD-SUPPORT'

# default setting, this should not be changed
# and is overridden if a task that changed sets the value if required.
reboot_required: false
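Review bot: with `rhel8cis_allowed_crypto_policies_modules` removed here, nothing in vars/main.yml constrains the module names any more, so any task that checks `rhel8cis_crypto_policy_module` against that list now relies entirely on the user-overridable defaults value; consider adding an assertion that the selected module's .pmod file exists on the host before the crypto policy is applied, otherwise a typo in an overridden list only surfaces at apply time. The `rhel8cis_allowed_crypto_policies` list that stays in this file remains non-overridable, which is worth noting in the role docs since the two lists now behave differently.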

0 comments on commit 4d0daba