From 4d0dabaf36ed92a423bb779c1230ff1a8b21330c Mon Sep 17 00:00:00 2001
From: Bas
Date: Thu, 21 Mar 2024 10:09:17 +0100
Subject: [PATCH] Allow for a local site policy for the openSSH server. (#358)

If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy. The role defaults can be overridden by the user's vars. The user should implement a .pmod file, and add its basename to `rhel8cis_allowed_crypto_policies_modules`. The role vars are harder to change due to the 21 priority levels of Ansible.

Signed-off-by: Bas Meijer
---
 defaults/main.yml | 9 ++++++++-
 vars/main.yml     | 4 ----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 73cf243e..da0cb0e1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -492,7 +492,14 @@ rhel8cis_selinux_policy: targeted
 # 1.6 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 rhel8cis_crypto_policy: 'DEFAULT'
-# Added module to be loaded - (Allowed options in vars/main.yml - OSPP and AD-SUPPORT)
+
+# 1.6.1 Allowed crypto-policy modules
+rhel8cis_allowed_crypto_policies_modules:
+  - 'AD-SUPPORT'
+  - 'NO-SHA1'
+  - 'OSPP'
+
+# Added module to be loaded
 rhel8cis_crypto_policy_module: ''
 # 1.7
diff --git a/vars/main.yml b/vars/main.yml
index e0d92405..9a92b432 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -7,10 +7,6 @@ rhel8cis_allowed_crypto_policies:
   - 'FUTURE'
   - 'FIPS'
-rhel8cis_allowed_crypto_policies_modules:
-  - 'OSPP'
-  - 'AD-SUPPORT'
-
 # default setting, this should not be changed
 # and is overridden if a task that changed sets the value if required.
 reboot_required: false
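Review bot: The rewritten comment `# Added module to be loaded` on the new side of the defaults/main.yml hunk drops the old pointer to the permitted values, so a reader no longer learns that `rhel8cis_crypto_policy_module` must be one of `rhel8cis_allowed_crypto_policies_modules` or that a site-local entry is the basename of a .pmod file; suggest `# Sub-policy module applied on top of rhel8cis_crypto_policy - must be listed in rhel8cis_allowed_crypto_policies_modules (for a site-local module, the basename of a .pmod file installed on the target host)`. Because the allowlist now lives in defaults and is meant to be extended from inventory, it no longer acts as a role-enforced guard; the task that consumes these variables (outside this diff) should presumably still verify that the named .pmod exists on the target before the policy is switched, so a typo fails loudly instead of silently leaving the crypto policy unchanged — worth confirming. `'NO-SHA1'` is newly added to the allowed list but the description does not mention it; a one-line note there would help. The heading `# 1.6.1 Allowed crypto-policy modules` reads like a CIS control number; if it is not meant as one, a plain heading avoids confusion.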