From efaf05843dffb9379215fb3b7e6bac2b54f665b8 Mon Sep 17 00:00:00 2001
From: Bas Meijer
Date: Wed, 20 Mar 2024 16:43:49 +0100
Subject: [PATCH] Allow for a local site policy for the openSSH server.

If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy. The role defaults can be overridden by the user's vars. The user should implement a .pmod file, and add its basename to `rhel8cis_allowed_crypto_policies_modules`. The role vars are harder to change due to the 21 priority levels of Ansible.
---
 defaults/main.yml | 9 ++++++++-
 vars/main.yml | 4 ----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 73cf243e..c779ecdf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -492,7 +492,14 @@ rhel8cis_selinux_policy: targeted
 # 1.6 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 rhel8cis_crypto_policy: 'DEFAULT'
-# Added module to be loaded - (Allowed options in vars/main.yml - OSPP and AD-SUPPORT)
+
+# 1.6.1 Allowed crypto-policy modules
+rhel8cis_allowed_crypto_policies_modules:
+  - 'AD-SUPPORT'
+  - 'NO-SHA1'
+  - 'OSPP'
+
+# Added module to be loaded
 rhel8cis_crypto_policy_module: ''
 # 1.7
diff --git a/vars/main.yml b/vars/main.yml
index e0d92405..9a92b432 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -7,10 +7,6 @@ rhel8cis_allowed_crypto_policies:
   - 'FUTURE'
   - 'FIPS'
-rhel8cis_allowed_crypto_policies_modules:
-  - 'OSPP'
-  - 'AD-SUPPORT'
-
 # default setting, this should not be changed
 # and is overridden if a task that changed sets the value if required.
 reboot_required: false
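Review bot: The allow-list that the task layer presumably checks `rhel8cis_crypto_policy_module` against now lives in defaults/, so it is user-overridable and no longer a role-enforced guard, and neither of the two new comments in this hunk tells the user that or how a local .pmod sub-policy is meant to be registered. Suggest replacing `# 1.6.1 Allowed crypto-policy modules` with `# Sub-policy modules that rhel8cis_crypto_policy_module may be set to; to use a local site policy, ship its .pmod file to the crypto-policies modules directory and add its basename here` and `# Added module to be loaded` with `# Module appended to rhel8cis_crypto_policy; must be listed in rhel8cis_allowed_crypto_policies_modules above, empty for none`. Two smaller points: `'NO-SHA1'` is a new allowed value that the commit message does not mention, and the `1.6.1` prefix reads like a CIS control number although this list is a role setting rather than a benchmark item, so consider dropping the number. Because the list is now user data, the task that applies the module (outside this hunk) should still verify the named .pmod exists and that the name matches a safe pattern such as `[A-Z0-9-]+` before it is interpolated into the update-crypto-policies call; if it does not, the removed hard-coded list in vars/main.yml was the only check.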