Check if the NSS file exists, if not then run the update-crypto-policies

ggbecker · ggbecker · commit 07be9d4057c5 · 2025-10-09T14:23:53.000+02:00
This is to mimic the OVAL that does the same check.
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
@@ -36,8 +36,15 @@
   failed_when: false
   check_mode: false
 
+- name: "{{{ rule_title }}} - Check existence of /etc/crypto-policies/back-ends/nss.config"
+  ansible.builtin.stat:
+    path: /etc/crypto-policies/back-ends/nss.config
+  register: nss_config_stat
+  changed_when: false
+
 - name: "{{{ rule_title }}} - Verify that Crypto Policy is Set (runtime)"
   ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
   when: >
     (current_crypto_policy.stdout.strip() != var_system_crypto_policy) or
-    (config_file_stat.stat.exists and current_file_stat.stat.exists and config_file_stat.stat.mtime > current_file_stat.stat.mtime)
+    (config_file_stat.stat.exists and current_file_stat.stat.exists and config_file_stat.stat.mtime > current_file_stat.stat.mtime) or
+    (not nss_config_stat.stat.exists)
