Check if the config file is newer than the current crypto policy file.

ggbecker · ggbecker · commit cb06f973a558 · 2025-10-09T14:23:53.000+02:00
This current crypto policy file is set by the update-crypto-policies
command, if there is a mismatch, the OVAL will detect and result in
fail.
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
@@ -20,6 +20,24 @@
   failed_when: false
   check_mode: false
 
+- name: "{{{ rule_title }}} - Get mtime of /etc/crypto-policies/config"
+  ansible.builtin.stat:
+    path: /etc/crypto-policies/config
+  register: config_file_stat
+  changed_when: false
+  failed_when: false
+  check_mode: false
+
+- name: "{{{ rule_title }}} - Get mtime of /etc/crypto-policies/state/current"
+  ansible.builtin.stat:
+    path: /etc/crypto-policies/state/current
+  register: current_file_stat
+  changed_when: false
+  failed_when: false
+  check_mode: false
+
 - name: "{{{ rule_title }}} - Verify that Crypto Policy is Set (runtime)"
   ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
-  when: current_crypto_policy.stdout.strip() != var_system_crypto_policy
+  when: >
+    (current_crypto_policy.stdout.strip() != var_system_crypto_policy) or
+    (config_file_stat.stat.exists and current_file_stat.stat.exists and config_file_stat.stat.mtime > current_file_stat.stat.mtime)
