Allow for a local site policy for the openSSH server.

If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy. The role defaults can be overridden by the user's vars. The user should implement a .pmod file, and add its basename to `rhel8cis_allowed_crypto_policies_modules`. The role vars are harder to change due to the 21 priority levels of Ansible. Signed-off-by: Bas Meijer <[email protected]>
ansible-lockdown · Mar 21, 2024 · ba88012 · ba88012
1 parent 319a091
commit ba88012
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -492,7 +492,14 @@ rhel8cis_selinux_policy: targeted
 
 # 1.6 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 rhel8cis_crypto_policy: 'DEFAULT'
-# Added module to be loaded - (Allowed options in vars/main.yml - OSPP and AD-SUPPORT)
+
+# 1.6.1 Allowed crypto-policy modules
+rhel8cis_allowed_crypto_policies_modules:
+    - 'AD-SUPPORT'
+    - 'NO-SHA1'
+    - 'OSPP'
+
+# Added module to be loaded
 rhel8cis_crypto_policy_module: ''
 
 # 1.7

diff --git a/vars/main.yml b/vars/main.yml
@@ -7,10 +7,6 @@ rhel8cis_allowed_crypto_policies:
     - 'FUTURE'
     - 'FIPS'
 
-rhel8cis_allowed_crypto_policies_modules:
-    - 'OSPP'
-    - 'AD-SUPPORT'
-
 # default setting, this should not be changed
 # and is overridden if a task that changed sets the value if required.
 reboot_required: false