sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs(cis): explain Fedora exclusion from crypto-policy configuration

Browse Source
This commit is contained in:
Sandwich
2026-02-21 01:22:41 +01:00
parent a123a32feb
commit 7970d933e8
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
roles/cis/tasks/crypto.yml
View File

@@ -1,4 +1,6 @@
--- ---
# Fedora ships its own crypto-policies preset and update-crypto-policies
# behaves differently; applying DEFAULT:NO-SHA1 can break package signing.
- name: Configure System Cryptography Policy - name: Configure System Cryptography Policy
when: os in (os_family_rhel | difference(['fedora'])) when: os in (os_family_rhel | difference(['fedora']))
ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1" ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"