sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: EL10 PAM and crypto readiness via authselect profile and DEFAULT policy

Browse Source
This commit is contained in:
Sandwich
2026-05-28 17:30:57 +02:00
parent 6fe843355e
commit 89e366d0f0
6 changed files with 84 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
roles/cis/tasks/crypto.yml
View File

@@ -1,11 +1,15 @@
---
# Fedora ships its own crypto-policies preset and update-crypto-policies
# behaves differently; applying DEFAULT:NO-SHA1 can break package signing.
# EL10 dropped the NO-SHA1 subpolicy module (DEFAULT already disables SHA-1
# signatures), so the modifier is set only on EL9 and below.
- name: Configure System Cryptography Policy
vars:
_cis_crypto_policy: "{{ 'DEFAULT' if (os_version_major | int >= 10) else 'DEFAULT:NO-SHA1' }}"
when:
- cis_effective_rules.crypto_policy | default(false)
- os in (os_family_rhel | difference(['fedora']))
ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set {{ _cis_crypto_policy }}"
register: cis_crypto_policy_result
changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"