---
# Fedora ships its own crypto-policies preset and update-crypto-policies
# behaves differently; applying DEFAULT:NO-SHA1 can break package signing.
# EL10 dropped the NO-SHA1 subpolicy module (DEFAULT already disables SHA-1
# signatures), so the modifier is set only on EL9 and below.
- name: Configure System Cryptography Policy
  # Runs only when the rule is enabled and the host is a RHEL-family OS
  # other than Fedora (see the note above).
  when:
    - cis_effective_rules.crypto_policy | default(false)
    - os in (os_family_rhel | difference(['fedora']))
  vars:
    # EL10 and newer get plain DEFAULT; EL9 and older add the NO-SHA1 modifier.
    _cis_crypto_policy: >-
      {{ 'DEFAULT' if (os_version_major | int >= 10) else 'DEFAULT:NO-SHA1' }}
  # chroot_command is prepended verbatim; presumably empty on a live host and a
  # chroot prefix when targeting a mounted image -- confirm against role defaults.
  ansible.builtin.command: >-
    {{ chroot_command }} /usr/bin/update-crypto-policies --set {{ _cis_crypto_policy }}
  register: cis_crypto_policy_result
  # Change is detected from the policy-switch line the tool prints on stdout,
  # not from the exit status (a non-zero exit still fails the task).
  changed_when: >-
    'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout

- name: Mask Systemd Services
  when: cis_effective_rules.mask_services | default(false)
  # Masks whichever firewall backend is not the configured toolkit (nftables
  # when iptables is selected, iptables otherwise) together with bluetooth and
  # rpcbind. Folded scalar: the lines below join into a single command line.
  ansible.builtin.command: >
    {{ chroot_command }} systemctl mask
    {{ 'nftables' if system_cfg.features.firewall.toolkit == 'iptables' else 'iptables' }}
    bluetooth rpcbind
  register: cis_mask_services_result
  # The "Created symlink" notice (read from stderr here) is the change signal;
  # a run that creates no new mask link is reported as unchanged.
  changed_when: "'Created symlink' in cis_mask_services_result.stderr"