If changes to the system-wide crypto policy are required to meet local site policy for the OpenSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy.
The user should implement a .pmod file, and add its basename to rhel8cis_allowed_crypto_policies_modules.
Overall Review of Changes:
Adds the NO-SHA1 policy module.
Moves rhel8cis_allowed_crypto_policies_modules to defaults/main.yml instead of vars/main.yml.
The role defaults can be overridden by the user's vars.
The role vars are harder to change due to the 21 priority levels of Ansible.
Issue Fixes: 273
Enhancements: NO-SHA1 is a simple extra.
How has this been tested?: @bbaassssiiee