Add variable to disable repo_gpgcheck

The DISA STIGs want to enforce repo_gpgcheck = 1 in /etc/yum.conf This will not work on current RedHat due to a few reasons: 1. RedHat does not provide gpg signed repo data. There is a ticket opened id=1410638 2. Repo maintainers must use this on their repos. EPEL currently does not 3. Algorithms used to gpg sign yum repos break when FIPs is enabled This is fixed in 7.4 For more information see the following: ComplianceAsCode/content#1596
ragingpastry · Sep 26, 2017 · 070f06b · 070f06b
1 parent 259d572
commit 070f06b
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -5,6 +5,7 @@
 
 ### Yum Settings
 security_yum_verify_gpg: True
+security_yum_repo_gpgcheck: True
 
 ### AIDE Settings
 security_aide_configure: True

diff --git a/tasks/yum.yml b/tasks/yum.yml
@@ -43,7 +43,8 @@
     create: False
   with_items:
     - "/etc/yum.conf"
-  when: ansible_distribution == "CentOS" or yum_config_file.stat.exists
+  when: (ansible_distribution == "CentOS" or yum_config_file.stat.exists) and
+         security_yum_repo_gpgcheck == True
 
 - name: "Ensure gpgcheck Enabled for local packages"
   ini_file: