From 070f06bd1fecdfd9fc515932a9ed98e0b9665fa9 Mon Sep 17 00:00:00 2001
From: "Nicholas O. Wilburn"
Date: Tue, 26 Sep 2017 12:55:38 -0700
Subject: [PATCH] Add variable to disable repo_gpgcheck

The DISA STIGs want to enforce repo_gpgcheck = 1 in /etc/yum.conf This will not work on current RedHat due to a few reasons:
1. RedHat does not provide gpg signed repo data. There is a ticket opened id=1410638
2. Repo maintainers must use this on their repos. EPEL currently does not
3. Algorithms used to gpg sign yum repos break when FIPs is enabled This is fixed in 7.4
For more information see the following: https://github.com/OpenSCAP/scap-security-guide/issues/1596
---
 defaults/main.yml | 1 +
 tasks/yum.yml | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 383b186..4851a4f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,6 +5,7 @@
 ### Yum Settings
 security_yum_verify_gpg: True
+security_yum_repo_gpgcheck: True
 
 ### AIDE Settings
 security_aide_configure: True
diff --git a/tasks/yum.yml b/tasks/yum.yml
index 6b05d02..d65a6e9 100644
--- a/tasks/yum.yml
+++ b/tasks/yum.yml
@@ -43,7 +43,8 @@
     create: False
   with_items:
     - "/etc/yum.conf"
-  when: ansible_distribution == "CentOS" or yum_config_file.stat.exists
+  when: (ansible_distribution == "CentOS" or yum_config_file.stat.exists) and
+        security_yum_repo_gpgcheck == True
 
 - name: "Ensure gpgcheck Enabled for local packages"
   ini_file:
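Review bot: The new default `security_yum_repo_gpgcheck: True` carries no comment, so a reader of defaults/main.yml cannot tell why a hardening role offers a switch that stops enforcing repo_gpgcheck, or what turning it off does. The rationale exists only in the commit message (unsigned RHEL repodata, EPEL not signing, FIPS mode breaking the signing algorithms before 7.4) and will be lost to anyone reading the role. Suggest a comment above the key along the lines of `# Set to False only for hosts whose repositories do not ship GPG-signed repodata; the tasks/yum.yml task that enforces repo_gpgcheck is then skipped, it does not write repo_gpgcheck = 0.` The last clause is what the tasks/yum.yml hunk appears to do; confirm before stating it.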
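Review bot: `security_yum_repo_gpgcheck == True` on the added continuation line is a strict equality against the Python boolean, so a value supplied as a string (for example `-e security_yum_repo_gpgcheck=true` on the command line, which Ansible passes as a string) compares unequal and silently skips the enforcement task; the conventional test is `security_yum_repo_gpgcheck | bool`. The multi-line plain scalar also hides the trailing `and`; a list-form condition reads more clearly: `when:` / `  - ansible_distribution == "CentOS" or yum_config_file.stat.exists` / `  - security_yum_repo_gpgcheck | bool`. Note that setting the variable to False only skips this task — nothing in the hunk writes repo_gpgcheck = 0 — so a value already present in /etc/yum.conf is left untouched, which is worth stating explicitly if that is the intended behaviour. The enclosing task (its name and the ini_file arguments above `create: False`) begins outside the hunk.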