
Make hardening crypto policies by Ansible idempotent #14001

Merged: Mab879 merged 3 commits into ComplianceAsCode:master from jan-cerny:openssl_idem on Oct 13, 2025

Conversation

@jan-cerny
Collaborator

Description:

This PR makes Ansible remediation in these rules idempotent:

  • harden_openssl_crypto_policy
  • harden_sshd_ciphers_opensshserver_conf_crypto_policy
  • harden_sshd_macs_opensshserver_conf_crypto_policy

Rationale:

Resolves: https://issues.redhat.com/browse/OPENSCAP-6230

Review Hints:

  • ./build_product --playbook-per-rule rhel8
  • manually replace hosts by hosts: all in build/rhel8/playbooks/all/harden_openssl_crypto_policy.yml
  • run ansible-playbook -u root -i YOUR_IP, build/rhel8/playbooks/all/harden_openssl_crypto_policy.yml at least twice and compare the output of the first run with the second run and so on; verify that the second and subsequent runs don't change anything and that the output contains only "ok" or "skipping"
  • ditto with build/rhel8/playbooks/stig/harden_sshd_ciphers_opensshserver_conf_crypto_policy.yml and build/rhel8/playbooks/stig/harden_sshd_macs_opensshserver_conf_crypto_policy.yml
  • Apart from that, run automatus Tss with --remediate-using ansible. Ensure your automatus back end virtual machine contains at least openscap 1.3.12. This version is necessary because of the negative number in OVAL.
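The idempotency check in the review hints above (run the playbook twice, the second run must change nothing) can be scripted instead of compared by eye. The following is an added example, not code from this PR or from the ComplianceAsCode project: it parses the PLAY RECAP of an ansible-playbook transcript, lists the tasks that reported "changed:", and wraps the two-run procedure. The transcript it checks offline is constructed for the example (host 192.0.2.10 and the task names are made up); run_twice_and_check assumes ansible-playbook is on PATH and a reachable inventory host, and is not executed here.

```shell
#!/bin/sh
# Idempotency check for an Ansible remediation playbook (added example, not
# part of the PR). A second run of an idempotent playbook must report
# changed=0 for every host and contain no "changed:" task lines.

# recap_is_idempotent FILE
# Returns 0 when every host line under "PLAY RECAP" in FILE has changed=0,
# unreachable=0 and failed=0; returns 1 otherwise.
recap_is_idempotent() {
    awk '
        /^PLAY RECAP/ { in_recap = 1; next }
        in_recap && /: *ok=/ {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if ((kv[1] == "changed" || kv[1] == "unreachable" || kv[1] == "failed") && kv[2] + 0 != 0)
                    bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# changed_tasks FILE
# Prints the name of every task that reported "changed:" in FILE, so a
# reviewer sees exactly which task breaks idempotency on a re-run.
changed_tasks() {
    awk '
        /^TASK \[/ { task = $0; sub(/^TASK \[/, "", task); sub(/\].*$/, "", task) }
        /^changed: \[/ { print task }
    ' "$1"
}

# run_twice_and_check PLAYBOOK INVENTORY
# Mirrors the review hint: run the playbook twice against the same host and
# require the second run to change nothing. Assumes ansible-playbook is on
# PATH and that INVENTORY names a reachable host (e.g. "YOUR_IP,").
run_twice_and_check() {
    first=$(mktemp); second=$(mktemp)
    ansible-playbook -u root -i "$2" "$1" > "$first" || return 1
    ansible-playbook -u root -i "$2" "$1" > "$second" || return 1
    if recap_is_idempotent "$second"; then
        echo "idempotent: second run changed nothing"
    else
        echo "NOT idempotent; tasks that changed on the second run:"
        changed_tasks "$second"
        return 1
    fi
}

# write_sample_run FILE CHANGED
# Writes a constructed ansible-playbook transcript (not real output from the
# PR's playbooks; host and task names are made up) in which CHANGED of the
# two remediation tasks report "changed", for offline testing.
write_sample_run() {
    file="$1"; changed="$2"
    status1=ok; status2=ok
    if [ "$changed" -ge 1 ]; then status1=changed; fi
    if [ "$changed" -ge 2 ]; then status2=changed; fi
    cat > "$file" <<EOF
PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [192.0.2.10]

TASK [Set the system crypto policy] ********************************************
$status1: [192.0.2.10]

TASK [Check ciphers in opensshserver config] ***********************************
skipping: [192.0.2.10]

TASK [Update ciphers in opensshserver config] **********************************
$status2: [192.0.2.10]

PLAY RECAP *********************************************************************
192.0.2.10                 : ok=3    changed=$changed    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
EOF
}

# Offline demonstration on the constructed transcripts.
clean=$(mktemp); dirty=$(mktemp)
write_sample_run "$clean" 0
write_sample_run "$dirty" 2
if recap_is_idempotent "$clean"; then echo "clean run: idempotent"; fi
if ! recap_is_idempotent "$dirty"; then
    echo "dirty run: tasks that changed:"
    changed_tasks "$dirty"
fi
rm -f "$clean" "$dirty"
```

With a real host, `run_twice_and_check build/rhel8/playbooks/all/harden_openssl_crypto_policy.yml YOUR_IP,` performs the two runs from the hints and fails with the list of offending tasks when the second run is not clean, which is the output a reviewer wants from an idempotency regression.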

@jan-cerny jan-cerny added this to the 0.1.79 milestone Oct 9, 2025
@jan-cerny jan-cerny added the Ansible Ansible remediation update. label Oct 9, 2025
@jan-cerny jan-cerny changed the title Make haredening crypto policies by Ansible idempotent Make hardening crypto policies by Ansible idempotent Oct 9, 2025
@openshift-ci

openshift-ci Bot commented Oct 9, 2025

@jan-cerny: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/e2e-aws-openshift-platform-compliance | 5018cbd | link | true | /test e2e-aws-openshift-platform-compliance
ci/prow/e2e-aws-openshift-node-compliance | 5018cbd | link | true | /test e2e-aws-openshift-node-compliance


@jan-cerny
Collaborator Author

/packit build

@Mab879 Mab879 self-assigned this Oct 13, 2025
@Mab879 Mab879 merged commit 98e68cc into ComplianceAsCode:master Oct 13, 2025
135 of 136 checks passed