- Description
- Setup - The basics of getting started with crypto_policies
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module sets the system-wide crypto policy on the Red Hat OS family.
The module also provides a fact showing the current crypto policy and if the crypto-policies software is available and installed on the OS.
This affects the security level of BIND, GnuTLS, Kerberos, NSS, OpenJDK, OpenSSH, OpenSSL and more.
The crypto-policies software available on the RedHat os family from
version 8 and on configures the policy for which cryptographic
algorithms are to be available and used across various applications
and libraries. See the crypto-policies(7) man page or the Red Hat
documentation on security
hardening
for more information.
This is a simple module. Include it to use the 'DEFAULT' crypto
policy, or use the policy parameter to set a policy and optional
policy modules.
Basic usage. This will use the DEFAULT policy, which is default for
this module..
include crypto_policiesSet a policy of DEFAULT adding the NO-SHA1 module to disable the
sha1 hashing algorithm.
class { 'crypto_policies':
policy => 'DEFAULT:NO-SHA1',
}For now, this only works on the RedHat OS family version 8.
On any other OS, or if the crypto-policies software is uninstalled, this module will silently do nothing.
Pull requests and bug reports are welcome.