- Description
- Setup - The basics of getting started with crypto_policies
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module sets the system-wide crypto policy on the Red Hat OS family.
The module also provides a fact showing the current crypto policy and if the crypto-policies software is available and installed on the OS.
This affects the security level of BIND, GnuTLS, Kerberos, NSS, OpenJDK, OpenSSH, OpenSSL and more.
The crypto-policies software, available on the Red Hat OS family from version 8 onward, configures the policy for which cryptographic algorithms are available and used across various applications and libraries. See the crypto-policies(7) man page or the Red Hat documentation on security hardening for more information.
This is a simple module. Include it to use the 'DEFAULT' crypto policy, or use the policy parameter to set a policy and optional policy modules.
Basic usage. This will use the DEFAULT policy, which is the default for this module.
include crypto_policies
Set a policy of DEFAULT, adding the NO-SHA1 module to disable the sha1 hashing algorithm.
class { 'crypto_policies':
  policy => 'DEFAULT:NO-SHA1',
}
For now, this only works on the Red Hat OS family version 8.
On any other OS, or if the crypto-policies software is uninstalled, this module will silently do nothing.
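Because the module does nothing silently on unsupported hosts, an independent check that the expected policy is really in effect is useful. The following is an added example, not part of this module: the function names are hypothetical, and it assumes the applied policy string is recorded in /etc/crypto-policies/state/current, the state file written by update-crypto-policies.

```shell
#!/bin/sh
# Added example: audit helper, not code from the crypto_policies module.
# Assumption: update-crypto-policies records the applied policy string
# (for example DEFAULT:NO-SHA1) in the state file below.
STATE_FILE_DEFAULT=/etc/crypto-policies/state/current

# Print the applied policy, upper-cased and stripped of whitespace.
# Returns 2 when the state file is missing (crypto-policies not installed,
# or an OS where the module did nothing).
applied_policy() {
    state_file=${1:-$STATE_FILE_DEFAULT}
    [ -r "$state_file" ] || return 2
    tr -d ' \t\r\n' < "$state_file" | tr '[:lower:]' '[:upper:]'
}

# Succeed if policy string $1 (BASE:MOD1:MOD2) carries policy module $2.
# The base policy name itself is never counted as a module.
policy_has_module() {
    case ":${1#*:}:" in
        *":$2:"*) [ "$1" != "${1#*:}" ] ;;
        *) return 1 ;;
    esac
}

# Compare the applied policy with the expected one (case-insensitive).
# Exit status: 0 = match, 1 = drift, 2 = crypto-policies state not found.
check_crypto_policy() {
    expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    actual=$(applied_policy "$2") || {
        echo "UNKNOWN: no crypto-policies state, policy was not applied" >&2
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $actual"
        return 0
    fi
    echo "DRIFT: expected $expected, applied $actual" >&2
    return 1
}
```

Call `check_crypto_policy 'DEFAULT:NO-SHA1'` from a monitoring or compliance job. Status 2 marks hosts where the class was included but had no effect.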
Pull requests and bug reports are welcome.