From 43a339c74fe6b9038f694829921090c03a692d57 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 7 Sep 2023 14:23:12 +0100
Subject: [PATCH] new var rhel9cis_rhel_default_repo
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 1 +
 tasks/section_1/cis_1.2.x.yml | 4 ++--
 vars/AlmaLinux.yml | 2 ++
 vars/OracleLinux.yml | 2 ++
 vars/RedHat.yml | 3 +++
 5 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 72857c0..2ace2f9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -370,6 +370,7 @@ rhel9cis_rhnsd_required: false
 # 1.2.4 repo_gpgcheck
 rhel9cis_rhel_default_repo: true
+rhel9cis_rule_enable_repogpg: true
 # 1.4.1 Bootloader password
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
index 1317cc7..fc2d992 100644
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@@ -111,8 +111,8 @@
 when:
 - rhel9cis_rule_1_2_4
- - not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat'
- - ansible_facts.distribution != 'OracleLinux'
+ - rhel9cis_rule_enable_repogpg
+ - not rhel9cis_rhel_default_repo
 tags:
 - level1-server
 - level1-workstation
diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml
index c460fb0..b0eb3d9 100644
--- a/vars/AlmaLinux.yml
+++ b/vars/AlmaLinux.yml
@@ -3,3 +3,5 @@
 os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29
 os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716"
+# disable repo_gpgcheck due to OS default repos
+rhel9cis_rule_enable_repogpg: false
diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml
index d916178..64927cc 100644
--- a/vars/OracleLinux.yml
+++ b/vars/OracleLinux.yml
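Review bot: `rhel9cis_rule_enable_repogpg` is added under the `# 1.2.4 repo_gpgcheck` heading with no comment of its own, and nothing here says how it differs from `rhel9cis_rhel_default_repo` on the line above, although both now gate the same task. I would add above the new line `# false = skip 1.2.4 entirely (set per OS in vars/); true = 1.2.4 runs when rhel9cis_rhel_default_repo is false`. The `rhel9cis_rule_` prefix appears to be used for per-control switches such as `rhel9cis_rule_1_2_4`, so a name without that prefix would keep tuning variables distinguishable from rule toggles.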
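Review bot: With the last condition reduced to a bare `not rhel9cis_rhel_default_repo`, the task is skipped on every distribution while that variable keeps the `true` shown in defaults/main.yml; the removed expression `not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat'` still ran it on distributions other than RedHat and OracleLinux. If the wider skip is intended, a hardening run now passes over CIS 1.2.4 without leaving any trace, so a compliance report can read as if repo_gpgcheck had been enforced. I would pair the task with a message that fires when the rule is selected but bypassed, as sketched below. The task itself starts above this hunk, so its name and module are not visible here.

```yaml
# … unchanged: the existing 1.2.4 task with its when/tags …

# constructed example: task name and message text are placeholders
- name: "1.2.4 | repo_gpgcheck not enforced on this host"
  ansible.builtin.debug:
    msg: "1.2.4 skipped: repo_gpgcheck left unchanged, see rhel9cis_rule_enable_repogpg and rhel9cis_rhel_default_repo"
  when:
    - rhel9cis_rule_1_2_4
    - not rhel9cis_rule_enable_repogpg or rhel9cis_rhel_default_repo
```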
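Review bot: Putting `rhel9cis_rule_enable_repogpg: false` in a vars/ file means that, if these files are loaded with `include_vars` (the loader is not part of this diff), a value set in inventory, group_vars or host_vars cannot switch the check back on; of the usual operator settings only extra vars outrank it. The same line is added to vars/OracleLinux.yml and vars/RedHat.yml, so on all three distributions the `true` in defaults/main.yml is never seen, and on RedHat setting `rhel9cis_rhel_default_repo: false` no longer enables the task as the old condition allowed. Hosts that add repositories with signed metadata are therefore left with 1.2.4 off unless the operator knows to pass an extra var. I would state that in the comment, for example `# forces 1.2.4 repo_gpgcheck off on this OS; override with -e rhel9cis_rule_enable_repogpg=true`, or move the per-OS choice to a place the inventory can override.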
@@ -2,3 +2,5 @@
 # OS Specific Settings
 os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
 os_gpg_key_pubkey_content: "Oracle Linux (release key 1) "
+# disable repo_gpgcheck due to OS default repos
+rhel9cis_rule_enable_repogpg: false
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index d33b0bc..c5833a4 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -3,3 +3,6 @@
 os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b
 os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51"
+
+# disable repo_gpgcheck due to OS default repos
+rhel9cis_rule_enable_repogpg: false