SSL certificate validation disabled with Ansible Yum
Description
This policy flags Ansible tasks that call the yum module (`yum` or `ansible.builtin.yum`) with `validate_certs` set to false. That parameter governs verification of the TLS certificate presented when the module downloads a package over an https URL, and it defaults to true. Turning it off removes the check that the host is talking to the genuine package source, so an attacker who can intercept the connection (a man-in-the-middle) can serve a substituted or tampered package.
Code Example
```diff
 - name: Example
   hosts: all
   gather_facts: False
   tasks:
     - name: Example
       ansible.builtin.yum:
         name: nginx
         state: latest
-        validate_certs: false
+        validate_certs: true
```
Remediation
Ansible
- Module: ansible.builtin.yum or yum
- Attribute: validate_certs
To remediate, leave `validate_certs` at its default of true, or set it explicitly, and remove any `validate_certs: false` from yum tasks. Where a package host presents a certificate from an internal CA, add that CA to the managed hosts' trust store rather than disabling validation. `validate_certs` covers only the TLS connection; RPM signature checking is a separate control (`disable_gpg_check`) and should also stay enabled.
Secure Code Example:
```yaml
- name: Example
  hosts: all
  gather_facts: False
  tasks:
    - name: Example
      ansible.builtin.yum:
        name: nginx
        state: latest
        validate_certs: true
```
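The detection this policy describes, written out as an added example (not Checkov's or Ansible's own code): a small Python checker that walks a parsed playbook and reports yum tasks whose `validate_certs` is false. It operates on the structure that PyYAML's `yaml.safe_load()` returns, so a real playbook file can be loaded and passed in the same way; it handles both module names, free-form `key=value` arguments, a task-level `args:` mapping, and tasks nested in `block`/`rescue`/`always`. The sample playbook, its task names, and the `FALSE_STRINGS` set are constructed for this example.

```python
"""Detect Ansible yum tasks that disable TLS certificate validation.

Added example, not Checkov's or Ansible's own code. It walks the structure
that yaml.safe_load() returns for a playbook and reports tasks that call the
yum module (short name or FQCN) with validate_certs set to a false value.
The sample playbook below is constructed for this example.
"""
import shlex
from typing import Any, Dict, Iterator, List

YUM_MODULES = ("ansible.builtin.yum", "yum")
# Keys of a play or block that hold task lists, including nested block sections.
TASK_SECTIONS = ("pre_tasks", "tasks", "post_tasks", "handlers", "block", "rescue", "always")
# Strings Ansible treats as boolean false (compared case-insensitively); assumed set.
FALSE_STRINGS = {"false", "no", "off", "n", "0"}


def is_false(value: Any) -> bool:
    """True if Ansible would read the value as boolean false."""
    if isinstance(value, bool):
        return value is False
    if isinstance(value, (int, float)):
        return value == 0
    if isinstance(value, str):
        return value.strip().lower() in FALSE_STRINGS
    return False


def iter_tasks(container: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every task in a play, descending into block/rescue/always."""
    for section in TASK_SECTIONS:
        for task in container.get(section) or []:
            if not isinstance(task, dict):
                continue
            if any(key in task for key in ("block", "rescue", "always")):
                yield from iter_tasks(task)
            else:
                yield task


def module_params(task: Dict[str, Any], module: str) -> Dict[str, Any]:
    """Collect the module's parameters from dict form, free-form 'k=v' string
    form, and the task-level args: mapping."""
    params: Dict[str, Any] = {}
    raw = task[module]
    if isinstance(raw, dict):
        params.update(raw)
    elif isinstance(raw, str):
        for token in shlex.split(raw):
            key, sep, val = token.partition("=")
            if sep:
                params[key] = val
    extra = task.get("args")
    if isinstance(extra, dict):
        params.update(extra)
    return params


def find_insecure_yum_tasks(playbook: List[Any]) -> List[str]:
    """Return the names of yum tasks whose validate_certs is false."""
    findings: List[str] = []
    for play in playbook:
        if not isinstance(play, dict):
            continue
        for task in iter_tasks(play):
            module = next((m for m in YUM_MODULES if m in task), None)
            if module is None:
                continue
            params = module_params(task, module)
            # The parameter defaults to true, so only an explicit false value fails.
            if "validate_certs" in params and is_false(params["validate_certs"]):
                findings.append(str(task.get("name", "<unnamed task>")))
    return findings


# Constructed sample in the form yaml.safe_load() returns for a playbook.
SAMPLE_PLAYBOOK: List[Any] = [
    {
        "name": "Example",
        "hosts": "all",
        "gather_facts": False,
        "tasks": [
            {"name": "Insecure install",
             "ansible.builtin.yum": {"name": "nginx", "state": "latest", "validate_certs": False}},
            {"name": "Secure install",
             "ansible.builtin.yum": {"name": "nginx", "state": "latest", "validate_certs": True}},
            {"name": "Default install", "yum": {"name": "httpd", "state": "present"}},
            {"name": "Free-form insecure", "yum": "name=vim state=present validate_certs=no"},
            {"block": [
                {"name": "Nested insecure", "yum": {"name": "git"}, "args": {"validate_certs": "off"}},
            ]},
        ],
    }
]

if __name__ == "__main__":
    for name in find_insecure_yum_tasks(SAMPLE_PLAYBOOK):
        print(f"CKV_ANSIBLE_3: validate_certs disabled in task '{name}'")
```

Against the sample, only the three tasks that set an explicit false value ("Insecure install", "Free-form insecure", "Nested insecure") are reported; a task that omits the parameter is accepted because the module default is true.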
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0044 |
| Severity | MEDIUM |
| IaC Type | Ansible |
| Frameworks | Ansible |
| Checkov ID | CKV_ANSIBLE_3 |