SSL validation is disabled with yum
Description
This policy detects Ansible yum tasks that have SSL validation disabled. Disabling SSL validation significantly increases security risk: the system will accept any SSL certificate presented by a repository, including a forged or compromised one, without verification. This exposes package downloads to man-in-the-middle attacks.
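As an added example (not Checkov's or Prisma Cloud's own implementation), the following Python check implements the detection logic this policy describes: it walks a parsed playbook, finds tasks that use the `yum` or `ansible.builtin.yum` module, and reports those that explicitly set `sslverify` to a false value. It operates on the structure `yaml.safe_load` would return so it runs without extra dependencies; the playbook below is constructed for the demonstration. It goes slightly beyond the page's single case by also handling Ansible's string booleans ("no", "off", "0"), the free-form `module: key=value` task syntax, and tasks nested inside `block`/`rescue`/`always`.

```python
"""Flag Ansible yum tasks that disable SSL verification (sslverify: false).

Added example, not the scanner's own code. Input is the already-parsed playbook
(list of plays, as yaml.safe_load would return) so no YAML library is needed.
"""
from typing import Any, Dict, Iterator, List, Tuple

YUM_MODULES = {"yum", "ansible.builtin.yum"}
# Spellings Ansible treats as boolean false (case-insensitive).
FALSE_VALUES = {"false", "no", "off", "0", "n", "f"}
TASK_SECTIONS = ("tasks", "pre_tasks", "post_tasks", "handlers")
BLOCK_SECTIONS = ("block", "rescue", "always")


def is_false(value: Any) -> bool:
    """Interpret a value the way Ansible's boolean parsing does."""
    if isinstance(value, bool):
        return value is False
    if isinstance(value, (int, float)):
        return value == 0
    if isinstance(value, str):
        return value.strip().lower() in FALSE_VALUES
    return False


def iter_tasks(tasks: List[Any], path: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, task) for every leaf task, descending into block/rescue/always."""
    for idx, task in enumerate(tasks):
        if not isinstance(task, dict):
            continue
        here = f"{path}[{idx}]"
        nested = False
        for section in BLOCK_SECTIONS:
            if isinstance(task.get(section), list):
                nested = True
                yield from iter_tasks(task[section], f"{here}.{section}")
        if not nested:
            yield here, task


def find_insecure_yum_tasks(playbook: List[Any]) -> List[str]:
    """Return a path/name label for each yum task that sets sslverify to false.

    A task with no sslverify key passes: the module default is true.
    """
    findings: List[str] = []
    for p_idx, play in enumerate(playbook):
        if not isinstance(play, dict):
            continue
        for section in TASK_SECTIONS:
            tasks = play.get(section)
            if not isinstance(tasks, list):
                continue
            for path, task in iter_tasks(tasks, f"play[{p_idx}].{section}"):
                for module in YUM_MODULES:
                    args = task.get(module)
                    if isinstance(args, str):
                        # Free-form syntax: "yum: name=nginx sslverify=no"
                        args = dict(part.split("=", 1) for part in args.split() if "=" in part)
                    if isinstance(args, dict) and is_false(args.get("sslverify", True)):
                        findings.append(f"{path} ({task.get('name', module)})")
    return findings


# Constructed sample: the parsed form of a small playbook mixing secure and insecure tasks.
SAMPLE_PLAYBOOK = [
    {
        "name": "Example",
        "hosts": "all",
        "gather_facts": False,
        "tasks": [
            {"name": "Insecure yum", "ansible.builtin.yum": {"name": "nginx", "state": "latest", "sslverify": False}},
            {"name": "String false", "yum": {"name": "nginx", "sslverify": "no"}},
            {"name": "Default (secure)", "ansible.builtin.yum": {"name": "nginx", "state": "latest"}},
            {"name": "Explicit secure", "ansible.builtin.yum": {"name": "nginx", "sslverify": True}},
            {"block": [{"name": "Nested insecure", "yum": "name=nginx sslverify=false"}]},
        ],
    }
]

if __name__ == "__main__":
    for finding in find_insecure_yum_tasks(SAMPLE_PLAYBOOK):
        print("FAILED sslverify check:", finding)
```

Run against the sample, the check reports the two explicitly disabled tasks and the nested free-form one, and passes the task that omits `sslverify` (module default is true) and the one that sets it to `true`.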
Code Example

```yaml
- name: Example
  hosts: all
  gather_facts: False
  tasks:
    - name: Validate SSL certificates with yum
      ansible.builtin.yum:
        name: nginx
        state: latest
-       sslverify: false
+       sslverify: true
```

Remediation
Ansible
- Module: ansible.builtin.yum or yum
- Attribute: sslverify
To mitigate this risk, ensure that the sslverify attribute in your Ansible yum tasks is set to 'true' (or left unset, since true is the module default). This enforces SSL certificate verification and helps maintain the integrity and confidentiality of communication with yum repositories.
Secure Code Example
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0045 |
| Severity | MEDIUM |
| IaC Type | Ansible |
| Frameworks | Ansible |
| Checkov ID | CKV_ANSIBLE_4 |