Gpgcheck switch

README.md

@@ -34,7 +34,7 @@ It will not:
   * Sander van Zoest sysctl `https://github.com/svanzoest-cookbooks/sysctl`
 
 ## Attributes
-
+* `['os-hardening']['yum']['gpg_exclude'] = []` - Array of yum configuration files to exclude from gpgcheck
 * `['os-hardening']['components'][COMPONENT_NAME]` - allows the fine control over which components should be executed via default recipe. See below for more details
 * `['os-hardening']['desktop']['enable'] = false`
   true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc

attributes/default.rb

@@ -27,6 +27,7 @@
   default['os-hardening']['packages']['pam_cracklib'] = 'pam_cracklib'
   default['os-hardening']['packages']['pam_pwquality'] = 'libpwquality'
   default['os-hardening']['packages']['auditd'] = 'audit'
+  default['os-hardening']['yum']['gpg_exclude'] = []
 
   if node['platform_version'].to_f < 7
     default['os-hardening']['auth']['pam']['passwdqc']['enable']  = true

recipes/yum.rb

@@ -26,15 +26,25 @@
   block do
     # TODO: harmonize with latter function
     config_file = '/etc/yum.conf'
-    GPGCheck.check(config_file)
+    # Only check files not listed in gpg_exclude array
+    unless node['os-hardening']['yum']['gpg_exclude'].include? config_file
+      GPGCheck.check(config_file)
+    end
 
     Dir.glob('/etc/yum.repos.d/*').each do |file|
-      GPGCheck.check(file)
+      config_file = '/etc/yum.conf'
+      # Only check files not listed in gpg_exclude array
+      unless node['os-hardening']['yum']['gpg_exclude'].include? file
+        GPGCheck.check(file)
+      end
     end
 
     rhn_conf = '/etc/yum/pluginconf.d/rhnplugin.conf'
     File.file?(rhn_conf) do
-      GPGCheck.check(rhn_conf)
+      # Only check files not listed in gpg_exclude array
+      unless node['os-hardening']['yum']['gpg_exclude'].include? rhn_conf
+        GPGCheck.check(rhn_conf)
+      end
     end
   end
   action :run