Merge pull request #59 from ansible-lockdown/Feb26_updates

Feb26 updates
2026-03-25 14:27:12 +00:00 · 2026-02-05 16:01:24 -05:00 · 2026-02-05 16:01:24 -05:00 · 0a77d6859f
commit 0a77d6859f
parent 6b986a7352 3442801399
23 changed files with 121 additions and 32 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,6 +1,5 @@
 ---
 parseable: true
 quiet: true
 skip_list:
  - 'package-latest'
--- a/.github/workflows/export_badges_private.yml
+++ b/.github/workflows/export_badges_private.yml
@ -12,8 +12,6 @@ on:
  push:
    branches:
      - latest
  schedule:
    - cron: '0 */6 * * *'
  workflow_dispatch:
 jobs:
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@ -7,7 +7,7 @@ Rules
 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <joan.doe@email.com>) in the commit message (details in Signing section)
 3) All work is done in your own branch
 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
-5) Be open and nice to eachother
+5) Be open and nice to each other
 Workflow
 --------
--- a/Changelog.md
+++ b/Changelog.md
@ -6,7 +6,7 @@ addressed issue #419, thank you @aaronk1
 addressed issue #418 thank you @bbaassssiiee
 Added better sysctl logic to disable IPv6
 Added option to disable IPv6 via sysctl (original method) or via the kernel
-pre-commit udpates
+pre-commit updates
 public issue #410 thanks to @kpi-nourman
 public issue #413 thanks to @bbaassssiiee
 Public issues incorporated
@ -18,6 +18,8 @@ Benchmark version variable in audit template
 fixed typo thanks to @fragglexarmy #393
 fixed typo thanks to @trumbaut #397 & #399
 updated auditd template to be 2.19 complaint
 PR345 thanks to thulium-drake boot password hash - if used needs passlib module
 tidy up tags on tasks/main.yml
 ## 2.0.3 - Based on CIS v2.0.0
--- a/README.md
+++ b/README.md
@ -128,6 +128,9 @@ RHEL Family OS 9
 - python-def
 - libselinux-python
 If you are using the option to create your own bootloader hash the ansible controller
 -  passlib
 ---
 ## Auditing 🔍
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -566,14 +566,18 @@ rhel9cis_selinux_pol: targeted
 rhel9cis_selinux_enforce: enforcing
 ## Control 1.4.1
-# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
+# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
-# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
+rhel9cis_set_boot_pass: false
-# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
+
 # Either set rhel9cis_bootloader_password_hash or rhel9cis_bootloader_password and rhel9cis_bootloader_salt
 # If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
-## Control 1.4.1
+# This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
-# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
+rhel9cis_bootloader_password: 'password'  # pragma: allowlist secret
-rhel9cis_set_boot_pass: true
+
 # Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
 rhel9cis_bootloader_salt: ''
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.
--- a/filter_plugins/grub_hash.py
+++ b/filter_plugins/grub_hash.py
@ -0,0 +1,73 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 # Copyright (c) 2025, Jeffrey van Pelt <jeff@vanpelt.one>
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import annotations
 DOCUMENTATION = r"""
 name: grub_hash
 short_description: Generate a GRUB2 password hash
 version_added: 1.0.0
 author: Jeffrey van Pelt (@Thulium-Drake)
 description:
  - Generate a GRUB2 password hash from the input
 options:
  _input:
    description: The desired password for the GRUB bootloader
    type: string
    required: true
  salt:
    description: The salt used to generate the hash
    type: string
    required: false
  rounds:
    description: The amount of rounds to run the PBKDF2 function
    type: int
    required: false
 """
 EXAMPLES = r"""
 - name: 'Generate hash with defaults'
  ansible.builtin.debug:
    msg: "{{ 'mango123!' | grub_hash }}"
 - name: 'Generate hash with custom rounds and salt'
  ansible.builtin.debug:
    msg: "{{ 'mango123!' | grub_hash(rounds=10001, salt='andpepper') }}"
    # Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C
 """
 RETURN = r"""
 _value:
  description: A GRUB2 password hash
  type: string
 """
 from ansible.errors import AnsibleFilterError
 import os
 import base64
 from passlib.hash import grub_pbkdf2_sha512
 def grub_hash(password, rounds=10000, salt=None):
    if salt is None:
        # Generate 64-byte salt if not provided
        salt = os.urandom(64)
    # Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed
    if not isinstance(salt, bytes):
        try:
            salt = salt.encode("utf-8")
        except AttributeError:
            raise TypeError("Salt must be a string, not int.")
    # Configure hash generator
    pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt)
    return pbkdf2_generator.hash(password)
 class FilterModule(object):
    def filters(self):
        return {
            'grub_hash': grub_hash
        }
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -41,14 +41,14 @@
    fail_msg: "Crypto policy is not a permitted version"
    success_msg: "Crypto policy is a permitted version"
- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
+- name: "Check rhel9cis_bootloader_password variable has been changed"
  when:
    - rhel9cis_set_boot_pass
    - rhel9cis_rule_1_4_1
  tags: always
  ansible.builtin.assert:
-    that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
+    that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
-    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
+    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"
 - name: "Check crypto-policy module input"
  when:
@ -154,9 +154,7 @@
    file: "{{ ansible_facts.distribution }}.yml"
 - name: "Include preliminary steps"
-  tags:
+  tags: prelim_tasks
    - prelim_tasks
    - always
  ansible.builtin.import_tasks:
    file: prelim.yml
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -4,7 +4,9 @@
 # List users in order to look up files inside each home directory
 - name: "PRELIM | Include audit specific variables"
-  when: run_audit or audit_only or setup_audit
+  when:
    - run_audit or audit_only
    - setup_audit
  tags:
    - setup_audit
    - run_audit
@ -12,7 +14,8 @@
    file: audit.yml
 - name: "PRELIM | Include pre-remediation audit tasks"
-  when: run_audit or audit_only or setup_audit
+  when:
    - run_audit or audit_only
  tags: run_audit
  ansible.builtin.import_tasks: pre_remediation_audit.yml
@ -92,6 +95,11 @@
    - rhel9cis_rule_1_2_1_1
    - ansible_facts.distribution != 'RedHat'
    - ansible_facts.distribution != 'OracleLinux'
  tags:
    - level1-server
    - level1-workstation
    - rule_1.2.1.1
    - gpg
  ansible.builtin.package:
    name: "{{ gpg_key_package }}"
    state: latest
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -13,7 +13,7 @@
    - NIST800-53R5_AC-3
  ansible.builtin.copy:
    dest: /boot/grub2/user.cfg
-    content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"  # noqa template-instead-of-copy
+    content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
    owner: root
    group: root
    mode: 'go-rwx'
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@ -58,7 +58,7 @@
    - level1-server
    - level1-workstation
    - patch
-    - permissionss
+    - permissions
    - rule_7.1.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 ### YOUR CHANGES WILL BE LOST!
 # This file contains users whose actions are not logged by auditd
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 ### YOUR CHANGES WILL BE LOST!
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
--- a/templates/etc/ansible/compliance_facts.j2
+++ b/templates/etc/ansible/compliance_facts.j2
@ -1,6 +1,6 @@
 # CIS Hardening Carried out
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 [lockdown_details]
 # Benchmark release
--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@ -1,7 +1,7 @@
 # Run AIDE integrity check
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 # Lock desktop media-handling automount setting
 /org/gnome/desktop/media-handling/automount
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 # Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 [org/gnome/desktop/media-handling]
 automount=false
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 [org/gnome/desktop/media-handling]
 autorun-never=true
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 # Specify the dconf path
 [org/gnome/desktop/session]
--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 # Lock desktop screensaver idle-delay setting
 /org/gnome/desktop/session/idle-delay
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 [org/gnome/login-screen]
 banner-message-enable=true
--- a/vars/main.yml
+++ b/vars/main.yml
@ -24,6 +24,8 @@ rhel9cis_allowed_crypto_policies_modules:
  - 'NO-SSHWEAKMAC'
  - 'NO-WEAKMAC'
 rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
@ -74,3 +76,5 @@ audit_bins:
  - /sbin/autrace
  - /sbin/auditd
  - /sbin/augenrules
 company_title: 'Mindpoint Group - A Tyto Athene Company'