From 2863be6c02aedb4fc840ac5b0dcfcc2777bcc681 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Feb 2026 14:16:29 +0000 Subject: [PATCH] tidied up comments to make it simpler Signed-off-by: Mark Bolwell --- defaults/main.yml | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7d25795..0b29d9f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -569,21 +569,31 @@ rhel9cis_selinux_enforce: enforcing # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: false -# 2 Options for setting the bootloader password -# 1. Set the bootloader password and salt - Reqiured the passlib python module available to the ansible controller -# or -# 2. Set the bootloader password hash +################### bootloader password ##################################### # -# Option 1: Set the bootloader password and salt - if salt is set, the password will be hashed using the salt -# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes +# Two options for for setting the bootloader password +# +# Option 1: Set the bootloader password and salt – requires the passlib Python module +# to be available on the Ansible controller. +# Set this value to something secure to have predictable hashes, +# which will prevent unnecessary changes. + rhel9cis_bootloader_salt: '' -# This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed. + +# This variable stores the GRUB bootloader password to be written +# to the '/boot/grub2/user.cfg' file. The default value must be changed. + rhel9cis_bootloader_password: 'password' # pragma: allowlist secret -# Option 2: Set the bootloader password hash - if the salt value is empty, the password will be set using below variable -# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring +# Option 2: Set the bootloader password hash – if the salt value is empty, +# the password will be set using the variable below. +# If you are not using the bootloader hash filter, you can set it here +# in encrypted format, e.g. grub.pbkdf2.sha512.hashstring + rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret +#################################################### + ## Controls 1.6.x and Controls 5.1.x # This variable governs if current Ansible role should manage system-wide crypto policy. rhel9cis_crypto_policy_ansiblemanaged: true