From 34428013999c4c56d4abb5aad6a1481804592f53 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 5 Feb 2026 20:28:52 +0000
Subject: [PATCH] tidy up of variables and warning for bootloader password

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 --
 tasks/main.yml | 2 +-
 vars/main.yml | 2 ++
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 24ec0b6..931ea93 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -579,8 +579,6 @@ rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
 # Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
 rhel9cis_bootloader_salt: ''
 
-rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
-
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.
 rhel9cis_crypto_policy_ansiblemanaged: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 4525a74..d6325fd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -48,7 +48,7 @@
 tags: always
 ansible.builtin.assert:
 that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
- msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password variable has not been set correctly"
+ msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"
 
 - name: "Check crypto-policy module input"
 when:
diff --git a/vars/main.yml b/vars/main.yml
index a6ee2b5..dfff3c5 100644
--- a/vars/main.yml
+++ b/vars/main.yml
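Review bot: The reworded `msg` in tasks/main.yml still does not mention `rhel9cis_bootloader_salt`, although the `that:` expression just above it accepts the plaintext route only when the salt is non-empty and the password is not `'password'`. An operator who sets only `rhel9cis_bootloader_password` will fail the assert and be pointed at the wrong variable. Suggested wording: `msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash, or rhel9cis_bootloader_salt together with rhel9cis_bootloader_password, has not been set correctly"`. The task's `name` and `when:` lines are outside the hunk.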
@@ -24,6 +24,8 @@ rhel9cis_allowed_crypto_policies_modules:
 - 'NO-SSHWEAKMAC'
 - 'NO-WEAKMAC'
 
+rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
+
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
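Review bot: As shown on this page, the salted branch of the added `rhel9_compiled_bootloader_password` template has no opening `{{` before `(rhel9cis_bootloader_password | grub_hash(...))`. With a non-empty `rhel9cis_bootloader_salt` the value would then render as the literal expression text followed by `}}` rather than a PBKDF2 hash. The line is moved unchanged from defaults/main.yml, so this is a good place to fix it: `{% if rhel9cis_bootloader_salt != '' %}{{ rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}`. The task that writes the value is not visible here, but if the unrendered text reaches the GRUB password file, the bootloader would presumably not be protected by the intended password. Role vars also outrank inventory and group vars, so a bad value can no longer be corrected from inventory; a one-line comment above the variable saying it is derived and not meant to be overridden would help.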