ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 14:27:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

tidy up of variables and warning for bootloader password

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2026-02-05 20:28:52 +00:00
parent 9a3f458db0
commit 3442801399
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
3 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
defaults/main.yml
View file

@ -579,8 +579,6 @@ rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes # Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
rhel9cis_bootloader_salt: '' rhel9cis_bootloader_salt: ''
rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
## Controls 1.6.x and Controls 5.1.x ## Controls 1.6.x and Controls 5.1.x
# This variable governs if current Ansible role should manage system-wide crypto policy. # This variable governs if current Ansible role should manage system-wide crypto policy.
rhel9cis_crypto_policy_ansiblemanaged: true rhel9cis_crypto_policy_ansiblemanaged: true

2
tasks/main.yml
View file

@ -48,7 +48,7 @@
tags: always tags: always
ansible.builtin.assert: ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password variable has not been set correctly" msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"
- name: "Check crypto-policy module input" - name: "Check crypto-policy module input"
when: when:

2
vars/main.yml
View file

@ -24,6 +24,8 @@ rhel9cis_allowed_crypto_policies_modules:
- 'NO-SSHWEAKMAC' - 'NO-SSHWEAKMAC'
- 'NO-WEAKMAC' - 'NO-WEAKMAC'
rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
# Used to control warning summary # Used to control warning summary
warn_control_list: "" warn_control_list: ""
warn_count: 0 warn_count: 0