ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 14:27:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Updated comments for password hash and variable

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2026-02-06 12:49:05 +00:00
parent 3442801399
commit 591f0d90f4
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
2 changed files with 12 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

17
defaults/main.yml
View file

@ -569,15 +569,20 @@ rhel9cis_selinux_enforce: enforcing
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
rhel9cis_set_boot_pass: false rhel9cis_set_boot_pass: false
# Either set rhel9cis_bootloader_password_hash or rhel9cis_bootloader_password and rhel9cis_bootloader_salt # 2 Options for setting the bootloader password
# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring # 1. Set the bootloader password and salt - Reqiured the passlib python module available to the ansible controller
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret # or
# 2. Set the bootloader password hash
#
# Option 1: Set the bootloader password and salt - if salt is set, the password will be hashed using the salt
# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
rhel9cis_bootloader_salt: ''
# This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed. # This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
rhel9cis_bootloader_password: 'password' # pragma: allowlist secret rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes # Option 2: Set the bootloader password hash - if the salt value is empty, the password will be set using below variable
rhel9cis_bootloader_salt: '' # If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
## Controls 1.6.x and Controls 5.1.x ## Controls 1.6.x and Controls 5.1.x
# This variable governs if current Ansible role should manage system-wide crypto policy. # This variable governs if current Ansible role should manage system-wide crypto policy.

2
vars/main.yml
View file

@ -24,7 +24,7 @@ rhel9cis_allowed_crypto_policies_modules:
- 'NO-SSHWEAKMAC' - 'NO-SSHWEAKMAC'
- 'NO-WEAKMAC' - 'NO-WEAKMAC'
rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
# Used to control warning summary # Used to control warning summary
warn_control_list: "" warn_control_list: ""