From 59eca28b3cee78e8dea11a0f6dad5d2885b6dfa4 Mon Sep 17 00:00:00 2001
From: Jeffrey van Pelt
Date: Thu, 5 Jun 2025 22:41:33 +0200
Subject: [PATCH] Added option to add a salt, this will allow ansible to idempotently set the password

Signed-off-by: Jeffrey van Pelt
---
 defaults/main.yml             | 3 +++
 tasks/section_1/cis_1.4.x.yml | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index d734b6a..a847984 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -563,6 +563,9 @@ rhel9cis_selinux_enforce: enforcing
 # This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
 rhel9cis_bootloader_password: password # pragma: allowlist secret
+# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
+rhel9cis_bootloader_salt: ''
+
 ## Control 1.4.1
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: true
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index 2252c26..ec95c16 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -13,7 +13,7 @@
 - NIST800-53R5_AC-3
 ansible.builtin.copy:
 dest: /boot/grub2/user.cfg
-content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash) }}" # noqa template-instead-of-copy
+content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
 owner: root
 group: root
 mode: 'go-rwx'
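Review bot: The comment on the new `rhel9cis_bootloader_salt` default does not say what an empty string means, and whether `grub_hash` then picks a random salt (hash changes on every run, so the stated idempotency goal is not met by default) or hashes with an empty salt (the PBKDF2 hash loses its salting) is not visible in this diff and should be stated. A fixed salt also makes the same password hash identically on every host the role manages, and a salt sitting in `defaults/main.yml` next to the password will end up in version control just like it, so the comment should tell operators to treat it like `rhel9cis_bootloader_password` (override per deployment, keep out of the repository, ideally vaulted). Suggested wording for the comment: `# Salt passed to grub_hash so the generated hash is stable across runs. Empty means the filter's default salt handling applies (confirm whether that is random). Override this per deployment alongside rhel9cis_bootloader_password and keep it out of version control.` The surrounding `## Control 1.4.1` stanza continues outside the hunk.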
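Review bot: The `content:` line now passes `salt=rhel9cis_bootloader_salt` unconditionally, so with the shipped default of `''` the task depends on how `grub_hash` handles an empty salt, which this change does not check; if the filter rejects or silently accepts an empty salt, every user who does not override the variable is affected. An explicit precondition would make the failure mode clear, for example an `ansible.builtin.assert` ahead of this task with `that: rhel9cis_bootloader_salt | length > 0` and a `fail_msg` explaining that the salt must be set for a stable hash, or alternatively only passing the salt when it is non-empty. The `default()` branch is skipped entirely when `rhel9cis_bootloader_password_hash` is set, so that path is unaffected. The enclosing task starts before this hunk.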