bootloader updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_1/cis_1.4.x.yml

@@ -11,15 +11,27 @@
     - patch
     - rule_1.4.1
     - NIST800-53R5_AC-3
-  ansible.builtin.copy:
+  block:
-    dest: /boot/grub2/user.cfg
+    - name: "1.4.1 | PATCH | Ensure bootloader password is set | Set fact if using salt (no python passlib required)"
-    content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
+      when: rhel9cis_bootloader_salt | length == 0
-    owner: root
+      ansible.builtin.set_fact:
-    group: root
+        rhel9cis_compiled_bootloader_password: "{{ rhel9cis_bootloader_password_hash }}"
-    mode: 'go-rwx'
-  notify: Grub2cfg
 
-- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
+    - name: "1.4.1 | PATCH | Ensure bootloader password is set | Set fact if using salt (python passlib required)"
+      when: rhel9cis_bootloader_salt | length > 0
+      ansible.builtin.set_fact:
+        rhel9cis_compiled_bootloader_password: "{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
+
+    - name: "1.4.1 | PATCH | Ensure bootloader password is set"
+      ansible.builtin.copy:
+        dest: /boot/grub2/user.cfg
+        content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
+        owner: root
+        group: root
+        mode: 'go-rwx'
+      notify: Grub2cfg
+
+- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured"
   when: rhel9cis_rule_1_4_2
   tags:
     - level1-server
@@ -29,7 +41,7 @@
     - rule_1.4.2
     - NIST800-53R5_AC-3
   block:
-    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
+    - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | bios based system"
       when: rhel9cis_legacy_boot
       ansible.builtin.file:
         path: "/boot/grub2/{{ item.path }}"
@@ -44,7 +56,7 @@
         - { path: 'grubenv', mode: 'u-x,go-rwx' }
         - { path: 'user.cfg', mode: 'u-x,go-rwx' }
 
-    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
+    - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system"
       when: not rhel9cis_legacy_boot
       vars:
         efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0']
@@ -55,13 +67,13 @@
           check_mode: false
           register: discovered_efi_fstab
 
-        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
+        - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system | Build Options"
           when: item not in discovered_efi_fstab.stdout
           ansible.builtin.set_fact:
             efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}"
           loop: "{{ efi_mount_options }}"
 
-        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
+        - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | efi based system | Add mount options"
           when: efi_mount_opts_addition | length > 0
           ansible.builtin.lineinfile:
             path: /etc/fstab

vars/main.yml

@@ -1,6 +1,10 @@
 ---
+
 # vars file for RHEL9-CIS
 
+# Set default value for reboot value
+change_requires_reboot: false
+
 min_ansible_version: 2.10.1
 rhel9cis_allowed_crypto_policies:
   - 'DEFAULT'
@@ -24,8 +28,6 @@ rhel9cis_allowed_crypto_policies_modules:
   - 'NO-SSHWEAKMAC'
   - 'NO-WEAKMAC'
 
-rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
-
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0