incorporated PR 345 thanks to @thulium-drake

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2026-02-03 09:01:55 +00:00
parent c7567a98ac
commit 943b570484
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
4 changed files with 85 additions and 14 deletions


@ -565,15 +565,15 @@ rhel9cis_selinux_pol: targeted
# Even though logging still occurs.
rhel9cis_selinux_enforce: enforcing
## Control 1.4.1
# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
## Control 1.4.1
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
rhel9cis_set_boot_pass: true
rhel9cis_set_boot_pass: false
# This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
rhel9cis_bootloader_salt: ''
## Controls 1.6.x and Controls 5.1.x
# This variable governs if current Ansible role should manage system-wide crypto policy.