From 9a3f458db0283f729c754fcd185f6681c74b120d Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 5 Feb 2026 18:10:29 +0000
Subject: [PATCH] Updated bootloader password logic and enabled old methods without change
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 ++
 tasks/section_1/cis_1.4.x.yml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 931ea93..24ec0b6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -579,6 +579,8 @@ rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
 # Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
 rhel9cis_bootloader_salt: ''
+rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
+
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.
 rhel9cis_crypto_policy_ansiblemanaged: true
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index 1615066..4476d30 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -13,7 +13,7 @@
 - NIST800-53R5_AC-3
 ansible.builtin.copy:
 dest: /boot/grub2/user.cfg
- content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
+ content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
 owner: root
 group: root
 mode: 'go-rwx'
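Review bot: The salted branch of the new `rhel9_compiled_bootloader_password` default is missing its opening `{{` — what follows `%}` is `(rhel9cis_bootloader_password | grub_hash(...)) }}`, which Jinja treats as literal data (a stray `}}` outside an expression is not an error), so whenever `rhel9cis_bootloader_salt` is non-empty the variable renders to that literal text instead of a hash and the cis_1.4.x.yml hunk writes it into /boot/grub2/user.cfg, leaving GRUB without a usable password hash. The branch should read `{% if rhel9cis_bootloader_salt != '' %}{{ rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}`. The precedence also differs from the removed `default()` form: a non-empty salt now overrides an explicitly supplied `rhel9cis_bootloader_password_hash`, and the else branch references that variable unconditionally, which will presumably fail if a caller leaves it undefined — both are worth a comment above the variable, e.g. `# Salt set: hash is derived from rhel9cis_bootloader_password; salt empty: rhel9cis_bootloader_password_hash is used as-is and must be defined`.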
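Review bot: The copy on the new content line writes whatever `rhel9_compiled_bootloader_password` rendered to straight into /boot/grub2/user.cfg, with no check that the value is actually a GRUB PBKDF2 hash, so a mis-templated or empty default silently produces a user.cfg that does not protect the bootloader. An `ansible.builtin.assert` on the expected `grub.pbkdf2.sha512.` prefix (the format grub2-mkpasswd-pbkdf2 emits) placed before this task would turn that into a visible play failure rather than a quietly unprotected boot menu. The enclosing task's name, when and tags start above the hunk, so the assert belongs as a sibling task preceding it.
```yaml
- name: "1.4.x | PATCH | Ensure compiled bootloader password is a GRUB PBKDF2 hash"
  ansible.builtin.assert:
    that:
      - rhel9_compiled_bootloader_password is match('^grub\.pbkdf2\.sha512\.')
    fail_msg: "rhel9_compiled_bootloader_password did not render to a GRUB PBKDF2 hash; check rhel9cis_bootloader_password_hash and rhel9cis_bootloader_salt"
    quiet: true

# … unchanged: existing copy task (name/when/tags above the hunk, then ansible.builtin.copy) …
```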