Updated bootloader password logic and enabled old methods without change

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 14:27:12 +00:00 · 2026-02-05 18:10:29 +00:00 · 2026-02-05 18:10:29 +00:00 · 9a3f458db0
commit 9a3f458db0
parent 9b091984db
2 changed files with 3 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -579,6 +579,8 @@ rhel9cis_bootloader_password: 'password'  # pragma: allowlist secret
 # Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
 rhel9cis_bootloader_salt: ''

+rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
+
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.
 rhel9cis_crypto_policy_ansiblemanaged: true
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -13,7 +13,7 @@
    - NIST800-53R5_AC-3
  ansible.builtin.copy:
    dest: /boot/grub2/user.cfg
-    content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
+    content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
    owner: root
    group: root
    mode: 'go-rwx'