ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 14:27:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

updated logic to allow manual hash to be added or filter

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2026-02-05 17:53:55 +00:00
parent f1786fe20f
commit 9b091984db
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
2 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
defaults/main.yml
View file

@ -569,6 +569,10 @@ rhel9cis_selinux_enforce: enforcing
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
rhel9cis_set_boot_pass: false
# Either set rhel9cis_bootloader_password_hash or rhel9cis_bootloader_password and rhel9cis_bootloader_salt
# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
# This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
rhel9cis_bootloader_password: 'password' # pragma: allowlist secret

2
tasks/main.yml
View file

@ -47,7 +47,7 @@
- rhel9cis_rule_1_4_1
tags: always
ansible.builtin.assert:
that: rhel9cis_bootloader_password != 'password' # pragma: allowlist secret
that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password variable has not been set correctly"
- name: "Check crypto-policy module input"