From 591f0d90f4262cbc7e7bb0e55e41ed4271c1d640 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Feb 2026 12:49:05 +0000 Subject: [PATCH 1/2] Updated comments for password hash and variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 17 +++++++++++------ vars/main.yml | 2 +- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 931ea93..7d25795 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -569,15 +569,20 @@ rhel9cis_selinux_enforce: enforcing # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: false -# Either set rhel9cis_bootloader_password_hash or rhel9cis_bootloader_password and rhel9cis_bootloader_salt -# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring -rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret - +# 2 Options for setting the bootloader password +# 1. Set the bootloader password and salt - Reqiured the passlib python module available to the ansible controller +# or +# 2. Set the bootloader password hash +# +# Option 1: Set the bootloader password and salt - if salt is set, the password will be hashed using the salt +# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes +rhel9cis_bootloader_salt: '' # This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed. rhel9cis_bootloader_password: 'password' # pragma: allowlist secret -# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes -rhel9cis_bootloader_salt: '' +# Option 2: Set the bootloader password hash - if the salt value is empty, the password will be set using below variable +# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring +rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret ## Controls 1.6.x and Controls 5.1.x # This variable governs if current Ansible role should manage system-wide crypto policy. diff --git a/vars/main.yml b/vars/main.yml index dfff3c5..17fefbd 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -24,7 +24,7 @@ rhel9cis_allowed_crypto_policies_modules: - 'NO-SSHWEAKMAC' - 'NO-WEAKMAC' -rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy +rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy # Used to control warning summary warn_control_list: "" From 2863be6c02aedb4fc840ac5b0dcfcc2777bcc681 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Feb 2026 14:16:29 +0000 Subject: [PATCH 2/2] tidied up comments to make it simpler Signed-off-by: Mark Bolwell --- defaults/main.yml | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7d25795..0b29d9f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -569,21 +569,31 @@ rhel9cis_selinux_enforce: enforcing # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: false -# 2 Options for setting the bootloader password -# 1. Set the bootloader password and salt - Reqiured the passlib python module available to the ansible controller -# or -# 2. Set the bootloader password hash +################### bootloader password ##################################### # -# Option 1: Set the bootloader password and salt - if salt is set, the password will be hashed using the salt -# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes +# Two options for for setting the bootloader password +# +# Option 1: Set the bootloader password and salt – requires the passlib Python module +# to be available on the Ansible controller. +# Set this value to something secure to have predictable hashes, +# which will prevent unnecessary changes. + rhel9cis_bootloader_salt: '' -# This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed. + +# This variable stores the GRUB bootloader password to be written +# to the '/boot/grub2/user.cfg' file. The default value must be changed. + rhel9cis_bootloader_password: 'password' # pragma: allowlist secret -# Option 2: Set the bootloader password hash - if the salt value is empty, the password will be set using below variable -# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring +# Option 2: Set the bootloader password hash – if the salt value is empty, +# the password will be set using the variable below. +# If you are not using the bootloader hash filter, you can set it here +# in encrypted format, e.g. grub.pbkdf2.sha512.hashstring + rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret +#################################################### + ## Controls 1.6.x and Controls 5.1.x # This variable governs if current Ansible role should manage system-wide crypto policy. rhel9cis_crypto_policy_ansiblemanaged: true