mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2026-03-25 14:27:12 +00:00
Merge pull request #60 from ansible-lockdown/Feb26_updates
Enhance documents for password hash
This commit is contained in:
Frederick Witty
GitHub
commit
a6aa5895d5
2 changed files with 22 additions and 7 deletions
|
|
@ -569,15 +569,30 @@ rhel9cis_selinux_enforce: enforcing
|
|||
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
|
||||
rhel9cis_set_boot_pass: false
|
||||
|
||||
# Either set rhel9cis_bootloader_password_hash or rhel9cis_bootloader_password and rhel9cis_bootloader_salt
|
||||
# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring
|
||||
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
|
||||
################### bootloader password #####################################
|
||||
#
|
||||
# Two options for for setting the bootloader password
|
||||
#
|
||||
# Option 1: Set the bootloader password and salt – requires the passlib Python module
|
||||
# to be available on the Ansible controller.
|
||||
# Set this value to something secure to have predictable hashes,
|
||||
# which will prevent unnecessary changes.
|
||||
|
||||
rhel9cis_bootloader_salt: ''
|
||||
|
||||
# This variable stores the GRUB bootloader password to be written
|
||||
# to the '/boot/grub2/user.cfg' file. The default value must be changed.
|
||||
|
||||
# This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
|
||||
rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
|
||||
|
||||
# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
|
||||
rhel9cis_bootloader_salt: ''
|
||||
# Option 2: Set the bootloader password hash – if the salt value is empty,
|
||||
# the password will be set using the variable below.
|
||||
# If you are not using the bootloader hash filter, you can set it here
|
||||
# in encrypted format, e.g. grub.pbkdf2.sha512.hashstring
|
||||
|
||||
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
|
||||
|
||||
####################################################
|
||||
|
||||
## Controls 1.6.x and Controls 5.1.x
|
||||
# This variable governs if current Ansible role should manage system-wide crypto policy.
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ rhel9cis_allowed_crypto_policies_modules:
|
|||
- 'NO-SSHWEAKMAC'
|
||||
- 'NO-WEAKMAC'
|
||||
|
||||
rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
|
||||
rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
|
||||
|
||||
# Used to control warning summary
|
||||
warn_control_list: ""
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue