ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-25 22:53:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge 59eca28b3c into 07885f99b4

Browse source
This commit is contained in:
Jeffrey van Pelt 2025-12-03 21:36:45 +01:00 committed by GitHub
commit be8200c228
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 82 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

6
tasks/main.yml
View file

@ -43,14 +43,14 @@
fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version"
- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
- name: "Check rhel9cis_bootloader_password variable has been changed"
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags: always
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
that: rhel9cis_bootloader_password != 'password' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password variable has not been set correctly"
- name: "Check crypto-policy module input"
when:

2
tasks/section_1/cis_1.4.x.yml
View file

@ -13,7 +13,7 @@
- NIST800-53R5_AC-3
ansible.builtin.copy:
dest: /boot/grub2/user.cfg
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
owner: root
group: root
mode: 'go-rwx'