ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-26 07:03:07 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Added a filter plugin that will handle the GRUB password hashing for you

Browse source 
Signed-off-by: Jeffrey van Pelt <jeff@vanpelt.one>
This commit is contained in:
Jeffrey van Pelt 2025-06-04 17:59:22 +02:00
parent f70821bf7e
commit d08e7380d6
No known key found for this signature in database
GPG key ID: 39EFF6AA1F5B11A0
4 changed files with 79 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

6
tasks/main.yml
View file

@ -43,14 +43,14 @@
fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version"
- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
- name: "Check rhel9cis_bootloader_password variable has been changed"
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags: always
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
that: rhel9cis_bootloader_password != 'password' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password variable has not been set correctly"
- name: "Check crypto-policy module input"
when:

2
tasks/section_1/cis_1.4.x.yml
View file

@ -13,7 +13,7 @@
- NIST800-53R5_AC-3
ansible.builtin.copy:
dest: /boot/grub2/user.cfg
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash) }}" # noqa template-instead-of-copy
owner: root
group: root
mode: 'go-rwx'