
added pragma allowed

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2023-09-21 15:36:05 +01:00
parent 580ee762ee
commit 11071a66ab
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
2 changed files with 5 additions and 5 deletions


@ -361,7 +361,7 @@ rhel9cis_allow_autofs: false
# DO NOT USE PLAIN TEXT PASSWORDS!!!!! # DO NOT USE PLAIN TEXT PASSWORDS!!!!!
# The intent here is to use a password utility like Ansible Vault here # The intent here is to use a password utility like Ansible Vault here
rhel9cis_rh_sub_user: user rhel9cis_rh_sub_user: user
rhel9cis_rh_sub_password: password rhel9cis_rh_sub_password: password # pragma: allowlist secret
# 1.2.2 # 1.2.2
# Do you require rhnsd # Do you require rhnsd
@ -373,8 +373,8 @@ rhel9cis_rhel_default_repo: true
rhel9cis_rule_enable_repogpg: true rhel9cis_rule_enable_repogpg: true
# 1.4.1 Bootloader password # 1.4.1 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret
rhel9cis_bootloader_password: random rhel9cis_bootloader_password: random # pragma: allowlist secret
rhel9cis_set_boot_pass: true rhel9cis_set_boot_pass: true
# 1.8 Gnome Desktop # 1.8 Gnome Desktop
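Review bot: The default on the `rhel9cis_bootloader_password_hash` line is a complete PBKDF2 hash published with the role, and allowlisting it removes the scanner finding that would otherwise flag a usable credential shipped as a default. With `rhel9cis_set_boot_pass: true` two lines below, and the assert in the second file (hunk at 107) rejecting only the literal `'grub.pbkdf2.sha512.changethispassword'`, a run with untouched defaults would presumably pass that check and install this shared hash. Shipping the placeholder instead, `rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret`, would make the assert fail until the operator supplies their own hash from Ansible Vault. How `rhel9cis_bootloader_password: random` is consumed is not visible here, so whether it needs the same treatment should be checked.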


@ -35,7 +35,7 @@
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
vars: vars:
sudo_password_rule: rhel9cis_rule_5_3_4 sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret
when: when:
- rhel9cis_rule_5_3_4 - rhel9cis_rule_5_3_4
- ansible_env.SUDO_USER is defined - ansible_env.SUDO_USER is defined
@ -107,7 +107,7 @@
- name: Check rhel9cis_bootloader_password_hash variable has been changed - name: Check rhel9cis_bootloader_password_hash variable has been changed
ansible.builtin.assert: ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
when: when:
- rhel9cis_set_boot_pass - rhel9cis_set_boot_pass
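Review bot: The pragma on `sudo_password_rule: rhel9cis_rule_5_3_4` suppresses a finding on a value that is a rule toggle name, not a credential, and nothing on the line says so. A short comment above it, such as `# scanner false positive: value is a rule name, not a secret`, would let a later reviewer tell this suppression apart from the ones covering real credential fields. The same holds for the pragma on the `that:` line of the bootloader hash check, where the flagged string is the placeholder being compared against. The first task begins outside its hunk.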