feat(cis): add selectable profile and per-rule hardening toggles

roles/cis/tasks/grub_password.yml

@@ -0,0 +1,31 @@
+---
+# Opt-in only: a GRUB superuser password blocks unattended menu edits; the default entry still boots.
+- name: Assert a GRUB password hash is supplied
+  when: cis_effective_rules.grub_password | default(false)
+  ansible.builtin.assert:
+    that: cis_cfg.grub_password_hash | length > 0
+    fail_msg: >-
+      system.features.cis.rules.grub_password is enabled but
+      system.features.cis.params.grub_password_hash is empty. Generate one with
+      grub2-mkpasswd-pbkdf2 and set it there.
+    quiet: true
+
+- name: Deploy the GRUB superuser password
+  when: cis_effective_rules.grub_password | default(false)
+  ansible.builtin.copy:
+    dest: /mnt/etc/grub.d/01_cis_password
+    mode: "0755"
+    content: |
+      #!/bin/sh
+      cat <<'EOF'
+      set superusers="root"
+      password_pbkdf2 root {{ cis_cfg.grub_password_hash }}
+      EOF
+
+- name: Regenerate the GRUB configuration
+  when: cis_effective_rules.grub_password | default(false)
+  ansible.builtin.command: >-
+    {{ chroot_command }}
+    {{ 'grub2-mkconfig -o /boot/grub2/grub.cfg' if is_rhel | bool else 'grub-mkconfig -o /boot/grub/grub.cfg' }}
+  register: cis_grub_regen
+  changed_when: cis_grub_regen.rc == 0