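---
# Opt-in only: a GRUB superuser password blocks unattended menu edits; the
# default entry still boots.
#
# NOTE(review): whether the default entry boots without a prompt depends on the
# distribution's 10_linux emitting `--unrestricted` on its menu entries (the
# Fedora/RHEL packages do; upstream grub does not) — confirm on the Debian path.
# NOTE(review): the PBKDF2 hash is offline-crackable and is readable by anyone
# who can read 01_cis_password or the regenerated grub.cfg; verify the
# regenerated grub.cfg ends up root-only on the target.

- name: Assert a GRUB password hash is supplied
  when: cis_effective_rules.grub_password | default(false)
  ansible.builtin.assert:
    # default('') turns a missing param key into a clean assert failure instead of
    # an undefined-variable error on the `length` filter.
    # The format check rejects a plaintext password pasted where the
    # grub2-mkpasswd-pbkdf2 output belongs; without it the value would be written
    # verbatim into grub.cfg as if it were a hash.
    that:
      - cis_cfg.grub_password_hash | default('') | length > 0
      - cis_cfg.grub_password_hash | default('') is match('^grub\.pbkdf2\.sha512\.')
    fail_msg: >-
      system.features.cis.rules.grub_password is enabled but
      system.features.cis.params.grub_password_hash is empty or is not a
      grub.pbkdf2.sha512 hash. Generate one with grub2-mkpasswd-pbkdf2
      (grub-mkpasswd-pbkdf2 on Debian-family systems) and set it there.
    quiet: true

- name: Deploy the GRUB superuser password
  when: cis_effective_rules.grub_password | default(false)
  ansible.builtin.copy:
    # Staged into the chroot mounted at /mnt. The 01_ prefix orders the script
    # after 00_header and before 10_linux, so superusers is set before any
    # menuentry is emitted. grub-mkconfig executes the script as root; 0755
    # matches the other /etc/grub.d scripts.
    dest: /mnt/etc/grub.d/01_cis_password
    mode: "0755"
    # The heredoc delimiter is quoted so the shell does not expand anything in
    # the body; Jinja has already substituted the hash before the file is written.
    content: |
      #!/bin/sh
      cat <<'EOF'
      set superusers="root"
      password_pbkdf2 root {{ cis_cfg.grub_password_hash }}
      EOF

- name: Regenerate the GRUB configuration
  when: cis_effective_rules.grub_password | default(false)
  # chroot_command is presumably a prefix such as `chroot /mnt` — confirm
  # against where it is defined.
  # NOTE(review): the RHEL branch assumes /boot/grub2/grub.cfg is the live
  # config; older UEFI layouts keep it under /boot/efi/EFI/redhat instead.
  ansible.builtin.command: >-
    {{ chroot_command }}
    {{ 'grub2-mkconfig -o /boot/grub2/grub.cfg' if is_rhel | bool else 'grub-mkconfig -o /boot/grub/grub.cfg' }}
  register: cis_grub_regen
  # grub-mkconfig always rewrites the file, so a successful run is reported as
  # changed; a non-zero rc fails the task via the module's default failed_when.
  changed_when: cis_grub_regen.rc == 0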