Grub passwd update

Changelog.md

@@ -18,6 +18,7 @@
 - README new layout
 
 - Added test for rule 4.3.4 check user is using sudo has password set before NOPASSWD removed from sudoers
+- grub password check update thanks to @Acenl12 on discord
 
 ## V1.0.1 - based upon CIS 1.1.0
 

defaults/main.yml

@@ -477,7 +477,10 @@ ubtu20cis_set_grub_password: true
 ubtu20cis_grub_user_file: /etc/grub.d/40_custom
 ubtu20cis_grub_user: root
 ubtu20cis_grub_file: /boot/grub/grub.cfg
-ubtu20cis_bootloader_password_hash: "grub.pbkdf2.sha512.10000"  # pragma: allowlist secret
+
+# This is used to set the password in grub the full string is required.
+# It is suggested that this variable is overridden by your setup e.g. inventory/ groupvars / vaults etc
+ubtu20cis_bootloader_password_hash: "grub.pbkdf2.sha512.10000.ChangeMe"  # pragma: allowlist secret
 
 # Change the following value to true if you wish to be prompted to get past grub bootloader
 ubtu20cis_ask_passwd_to_boot: false

tasks/main.yml

@@ -18,8 +18,8 @@
 - name: Ensure grub password has been changed
   ansible.builtin.assert:
       that:
-          - '"ChangeMe" not in ubtu20cis_grub_pw'
-          - '"grub.pbkdf2.sha512.1000" in ubtu20cis_grub_pw'
+          - '"ChangeMe" not in ubtu20cis_bootloader_password_hash'
+          - '"grub.pbkdf2.sha512.1000" in ubtu20cis_bootloader_password_hash'
       fail_msg: "The default grub password has not been changed"
   when:
       - ubtu20cis_set_grub_password

templates/ansible_vars_goss.yml.j2

@@ -373,7 +373,7 @@ ubtu20cis_allow_autofs: {{ ubtu20cis_allow_autofs }}
 ubtu20cis_grub_conf_file: /boot/grub/grub.cfg
 ubtu20cis_grub_user_file: {{ ubtu20cis_grub_user_file }}
 ubtu20cis_grub_username: {{ ubtu20cis_grub_user }}
-ubtu20cis_grub_hash: {{ ubtu20cis_grub_pw }}
+ubtu20cis_grub_hash: {{ ubtu20cis_bootloader_password_hash }}
 
 ubtu20cis_root_pw: {{ ubtu20cis_root_pw }}