Description
Full log:
fatal: [default]: FAILED! => {"msg": "The conditional check 'rhel10cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel10cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'' failed. The error was: error while evaluating conditional (rhel10cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel10cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'): 'rhel10cis_bootloader_password_hash' is undefined"}
You check the existence of the rhel10cis_bootloader_password variable, but the variable rhel10cis_bootloader_password_hash is not documented in defaults and no task generates its content before its first usage in the task
'- name: "Check rhel10cis_bootloader_password variable has been changed"'
Workaround:

```
python3 -c "import os,hashlib; p=b'PASSWORD'; s=os.urandom(16); i=10000; h=hashlib.pbkdf2_hmac('sha512',p,s,i); print(f'grub.pbkdf2.sha512.{i}.{s.hex().upper()}.{h.hex().upper()}')"
```

Set the rhel10cis_bootloader_password_hash variable when running the role, with the content from the command above.
I believe you missed a task to generate this hash based on rhel10cis_bootloader_password and set it as a fact in the rhel10cis_bootloader_password_hash variable.
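An added example, not part of the original issue and not the role's own code: a stricter check than the substring test in the failing conditional, which parses the value as `grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>` (the layout `grub2-mkpasswd-pbkdf2` emits) and confirms it matches the intended password before it is passed as `rhel10cis_bootloader_password_hash`. The function names and the sample password are hypothetical.

```python
import hashlib
import hmac
import os
import re

# Placeholder value named in the role's conditional; it must never be deployed.
PLACEHOLDER = "grub.pbkdf2.sha512.changethispassword"
_HASH_RE = re.compile(r"grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)")


def make_grub_hash(password, iterations=10000, salt=None):
    """Build a hash string with separate salt and digest fields."""
    salt = os.urandom(64) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


def parse_grub_hash(value):
    """Return (iterations, salt, digest) or raise ValueError if malformed."""
    if value == PLACEHOLDER:
        raise ValueError("placeholder hash has not been changed")
    match = _HASH_RE.fullmatch(value)
    if match is None:
        raise ValueError("expected grub.pbkdf2.sha512.<iterations>.<salt>.<hash>")
    iterations = int(match.group(1))
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    # bytes.fromhex raises ValueError on an odd number of hex digits.
    return iterations, bytes.fromhex(match.group(2)), bytes.fromhex(match.group(3))


def verify_grub_hash(value, password):
    """Recompute PBKDF2-HMAC-SHA512 and compare in constant time."""
    iterations, salt, digest = parse_grub_hash(value)
    candidate = hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    sample = make_grub_hash(b"constructed-sample-password")  # constructed input
    print(sample)
    print("matches:", verify_grub_hash(sample, b"constructed-sample-password"))
```
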