change inclusion of os specific defaults

molecule/os_hardening/verify.yml

@@ -56,3 +56,17 @@
       fail:
         msg: "Inspec failed to validate"
       when: test_results.rc != 0
+
+    # test if variable can be overridden
+    - name: workaround for https://github.com/ansible/ansible/issues/66304
+      set_fact:
+        ansible_virtualization_type: "docker"
+        os_env_umask: "027 #override"
+
+    - include_role:
+        name: os_hardening
+
+    - name: verify os_env_umask
+      shell:
+        cmd: "grep '027 #override' /etc/login.defs"
+      changed_when: false

molecule/ssh_hardening/molecule.yml

@@ -63,4 +63,3 @@ scenario:
     - idempotence
     - verify
     - destroy
-

roles/mysql_hardening/tasks/main.yml

@@ -1,13 +1,26 @@
 ---
-- name: set OS dependent variables
-  include_vars: '{{ item }}'
+- name: Fetch OS dependent variables
+  include_vars:
+    file: '{{ item }}'
+    name: 'os_vars'
   with_first_found:
-    - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
-    - '{{ ansible_facts.distribution }}.yml'
-    - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
-    - '{{ ansible_facts.os_family }}.yml'
+    - files:
+        - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.distribution }}.yml'
+        - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}.yml'
+      skip: true
   tags: always
 
+# we only override variables with our default if they have not been specified already.
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact maches.
+- name: Set OS dependent variables, if not already defined by user
+  set_fact:
+    '{{ item.key }}': '{{ item.value }}'
+  when: "not lookup('varnames', '^' + item.key + '$')"
+  with_dict: '{{ os_vars }}'
+
 - include: configure.yml
   when: mysql_hardening_enabled | bool
   tags:

roles/mysql_hardening/tasks/mysql_secure_installation.yml

@@ -43,4 +43,4 @@
     query:
       - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
-  when: mysql_remove_remote_root
+  when: mysql_remove_remote_root

roles/os_hardening/defaults/main.yml

@@ -271,9 +271,6 @@ os_filesystem_whitelist: []
 # the Ansible role dependency mechanism.
 os_hardening_enabled: true
 
-# Set the umask you want to apply, or leave empty to use the defaults.
-os_env_umask: ''
-
 # Set to false to disable installing and configuring auditd.
 os_auditd_enabled: true
 os_auditd_max_log_file_action: keep_logs

roles/os_hardening/tasks/hardening.yml

@@ -1,18 +1,26 @@
 ---
-- name: Set OS family dependent variables
-  include_vars: '{{ ansible_facts.os_family }}.yml'
-  tags: always
-
-- name: Set OS dependent variables
-  include_vars: '{{ item }}'
+- name: Fetch OS dependent variables
+  include_vars:
+    file: '{{ item }}'
+    name: 'os_vars'
   with_first_found:
     - files:
-        - '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
         - '{{ ansible_facts.distribution }}.yml'
-        - '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}.yml'
       skip: true
   tags: always
 
+# we only override variables with our default, if they have not been specified already
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact maches
+- name: Set OS dependent variables, if not already defined by user
+  set_fact:
+    '{{ item.key }}': '{{ item.value }}'
+  when: "not lookup('varnames', '^' + item.key + '$')"
+  with_dict: '{{ os_vars }}'
+
 - import_tasks: auditd.yml
   tags: auditd
   when: os_auditd_enabled | bool

roles/os_hardening/templates/etc/login.defs.j2

@@ -92,7 +92,7 @@ KILLCHAR          025
 # Prefix these values with `0` to get octal, `0x` to get hexadecimal.
 # `022` is the "historical" value in Debian for UMASK
 # `027`, or even `077`, could be considered better for privacy.
-UMASK             {{ os_env_umask | default(os_env_umask_default, true) }}
+UMASK             {{ os_env_umask }}
 
 # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
 # If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.

roles/os_hardening/vars/Amazon.yml

@@ -1,4 +1,39 @@
 ---
+
+os_packages_pam_ccreds: 'pam_ccreds'
+os_packages_pam_passwdqc: 'pam_passwdqc'
+os_packages_pam_cracklib: 'pam_cracklib'
+os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: '0000'
+
+os_passwd_perms:
+  owner: root
+  group: root
+  mode: '0644'
+
+os_env_umask: '077'
+
+os_auth_uid_min: 1000
+os_auth_gid_min: 1000
+os_auth_sys_uid_min: 201
+os_auth_sys_uid_max: 999
+os_auth_sys_gid_min: 201
+os_auth_sys_gid_max: 999
+
+# defaults for useradd
+os_useradd_mail_dir: /var/spool/mail
+os_useradd_create_home: true
+
+modprobe_package: 'module-init-tools'
+auditd_package: 'audit'
+
 # system accounts that do not get their login disabled and pasword changed
 os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
 

roles/os_hardening/vars/Archlinux.yml

@@ -12,7 +12,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '027'
+os_env_umask: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Debian.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '027'
+os_env_umask: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Fedora.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '027'
+os_env_umask: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000
@@ -27,5 +27,9 @@ os_auth_sys_uid_max: 999
 os_auth_sys_gid_min: 201
 os_auth_sys_gid_max: 999
 
+# defaults for useradd
+os_useradd_mail_dir: /var/spool/mail
+os_useradd_create_home: true
+
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'

roles/os_hardening/vars/RedHat.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '077'
+os_env_umask: '077'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Suse.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '027'
+os_env_umask: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/ssh_hardening/defaults/main.yml

@@ -75,9 +75,6 @@ ssh_allow_agent_forwarding: false   # sshd
 # false to disable X11 Forwarding. Set to true to allow X11 Forwarding.
 ssh_x11_forwarding: false   # sshd
 
-# true if SSH has PAM support
-ssh_pam_support: true
-
 # false to disable pam authentication.
 ssh_use_pam: true                   # sshd
 
@@ -87,9 +84,6 @@ sshd_authenticationmethods: 'publickey'
 # true if SSH support GSSAPI
 ssh_gssapi_support: false
 
-# true if SSH support Kerberos
-ssh_kerberos_support: true
-
 # if specified, login is disallowed for user names that match one of the patterns.
 ssh_deny_users: ''                  # sshd
 
@@ -188,62 +182,9 @@ ssh_macs: []
 ssh_ciphers: []
 ssh_kex: []
 
-ssh_macs_53_default:
-  - hmac-ripemd160
-  - hmac-sha1
-
-ssh_macs_53_el_6_5_default:
-  - hmac-sha2-512
-  - hmac-sha2-256
-
-ssh_macs_59_default:
-  - hmac-sha2-512
-  - hmac-sha2-256
-  - hmac-ripemd160
-
-ssh_macs_66_default:
-  - hmac-sha2-512-etm@openssh.com
-  - hmac-sha2-256-etm@openssh.com
-  - umac-128-etm@openssh.com
-  - hmac-sha2-512
-  - hmac-sha2-256
-
-ssh_macs_76_default:
-  - hmac-sha2-512-etm@openssh.com
-  - hmac-sha2-256-etm@openssh.com
-  - umac-128-etm@openssh.com
-  - hmac-sha2-512
-  - hmac-sha2-256
-
-ssh_ciphers_53_default:
-  - aes256-ctr
-  - aes192-ctr
-  - aes128-ctr
-
-ssh_ciphers_66_default:
-  - chacha20-poly1305@openssh.com
-  - aes256-gcm@openssh.com
-  - aes128-gcm@openssh.com
-  - aes256-ctr
-  - aes192-ctr
-  - aes128-ctr
-
-ssh_kex_59_default:
-  - diffie-hellman-group-exchange-sha256
-
-ssh_kex_66_default:
-  - curve25519-sha256@libssh.org
-  - diffie-hellman-group-exchange-sha256
-
-ssh_kex_80_default:
-  - sntrup4591761x25519-sha512@tinyssh.org
-  - curve25519-sha256@libssh.org
-  - diffie-hellman-group-exchange-sha256
-
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'
 
-sshd_moduli_file: '/etc/ssh/moduli'
 sshd_moduli_minimum: 2048
 
 # disable ChallengeResponseAuthentication
@@ -267,7 +208,3 @@ sshd_syslog_facility: 'AUTH'
 sshd_log_level: 'VERBOSE'
 
 sshd_strict_modes: true
-
-# disable CRYPTO_POLICY to take settings from sshd configuration
-# see: https://access.redhat.com/solutions/4410591
-sshd_disable_crypto_policy: true

roles/ssh_hardening/tasks/hardening.yml

@@ -1,11 +1,25 @@
 ---
-- name: set OS dependent variables
-  include_vars: '{{ item }}'
+- name: Fetch OS dependent variables
+  include_vars:
+    file: '{{ item }}'
+    name: 'os_vars'
   with_first_found:
-    - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
-    - '{{ ansible_facts.distribution }}.yml'
-    - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
-    - '{{ ansible_facts.os_family }}.yml'
+    - files:
+        - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.distribution }}.yml'
+        - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}.yml'
+      skip: true
+  tags: always
+
+# we only override variables with our default, if they have not been specified already
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact maches
+- name: Set OS dependent variables, if not already defined by user
+  set_fact:
+    '{{ item.key }}': '{{ item.value }}'
+  when: "not lookup('varnames', '^' + item.key + '$')"
+  with_dict: '{{ os_vars }}'
 
 - name: get openssh-version
   command: ssh -V

roles/ssh_hardening/vars/Archlinux.yml

@@ -5,6 +5,14 @@ sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
 
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: '/etc/ssh/moduli'
+
 # CRYPTO_POLICY is not supported on Archlinux
 # and the package check only works in Ansible >2.10
 sshd_disable_crypto_policy: false