From e30ab5ccc89533db7b99cdd239e028f02a2a3517 Mon Sep 17 00:00:00 2001
From: rndmh3ro
Date: Fri, 18 Feb 2022 10:08:47 +0100
Subject: [PATCH 1/7] fix ansible-lint issue https://github.com/ansible-community/ansible-lint/issues/1795
Signed-off-by: rndmh3ro
---
 .github/workflows/ansible-lint.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
index cd76a3843..97f706e22 100644
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -30,6 +30,10 @@ jobs:
 # override-deps: |
 # ansible==2.9
 # ansible-lint==4.2.0
+ override-deps: |
+ ansible==2.10.7
+ ansible-base==2.10.5
+ ansible-lint==5.3.2
 # [optional]
 # Arguments to be passed to the ansible-lint
From 2a6f372a6d1854f04acf3c42aa56b7a7e21970d3 Mon Sep 17 00:00:00 2001
From: rndmh3ro
Date: Fri, 18 Feb 2022 10:21:45 +0100
Subject: [PATCH 2/7] move 2 sysctls to debian specific
Signed-off-by: rndmh3ro
---
 roles/os_hardening/defaults/main.yml | 10 +---------
 roles/os_hardening/tasks/sysctl.yml | 10 ++++++++++
 roles/os_hardening/vars/Debian.yml | 6 ++++++
 3 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 0a96c8a78..8919a2a22 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -69,7 +69,7 @@ sysctl_config:
 # filenames (generally seen as "/tmp file race" vulnerabilities).
 fs.protected_hardlinks: 1
 fs.protected_symlinks: 1
-
+ # For more info on the following settings see: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
 # Restrict FIFO special device creation behavior
 fs.protected_fifos: 1
@@ -288,14 +288,6 @@ sysctl_config:
 vm.mmap_rnd_bits: 32
 vm.mmap_rnd_compat_bits: 16
- # Disable unprivileged users from loading eBPF programs into the kernel.
- # One of mitigations against CVE-2021-33909. | Tail-2
- kernel.unprivileged_bpf_disabled: 1
-
- # Reduce attack surface by disabling unprivileged user namespaces.
- # Mitigates CVE-2021-33909 and other exploits.
- kernel.unprivileged_userns_clone: 0
-
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite:
diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
index 9919d5f32..bddc85fb2 100644
--- a/roles/os_hardening/tasks/sysctl.yml
+++ b/roles/os_hardening/tasks/sysctl.yml
@@ -68,6 +68,16 @@
 with_dict: '{{ sysctl_rhel_config }}'
 when: ansible_facts.distribution == 'Amazon'
+ - name: Change various sysctl-settings on Debian, look at the sysctl-vars file for documentation
+ sysctl:
+ name: '{{ item.key }}'
+ value: '{{ item.value }}'
+ state: present
+ reload: true
+ ignoreerrors: true
+ with_dict: '{{ sysctl_debian_config }}'
+ when: ansible_facts.os_family == 'Debian'
+
 when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
 - name: Apply ufw defaults
diff --git a/roles/os_hardening/vars/Debian.yml b/roles/os_hardening/vars/Debian.yml
index efb086087..d6dab6875 100644
--- a/roles/os_hardening/vars/Debian.yml
+++ b/roles/os_hardening/vars/Debian.yml
@@ -43,3 +43,9 @@ tally2_path: '/usr/share/pam-configs/tally2'
 passwdqc_path: '/usr/share/pam-configs/passwdqc'
 hidepid_option: '2' # allowed values: 0, 1, 2
+
+sysctl_debian_config:
+ # Mitigation of vulnerability CVE-2021-33909
+ kernel.unprivileged_userns_clone: 0
+ # Mitigation of vulnerability CVE-2021-33910
+ kernel.unprivileged_bpf_disabled: 1
From 0cff10b5540d581a642dc780f71ba94da09194b1 Mon Sep 17 00:00:00 2001
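Review bot: Deleting `kernel.unprivileged_bpf_disabled: 1` from the generic `sysctl_config` in defaults/main.yml drops that hardening on every OS family other than Debian and Arch, yet this sysctl is a mainline kernel knob; it is `kernel.unprivileged_userns_clone` that only exists on Debian/Arch-patched kernels and therefore belongs in a per-OS dict. Keeping `kernel.unprivileged_bpf_disabled: 1` in the defaults and moving only `kernel.unprivileged_userns_clone: 0` would preserve the previous coverage, and the `ignoreerrors: true` on the sysctl tasks (visible in the tasks/sysctl.yml hunk of this patch) already tolerated a missing key. If narrowing BPF hardening to Debian and Arch is intended, the commit message should say so, since it is a silent regression for RHEL-family hosts.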
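Review bot: The comment above `kernel.unprivileged_bpf_disabled: 1` in vars/Debian.yml cites CVE-2021-33910, which as far as I recall is the systemd stack-exhaustion issue from the same Qualys disclosure and not a BPF vulnerability; the comment this replaces in defaults/main.yml tied the same sysctl to CVE-2021-33909, so the two hunks now contradict each other. Either cite a BPF-related advisory or describe the control generically, e.g. `# Block unprivileged users from loading eBPF programs (reduces kernel attack surface)`. The identical comment pair is repeated in the vars/Archlinux.yml hunk of patch 4/7.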
From: rndmh3ro
Date: Fri, 18 Feb 2022 10:23:30 +0100
Subject: [PATCH 3/7] fix ansible-lint issue https://github.com/ansible-community/ansible-lint/issues/1795
Signed-off-by: rndmh3ro
---
 .github/workflows/ansible-lint.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
index 97f706e22..8b35d3dd7 100644
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -31,9 +31,7 @@ jobs:
 # ansible==2.9
 # ansible-lint==4.2.0
 override-deps: |
- ansible==2.10.7
- ansible-base==2.10.5
- ansible-lint==5.3.2
+ rich>=9.5.1,<11.0.0
 # [optional]
 # Arguments to be passed to the ansible-lint
From c295e4c25192e711a7ba6e9528638e372fe5b207 Mon Sep 17 00:00:00 2001
From: rndmh3ro
Date: Fri, 18 Feb 2022 10:51:45 +0100
Subject: [PATCH 4/7] add arch linux sysctls
---
 roles/os_hardening/tasks/sysctl.yml | 10 ++++++++++
 roles/os_hardening/vars/Archlinux.yml | 6 ++++++
 2 files changed, 16 insertions(+)
diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
index bddc85fb2..3bb0aa5dc 100644
--- a/roles/os_hardening/tasks/sysctl.yml
+++ b/roles/os_hardening/tasks/sysctl.yml
@@ -78,6 +78,16 @@
 with_dict: '{{ sysctl_debian_config }}'
 when: ansible_facts.os_family == 'Debian'
+ - name: Change various sysctl-settings on Arch Linux, look at the sysctl-vars file for documentation
+ sysctl:
+ name: '{{ item.key }}'
+ value: '{{ item.value }}'
+ state: present
+ reload: true
+ ignoreerrors: true
+ with_dict: '{{ sysctl_arch_config }}'
+ when: ansible_facts.os_family == 'Archlinux'
+
 when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
 - name: Apply ufw defaults
diff --git a/roles/os_hardening/vars/Archlinux.yml b/roles/os_hardening/vars/Archlinux.yml
index 275525461..401c4ccad 100644
--- a/roles/os_hardening/vars/Archlinux.yml
+++ b/roles/os_hardening/vars/Archlinux.yml
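Review bot: The new `rich>=9.5.1,<11.0.0` line pins a transitive dependency of ansible-lint with no hint of why, so the next maintainer cannot tell when it is safe to drop; the reason lives only in the commit subject. A YAML comment directly above the key, `# pin rich to work around ansible-community/ansible-lint issue 1795; drop once fixed upstream`, keeps the rationale next to the pin. Put it outside the `|` block scalar, since everything inside that scalar is the dependency list handed to the installer.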
@@ -33,3 +33,9 @@ modprobe_package: 'kmod'
 auditd_package: 'audit'
 hidepid_option: '2' # allowed values: 0, 1, 2
+
+sysctl_arch_config:
+ # Mitigation of vulnerability CVE-2021-33909
+ kernel.unprivileged_userns_clone: 0
+ # Mitigation of vulnerability CVE-2021-33910
+ kernel.unprivileged_bpf_disabled: 1
From 4f43e3f699aaaa5cfdd37f3a3ce5a88a52f9592e Mon Sep 17 00:00:00 2001
From: rndmh3ro
Date: Fri, 18 Feb 2022 14:24:02 +0100
Subject: [PATCH 5/7] simplify sysctl settings
Signed-off-by: rndmh3ro
---
 roles/os_hardening/tasks/sysctl.yml | 42 +++++++--------------------
 roles/os_hardening/vars/Amazon.yml | 4 ---
 roles/os_hardening/vars/Archlinux.yml | 2 +-
 roles/os_hardening/vars/Debian.yml | 2 +-
 4 files changed, 13 insertions(+), 37 deletions(-)
diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
index 3bb0aa5dc..d6f7dbc96 100644
--- a/roles/os_hardening/tasks/sysctl.yml
+++ b/roles/os_hardening/tasks/sysctl.yml
@@ -48,6 +48,17 @@
 sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
 when: sysctl_overwrite | default()
+ - name: Create a combined sysctl-dict if os-dependenct sysctls are defined
+ set_fact:
+ sysctl_config: '{{ sysctl_config | combine(sysctl_custom_config) }}'
+ when: sysctl_custom_config | default()
+
+ # sysctl_rhel_config is kept for backwards-compatibility. use sysctl_custom_config instead
+ - name: Create a combined sysctl-dict if os-dependent are defined
+ set_fact:
+ sysctl_config: '{{ sysctl_config | combine(sysctl_rhel_config) }}'
+ when: sysctl_rhel_config | default()
+
 - name: Change various sysctl-settings, look at the sysctl-vars file for documentation
 sysctl:
 name: '{{ item.key }}'
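Review bot: The comment on the second added `set_fact` tells users to set `sysctl_custom_config` instead of `sysctl_rhel_config`, but the same series makes the role's own vars/Debian.yml and vars/Archlinux.yml define `sysctl_custom_config`; if those files are loaded with include_vars (not visible in this hunk), they take precedence over inventory and play vars, so a caller-supplied `sysctl_custom_config` would be silently replaced on Debian and Arch hosts rather than merged with the role's values. Keeping the role-internal per-OS dict under a name callers are not expected to set, and reserving `sysctl_custom_config` for callers, avoids that; failing that, the comment should state that `sysctl_custom_config` is role-internal and that `sysctl_overwrite` is the supported user hook. The enclosing `block:` starts before this hunk.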
@@ -57,37 +68,6 @@
 reload: true
 ignoreerrors: true
 with_dict: '{{ sysctl_config }}'
-
- - name: Change various sysctl-settings on Amazon Linux, look at the sysctl-vars file for documentation
- sysctl:
- name: '{{ item.key }}'
- value: '{{ item.value }}'
- state: present
- reload: true
- ignoreerrors: true
- with_dict: '{{ sysctl_rhel_config }}'
- when: ansible_facts.distribution == 'Amazon'
-
- - name: Change various sysctl-settings on Debian, look at the sysctl-vars file for documentation
- sysctl:
- name: '{{ item.key }}'
- value: '{{ item.value }}'
- state: present
- reload: true
- ignoreerrors: true
- with_dict: '{{ sysctl_debian_config }}'
- when: ansible_facts.os_family == 'Debian'
-
- - name: Change various sysctl-settings on Arch Linux, look at the sysctl-vars file for documentation
- sysctl:
- name: '{{ item.key }}'
- value: '{{ item.value }}'
- state: present
- reload: true
- ignoreerrors: true
- with_dict: '{{ sysctl_arch_config }}'
- when: ansible_facts.os_family == 'Archlinux'
-
 when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
 - name: Apply ufw defaults
diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml
index 9ac48c2b3..044c21231 100644
--- a/roles/os_hardening/vars/Amazon.yml
+++ b/roles/os_hardening/vars/Amazon.yml
@@ -45,8 +45,4 @@ auditd_package: 'audit'
 # system accounts that do not get their login disabled and pasword changed
 os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
-sysctl_rhel_config:
- # ExecShield protection against buffer overflows
- kernel.exec-shield: 1
-
 hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/Archlinux.yml b/roles/os_hardening/vars/Archlinux.yml
index 401c4ccad..0c9f29c11 100644
--- a/roles/os_hardening/vars/Archlinux.yml
+++ b/roles/os_hardening/vars/Archlinux.yml
@@ -34,7 +34,7 @@ auditd_package: 'audit'
 hidepid_option: '2' # allowed values: 0, 1, 2
-sysctl_arch_config:
+sysctl_custom_config:
 # Mitigation of vulnerability CVE-2021-33909
 kernel.unprivileged_userns_clone: 0
 # Mitigation of vulnerability CVE-2021-33910
diff --git a/roles/os_hardening/vars/Debian.yml b/roles/os_hardening/vars/Debian.yml
index d6dab6875..07a1b5ac3 100644
--- a/roles/os_hardening/vars/Debian.yml
+++ b/roles/os_hardening/vars/Debian.yml
@@ -44,7 +44,7 @@ passwdqc_path: '/usr/share/pam-configs/passwdqc'
 hidepid_option: '2' # allowed values: 0, 1, 2
-sysctl_debian_config:
+sysctl_custom_config:
 # Mitigation of vulnerability CVE-2021-33909
 kernel.unprivileged_userns_clone: 0
 # Mitigation of vulnerability CVE-2021-33910
From f61aa9d804d8a4eb810b6c846c4a628381915372 Mon Sep 17 00:00:00 2001
From: rndmh3ro
Date: Fri, 18 Feb 2022 15:26:58 +0100
Subject: [PATCH 6/7] ove overwrite to the bottom to let it acutally overwrite something
Signed-off-by: rndmh3ro
---
 roles/os_hardening/tasks/sysctl.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
index d6f7dbc96..b580e3d0f 100644
--- a/roles/os_hardening/tasks/sysctl.yml
+++ b/roles/os_hardening/tasks/sysctl.yml
@@ -43,11 +43,6 @@
 - name: Change sysctls
 block:
- - name: Create a combined sysctl-dict if overwrites are defined
- set_fact:
- sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
- when: sysctl_overwrite | default()
-
 - name: Create a combined sysctl-dict if os-dependenct sysctls are defined
 set_fact:
 sysctl_config: '{{ sysctl_config | combine(sysctl_custom_config) }}'
@@ -59,6 +54,11 @@
 sysctl_config: '{{ sysctl_config | combine(sysctl_rhel_config) }}'
 when: sysctl_rhel_config | default()
+ - name: Create a combined sysctl-dict if overwrites are defined
+ set_fact:
+ sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
+ when: sysctl_overwrite | default()
+
 - name: Change various sysctl-settings, look at the sysctl-vars file for documentation
 sysctl:
 name: '{{ item.key }}'
From a2b6a1f59339e8d2e9de8937de087aaf395cb111 Mon Sep 17 00:00:00 2001
From: rndmh3ro
Date: Fri, 18 Feb 2022 15:29:29 +0100
Subject: [PATCH 7/7] fix typo
Signed-off-by: rndmh3ro
---
 roles/os_hardening/tasks/sysctl.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
index b580e3d0f..b0d673a2a 100644
--- a/roles/os_hardening/tasks/sysctl.yml
+++ b/roles/os_hardening/tasks/sysctl.yml
@@ -43,13 +43,13 @@
 - name: Change sysctls
 block:
- - name: Create a combined sysctl-dict if os-dependenct sysctls are defined
+ - name: Create a combined sysctl-dict if os-dependent sysctls are defined
 set_fact:
 sysctl_config: '{{ sysctl_config | combine(sysctl_custom_config) }}'
 when: sysctl_custom_config | default()
 # sysctl_rhel_config is kept for backwards-compatibility. use sysctl_custom_config instead
- - name: Create a combined sysctl-dict if os-dependent are defined
+ - name: Create a combined sysctl-dict if os-dependent sysctls are defined
 set_fact:
 sysctl_config: '{{ sysctl_config | combine(sysctl_rhel_config) }}'
 when: sysctl_rhel_config | default()
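Review bot: The reason the `sysctl_overwrite` merge now sits last — `combine()` lets the right-hand dict win, so user overwrites must be applied after the OS-specific dicts — is recorded only in the commit subject, and nothing in the task itself stops someone reordering it again. A comment above the moved task, `# keep this merge last: later combine() calls win, so user overwrites must be applied after the OS-specific dicts`, would make the ordering constraint explicit. The enclosing `block:` starts before this hunk.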