move sysctls to debian specific vars (dev-sec#524)

* fix ansible-lint issue ansible/ansible-lint#1795 Signed-off-by: rndmh3ro <github@gumpri.ch> * move 2 sysctls to debian specific Signed-off-by: rndmh3ro <github@gumpri.ch> * fix ansible-lint issue ansible/ansible-lint#1795 Signed-off-by: rndmh3ro <github@gumpri.ch> * add arch linux sysctls * simplify sysctl settings Signed-off-by: rndmh3ro <github@gumpri.ch> * ove overwrite to the bottom to let it acutally overwrite something Signed-off-by: rndmh3ro <github@gumpri.ch> * fix typo Signed-off-by: rndmh3ro <github@gumpri.ch>
divialth · Feb 18, 2022 · 51b0625 · 51b0625
1 parent 1e8a644
commit 51b0625
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 24 deletions.
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
@@ -30,6 +30,8 @@ jobs:
         # override-deps: |
         #   ansible==2.9
         #   ansible-lint==4.2.0
+        override-deps: |
+           rich>=9.5.1,<11.0.0
         # [optional]
         # Arguments to be passed to the ansible-lint
 

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -69,7 +69,7 @@ sysctl_config:
   # filenames (generally seen as "/tmp file race" vulnerabilities).
   fs.protected_hardlinks: 1
   fs.protected_symlinks: 1
-  
+
   # For more info on the following settings see: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
   # Restrict FIFO special device creation behavior
   fs.protected_fifos: 1
@@ -288,14 +288,6 @@ sysctl_config:
   vm.mmap_rnd_bits: 32
   vm.mmap_rnd_compat_bits: 16
 
-  # Disable unprivileged users from loading eBPF programs into the kernel.
-  # One of mitigations against CVE-2021-33909. | Tail-2
-  kernel.unprivileged_bpf_disabled: 1
-
-  # Reduce attack surface by disabling unprivileged user namespaces.
-  # Mitigates CVE-2021-33909 and other exploits.
-  kernel.unprivileged_userns_clone: 0
-
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite:

diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
@@ -43,6 +43,17 @@
 
 - name: Change sysctls
   block:
+    - name: Create a combined sysctl-dict if os-dependent sysctls are defined
+      set_fact:
+        sysctl_config: '{{ sysctl_config | combine(sysctl_custom_config) }}'
+      when: sysctl_custom_config | default()
+
+    # sysctl_rhel_config is kept for backwards-compatibility. use sysctl_custom_config instead
+    - name: Create a combined sysctl-dict if os-dependent sysctls are defined
+      set_fact:
+        sysctl_config: '{{ sysctl_config | combine(sysctl_rhel_config) }}'
+      when: sysctl_rhel_config | default()
+
     - name: Create a combined sysctl-dict if overwrites are defined
       set_fact:
         sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
@@ -57,17 +68,6 @@
         reload: true
         ignoreerrors: true
       with_dict: '{{ sysctl_config }}'
-
-    - name: Change various sysctl-settings on Amazon Linux, look at the sysctl-vars file for documentation
-      sysctl:
-        name: '{{ item.key }}'
-        value: '{{ item.value }}'
-        state: present
-        reload: true
-        ignoreerrors: true
-      with_dict: '{{ sysctl_rhel_config }}'
-      when: ansible_facts.distribution == 'Amazon'
-
   when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
 
 - name: Apply ufw defaults

diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml
@@ -45,8 +45,4 @@ auditd_package: 'audit'
 # system accounts that do not get their login disabled and pasword changed
 os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
 
-sysctl_rhel_config:
-  # ExecShield protection against buffer overflows
-  kernel.exec-shield: 1
-
 hidepid_option: '2'  # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/Archlinux.yml b/roles/os_hardening/vars/Archlinux.yml
@@ -33,3 +33,9 @@ modprobe_package: 'kmod'
 auditd_package: 'audit'
 
 hidepid_option: '2'  # allowed values: 0, 1, 2
+
+sysctl_custom_config:
+  # Mitigation of vulnerability CVE-2021-33909
+  kernel.unprivileged_userns_clone: 0
+  # Mitigation of vulnerability CVE-2021-33910
+  kernel.unprivileged_bpf_disabled: 1
diff --git a/roles/os_hardening/vars/Debian.yml b/roles/os_hardening/vars/Debian.yml
@@ -43,3 +43,9 @@ tally2_path: '/usr/share/pam-configs/tally2'
 passwdqc_path: '/usr/share/pam-configs/passwdqc'
 
 hidepid_option: '2'  # allowed values: 0, 1, 2
+
+sysctl_custom_config:
+  # Mitigation of vulnerability CVE-2021-33909
+  kernel.unprivileged_userns_clone: 0
+  # Mitigation of vulnerability CVE-2021-33910
+  kernel.unprivileged_bpf_disabled: 1