
rework filesystem hardening

Open divialth opened this issue 3 years ago • 4 comments

  • removed a lot of duplicated code by using a loop
  • added new hardening options for /tmp
  • added new options "passno" and "dump" for every filesystem. Currently Ansible changed those values to 0 for every fs; the new default depends on fstype and can be overwritten in config
  • removed default fstype in config; the type will now be autodetected and can be overwritten in config
  • mount src setting is now optional; the source will now be autodetected and can be overwritten in config
  • it is now checked whether it is really a mount
  • changed fs reload to handler
  • removed check os_auditd_enabled on /var/log/audit

Notes:

  • The playbook will no longer fail if a folder does not exist
  • It will now skip mount points if they are not present on the target system. If you have many differently configured servers, this is very useful
  • The folders are still hardened regardless of whether *_enabled is used or not
  • Was there a reason why /var/log/audit was only hardened, when the os_auditd_enabled variable was set to true?

divialth avatar Aug 03 '22 09:08 divialth

I think this would supersede #523

divialth avatar Aug 03 '22 09:08 divialth

Yes, I was too slow :) Thanks! #523 is deprecated

lbayerlein avatar Aug 03 '22 12:08 lbayerlein


Hi @divialth,

Yes, there was a reason for me, because /var/log/audit only exists on RHEL derivatives. Debian-based systems do not have this folder. And some users do not want to harden /var/log/audit, so we set the default to false.

Would you prefer to query a fact for a specific operating system to set this to true?

lbayerlein avatar Aug 03 '22 12:08 lbayerlein


This should no longer be a problem. The first task in minimize_access_fs.yml only runs when it is a real mount point (or a whitelisted special device like /run, /dev...). The hardening of the permissions on the directory also now only runs if the directory already exists.

I also did not change any of the _enabled defaults. The only thing I removed was the boolean check for os_auditd_enabled.

divialth avatar Aug 03 '22 14:08 divialth
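The behaviour described in the PR description and in the reply above, written out as a small playbook. This is an added illustration, not the collection's own tasks: the `hardened_filesystems` variable, the `findmnt`-based detection and the per-fstype `passno` default are assumptions made here, not code from the project.

```yaml
- name: Harden selected filesystems (added example, not the collection's own tasks)
  hosts: all
  become: true
  vars:
    # Hypothetical variable; src, fstype, dump and passno are optional per entry.
    hardened_filesystems:
      - { path: /tmp, opts: "nodev,nosuid,noexec", mode: "1777" }
      - { path: /var/log/audit, opts: "nodev,nosuid,noexec", mode: "0750" }
      - { path: /home, opts: nodev, mode: "0755" }
  tasks:
    # findmnt -M only matches an exact mount point; rc != 0 means "not a mount".
    # ansible_facts.mounts omits tmpfs/devtmpfs, so facts alone cannot be used here.
    - name: Detect real mount points and their source/fstype
      ansible.builtin.command:
        argv: [findmnt, -n, -o, "SOURCE,FSTYPE", -M, "{{ item.path }}"]
      loop: "{{ hardened_filesystems }}"
      register: mnt
      changed_when: false
      failed_when: false

    - name: Apply mount options only where the path really is a mount point
      vars:
        fstype: "{{ item.item.fstype | default(item.stdout.split()[1]) }}"
      ansible.posix.mount:
        path: "{{ item.item.path }}"
        src: "{{ item.item.src | default(item.stdout.split()[0]) }}"
        fstype: "{{ fstype }}"
        opts: "{{ item.item.opts }}"
        dump: "{{ item.item.dump | default(0) }}"
        # fsck order: 0 for pseudo filesystems, 2 for ordinary local ones (root would be 1)
        passno: "{{ item.item.passno | default(0 if fstype in ['tmpfs', 'devtmpfs'] else 2) }}"
        state: mounted   # writes fstab and remounts so the new opts take effect
      loop: "{{ mnt.results }}"
      loop_control: { label: "{{ item.item.path }}" }
      when: item.rc == 0

    - name: Check whether each directory exists
      ansible.builtin.stat:
        path: "{{ item.path }}"
      loop: "{{ hardened_filesystems }}"
      register: dirs

    # Directory permissions are hardened whether or not the path is a mount,
    # but only when the directory is present, so hosts without it do not fail.
    - name: Restrict directory permissions only where the directory exists
      ansible.builtin.file:
        path: "{{ item.item.path }}"
        state: directory
        mode: "{{ item.item.mode }}"
      loop: "{{ dirs.results }}"
      loop_control: { label: "{{ item.item.path }}" }
      when: item.stat.exists
```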

I think this will work for us. A "go" on my side :+1:

lbayerlein avatar Aug 18 '22 08:08 lbayerlein

please consider my suggestions as nitpicking.

Aside from my comments I want to say I absolutely like what you did here!

I have implemented your other naming suggestions and also did a rebase to resolve the merge conflicts. The current failing CI checks seem to be unrelated. Please correct me if I am wrong.

divialth avatar Aug 20 '22 10:08 divialth