change inclusion of os specific defaults (#353)

* change inclusion of os specific defaults

we now include the os specific options into a separate variable and
merge this with the default ansible namespace, when the corresponding
keys do not already exist (eg. are defined by default oder by user)

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* simplify check for os specific variables

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add test for variable override

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* move tests to verify stage

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct grep

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* linting

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix typo

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* Revert "Merge pull request #351 from sprat/fix-umask"

This reverts commit 9e8e0bc8fb, reversing
changes made to 98c7553016.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* move immutable ssh vars to internal vars

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* move vars to OS files

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* change default handling for all roles

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix issues

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* Update main.yml

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>

molecule/os_hardening/verify.yml

@@ -56,3 +56,17 @@
       fail:
         msg: "Inspec failed to validate"
       when: test_results.rc != 0
+
+    # test if variable can be overridden
+    - name: workaround for https://github.com/ansible/ansible/issues/66304
+      set_fact:
+        ansible_virtualization_type: "docker"
+        os_env_umask: "027 #override"
+
+    - include_role:
+        name: os_hardening
+
+    - name: verify os_env_umask
+      shell:
+        cmd: "grep '027 #override' /etc/login.defs"
+      changed_when: false

molecule/ssh_hardening/molecule.yml

@@ -63,4 +63,3 @@ scenario:
     - idempotence
     - verify
     - destroy
-

roles/mysql_hardening/tasks/main.yml

@@ -1,13 +1,26 @@
 ---
-- name: set OS dependent variables
-  include_vars: '{{ item }}'
+- name: Fetch OS dependent variables
+  include_vars:
+    file: '{{ item }}'
+    name: 'os_vars'
   with_first_found:
-    - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
-    - '{{ ansible_facts.distribution }}.yml'
-    - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
-    - '{{ ansible_facts.os_family }}.yml'
+    - files:
+        - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.distribution }}.yml'
+        - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}.yml'
+      skip: true
   tags: always
 
+# we only override variables with our default if they have not been specified already.
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact maches.
+- name: Set OS dependent variables, if not already defined by user
+  set_fact:
+    '{{ item.key }}': '{{ item.value }}'
+  when: "not lookup('varnames', '^' + item.key + '$')"
+  with_dict: '{{ os_vars }}'
+
 - include: configure.yml
   when: mysql_hardening_enabled | bool
   tags:

roles/mysql_hardening/tasks/mysql_secure_installation.yml

@@ -43,4 +43,4 @@
     query:
       - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
-  when: mysql_remove_remote_root
+  when: mysql_remove_remote_root

roles/os_hardening/defaults/main.yml

@@ -271,9 +271,6 @@ os_filesystem_whitelist: []
 # the Ansible role dependency mechanism.
 os_hardening_enabled: true
 
-# Set the umask you want to apply, or leave empty to use the defaults.
-os_env_umask: ''
-
 # Set to false to disable installing and configuring auditd.
 os_auditd_enabled: true
 os_auditd_max_log_file_action: keep_logs

roles/os_hardening/tasks/hardening.yml

@@ -1,18 +1,26 @@
 ---
-- name: Set OS family dependent variables
-  include_vars: '{{ ansible_facts.os_family }}.yml'
-  tags: always
-
-- name: Set OS dependent variables
-  include_vars: '{{ item }}'
+- name: Fetch OS dependent variables
+  include_vars:
+    file: '{{ item }}'
+    name: 'os_vars'
   with_first_found:
     - files:
-        - '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
         - '{{ ansible_facts.distribution }}.yml'
-        - '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}.yml'
       skip: true
   tags: always
 
+# we only override variables with our default, if they have not been specified already
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact maches
+- name: Set OS dependent variables, if not already defined by user
+  set_fact:
+    '{{ item.key }}': '{{ item.value }}'
+  when: "not lookup('varnames', '^' + item.key + '$')"
+  with_dict: '{{ os_vars }}'
+
 - import_tasks: auditd.yml
   tags: auditd
   when: os_auditd_enabled | bool

roles/os_hardening/templates/etc/login.defs.j2

@@ -92,7 +92,7 @@ KILLCHAR          025
 # Prefix these values with `0` to get octal, `0x` to get hexadecimal.
 # `022` is the "historical" value in Debian for UMASK
 # `027`, or even `077`, could be considered better for privacy.
-UMASK             {{ os_env_umask | default(os_env_umask_default, true) }}
+UMASK             {{ os_env_umask }}
 
 # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
 # If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.

roles/os_hardening/vars/Amazon.yml

@@ -1,4 +1,39 @@
 ---
+
+os_packages_pam_ccreds: 'pam_ccreds'
+os_packages_pam_passwdqc: 'pam_passwdqc'
+os_packages_pam_cracklib: 'pam_cracklib'
+os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: '0000'
+
+os_passwd_perms:
+  owner: root
+  group: root
+  mode: '0644'
+
+os_env_umask: '077'
+
+os_auth_uid_min: 1000
+os_auth_gid_min: 1000
+os_auth_sys_uid_min: 201
+os_auth_sys_uid_max: 999
+os_auth_sys_gid_min: 201
+os_auth_sys_gid_max: 999
+
+# defaults for useradd
+os_useradd_mail_dir: /var/spool/mail
+os_useradd_create_home: true
+
+modprobe_package: 'module-init-tools'
+auditd_package: 'audit'
+
 # system accounts that do not get their login disabled and pasword changed
 os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
 

roles/os_hardening/vars/Archlinux.yml

@@ -12,7 +12,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '027'
+os_env_umask: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Debian.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '027'
+os_env_umask: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Fedora.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '027'
+os_env_umask: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000
@@ -27,5 +27,9 @@ os_auth_sys_uid_max: 999
 os_auth_sys_gid_min: 201
 os_auth_sys_gid_max: 999
 
+# defaults for useradd
+os_useradd_mail_dir: /var/spool/mail
+os_useradd_create_home: true
+
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'

roles/os_hardening/vars/Oracle Linux.yml

@@ -1,28 +0,0 @@
----
-
-os_packages_pam_ccreds: 'pam_ccreds'
-os_packages_pam_passwdqc: 'pam_passwdqc'
-os_packages_pam_cracklib: 'pam_cracklib'
-os_nologin_shell_path: '/sbin/nologin'
-
-# Different distros use different standards for /etc/shadow perms, e.g.
-# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
-# You must provide key/value pairs for owner, group, and mode if overriding.
-os_shadow_perms:
-  owner: root
-  group: root
-  mode: '0000'
-
-os_passwd_perms:
-  owner: root
-  group: root
-  mode: '0644'
-
-os_env_umask_default: '077'
-
-os_auth_uid_min: 1000
-os_auth_gid_min: 1000
-os_auth_sys_uid_min: 201
-os_auth_sys_uid_max: 999
-os_auth_sys_gid_min: 201
-os_auth_sys_gid_max: 999

roles/os_hardening/vars/RedHat-6.yml

@@ -1,7 +0,0 @@
----
-
-sysctl_rhel_config:
-  # ExecShield protection against buffer overflows
-  kernel.exec-shield: 1
-  # Syncookies is used to prevent SYN-flooding attacks.
-  net.ipv4.tcp_syncookies: 1

roles/os_hardening/vars/RedHat.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '077'
+os_env_umask: '077'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Suse.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask_default: '027'
+os_env_umask: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/ssh_hardening/defaults/main.yml

@@ -79,9 +79,6 @@ ssh_allow_agent_forwarding: false   # sshd
 # false to disable X11 Forwarding. Set to true to allow X11 Forwarding.
 ssh_x11_forwarding: false   # sshd
 
-# true if SSH has PAM support
-ssh_pam_support: true
-
 # false to disable pam authentication.
 ssh_use_pam: true                   # sshd
 
@@ -91,9 +88,6 @@ sshd_authenticationmethods: 'publickey'
 # true if SSH support GSSAPI
 ssh_gssapi_support: false
 
-# true if SSH support Kerberos
-ssh_kerberos_support: true
-
 # if specified, login is disallowed for user names that match one of the patterns.
 ssh_deny_users: ''                  # sshd
 
@@ -192,62 +186,9 @@ ssh_macs: []
 ssh_ciphers: []
 ssh_kex: []
 
-ssh_macs_53_default:
-  - hmac-ripemd160
-  - hmac-sha1
-
-ssh_macs_53_el_6_5_default:
-  - hmac-sha2-512
-  - hmac-sha2-256
-
-ssh_macs_59_default:
-  - hmac-sha2-512
-  - hmac-sha2-256
-  - hmac-ripemd160
-
-ssh_macs_66_default:
-  - hmac-sha2-512-etm@openssh.com
-  - hmac-sha2-256-etm@openssh.com
-  - umac-128-etm@openssh.com
-  - hmac-sha2-512
-  - hmac-sha2-256
-
-ssh_macs_76_default:
-  - hmac-sha2-512-etm@openssh.com
-  - hmac-sha2-256-etm@openssh.com
-  - umac-128-etm@openssh.com
-  - hmac-sha2-512
-  - hmac-sha2-256
-
-ssh_ciphers_53_default:
-  - aes256-ctr
-  - aes192-ctr
-  - aes128-ctr
-
-ssh_ciphers_66_default:
-  - chacha20-poly1305@openssh.com
-  - aes256-gcm@openssh.com
-  - aes128-gcm@openssh.com
-  - aes256-ctr
-  - aes192-ctr
-  - aes128-ctr
-
-ssh_kex_59_default:
-  - diffie-hellman-group-exchange-sha256
-
-ssh_kex_66_default:
-  - curve25519-sha256@libssh.org
-  - diffie-hellman-group-exchange-sha256
-
-ssh_kex_80_default:
-  - sntrup4591761x25519-sha512@tinyssh.org
-  - curve25519-sha256@libssh.org
-  - diffie-hellman-group-exchange-sha256
-
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'
 
-sshd_moduli_file: '/etc/ssh/moduli'
 sshd_moduli_minimum: 2048
 
 # disable ChallengeResponseAuthentication
@@ -271,7 +212,3 @@ sshd_syslog_facility: 'AUTH'
 sshd_log_level: 'VERBOSE'
 
 sshd_strict_modes: true
-
-# disable CRYPTO_POLICY to take settings from sshd configuration
-# see: https://access.redhat.com/solutions/4410591
-sshd_disable_crypto_policy: true

roles/ssh_hardening/tasks/hardening.yml

@@ -1,11 +1,25 @@
 ---
-- name: set OS dependent variables
-  include_vars: '{{ item }}'
+- name: Fetch OS dependent variables
+  include_vars:
+    file: '{{ item }}'
+    name: 'os_vars'
   with_first_found:
-    - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
-    - '{{ ansible_facts.distribution }}.yml'
-    - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
-    - '{{ ansible_facts.os_family }}.yml'
+    - files:
+        - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.distribution }}.yml'
+        - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+        - '{{ ansible_facts.os_family }}.yml'
+      skip: true
+  tags: always
+
+# we only override variables with our default, if they have not been specified already
+# by default the lookup functions finds all varnames containing the string, therefore
+# we add ^ and $ to denote start and end of string, so this returns only exact maches
+- name: Set OS dependent variables, if not already defined by user
+  set_fact:
+    '{{ item.key }}': '{{ item.value }}'
+  when: "not lookup('varnames', '^' + item.key + '$')"
+  with_dict: '{{ os_vars }}'
 
 - name: get openssh-version
   command: ssh -V

roles/ssh_hardening/vars/Archlinux.yml

@@ -5,6 +5,14 @@ sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
 
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: '/etc/ssh/moduli'
+
 # CRYPTO_POLICY is not supported on Archlinux
 # and the package check only works in Ansible >2.10
 sshd_disable_crypto_policy: false

roles/ssh_hardening/vars/Debian.yml

@@ -7,3 +7,13 @@ ssh_group: root
 ssh_selinux_packages:
   - policycoreutils-python
   - checkpolicy
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: '/etc/ssh/moduli'
+
+sshd_disable_crypto_policy: false

roles/ssh_hardening/vars/Fedora.yml

@@ -7,3 +7,15 @@ ssh_group: root
 ssh_selinux_packages:
   - python3-policycoreutils
   - checkpolicy
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: '/etc/ssh/moduli'
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true

roles/ssh_hardening/vars/FreeBSD.yml

@@ -4,3 +4,13 @@ ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: '/etc/ssh/moduli'
+
+sshd_disable_crypto_policy: false

roles/ssh_hardening/vars/OpenBSD.yml

@@ -5,7 +5,12 @@ sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
 
-ssh_gssapi_support: false
+# true if SSH support Kerberos
 ssh_kerberos_support: false
+
+# true if SSH has PAM support
 ssh_pam_support: false
+
 sshd_moduli_file: '/etc/moduli'
+
+sshd_disable_crypto_policy: false

roles/ssh_hardening/vars/Oracle Linux.yml

@@ -1,9 +0,0 @@
----
-sshd_path: /usr/sbin/sshd
-ssh_host_keys_dir: '/etc/ssh'
-sshd_service_name: sshd
-ssh_owner: root
-ssh_group: root
-ssh_selinux_packages:
-  - policycoreutils-python
-  - checkpolicy

roles/ssh_hardening/vars/RedHat.yml

@@ -7,3 +7,15 @@ ssh_group: root
 ssh_selinux_packages:
   - policycoreutils-python
   - checkpolicy
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: '/etc/ssh/moduli'
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true

roles/ssh_hardening/vars/RedHat_8.yml

@@ -7,3 +7,15 @@ ssh_group: root
 ssh_selinux_packages:
   - python3-policycoreutils
   - checkpolicy
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: '/etc/ssh/moduli'
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true

roles/ssh_hardening/vars/SmartOS.yml

@@ -5,4 +5,12 @@ sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root
 
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
 ssh_pam_support: false
+
+sshd_moduli_file: '/etc/ssh/moduli'
+
+sshd_disable_crypto_policy: false

roles/ssh_hardening/vars/Suse.yml

@@ -5,4 +5,12 @@ sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
 
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: '/etc/ssh/moduli'
+
 sshd_disable_crypto_policy: false

roles/ssh_hardening/vars/main.yml

@@ -0,0 +1,52 @@
+---
+ssh_macs_53_default:
+  - hmac-ripemd160
+  - hmac-sha1
+
+ssh_macs_53_el_6_5_default:
+  - hmac-sha2-512
+  - hmac-sha2-256
+
+ssh_macs_59_default:
+  - hmac-sha2-512
+  - hmac-sha2-256
+  - hmac-ripemd160
+
+ssh_macs_66_default:
+  - hmac-sha2-512-etm@openssh.com
+  - hmac-sha2-256-etm@openssh.com
+  - umac-128-etm@openssh.com
+  - hmac-sha2-512
+  - hmac-sha2-256
+
+ssh_macs_76_default:
+  - hmac-sha2-512-etm@openssh.com
+  - hmac-sha2-256-etm@openssh.com
+  - umac-128-etm@openssh.com
+  - hmac-sha2-512
+  - hmac-sha2-256
+
+ssh_ciphers_53_default:
+  - aes256-ctr
+  - aes192-ctr
+  - aes128-ctr
+
+ssh_ciphers_66_default:
+  - chacha20-poly1305@openssh.com
+  - aes256-gcm@openssh.com
+  - aes128-gcm@openssh.com
+  - aes256-ctr
+  - aes192-ctr
+  - aes128-ctr
+
+ssh_kex_59_default:
+  - diffie-hellman-group-exchange-sha256
+
+ssh_kex_66_default:
+  - curve25519-sha256@libssh.org
+  - diffie-hellman-group-exchange-sha256
+
+ssh_kex_80_default:
+  - sntrup4591761x25519-sha512@tinyssh.org
+  - curve25519-sha256@libssh.org
+  - diffie-hellman-group-exchange-sha256