move sysctls to debian specific vars (#524)

* fix ansible-lint issue

ansible/ansible-lint#1795
Signed-off-by: rndmh3ro <[email protected]>

* move 2 sysctls to debian specific

Signed-off-by: rndmh3ro <[email protected]>

* fix ansible-lint issue

ansible/ansible-lint#1795
Signed-off-by: rndmh3ro <[email protected]>

* add arch linux sysctls

* simplify sysctl settings

Signed-off-by: rndmh3ro <[email protected]>

* ove overwrite to the bottom to let it acutally overwrite something

Signed-off-by: rndmh3ro <[email protected]>

* fix typo

Signed-off-by: rndmh3ro <[email protected]>

Author: rndmh3ro

.github/workflows/ansible-lint.yml

@@ -30,6 +30,8 @@ jobs:
         # override-deps: |
         #   ansible==2.9
         #   ansible-lint==4.2.0
+        override-deps: |
+           rich>=9.5.1,<11.0.0
         # [optional]
         # Arguments to be passed to the ansible-lint
 

roles/os_hardening/defaults/main.yml

@@ -69,7 +69,7 @@ sysctl_config:
   # filenames (generally seen as "/tmp file race" vulnerabilities).
   fs.protected_hardlinks: 1
   fs.protected_symlinks: 1
-  
+
   # For more info on the following settings see: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
   # Restrict FIFO special device creation behavior
   fs.protected_fifos: 1
@@ -288,14 +288,6 @@ sysctl_config:
   vm.mmap_rnd_bits: 32
   vm.mmap_rnd_compat_bits: 16
 
-  # Disable unprivileged users from loading eBPF programs into the kernel.
-  # One of mitigations against CVE-2021-33909. | Tail-2
-  kernel.unprivileged_bpf_disabled: 1
-
-  # Reduce attack surface by disabling unprivileged user namespaces.
-  # Mitigates CVE-2021-33909 and other exploits.
-  kernel.unprivileged_userns_clone: 0
-
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite:

roles/os_hardening/tasks/sysctl.yml

@@ -43,6 +43,17 @@
 
 - name: Change sysctls
   block:
+    - name: Create a combined sysctl-dict if os-dependent sysctls are defined
+      set_fact:
+        sysctl_config: '{{ sysctl_config | combine(sysctl_custom_config) }}'
+      when: sysctl_custom_config | default()
+
+    # sysctl_rhel_config is kept for backwards-compatibility. use sysctl_custom_config instead
+    - name: Create a combined sysctl-dict if os-dependent sysctls are defined
+      set_fact:
+        sysctl_config: '{{ sysctl_config | combine(sysctl_rhel_config) }}'
+      when: sysctl_rhel_config | default()
+
     - name: Create a combined sysctl-dict if overwrites are defined
       set_fact:
         sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
@@ -57,17 +68,6 @@
         reload: true
         ignoreerrors: true
       with_dict: '{{ sysctl_config }}'
-
-    - name: Change various sysctl-settings on Amazon Linux, look at the sysctl-vars file for documentation
-      sysctl:
-        name: '{{ item.key }}'
-        value: '{{ item.value }}'
-        state: present
-        reload: true
-        ignoreerrors: true
-      with_dict: '{{ sysctl_rhel_config }}'
-      when: ansible_facts.distribution == 'Amazon'
-
   when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
 
 - name: Apply ufw defaults

roles/os_hardening/vars/Amazon.yml

@@ -45,8 +45,4 @@ auditd_package: 'audit'
 # system accounts that do not get their login disabled and pasword changed
 os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
 
-sysctl_rhel_config:
-  # ExecShield protection against buffer overflows
-  kernel.exec-shield: 1
-
 hidepid_option: '2'  # allowed values: 0, 1, 2

roles/os_hardening/vars/Archlinux.yml

@@ -33,3 +33,9 @@ modprobe_package: 'kmod'
 auditd_package: 'audit'
 
 hidepid_option: '2'  # allowed values: 0, 1, 2
+
+sysctl_custom_config:
+  # Mitigation of vulnerability CVE-2021-33909
+  kernel.unprivileged_userns_clone: 0
+  # Mitigation of vulnerability CVE-2021-33910
+  kernel.unprivileged_bpf_disabled: 1

roles/os_hardening/vars/Debian.yml

@@ -43,3 +43,9 @@ tally2_path: '/usr/share/pam-configs/tally2'
 passwdqc_path: '/usr/share/pam-configs/passwdqc'
 
 hidepid_option: '2'  # allowed values: 0, 1, 2
+
+sysctl_custom_config:
+  # Mitigation of vulnerability CVE-2021-33909
+  kernel.unprivileged_userns_clone: 0
+  # Mitigation of vulnerability CVE-2021-33910
+  kernel.unprivileged_bpf_disabled: 1