Verified Commit 0b2f7759 authored by Maciej Delmanowski

Merge branch 'drybjed-role-proc_hidepid'

parents d62b5059 eb94a884
Pipeline #17270108 failed with stages in 4 minutes and 46 seconds
......@@ -947,6 +947,14 @@ stages:
JANE_DIFF_PATTERN: '.*/debops.preseed/.*'
JANE_LOG_PATTERN: '\[debops\.preseed\]'
'proc_hidepid role':
<<: *test_role_no_deps
variables:
JANE_TEST_PLAY: '${DEBOPS_PLAYBOOKS}/service/proc_hidepid.yml'
JANE_INVENTORY_GROUPS: 'debops_service_proc_hidepid'
JANE_DIFF_PATTERN: '.*/debops.proc_hidepid/.*'
JANE_LOG_PATTERN: '\[debops\.proc_hidepid\]'
# --- r --- [[[2
......
......@@ -40,6 +40,8 @@ Added
- :ref:`debops.machine`: manage the :file:`/etc/machine-info` file,
the :file:`/etc/issue` file and a dynamic MOTD.
- :ref:`debops.proc_hidepid`: configure the ``/proc`` ``hidepid=`` options.
- You can now :ref:`use Vagrant <quick_start__vagrant>` to create an Ansible
Controller based on Debian Stretch and use it to manage itself or other hosts
over the network.
......@@ -123,6 +125,10 @@ Removed
is now available in the :ref:`debops.machine` role. You will need to update
the Ansible inventory variables to reflect the changes.
- [debops.console] Management of the ``/proc`` ``hidepid=`` option has been
moved to a new role, :ref:`debops.proc_hidepid`. You will need to update the
Ansible inventory variables to reflect the changes.
debops v0.6.0 - 2017-10-21
--------------------------
......
......@@ -121,6 +121,9 @@
- role: debops.root_account
tags: [ 'role::root_account' ]
- role: debops.proc_hidepid
tags: [ 'role::proc_hidepid' ]
- role: debops.console
tags: [ 'role::console' ]
......
......@@ -17,7 +17,7 @@
- role: debops.tcpwrappers
tags: [ 'role::tcpwrappers' ]
tcpwrappers__dependent__allow:
tcpwrappers__dependent_allow:
- '{{ mariadb_server__tcpwrappers__dependent_allow }}'
- role: debops.mariadb_server
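Review bot: the rename from `tcpwrappers__dependent__allow` to `tcpwrappers__dependent_allow` is an unrelated fix bundled into the hidepid merge and deserves its own changelog entry: with the misspelled name (double underscore) the value would not have been picked up by `debops.tcpwrappers`, so the allow rule from `mariadb_server__tcpwrappers__dependent_allow` was presumably never applied on affected hosts.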
......
---
- name: Manage /proc hidepid= configuration
hosts: [ 'debops_all_hosts', 'debops_service_proc_hidepid' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: debops.proc_hidepid
tags: [ 'role::proc_hidepid' ]
......@@ -53,29 +53,6 @@ console_fsckfix: 'yes'
console_fsckfix_releases: [ 'wheezy', 'jessie', 'precise', 'trusty', 'xenial' ]
# ---- /proc & hidepid= options ----
# Mounting /proc with hidepid= allows you to hide process information of other
# users on unprivileged accounts. This functionality is only enabled on recent
# Linux kernels, and only on hardware hosts or KVM virtual machines. For LXC
# containers, have a look at the 'debops.lxc' role. For OpenVZ containers,
# AFAIK there's no way to enable it.
# Enable or disable hidepid= option in /proc. Disabling only stops Ansible
# from adding hidepid= automatically, you need to remove the /proc entry from
# /etc/fstab manually (and optionally remount command from /etc/rc.local)
# because if Ansible tries to do this using the 'mount' module, it will try to
# remove the /proc mount point as well. :-(
console_proc_hidepid: True
# What level of hidepid= to use (choices: 0, 1, 2)
console_proc_hidepid_level: '2'
# System group to set for /proc so that selected users can access it without
# restrictions; this is meant for monitoring services, etc.
console_proc_hidepid_group: 'procadmins'
# ---- /etc/hosts ----
# Add or remove entries in /etc/hosts
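Review bot: the caveat in the removed comment (disabling only stops Ansible from managing the option; the `/proc` entry in `/etc/fstab` and the remount command in `/etc/rc.local` have to be removed by hand, because the `mount` module would remove the `/proc` mount point as well) is not carried over to the new role, although it still applies: the new tasks only ever use `state: 'mounted'` and have no removal path. Consider preserving that note in the `proc_hidepid__enabled` description.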
......
......@@ -58,28 +58,6 @@
path: '{{ (console_preferred_editors | intersect(console_register_installed_editors.stdout_lines)) | first }}'
tags: [ 'role::console:editor' ]
# Enable hidepid= only on specific hosts
- include: proc_hidepid.yml
when: (ansible_local|d() and ((ansible_local.root|d() and 'ignore-cap12s' in ansible_local.root.flags) or
(ansible_local.cap12s|d() and (not ansible_local.cap12s.enabled | bool or
(ansible_local.cap12s.enabled | bool and 'cap_sys_admin' in ansible_local.cap12s.list)))))
- name: Make sure that Ansible fact directory exists
file:
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Install proc hidepid fact script
template:
src: 'etc/ansible/facts.d/proc.fact.j2'
dest: '/etc/ansible/facts.d/proc.fact'
owner: 'root'
group: 'root'
mode: '0755'
- name: Remove obsolet sysctl configuration file
file:
path: '/etc/sysctl.d/10-debops.console.conf'
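Review bot: dropping the "Install proc hidepid fact script" task leaves the old `/etc/ansible/facts.d/proc.fact` behind on hosts configured by earlier releases, where it keeps reporting under `ansible_local.proc` next to the new `ansible_local.proc_hidepid` fact. Add a cleanup task for it alongside the existing task that removes `/etc/sysctl.d/10-debops.console.conf`, e.g. `file: { path: '/etc/ansible/facts.d/proc.fact', state: 'absent' }`.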
......
debops.proc_hidepid - Configure /proc hidepid= options
Copyright (C) 2018 Maciej Delmanowski <[email protected]>
Copyright (C) 2018 DebOps https://debops.org/
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see https://www.gnu.org/licenses/.
---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# debops.proc_hidepid default variables
# =====================================
# .. envvar:: proc_hidepid__enabled [[[
#
# Enable or disable support for managing the ``/proc`` ``hidepid=`` option
# using Ansible.
proc_hidepid__enabled: '{{ True
if ((ansible_system_capabilities_enforced|bool and
"cap_sys_admin" in ansible_system_capabilities) or
not ansible_system_capabilities_enforced|bool)
else False }}'
# ]]]
# .. envvar:: proc_hidepid__level [[[
#
# Specify what level of protection for the ``/proc`` files to configure:
#
# - ``0``: no protection, files are world-readable
#
# - ``1``: the ``/proc`` contents are protected using UNIX permissions, file
# owners can access their own files
#
# - ``2``: the ``/proc`` contents are invisible to non-owners, only ``root``
# and users in the specific UNIX system group can see everything
#
proc_hidepid__level: '2'
# ]]]
# .. envvar:: proc_hidepid__group [[[
#
# Name of the UNIX system group which will have unrestricted access to the
# ``/proc`` filesystem.
proc_hidepid__group: 'procadmins'
# ]]]
# .. envvar:: proc_hidepid__gid [[[
#
# The GID used by the UNIX system group. If not specified, it will be selected
# automatically. It might be best not to change existing GID once set.
proc_hidepid__gid: ''
# ]]]
# ]]]
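Review bot: the `proc_hidepid__enabled` default replaces the removed include condition, which also honoured an `ignore-cap12s` flag in `ansible_local.root.flags` and the `cap12s` local facts; with the gathered `ansible_system_capabilities*` facts the only per-host override is now to set `proc_hidepid__enabled` directly in the inventory, which is fine but should be stated in the variable description. The removed note that `hidepid=` only works on hardware hosts and KVM guests, with LXC handled by `debops.lxc` and OpenVZ not supported, is also gone and is worth carrying over here, since the role now runs on `debops_all_hosts`.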
---
dependencies: []
galaxy_info:
author: 'Maciej Delmanowski'
description: 'Configure /proc hidepid= options'
company: 'DebOps'
license: 'GPL-3.0'
min_ansible_version: '2.4.0'
platforms:
- name: Ubuntu
versions:
- precise
- trusty
- xenial
- name: Debian
versions:
- wheezy
- jessie
- stretch
categories:
- system
- security
- hidepid
---
- name: Make sure that system group with access to /proc exists
- name: Ensure that UNIX system group with /proc access exists
group:
name: '{{ console_proc_hidepid_group }}'
system: True
name: '{{ proc_hidepid__group }}'
gid: '{{ proc_hidepid__gid if proc_hidepid__gid|d() else omit }}'
state: 'present'
when: console_proc_hidepid is defined and console_proc_hidepid
system: True
when: proc_hidepid__enabled|bool
- name: Configure /proc with hidepid= in /etc/fstab
- name: Configure /proc with hidepid= option in /etc/fstab
mount:
name: '/proc'
src: 'proc'
fstype: 'proc'
opts: 'defaults,hidepid={{ console_proc_hidepid_level }},gid={{ console_proc_hidepid_group }}'
opts: 'defaults,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }}'
state: 'mounted'
when: console_proc_hidepid is defined and console_proc_hidepid
when: proc_hidepid__enabled|bool
# This is a workaround for Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1039887
- name: Remount /proc from rc.local when needed
lineinfile:
dest: '/etc/rc.local'
regexp: '^mount -o remount,hidepid={{ console_proc_hidepid_level }},gid={{ console_proc_hidepid_group }} /proc'
line: 'mount -o remount,hidepid={{ console_proc_hidepid_level }},gid={{ console_proc_hidepid_group }} /proc'
regexp: '^mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
line: 'mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
insertbefore: 'exit 0'
state: 'present'
when: ((console_proc_hidepid is defined and console_proc_hidepid) and
(ansible_distribution in [ 'Ubuntu' ] and ansible_distribution_release in [ 'trusty' ]))
when: (proc_hidepid__enabled|bool and
(ansible_distribution in [ 'Ubuntu' ] and
ansible_distribution_release in [ 'trusty' ]))
- name: Create the systemd-logind configuration directory
file:
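Review bot: in "Remount /proc from rc.local when needed" the `regexp` embeds the current `proc_hidepid__level` and `proc_hidepid__group`, so changing either value on a host leaves the previous `mount -o remount,...` line in `/etc/rc.local` and adds a second one before `exit 0`. Anchor the regexp on the stable prefix instead, e.g. `regexp: '^mount -o remount,hidepid=.* /proc'`, so that `lineinfile` replaces the stale line. The task is limited to Ubuntu trusty, so the impact is small, but the stale line is confusing when auditing the host.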
......@@ -34,9 +36,7 @@
owner: 'root'
group: 'root'
mode: '0755'
when: (console_proc_hidepid | bool and
(ansible_local|d() and ansible_local.init|d() and
ansible_local.init == "systemd"))
when: proc_hidepid__enabled|bool and ansible_service_mgr == 'systemd'
- name: Ensure that logind is exempt from hidepid
template:
......@@ -45,12 +45,30 @@
owner: 'root'
group: 'root'
mode: '0644'
register: console_register_hidepid_logind
when: (console_proc_hidepid | bool and
(ansible_local|d() and ansible_local.init|d() and
ansible_local.init == "systemd"))
register: proc_hidepid__register_logind
when: proc_hidepid__enabled|bool and ansible_service_mgr == 'systemd'
- name: Reload systemd daemons
command: systemctl daemon-reload
when: console_register_hidepid_logind.changed | bool
when: proc_hidepid__register_logind|changed
- name: Make sure that Ansible local facts directory exists
file:
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Save proc_hidepid local facts
template:
src: 'etc/ansible/facts.d/proc_hidepid.fact.j2'
dest: '/etc/ansible/facts.d/proc_hidepid.fact'
owner: 'root'
group: 'root'
mode: '0755'
register: proc_hidepid__register_facts
- name: Update Ansible facts if they were modified
action: setup
when: proc_hidepid__register_facts|changed
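Review bot: `proc_hidepid__register_logind|changed` and `proc_hidepid__register_facts|changed` use `changed` as a filter; Ansible 2.5 deprecates using tests as filters (the filter form is later removed), so prefer the test form `proc_hidepid__register_logind is changed` and `proc_hidepid__register_facts is changed`. The "Reload systemd daemons" task also relies on the skipped template result reporting `changed: false` on non-systemd hosts, which holds, but adding the same `ansible_service_mgr == 'systemd'` guard used by the two tasks above would make the intent explicit.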
......@@ -6,17 +6,18 @@
set -o nounset -o pipefail -o errexit
hidepid="false"
hidepid_type=""
hidepid_configured="true"
hidepid_enabled="false"
hidepid_level=""
hidepid_gid=""
hidepid_group=""
if grep -qs -E '^proc\s+.*hidepid=' /proc/mounts ; then
hidepid="true"
hidepid_enabled="true"
# Find the hidepid value
hidepid_type="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /hidepid=/) {print $i}}}' | cut -d= -f2)"
hidepid_level="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /hidepid=/) {print $i}}}' | cut -d= -f2)"
# Find the hidepid gid
hidepid_gid="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /gid=/) {print $i}}}' | cut -d= -f2)"
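Review bot: `grep -E '^proc\s+.*hidepid='` matches any `proc`-type mount carrying `hidepid=`, not only `/proc`; on a host with a second proc mount visible in `/proc/mounts` (a chroot with its own proc mount, for example) each of the three command substitutions returns one value per matching line and the resulting fact values become multi-line, which breaks the JSON output. Match the mount point explicitly (`'^proc\s+/proc\s+.*hidepid='`) or append `head -n1`. Parsing the option field once into a variable instead of repeating the grep/awk/cut pipeline three times would also make the script easier to maintain.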
......@@ -28,7 +29,6 @@ if grep -qs -E '^proc\s+.*hidepid=' /proc/mounts ; then
fi
output="{\"hidepid\": \"${hidepid}\", \"hidepid_type\": \"${hidepid_type}\", \"hidepid_gid\": \"${hidepid_gid}\", \"hidepid_group\": \"${hidepid_group}\"}"
echo ${output}
output="{\"configured\": \"${hidepid_configured}\", \"enabled\": \"${hidepid_enabled}\", \"level\": \"${hidepid_level}\", \"gid\": \"${hidepid_gid}\", \"group\": \"${hidepid_group}\"}"
printf "${output}\n"
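Review bot: `printf "${output}\n"` passes the data as the printf format string, so a `%` in the group name or in any other interpolated value is interpreted as a conversion specifier and corrupts the output; use `printf '%s\n' "${output}"` instead. Note also that `configured`, `enabled`, `level`, `gid` and `group` are all emitted as quoted strings, so consumers must keep applying `|bool` to `enabled`, as the `debops.snmpd` change in this merge does.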
......@@ -3,5 +3,4 @@
# Based on https://github.com/indiv0/ansible-role-console
[Service]
SupplementaryGroups={{ console_proc_hidepid_group }}
SupplementaryGroups={{ proc_hidepid__group }}
......@@ -274,8 +274,8 @@ snmpd_load_15min: '{{ (((snmpd_load_base | float) *
# Should the ``debops.snmpd`` add the ``snmp`` user account to a group that has
# access to the ``/proc`` filesystem?
snmpd_proc_hidepid: '{{ True
if (ansible_local|d() and ansible_local.proc|d() and
ansible_local.proc.hidepid|bool)
if (ansible_local|d() and ansible_local.proc_hidepid|d() and
(ansible_local.proc_hidepid.enabled|d())|bool)
else False }}'
......@@ -283,9 +283,9 @@ snmpd_proc_hidepid: '{{ True
#
# Name of the system group which ``snmp`` user will be added to to get
# information about processes.
snmpd_proc_hidepid_group: '{{ (ansible_local.proc.hidepid_group
if (ansible_local|d() and ansible_local.proc|d() and
ansible_local.proc.hidepid_group|d())
snmpd_proc_hidepid_group: '{{ (ansible_local.proc_hidepid.group
if (ansible_local|d() and ansible_local.proc_hidepid|d() and
ansible_local.proc_hidepid.group|d())
else "") }}'
......
......@@ -124,6 +124,7 @@ other hosts.
- :ref:`debops.nfs`
- :ref:`debops.nfs_server`
- :ref:`debops.persistent_paths`
- :ref:`debops.proc_hidepid`
- :ref:`debops.tftpd`
- :ref:`debops.tgt`
- ``debops.samba``
......@@ -181,6 +182,7 @@ Monitoring
- :ref:`debops.librenms`
- :ref:`debops.monit`
- :ref:`debops.proc_hidepid`
- :ref:`debops.snmpd`
- ``debops.smstools``
......@@ -222,6 +224,7 @@ Security
- :ref:`debops.authorized_keys`
- :ref:`debops.fail2ban`
- :ref:`debops.ferm`
- :ref:`debops.proc_hidepid`
- :ref:`debops.sshd`
- :ref:`debops.tcpwrappers`
- ``debops-contrib.apparmor``
......
Getting started
===============
.. contents::
:local:
Ansible local facts
-------------------
The ``debops.proc_hidepid`` role provides a set of Ansible local facts
available in the ``ansible_local.proc_hidepid.*`` hierarchy. You can use the
facts to add application UNIX accounts to the correct UNIX system group that
allows them access to the ``/proc`` filesystem.
Example inventory
-----------------
The ``debops.proc_hidepid`` role is included by default in the ``common.yml``
DebOps playbook; you don't need to add hosts to any Ansible groups to enable
it.
Example playbook
----------------
If you are using this role without DebOps, here's an example Ansible playbook
that uses the ``debops.proc_hidepid`` role:
.. literalinclude:: ../../../../ansible/playbooks/service/proc_hidepid.yml
:language: yaml
Ansible tags
------------
You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
tasks are performed during Ansible run. This can be used after a host was first
configured to speed up playbook execution, when you are sure that most of the
configuration is already in the desired state.
Available role tags:
``role::proc_hidepid``
Main role tag, should be used in the playbook to execute all of the role
tasks as well as role dependencies.
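Review bot: the "Ansible local facts" section says the facts live under `ansible_local.proc_hidepid.*` but does not list them; the fact script in this merge emits `configured`, `enabled`, `level`, `gid` and `group` (all as strings), and `debops.snmpd` already depends on `enabled` and `group`. Listing the keys, with a short example of adding a service account to the group named in `ansible_local.proc_hidepid.group` when `enabled` is true, would make the interface explicit for other roles.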
.. _debops.proc_hidepid:
debops.proc_hidepid
===================
This role will ensure that the ``/proc`` filesystem is mounted with the
``hidepid=`` option enabled. `The 'hidepid=' option`__ can be used to hide
processes that don't belong to a particular user account.
.. __: https://wiki.archlinux.org/index.php/Security#hidepid
.. toctree::
:maxdepth: 2
getting-started
defaults
Copyright
---------
.. literalinclude:: ../../../../ansible/roles/debops.proc_hidepid/COPYRIGHT
..
Local Variables:
mode: rst
ispell-local-dictionary: "american"
End:
......@@ -59,8 +59,28 @@ Inventory variable changes
| ``console_motd`` | :envvar:`machine__motd` | No |
+-------------------+---------------------------------+---------------+
The support for dynamic MOTD has been implemented by the :ref:`debops.machine`
role, you might want to use that instead of the static MOTD file.
The support for dynamic MOTD has been implemented by the :ref:`debops.machine`
role, you might want to use that instead of the static MOTD file.
- Configuration of the ``/proc`` ``hidepid=`` option has been removed from the
``debops.console`` and is now available in the new :ref:`debops.proc_hidepid`
Ansible role. List of default variables that were affected:
+--------------------------------+---------------------------------+---------------+
| Old variable name | New variable name | Changed value |
+================================+=================================+===============+
| ``console_proc_hidepid`` | :envvar:`proc_hidepid__enabled` | No |
+--------------------------------+---------------------------------+---------------+
| ``console_proc_hidepid_level`` | :envvar:`proc_hidepid__level` | No |
+--------------------------------+---------------------------------+---------------+
| ``console_proc_hidepid_group`` | :envvar:`proc_hidepid__group` | No |
+--------------------------------+---------------------------------+---------------+
The logic to enable/disable the ``hidepid=`` configuration has been moved to
the :envvar:`proc_hidepid__enabled` variable to be more accessible. The role
creates its own set of Ansible local facts with new variable names, you might
need to update configuration of the roles that relied on them.
v0.6.0
------
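Review bot: the table marks `console_proc_hidepid` -> `proc_hidepid__enabled` as "Changed value: No", but the default moves from a literal `True` to an expression driven by `ansible_system_capabilities_enforced` and `cap_sys_admin`; the paragraph below explains that move, so either mark the row as changed or point the row at that paragraph. Minor: "removed from the ``debops.console``" should read "removed from the ``debops.console`` role", and the dynamic MOTD paragraph appears twice in the hunk, which looks like a whitespace-only rewrite worth double-checking.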
......