Add the 'debops.proc_hidepid' role

parent d62b5059
......@@ -947,6 +947,14 @@ stages:
JANE_DIFF_PATTERN: '.*/debops.preseed/.*'
JANE_LOG_PATTERN: '\[debops\.preseed\]'
'proc_hidepid role':
<<: *test_role_no_deps
variables:
JANE_TEST_PLAY: '${DEBOPS_PLAYBOOKS}/service/proc_hidepid.yml'
JANE_INVENTORY_GROUPS: 'debops_service_proc_hidepid'
JANE_DIFF_PATTERN: '.*/debops.proc_hidepid/.*'
JANE_LOG_PATTERN: '\[debops\.proc_hidepid\]'
# --- r --- [[[2
......
......@@ -40,6 +40,8 @@ Added
- :ref:`debops.machine`: manage the :file:`/etc/machine-info` file,
the :file:`/etc/issue` file and a dynamic MOTD.
- :ref:`debops.proc_hidepid`: configure the ``/proc`` ``hidepid=`` options.
- You can now :ref:`use Vagrant <quick_start__vagrant>` to create an Ansible
Controller based on Debian Stretch and use it to manage itself or other hosts
over the network.
......
---
- name: Manage /proc hidepid= configuration
hosts: [ 'debops_all_hosts', 'debops_service_proc_hidepid' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: debops.proc_hidepid
tags: [ 'role::proc_hidepid' ]
debops.proc_hidepid - Configure /proc hidepid= options
Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2018 DebOps https://debops.org/
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see https://www.gnu.org/licenses/.
---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# debops.proc_hidepid default variables
# =====================================
# .. envvar:: proc_hidepid__enabled [[[
#
# Enable or disable support for managing the ``/proc`` ``hidepid=`` option
# using Ansible.
proc_hidepid__enabled: '{{ True
if ((ansible_system_capabilities_enforced|bool and
"cap_sys_admin" in ansible_system_capabilities) or
not ansible_system_capabilities_enforced|bool)
else False }}'
# ]]]
# .. envvar:: proc_hidepid__level [[[
#
# Specify what level of protection for the ``/proc`` files to configure:
#
# - ``0``: no protection, files are world-readable
#
# - ``1``: the ``/proc`` contents are protected using UNIX permissions, file
# owners can access their own files
#
# - ``2``: the ``/proc`` contents are invisible to non-owners, only ``root``
# and users in the specific UNIX system group can see everything
#
proc_hidepid__level: '2'
# ]]]
# .. envvar:: proc_hidepid__group [[[
#
# Name of the UNIX system group which will have unrestricted access to the
# ``/proc`` filesystem.
proc_hidepid__group: 'procadmins'
# ]]]
# .. envvar:: proc_hidepid__gid [[[
#
# The GID used by the UNIX system group. If not specified, it will be selected
# automatically. It might be best not to change existing GID once set.
proc_hidepid__gid: ''
# ]]]
# ]]]
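Review bot: The `proc_hidepid__group` description does not say that membership in this group bypasses `hidepid=` entirely; the tasks pass it as the `gid=` mount option, so adding an account to the group is a privilege decision rather than a convenience, and the comment should make that explicit for operators. Suggested addition under the existing description: `# Members of this group can see all processes regardless of the hidepid= level, so treat membership as a privilege.`. The `proc_hidepid__level` list is otherwise accurate and reads well.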
---
dependencies: []
galaxy_info:
author: 'Maciej Delmanowski'
description: 'Configure /proc hidepid= options'
company: 'DebOps'
license: 'GPL-3.0'
min_ansible_version: '2.4.0'
platforms:
- name: Ubuntu
versions:
- precise
- trusty
- xenial
- name: Debian
versions:
- wheezy
- jessie
- stretch
categories:
- system
- security
- hidepid
---
- name: Ensure that UNIX system group with /proc access exists
group:
name: '{{ proc_hidepid__group }}'
gid: '{{ proc_hidepid__gid if proc_hidepid__gid|d() else omit }}'
state: 'present'
system: True
when: proc_hidepid__enabled|bool
- name: Configure /proc with hidepid= option in /etc/fstab
mount:
name: '/proc'
src: 'proc'
fstype: 'proc'
opts: 'defaults,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }}'
state: 'mounted'
when: proc_hidepid__enabled|bool
# This is a workaround for Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1039887
- name: Remount /proc from rc.local when needed
lineinfile:
dest: '/etc/rc.local'
regexp: '^mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
line: 'mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
insertbefore: 'exit 0'
state: 'present'
when: (proc_hidepid__enabled|bool and
(ansible_distribution in [ 'Ubuntu' ] and
ansible_distribution_release in [ 'trusty' ]))
- name: Create the systemd-logind configuration directory
file:
path: '/etc/systemd/system/systemd-logind.service.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
when: proc_hidepid__enabled|bool and ansible_service_mgr == 'systemd'
- name: Ensure that logind is exempt from hidepid
template:
src: 'etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2'
dest: '/etc/systemd/system/systemd-logind.service.d/hidepid.conf'
owner: 'root'
group: 'root'
mode: '0644'
register: proc_hidepid__register_logind
when: proc_hidepid__enabled|bool and ansible_service_mgr == 'systemd'
- name: Reload systemd daemons
command: systemctl daemon-reload
when: proc_hidepid__register_logind|changed
- name: Make sure that Ansible local facts directory exists
file:
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Save proc_hidepid local facts
template:
src: 'etc/ansible/facts.d/proc_hidepid.fact.j2'
dest: '/etc/ansible/facts.d/proc_hidepid.fact'
owner: 'root'
group: 'root'
mode: '0755'
register: proc_hidepid__register_facts
- name: Update Ansible facts if they were modified
action: setup
when: proc_hidepid__register_facts|changed
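Review bot: The "Reload systemd daemons" task only runs `systemctl daemon-reload` after the logind drop-in changes; that re-reads unit files but does not restart the already-running `systemd-logind`, which presumably keeps its old supplementary groups and, with `hidepid=2`, still cannot see user processes until it is restarted or the host rebooted. Either notify a restart of `systemd-logind` when `proc_hidepid__register_logind` reports a change, or document in the role that a restart/reboot is needed after the first run. Separately, the `mount` task passes `gid={{ proc_hidepid__group }}` as a group name; as far as I know the kernel procfs option takes a numeric GID and this relies on the mount helper translating the name, so using the numeric GID (e.g. registering the `group` task and using its `gid` result) would be more portable. The `|changed` filter is fine for the declared `min_ansible_version` but is deprecated in newer releases in favour of `is changed`.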
#!/bin/bash
# {{ ansible_managed }}
# Gather information about /proc related to hidepid
set -o nounset -o pipefail -o errexit
hidepid_configured="true"
hidepid_enabled="false"
hidepid_level=""
hidepid_gid=""
hidepid_group=""
if grep -qs -E '^proc\s+.*hidepid=' /proc/mounts ; then
hidepid_enabled="true"
# Find the hidepid value
hidepid_level="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /hidepid=/) {print $i}}}' | cut -d= -f2)"
# Find the hidepid gid
hidepid_gid="$(grep -E '^proc\s+.*hidepid=' /proc/mounts | awk '{print $4}' | awk -F',' '{for (i=1;i<=NF;i++) {if ($i ~ /gid=/) {print $i}}}' | cut -d= -f2)"
# Find the hidepid group
if [ -n "${hidepid_gid}" ]; then
hidepid_group="$(getent group ${hidepid_gid} | cut -d: -f1)"
fi
fi
output="{\"configured\": \"${hidepid_configured}\", \"enabled\": \"${hidepid_enabled}\", \"level\": \"${hidepid_level}\", \"gid\": \"${hidepid_gid}\", \"group\": \"${hidepid_group}\"}"
printf "${output}\n"
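Review bot: `printf "${output}\n"` uses data as the format string, so a `%` in a mount option or group name would be interpreted as a conversion; write it as `printf '%s\n' "${output}"`. With `errexit` and `pipefail` set, a failing `getent group ${hidepid_gid}` (a `gid=` value with no matching group entry) aborts the script before any output is produced, so the local fact would be missing rather than reporting an empty group; guard it with `hidepid_group="$(getent group "${hidepid_gid}" | cut -d: -f1 || true)"`. Quoting `${hidepid_gid}` there also avoids word splitting.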
# {{ ansible_managed }}
# Based on https://github.com/indiv0/ansible-role-console
[Service]
SupplementaryGroups={{ proc_hidepid__group }}
......@@ -124,6 +124,7 @@ other hosts.
- :ref:`debops.nfs`
- :ref:`debops.nfs_server`
- :ref:`debops.persistent_paths`
- :ref:`debops.proc_hidepid`
- :ref:`debops.tftpd`
- :ref:`debops.tgt`
- ``debops.samba``
......@@ -181,6 +182,7 @@ Monitoring
- :ref:`debops.librenms`
- :ref:`debops.monit`
- :ref:`debops.proc_hidepid`
- :ref:`debops.snmpd`
- ``debops.smstools``
......@@ -222,6 +224,7 @@ Security
- :ref:`debops.authorized_keys`
- :ref:`debops.fail2ban`
- :ref:`debops.ferm`
- :ref:`debops.proc_hidepid`
- :ref:`debops.sshd`
- :ref:`debops.tcpwrappers`
- ``debops-contrib.apparmor``
......
Getting started
===============
.. contents::
:local:
Ansible local facts
-------------------
The ``debops.proc_hidepid`` role provides a set of Ansible local facts
available in the ``ansible_local.proc_hidepid.*`` hierarchy. You can use the
facts to add application UNIX accounts to the correct UNIX system group that
allows them access to the ``/proc`` filesystem.
Example inventory
-----------------
The ``debops.proc_hidepid`` role is included by default in the ``common.yml``
DebOps playbook; you don't need to add hosts to any Ansible groups to enable
it.
Example playbook
----------------
If you are using this role without DebOps, here's an example Ansible playbook
that uses the ``debops.proc_hidepid`` role:
.. literalinclude:: ../../../../ansible/playbooks/service/proc_hidepid.yml
:language: yaml
Ansible tags
------------
You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
tasks are performed during Ansible run. This can be used after a host was first
configured to speed up playbook execution, when you are sure that most of the
configuration is already in the desired state.
Available role tags:
``role::proc_hidepid``
Main role tag, should be used in the playbook to execute all of the role
tasks as well as role dependencies.
.. _debops.proc_hidepid:
debops.proc_hidepid
===================
This role will ensure that the ``/proc`` filesystem is mounted with the
``hidepid=`` option enabled. `The 'hidepid=' option`__ can be used to hide
processes that don't belong to a particular user account.
.. __: https://wiki.archlinux.org/index.php/Security#hidepid
.. toctree::
:maxdepth: 2
getting-started
defaults
Copyright
---------
.. literalinclude:: ../../../../ansible/roles/debops.proc_hidepid/COPYRIGHT
..
Local Variables:
mode: rst
ispell-local-dictionary: "american"
End: