diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index 9cf759cd3..5efff5bb1 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -55,6 +55,18 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
 net.ipv4.ip_forward: 1
 ```
 
+### hidepid on RHEL/CentOS 7
+
+When having `polkit-0.112-18.el7` (and later) installed and `/proc` mounted with `hidepid=2`, everytime someone uses `systemctl` the following error is displayed, but systemctl runs successfully.
+
+```
+Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)
+```
+
+We decided to set `hidepid=0` to remove the error message, if you want to use the other proposed workaround, you have to setup the user yourself and set our option to `hidepid_option: 2` via Ansible vars.
+
+For further details see [RedHat: "GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject" seen when executing systemctl command](https://access.redhat.com/solutions/5005111) or [#364: hidepid=2 gives error when running systemctl on EL7](/~https://github.com/dev-sec/ansible-collection-hardening/issues/364)
+
 ### sysctl - vm.mmap_rnd_bits
 
 We are setting this sysctl to a default of `32`, some systems only support smaller values and this will generate an error. Unfortunately we cannot determine the correct applicable maximum. If you encounter this error you have to override this sysctl in your playbook.
@@ -164,7 +176,7 @@ We know that this is the case on Raspberry Pi.
 - Default: `keep_logs`
 - Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
 - `hidepid_option`
- - Default: `2`
+ - Default: `2` (on RHEL/CentOS7 `0`, see known limitations)
 - Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
 - `proc_mnt_options`
 - Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}`
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 28617b57d..fd928a873 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -280,5 +280,4 @@ os_selinux_state: enforcing
 # Set the SELinux polixy.
 os_selinux_policy: targeted
 
-hidepid_option: '2' # allowed values: 0, 1, 2
 proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml
index 8629cc0bc..f78c22c54 100644
--- a/roles/os_hardening/vars/Amazon.yml
+++ b/roles/os_hardening/vars/Amazon.yml
@@ -42,3 +42,5 @@ sysctl_rhel_config:
 kernel.exec-shield: 1
 # Syncookies is used to prevent SYN-flooding attacks.
 net.ipv4.tcp_syncookies: 1
+
+hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/Archlinux.yml b/roles/os_hardening/vars/Archlinux.yml
index 99f05d1b2..fe4641d2c 100644
--- a/roles/os_hardening/vars/Archlinux.yml
+++ b/roles/os_hardening/vars/Archlinux.yml
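Review bot: `hidepid_option` now lives in the per-distribution `vars/` files (this hunk, and the same addition in Archlinux.yml, Debian.yml, Fedora.yml, RedHat.yml, RedHat_7.yml and Suse.yml) instead of `defaults/main.yml`, which raises it from role-default to role-var precedence, so a value set in inventory, group_vars, host_vars or play `vars:` no longer overrides it; only role parameters, `set_fact`, `include_vars` or `-e` extra vars still win, and if the role loads these files through `include_vars` (the loading task is not in this diff) the bar is higher still. The README text added in the same commit tells users to restore `hidepid_option: 2` "via Ansible vars", which for the usual inventory-level placement will silently not apply, leaving EL7 hosts at `hidepid=0`. For a hardening role that is a quiet regression on upgrade; consider keeping the key in `defaults/main.yml` and deriving the EL7 value there, e.g. `hidepid_option: "{{ '0' if ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' else '2' }}"`, or else state in the README exactly which override mechanisms work and record the changed default in the changelog.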
@@ -23,3 +23,5 @@ os_auth_sys_gid_max: 999
 
 modprobe_package: 'kmod'
 auditd_package: 'audit'
+
+hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/Debian.yml b/roles/os_hardening/vars/Debian.yml
index 7d4e2a06f..27b64b3e7 100644
--- a/roles/os_hardening/vars/Debian.yml
+++ b/roles/os_hardening/vars/Debian.yml
@@ -35,3 +35,5 @@ auditd_package: 'auditd'
 
 tally2_path: '/usr/share/pam-configs/tally2'
 passwdqc_path: '/usr/share/pam-configs/passwdqc'
+
+hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/Fedora.yml b/roles/os_hardening/vars/Fedora.yml
index c8cd1d09d..756de540f 100644
--- a/roles/os_hardening/vars/Fedora.yml
+++ b/roles/os_hardening/vars/Fedora.yml
@@ -33,3 +33,5 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+
+hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/RedHat.yml b/roles/os_hardening/vars/RedHat.yml
index dc20124d5..d4286ef08 100644
--- a/roles/os_hardening/vars/RedHat.yml
+++ b/roles/os_hardening/vars/RedHat.yml
@@ -33,3 +33,5 @@ os_useradd_create_home: true
 
 modprobe_package: 'module-init-tools'
 auditd_package: 'audit'
+
+hidepid_option: '2' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/RedHat_7.yml b/roles/os_hardening/vars/RedHat_7.yml
new file mode 100644
index 000000000..a21a82899
--- /dev/null
+++ b/roles/os_hardening/vars/RedHat_7.yml
@@ -0,0 +1,37 @@
+---
+
+os_packages_pam_ccreds: 'pam_ccreds'
+os_packages_pam_passwdqc: 'pam_passwdqc'
+os_packages_pam_cracklib: 'pam_cracklib'
+os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+ owner: root
+ group: root
+ mode: '0000'
+
+os_passwd_perms:
+ owner: root
+ group: root
+ mode: '0644'
+
+os_env_umask: '077'
+
+os_auth_uid_min: 1000
+os_auth_gid_min: 1000
+os_auth_sys_uid_min: 201
+os_auth_sys_uid_max: 999
+os_auth_sys_gid_min: 201
+os_auth_sys_gid_max: 999
+
+# defaults for useradd
+os_useradd_mail_dir: /var/spool/mail
+os_useradd_create_home: true
+
+modprobe_package: 'module-init-tools'
+auditd_package: 'audit'
+
+hidepid_option: '0' # allowed values: 0, 1, 2
diff --git a/roles/os_hardening/vars/Suse.yml b/roles/os_hardening/vars/Suse.yml
index 152af1fe2..5d30fd5c3 100644
--- a/roles/os_hardening/vars/Suse.yml
+++ b/roles/os_hardening/vars/Suse.yml
@@ -32,3 +32,5 @@ os_useradd_create_home: false
 
 modprobe_package: 'kmod-compat'
 auditd_package: 'audit'
+
+hidepid_option: '2' # allowed values: 0, 1, 2
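Review bot: RedHat_7.yml duplicates RedHat.yml line for line and differs only in the final `hidepid_option: '0'`, so every later change to RedHat.yml has to be mirrored here or the two files drift; if the vars loader (not in this diff) picks a single `first_found` file the copy is unavoidable, but that constraint and the reason for the relaxed value deserve a comment on the last line, e.g. `# relaxed from '2': hidepid=2 breaks polkit/systemctl on EL7, see #364 - drop once polkit is fixed`. The override also reaches every host matched as RedHat 7, including those without the affected polkit build the README names, so they lose `hidepid=2` without gaining anything; a fact-based condition on the task that mounts /proc would be narrower, though whether that is practical depends on code outside this diff. Whether CentOS 7 (named in the README heading) actually receives this file depends on the loader keying on `ansible_os_family` rather than `ansible_distribution`, which is worth confirming before release.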