
added sysctl_config_blacklist variable to filter the sys_config #312

Closed
wants to merge 1 commit into from

Conversation


@foxcris foxcris commented Sep 23, 2020

On my system I could not apply all sys_config options which are applied by default. Thus I added a variable sysctl_config_blacklist to filter/exclude specific sys_config options from being applied.

@rndmh3ro
Member

Hey @foxcris,

I'm not sure I want to merge this PR. What's wrong with overriding the sysctl_config parameter?

@schurzi
Contributor

schurzi commented Sep 25, 2020

This also sounds problematic to me.

Could you add the errors you are getting and describe your system? Maybe the errors should be fixed on a different level. I'm thinking maybe there is some renaming or deprecation of specific sysctl names involved.

@foxcris
Author

foxcris commented Sep 26, 2020

Hi,

thank you for your remarks. I created this solution as I had problems applying the default config variables on a Raspberry Pi running Raspbian (Debian Buster).
Applying the role led to an error which aborted the Ansible run.

Used variables for this role:

```yaml
os_auditd_enabled: false
```

Cause of the problem are these sysctl variables:

```text
kernel.yama.ptrace_scope
vm.mmap_rnd_bits
vm.mmap_rnd_compat_bits
kernel.kexec_load_disabled
net.ipv4.conf.default.log_martians
```

The use of sysctl_overwrite was no solution, as with this approach one can overwrite and extend variables, but it is not possible to remove a variable from the default sysctl configuration.
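As an added illustration of the merge semantics discussed in this comment (not the dev-sec role's own code, which uses Ansible's `combine` filter on dictionaries): the same behaviour replayed with awk on `key=value` files. An overwrite map can change a default's value or add a key, but every default key survives the merge; only a separate filter step, like the blacklist this PR proposed, can drop one. The file names, helper names and the three sample keys are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the dev-sec role's own code. Replays the role's
# defaults + overwrite merge on key=value files, then applies a blacklist.
# Helper names and file layout are assumptions for the illustration.

# Merge defaults with overwrites: defaults keep their order, an overwrite
# value replaces the default value, keys only in the overwrite file are appended.
merge_sysctl() {
    defaults="$1"; overwrite="$2"
    cat "$defaults" "$overwrite" | awk -F= '
        !($1 in value) { order[++n] = $1 }   # first sighting fixes the position
        { value[$1] = $2 }                    # later file (the overwrite) wins
        END { for (i = 1; i <= n; i++) print order[i] "=" value[order[i]] }'
}

# Drop every key named in the blacklist file (one dotted key per line).
# FILENAME is compared instead of NR==FNR so an empty blacklist stays harmless.
filter_blacklist() {
    merged="$1"; blacklist="$2"
    awk -F= 'FILENAME == ARGV[1] { drop[$1] = 1; next } !($1 in drop)' \
        "$blacklist" "$merged"
}

# Print the value of one key from a key=value file (empty if absent).
lookup_key() {
    file="$1"; key="$2"
    awk -F= -v k="$key" '$1 == k { print $2 }' "$file"
}

# Constructed sample data: three keys from the thread, one overwrite, one blacklist.
write_samples() {
    dir="$1"
    printf '%s\n' 'vm.mmap_rnd_bits=32' 'kernel.kexec_load_disabled=1' \
        'net.ipv4.conf.default.log_martians=1' > "$dir/defaults"
    printf '%s\n' 'vm.mmap_rnd_bits=8' > "$dir/overwrite"
    printf '%s\n' 'kernel.kexec_load_disabled' > "$dir/blacklist"
}

demo() {
    dir="$(mktemp -d)"
    write_samples "$dir"
    merge_sysctl "$dir/defaults" "$dir/overwrite" > "$dir/merged"
    echo "merged (overwrite changes values, removes nothing):"
    cat "$dir/merged"
    echo "after blacklist:"
    filter_blacklist "$dir/merged" "$dir/blacklist"
    rm -rf "$dir"
}

demo
```

Running `demo` shows three merged lines with `vm.mmap_rnd_bits=8` and `kernel.kexec_load_disabled=1` still present, and two lines after the blacklist removes `kernel.kexec_load_disabled`.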

@schurzi
Contributor

schurzi commented Sep 26, 2020

Thank you very much. This helps a lot in debugging this issue. I'm currently speculating that these sysctl variables do not exist on your system. Can you verify that (by calling `sysctl <name>`)?

If that is the case, I think our best option would be to use ignoreerrors in the sysctl task (https://docs.ansible.com/ansible/2.9/modules/sysctl_module.html#sysctl-module). Note: this does not ignore all errors, but only errors regarding sysctl variables that are not found.

@rndmh3ro what do you think?

@foxcris
Author

foxcris commented Sep 26, 2020

```text
sysctl kernel.yama.ptrace_scope
sysctl: cannot stat /proc/sys/kernel/yama/ptrace_scope: No such file or directory

sysctl vm.mmap_rnd_bits
vm.mmap_rnd_bits = 8

sysctl vm.mmap_rnd_compat_bits
sysctl: cannot stat /proc/sys/vm/mmap_rnd_compat_bits: No such file or directory

sysctl kernel.kexec_load_disabled
sysctl: cannot stat /proc/sys/kernel/kexec_load_disabled: No such file or directory

sysctl net.ipv4.conf.default.log_martians
net.ipv4.conf.default.log_martians = 1
```

Regarding the ignoreerrors option: as far as I can see you are already using this option in tasks/sysctl.yml, so this would not help with my problem. Or am I wrong?
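The check requested above (does the key exist on this kernel?) reduces to testing for the key's file below `/proc/sys`, since `sysctl` maps each dot in the key name to a directory separator. The script below is an added example, not code from this thread or the dev-sec role: it classifies a list of keys as present or absent against a given root directory, so the same check can be run against the live `/proc/sys` or, as here, against a constructed tree that mimics the Raspbian host in this thread (only `vm.mmap_rnd_bits` and `net.ipv4.conf.default.log_martians` exist). Absent keys are the ones `sysctl -e` / the Ansible `ignoreerrors` option silently skips; a key that is present but still fails points at a rejected value instead. The root-directory parameter and all helper names are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not the dev-sec role's code): separate sysctl keys the kernel
# lacks from keys that exist, by looking for the key's file below a /proc/sys
# root. The root is a parameter so the check can run on a constructed tree.

# Map a dotted sysctl key to its path below the given root (dots -> slashes).
sysctl_key_path() {
    root="$1"; key="$2"
    printf '%s/%s\n' "$root" "$(printf '%s' "$key" | tr '.' '/')"
}

# Print "present <key>" or "absent <key>" for every key given as an argument.
classify_sysctl_keys() {
    root="$1"; shift
    for key in "$@"; do
        if [ -f "$(sysctl_key_path "$root" "$key")" ]; then
            echo "present $key"
        else
            echo "absent $key"
        fi
    done
}

# Number of absent keys; "|| true" keeps grep's exit 1 on zero matches harmless.
count_absent_keys() {
    root="$1"; shift
    classify_sysctl_keys "$root" "$@" | grep -c '^absent ' || true
}

# Constructed /proc/sys look-alike containing only the two keys the Raspbian
# host in this thread reported as existing.
build_demo_tree() {
    root="$1"
    mkdir -p "$root/vm" "$root/net/ipv4/conf/default"
    echo 8 > "$root/vm/mmap_rnd_bits"
    echo 1 > "$root/net/ipv4/conf/default/log_martians"
}

demo() {
    root="$(mktemp -d)"
    build_demo_tree "$root"
    classify_sysctl_keys "$root" kernel.yama.ptrace_scope vm.mmap_rnd_bits \
        vm.mmap_rnd_compat_bits kernel.kexec_load_disabled \
        net.ipv4.conf.default.log_martians
    echo "absent: $(count_absent_keys "$root" kernel.yama.ptrace_scope vm.mmap_rnd_bits \
        vm.mmap_rnd_compat_bits kernel.kexec_load_disabled \
        net.ipv4.conf.default.log_martians)"
    rm -rf "$root"
}

demo
```

On a real host, call `classify_sysctl_keys /proc/sys <keys...>` (reading only, no root required) to get the same present/absent split before blaming a value.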

@schurzi
Contributor

schurzi commented Sep 26, 2020

Yes, you are absolutely right. Sorry I missed that.

But that also means that all sysctls which are not present on your system cannot be the source of this problem. That leaves net.ipv4.conf.default.log_martians and vm.mmap_rnd_bits to consider.

Our module tries to set net.ipv4.conf.default.log_martians to 1 and vm.mmap_rnd_bits to 32. Since net.ipv4.conf.default.log_martians is already 1 on your system, I would like to try whether vm.mmap_rnd_bits is the real culprit here.

Can you try our role, without your blacklist and with the following variable added:

```yaml
- hosts: localhost
  roles:
    - dev-sec.os-hardening
  vars:
    os_auditd_enabled: false
    sysctl_overwrite:
      vm.mmap_rnd_bits: 8
```

@foxcris
Author

foxcris commented Sep 26, 2020

I just tried to run with:

```yaml
sysctl_overwrite:
  vm.mmap_rnd_bits: 8
  net.ipv4.conf.default.log_martians: 1
```

Result:

```text
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.default.accept_ra_rtr_pref', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.default.accept_redirects', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.default.accept_ra_pinfo', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.default.router_solicitations', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.all.arp_ignore', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'fs.protected_hardlinks', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.default.autoconf', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.default.dad_transmits', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.ip_forward', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.default.rp_filter', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.all.forwarding', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'kernel.kptr_restrict', u'value': 2})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.default.log_martians', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.all.send_redirects', u'value': 0})
failed: [192.168.100.17] (item={u'key': u'vm.mmap_rnd_compat_bits', u'value': 16}) => {"ansible_loop_var": "item", "changed": false, "item": {"key": "vm.mmap_rnd_compat_bits", "value": 16}, "msg": "Failed to reload sysctl: net.ipv6.conf.default.accept_ra_rtr_pref = 0\nnet.ipv6.conf.default.dad_transmits = 0\nnet.ipv6.conf.default.accept_ra_pinfo = 0\nnet.ipv6.conf.default.router_solicitations = 0\nnet.ipv4.conf.all.arp_ignore = 1\nfs.protected_hardlinks = 1\nnet.ipv6.conf.default.autoconf = 0\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv4.ip_forward = 0\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv6.conf.all.forwarding = 0\nkernel.kptr_restrict = 2\nnet.ipv4.conf.all.send_redirects = 0\nvm.mmap_rnd_bits = 32\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.tcp_rfc1337 = 1\nfs.protected_symlinks = 1\nkernel.sysrq = 0\nnet.ipv4.icmp_ratelimit = 100\nvm.mmap_min_addr = 65536\nnet.ipv4.conf.all.log_martians = 1\nfs.suid_dumpable = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv6.conf.all.accept_ra = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv4.conf.default.accept_source_route = 0\nkernel.core_uses_pid = 1\nkernel.randomize_va_space = 2\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv6.conf.default.accept_ra = 0\nnet.ipv4.icmp_ratemask = 88089\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.tcp_timestamps = 0\nnet.ipv6.conf.default.max_addresses = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.all.shared_media = 1\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.shared_media = 1\nnet.ipv4.conf.all.arp_announce = 2\nnet.ipv6.conf.default.accept_ra_defrtr = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.accept_redirects = 0\nsysctl: setting key \"vm.mmap_rnd_bits\": Invalid argument\n"}
changed: [192.168.100.17] => (item={u'key': u'vm.mmap_rnd_bits', u'value': 8})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.icmp_echo_ignore_broadcasts', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.tcp_rfc1337', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'fs.protected_symlinks', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'kernel.sysrq', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.icmp_ratelimit', u'value': 100})
changed: [192.168.100.17] => (item={u'key': u'kernel.yama.ptrace_scope', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'vm.mmap_min_addr', u'value': 65536})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.all.log_martians', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'fs.suid_dumpable', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.default.accept_redirects', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.icmp_ignore_bogus_error_responses', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.default.accept_ra', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.default.secure_redirects', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.default.accept_source_route', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'kernel.core_uses_pid', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'kernel.randomize_va_space', u'value': 2})
changed: [192.168.100.17] => (item={u'key': u'kernel.kexec_load_disabled', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.all.accept_redirects', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.icmp_ratemask', u'value': 88089})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.default.accept_ra_defrtr', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.tcp_timestamps', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.default.max_addresses', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.all.accept_source_route', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.all.shared_media', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.all.disable_ipv6', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.all.secure_redirects', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.default.shared_media', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.all.arp_announce', u'value': 2})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.all.rp_filter', u'value': 1})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.default.send_redirects', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv4.conf.all.accept_redirects', u'value': 0})
ok: [192.168.100.17] => (item={u'key': u'net.ipv6.conf.all.accept_ra', u'value': 0})

PLAY RECAP ******************************************************************************************************************************************************************************************************
192.168.100.17             : ok=37   changed=2    unreachable=0    failed=1    skipped=22   rescued=0    ignored=0
```

@schurzi
Contributor

schurzi commented Sep 26, 2020

Oh, that one is nice. Can you re-run this test? I think this error will be gone on the second try :)
The sysctl module has persisted the incompatible value for vm.mmap_rnd_bits, and this gets reloaded on a change, hence it is failing now, but it will work on the next run, because now a usable value is persisted.

@foxcris
Author

foxcris commented Sep 26, 2020

You are right. Everything worked with the second run.
I think we can close this pull request as the implemented solution is not necessary.

@foxcris foxcris closed this Sep 26, 2020
@schurzi
Contributor

schurzi commented Sep 26, 2020

Thank you for your help. As you noted, the solution is not necessary.

But I would really like it if you could try out what the maximum possible value for vm.mmap_rnd_bits is on the Raspberry Pi, and we could add some documentation that covers this (since I currently have no idea how we could add this to the Ansible code) :)

@foxcris
Author

foxcris commented Sep 26, 2020

The maximum supported value is 16.

rndmh3ro pushed a commit that referenced this pull request Nov 8, 2020
* adding specific things for IPv6 support

Signed-off-by: Arnold <arnold.dech@adct.be>
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
* adding specific things for IPv6 support

Signed-off-by: Arnold <arnold.dech@adct.be>