openstack-ansible-security: Logic fails for 'security_sshd_permit_root_login'

Bug #1685194 reported by Mike Eriksson
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Medium
Assigned to: Jean-Philippe Evrard
Milestone: none

Bug Description

I spotted the following when I was running tests against a newly secured machine and got warnings that root login was still allowed although it was set to 'no' in defaults/main.yml.

[I tried to submit a pull request to Github but got pointed to this resource instead. Since I'm not entirely certain how to run the review and everything I'm submitting it as a bug at least. I got a proposed fix below, but need some assistance if I'm to submit it myself.]

From defaults/main.yml

# Permit direct root logins
security_sshd_permit_root_login: no # V-72247

That makes sense as a setting/configuration since that echoes what you'd expect to set in sshd_config yourself. However, when this is handled in tasks/rhel7stig/sshd.yml and ultimately templates/sshd_config_block.j2 this doesn't work as expected.

The part in sshd_config_block.j2 that references this is:

{% if security_sshd_permit_root_login | bool %}
# V-72247
PermitRootLogin no
{% endif %}

Basically - if the variable is set to no, the line below fails the boolean test and is not written into the sshd_config file. I believe that anyone who runs this against their hosts with this setting will still be allowing root logins although they think they're not.

If you set the variable to yes, it just 'feels and looks' wrong to me.

I'm not good enough at Ansible and Jinja2 to figure out how to do a 'negative' bool after the | so I put in the following instead:

{% if not security_sshd_permit_root_login | bool %}

Maybe there's a more elegant solution to this?

This is the first instance of this issue I've spotted but there might be more - I'll try and go through the ssh settings closer now.

Cheers, Mike
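The inversion described in the report, modelled as an added Python example (this is not code from ansible-hardening or from the reporter). It re-implements the semantics of Ansible's `bool` filter and the two Jinja2 conditions quoted above in plain Python so it runs without jinja2 installed, renders the V-72247 block both ways, and then audits the rendered sshd_config text the way a hardening test would. The `ansible_bool` helper, `BASE_CONFIG`, and the function names are assumptions made for the example; the constructed sshd_config lines are sample data, not output from a real host.

```python
"""Model of the PermitRootLogin template bug and a check on the rendered result.

Added example, not code from ansible-hardening or the bug reporter. It
re-implements Ansible's ``bool`` filter and the two Jinja2 conditions from
the report in plain Python (so no jinja2 install is needed), renders the
V-72247 block both ways, and audits the resulting sshd_config text the way
a hardening test would.
"""

# Spellings Ansible's ``bool`` filter treats as true/false (assumption: this
# approximates the filter; YAML 1.1 already turns a bare ``no`` into False
# before the template ever sees it).
ANSIBLE_TRUE = {"yes", "on", "1", "true", "t", "y"}
ANSIBLE_FALSE = {"no", "off", "0", "false", "f", "n"}


def ansible_bool(value):
    """Approximate the ``| bool`` filter for the value types a var can hold."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    text = str(value).strip().lower()
    if text in ANSIBLE_TRUE:
        return True
    if text in ANSIBLE_FALSE:
        return False
    raise ValueError(f"not a boolean-like value: {value!r}")


def render_root_login_block(permit_root_login, fixed):
    """Return the lines the V-72247 block of sshd_config_block.j2 emits.

    fixed=False models the original condition
        {% if security_sshd_permit_root_login | bool %}
    fixed=True models the reporter's suggestion
        {% if not security_sshd_permit_root_login | bool %}
    In both cases the body of the block is the literal ``PermitRootLogin no``.
    """
    condition = ansible_bool(permit_root_login)
    if fixed:
        condition = not condition
    return ["# V-72247", "PermitRootLogin no"] if condition else []


# Constructed stand-in for the rest of a rendered sshd_config; only the
# V-72247 block varies between the buggy and fixed templates.
BASE_CONFIG = ["# constructed sample, managed by the hardening role", "Port 22", "Protocol 2"]


def render_sshd_config(permit_root_login, fixed):
    """Render the constructed base config plus the V-72247 block."""
    return "\n".join(BASE_CONFIG + render_root_login_block(permit_root_login, fixed)) + "\n"


def effective_permit_root_login(sshd_config_text):
    """Return the PermitRootLogin value sshd would apply, or None if absent.

    sshd honours the first occurrence of a keyword, matches keywords
    case-insensitively and accepts either whitespace or a single ``=`` as
    the separator. When the directive is missing, sshd's compiled-in default
    applies, so an audit must treat None as "not enforced by this config".
    """
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return None


def root_login_denied(sshd_config_text):
    """The V-72247 check: only an explicit ``PermitRootLogin no`` passes."""
    return effective_permit_root_login(sshd_config_text) == "no"


def audit_both_templates(permit_root_login):
    """Run the check against the buggy and fixed renderings of one setting."""
    return {
        "buggy": root_login_denied(render_sshd_config(permit_root_login, fixed=False)),
        "fixed": root_login_denied(render_sshd_config(permit_root_login, fixed=True)),
    }


if __name__ == "__main__":
    for setting in (False, "no", "yes"):
        print(f"security_sshd_permit_root_login={setting!r}: {audit_both_templates(setting)}")
```

With the default `no` (which YAML delivers as `False`), the buggy template emits nothing and the audit reports that root login is not denied by the rendered file; the reporter's `not ... | bool` condition emits the directive and the check passes. Setting the variable to `yes` produces the opposite pair, which is the counter-intuitive behaviour the report describes.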

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Low
importance: Low → Medium
tags: added: low-hanging-fruit
Changed in openstack-ansible:
assignee: nobody → Jean-Philippe Evrard (jean-philippe-evrard)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (master)

Fix proposed to branch: master
Review: https://review.openstack.org/512289

Changed in openstack-ansible:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (master)

Reviewed: https://review.openstack.org/512289
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=2cf232ae627514bccc283ef3f578e422f7bcf745
Submitter: Zuul
Branch: master

commit 2cf232ae627514bccc283ef3f578e422f7bcf745
Author: Jean-Philippe Evrard <email address hidden>
Date: Mon Oct 16 13:04:05 2017 +0000

    Fix logic error

    if security_sshd_permit_root_login is not set to yes, we should
    override this and template a "no", instead of templating a "no"
    when the value is set to yes.

    Change-Id: I747a8818762119eee63fa03d175b66ae4021f6da
    Closes-Bug: #1685194

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/519485

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/519487

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (stable/pike)

Reviewed: https://review.openstack.org/519485
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=a8afdd109b71e6d3d2e1323df0a9394208d59bd8
Submitter: Zuul
Branch: stable/pike

commit a8afdd109b71e6d3d2e1323df0a9394208d59bd8
Author: Jean-Philippe Evrard <email address hidden>
Date: Mon Oct 16 13:04:05 2017 +0000

    Fix logic error

    if security_sshd_permit_root_login is not set to yes, we should
    override this and template a "no", instead of templating a "no"
    when the value is set to yes.

    Change-Id: I747a8818762119eee63fa03d175b66ae4021f6da
    Closes-Bug: #1685194
    (cherry picked from commit 2cf232ae627514bccc283ef3f578e422f7bcf745)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (stable/ocata)

Reviewed: https://review.openstack.org/519487
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=f4a60c909d5402ce028ef8dab8ff973fa72cf81b
Submitter: Zuul
Branch: stable/ocata

commit f4a60c909d5402ce028ef8dab8ff973fa72cf81b
Author: Jean-Philippe Evrard <email address hidden>
Date: Mon Oct 16 13:04:05 2017 +0000

    Fix logic error

    if security_sshd_permit_root_login is not set to yes, we should
    override this and template a "no", instead of templating a "no"
    when the value is set to yes.

     Conflicts:
     templates/sshd_config_block.j2

    Change-Id: I747a8818762119eee63fa03d175b66ae4021f6da
    Closes-Bug: #1685194
    (cherry picked from commit 2cf232ae627514bccc283ef3f578e422f7bcf745)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 16.0.5

This issue was fixed in the openstack/ansible-hardening 16.0.5 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 15.1.13

This issue was fixed in the openstack/ansible-hardening 15.1.13 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 17.0.0.0b2

This issue was fixed in the openstack/ansible-hardening 17.0.0.0b2 development milestone.
