openstack-ansible-security: Logic fails for 'security_sshd_permit_root_login'

Bug #1685194 reported by Mike Eriksson on 2017-04-21
This bug affects 1 person
Affects: openstack-ansible | Status: Confirmed | Importance: Medium | Assigned to: Jean-Philippe Evrard

Bug Description

I spotted the following when I was running tests against a newly secured machine and got warnings that root login was still allowed although it was set to 'no' in defaults/main.yml.

[I tried to submit a pull request to GitHub but got pointed to this resource instead. Since I'm not entirely certain how to run the review and everything, I'm submitting it as a bug at least. I've got a proposed fix below, but need some assistance if I'm to submit it myself.]

From defaults/main.yml

# Permit direct root logins
security_sshd_permit_root_login: no # V-72247

That makes sense as a setting/configuration since that echoes what you'd expect to set in sshd_config yourself. However, when this is handled in tasks/rhel7stig/sshd.yml and ultimately templates/sshd_config_block.j2 this doesn't work as expected.

The part in sshd_config_block.j2 that references this is:

{% if security_sshd_permit_root_login | bool %}
# V-72247
PermitRootLogin no
{% endif %}

Basically - if the variable is set to no, the line below fails the boolean test and is not written into the sshd_config file. I believe that anyone who runs this against their hosts with this setting will still be allowing root logins although they think they're not.

If you set the variable to yes, it just 'feels and looks' wrong to me.

I'm not good enough at Ansible and Jinja2 to figure out how to do a 'negative' bool after the | so I put in the following instead:

{% if not security_sshd_permit_root_login | bool %}

Maybe there's a more elegant solution to this?

This is the first instance of this issue I've spotted but there might be more - I'll try and go through the ssh settings closer now.

Cheers, Mike
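A plain-Python rendition of the buggy and fixed template conditions described in the report above, added here as an example (it is not code from the report or from the openstack-ansible-security role). Jinja2 and Ansible are modelled rather than imported, and all function names are assumptions.

```python
# Models how Ansible evaluates `{% if security_sshd_permit_root_login | bool %}`
# when defaults/main.yml sets the variable to an unquoted `no`.

def yaml_scalar(token):
    """Approximate how PyYAML (YAML 1.1, as used by Ansible) loads an unquoted
    scalar from defaults/main.yml: yes/no/on/off/true/false become booleans."""
    lowered = token.strip().lower()
    if lowered in ("yes", "true", "on"):
        return True
    if lowered in ("no", "false", "off"):
        return False
    return token  # any other scalar stays a string

def ansible_bool(value):
    """Mirror Ansible's `bool` filter: only true-ish tokens become True,
    everything else (including a real False) becomes False."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        value = value.lower()
    return value in ("yes", "on", "1", "true", 1)

BLOCK = "# V-72247\nPermitRootLogin no\n"

def render_buggy(permit_root_login):
    # {% if security_sshd_permit_root_login | bool %} ... {% endif %}
    # With the variable set to `no`, the test is False and nothing is written.
    return BLOCK if ansible_bool(permit_root_login) else ""

def render_fixed(permit_root_login):
    # {% if not security_sshd_permit_root_login | bool %} ... {% endif %}
    # In Jinja2 the filter binds first, so this reads as `not (var | bool)`.
    return "" if ansible_bool(permit_root_login) else BLOCK

def root_login_disabled(sshd_config_text):
    """Audit a rendered sshd_config fragment: sshd honours the FIRST
    PermitRootLogin directive, and an absent directive falls back to the
    OpenSSH default, which is not 'no', so absence counts as not disabled."""
    for line in sshd_config_text.splitlines():
        parts = line.strip().split()
        if parts and parts[0].lower() == "permitrootlogin":
            return len(parts) > 1 and parts[1].lower() == "no"
    return False

if __name__ == "__main__":
    setting = yaml_scalar("no")  # what defaults/main.yml gives the role
    print("buggy template disables root login:", root_login_disabled(render_buggy(setting)))
    print("fixed template disables root login:", root_login_disabled(render_fixed(setting)))
```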

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Low
importance: Low → Medium
tags: added: low-hanging-fruit
Changed in openstack-ansible:
assignee: nobody → Jean-Philippe Evrard (jean-philippe-evrard)