Os immutable fs

roles/os_hardening/README.md

@@ -113,6 +113,22 @@ Otherwise inspec will fail. For more information, see [issue #124](https://githu
 
 We know that this is the case on Raspberry Pi.
 
+### Using with ostree system, ie coreos/silverblue
+
+If you are using os_hardening with a filesystem that has an immutable filesystem in accordance with the ostree specification, then you can set the variable `os_immutable_fs: true` (default is false).
+
+Behind the scenes, the variable ansible_package_use will be set to the rpm_ostree_pkg module, to allow the generic ansible.builtin.package module to install via that module.
+
+#### reboots
+By its nature, ostree needs to be rebooted for packages to be installed, so if any package installs, a reboot will be initiated at the end of the role, and will then wait for the remote to be ready before continuing.  To skip the reboot use the --skip-tags switch on the command line with the tag `ostree_reboot`.
+
+Currently os_immutable_fs only selects for Fedora systems, ie iot, silverblue, coreos, kinoite.
+
+#### dependencies
+For os_hardening to work, you will need the python-rpm package installed on the control node and 'pip install rpm' in the python prefix from where you are running ansible.
+
+Note that on Coreos remote systems, neither python nor python-rpm is installed as default, so for ansible to work you will have to install both packages on the remote using ansible.builtin.raw, before you use os_hardening.
+
 ## Changing sysctl variables
 
 If you want to override sysctl-variables, you can use the `sysctl_overwrite` variable (in older versions you had to override the whole `sysctl_dict`).
@@ -806,6 +822,24 @@ This role is mostly based on guides by:
   - Description: Add list of user to allow creation of .netrc in users homedir
   - Type: list of ''
   - Required: no
+- `os_immutable_fs`
+  - Default: false
+  - Description: A boolean set if the root file system is immutable ie rpm-ostree
+  - Type: 
+  - Required: no
+- `ansible_package_use`:
+  - Default: "{{ (os_immutable_fs |bool) |ternary('community.general.rpm_ostree_pkg', '') }}"
+  - Description: a string that indicates which package manager to use to ansible.builtin.package 
+           that must be to the rpm_ostree_pkg module when the os is immutable, as the default of
+           atomic_container is both deprecated and incorrect.
+  - Type: str
+  - Required: no
+- `rpm_ostree_needs_reboot`:
+  - Default: false
+  - Description: A variable used to indicate to a reboot task when the remote should be rebooted
+           to handle package installation on rpm_ostree systems.  Used internally for os_immutable_fs.
+  - Type: bool
+  - Required: no
 - `os_pam_enabled`
   - Default: `True`
   - Description: Set to false to disable installing and configuring pam.

roles/os_hardening/meta/argument_specs.yml

@@ -799,6 +799,21 @@ argument_specs:
         default: '[]'
         type: list
         description: A list of filesystems that should not be disabled
+      os_immutable_fs:
+        default: false
+        type: bool
+        description: A boolean set if the root file system is immutable ie rpm-ostree
+      ansible_package_use:
+        default: "{{ (os_immutable_fs |bool) |ternary('community.general.rpm_ostree_pkg', '') }}"
+        type: str
+        description: a string that indicates which package manager to use to ansible.builtin.package 
+           that must be set when the os is immutable, as the default of atomic_container is both
+           deprecated and incorrect.
+      os_ostree_needs_reboot:
+         default: false
+         type: bool
+         description: A variable used to indicate to a reboot task when the remote should be rebooted
+           to handle package installation on ostree systems.
       os_hardening_enabled:
         default: true
         type: bool

roles/os_hardening/tasks/auditd.yml

@@ -3,7 +3,11 @@
   ansible.builtin.package:
     name: "{{ auditd_package }}"
     state: present
+  register: os_ostree_pkgs_installed
   tags: auditd
+
+- set_fact:
+    os_ostree_needs_reboot: os_ostree_pkgs_installed.results[0].needs_reboot is true | bool
 
 - name: Configure auditd | package-08
   ansible.builtin.template:

roles/os_hardening/tasks/hardening.yml

@@ -109,6 +109,14 @@
   when:
     - ansible_facts.os_family == 'RedHat'
     - os_yum_enabled | bool
+    - not os_immutable_fs
+
+- name: Import tasks to configure ostree systems
+  ansible.builtin.import_tasks: rpm_ostree.yml
+  tags: yum
+  when:
+    - ansible_facts.os_family == 'RedHat'
+    - os_immutable_fs | bool
 
 - name: Import tasks to configure apt
   ansible.builtin.import_tasks: apt.yml

roles/os_hardening/tasks/main.yml

@@ -4,3 +4,20 @@
   when: os_hardening_enabled | bool
   tags:
     - always
+
+- name: Reboot if ostree_immutable needs_reboot is true
+  ansible.builtin.reboot:
+    msg: "Rebooting to install packages"
+    pre_reboot_delay: 0
+  when:
+    - os_immutable_fs | bool
+    - os_ostree_needs_reboot | bool
+  tags: ostree_reboot
+
+- name: Wait for ostree system to be up
+  ansible.builtin.wait_for_connection:
+    delay: 20
+  when:
+    - os_immutable_fs | bool 
+    - os_ostree_needs_reboot | bool
+  tags: ostree_reboot

roles/os_hardening/tasks/minimize_access.yml

@@ -66,7 +66,9 @@
     owner: root
     group: root
     mode: "0750"
-  when: '"change_user" not in os_security_users_allow'
+  when:
+    - '"change_user" not in os_security_users_allow'
+    - not os_immutable_fs | bool
 
 # we have to define this combined variable here, because when defining it
 # in the defaults like this:

roles/os_hardening/tasks/minimize_access_fs.yml

@@ -29,6 +29,7 @@
     mode: "{{ mount.mode }}"
   when:
     - mountpoint_exists.stat.exists | bool
+    - not os_immutable_fs | bool
 
 - name: "Register changed mountpoints"
   ansible.builtin.set_fact:

roles/os_hardening/tasks/modprobe.yml

@@ -3,6 +3,10 @@
   ansible.builtin.package:
     name: "{{ modprobe_package }}"
     state: present
+  register: os_ostree_pkgs_installed
+
+- set_fact:
+    os_ostree_needs_reboot: os_ostree_pkgs_installed.results[0].needs_reboot is true | bool
 
 - name: Check if efi is installed
   ansible.builtin.stat:

roles/os_hardening/tasks/pam.yml

@@ -16,6 +16,7 @@
     state: absent
   when:
     - ansible_facts.os_family != 'Archlinux'
+    - not os_immutable_fs | bool
 
 - name: Import tasks for Debian PAM
   ansible.builtin.import_tasks: pam_debian.yml

roles/os_hardening/tasks/pam_rhel.yml

@@ -5,6 +5,7 @@
     state: present
   when:
     - os_auth_pam_sssd_enable | bool
+    - not os_immutable_fs | bool
 
 - name: Configure passwdqc and faillock via central system-auth config
   ansible.builtin.template:

roles/os_hardening/tasks/rpm_ostree.yml

@@ -0,0 +1,11 @@
+---
+# configuration tasks for rpm_ostree systems
+# selected when os_immutable_fs == true
+# basic tasks taken from ./yum.yml
+- name: Remove deprecated or insecure packages | package-01 - package-09
+  community.general.rpm_ostree_pkg:
+    name: "{{ os_security_packages_list }}"
+    state: absent
+  when: 
+    - os_immutable_fs
+    - os_security_packages_clean | bool

roles/os_hardening/tasks/user_accounts.yml

@@ -90,6 +90,10 @@
     shell: '{{ os_nologin_shell_path }}'
     createhome: false
   loop: "{{ system_users }}"
+  when:
+    - not os_immutable_fs # fedora atomic-hosts have os_nologin as standard and nss-altfiles causes issues
+    - (system_users is defined) and (system_users | length > 0)
+      # https://github.com/dev-sec/ansible-collection-hardening/issues/857
 
 - name: Lock passwords from linux system accounts
   ansible.builtin.user:
@@ -98,8 +102,9 @@
     createhome: false
   loop: "{{ system_users }}"
   when:
-    - getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable already (locked)
-
+    - (system_users is defined) and (system_users | length > 0) # https://github.com/dev-sec/ansible-collection-hardening/issues/857
+    - (getent_shadow[item][0] is defined and getent_shadow[item][0] is not match("\!")) # password hashes containing illegal characters like "!" are unusable already (locked)
+
 - name: Limit access to home directories of regular (non-system, non-root) accounts
   ansible.builtin.file:
     mode: "0700"

roles/os_hardening/tasks/yum.yml

@@ -48,4 +48,6 @@
   ansible.builtin.dnf:
     name: "{{ os_security_packages_list }}"
     state: absent
-  when: os_security_packages_clean | bool
+  when:
+    - os_security_packages_clean | bool
+    - not os_immutable_fs

roles/os_hardening/vars/Fedora.yml

@@ -82,3 +82,7 @@ modprobe_package: module-init-tools
 auditd_package: audit
 
 hidepid_option: "2" # allowed values: 0, 1, 2
+
+os_immutable_fs: false
+ansible_package_use: "{{ (os_immutable_fs |bool) |ternary('community.general.rpm_ostree_pkg', '') }}"
+os_ostree_needs_reboot: false

roles/ssh_hardening/README.md

@@ -43,6 +43,23 @@ Since Debian 12 and Ubuntu 22.04 the ssh-daemon is not running by default anymor
 We revert this change to its traditional behaviour.
 For more information, see [this issue](https://github.com/dev-sec/ansible-collection-hardening/issues/763).
 
+### Using with ostree system, ie coreos/silverblue
+
+If you are using ssh_hardening with a filesystem that has an immutable filesystem in accordance with the ostree specification, then you can set the variable `ssh_immutable_fs: true` (default is false).
+
+Behind the scenes, the variable ansible_package_use will be set to rpm_ostree_pkg, to allow the generic ansible.builtin.package module to install via that module.
+
+#### reboots
+By its nature, ostree needs to be rebooted for packages to be installed, so if any package installs, a reboot will be initiated at the end of the role, and will then wait for the remote to be ready before continuing.  To skip the reboot use the --skip-tags switch on the command line with the tag `ostree_reboot`.
+
+Currently ssh_immutable_fs only selects for Fedora systems, ie iot, silverblue, coreos, kinoite.
+
+#### dependencies
+For os_hardening to work, you will need the python-rpm package installed on the control node and 'pip install rpm' in the python prefix from where you are running ansible.
+
+Note that on Coreos remote systems, neither python nor python-rpm is installed as default, so for ansible to work you will have to install both packages on the remote using ansible.builtin.raw, before you use ssh_hardening.  You will also need to specify the following in your playbook with reference to the ssh_hardening role:
+`ssh_authorized_keys_file: '.ssh/authorized_keys.d/ignition'`
+
 <!-- BEGIN_ANSIBLE_DOCS -->
 
 ## Supported Operating Systems
@@ -474,7 +491,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Description: The facility code that is used when logging messages from sshd.
   - Type: str
   - Required: no
-
+- `ssh_immutable_fs`:
+  - Default: false
+  - Description: A boolean set if the root file system is immutable ie rpm-ostree
+  - Type: bool
+  - Required: no
 ## Dependencies
 
 None.

roles/ssh_hardening/meta/argument_specs.yml

@@ -368,3 +368,18 @@ argument_specs:
       ssh_forward_agent:
         default: 'no'
         description: Enables the ssh forward agent for the Cli if set to 'yes'
+      ssh_immutable_fs:
+        default: false
+        type: bool
+        description: A boolean set if the root file system is immutable ie rpm-ostree
+      ansible_package_use:
+        default: "{{ (ssh_immutable_fs |bool) |ternary('community.general.rpm_ostree_pkg', '') }}"
+        type: str
+        description: a string that indicates to ansible.builtin.package which package manager to use, 
+           that must be set when the os is immutable, as the default of atomic_container is both
+           deprecated and incorrect.  Used internally by ssh_immutable_fs.
+      ssh_ostree_needs_reboot:
+         default: false
+         type: bool
+         description: A variable used to indicate to a reboot task when the remote should be rebooted
+           to handle package installation on rpm_ostree systems.  Used internally by ssh_immutable_fs.

roles/ssh_hardening/tasks/install.yml

@@ -7,6 +7,11 @@
   loop: "{{ ssh_pkgs }}"
   loop_control:
     loop_var: pkg
+  register: ssh_ostree_pkgs_installed
+
+- name: Indicate ssh_ostree_needs_reboot
+  ansible.builtin.set_fact:
+    ssh_ostree_needs_reboot: ssh_ostree_pkgs_installed.results[0].needs_reboot is true | bool
 
 # see https://github.com/dev-sec/ansible-collection-hardening/issues/763
 - name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated

roles/ssh_hardening/tasks/main.yml

@@ -5,3 +5,20 @@
     apply:
       become: true
   when: ssh_hardening_enabled | bool
+
+- name: Reboot if ostree_immutable needs_reboot is true
+  ansible.builtin.reboot:
+    msg: "Rebooting to install packages"
+    pre_reboot_delay: 0
+  when:
+    - ssh_ostree_needs_reboot | bool
+    - ssh_immutable_fs | bool
+  tags: ostree_reboot
+
+- name: Wait for ostree system to be up
+  ansible.builtin.wait_for_connection:
+    delay: 20
+  when:
+    - ssh_ostree_needs_reboot | bool
+    - ssh_immutable_fs | bool 
+  tags: ostree_reboot

roles/ssh_hardening/tasks/selinux.yml

@@ -3,6 +3,11 @@
   ansible.builtin.package:
     name: "{{ ssh_selinux_packages }}"
     state: present
+  register: ssh_ostree_pkgs_installed
+
+- name: Indicate ssh_ostree_needs_reboot
+  ansible.builtin.set_fact:
+    ssh_ostree_needs_reboot: ssh_ostree_pkgs_installed.results[0].needs_reboot is true | bool
 
 - name: Authorize the following ports for selinux - {{ ssh_server_ports }}
   community.general.seport:

roles/ssh_hardening/vars/Fedora.yml

@@ -24,3 +24,7 @@ sshd_moduli_file: /etc/ssh/moduli
 # disable CRYPTO_POLICY to take settings from sshd configuration
 # see: https://access.redhat.com/solutions/4410591
 sshd_disable_crypto_policy: true
+
+ssh_immutable_fs: false
+ansible_package_use: "{{ (ssh_immutable_fs |bool) |ternary('community.general.rpm_ostree_pkg', '') }}"
+ssh_ostree_needs_reboot: false