dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

Error when using the ssh_hardening role #519

Closed obvionaoe closed 2 years ago

obvionaoe commented 2 years ago

Describe the bug

I'm getting an error when using the ssh_hardening role from the collection. I don't know how to debug it since it gives an error from a temporary file.

Expected behavior

The role should run without any issues

Actual behavior

TASK [roles/ansible_collections/devsec/hardening/roles/ssh_hardening : Create sshd_config and set permissions to root/600] ***************************************************************************************************************************************************************
fatal: [main]: FAILED! => {"changed": false, "checksum": "d3469635fff016d9c8b4ae13264f7291a109683e", "exit_status": 255, "msg": "failed to validate", "stderr": "/root/.ansible/tmp/ansible-tmp-1641774009.653889-60739-3401062524539/source line 14: unsupported option \"True\".\r\n", "stderr_lines": ["/root/.ansible/tmp/ansible-tmp-1641774009.653889-60739-3401062524539/source line 14: unsupported option \"True\"."], "stdout": "", "stdout_lines": []}

Example Playbook

- hosts: all
  become: true
  tasks:
    - name: SSH Hardening
      include_role:
        name: roles/ansible_collections/devsec/hardening/roles/ssh_hardening
      vars:
        network_ipv6_enable: false
        ssh_permit_root_login: yes

OS / Environment

Ubuntu 20.04

Ansible Version

ansible [core 2.12.1]
  config file = $HOME/projects/personal/ansible/playbooks/server/ansible.cfg
  configured module search path = ['$HOME/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.10/site-packages/ansible
  ansible collection location = $HOME/projects/personal/ansible/playbooks/server/roles
  executable location = /usr/bin/ansible
  python version = 3.10.1 (main, Dec 18 2021, 23:53:45) [GCC 11.1.0]
  jinja version = 3.0.3
  libyaml = True

Role Version

7.14.0


rndmh3ro commented 2 years ago

Please see the documentation:

ssh_permit_root_login

    Default: no
    Description: Disable root-login. Set to 'without-password' or 'yes' to enable root-login - The quotes are required!

You need to use quotes:

- hosts: all
  become: true
  tasks:
    - name: SSH Hardening
      include_role:
        name: roles/ansible_collections/devsec/hardening/roles/ssh_hardening
      vars:
        network_ipv6_enable: false
        ssh_permit_root_login: "yes"

obvionaoe commented 2 years ago

Well this worked before without quotes... Thanks!

rndmh3ro commented 2 years ago

You're right, it did work on an older version. But since the permit root option takes other values besides yes and no it was changed to a string.
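The mechanism behind the failure above, as an added example that is not part of the issue or of the ssh_hardening role: a YAML 1.1 loader (the regex is PyYAML's own) turns an unquoted `yes` into Python `True`, Jinja then renders it as the text `True` into sshd_config, and sshd's validation rejects it; the quoted form survives as the string `yes`. The template line, the `validate` step and the sshd value list are modelled here, not taken from the role.

```python
import re
from typing import Optional

# Plain scalars that PyYAML's YAML 1.1 resolver turns into Python booleans.
# The regex is PyYAML's own; everything else here is a constructed model of the
# template/validate chain in the issue, not the ssh_hardening role's code.
YAML11_BOOL = re.compile(
    r"^(?:yes|Yes|YES|no|No|NO|true|True|TRUE|false|False|FALSE|on|On|ON|off|Off|OFF)$"
)
YAML11_TRUE = {"yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"}
# Values sshd accepts for PermitRootLogin (sshd_config(5)).
PERMIT_ROOT_LOGIN_VALUES = {
    "yes", "no", "without-password", "prohibit-password", "forced-commands-only"}

def yaml_scalar(raw: str):
    """Resolve one YAML scalar as a YAML 1.1 loader does: a quoted scalar
    stays a string, an unquoted one matching the bool pattern becomes a bool."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if YAML11_BOOL.match(raw):
        return raw in YAML11_TRUE
    return raw

def render_permit_root_login(value) -> str:
    """Model of the template line `PermitRootLogin {{ ssh_permit_root_login }}`:
    Jinja stringifies the variable, so Python True becomes the text 'True'."""
    return f"PermitRootLogin {value}"

def validate_sshd_line(line: str) -> Optional[str]:
    """Model of the sshd -t style check run through the task's validate option:
    None if the value is accepted, otherwise the complaint as sshd words it."""
    keyword, _, value = line.partition(" ")
    if keyword == "PermitRootLogin" and value not in PERMIT_ROOT_LOGIN_VALUES:
        return f'unsupported option "{value}"'
    return None

def check_playbook_value(raw: str) -> Optional[str]:
    """Whole chain for one ssh_permit_root_login value as typed in the playbook."""
    return validate_sshd_line(render_permit_root_login(yaml_scalar(raw)))

if __name__ == "__main__":
    for raw in ("yes", '"yes"', "no", '"no"', "without-password"):
        print(f"{raw:18} -> {check_playbook_value(raw) or 'ok'}")
```

Note that an unquoted `no` fails the same way once the variable is a string, since it renders as `False`; quoting both values is the safe habit.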

obvionaoe commented 2 years ago

Gotcha! Thanks