dev-sec / ansible-collection-hardening

This Ansible collection provides battle-tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

Allow skipping /proc mount options management #780

Open Tristan971 opened 2 months ago

Tristan971 commented 2 months ago

Description

Seems like you cannot remount /proc (anymore? never could? unsure) for LXC containers, at least in some cases.

It is persistently failing with the following error here (Ubuntu 22.04 inside Proxmox 8.2, kernel is 6.8.4):

TASK [devsec.hardening.os_hardening : Set option hidepid for proc filesystem] ***************************************
fatal: [quic-tests-lon1]: FAILED! => changed=false 
  ansible_facts:
    discovered_interpreter_python: /usr/bin/python3
  msg: |-
    Error mounting /proc: umount: /proc: target is busy.

Solution

I would have filed it as a bug report, but given https://github.com/dev-sec/ansible-collection-hardening/issues/460#issuecomment-1875554371, I believe it might be better to allow leaving /proc as-is in general.

Allowing it to be skipped altogether also happens to match the similar toggles like os_mnt_boot_enabled, os_mnt_home_enabled, os_mnt_var_enabled, etc.

Alternatives

Figuring out whether it is intended for /proc to be remountable on LXC in the first place, and if yes finding the culprit between the Kernel, Proxmox, Ubuntu, and the Apparmor profiles of the host and guest... all for rather minimal value.

Additional information

I'm willing to make the PR for this feature to happen
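Added example (not part of the issue above and not the collection's own code): a pre-check that reads /proc/self/mountinfo, finds the procfs mount on /proc and reports the hidepid mode already in effect, so a playbook could gate the remount task on "would this change anything" instead of always issuing it and failing with "target is busy" where a remount is refused. It assumes the mountinfo layout documented in proc(5) and the named hidepid values (off/noaccess/invisible/ptraceable) that kernels 5.8 and later report; older kernels report the numeric form, which is normalised. The sample mountinfo lines are constructed, not captured from the reporter's host.

```python
"""Pre-check for a hidepid remount of /proc, driven by /proc/self/mountinfo.

Example code added to the issue page, not part of the collection.
Assumptions: mountinfo layout per proc(5); named hidepid values as reported
by kernels 5.8 and later (older kernels report the numeric form)."""
import re
from typing import Optional

# Numeric and named spellings of the same hidepid mode, normalised to the
# named form so that "2" (what a playbook typically sets) and "invisible"
# (what a 6.x kernel reports back) compare equal.
_HIDEPID_ALIASES = {
    "0": "off", "off": "off",
    "1": "noaccess", "noaccess": "noaccess",
    "2": "invisible", "invisible": "invisible",
    "4": "ptraceable", "ptraceable": "ptraceable",
}

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> list[dict]:
    """Parse /proc/self/mountinfo into a list of dicts, in file order.

    Each line is:
      id parent maj:min root mountpoint mount-opts [tags...] - fstype source sb-opts
    The per-superblock options (where hidepid lives) follow the ' - ' separator."""
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue  # blank or malformed line: skip rather than guess
        pre_fields, post_fields = pre.split(), post.split()
        if len(pre_fields) < 6 or len(post_fields) < 3:
            continue
        mounts.append({
            "mountpoint": _unescape(pre_fields[4]),
            "mount_opts": pre_fields[5],
            "fstype": post_fields[0],
            "source": _unescape(post_fields[1]),
            "sb_opts": post_fields[2],
        })
    return mounts


def proc_hidepid(mountinfo: str) -> Optional[str]:
    """Return the hidepid mode in effect on /proc (named form), or None if
    /proc is not a procfs mount or carries no hidepid option.

    Later lines shadow earlier ones, matching how stacked mounts behave."""
    current = None
    for m in parse_mountinfo(mountinfo):
        if m["mountpoint"] != "/proc" or m["fstype"] != "proc":
            continue
        current = None  # a fresh procfs mount without hidepid resets the mode
        for opt in m["sb_opts"].split(","):
            key, _, val = opt.partition("=")
            if key == "hidepid":
                current = _HIDEPID_ALIASES.get(val, val)
    return current


def hidepid_remount_needed(mountinfo: str, desired: str) -> bool:
    """True if /proc is not already running with the requested hidepid mode.
    A task guarded by this is a no-op on hosts that already comply."""
    want = _HIDEPID_ALIASES.get(str(desired), str(desired))
    return proc_hidepid(mountinfo) != want


# Constructed sample inputs (not captured from any real host).
SAMPLE_DEFAULT = r"""
24 31 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
25 31 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:8 - sysfs sysfs rw
26 31 8:1 / /mnt/my\040data rw,relatime shared:9 - ext4 /dev/sda1 rw
"""
SAMPLE_HARDENED_6X = r"""
24 31 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw,gid=1001,hidepid=invisible
"""
SAMPLE_HARDENED_OLD = r"""
24 31 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw,hidepid=2
"""

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        live = fh.read()
    print("current hidepid on /proc:", proc_hidepid(live))
    print("remount needed for hidepid=2:", hidepid_remount_needed(live, "2"))
```

Run as a script it inspects the live host; a playbook could run the same check in a pre-task and set a fact from its result. Note that it only tells you whether a remount would change anything; it cannot tell you whether the remount will be permitted, which is the separate question the reporter raises for LXC guests.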