konstruktoid / ansible-role-hardening

Ansible role to apply a security baseline. Systemd edition.
Apache License 2.0
535 stars 112 forks

[BUG] Missing privilege separation directory: /run/sshd #756

Open egorksv opened 1 week ago

egorksv commented 1 week ago

Describe the bug

Error during initial ansible run, works fine on re-running provisioning

TASK [konstruktoid.hardening : Configure sshd using sshd_config.d] *************
fatal: [testbox]: FAILED! => {"changed": false, "checksum": "5fc62ec3b19ce4d13b89ce4bee077fd86dd615b7", "exit_status": 255, "msg": "failed to validate", "stderr": "Missing privilege separation directory: /run/sshd\r\n", "stderr_lines": ["Missing privilege separation directory: /run/sshd"], "stdout": "", "stdout_lines": []}

To Reproduce

Running with Vagrant:

# Vagrantfile to test Ansible scripts locally
Vagrant.configure('2') do |config|
  config.vagrant.plugins = "vagrant-qemu"

  config.vm.define "testbox" do |machine|
    machine.vm.box = 'cloud-image/ubuntu-24.04'
    machine.vm.hostname = "webserver"
    machine.vm.provider "qemu" do |vb|
      vb.cpus = '1'
      vb.memory = '1024'
    end
  end

  config.vm.provision "ansible" do |ansible|
    ansible.version = "2.7.15"
    ansible.compatibility_mode = "2.0"
    ansible.become = true
    ansible.become_user = "root"
    ansible.playbook = "ansible/openbao-server.yml"
    ansible.verbose = "v"
    ansible.groups = {
      "webservers" => ["testbox"]
    }
  end

end

Tasks.yml:

---
  - name: Import the hardening role
    ansible.builtin.import_role:
      name: konstruktoid.hardening
    vars:
      sshd_admin_net:
        - 10.0.2.0/24
        - 192.168.0.0/24
        - 192.168.1.0/24
      suid_sgid_permissions: false
      disable_wireless: true

egorksv commented 1 week ago

UPD: Read as "Ansible Galaxy has very old version 1.15.0"

Disregard that, still happens in v2.1.1

Confirmed fixed on master

konstruktoid commented 1 week ago

Hi @egorksv, yeah I've seen that as well when using some images. The directory is created when the sshd is restarted IIRC.

I'll add a task that creates the directory beforehand.

konstruktoid commented 1 week ago

https://github.com/systemd/systemd/releases/tag/v256 (SSH Integration) mentions it, but the issue is a proper classic.

"The generated unit only works correctly if the SSH privilege separation ("privsep") directory exists. Unfortunately distributions vary wildly where they place this directory. An incomprehensive list:

    • /usr/share/empty.sshd/  (new fedora)
    • /var/empty/
    • /var/empty/sshd/
    • /run/sshd/              (debian/ubuntu?)

  If the SSH privsep directory is placed below /var/ or /run/ care
  needs to be taken that the directory is created automatically at boot
  if needed, since these directories possibly or always come up
  empty. This can be done via a tmpfiles.d/ drop-in. You may use the
  "sshdprivsepdir" meson option provided by systemd to configure the
  directory, in case you want systemd to create the directory as needed
  automatically, if your distribution does not cover this natively."
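An added example, not the role's own code nor the fix merged for this issue, of the approach described above: create the privsep directory before sshd validates its configuration, and add a tmpfiles.d drop-in so the directory is recreated at boot (/run is a tmpfs). The path /run/sshd and mode 0755 are assumed for Debian/Ubuntu; other distributions use the locations listed in the quoted systemd notes.

```yaml
# Added example (assumed Debian/Ubuntu layout: privsep dir is /run/sshd).
- name: Ensure the sshd privilege separation directory exists now
  ansible.builtin.file:
    path: /run/sshd
    state: directory
    owner: root
    group: root
    mode: "0755"

# /run is a tmpfs, so persist the directory across reboots with a tmpfiles.d
# drop-in; systemd-tmpfiles creates it early at boot, before sshd starts.
- name: Recreate the privsep directory at boot via tmpfiles.d
  ansible.builtin.copy:
    dest: /etc/tmpfiles.d/sshd-privsep.conf
    owner: root
    group: root
    mode: "0644"
    content: |
      # Type Path       Mode UID  GID  Age
      d     /run/sshd  0755 root root -

# Re-run the same check that failed in the report: sshd -t exits non-zero
# (and prints "Missing privilege separation directory") if the dir is absent.
- name: Verify sshd can validate its configuration
  ansible.builtin.command: /usr/sbin/sshd -t
  changed_when: false
```

Run these tasks before any task that validates sshd_config (or its sshd_config.d drop-ins) with sshd -t, otherwise the first provisioning run still fails on images that ship without the directory.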

konstruktoid commented 1 week ago

Fix is on its way.

konstruktoid commented 1 week ago

Better handling of privsep directories merged in https://github.com/konstruktoid/ansible-role-hardening/pull/758, will publish a new release soon.

konstruktoid commented 2 days ago

https://github.com/konstruktoid/ansible-role-hardening/releases/tag/v2.2.0 released with the fix included