added os_immutable_fs to os_hardening and ssh_hardening and edited tasks to allow both roles to work with redhat and fedora immutable filesystem os's - next step to add support for ubuntu core

Author: millerthegorilla

roles/os_hardening/README.md

@@ -116,7 +116,9 @@ We know that this is the case on Raspberry Pi.
 
 ### Using with ostree system, ie coreos/silverblue
 
-If you are using os_hardening with a filesystem that has immutable directories in accordance with the ostree specification, then you can set the variable `os_immutable_fs: true`.  It defaults to `ansible_facts.pkg_mgr == 'atomic_container'` and so should compensate for the immutable file system by default.
+If you are using os_hardening with a filesystem that has an immutable filesystem in accordance with the ostree specification, then you can set the variable `os_immutable_fs: True`, which defaults to `os_immutable_fs: "{{ (ansible_facts.pkg_mgr == 'atomic_container') | bool }} "` and so should compensate for the immutable file system by default.
+However, for os_hardening to work, you will need at least python-rpm package installed.
+Note that on Coreos systems, neither python nor python-rpm is installed as default.
 
 ## Variables
 =======
@@ -815,8 +817,8 @@ This role is mostly based on guides by:
   - Type: list of ''
   - Required: no
 - `os_immutable_fs`
-  - Default: `ansible_facts.pkg_mgr == 'atomic_container'`
-  - Description: Specify that file system is immutable in accordance with ostree system ie coreos/silverblue 
+  - Default: `"{{ (ansible_facts.pkg_mgr == 'atomic_container') | bool }} "`
+  - Description: Specify that file system is immutable in accordance with ostree system ie coreos/silverblue.  Default is boolean depending on ansible_facts.
 - `os_pam_enabled`
   - Default: `True`
   - Description: Set to false to disable installing and configuring pam.

roles/os_hardening/defaults/main.yml

@@ -54,8 +54,6 @@ os_security_packages_list: [xinetd, inetd, ypserv, telnet-server, rsh-server, pr
 os_security_init_prompt: true
 # Require root password for single user mode. (rhel, centos)
 os_security_init_single: false
-# Set to true if filesystem is immutable (ie ostree or similar)
-os_immutable_fs: ansible_facts.pkg_mgr == 'atomic_container'
 
 # Apply ufw defaults
 ufw_manage_defaults: true

roles/os_hardening/tasks/hardening.yml

@@ -28,6 +28,13 @@
   with_dict: "{{ os_vars }}"
   tags: always
 
+# I am unable to get the above code to recognise os_immutable_fs
+# set in var/Fedora.yml so I set it explicitly here.
+- name: set fact
+  ansible.builtin.set_fact:
+    "os_immutable_fs": "{{ ansible_facts.pkg_mgr == 'atomic_container' }}"
+  tags: always
+
 - name: Import tasks for auditd
   ansible.builtin.import_tasks: auditd.yml
   tags: auditd
@@ -110,6 +117,13 @@
     - ansible_facts.os_family == 'RedHat'
     - os_yum_enabled | bool
 
+- name: Import tasks to configure yum
+  ansible.builtin.import_tasks: rpm_ostree.yml
+  tags: yum
+  when:
+    - ansible_facts.os_family == 'RedHat'
+    - os_immutable_fs | bool
+
 - name: Import tasks to configure apt
   ansible.builtin.import_tasks: apt.yml
   tags: apt

roles/os_hardening/tasks/rpm_ostree.yml

@@ -0,0 +1,9 @@
+---
+# configuration tasks for rpm_ostree systems
+# selected when os_immutable_fs == true
+# basic tasks taken from ./yum.yml
+- name: Remove deprecated or insecure packages | package-01 - package-09
+  community.general.rpm_ostree_pkg:
+    name: "{{ os_security_packages_list }}"
+    state: absent
+  when: os_security_packages_clean | bool

roles/os_hardening/tasks/yum.yml

@@ -49,3 +49,4 @@
     name: "{{ os_security_packages_list }}"
     state: absent
   when: os_security_packages_clean | bool
+  when: not os_immutable_fs

roles/os_hardening/vars/Fedora.yml

@@ -82,3 +82,5 @@ modprobe_package: module-init-tools
 auditd_package: audit
 
 hidepid_option: "2" # allowed values: 0, 1, 2
+
+os_immutable_fs: "{{ (ansible_facts.pkg_mgr == 'atomic_container') | bool }} "

roles/os_hardening/vars/RedHat.yml

@@ -82,3 +82,5 @@ modprobe_package: module-init-tools
 auditd_package: audit
 
 hidepid_option: "2" # allowed values: 0, 1, 2
+
+os_immutable_fs: "{{ (ansible_facts.pkg_mgr == 'atomic_container') | bool }} "

roles/ssh_hardening/tasks/hardening.yml

@@ -22,6 +22,13 @@
   with_dict: "{{ os_vars }}"
   tags: always
 
+# I am unable to get the above code to recognise os_immutable_fs
+# set in var/Fedora.yml so I set it explicitly here.
+- name: set fact
+  ansible.builtin.set_fact:
+    "os_immutable_fs": "{{ ansible_facts.pkg_mgr == 'atomic_container' }}"
+  tags: always
+
 - name: Install openssh package and configure the service
   ansible.builtin.include_tasks: install.yml
 

roles/ssh_hardening/tasks/install.yml

@@ -1,5 +1,10 @@
 ---
 
+- name: set fact for os_immutable_fs
+  set_fact: 
+    ansible_package_use: "community.general.rpm_ostree_pkg" 
+  when: os_immutable_fs | bool
+
 - name: Install openssh package(s)
   ansible.builtin.package:
     name: "{{ pkg }}"
@@ -8,6 +13,12 @@
   loop_control:
     loop_var: pkg
 
+- name: reboot if ostree_immutable needs_reboot is true
+  ansible.builtin.reboot:
+    msg: "Rebooting to install packages"
+    pre_reboot_delay: 0
+  when: ssh_pkgs_installed.results[0].needs_reboot
+
 # see https://github.com/dev-sec/ansible-collection-hardening/issues/763
 - name: Change Debian/Ubuntu systems so ssh starts traditionally instead of socket-activated
   ansible.builtin.include_tasks: disable-systemd-socket.yml

roles/ssh_hardening/vars/Fedora.yml

@@ -24,3 +24,5 @@ sshd_moduli_file: /etc/ssh/moduli
 # disable CRYPTO_POLICY to take settings from sshd configuration
 # see: https://access.redhat.com/solutions/4410591
 sshd_disable_crypto_policy: true
+
+os_immutable_fs: "{{ (ansible_facts.pkg_mgr == 'atomic_container') | bool }} "