Comments (7)

uk-bolly commented on June 18, 2024

hi @dderemiah

The changes are just to the format of the variable and the way it can be reused in other locations; there should have been no impact to the previous settings. While I try to replicate this problem, just to confirm the understanding, if you could provide a copy of your current settings, we can see if we understand the exact issue.

many thanks

uk-bolly

from ubuntu22-cis.

uk-bolly commented on June 18, 2024

hi @dderemiah

Just to follow up:
I have run with the current devel (the changes as expected were made) and the new community_work_fix branch, and it doesn't change the config and sshd is able to be restarted without an issue. So if you do have a copy of your settings and the latest community branch changes still break, please let us know.

TASK [Linux/REMEDIATE/UBUNTU22-CIS : 5.2.13 | PATCH | Ensure only strong Ciphers are used] *************************************
ok: [ubuntu22_04]

TASK [Linux/REMEDIATE/UBUNTU22-CIS : 5.2.14 | PATCH | Ensure only strong MAC algorithms are used] ******************************
ok: [ubuntu22_04]

TASK [Linux/REMEDIATE/UBUNTU22-CIS : 5.2.15 | PATCH | Ensure only strong Key Exchange algorithms are used] *********************
ok: [ubuntu22_04]

many thanks

uk-bolly


dderemiah commented on June 18, 2024

If I am changing the defaults using a vars_file with the role and I have the old format of:

```yaml
ubtu22cis_sshd:
  log_level: "INFO"
  max_auth_tries: 4
  ciphers: "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr"
  macs: "[email protected],[email protected],hmac-sha2-512,hmac-sha2-256"
  kex_algorithms: "curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
  client_alive_interval: 300
  client_alive_count_max: 3
  login_grace_time: 60
  max_sessions: 8
  allow_users: ""
  allow_groups: ""
  deny_users: "ubuntu"
  deny_groups: "uucp"
```

And I update my role with the community fixes and don't notice that the format of ciphers, macs, and kex_algorithms has changed, I will end up with an invalid sshd_config. Normally this would not be a huge issue because I could correct the vars file and rerun, but don't you agree that since this is a common condition and it breaks Ansible indirectly by disabling ssh, it warrants an assertion?


uk-bolly commented on June 18, 2024

hi @dderemiah

Thank you again for the feedback on this. While the changelog is updated to state the changes, this could be a good idea to ensure that the new format is followed. I will work to add an assertion that the ssh formats are in the correct layout.

Many thanks

uk-bolly


uk-bolly commented on June 18, 2024

hi @dderemiah

I believe this should now be resolved. I have added a validate to each section to test the configuration is valid before allowing the commit, rather than using another assert.
This has been merged and added to devel; please let me know if this fixes the issues for you?

many thanks

uk-bolly

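To illustrate the two safeguards discussed in this thread (an assertion that the cipher, MAC and KEX variables are in the expected layout, and a `validate:` that lets sshd check the file before it is committed), here is an added Ansible example. It is not the ubuntu22-cis role's own code; the variable name `ubtu22cis_sshd`, the list-based layout, the drop-in path and the handler name are assumptions made for the example.

```yaml
# Added example, not code from the ubuntu22-cis role. Assumed variable layout:
# the sshd algorithm settings are YAML lists (the "new format" discussed above).
- name: Example | Guard sshd algorithm settings before touching sshd_config
  hosts: all
  become: true
  vars:
    ubtu22cis_sshd:
      ciphers: [aes256-ctr, aes192-ctr, aes128-ctr]
      macs: [hmac-sha2-512, hmac-sha2-256]
      kex_algorithms: [curve25519-sha256, diffie-hellman-group16-sha512]
  tasks:
    - name: Assert the algorithm variables are lists, not comma-separated strings
      ansible.builtin.assert:
        that:
          - ubtu22cis_sshd.ciphers is sequence and ubtu22cis_sshd.ciphers is not string
          - ubtu22cis_sshd.macs is sequence and ubtu22cis_sshd.macs is not string
          - ubtu22cis_sshd.kex_algorithms is sequence and ubtu22cis_sshd.kex_algorithms is not string
        fail_msg: >-
          ubtu22cis_sshd.ciphers, .macs and .kex_algorithms must be YAML lists;
          check your vars file against the role changelog before running again.

    - name: Write the algorithm drop-in, validated by sshd before it is committed
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/50-cis-algorithms.conf
        owner: root
        group: root
        mode: "0600"
        content: |
          Ciphers {{ ubtu22cis_sshd.ciphers | join(',') }}
          MACs {{ ubtu22cis_sshd.macs | join(',') }}
          KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | join(',') }}
        # sshd -t parses the temporary copy (%s) and exits non-zero on an unknown
        # or malformed option, so a broken file never replaces the live config.
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

With the old string format the assert fails first; even if it were skipped, `join` over a string would emit a nonsense line and `sshd -t` would reject the file before it is committed. Note that `validate` checks the drop-in on its own, not the merged configuration, so a conflicting directive in another file would still need a separate check.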

dderemiah commented on June 18, 2024

Confirmed this fixes the issue. Thanks Bolly!


uk-bolly commented on June 18, 2024

hi @dderemiah

I believe that this issue has been addressed and the fix merged?
I will close this issue, please feel free to reopen or raise a new one if this particular problem still exists.

Many thanks

uk-bolly
