Comments (7)
hi @dderemiah
The changes are just to the format of the variable and the way it can be reused in other locations; there should have been no impact to the previous settings. While I try to replicate this problem, just to confirm the understanding, if you could provide a copy of your current settings, we can see if we understand the exact issue.
many thanks
uk-bolly
from ubuntu22-cis.
hi @dderemiah
Just to follow up
I have run with the current devel (the changes as expected were made) and the new community_work_fix branch and it doesn't change the config, and sshd is able to be restarted without an issue. So if you do have a copy of your settings and the latest community branch changes still break, please let us know.
TASK [Linux/REMEDIATE/UBUNTU22-CIS : 5.2.13 | PATCH | Ensure only strong Ciphers are used] *************************************
ok: [ubuntu22_04]
TASK [Linux/REMEDIATE/UBUNTU22-CIS : 5.2.14 | PATCH | Ensure only strong MAC algorithms are used] ******************************
ok: [ubuntu22_04]
TASK [Linux/REMEDIATE/UBUNTU22-CIS : 5.2.15 | PATCH | Ensure only strong Key Exchange algorithms are used] *********************
ok: [ubuntu22_04]
many thanks
uk-bolly
If I am changing the defaults using a vars_file with the role and I have the old format of:

```yaml
ubtu22cis_sshd:
  log_level: "INFO"
  max_auth_tries: 4
  ciphers: "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr"
  macs: "[email protected],[email protected],hmac-sha2-512,hmac-sha2-256"
  kex_algorithms: "curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
  client_alive_interval: 300
  client_alive_count_max: 3
  login_grace_time: 60
  max_sessions: 8
  allow_users: ""
  allow_groups: ""
  deny_users: "ubuntu"
  deny_groups: "uucp"
```
And I update my role with the community fixes and don't notice that the format of ciphers, macs, and kex_algorithms has changed, I will end up with an invalid sshd_config. Normally this would not be a huge issue because I could correct the vars file and rerun, but don't you agree, since this is a common condition and it breaks Ansible indirectly by disabling ssh, that it warrants an assertion?
hi @dderemiah
Thank you again for the feedback on this. While the changelog is updated to state the changes, this could be a good idea to ensure that the new format is followed. I will work to add an assertion that the ssh formats are in the correct layout.
Many thanks
uk-bolly
hi @dderemiah
I believe this should now be resolved. I have added a validate to each section to test the configuration is valid before allowing the commit, rather than using another assert.
This has been merged and added to devel, please let me know if this fixes the issues for you?
many thanks
uk-bolly
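The validate-before-commit approach described in this comment, written out as an added example (not the ubuntu22-cis role's own tasks); the drop-in path, the handler name and the assumption that the three algorithm settings are single comma-separated strings (as in the vars file earlier in the thread) are mine, not the role's:

```yaml
# Added example, not the ubuntu22-cis role's own code.
# Assumptions: the drop-in path and handler name below, and that
# ubtu22cis_sshd.ciphers / .macs / .kex_algorithms are comma-separated strings.
- name: "5.2.13-15 | PATCH | Guard against mis-formatted sshd algorithm vars"
  ansible.builtin.assert:
    that:
      - ubtu22cis_sshd.ciphers is string
      - ubtu22cis_sshd.macs is string
      - ubtu22cis_sshd.kex_algorithms is string
    fail_msg: "ubtu22cis_sshd ciphers/macs/kex_algorithms must be comma-separated strings"

- name: "5.2.13-15 | PATCH | Write strong Ciphers, MACs and KexAlgorithms"
  ansible.builtin.copy:
    content: |
      Ciphers {{ ubtu22cis_sshd.ciphers }}
      MACs {{ ubtu22cis_sshd.macs }}
      KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms }}
    dest: /etc/ssh/sshd_config.d/50-cis-algorithms.conf   # assumed path
    owner: root
    group: root
    mode: "0600"
    # sshd parses the candidate file before Ansible replaces dest; an unknown
    # algorithm name, a list rendered as "['...']" or a stray quote fails the
    # task here instead of leaving sshd unable to restart afterwards.
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart sshd   # assumed handler name
```

If the vars file still carries a value in an unexpected shape, the play stops at the assert or at validate, and the live sshd configuration is left untouched.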
Confirmed this fixes the issue. Thanks Bolly!
hi @dderemiah
I believe that this issue has been addressed and the fix merged?
I will close this issue, please feel free to reopen or raise a new one if this particular problem still exists.
Many thanks
uk-bolly