From be0e7f78090cbaa8a8360bf628ed3c50a8cacda8 Mon Sep 17 00:00:00 2001
From: schurzi <schurzi@drachen-server.de>
Date: Sat, 18 Jul 2020 10:20:09 +0200
Subject: [PATCH] add support for CentOS8 (#309)

* add testing for CentOS8

Adds testing environments for CentOS8 to local Kitchen and remote Travis
tests. Currently only local Kitchen Docker tests are verified.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* disable system wide CRYPTO_POLICY on RHEL8+

by default sshd will not use the crypto settings from sshd_config. To
make the settings effective we need to disable the system wide
CRYPTO_POLICY.

see: https://access.redhat.com/solutions/4410591

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* Set volume variable for travis tests to use cgroups mount where needed

Signed-off-by: Sebastian Gumprich <github@gumpri.ch>

Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
---
 .kitchen.vagrant.yml |  3 +++
 .kitchen.yml         | 14 ++++++++++++++
 .travis.yml          | 38 +++++++++++++++++++++++++++-----------
 defaults/main.yml    |  4 ++++
 tasks/hardening.yml  | 10 ++++++++++
 5 files changed, 58 insertions(+), 11 deletions(-)

diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
index 2a1dff0..2c43610 100644
--- a/.kitchen.vagrant.yml
+++ b/.kitchen.vagrant.yml
@@ -33,6 +33,9 @@ platforms:
 - name: centos-7
   driver_config:
     box: bento/centos-7
+- name: centos-8
+  driver_config:
+    box: bento/centos-8
 - name: oracle-6
   driver_config:
     box: bento/oracle-6
diff --git a/.kitchen.yml b/.kitchen.yml
index e243825..10d97ab 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -36,6 +36,20 @@ platforms:
     provision_command:
       - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
       - systemctl enable sshd.service
+- name: centos8-ansible-latest
+  driver:
+    image: rndmh3ro/docker-centos8-ansible:latest
+    platform: centos
+    cap_add:
+      - SYS_ADMIN
+    volume:
+      - /sys/fs/cgroup:/sys/fs/cgroup
+    run_command: /sbin/init
+    provision_command:
+      - sed -i '/nologin/d' /etc/pam.d/sshd
+      - systemctl enable sshd.service
+  provisioner:
+    ansible_binary_path: "/usr/local/bin"
 - name: oracle6-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle6-ansible:latest
diff --git a/.travis.yml b/.travis.yml
index 9d6c215..1caf394 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,55 +5,71 @@ env:
   - distro: centos6
     version: latest
     init: /sbin/init
+    volume: ":"
 
   - distro: centos7
     init: /usr/lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    run_opts: "--privileged"
     version: latest
+    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+
+  - distro: centos8
+    init: /usr/lib/systemd/systemd
+    run_opts: "--privileged"
+    version: latest
+    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: oracle6
     version: latest
     init: /sbin/init
+    volume: ":"
 
 #  - distro: oracle7
 #    init: /usr/lib/systemd/systemd
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+#    run_opts: "--privileged"
 #    version: latest
 
   - distro: ubuntu1604
     version: latest
     init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    run_opts: "--privileged"
+    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: ubuntu1804
     version: latest
     init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    run_opts: "--privileged"
+    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: debian9
     version: latest
     init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    run_opts: "--privileged"
+    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: debian10
     version: latest
     init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    run_opts: "--privileged"
+    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: amazon
     init: /lib/systemd/systemd
     version: latest
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    run_opts: "--privileged"
+    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: fedora
     init: /lib/systemd/systemd
     version: latest
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    run_opts: "--privileged"
+    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: arch
     init: /lib/systemd/systemd
     version: latest
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    run_opts: "--privileged"
+    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 before_install:
   # Pull container
@@ -65,7 +81,7 @@ script:
 
   - container_id=$(mktemp)
   # Run container in detached state.
-  - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
+  - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
   # Test role.
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff'
@@ -73,7 +89,7 @@ script:
 
   # Verify role
   # remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141
-  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit'
+  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 sshd-49 --no-distinct-exit'
   # remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21
   - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
 
diff --git a/defaults/main.yml b/defaults/main.yml
index 8d080f4..6d060f7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -262,3 +262,7 @@ sshd_syslog_facility: 'AUTH'
 sshd_log_level: 'VERBOSE'
 
 sshd_strict_modes: yes
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true
diff --git a/tasks/hardening.yml b/tasks/hardening.yml
index d838bf7..e88877a 100644
--- a/tasks/hardening.yml
+++ b/tasks/hardening.yml
@@ -97,3 +97,13 @@
 - name: include selinux specific tasks
   include_tasks: selinux.yml
   when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"
+
+- name: disable system CRYPTO_POLICY for RHEL8+
+  lineinfile:
+    path: /etc/sysconfig/sshd
+    regexp: 'CRYPTO_POLICY='
+    line: CRYPTO_POLICY=
+  when:
+    - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
+    - ansible_facts.distribution_version is version('8.0', '>=')
+    - sshd_disable_crypto_policy | bool
\ No newline at end of file