
Comments (5)

drybjed commented on May 22, 2024 1

Hi. Actually, I decided to switch to a template-based approach instead of using the sysctl module. The primary reason was because sysctl configuration can be kept in multiple files located in multiple directories. If you look at the sysctl(8) man page, you can find the description of the sysctl --system parameter:

       --system
              Load settings from all system configuration files.
              /run/sysctl.d/*.conf
              /etc/sysctl.d/*.conf
              /usr/local/lib/sysctl.d/*.conf
              /usr/lib/sysctl.d/*.conf
              /lib/sysctl.d/*.conf
              /etc/sysctl.conf

This means that in the event that other Ansible roles apply their own configuration that might override the parameters specified by the debops.sysctl role, these parameters are respected by the sysctl --system command and idempotent loops that switch between one value and another depending on what command is used (sysctl --system or sysctl Ansible module) won't happen.

Setting all desired variables in a templated file at once is also faster than configuring individual variables one at a time using sysctl module. You also don't need to specifically enable the option to ignore missing parameters, because sysctl --system automatically handles that for you.

As for the role complexity - this is how all DebOps roles are designed, in essence. The user is supposed to configure a role through Ansible inventory variables, which have a defined, easy to use format specified in the role documentation. The internal code used by the role in the tasks and templates is more complex but should be treated as a "private" code (think public and private functions in OOP model). Users are not supposed to modify DebOps roles on their own; instead a given role behaviour can be influenced through Ansible inventory.

from ansible-collection-hardening.
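The override behaviour described in the comment above can be audited directly. The following is an added example, not part of the original thread or of either role. It assumes the procps-ng rules for `sysctl --system`: a file name found in an earlier directory masks the same name in later ones, files are applied in file name order, and `/etc/sysctl.conf` is read last. The function names and the `root` parameter are hypothetical.

```python
import glob
import os

# Directory order as listed for `sysctl --system` in sysctl(8).
SYSCTL_DIRS = ["run/sysctl.d", "etc/sysctl.d", "usr/local/lib/sysctl.d",
               "usr/lib/sysctl.d", "lib/sysctl.d"]

def load_order(root="/"):
    """Return config files in the order they are applied (assumed procps-ng rules)."""
    by_name = {}
    for d in SYSCTL_DIRS:
        for path in glob.glob(os.path.join(root, d, "*.conf")):
            # Assumption: a file name seen in an earlier directory masks later ones.
            by_name.setdefault(os.path.basename(path), path)
    files = [by_name[n] for n in sorted(by_name)]
    main = os.path.join(root, "etc/sysctl.conf")
    if os.path.isfile(main):
        files.append(main)  # read last, so it wins over every sysctl.d file
    return files

def parse(path):
    """Yield (key, value) pairs from one sysctl configuration file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line[0] in "#;" or "=" not in line:
                continue
            key, value = line.split("=", 1)
            # A leading "-" on the key only means "ignore errors for this key".
            yield key.strip().lstrip("-").strip(), value.strip()

def effective(root="/"):
    """Map each key to its [(file, value), ...] history; the last entry wins."""
    history = {}
    for path in load_order(root):
        for key, value in parse(path):
            history.setdefault(key, []).append((path, value))
    return history

def conflicts(root="/"):
    """Keys that more than one file sets to different values."""
    return {k: h for k, h in effective(root).items()
            if len({v for _, v in h}) > 1}

if __name__ == "__main__":
    for key, hist in sorted(conflicts().items()):
        print(f"{key}: effective {hist[-1][1]!r} from {hist[-1][0]}")
        for path, value in hist[:-1]:
            print(f"    overridden: {value!r} in {path}")
```

Run on a host after several roles have been applied, it lists every hardening key whose value from one file is replaced by a later file.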

ypid commented on May 22, 2024 1

@conorsch You are right. DebOps is focused on Debian. But in this case it should be easy to update the role to support other distros as well. I would be willing to maintain that for other distros as well if that would allow @dev-sec to use the role.


rndmh3ro commented on May 22, 2024

Hi @ypid, thanks for the suggestion. However I don't think a dependency is a good idea. I'd really like to keep this role as simple as possible. And looking at the code of your sysctl-role, it does not seem very simple (I did not test it, though!).

However I'd really like to hear more about why you chose to use template+command instead of the sysctl-module! Maybe in our gitter channel?


conorsch commented on May 22, 2024

While I like the template approach in debops.sysctl, the role is not appropriate for inclusion as a dependency because it targets Debian-based distros specifically, whereas the dev-sec.os-hardening role works on a wide variety of Linux distros.


rndmh3ro commented on May 22, 2024

Closing this as I'm not comfortable with injecting another role as a dependency here. I want to try to keep this role lightweight and easily understandable.

