ENT-13766: Fixes / improvements / security hardening #2131
larsewi wants to merge 5 commits into cfengine:master from
Conversation
The mv commands in cleanup() print confusing "cannot stat" errors when files don't exist, which is expected on first provisioning runs. Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Disable PermitRootLogin, PasswordAuthentication, and KbdInteractiveAuthentication in sshd_config to enforce key-only SSH access. This prevents brute force attacks on VMs exposed via autossh tunnels through the SSH bridge. Ticket: ENT-13766 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Broaden epel-release from redhat_7/centos_7 only to all redhat/centos platforms. This is needed to install fail2ban (and potentially other EPEL packages) on RHEL 8/9/10. Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Install fail2ban on Debian/Ubuntu and RHEL/CentOS platforms to ban IPs with repeated failed SSH auth attempts. Configures sshd jail with 5 max retries, 1 hour ban time, and 10 minute find window. Ticket: ENT-13766 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
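An added illustration, not cfengine buildscripts code, of what the sshd jail parameters in the commit above mean (maxretry 5, findtime 10 minutes, bantime 1 hour), applied to constructed journal lines in `journalctl -u ssh -o short-unix` format:

```shell
#!/bin/sh
# Added illustration, not cfengine buildscripts code: the three sshd jail
# parameters from the commit, applied to constructed journal lines in
# `journalctl -u ssh -o short-unix` format (first field is epoch seconds).
MAXRETRY=5      # failures before a ban
FINDTIME=600    # 10 minute window in which they must occur
BANTIME=3600    # 1 hour ban

# Reads log lines on stdin; prints "<ip> <ban_start> <ban_end>" whenever an
# IP reaches MAXRETRY failures inside FINDTIME. Exit 0 if anything was banned.
find_bannable_ips() {
    awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" -v bantime="$BANTIME" '
    /sshd\[[0-9]+\]: Failed password for/ {
        t = int($1); ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        if ((ip in ban_until) && t < ban_until[ip]) next   # already banned
        n[ip]++; hit[ip, n[ip]] = t
        c = 0                                               # failures in window
        for (j = 1; j <= n[ip]; j++) if (hit[ip, j] > t - findtime) c++
        if (c >= maxretry) {
            ban_until[ip] = t + bantime; banned++
            print ip, t, ban_until[ip]
            delete n[ip]                                    # counter restarts after ban
        }
    }
    END { exit banned ? 0 : 1 }'
}

# Constructed sample: 203.0.113.5 fails five times in four minutes,
# 198.51.100.7 fails three times spread over half an hour.
SAMPLE_LOG='1710072000.000 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
1710072060.000 host sshd[102]: Failed password for root from 203.0.113.5 port 40002 ssh2
1710072120.000 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
1710072120.000 host sshd[104]: Failed password for root from 203.0.113.5 port 40003 ssh2
1710072180.000 host sshd[105]: Failed password for root from 203.0.113.5 port 40004 ssh2
1710072240.000 host sshd[106]: Failed password for root from 203.0.113.5 port 40005 ssh2
1710072300.000 host sshd[107]: Failed password for root from 203.0.113.5 port 40006 ssh2
1710072900.000 host sshd[108]: Failed password for invalid user admin from 198.51.100.7 port 50002 ssh2
1710073200.000 host sshd[109]: Accepted publickey for build from 203.0.113.9 port 60001 ssh2
1710073800.000 host sshd[110]: Failed password for invalid user admin from 198.51.100.7 port 50003 ssh2'

printf '%s\n' "$SAMPLE_LOG" | find_bannable_ips
```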
| NO_CONFIGURE=1 run_and_print_on_failure ./autogen.sh | ||
| export NO_CONFIGURE=1 | ||
| run_and_print_on_failure ./autogen.sh |
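Review bot: `export NO_CONFIGURE=1` stays set for every command that follows in this script, whereas the prefix assignment it replaces applied to that one call only; if anything after `./autogen.sh` must run with NO_CONFIGURE unset, add `unset NO_CONFIGURE` afterwards or scope the pair in a subshell `( export NO_CONFIGURE=1; run_and_print_on_failure ./autogen.sh )`. The switch itself is the right fix for dash, where a prefix assignment on a shell function is made local to the function and is not exported to the processes the function starts.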
echo 'echo " In child script: NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"' > autogen.sh
run_and_print_on_failure() {
echo " Inside function: NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"
bash -c 'echo " In child process: NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"'
bash $1
}
echo "=== Test 1: prefix assignment ==="
(
NO_CONFIGURE=1 run_and_print_on_failure autogen.sh
)
echo ""
echo "=== Test 2: export ==="
(
export NO_CONFIGURE=1
run_and_print_on_failure autogen.sh
)

$ bash test.sh
=== Test 1: prefix assignment ===
Inside function: NO_CONFIGURE=1
In child process: NO_CONFIGURE=1
In child script: NO_CONFIGURE=1
=== Test 2: export ===
Inside function: NO_CONFIGURE=1
In child process: NO_CONFIGURE=1
In child script: NO_CONFIGURE=1
This is true for bash, but not dash. So it fails on the Debian 9 bootstrap host.
When a shell function is executed, the variables which are explicitly placed in the environment of the command (by placing assignments to them before the function name) are made local to the function and are set to the values given. Linux Man Pages
The key phrase is "local to the function" — dash makes them local, not exported. That means child processes spawned within the function don't inherit them.
The key phrase is "local to the function" — dash makes them local, not exported. That means child processes spawned within the function don't inherit them.
I think that's ambiguous, exactly what "local to the function" means here. My interpretation, which seems to align with all the shells I tested on, is that "local to the function" means it will be unset after the function, but it will be set for subprocesses spawned inside the function. This also makes it so functions work "the same" / similarly as commands which start binaries / spawn subprocesses.
I tested in dash on Debian 12, exactly the same result - maybe a bug in the Debian 9 version of dash?
Interesting - tested with Craig and it does make a difference on Debian 9, but looks like a bug IMO:
echo 'echo " In child script: NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"' > autogen.sh
in_sub_function() {
echo " Inside subfunction: NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"
}
run_and_print_on_failure() {
echo " Inside function: NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"
dash -c 'echo " In child process: NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"'
dash $1
in_sub_function
}
echo "=== Test 1: prefix assignment ==="
(
NO_CONFIGURE=1 run_and_print_on_failure autogen.sh
)
echo ""
echo "=== Test 2: export ==="
(
export NO_CONFIGURE=1
run_and_print_on_failure autogen.sh
)

$ dash test.sh
=== Test 1: prefix assignment ===
Inside function: NO_CONFIGURE=1
In child process: NO_CONFIGURE=<unset>
In child script: NO_CONFIGURE=<unset>
Inside subfunction: NO_CONFIGURE=1
=== Test 2: export ===
Inside function: NO_CONFIGURE=1
In child process: NO_CONFIGURE=1
In child script: NO_CONFIGURE=1
Inside subfunction: NO_CONFIGURE=1
craigcomstock
left a comment
yes, I really think we need a refined sshd config module though... as still managing just sshd_config is not really sufficient. If some of these options are present in sshd_config.d they may come in first and "win". So we need to compare the RESULTING configuration aka ssh -G output which shows the resulting configuration.
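An added check, not part of this PR, for the point above: compare the effective configuration rather than the contents of sshd_config alone. It reads `sshd -T`, which prints the server's effective settings (the server-side counterpart of `ssh -G`), and assumes the usual /etc/ssh/sshd_config.d layout:

```shell
#!/bin/sh
# Added check, not part of this PR: verify what sshd actually uses instead of
# what /etc/ssh/sshd_config says. sshd keeps the first value it reads for a
# keyword, so with `Include /etc/ssh/sshd_config.d/*.conf` near the top of the
# file a drop-in wins over an edit further down. `sshd -T` prints the effective
# configuration with lowercase keywords; it must read the host keys, so run as root.
REQUIRED="permitrootlogin=no passwordauthentication=no kbdinteractiveauthentication=no"

# Reads `sshd -T` output on stdin, prints one line per deviation and
# returns 0 only when every REQUIRED keyword has the wanted value.
check_effective_sshd() {
    conf=$(cat)
    rc=0
    for want in $REQUIRED; do
        key=${want%%=*}
        val=${want#*=}
        got=$(printf '%s\n' "$conf" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (expected $val)"; rc=1
        elif [ "$got" != "$val" ]; then
            echo "WRONG    $key=$got (expected $val)"; rc=1
        fi
    done
    return $rc
}

# Hint for finding which file supplied a value (assumes the Debian/RHEL layout).
where_is_set() {
    grep -Hin "^[[:space:]]*$1[[:space:]]" /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config 2>/dev/null
}

# Constructed sample of `sshd -T` output from a host where a drop-in left root
# login at the OpenSSH default although sshd_config was edited to "no".
SAMPLE_SSHD_T='port 22
permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication no'
printf '%s\n' "$SAMPLE_SSHD_T" | check_effective_sshd || true

# Against the live daemon when one is installed.
if command -v sshd >/dev/null 2>&1; then
    if sshd -T 2>/dev/null | check_effective_sshd; then
        echo "effective sshd configuration is hardened"
    else
        for k in PermitRootLogin PasswordAuthentication KbdInteractiveAuthentication; do
            where_is_set "$k" || true
        done
    fi
fi
```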