
os_hardening fails when setting vm.mmap_rnd_bits #757

Closed
hrmck opened this issue Apr 19, 2024 · 3 comments
Comments


hrmck commented Apr 19, 2024

Description

I am trying to run the role with the following playbook but it keeps failing at task devsec.hardening.os_hardening : Change various sysctl-settings, look at the sysctl-vars file for documentation.

Reproduction steps

- name: Set up my Raspberry Pi.
  hosts: rpi_01
  become: true

  tasks:
    - name: Get latest packages
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 14400 # 4 hours

    - name: Strengthen SSH security
      ansible.builtin.include_role:
        name: devsec.hardening.ssh_hardening
      vars:
        network_ipv6_enable: false

    - name: Strengthen OS security
      ansible.builtin.include_role:
        name: devsec.hardening.os_hardening

Current Behavior

TASK [devsec.hardening.os_hardening : Change various sysctl-settings, look at the sysctl-vars file for documentation] ***
ok: [192.168.0.10] => (item={'key': 'fs.protected_hardlinks', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'fs.protected_symlinks', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'fs.protected_fifos', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'fs.protected_regular', 'value': 2})
ok: [192.168.0.10] => (item={'key': 'fs.suid_dumpable', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'kernel.core_uses_pid', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'kernel.kptr_restrict', 'value': 2})
changed: [192.168.0.10] => (item={'key': 'kernel.kexec_load_disabled', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'kernel.sysrq', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'kernel.randomize_va_space', 'value': 2})
changed: [192.168.0.10] => (item={'key': 'kernel.yama.ptrace_scope', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.ip_forward', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.all.forwarding', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.all.rp_filter', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.default.rp_filter', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.icmp_echo_ignore_broadcasts', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.icmp_ignore_bogus_error_responses', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.icmp_ratelimit', 'value': 100})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.icmp_ratemask', 'value': 88089})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.tcp_timestamps', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.all.arp_ignore', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.all.arp_announce', 'value': 2})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.tcp_rfc1337', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.tcp_syncookies', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.all.shared_media', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.default.shared_media', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.all.accept_source_route', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.default.accept_source_route', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.all.accept_source_route', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.accept_source_route', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.all.send_redirects', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.default.send_redirects', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.all.log_martians', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.default.log_martians', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.default.accept_redirects', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.all.accept_redirects', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.all.secure_redirects', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv4.conf.default.secure_redirects', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.accept_redirects', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.all.accept_redirects', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.all.accept_ra', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.accept_ra', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.router_solicitations', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.all.router_solicitations', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.accept_ra_rtr_pref', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.accept_ra_pinfo', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.accept_ra_defrtr', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.autoconf', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.all.autoconf', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.dad_transmits', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'net.ipv6.conf.default.max_addresses', 'value': 1})
ok: [192.168.0.10] => (item={'key': 'vm.mmap_min_addr', 'value': 65536})
failed: [192.168.0.10] (item={'key': 'vm.mmap_rnd_bits', 'value': 32}) => {"ansible_loop_var": "item", "changed": false, "item": {"key": "vm.mmap_rnd_bits", "value": 32}, "msg": "setting vm.mmap_rnd_bits failed: sysctl: setting key \"vm.mmap_rnd_bits\": Invalid argument\n"}
ok: [192.168.0.10] => (item={'key': 'vm.mmap_rnd_compat_bits', 'value': 16})
changed: [192.168.0.10] => (item={'key': 'kernel.unprivileged_userns_clone', 'value': 0})
ok: [192.168.0.10] => (item={'key': 'kernel.unprivileged_bpf_disabled', 'value': 1})

Expected Behavior

No items should fail.

OS / Environment

Debian GNU/Linux 11 (bullseye)
Raspberry Pi 4 (aarch64)

Ansible Version

ansible [core 2.14.11]
  config file = /mnt/c/Users/username/Documents/home-server/infra-ansible/ansible.cfg
  configured module search path = ['/home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /mnt/c/Users/username/Documents/home-server/infra-ansible
  executable location = /usr/bin/ansible
  python version = 3.11.8 (main, Feb 28 2024, 00:00:00) [GCC 13.2.1 20231011 (Red Hat 13.2.1-4)] (/usr/bin/python3)
  jinja version = 3.1.3
  libyaml = True

Collection Version

devsec.hardening  9.0.1

Additional information

...

@hrmck hrmck added the bug label Apr 19, 2024
@rndmh3ro (Member) commented:

I guess this fails because of the ARM architecture of the raspi.
I couldn't find any definitive evidence, though.

Here it looks like it is supported, but only up to 16. Can you try setting it to 16 as described in the readme?


hrmck commented Apr 25, 2024

@rndmh3ro Thanks for your help.
I have tried 16 and 8 but both return Invalid argument as below:

failed: [192.168.0.10] (item={'key': 'vm.mmap_rnd_bits', 'value': 8}) => {"ansible_loop_var": "item", "changed": false, "item": {"key": "vm.mmap_rnd_bits", "value": 8}, "msg": "setting vm.mmap_rnd_bits failed: sysctl: setting key \"vm.mmap_rnd_bits\": Invalid argument\n"}

This is how I override the value:

    - name: Strengthen OS security
      ansible.builtin.include_role:
        name: devsec.hardening.os_hardening
      vars:
        sysctl_overwrite:
          vm.mmap_rnd_bits: 8


hrmck commented Apr 25, 2024

Update: Setting the value same as the one from /proc/sys/vm/mmap_rnd_bits (the default value) worked. In this case, it's 18. Odd.

@hrmck hrmck closed this as completed Apr 25, 2024
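The "Invalid argument" in this thread is the kernel refusing a value outside its compile-time window: vm.mmap_rnd_bits is only writable between CONFIG_ARCH_MMAP_RND_BITS_MIN and CONFIG_ARCH_MMAP_RND_BITS_MAX, and for an arm64 build with 4K pages and 39-bit virtual addresses those are 18 and 24, so 32, 16 and 8 are all out of range while the default 18 is not. The POSIX shell pre-check below is an added example, not code from the issue or from the devsec.hardening collection; it reads the range from a kernel config file (on a real host /boot/config-$(uname -r) or /proc/config.gz) and runs here against a constructed sample config.

```shell
#!/bin/sh
# Added example (not from the issue or the devsec.hardening role): validate a
# requested vm.mmap_rnd_bits value against the kernel's compile-time range
# before sysctl is asked to apply it. The kernel only accepts values between
# CONFIG_ARCH_MMAP_RND_BITS_MIN and CONFIG_ARCH_MMAP_RND_BITS_MAX and answers
# anything else with EINVAL ("Invalid argument").

# Print the integer value of one CONFIG_ option from a kernel config file
# (plain text such as /boot/config-$(uname -r), or gzipped /proc/config.gz).
# The pattern is anchored on both sides so that CONFIG_ARCH_MMAP_RND_BITS
# does not also match CONFIG_ARCH_MMAP_RND_BITS_MIN.
kconfig_value() {
    kcfg="$1"; kopt="$2"
    case "$kcfg" in
        *.gz) zcat "$kcfg" ;;
        *)    cat "$kcfg" ;;
    esac | sed -n "s/^${kopt}=\([0-9][0-9]*\)\$/\1/p" | head -n 1
}

# Return 0 if $2 lies inside the range declared in config file $1,
# 1 if the kernel would reject it, 2 if the range cannot be determined.
check_mmap_rnd_bits() {
    cfg="$1"; want="$2"
    min=$(kconfig_value "$cfg" CONFIG_ARCH_MMAP_RND_BITS_MIN)
    max=$(kconfig_value "$cfg" CONFIG_ARCH_MMAP_RND_BITS_MAX)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "cannot read CONFIG_ARCH_MMAP_RND_BITS_MIN/MAX from $cfg" >&2
        return 2
    fi
    if [ "$want" -ge "$min" ] && [ "$want" -le "$max" ]; then
        echo "vm.mmap_rnd_bits=$want is accepted (kernel range $min..$max)"
        return 0
    fi
    echo "vm.mmap_rnd_bits=$want would fail: kernel range is $min..$max" >&2
    return 1
}

# Constructed sample config mirroring an arm64 build with 4K pages and
# 39-bit virtual addresses (the Raspberry Pi OS default); not a real file.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_ARM64_VA_BITS=39
CONFIG_ARCH_MMAP_RND_BITS_MIN=18
CONFIG_ARCH_MMAP_RND_BITS_MAX=24
CONFIG_ARCH_MMAP_RND_BITS=18
EOF

# The values tried in the issue: 32, 16 and 8 are rejected, 18 is accepted.
for v in 32 16 8 18; do check_mmap_rnd_bits "$SAMPLE_CFG" "$v"; done
```

Run the same function against the real config file before handing a value to sysctl_overwrite, and the role's sysctl task will not be the first place the mismatch shows up.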