Fixes #5776 adds iptables-persistent dependency on Focal #5780

Merged (5 commits), Feb 11, 2021
3 changes: 0 additions & 3 deletions install_files/ansible-base/roles/app/handlers/main.yml
Expand Up @@ -5,9 +5,6 @@
name: tor
state: restarted

- name: reload iptables rules
shell: iptables-restore < /etc/network/iptables/rules_v4

## App/securedrop section
- name: restart apache2
service:
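Review bot: with the `reload iptables rules` handler deleted, confirm that no task in the app role (or any play that imports its handlers) still notifies it; Ansible errors out when a task notifies a handler that no longer exists. If an immediate reload is still wanted on Focal, `netfilter-persistent reload` is the equivalent of the removed `iptables-restore < /etc/network/iptables/rules_v4`, and a handler wrapping it would keep rule changes from waiting for the next reboot.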
Expand Up @@ -9,6 +9,7 @@ resolvconf_target_filepath: /etc/resolv.conf
securedrop_common_packages:
- apt-transport-https
- aptitude
- iptables-persistent
- unattended-upgrades
- ntp
- ntpdate
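Review bot: the rendered view does not show which vars file this `securedrop_common_packages` list lives in; since the new testinfra check asserts that `iptables-persistent` is absent on non-Focal hosts, this must be the Focal-specific vars file rather than a list shared across releases, otherwise the test fails on Xenial. Please confirm the path, and note that installing this package is what creates `/etc/iptables` on Focal, so it has to be installed before the rules are copied there.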
Expand Up @@ -27,6 +27,8 @@
dest: /etc/network/if-up.d/load_iptables
owner: root
mode: "0744"
when:
- ansible_distribution_release == 'xenial'

- name: Create iptables directory.
file:
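Review bot: the `when` guard only stops the `load_iptables` if-up hook from being copied on Focal; it does not remove a copy left behind on a host upgraded in place from Xenial, where the stale script would keep restoring `/etc/network/iptables/rules_v4` on every interface-up event alongside iptables-persistent. A matching `file: state: absent` task for `/etc/network/if-up.d/load_iptables`, guarded on `ansible_distribution_release == 'focal'`, would make the Focal state explicit.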
Expand All @@ -35,6 +37,8 @@
owner: root
group: root
dest: /etc/network/iptables
when:
- ansible_distribution_release == 'xenial'
Contributor:
If the load_iptables script is only copied under Xenial, then its content shouldn't change to address Focal support.

Contributor Author:
Done.


- name: Determine local platform specific routing info
set_fact:
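Review bot: with the `Create iptables directory.` task now Xenial-only, on Focal the `/etc/iptables` directory that `{{ iptables_v4_path }}` points into has to come from the `iptables-persistent` package, so the package install must run before the rules-copy tasks or the copy fails on a fresh Focal host. A comment stating that ordering dependency, or an unconditional `file: state: directory` task for the parent directory of the templated path, would keep the ordering from being load-bearing.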
Expand All @@ -59,14 +63,14 @@
- name: Copy IPv4 iptables rules.
template:
src: rules_v4
dest: /etc/network/iptables/rules_v4
dest: "{{ iptables_v4_path }}"
owner: root
mode: "0644"
notify: drop flag for reboot

- name: Copy IPv6 iptables rules.
copy:
src: iptables_rules_v6
dest: /etc/network/iptables/rules_v6
dest: "{{ iptables_v6_path }}"
owner: root
mode: "0644"
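Review bot: `iptables_v4_path` and `iptables_v6_path` are only defined through the per-release `include_vars`, so on any release without a vars file the template task fails with an undefined variable; that is the right fail-closed behaviour, but a one-line comment saying the paths are release-specific would save the next reader a lookup. With the reload handler gone, `notify: drop flag for reboot` on the IPv4 task is what actually gets a changed ruleset applied; the IPv6 task shows no `notify` inside this hunk, so check that a `rules_v6` change also triggers the reboot flag.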
@@ -1,4 +1,6 @@
---
- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"

- include: fetch_tor_config.yml
when: fetch_tor_client_auth_configs

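Review bot: the `include_vars` filename is built from `ansible_distribution` and `ansible_distribution_release`, so the two new vars files must be named exactly `Ubuntu_focal.yml` and `Ubuntu_xenial.yml` (the fact values are `Ubuntu` and a lower-case release name); the rendered diff does not show their paths, so please confirm. Any other release fails at this line with a missing file, which is preferable to silently falling back to the Xenial paths.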
@@ -0,0 +1,3 @@
---
iptables_v4_path: /etc/iptables/rules.v4
iptables_v6_path: /etc/iptables/rules.v6
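Review bot: `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6` are the default locations the netfilter-persistent `iptables` and `ip6tables` plugins load at boot, so these values line up with what the package reads; worth a short comment in the file saying so, since nothing else in the role references the package's load path.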
@@ -0,0 +1,3 @@
---
iptables_v4_path: /etc/network/iptables/rules_v4
iptables_v6_path: /etc/network/iptables/rules_v6
11 changes: 11 additions & 0 deletions molecule/testinfra/common/test_system_hardening.py
Expand Up @@ -149,3 +149,14 @@ def test_no_ecrypt_messages_in_logs(host, logfile):
def test_unused_packages_are_removed(host, package):
""" Check if unused package is present """
assert host.package(package).is_installed is False


def test_iptables_packages(host):
"""
Focal hosts should use iptables-persistent for enforcing
firewall config across reboots.
"""
if host.system_info.codename == "focal":
assert host.package("iptables-persistent").is_installed
else:
assert not host.package("iptables-persistent").is_installed
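Review bot: the new test only checks package presence; the failure mode this PR addresses is rules not being enforced after a reboot, so on Focal it should also assert that `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6` exist (`host.file(...).exists`), that `/etc/network/if-up.d/load_iptables` is absent, and that the `netfilter-persistent` service is enabled (`host.service("netfilter-persistent").is_enabled`). The `else` branch is a good guard against the package leaking into a shared package list; keep it.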