3 changes: 2 additions & 1 deletion build-scripts/autogen
@@ -61,7 +61,8 @@ for proj in $projects; do
log_debug "Running autogen.sh for project $proj..."
(
cd "$BASEDIR/$proj"
NO_CONFIGURE=1 run_and_print_on_failure ./autogen.sh
export NO_CONFIGURE=1
run_and_print_on_failure ./autogen.sh
Comment on lines -64 to +65
Member
@larsewi isn't this exactly the same?

@olehermanse olehermanse Mar 6, 2026
echo 'echo "  In child script:       NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"' > autogen.sh

run_and_print_on_failure() {
    echo "  Inside function:       NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"
    bash -c 'echo "  In child process:      NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"'
    bash $1
}

echo "=== Test 1: prefix assignment ==="
(
    NO_CONFIGURE=1 run_and_print_on_failure autogen.sh
)

echo ""
echo "=== Test 2: export ==="
(
    export NO_CONFIGURE=1
    run_and_print_on_failure autogen.sh
)
$ bash test.sh
=== Test 1: prefix assignment ===
  Inside function:       NO_CONFIGURE=1
  In child process:      NO_CONFIGURE=1
  In child script:       NO_CONFIGURE=1

=== Test 2: export ===
  Inside function:       NO_CONFIGURE=1
  In child process:      NO_CONFIGURE=1
  In child script:       NO_CONFIGURE=1

Contributor Author

This is true for bash, but not dash. So it fails on the Debian 9 bootstrap host.

When a shell function is executed, the variables which are explicitly placed in the environment of the command (by placing assignments to them before the function name) are made local to the function and are set to the values given. Linux Man Pages

The key phrase is "local to the function" — dash makes them local, not exported. That means child processes spawned within the function don't inherit them.

@olehermanse olehermanse Mar 6, 2026

The key phrase is "local to the function" — dash makes them local, not exported. That means child processes spawned within the function don't inherit them.

I think that's ambiguous, exactly what "local to the function" means here. My interpretation, which seems to align with all the shells I tested on, is that "local to the function" means it will be unset after the function, but it will be set for subprocesses spawned inside the function. This also makes it so functions work "the same" / similarly as commands which start binaries / spawn subprocesses.

I tested in dash with Debian 12, exactly the same result - maybe a bug in the Debian 9 version of dash?

Member

Interesting - tested with Craig and it does make a difference on Debian 9, but looks like a bug IMO:

echo 'echo "  In child script:       NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"' > autogen.sh

in_sub_function() {
    echo "  Inside subfunction:    NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"
}

run_and_print_on_failure() {
    echo "  Inside function:       NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"
    dash -c 'echo "  In child process:      NO_CONFIGURE=${NO_CONFIGURE:-<unset>}"'
    dash $1
    in_sub_function
}

echo "=== Test 1: prefix assignment ==="
(
    NO_CONFIGURE=1 run_and_print_on_failure autogen.sh
)

echo ""
echo "=== Test 2: export ==="
(
    export NO_CONFIGURE=1
    run_and_print_on_failure autogen.sh
)
$ dash test.sh
=== Test 1: prefix assignment ===
  Inside function:       NO_CONFIGURE=1
  In child process:      NO_CONFIGURE=<unset>
  In child script:       NO_CONFIGURE=<unset>
  Inside subfunction:    NO_CONFIGURE=1

=== Test 2: export ===
  Inside function:       NO_CONFIGURE=1
  In child process:      NO_CONFIGURE=1
  In child script:       NO_CONFIGURE=1
  Inside subfunction:    NO_CONFIGURE=1

)
done
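Review bot: the replacement of the prefix assignment with `export NO_CONFIGURE=1` on the two `+` lines needs an inline comment in the script, because the two forms look equivalent and the reason they are not (dash on the Debian 9 bootstrap host keeps a `NO_CONFIGURE=1 run_and_print_on_failure ...` assignment local to the function, so the `./autogen.sh` it spawns never sees the variable, as the thread above shows) will otherwise be lost on the next tidy-up that "simplifies" it back. Something like `# export rather than prefix-assign: dash does not pass function-call prefix assignments to child processes` above the `export` line would do. It is also worth stating that the `export` sits inside the `( cd "$BASEDIR/$proj" ... )` subshell, so the variable does not leak into later iterations of the `for proj` loop.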

56 changes: 55 additions & 1 deletion ci/cfengine-build-host-setup.cf
@@ -24,6 +24,8 @@ bundle agent cfengine_build_host_setup
"ntp";

debian|ubuntu::
"fail2ban"
comment => "Ban IPs with repeated failed SSH auth attempts";
"libltdl7" package_policy => "delete";
"libltdl-dev" package_policy => "delete";
"binutils";
@@ -124,8 +126,11 @@ bundle agent cfengine_build_host_setup
"xfsprogs";

# note that shellcheck, fakeroot and ccache require epel-release to be installed
(redhat_7|centos_7).(yum_dnf_conf_ok)::
(redhat|centos).(yum_dnf_conf_ok)::
"epel-release";
"fail2ban"
comment => "Ban IPs with repeated failed SSH auth attempts";
(redhat_7|centos_7).(yum_dnf_conf_ok)::
"ccache";
"fakeroot";
"perl-JSON-PP";
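Review bot: widening the class for `epel-release` from `(redhat_7|centos_7).(yum_dnf_conf_ok)` to `(redhat|centos).(yum_dnf_conf_ok)` changes behaviour on every other RHEL/CentOS version this policy already handles (`redhat_9|redhat_10` appear further down in this file), not just where `fail2ban` is wanted; confirm that a package literally named `epel-release` resolves from the repositories configured on those hosts, because an unresolvable package fails the promise and, with it, the `fail2ban` install that depends on EPEL. If EPEL is now also there for fail2ban, the comment on the line above, which still lists only shellcheck, fakeroot and ccache, should say so.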
@@ -262,6 +267,41 @@ root - core unlimited
* - core unlimited
");

"/etc/fail2ban/jail.local"
create => "true",
content => "[sshd]
enabled = true
port = ssh
maxretry = 5
bantime = 3600
findtime = 600",
classes => if_repaired("fail2ban_config_changed"),
comment => "Configure fail2ban to ban IPs after 5 failed SSH attempts within 10 minutes";

"/etc/ssh/sshd_config"
edit_line => comment_lines_matching("^PermitRootLogin\s+(?!no\s*$).*", "#"),
classes => if_repaired("sshd_hardened"),
comment => "Comment out insecure PermitRootLogin values";
"/etc/ssh/sshd_config"
edit_line => comment_lines_matching("^PasswordAuthentication\s+(?!no\s*$).*", "#"),
classes => if_repaired("sshd_hardened"),
comment => "Comment out insecure PasswordAuthentication value";
"/etc/ssh/sshd_config"
edit_line => comment_lines_matching("^KbdInteractiveAuthentication\s+(?!no\s*$).*", "#"),
classes => if_repaired("sshd_hardened"),
comment => "Comment out insecure KbdInteractiveAuthentication value (OpenSSH 8.7+)";
"/etc/ssh/sshd_config"
edit_line => comment_lines_matching("^ChallengeResponseAuthentication\s+(?!no\s*$).*", "#"),
classes => if_repaired("sshd_hardened"),
comment => "Comment out insecure ChallengeResponseAuthentication value (OpenSSH < 8.7)";
"/etc/ssh/sshd_config"
edit_line => lines_present("PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no"),
classes => if_repaired("sshd_hardened"),
comment => "Ensure SSH hardening directives are present";

ubuntu_16|ubuntu_18|redhat_9|redhat_10::
"/etc/hosts" -> { "ENT-12437" }
edit_line => regex_replace("127.0.0.1 localhost localhost.localdomain","127.0.0.1 localhost.localdomain"),
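Review bot: the sshd hardening edits only `/etc/ssh/sshd_config` and relies on `lines_present` appending the four `no` directives, but sshd uses the first value it reads for each keyword, so a `PasswordAuthentication yes` (or similar) pulled in through an `Include` directive earlier in the file still wins over the appended line, and anything appended after a trailing `Match` block only applies inside that block. Check the effective configuration after the edit (`sshd -T` prints the resulting values) rather than the file text, run `sshd -t` before the restart so a syntax error does not take SSH on the build host down, and make sure the account Jenkins connects as has a key installed before this lands, since `PasswordAuthentication no` and `PermitRootLogin no` take effect at the restart. Second, the `[sshd]` jail in `jail.local` sets neither `backend` nor `logpath`; on hosts with no syslog writing `/var/log/auth.log` or `/var/log/secure`, the jail will not start unless the distribution defaults supply `backend = systemd`, so verify with `fail2ban-client status sshd` on each platform in the matrix.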
@@ -343,6 +383,20 @@ jenkins_builds ALL=NOPASSWD: /usr/bin/podman
!have_sys_user.(suse|sles|opensuse)::
"useradd -u 3 sys" contain => in_shell;

services:
sshd_hardened::
"sshd"
service_policy => "restart",
comment => "Restart sshd to apply hardened configuration";
any::
"fail2ban"
service_policy => "start",
comment => "Ensure fail2ban is running";
fail2ban_config_changed::
"fail2ban"
service_policy => "restart",
comment => "Restart fail2ban to apply jail configuration";

# skip /etc/hosts change for now, seems kind of wrong and corrupts ip6 entries like `::1 ip6-ip6-loopback`
# maybe the following is needed to silence such errors as: ubuntu-16-mingw-j1: sudo: unable to resolve host localhost.localdomain
# ubuntu::
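Review bot: the `any::` guard on the `fail2ban` `start` promise is wider than the package promises above, which install `fail2ban` only under `debian|ubuntu` and `(redhat|centos).(yum_dnf_conf_ok)`; this file also handles `suse|sles|opensuse` hosts (the `useradd -u 3 sys` line just above), where no such service exists and the promise will be not-kept on every run. Reuse the class expression from the package promises, or a class set when the package is installed. Also confirm whether the services body's `start` policy enables the unit at boot on these platforms; if it only starts the daemon, an `enable` promise is needed alongside it for fail2ban to survive a reboot of the build host.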
8 changes: 4 additions & 4 deletions ci/setup-cfengine-build-host.sh
@@ -37,11 +37,11 @@ function cleanup()
fi
echo "Cleaning up CFEngine install by moving to /var/bak.cfengine and /opt/bak.cfengine"
rm -rf /var/bak.cfengine
mv /var/cfengine /var/bak.cfengine || true
mv /var/cfengine /var/bak.cfengine 2>/dev/null || true
rm -rf /opt/bak.cfengine
mv /opt/cfengine /opt/bak.cfengine || true
mv /var/log/CFE* /var/bak.cfengine/ || true
mv /var/log/postgresql.log /var/bak.cfengine || true
mv /opt/cfengine /opt/bak.cfengine 2>/dev/null || true
mv /var/log/CFE* /var/bak.cfengine/ 2>/dev/null || true
mv /var/log/postgresql.log /var/bak.cfengine 2>/dev/null || true

if command -v pkill >/dev/null 2>&1; then
pkill -9 cf-agent || true
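Review bot: `2>/dev/null` on every `mv` hides all failures, not only the missing-source case, and it makes an existing ordering problem silent: when `/var/cfengine` is absent the first `mv` does nothing, `/var/bak.cfengine` is never created, and the unslashed `mv /var/log/postgresql.log /var/bak.cfengine` then renames the log file to `/var/bak.cfengine` instead of moving it into a directory (the `CFE*` line has the trailing slash, this one does not). Test for the source before moving, e.g. `[ -d /var/cfengine ] && mv /var/cfengine /var/bak.cfengine`, and make sure the destination directory exists (or add the trailing slash) before the log moves, so genuine errors such as permission denied still surface instead of being swallowed.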