add systemd/logind.conf variables
Signed-off-by: Thomas Sjögren <[email protected]>
konstruktoid committed Sep 3, 2024
1 parent 753d170 commit b0be1c6
Showing 7 changed files with 84 additions and 16 deletions.
28 changes: 27 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,7 @@ see [Unattended-Upgrade::Automatic-Reboot](https://help.ubuntu.com/community/Aut
and [dnf_automatic: reboot](https://dnf.readthedocs.io/en/latest/automatic.html).

The reboot time scheduling is currently only supported on Debian-based distros.
The reboot is by default scheduled randomly betweem 2:00-2:20AM, server time. The
The reboot is by default scheduled randomly betweem 2:00-2:20AM, server time. The
reboot time is chosen randomly from `reboot_from_time`, adding a random time within
`reboot_time_margin_mins` to avoid overloading hypervisors.

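Review bot: the replaced line keeps the typo `betweem` (`scheduled randomly betweem 2:00-2:20AM`); since the line is being rewritten here anyway, change it to `between`.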
Expand Down Expand Up @@ -403,6 +403,32 @@ limit_nproc_soft: 512

Set maximum number of processes and open files, see [limits.conf(5)](https://www.man7.org/linux/man-pages/man5/limits.conf.5.html).

### ./defaults/main/logind.yml

```yaml
logind:
killuserprocesses: true
killexcludeusers:
- root
idleaction: lock
idleactionsec: 15min
removeipc: true
```

Configure [logind](https://www.freedesktop.org/software/systemd/man/latest/logind.conf.html).

`killuserprocesses` takes a boolean argument. Configures whether the processes
of a user should be killed when the user logs out.

`killexcludeusers` takes a list of usernames that override the
`killuserprocesses` setting.

`idleaction` and `idleactionsec` configures the action to take when the system
is idle and the delay after which the action configured in `idleaction` is taken.

`removeipc` takes a boolean argument. If enabled, the user may not consume IPC
resources after the last of the user's sessions terminated.

### ./defaults/main/misc.yml

```yaml
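Review bot: the new `logind` section does not say where these settings are written. This commit moves them out of `/etc/systemd/logind.conf` into the drop-in `/etc/systemd/logind.conf.d/zz-logind-hardening.conf` (tasks/logindconf.yml), and drop-ins take precedence over the main file, so a reader who overrides `logind_conf_template`, or who still has a role-managed `/etc/systemd/logind.conf` from an earlier version, should be told that the drop-in now wins. The text should also warn that `killuserprocesses: true` ends every process left behind at logout (screen, tmux, nohup jobs) unless the user is listed in `killexcludeusers` or has lingering enabled with `loginctl enable-linger`; the molecule default scenario in this commit adds `vagrant` to the list, and a reader copying the defaults with only `root` excluded will hit the same thing for their own login user. Finally, `idleaction` is documented only by its example value; list the accepted values or point at the `IdleAction=` entry in logind.conf(5).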
8 changes: 8 additions & 0 deletions defaults/main/logind.yml
@@ -0,0 +1,8 @@
---
logind:
killuserprocesses: true
killexcludeusers:
- root
idleaction: lock
idleactionsec: 15min
removeipc: true
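Review bot: nothing validates these values before they are rendered. logind logs and ignores an unrecognised `IdleAction=` or an unparsable `IdleActionSec=`, so a typo such as `idleaction: lokc` leaves the system without the lock action while the playbook still reports success. An `ansible.builtin.assert` at the top of tasks/logindconf.yml that checks `logind.idleaction` against the values documented for `IdleAction=` in logind.conf(5) (`ignore`, `lock`, `suspend`, `hibernate`, `poweroff`, `reboot`, `halt`, `kexec`, ...) and that `logind.killexcludeusers` is a list would catch this before the template runs.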
2 changes: 1 addition & 1 deletion molecule/custom/molecule.yml
Expand Up @@ -22,7 +22,7 @@ provisioner:
enabled: true
only_security: true
reboot: false
reboot_from_time: "2:00"
reboot_from_time: 2:00
reboot_time_margin_mins: "20"
fallback_ntp:
- 169.254.169.123
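Review bot: dropping the quotes changes the type of the value, not just its style. Ansible loads YAML with PyYAML's YAML 1.1 resolver, under which an unquoted `2:00` is a sexagesimal integer and comes back as `120`, not the string `2:00` (the same rule turns `12:30` into `750`). Quick check: `python3 -c 'import yaml; print(yaml.safe_load("t: 2:00"))'` prints `{'t': 120}`. Unless the role deliberately accepts minutes-since-midnight here, keep `reboot_from_time: "2:00"`; the quoted `reboot_time_margin_mins: "20"` two lines down shows the convention the file already uses.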
8 changes: 8 additions & 0 deletions molecule/default/molecule.yml
Expand Up @@ -69,6 +69,14 @@ provisioner:
noble:
disable_wireless: true
kernel_lockdown: true
logind:
killuserprocesses: true
killexcludeusers:
- root
- vagrant
idleaction: lock
idleactionsec: 15min
removeipc: true
sshd_admin_net:
- 0.0.0.0/0
sshd_allow_groups:
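Review bot: this scenario adds `vagrant` to `killexcludeusers`, while molecule/custom in the same commit keeps the role default (`root` only). If both scenarios connect as the same user, the custom scenario is the one that exercises the case where the connecting user's own processes are killed at logout; a one-line comment here saying why `vagrant` is excluded (and that the omission in the custom scenario is intentional, if it is) would stop the asymmetry from looking like an oversight.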
16 changes: 16 additions & 0 deletions molecule/default/verify.yml
Expand Up @@ -1349,6 +1349,22 @@
- ForwardToSyslog={{ 'yes' if journald_forwardtosyslog else 'no' }}
- Compress={{ 'yes' if journald_compress else 'no' }}

- name: Verify logind settings
ansible.builtin.shell: |
set -o pipefail
systemd-analyze cat-config systemd/logind.conf | grep "^{{ item }}"
args:
executable: /bin/bash
register: journald_conf
failed_when: journald_conf.rc != 0
changed_when: journald_conf.rc != 0
with_items:
- KillUserProcesses={{ 'true' if logind.killuserprocesses else 'false' }}
- KillExcludeUsers={{ logind.killexcludeusers | join(' ') }}
- IdleAction={{ logind.idleaction }}
- IdleActionSec={{ logind.idleactionsec }}
- RemoveIPC={{ 'true' if logind.removeipc else 'false' }}

- name: Verify journal permissions
become: true
block:
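Review bot: the new task registers its result as `journald_conf`, reusing the name of the journald check right above it; rename it to `logind_conf` so a failure is attributed to the right task and the two results cannot shadow each other. `changed_when: journald_conf.rc != 0` can never be true when `failed_when: journald_conf.rc != 0` is on the line above it, so write `changed_when: false`, which is what a read-only verify step should say. The `^{{ item }}` anchor is doing real work here: `systemd-analyze cat-config` also prints the distribution's commented `#KillUserProcesses=no` lines from the main file, and only the anchor keeps those from matching, so keep it if the pattern is ever touched.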
28 changes: 19 additions & 9 deletions tasks/logindconf.yml
@@ -1,12 +1,22 @@
---
- name: Configure systemd logind
become: true
ansible.builtin.template:
src: "{{ logind_conf_template }}"
dest: /etc/systemd/logind.conf
backup: true
mode: "0644"
owner: root
group: root
notify:
- Reload systemd
block:
- name: Create logind.conf.d drop-in directory
ansible.builtin.file:
path: /etc/systemd/logind.conf.d
state: directory
mode: "0755"
owner: root
group: root

- name: Configure systemd logind
ansible.builtin.template:
src: "{{ logind_conf_template }}"
dest: /etc/systemd/logind.conf.d/zz-logind-hardening.conf
backup: true
mode: "0644"
owner: root
group: root
notify:
- Reload systemd
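Review bot: the drop-in only takes effect once systemd-logind re-reads its configuration, and `systemctl daemon-reload` (which is what a handler named `Reload systemd` normally runs) does not do that; logind parses logind.conf and its `logind.conf.d` drop-ins when the service itself starts. Unless that handler already restarts `systemd-logind.service`, add a handler that does, otherwise the running logind keeps its old settings until the next boot while `systemd-analyze cat-config` in verify.yml happily reports the new file contents. Smaller point: the removed task used to write `/etc/systemd/logind.conf` itself, and nothing here cleans up a role-managed copy left behind by an earlier version; the drop-in overrides it, so this is cosmetic, but it deserves a line in the changelog.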
10 changes: 5 additions & 5 deletions templates/etc/systemd/logind.conf.j2
Expand Up @@ -2,8 +2,8 @@
# Generated by Ansible role {{ ansible_role_name }}

[Login]
KillUserProcesses=1
KillExcludeUsers=root
IdleAction=lock
IdleActionSec=15min
RemoveIPC=yes
KillUserProcesses={{ 'true' if logind.killuserprocesses else 'false' }}
KillExcludeUsers={{ logind.killexcludeusers | join(' ') }}
IdleAction={{ logind.idleaction }}
IdleActionSec={{ logind.idleactionsec }}
RemoveIPC={{ 'true' if logind.removeipc else 'false' }}

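Review bot: `{{ 'true' if logind.killuserprocesses else 'false' }}` tests Jinja truthiness, not the boolean value. A user who writes `killuserprocesses: "no"` (a quoted string, common in inventories and extra-vars) gets `KillUserProcesses=true`, because any non-empty string is truthy; use `logind.killuserprocesses | bool` in the conditional, and the same for `removeipc` (verify.yml repeats the expression and needs the same fix). `KillExcludeUsers={{ logind.killexcludeusers | join(' ') }}` renders `KillExcludeUsers=` for an empty list, an empty assignment whose effect on the built-in `root` exclusion is not obvious from logind.conf(5); either guard the line with `{% if logind.killexcludeusers %}` or document what `[]` means. Lastly, the template still lives at templates/etc/systemd/logind.conf.j2 although it is now rendered as a drop-in; renaming it to match the destination avoids confusion for anyone overriding `logind_conf_template`.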