feat(ssh): add alpine support (#809)

Signed-off-by: Sebastian Gumprich <[email protected]>
dev-sec · Oct 13, 2024 · 7b112dc · 7b112dc
1 parent cd9cf8f
commit 7b112dc
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 9 deletions.
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
@@ -35,6 +35,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        include:
+          # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
+          # - molecule_distro: opensuse_tumbleweed
+          #   molecule_docker_command: "/usr/lib/systemd/systemd"
+          - molecule_distro: alpine
+            molecule_docker_command: "/sbin/init"
+        molecule_docker_command:
+          - "/lib/systemd/systemd"
         molecule_distro:
           - centosstream9
           - rocky8
@@ -48,7 +56,6 @@ jobs:
           - debian12
           - amazon2023
           - arch
-          # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
     steps:
       - name: Checkout repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -76,11 +83,9 @@ jobs:
 
       - name: Test with molecule
         run: |
-          if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
-            export MOLECULE_DOCKER_COMMAND="/usr/lib/systemd/systemd"
-          fi
           molecule --version
           molecule test -s ssh_hardening
         env:
           MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+          MOLECULE_DOCKER_COMMAND: ${{ matrix.molecule_docker_command }}
         working-directory: ansible_collections/devsec/hardening
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -35,6 +35,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        include:
+          # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
+          # - molecule_distro: opensuse_tumbleweed
+          #   molecule_docker_command: "/usr/lib/systemd/systemd"
+          - molecule_distro: alpine
+            molecule_docker_command: "/sbin/init"
+        molecule_docker_command:
+          - "/lib/systemd/systemd"
         molecule_distro:
           - centosstream9
           - rocky8
@@ -48,7 +56,6 @@ jobs:
           - debian12
           - amazon2023
           - arch
-          # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
     steps:
       - name: Checkout repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -76,11 +83,9 @@ jobs:
 
       - name: Test with molecule
         run: |
-          if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
-            export MOLECULE_DOCKER_COMMAND="/usr/lib/systemd/systemd"
-          fi
           molecule --version
           molecule test -s ssh_hardening_custom_tests
         env:
           MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+          MOLECULE_DOCKER_COMMAND: ${{ matrix.molecule_docker_command }}
         working-directory: ansible_collections/devsec/hardening
diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
@@ -1,5 +1,5 @@
 ---
-- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+- name: Prepare the molecule container for the role
   hosts: all
   become: true
   environment:
@@ -53,6 +53,14 @@
           - openssh
       when: ansible_facts.os_family == 'Suse'
 
+    - name: Install required tools on Alpine
+      community.general.apk:
+        name:
+          - openssh
+        state: present
+        update_cache: true
+      when: ansible_facts.os_family == 'Alpine'
+
     - name: Install required tools on Arch
       community.general.pacman:
         name:

diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
@@ -62,6 +62,14 @@
         update_cache: true
       when: ansible_facts.os_family == 'Archlinux'
 
+    - name: Install required tools on Alpine
+      community.general.apk:
+        name:
+          - openssh
+        state: present
+        update_cache: true
+      when: ansible_facts.os_family == 'Alpine'
+
     - name: Create ssh host keys # noqa ignore-errors
       ansible.builtin.command: ssh-keygen -A
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')

diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
@@ -52,6 +52,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - focal, jammy, noble
 - Debian
   - bookworm, bullseye
+- Alpine
 - Amazon
 - Fedora
 - ArchLinux

diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml
@@ -19,6 +19,7 @@ galaxy_info:
       versions:
         - bookworm
         - bullseye
+    - name: Alpine
     - name: Amazon
     - name: Fedora
     - name: ArchLinux

diff --git a/roles/ssh_hardening/vars/Alpine.yml b/roles/ssh_hardening/vars/Alpine.yml
@@ -0,0 +1,23 @@
+---
+ssh_pkgs:
+  - openssh
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: /etc/ssh
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_host_keys_owner: root
+ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: /etc/ssh/moduli
+
+# CRYPTO_POLICY is not supported on Archlinux
+# and the package check only works in Ansible >2.10
+sshd_disable_crypto_policy: false
-Original file line number
+Diff line change
@@ Expand Up @@
       - focal, jammy, noble
     - Debian
       - bookworm, bullseye
+    - Alpine
     - Amazon
     - Fedora
     - ArchLinux
@@ Expand Down @@