diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index 53426dff1..00b283cfa 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -35,6 +35,14 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
+ include:
+ # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
+ # - molecule_distro: opensuse_tumbleweed
+ # molecule_docker_command: "/usr/lib/systemd/systemd"
+ - molecule_distro: alpine
+ molecule_docker_command: "/sbin/init"
+ molecule_docker_command:
+ - "/lib/systemd/systemd"
 molecule_distro:
 - centosstream9
 - rocky8
@@ -48,7 +56,6 @@ jobs:
 - debian12
 - amazon2023
 - arch
- # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
 steps:
 - name: Checkout repo
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -76,11 +83,9 @@ jobs:
 - name: Test with molecule
 run: |
- if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
- export MOLECULE_DOCKER_COMMAND="/usr/lib/systemd/systemd"
- fi
 molecule --version
 molecule test -s ssh_hardening
 env:
 MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+ MOLECULE_DOCKER_COMMAND: ${{ matrix.molecule_docker_command }}
 working-directory: ansible_collections/devsec/hardening
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index ee3bb62b3..7ccbb88e8 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
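Review bot: The alpine row under `include:` only becomes a job of its own because `alpine` is absent from the `molecule_distro` list below it; an `include` row whose `molecule_distro` value did match an existing entry would instead overwrite `molecule_docker_command` for that one distro, which is easy to trip over the next time the list is extended. A one-line comment above the row would make the intent explicit, e.g. `# rows here that match no molecule_distro value run as extra jobs; alpine boots /sbin/init instead of systemd`. The same matrix, including the opensuse TODO comment, is now copy-pasted into ssh_hardening_custom_tests.yml, so the two files will drift unless the matrix moves into a shared reusable workflow. The `strategy:` block this hunk edits continues outside the hunk.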
@@ -35,6 +35,14 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
+ include:
+ # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
+ # - molecule_distro: opensuse_tumbleweed
+ # molecule_docker_command: "/usr/lib/systemd/systemd"
+ - molecule_distro: alpine
+ molecule_docker_command: "/sbin/init"
+ molecule_docker_command:
+ - "/lib/systemd/systemd"
 molecule_distro:
 - centosstream9
 - rocky8
@@ -48,7 +56,6 @@ jobs:
 - debian12
 - amazon2023
 - arch
- # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
 steps:
 - name: Checkout repo
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
@@ -76,11 +83,9 @@ jobs:
 - name: Test with molecule
 run: |
- if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
- export MOLECULE_DOCKER_COMMAND="/usr/lib/systemd/systemd"
- fi
 molecule --version
 molecule test -s ssh_hardening_custom_tests
 env:
 MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+ MOLECULE_DOCKER_COMMAND: ${{ matrix.molecule_docker_command }}
 working-directory: ansible_collections/devsec/hardening
diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
index 08cb0e30b..7d3b8c652 100644
--- a/molecule/ssh_hardening/prepare.yml
+++ b/molecule/ssh_hardening/prepare.yml
@@ -1,5 +1,5 @@
 ---
-- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+- name: Prepare the molecule container for the role
 hosts: all
 become: true
 environment:
@@ -53,6 +53,14 @@
 - openssh
 when: ansible_facts.os_family == 'Suse'
+ - name: Install required tools on Alpine
+ community.general.apk:
+ name:
+ - openssh
+ state: present
+ update_cache: true
+ when: ansible_facts.os_family == 'Alpine'
+
 - name: Install required tools on Arch
 community.general.pacman:
 name:
diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
index 08cb0e30b..83884dd47 100644
--- a/molecule/ssh_hardening_custom_tests/prepare.yml
+++ b/molecule/ssh_hardening_custom_tests/prepare.yml
@@ -62,6 +62,14 @@
 update_cache: true
 when: ansible_facts.os_family == 'Archlinux'
+ - name: Install required tools on Alpine
+ community.general.apk:
+ name:
+ - openssh
+ state: present
+ update_cache: true
+ when: ansible_facts.os_family == 'Alpine'
+
 - name: Create ssh host keys # noqa ignore-errors
 ansible.builtin.command: ssh-keygen -A
 when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
index a01590408..2ba21a696 100644
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@@ -52,6 +52,7 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
 - focal, jammy, noble
 - Debian
 - bookworm, bullseye
+- Alpine
 - Amazon
 - Fedora
 - ArchLinux
diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml
index 663d671c1..c710039c8 100644
--- a/roles/ssh_hardening/meta/main.yml
+++ b/roles/ssh_hardening/meta/main.yml
@@ -19,6 +19,7 @@ galaxy_info:
 versions:
 - bookworm
 - bullseye
+ - name: Alpine
 - name: Amazon
 - name: Fedora
 - name: ArchLinux
diff --git a/roles/ssh_hardening/vars/Alpine.yml b/roles/ssh_hardening/vars/Alpine.yml
new file mode 100644
index 000000000..d18ecc515
--- /dev/null
+++ b/roles/ssh_hardening/vars/Alpine.yml
@@ -0,0 +1,23 @@
+---
+ssh_pkgs:
+ - openssh
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: /etc/ssh
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_host_keys_owner: root
+ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: /etc/ssh/moduli
+
+# CRYPTO_POLICY is not supported on Archlinux
+# and the package check only works in Ansible >2.10
+sshd_disable_crypto_policy: false
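Review bot: The new Alpine task is inserted after the Arch task here but before it in molecule/ssh_hardening/prepare.yml in the same commit, so the two prepare playbooks no longer line up even though their task lists are otherwise parallel; keeping the order identical keeps a side-by-side diff of the two files trivial. Behaviour is unaffected either way, since each install task is guarded by its own `ansible_facts.os_family` condition. Whether Alpine's `openssh` package alone gives the later `ssh-keygen -A` step and the role's service handling everything they need (service script, `/usr/sbin/sshd`) is not visible from this hunk — the molecule run is the only check.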
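Review bot: The closing comment `# CRYPTO_POLICY is not supported on Archlinux` was carried over from the Arch vars file and is wrong in a file named Alpine.yml; it should read `# CRYPTO_POLICY is not supported on Alpine` (the second line about the Ansible >2.10 package check can stay). `ssh_kerberos_support: true` and `ssh_pam_support: true` also deserve a second look: as far as I recall Alpine builds its default sshd without PAM and ships the PAM-enabled server as a separate package, and Kerberos/GSSAPI support is not obviously compiled in either, while the prepare playbooks in this commit only install `openssh`. I believe sshd reports a compiled-out directive such as `UsePAM` as an "Unsupported option" warning rather than a hard error, so a wrong flag here would pass CI silently; confirm with `sshd -T` inside the Alpine container and set each flag to match what the package actually supports. Flipping an unsupported flag to `false` stops the role from emitting directives the daemon then ignores.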