From 9effc662f8474c68da9e2301e8fc271ad85077cf Mon Sep 17 00:00:00 2001 From: Artem Sidorenko Date: Tue, 16 Oct 2018 15:10:17 +0200 Subject: [PATCH 1/5] Ensure we do not have any deprecated config for sshd Signed-off-by: Artem Sidorenko --- .kitchen.dokken.yml | 3 --- .kitchen.yml | 5 +---- test/integration/default/controls/deprecations.rb | 7 +++++++ test/integration/default/controls/ssh-baseline.rb | 1 + test/integration/default/inspec.yml | 5 +++++ 5 files changed, 14 insertions(+), 7 deletions(-) create mode 100644 test/integration/default/controls/deprecations.rb create mode 100644 test/integration/default/controls/ssh-baseline.rb create mode 100644 test/integration/default/inspec.yml diff --git a/.kitchen.dokken.yml b/.kitchen.dokken.yml index c94107d..976e91e 100644 --- a/.kitchen.dokken.yml +++ b/.kitchen.dokken.yml @@ -94,6 +94,3 @@ suites: run_list: - recipe[test] - recipe[ssh-hardening] - verifier: - inspec_tests: - - https://github.com/dev-sec/ssh-baseline diff --git a/.kitchen.yml b/.kitchen.yml index 65c75fa..ece8e87 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -36,9 +36,6 @@ suites: run_list: - recipe[test] - recipe[ssh-hardening] - verifier: - inspec_tests: - - https://github.com/dev-sec/ssh-baseline - name: rhel-with-disabled-pam includes: - centos-6.8 @@ -61,5 +58,5 @@ suites: use_pam: false verifier: inspec_tests: - - https://github.com/dev-sec/ssh-baseline + - test/integration/default - test/integration/without-pam diff --git a/test/integration/default/controls/deprecations.rb b/test/integration/default/controls/deprecations.rb new file mode 100644 index 0000000..40144b8 --- /dev/null +++ b/test/integration/default/controls/deprecations.rb @@ -0,0 +1,7 @@ +control 'sshd configuration should not have any deprecations' do + describe command('sshd -t') do + its(:exit_status) { should eq 0 } + its(:stdout) { should eq '' } + its(:stderr) { should eq '' } + end +end 
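Review bot: `describe command('sshd -t')` in the new deprecations.rb control depends on the verifier's login environment rather than on the config it means to test: the binary is looked up via PATH, which on Debian/Ubuntu images typically lacks `/usr/sbin` for a non-root shell, and as a non-root user `sshd -t` fails while reading the host keys, so the control would fail for reasons unrelated to deprecated directives. Calling the binary by absolute path and naming the file under test removes both dependencies, e.g. `describe command('/usr/sbin/sshd -t -f /etc/ssh/sshd_config') do` (adjust the path if a platform in the kitchen matrix installs sshd elsewhere). The control also carries no `impact` or `desc`; since the empty-stderr assertion is what catches the `Deprecated option` warnings the commit title refers to, `impact 1.0` and `desc 'sshd -t must accept the rendered sshd_config without any warning on stderr'` would record why stderr, not just the exit status, is asserted.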
diff --git a/test/integration/default/controls/ssh-baseline.rb b/test/integration/default/controls/ssh-baseline.rb new file mode 100644 index 0000000..dcc3b91 --- /dev/null +++ b/test/integration/default/controls/ssh-baseline.rb @@ -0,0 +1 @@ +include_controls 'ssh-baseline' diff --git a/test/integration/default/inspec.yml b/test/integration/default/inspec.yml new file mode 100644 index 0000000..c3c1478 --- /dev/null +++ b/test/integration/default/inspec.yml @@ -0,0 +1,5 @@ +name: ssh-hardening-integration-tests +version: 1.0.0 +depends: + - name: ssh-baseline + url: https://github.com/dev-sec/ssh-baseline From f8dbc23529687e00ef383dbbe35cf159d6065bb6 Mon Sep 17 00:00:00 2001 From: Artem Sidorenko Date: Tue, 16 Oct 2018 16:01:43 +0200 Subject: [PATCH 2/5] lets use the latest centos fauxhai data in the spec tests Signed-off-by: Artem Sidorenko --- spec/recipes/server_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb index c745cef..6e78b18 100644 --- a/spec/recipes/server_spec.rb +++ b/spec/recipes/server_spec.rb @@ -269,7 +269,7 @@ context 'when running on CentOS' do let(:platform) { 'centos' } - let(:version) { '7.2.1511' } + let(:version) { '7.5.1804' } let(:selinux_disabled_or_policy_removed) { false } let(:selinux_enabled_and_policy_installed) { false } @@ -392,7 +392,7 @@ end cached(:chef_run) do - ChefSpec::ServerRunner.new(platform: 'centos', version: '7.2.1511') do |node| + ChefSpec::ServerRunner.new(platform: 'centos', version: '7.5.1804') do |node| node.normal['ssh-hardening']['ssh']['server']['os_banner'] = true end.converge(described_recipe) end From eaf1050de23e066b1fde51e159ca9447d67f0fec Mon Sep 17 00:00:00 2001 From: Artem Sidorenko Date: Tue, 16 Oct 2018 16:02:17 +0200 Subject: [PATCH 3/5] Deprecated UseLogin option should not be used for openssh >=7.4 
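Review bot: `url: https://github.com/dev-sec/ssh-baseline` in the new inspec.yml resolves to whatever the repository's default branch holds at verify time, so every test run fetches unpinned upstream code and the controls that gate this cookbook can change, or be replaced, without any change visible in this repository. Pinning the dependency to a release makes the baseline reproducible and auditable, e.g. replace `url:` with `git: https://github.com/dev-sec/ssh-baseline.git` plus `tag: <release>`. The same unpinned URL was already present in the .kitchen.yml verifier blocks this series removes, so the exposure is inherited rather than introduced, but the profile manifest is the natural place to close it.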
Signed-off-by: Artem Sidorenko --- recipes/server.rb | 3 ++- spec/recipes/server_spec.rb | 22 ++++++++++++++++++++++ templates/default/opensshd.conf.erb | 2 ++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/recipes/server.rb b/recipes/server.rb index 9b93e4b..f64d25d 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -181,7 +181,8 @@ kex: node['ssh-hardening']['ssh']['server']['kex'] || DevSec::Ssh.get_server_kexs(node['ssh-hardening']['ssh']['server']['weak_kex']), cipher: node['ssh-hardening']['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh-hardening']['ssh']['server']['cbc_required']), use_priv_sep: node['ssh-hardening']['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion, - hostkeys: node['ssh-hardening']['ssh']['server']['host_key_files'] || DevSec::Ssh.get_server_algorithms.map { |alg| "/etc/ssh/ssh_host_#{alg}_key" } + hostkeys: node['ssh-hardening']['ssh']['server']['host_key_files'] || DevSec::Ssh.get_server_algorithms.map { |alg| "/etc/ssh/ssh_host_#{alg}_key" }, + version: DevSec::Ssh.get_ssh_server_version } end ) diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb index 6e78b18..041e317 100644 --- a/spec/recipes/server_spec.rb +++ b/spec/recipes/server_spec.rb 
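Review bot: `version: DevSec::Ssh.get_ssh_server_version` is the only entry in this variables hash without a `node['ssh-hardening']...` override, unlike `kex`, `cipher`, `use_priv_sep` and `hostkeys` on the lines just above it, so an operator running a locally built sshd, or a package whose version string the helper does not recognise, has no way to correct the value the template's version gates act on. Presumably the helper reads the ohai package data that the recipe reloads right after the openssh-server install; if so, a comment here would make that ordering dependency explicit, e.g. `# server version from the ohai package data reloaded after install; drives the version gates in opensshd.conf.erb`. The variables hash opens before this hunk.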
@@ -230,6 +230,28 @@ expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('UsePAM yes') end + describe 'version specifc options' do + context 'running with OpenSSH < 7.4' do + it 'should have UseLogin' do + expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('UseLogin') + end + end + + context 'running with OpenSSH >= 7.4 on RHEL 7' do + let(:chef_run) do + ChefSpec::ServerRunner.new(platform: 'centos', version: '7.5.1804').converge(described_recipe) + end + + before do + stub_command('getenforce | grep -vq Disabled && semodule -l | grep -q ssh_password').and_return(true) + end + + it 'should not have UseLogin' do + expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content('UseLogin') + end + end + end + describe 'UsePAM option' do let(:use_pam) { true } diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb index 0d527fa..0203587 100644 --- a/templates/default/opensshd.conf.erb +++ b/templates/default/opensshd.conf.erb @@ -85,7 +85,9 @@ KexAlgorithms <%= @kex %> # -------------- # Secure Login directives. +<% if @version.to_f < 7.4 %> UseLogin no +<% end %> UsePrivilegeSeparation <%= @use_priv_sep %> PermitUserEnvironment no LoginGraceTime <%= @node['ssh-hardening']['ssh']['server']['login_grace_time'] %> From e092f11b45c7fa95ecd02246b1c2e384fbf5d573 Mon Sep 17 00:00:00 2001 From: Artem Sidorenko Date: Tue, 16 Oct 2018 16:08:32 +0200 Subject: [PATCH 4/5] Deprecated UsePrivilegeSeparation option for openssh >=7.5 Signed-off-by: Artem Sidorenko --- spec/recipes/server_spec.rb | 18 ++++++++++++++++++ templates/default/opensshd.conf.erb | 2 ++ 2 files changed, 20 insertions(+) diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb index 041e317..40c518f 100644 --- a/spec/recipes/server_spec.rb +++ b/spec/recipes/server_spec.rb 
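Review bot: The `context 'running with OpenSSH < 7.4'` block asserts that `UseLogin` is rendered, but nothing in it establishes an OpenSSH version below 7.4; it relies on whatever package version the default platform fixture (set up outside this hunk) happens to carry, and patch 2 of this series shows how easily that fixture moves. Stubbing the helper pins the scenario the context name promises, e.g. `before { allow(DevSec::Ssh).to receive(:get_ssh_server_version).and_return('7.2') }`. The `>= 7.4 on RHEL 7` context has the same implicit dependency on the fauxhai data for `centos 7.5.1804` shipping a 7.4 sshd, which a comment on the `let(:chef_run)` line should at least state. The enclosing describe block starts before this hunk.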
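Review bot: `<% if @version.to_f < 7.4 %>` treats any value `to_f` cannot parse as 0.0, so a nil version, or a string that does not begin with the upstream release number (a distro epoch prefix such as `1:7.6p1` would read as 1.0), emits `UseLogin no` on a server where the option has been removed. On OpenSSH 7.4 and later that is, as far as I recall, reported as a deprecated-option warning rather than a fatal config error, so the fallback fails in the safe direction, but it is exactly what the new `sshd -t` stderr check in this series would flag. A template comment recording that choice would help the next maintainer, e.g. `# UseLogin was removed in OpenSSH 7.4; an unknown version (nil -> 0.0) deliberately keeps the directive`.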
@@ -235,6 +235,10 @@ it 'should have UseLogin' do expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('UseLogin') end + + it 'should have UsePrivilegeSeparation' do + expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('UsePrivilegeSeparation') + end end context 'running with OpenSSH >= 7.4 on RHEL 7' do @@ -250,6 +254,20 @@ expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content('UseLogin') end end + + context 'running with Openssh >= 7.5 on Ubuntu 18.04' do + let(:chef_run) do + ChefSpec::ServerRunner.new(version: '18.04').converge(described_recipe) + end + + it 'should not have UseLogin' do + expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content('UseLogin') + end + + it 'should not have UsePrivilegeSeparation' do + expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content('UsePrivilegeSeparation') + end + end end describe 'UsePAM option' do diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb index 0203587..ef5687c 100644 --- a/templates/default/opensshd.conf.erb +++ b/templates/default/opensshd.conf.erb @@ -88,7 +88,9 @@ KexAlgorithms <%= @kex %> <% if @version.to_f < 7.4 %> UseLogin no <% end %> +<% if @version.to_f < 7.5 %> UsePrivilegeSeparation <%= @use_priv_sep %> +<% end %> PermitUserEnvironment no LoginGraceTime <%= @node['ssh-hardening']['ssh']['server']['login_grace_time'] %> MaxAuthTries <%= @node['ssh-hardening']['ssh']['server']['max_auth_tries'] %> From c9e58c2ea49bc4ef15048f8675ff0e704a7f2770 Mon Sep 17 00:00:00 2001 From: Artem Sidorenko Date: Tue, 16 Oct 2018 17:16:20 +0200 Subject: [PATCH 5/5] Avoid duplicate resource declaration Signed-off-by: Artem Sidorenko --- recipes/client.rb | 4 ++-- recipes/server.rb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/recipes/client.rb b/recipes/client.rb index afa6cb5..8156429 100644 --- a/recipes/client.rb +++ b/recipes/client.rb 
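Review bot: The new gate `<% if @version.to_f < 7.5 %>` repeats the float conversion from the `UseLogin` gate directly above it, so the parsing rule for `@version` now lives in two places and will need a third copy for the next removed directive. Converting once ahead of the first gate, `<% version = @version.to_f %>`, and comparing `version` in both conditions keeps the rule in one spot. A comment on why the directive disappears is also missing: `# UsePrivilegeSeparation was removed in OpenSSH 7.5 (privilege separation is mandatory there)`. Note that the recipe still computes `use_priv_sep` for every version; that is harmless but the value is now unused on 7.5+.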
@@ -20,14 +20,14 @@ # limitations under the License. # -ohai 'reload' do +ohai 'reload openssh-client' do action :nothing end package 'openssh-client' do package_name node['ssh-hardening']['sshclient']['package'] # we need to reload the package version, otherwise we get the version that was installed before cookbook execution - notifies :reload, 'ohai[reload]', :immediate + notifies :reload, 'ohai[reload openssh-client]', :immediately end directory 'openssh-client ssh directory /etc/ssh' do diff --git a/recipes/server.rb b/recipes/server.rb index f64d25d..7e17525 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -40,14 +40,14 @@ directory cache_dir # installs package name -ohai 'reload' do +ohai 'reload openssh-server' do action :nothing end package 'openssh-server' do package_name node['ssh-hardening']['sshserver']['package'] # we need to reload the package version, otherwise we get the version that was installed before cookbook execution - notifies :reload, 'ohai[reload]', :immediate + notifies :reload, 'ohai[reload openssh-server]', :immediately end # Handle addional SELinux policy on RHEL/Fedora for different UsePAM options
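Review bot: `ohai 'reload openssh-client'` reloads every ohai plugin although the comment two lines below it says only the package version needs refreshing; scoping the resource with the ohai resource's `plugin` property, e.g. `plugin 'packages'` inside the `ohai` block, limits the reload to the data actually consumed and avoids re-collecting unrelated node data mid-run (confirm which plugin the version helper reads before narrowing). The same applies to the `ohai 'reload openssh-server'` resource in the server.rb hunk of this commit. The switch from `:immediate` to `:immediately` on the `notifies` line is a spelling alignment; as far as I recall Chef accepts both, so it is not a behaviour change, but the commit message only mentions the duplicate-resource fix and should say so.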