test(base): Molecule coverage for ssh hardening + fail2ban
Add explicit base__ssh_authorised_keys: [] default to prevent undefined-var errors in Molecule. Extend verify.yml with sshd drop-in validation, PasswordAuthentication check, and fail2ban jail assertion. Pre-create /run/sshd in ssh.yml so sshd -t works in containers before the service has ever started. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
deec75de0f
commit
a111a20cc8
3 changed files with 24 additions and 0 deletions
@ -19,3 +19,4 @@ base__fail2ban_maxretry: 5
|
|||
base__fail2ban_bantime: 1h
|
||||
base__fail2ban_findtime: 10m
|
||||
# base__ssh_authorised_keys lives in group_vars/all/vars.yml (per-person control keys).
|
||||
base__ssh_authorised_keys: []
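Review bot: With `base__ssh_authorised_keys: []` as the shipped default and the drop-in asserting `PasswordAuthentication no`, a host converged without the group_vars override ends up with no interactive SSH login path at all, assuming this variable is what feeds authorized_keys; the empty list is right for Molecule but the role should refuse that combination on real hosts. A guard such as `ansible.builtin.assert: { that: base__ssh_authorised_keys | length > 0 }` before the drop-in is written, with a scenario-only override to skip it, keeps the convenience default from becoming a lockout. The comment above the key should also say what the default is for, e.g. `# Empty default exists for Molecule only; real hosts must override it in group_vars/all/vars.yml.`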
|
||||
@ -47,3 +47,18 @@
|
|||
- name: Syntax-check the rendered ruleset (no apply)
|
||||
ansible.builtin.command: nft -c -f /etc/nftables.conf
|
||||
changed_when: false
|
||||
|
||||
- name: Sshd drop-in present and config valid
|
||||
ansible.builtin.command: sshd -t
|
||||
changed_when: false
|
||||
tags: [verify]
|
||||
|
||||
- name: PasswordAuthentication is disabled
|
||||
ansible.builtin.command: grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config.d/10-boma.conf
|
||||
changed_when: false
|
||||
tags: [verify]
|
||||
|
||||
- name: Fail2ban sshd jail configured
|
||||
ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
|
||||
changed_when: false
|
||||
tags: [verify]
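Review bot: The PasswordAuthentication check greps only the drop-in, but sshd applies the first value it reads, so a `PasswordAuthentication yes` in an earlier-sorted `sshd_config.d` file or above the `Include` line in `sshd_config` would still win while this task passes; asserting on the effective configuration from `sshd -T` closes that gap. The fail2ban task has the same shape of weakness: a `[sshd]` header proves the section exists, not that it is enabled, so the grep should also cover `^enabled *= *true` (or the check should use `fail2ban-client status sshd` once the service is running in the scenario). The first task's name claims the drop-in is present but only `sshd -t` runs; either add a `stat` on `/etc/ssh/sshd_config.d/10-boma.conf` with an assert on `stat.exists`, or rename it to `Sshd config valid`.
```yaml
# … unchanged: nft syntax check, sshd -t task …

- name: Read the effective sshd configuration
  ansible.builtin.command: sshd -T
  register: sshd_effective
  changed_when: false
  tags: [verify]

- name: PasswordAuthentication is disabled (effective config, not just the drop-in)
  ansible.builtin.assert:
    that: "'passwordauthentication no' in sshd_effective.stdout_lines"
    fail_msg: sshd -T does not report passwordauthentication no
  tags: [verify]

# … unchanged: fail2ban jail check …
```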
|
||||
@ -14,6 +14,14 @@
|
|||
mode: "0644"
|
||||
notify: reload sshd
|
||||
|
||||
- name: Ensure sshd privilege-separation directory exists (required for sshd -t)
|
||||
ansible.builtin.file:
|
||||
path: /run/sshd
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
|
||||
- name: Validate the full sshd config (drop-in included)
|
||||
ansible.builtin.command: sshd -t
|
||||
changed_when: false
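Review bot: When `sshd -t` fails here, the play stops before the `reload sshd` handler runs (handlers are skipped on failure by default), so the running daemon keeps its old config, but the broken drop-in stays on disk and is picked up by the next reboot or any unrelated reload; the template task, whose start is above this hunk, should set `backup: true` and the validation should sit in a `block` whose `rescue` restores that backup. Adding `validate: sshd -t -f %s` to the template would additionally reject syntax errors before the file lands, though it checks the drop-in in isolation and so does not replace the full post-write `sshd -t` in this hunk. The `/run/sshd` task is harmless on systemd hosts, where the service unit creates the directory itself, but its name should say which case it serves, e.g. `Ensure sshd privilege-separation directory exists (needed for sshd -t in containers where sshd has never started)`.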
|
||||
|