test(base): Molecule coverage for ssh hardening + fail2ban
Add explicit base__ssh_authorised_keys: [] default to prevent undefined-var errors in Molecule. Extend verify.yml with sshd drop-in validation, PasswordAuthentication check, and fail2ban jail assertion. Pre-create /run/sshd in ssh.yml so sshd -t works in containers before the service has ever started. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
deec75de0f
commit
a111a20cc8
3 changed files with 24 additions and 0 deletions
@ -19,3 +19,4 @@ base__fail2ban_maxretry: 5
|
||||||
base__fail2ban_bantime: 1h
|
base__fail2ban_bantime: 1h
|
||||||
base__fail2ban_findtime: 10m
|
base__fail2ban_findtime: 10m
|
||||||
# base__ssh_authorised_keys lives in group_vars/all/vars.yml (per-person control keys).
|
# base__ssh_authorised_keys lives in group_vars/all/vars.yml (per-person control keys).
|
||||||
|
base__ssh_authorised_keys: []
|
||||||
|
|
|
||||||
|
|
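Review bot: The new empty `base__ssh_authorised_keys: []` default turns a missing group_vars override from an undefined-variable error into a silent lockout: a host that does not receive the per-person keys ends up with no control keys while the same role enforces `PasswordAuthentication no`. How the role consumes the list is outside this hunk, but if it renders `authorized_keys` from it, the ssh tasks should refuse to proceed on an empty list unless a Molecule/test flag is set, e.g. `ansible.builtin.assert: { that: base__ssh_authorised_keys | length > 0, fail_msg: "no control keys defined" }` guarded by `when: not (base__molecule_test | default(false))` or whatever flag the role already uses. The comment kept above the new line still says the variable "lives in group_vars", which now reads as contradicting the default; make the intent explicit: `# Empty default exists only so Molecule converges; real hosts must set this in group_vars/all/vars.yml.`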
@ -47,3 +47,18 @@
|
||||||
- name: Syntax-check the rendered ruleset (no apply)
|
- name: Syntax-check the rendered ruleset (no apply)
|
||||||
ansible.builtin.command: nft -c -f /etc/nftables.conf
|
ansible.builtin.command: nft -c -f /etc/nftables.conf
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
- name: Sshd drop-in present and config valid
|
||||||
|
ansible.builtin.command: sshd -t
|
||||||
|
changed_when: false
|
||||||
|
tags: [verify]
|
||||||
|
|
||||||
|
- name: PasswordAuthentication is disabled
|
||||||
|
ansible.builtin.command: grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config.d/10-boma.conf
|
||||||
|
changed_when: false
|
||||||
|
tags: [verify]
|
||||||
|
|
||||||
|
- name: Fail2ban sshd jail configured
|
||||||
|
ansible.builtin.command: grep -q '^\[sshd\]' /etc/fail2ban/jail.d/sshd.local
|
||||||
|
changed_when: false
|
||||||
|
tags: [verify]
|
||||||
|
|
|
||||||
|
|
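Review bot: The `PasswordAuthentication is disabled` task greps the text of `10-boma.conf`, not what sshd actually resolves; sshd keeps the first value it reads for a keyword, so a drop-in that sorts before `10-` in `sshd_config.d`, or a `PasswordAuthentication` line placed above the `Include` in the main config, would win while this assertion still passes. Check the effective configuration instead, which `sshd -T` prints with lowercased keywords: `ansible.builtin.shell: sshd -T | grep -q '^passwordauthentication no'` (it needs `/run/sshd` like `sshd -t`; the converge step appears to create it, so this should hold on the tested instance). The `Fail2ban sshd jail configured` task only proves a `[sshd]` header exists, not that the jail is enabled; `grep -qE '^enabled\s*=\s*true' /etc/fail2ban/jail.d/sshd.local` would at least pin that, and `fail2ban-client status sshd` is the stronger check if the service runs in the test container.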
@ -14,6 +14,14 @@
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
|
|
||||||
|
- name: Ensure sshd privilege-separation directory exists (required for sshd -t)
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /run/sshd
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
- name: Validate the full sshd config (drop-in included)
|
- name: Validate the full sshd config (drop-in included)
|
||||||
ansible.builtin.command: sshd -t
|
ansible.builtin.command: sshd -t
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
|
||||||
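Review bot: The full `sshd -t` runs only after the drop-in is already written (the task sits after `notify: reload sshd`), so a bad render fails the play but leaves a broken `/etc/ssh/sshd_config.d/10-boma.conf` on disk, where the next sshd restart outside this play would pick it up. Add `validate: /usr/sbin/sshd -t -f %s` to the template task that writes the drop-in (its start is outside this hunk) so the file is syntax-checked before it replaces the previous one, and keep the new include-aware `sshd -t` here as the second check. Pre-creating `/run/sshd` with `0755` root:root matches what sshd requires of its privilege-separation directory; on real hosts the sshd unit presumably creates it anyway, so the task is harmless there, though note that `sshd -t` also needs host keys to exist, which this task does not guarantee in a fresh container.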