dev-sec
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 11 deletions b/‎.gitignore‎
Lines changed: 1 addition & 11 deletions
diff --git a/‎.kitchen.vagrant.yml‎
Lines changed: 27 additions & 11 deletions b/‎.kitchen.vagrant.yml‎
Lines changed: 27 additions & 11 deletions
diff --git a/‎.kitchen.yml‎
Lines changed: 48 additions & 27 deletions b/‎.kitchen.yml‎
Lines changed: 48 additions & 27 deletions
diff --git a/‎.travis.yml‎
Lines changed: 60 additions & 15 deletions b/‎.travis.yml‎
Lines changed: 60 additions & 15 deletions
diff --git a/‎Gemfile‎
Lines changed: 0 additions & 17 deletions b/‎Gemfile‎
Lines changed: 0 additions & 17 deletions
diff --git a/‎README.md‎
Lines changed: 6 additions & 4 deletions b/‎README.md‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎ansible.cfg‎
Lines changed: 14 additions & 0 deletions b/‎ansible.cfg‎
Lines changed: 14 additions & 0 deletions
@@ -1,13 +1,3 @@
-README.pdf
-README.html
-shared_test_repo/
-test/integration
 .kitchen
-coverage
-Vagrantfile.erb
-
-Gemfile.lock
-Berksfile.lock
-
-ansible.cfg
 hosts
+Gemfile.lock
@@ -1,10 +1,14 @@
 ---
 driver:
   name: vagrant
+  driver_config:
+    http_proxy: <%= ENV['http_proxy'] || nil %>
+    https_proxy: <%= ENV['https_proxy'] || nil %>
+  vagrantfiles:
+    - kitchen_vagrant_block.rb
 
 provisioner:
   name: ansible_playbook
-  test_repo_uri: https://github.com/hardening-io/tests-ssh-hardening.git
   hosts: all
   require_ansible_repo: false
   require_ansible_omnibus: true
@@ -13,6 +17,11 @@ provisioner:
   ansible_verbose: true
   roles_path: ../ansible-ssh-hardening/
   playbook: default.yml
+  http_proxy: <%= ENV['http_proxy'] || nil %>
+  https_proxy: <%= ENV['https_proxy'] || nil %>
+
+transport:
+  max_ssh_sessions: 5
 
 platforms:
 - name: ubuntu-12.04
@@ -23,14 +32,25 @@ platforms:
   driver_config:
     box: opscode-ubuntu-14.04
     box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
+- name: ubuntu-16.04
+  driver_config:
+    box: opscode-ubuntu-16.04
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
 - name: centos-6.4
+- name: centos-7.2
   driver_config:
-    box: opscode-centos-6.4
-    box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box
+    box: opscode-centos-7.2
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box
 - name: centos-6.5
   driver_config:
     box: opscode-centos-6.5
     box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
+- name: centos-6.8
+  driver_config:
+    box: bento/centos-6.8
+- name: centos-7
+  driver_config:
+    box: bento/centos-7.2
 - name: oracle-6.4
   driver_config:
     box: oracle-6.4
@@ -39,10 +59,9 @@ platforms:
   driver_config:
     box: oracle-6.5
     box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
-- name: debian-6
+- name: oracle-7
   driver_config:
-    box: debian-6
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box
+    box: boxcutter/ol72
 - name: debian-7
   driver_config:
     box: debian-7
@@ -56,10 +75,7 @@ verifier:
   name: inspec
   sudo: true
   inspec_tests:
-    - https://github.com/dev-sec/tests-ssh-hardening
+    - https://github.com/dev-sec/ssh-baseline/
 
 suites:
-- name: ssh-ansible_1.9
-  provisioner:
-    ansible_version: 1.9.4
-- name: ssh-ansible_latest
+- name: ssh
@@ -1,60 +1,81 @@
 ---
 driver:
   name: docker
-  privileged: true
   use_sudo: false
-  provision_command:
-      - "mkdir /var/run/sshd"
+  privileged: true
+  http_proxy: <%= ENV['http_proxy'] || nil %>
+  https_proxy: <%= ENV['https_proxy'] || nil %>
+
+transport:
+  max_ssh_sessions: 5
+
+transport:
+  max_ssh_sessions: 5
+
 
 provisioner:
   name: ansible_playbook
   hosts: all
   require_ansible_repo: false
-  require_ansible_omnibus: true
   require_chef_for_busser: false
   require_ruby_for_busser: false
   ansible_verbose: true
   ansible_diff: true
   hosts: all
   roles_path: ../ansible-ssh-hardening/
+  http_proxy: <%= ENV['http_proxy'] || nil %>
+  https_proxy: <%= ENV['https_proxy'] || nil %>
   playbook: default.yml
+  ansible_extra_flags:
+    - "--skip-tags=sysctl"
 
 platforms:
-- name: ubuntu-12.04
+- name: centos6-ansible-latest
+  driver:
+    image: rndmh3ro/docker-centos6-ansible:latest
+    platform: centos
+- name: centos7-ansible-latest
   driver:
-    image: ubuntu:12.04
-- name: ubuntu-14.04
+    image: rndmh3ro/docker-centos7-ansible:latest
+    platform: centos
+- name: oracle6-ansible-latest
   driver:
-    image: ubuntu:14.04
-- name: ubuntu-16.04
+    image: rndmh3ro/docker-oracle6-ansible:latest
+    platform: centos
+- name: oracle7-ansible-latest
   driver:
-    image: ubuntu:16.04
-- name: centos-6.6
+    image: rndmh3ro/docker-oracle7-ansible:latest
+    platform: centos
+- name: ubuntu1204-ansible-latest
   driver:
-    image: centos:6.6
-- name: centos-6.7
+    image: rndmh3ro/docker-ubuntu1204-ansible:latest
+    platform: ubuntu
+- name: ubuntu1404-ansible-latest
   driver:
-    image: centos:6.7
-- name: centos-7
+    image: rndmh3ro/docker-ubuntu1404-ansible:latest
+    platform: ubuntu
+- name: ubuntu1604-ansible-latest
   driver:
-    image: centos:7
-    privileged: true
-    run_command: /usr/sbin/init
-- name: debian-7
+    image: rndmh3ro/docker-ubuntu1604-ansible:latest
+    platform: ubuntu
+- name: debian7-ansible-latest
   driver:
-    image: debian:7
-- name: debian-8
+    image: rndmh3ro/docker-debian7-ansible:latest
+    platform: debian
+- name: debian8-ansible-latest
   driver:
-    image: debian:8
+    image: rndmh3ro/docker-debian8-ansible:latest
+    platform: debian
+#- name: debian9-ansible-latest
+#  driver:
+#    image: rndmh3ro/docker-debian9-ansible:latest
+#    platform: debian
 
 verifier:
   name: inspec
   sudo: true
   inspec_tests:
-    - https://github.com/dev-sec/tests-ssh-hardening
+    - https://github.com/dev-sec/ssh-baseline
 
 suites:
-- name: ssh-ansible_1.9
-  provisioner:
-    ansible_version: 1.9.4
-- name: ssh-ansible_latest
+- name: ssh
@@ -1,22 +1,67 @@
 ---
-notifications:
-  webhooks: https://galaxy.ansible.com/api/v1/notifications/
-language: python
-python: "2.7"
+services: docker
 
 env:
-  - ANSIBLE_VERSION=latest
-  - ANSIBLE_VERSION=1.9.4
+  - distro: centos6
+    version: latest
+    init: /sbin/init
+
+  - distro: centos7
+    init: /usr/lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    version: latest
+
+  - distro: oracle6
+    version: latest
+    init: /sbin/init
+
+  - distro: oracle7
+    init: /usr/lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    version: latest
+
+  - distro: ubuntu1604
+    version: latest
+    init: /lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+
+  - distro: ubuntu1404
+    version: latest
+    init: /sbin/init
+
+  - distro: ubuntu1204
+    version: latest
+    init: /sbin/init
+
+  - distro: debian7
+    version: latest
+    init: /sbin/init
+
+  - distro: debian8
+    version: latest
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    init: /sbin/init
+
+#  - distro: debian9
+#    version: latest
+#    init: /lib/systemd/systemd
+#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+
 
 before_install:
- - sudo apt-get update -qq
- - sudo apt-get install -qq python-apt python-pycurl
-install:
-  - if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible; else pip install ansible==$ANSIBLE_VERSION; fi
-  - echo -e 'localhost ansible_connection=local' > spec/inventory
-  - echo -e '[defaults]\nroles_path = ../\nhostfile = ./spec/inventory' > ansible.cfg
+  # Pull container
+  - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
 
 script:
-  - ansible-playbook --syntax-check spec/travis.yml
-  - ansible-playbook --sudo -v --diff spec/travis.yml
-  - ansible-playbook --sudo -v --diff spec/travis.yml --extra-vars "network_ipv6_enable=true ssh_allow_root_with_key=true ssh_client_password_login=true ssh_client_cbc_required=true ssh_server_weak_hmac=true ssh_client_weak_kex=true sftp_enabled=true"
+  - container_id=$(mktemp)
+  # Run container in detached state.
+  - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
+
+  # Test role.
+  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/default.yml'
+
+  # Verify role
+  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id})'
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/
@@ -2,19 +2,6 @@
 
 source 'https://rubygems.org'
 
-group :test do
-  gem 'rake'
-  gem 'foodcritic', '~> 4.0'
-  gem 'thor-foodcritic'
-  gem 'coveralls',  require: false
-end
-
-group :development do
-  gem 'guard'
-  gem 'guard-rspec'
-  gem 'guard-kitchen'
-end
-
 group :integration do
   gem 'test-kitchen', '~> 1.0'
   gem 'kitchen-ansible'
@@ -26,10 +13,6 @@ group :integration do
   gem 'kitchen-docker'
 end
 
-group :openstack do
-  gem 'kitchen-openstack'
-end
-
 group :tools do
   gem 'github_changelog_generator', '~> 1'
 end
@@ -12,7 +12,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 
 ## Requirements
 
-* Ansible
+* Ansible > 2.2.1
 
 ## Role Variables
 | Name           | Default Value | Description                        |
@@ -24,13 +24,13 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_server_weak_hmac` | false |true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.|
 |`ssh_client_weak_kex` | false |true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.|
 |`ssh_server_weak_kex` | false |true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.|
-|`ssh_server_ports` | ['22'] |ports to which ssh-server should listen to|
-|`ssh_client_ports` | ['22'] |ports to which ssh-client should connect to|
+|`ssh_server_ports` | ['22'] |ports on which ssh-server should listen|
+|`ssh_client_port` | '22' |port to which ssh-client should connect|
 |`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
 |`ssh_host_key_files` | ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] |Host keys to look for when starting sshd.|
 |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
 |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
-|`ssh_remote_hosts` | [] | one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!|
+|`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
 |`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.|
 |`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
 |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
@@ -44,6 +44,8 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`sftp_enabled` | false | true to enable sftp configuration|
 |`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
 |`ssh_client_roaming` | false | enable experimental client roaming|
+|`sshd_moduli_minimum` | 2048 | remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam|
+|`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 
 ## Example Playbook
 
 
@@ -0,0 +1,14 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+
+# nearly all parameters can be overridden in ansible-playbook 
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+[defaults]
+ansible_managed = Ansible managed: {file} modified on %Y-%m-%d by {uid} on {host}
+
+role_path = /vagrant
+scp_if_ssh = True