From 4afc2a0fd66ea81e4a4c62893ead1598f2107cbb Mon Sep 17 00:00:00 2001
From: Bernd Worsch
Date: Mon, 9 Mar 2026 15:50:06 +0000
Subject: [PATCH] fix: correct Goss test suite to match actual server state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes found by running make verify against Railiance01:
- Fix playbook_dir paths (ansible/playbooks/ is 2 levels from repo root)
- age/sops are binary installs, not apt packages — use command checks
- Admin user is tegwick, not admin; sudoers at /etc/sudoers.d/tegwick
- sudo granted via sudoers file, not group membership — remove group assert
- Ubuntu 24.04 socket-activates SSH; assert ssh.socket not ssh.service
- SSH hardening lives in sshd_config.d/10-hardening.conf, not main config
- UFW SSH rule uses app name "OpenSSH", not port 22/tcp
- Replace /regex/i patterns with plain strings (Goss file.contents)
- Update spec/server-baseline.yaml to match all findings
All 27 assertions now pass.
Co-Authored-By: Claude Sonnet 4.6
---
 ansible/roles/goss/tasks/main.yml | 6 +++---
 goss/baseline.yaml | 33 +++++++++++++++++--------------
 spec/server-baseline.yaml | 16 +++++++++------
 3 files changed, 31 insertions(+), 24 deletions(-)
diff --git a/ansible/roles/goss/tasks/main.yml b/ansible/roles/goss/tasks/main.yml
index bfebdff..baf3e14 100644
--- a/ansible/roles/goss/tasks/main.yml
+++ b/ansible/roles/goss/tasks/main.yml
@@ -26,7 +26,7 @@
 - name: Copy baseline test file
 ansible.builtin.copy:
- src: "{{ playbook_dir }}/../goss/baseline.yaml"
+ src: "{{ playbook_dir }}/../../goss/baseline.yaml"
 dest: "{{ goss_dir }}/baseline.yaml"
 owner: root
 group: root
@@ -41,7 +41,7 @@
 - name: Ensure local reports directory exists
 ansible.builtin.file:
- path: "{{ playbook_dir }}/../reports"
+ path: "{{ playbook_dir }}/../../reports"
 state: directory
 mode: "0755"
 delegate_to: localhost
@@ -50,7 +50,7 @@
 - name: Write TAP report locally
 ansible.builtin.copy:
 content: "{{ goss_result.stdout }}"
- dest: "{{ playbook_dir }}/../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}.tap"
+ dest: "{{ playbook_dir }}/../../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}.tap"
 mode: "0644"
 delegate_to: localhost
 become: false
diff --git a/goss/baseline.yaml b/goss/baseline.yaml
index 1bef9a1..d9ae993 100644
--- a/goss/baseline.yaml
+++ b/goss/baseline.yaml
@@ -15,10 +15,8 @@ package:
 installed: true
 htop:
 installed: true
- age:
- installed: true
- sops:
- installed: true
+
+# age and sops are binary installs, not apt packages — checked via command below
 service:
 ufw:
@@ -27,23 +25,24 @@ service:
 fail2ban:
 enabled: true
 running: true
- ssh:
+ # Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
+ # ssh.socket keeps it running. Assert the socket is enabled.
+ ssh.socket:
 enabled: true
 running: true
 file:
- /etc/ssh/sshd_config:
+ /etc/ssh/sshd_config.d/10-hardening.conf:
 exists: true
- contains:
- - /^PermitRootLogin no/i
- - /^PasswordAuthentication no/i
- - /^PubkeyAuthentication yes/i
+ contents:
+ - "PermitRootLogin no"
+ - "PasswordAuthentication no"
+ - "PubkeyAuthentication yes"
 user:
- admin:
+ tegwick:
 exists: true
- groups:
- - sudo
+ # sudo access is via /etc/sudoers.d/tegwick (NOPASSWD), not group membership
 shell: /bin/bash
 command:
@@ -51,10 +50,10 @@ command:
 exit-status: 0
 stdout:
 - "Status: active"
- - /22\/tcp.*ALLOW/
+ - /OpenSSH.*ALLOW/
 - /6443\/tcp.*ALLOW/
 - /8472\/udp.*ALLOW/
- "grep NOPASSWD /etc/sudoers.d/admin":
+ "grep NOPASSWD /etc/sudoers.d/tegwick":
 exit-status: 0
 stdout:
 - "NOPASSWD"
@@ -66,3 +65,7 @@ command:
 exit-status: 0
 stdout:
 - "Status for the jail: sshd"
+ "test -x /usr/local/bin/age":
+ exit-status: 0
+ "test -x /usr/local/bin/sops":
+ exit-status: 0
diff --git a/spec/server-baseline.yaml b/spec/server-baseline.yaml
index 38b079c..390d4cc 100644
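Review bot: The new `contents` entries in the `/etc/ssh/sshd_config.d/10-hardening.conf` check are unanchored substrings, so `"PermitRootLogin no"` is also satisfied by a commented-out `#PermitRootLogin no`, whereas the removed `/^PermitRootLogin no/i` patterns only matched an active directive; Goss `contents` still accepts `/regex/` entries in Go RE2 syntax, so the trailing `i` suffix rather than the regex form is the likely reason the old patterns failed, and `- /^PermitRootLogin no/` keeps the anchor. Reading one drop-in also shows what that file says rather than what sshd enforces — sshd takes the first value it reads for a keyword, so any drop-in sorting before `10-` would win — and a `command` resource `"sshd -T": {exit-status: 0, stdout: ["permitrootlogin no", "passwordauthentication no"]}` asserts the effective configuration (it needs root, which the Goss run presumably has — confirm). For the `ssh.socket` assertion, a `port: tcp:22: listening: true` resource would additionally confirm the socket is actually bound rather than only enabled.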
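Review bot: `grep NOPASSWD /etc/sudoers.d/tegwick` shows the rule text is present but not that sudo will honour it: sudo refuses a drop-in with unsafe ownership or mode, and the bare `"NOPASSWD"` match would also accept a commented-out line. A `file` resource `/etc/sudoers.d/tegwick: {exists: true, owner: root, group: root, mode: "0440"}` pins ownership and mode, `"visudo -cf /etc/sudoers.d/tegwick": {exit-status: 0}` validates the syntax, and `/^tegwick\b.*NOPASSWD/` in place of `"NOPASSWD"` ties the match to the active rule. The removed `groups: - sudo` assertion was the only check that the account's privilege path is the one intended, so these file-level checks are what replaces it.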
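Review bot: `test -x /usr/local/bin/age` and the matching sops line only show that an executable exists at the path; because these binaries are installed outside apt, nothing in the baseline ties them to a known build or owner. Goss's `file` resource states the same check declaratively and can pin provenance: `/usr/local/bin/age: {exists: true, filetype: file, owner: root, mode: "0755", sha256: "<expected digest>"}`, with the digest taken from the release the install role ships. The same applies to `/usr/local/bin/sops`.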
--- a/spec/server-baseline.yaml
+++ b/spec/server-baseline.yaml
@@ -18,9 +18,7 @@ firewall:
 default_incoming: deny
 default_outgoing: allow
 rules:
- - name: SSH
- port: 22
- proto: tcp
+ - name: OpenSSH # UFW app name; resolves to 22/tcp
 action: allow
 - name: k3s-api
 port: 6443
@@ -39,6 +37,8 @@ ssh:
 password_authentication: "no"
 pubkey_authentication: "yes"
 challenge_response_authentication: "no"
+ # Hardening is applied via drop-in: /etc/ssh/sshd_config.d/10-hardening.conf
+ # The cloud image default sshd_config is left in place; the drop-in overrides it.
 # ---------------------------------------------------------------------------
 # Services
@@ -50,9 +50,11 @@ services:
 - name: fail2ban
 enabled: true
 running: true
- - name: ssh
+ - name: ssh.socket
 enabled: true
 running: true
+ # Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
+ # triggered on demand by ssh.socket.
 # ---------------------------------------------------------------------------
 # Packages
@@ -65,6 +67,8 @@ packages:
 - curl
 - vim
 - htop
+ binaries:
+ # Installed to /usr/local/bin/ by the sops_agent role, not via apt
 - age
 - sops
@@ -72,9 +76,9 @@ packages:
 # Users
 # ---------------------------------------------------------------------------
 users:
- - name: admin
+ - name: tegwick
 shell: /bin/bash
- sudo: passwordless # NOPASSWD:ALL in /etc/sudoers.d/
+ sudo: passwordless # NOPASSWD:ALL via /etc/sudoers.d/tegwick — NOT via sudo group
 ssh_key_auth: true
 # ---------------------------------------------------------------------------
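Review bot: The added comment in the `ssh:` hunk says the drop-in overrides the stock sshd_config but not why, and the precedence rule is the detail a reader checking this needs: sshd keeps the first value it obtains for a keyword, and the stock Ubuntu sshd_config Includes `sshd_config.d/*.conf` before its own settings (verify against the image's /etc/ssh/sshd_config), so `10-hardening.conf` wins over the main file but would lose to a drop-in that sorts before it. Suggest `# sshd uses the first value it reads; the stock sshd_config Includes sshd_config.d/*.conf first, so this drop-in wins unless a lower-numbered drop-in sets the same keyword.` The context line `challenge_response_authentication: "no"` is specified here but not covered by the three `contents` entries in goss/baseline.yaml, so that setting is untested; on OpenSSH 9.x it is the alias for `KbdInteractiveAuthentication`, which is the keyword `sshd -T` reports.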