fix: correct Goss test suite to match actual server state

Fixes found by running make verify against Railiance01: - Fix playbook_dir paths (ansible/playbooks/ is 2 levels from repo root) - age/sops are binary installs, not apt packages — use command checks - Admin user is tegwick, not admin; sudoers at /etc/sudoers.d/tegwick - sudo granted via sudoers file, not group membership — remove group assert - Ubuntu 24.04 socket-activates SSH; assert ssh.socket not ssh.service - SSH hardening lives in sshd_config.d/10-hardening.conf, not main config - UFW SSH rule uses app name "OpenSSH", not port 22/tcp - Replace /regex/i patterns with plain strings (Goss file.contents) - Update spec/server-baseline.yaml to match all findings All 27 assertions now pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 15:50:06 +00:00
parent 8f5799553e
commit 4afc2a0fd6
3 changed files with 31 additions and 24 deletions
--- a/ansible/roles/goss/tasks/main.yml
+++ b/ansible/roles/goss/tasks/main.yml
@@ -26,7 +26,7 @@
 - name: Copy baseline test file
  ansible.builtin.copy:
-    src: "{{ playbook_dir }}/../goss/baseline.yaml"
+    src: "{{ playbook_dir }}/../../goss/baseline.yaml"
    dest: "{{ goss_dir }}/baseline.yaml"
    owner: root
    group: root
@@ -41,7 +41,7 @@
 - name: Ensure local reports directory exists
  ansible.builtin.file:
-    path: "{{ playbook_dir }}/../reports"
+    path: "{{ playbook_dir }}/../../reports"
    state: directory
    mode: "0755"
  delegate_to: localhost
@@ -50,7 +50,7 @@
 - name: Write TAP report locally
  ansible.builtin.copy:
    content: "{{ goss_result.stdout }}"
-    dest: "{{ playbook_dir }}/../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}.tap"
+    dest: "{{ playbook_dir }}/../../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}.tap"
    mode: "0644"
  delegate_to: localhost
  become: false
--- a/goss/baseline.yaml
+++ b/goss/baseline.yaml
@@ -15,10 +15,8 @@ package:
    installed: true
  htop:
    installed: true
-  age:
+
-    installed: true
+# age and sops are binary installs, not apt packages — checked via command below
  sops:
    installed: true
 service:
  ufw:
@@ -27,23 +25,24 @@ service:
  fail2ban:
    enabled: true
    running: true
-  ssh:
+  # Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
  # ssh.socket keeps it running. Assert the socket is enabled.
  ssh.socket:
    enabled: true
    running: true
 file:
-  /etc/ssh/sshd_config:
+  /etc/ssh/sshd_config.d/10-hardening.conf:
    exists: true
-    contains:
+    contents:
-      - /^PermitRootLogin no/i
+      - "PermitRootLogin no"
-      - /^PasswordAuthentication no/i
+      - "PasswordAuthentication no"
-      - /^PubkeyAuthentication yes/i
+      - "PubkeyAuthentication yes"
 user:
-  admin:
+  tegwick:
    exists: true
-    groups:
+    # sudo access is via /etc/sudoers.d/tegwick (NOPASSWD), not group membership
      - sudo
    shell: /bin/bash
 command:
@@ -51,10 +50,10 @@ command:
    exit-status: 0
    stdout:
      - "Status: active"
-      - /22\/tcp.*ALLOW/
+      - /OpenSSH.*ALLOW/
      - /6443\/tcp.*ALLOW/
      - /8472\/udp.*ALLOW/
-  "grep NOPASSWD /etc/sudoers.d/admin":
+  "grep NOPASSWD /etc/sudoers.d/tegwick":
    exit-status: 0
    stdout:
      - "NOPASSWD"
@@ -66,3 +65,7 @@ command:
    exit-status: 0
    stdout:
      - "Status for the jail: sshd"
  "test -x /usr/local/bin/age":
    exit-status: 0
  "test -x /usr/local/bin/sops":
    exit-status: 0
--- a/spec/server-baseline.yaml
+++ b/spec/server-baseline.yaml
@@ -18,9 +18,7 @@ firewall:
  default_incoming: deny
  default_outgoing: allow
  rules:
-    - name: SSH
+    - name: OpenSSH   # UFW app name; resolves to 22/tcp
      port: 22
      proto: tcp
      action: allow
    - name: k3s-api
      port: 6443
@@ -39,6 +37,8 @@ ssh:
  password_authentication: "no"
  pubkey_authentication: "yes"
  challenge_response_authentication: "no"
  # Hardening is applied via drop-in: /etc/ssh/sshd_config.d/10-hardening.conf
  # The cloud image default sshd_config is left in place; the drop-in overrides it.
 # ---------------------------------------------------------------------------
 # Services
@@ -50,9 +50,11 @@ services:
  - name: fail2ban
    enabled: true
    running: true
-  - name: ssh
+  - name: ssh.socket
    enabled: true
    running: true
    # Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
    # triggered on demand by ssh.socket.
 # ---------------------------------------------------------------------------
 # Packages
@@ -65,6 +67,8 @@ packages:
    - curl
    - vim
    - htop
  binaries:
    # Installed to /usr/local/bin/ by the sops_agent role, not via apt
    - age
    - sops
@@ -72,9 +76,9 @@ packages:
 # Users
 # ---------------------------------------------------------------------------
 users:
-  - name: admin
+  - name: tegwick
    shell: /bin/bash
-    sudo: passwordless  # NOPASSWD:ALL in /etc/sudoers.d/
+    sudo: passwordless  # NOPASSWD:ALL via /etc/sudoers.d/tegwick — NOT via sudo group
    ssh_key_auth: true
 # ---------------------------------------------------------------------------