fix: correct Goss test suite to match actual server state
Fixes found by running make verify against Railiance01: - Fix playbook_dir paths (ansible/playbooks/ is 2 levels from repo root) - age/sops are binary installs, not apt packages — use command checks - Admin user is tegwick, not admin; sudoers at /etc/sudoers.d/tegwick - sudo granted via sudoers file, not group membership — remove group assert - Ubuntu 24.04 socket-activates SSH; assert ssh.socket not ssh.service - SSH hardening lives in sshd_config.d/10-hardening.conf, not main config - UFW SSH rule uses app name "OpenSSH", not port 22/tcp - Replace /regex/i patterns with plain strings (Goss file.contents) - Update spec/server-baseline.yaml to match all findings All 27 assertions now pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -26,7 +26,7 @@
|
||||
|
||||
- name: Copy baseline test file
|
||||
ansible.builtin.copy:
|
||||
src: "{{ playbook_dir }}/../goss/baseline.yaml"
|
||||
src: "{{ playbook_dir }}/../../goss/baseline.yaml"
|
||||
dest: "{{ goss_dir }}/baseline.yaml"
|
||||
owner: root
|
||||
group: root
|
||||
@@ -41,7 +41,7 @@
|
||||
|
||||
- name: Ensure local reports directory exists
|
||||
ansible.builtin.file:
|
||||
path: "{{ playbook_dir }}/../reports"
|
||||
path: "{{ playbook_dir }}/../../reports"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
delegate_to: localhost
|
||||
@@ -50,7 +50,7 @@
|
||||
- name: Write TAP report locally
|
||||
ansible.builtin.copy:
|
||||
content: "{{ goss_result.stdout }}"
|
||||
dest: "{{ playbook_dir }}/../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}.tap"
|
||||
dest: "{{ playbook_dir }}/../../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}.tap"
|
||||
mode: "0644"
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
|
||||
@@ -15,10 +15,8 @@ package:
|
||||
installed: true
|
||||
htop:
|
||||
installed: true
|
||||
age:
|
||||
installed: true
|
||||
sops:
|
||||
installed: true
|
||||
|
||||
# age and sops are binary installs, not apt packages — checked via command below
|
||||
|
||||
service:
|
||||
ufw:
|
||||
@@ -27,23 +25,24 @@ service:
|
||||
fail2ban:
|
||||
enabled: true
|
||||
running: true
|
||||
ssh:
|
||||
# Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
|
||||
# ssh.socket keeps it running. Assert the socket is enabled.
|
||||
ssh.socket:
|
||||
enabled: true
|
||||
running: true
|
||||
|
||||
file:
|
||||
/etc/ssh/sshd_config:
|
||||
/etc/ssh/sshd_config.d/10-hardening.conf:
|
||||
exists: true
|
||||
contains:
|
||||
- /^PermitRootLogin no/i
|
||||
- /^PasswordAuthentication no/i
|
||||
- /^PubkeyAuthentication yes/i
|
||||
contents:
|
||||
- "PermitRootLogin no"
|
||||
- "PasswordAuthentication no"
|
||||
- "PubkeyAuthentication yes"
|
||||
|
||||
user:
|
||||
admin:
|
||||
tegwick:
|
||||
exists: true
|
||||
groups:
|
||||
- sudo
|
||||
# sudo access is via /etc/sudoers.d/tegwick (NOPASSWD), not group membership
|
||||
shell: /bin/bash
|
||||
|
||||
command:
|
||||
@@ -51,10 +50,10 @@ command:
|
||||
exit-status: 0
|
||||
stdout:
|
||||
- "Status: active"
|
||||
- /22\/tcp.*ALLOW/
|
||||
- /OpenSSH.*ALLOW/
|
||||
- /6443\/tcp.*ALLOW/
|
||||
- /8472\/udp.*ALLOW/
|
||||
"grep NOPASSWD /etc/sudoers.d/admin":
|
||||
"grep NOPASSWD /etc/sudoers.d/tegwick":
|
||||
exit-status: 0
|
||||
stdout:
|
||||
- "NOPASSWD"
|
||||
@@ -66,3 +65,7 @@ command:
|
||||
exit-status: 0
|
||||
stdout:
|
||||
- "Status for the jail: sshd"
|
||||
"test -x /usr/local/bin/age":
|
||||
exit-status: 0
|
||||
"test -x /usr/local/bin/sops":
|
||||
exit-status: 0
|
||||
|
||||
@@ -18,9 +18,7 @@ firewall:
|
||||
default_incoming: deny
|
||||
default_outgoing: allow
|
||||
rules:
|
||||
- name: SSH
|
||||
port: 22
|
||||
proto: tcp
|
||||
- name: OpenSSH # UFW app name; resolves to 22/tcp
|
||||
action: allow
|
||||
- name: k3s-api
|
||||
port: 6443
|
||||
@@ -39,6 +37,8 @@ ssh:
|
||||
password_authentication: "no"
|
||||
pubkey_authentication: "yes"
|
||||
challenge_response_authentication: "no"
|
||||
# Hardening is applied via drop-in: /etc/ssh/sshd_config.d/10-hardening.conf
|
||||
# The cloud image default sshd_config is left in place; the drop-in overrides it.
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Services
|
||||
@@ -50,9 +50,11 @@ services:
|
||||
- name: fail2ban
|
||||
enabled: true
|
||||
running: true
|
||||
- name: ssh
|
||||
- name: ssh.socket
|
||||
enabled: true
|
||||
running: true
|
||||
# Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
|
||||
# triggered on demand by ssh.socket.
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Packages
|
||||
@@ -65,6 +67,8 @@ packages:
|
||||
- curl
|
||||
- vim
|
||||
- htop
|
||||
binaries:
|
||||
# Installed to /usr/local/bin/ by the sops_agent role, not via apt
|
||||
- age
|
||||
- sops
|
||||
|
||||
@@ -72,9 +76,9 @@ packages:
|
||||
# Users
|
||||
# ---------------------------------------------------------------------------
|
||||
users:
|
||||
- name: admin
|
||||
- name: tegwick
|
||||
shell: /bin/bash
|
||||
sudo: passwordless # NOPASSWD:ALL in /etc/sudoers.d/
|
||||
sudo: passwordless # NOPASSWD:ALL via /etc/sudoers.d/tegwick — NOT via sudo group
|
||||
ssh_key_auth: true
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user