coulomb/railiance-infra
0
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity
Files
4afc2a0fd66ea81e4a4c62893ead1598f2107cbb
railiance-infra/goss/baseline.yaml
Bernd Worsch 4afc2a0fd6 fix: correct Goss test suite to match actual server state 
Fixes found by running make verify against Railiance01:

- Fix playbook_dir paths (ansible/playbooks/ is 2 levels from repo root)
- age/sops are binary installs, not apt packages — use command checks
- Admin user is tegwick, not admin; sudoers at /etc/sudoers.d/tegwick
- sudo granted via sudoers file, not group membership — remove group assert
- Ubuntu 24.04 socket-activates SSH; assert ssh.socket not ssh.service
- SSH hardening lives in sshd_config.d/10-hardening.conf, not main config
- UFW SSH rule uses app name "OpenSSH", not port 22/tcp
- Replace /regex/i patterns with plain strings (Goss file.contents)
- Update spec/server-baseline.yaml to match all findings

All 27 assertions now pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 15:50:06 +00:00

72 lines
1.5 KiB
YAML
Raw Blame History

# Goss baseline assertions for railiance managed nodes
# Derived from spec/server-baseline.yaml — keep in sync.
# Run: goss -g /etc/goss/baseline.yaml validate
package:
ufw:
installed: true
fail2ban:
installed: true
git:
installed: true
curl:
installed: true
vim:
installed: true
htop:
installed: true
# age and sops are binary installs, not apt packages — checked via command below
service:
ufw:
enabled: true
running: true
fail2ban:
enabled: true
running: true
# Ubuntu 24.04 uses socket activation: ssh.service is disabled by design,
# ssh.socket keeps it running. Assert the socket is enabled.
ssh.socket:
enabled: true
running: true
file:
/etc/ssh/sshd_config.d/10-hardening.conf:
exists: true
contents:
- "PermitRootLogin no"
- "PasswordAuthentication no"
- "PubkeyAuthentication yes"
user:
tegwick:
exists: true
# sudo access is via /etc/sudoers.d/tegwick (NOPASSWD), not group membership
shell: /bin/bash
command:
"ufw status":
exit-status: 0
stdout:
- "Status: active"
- /OpenSSH.*ALLOW/
- /6443\/tcp.*ALLOW/
- /8472\/udp.*ALLOW/
"grep NOPASSWD /etc/sudoers.d/tegwick":
exit-status: 0
stdout:
- "NOPASSWD"
"grep -r HISTCONTROL /etc/profile.d/":
exit-status: 0
stdout:
- "ignorespace"
"fail2ban-client status sshd":
exit-status: 0
stdout:
- "Status for the jail: sshd"
"test -x /usr/local/bin/age":
exit-status: 0
"test -x /usr/local/bin/sops":
exit-status: 0
Reference in New Issue View Git Blame Copy Permalink