
Commit 395fd03

improve testing in kitchen and travis (#313)
* improve local testing don't use privileged mode, since this grants too many permissions. Fixes several problems with PAM in test images. Reorder options in kitchen configuration to simplify it. Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * check all controls in travis Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * set env vars in travis correctly according to documentation: https://docs.travis-ci.com/user/environment-variables/ Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add arch linux to local tests Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * shorten travis config Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use correct init command for containers Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * try privileged again Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * arch seems to like privilege Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
1 parent 0016239 commit 395fd03


2 files changed

+58
-90
lines changed


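--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -2,7 +2,11 @@
 driver:
   name: docker
   use_sudo: false
-  privileged: true
+  cap_add:
+    - SYS_ADMIN
+  volume:
+    - /sys/fs/cgroup:/sys/fs/cgroup
+  run_command: /sbin/init
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
 
@@ -28,86 +32,96 @@ platforms:
     driver:
       image: rndmh3ro/docker-centos6-ansible:latest
       platform: centos
+      provision_command:
+        - sed -i '/loginuid/d' /etc/pam.d/sshd
+
   - name: centos7-ansible-latest
     driver:
       image: rndmh3ro/docker-centos7-ansible:latest
       platform: centos
-      run_command: /sbin/init
       provision_command:
-        - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+        - sed -i '/nologin/d' /etc/pam.d/sshd
         - systemctl enable sshd.service
+
   - name: centos8-ansible-latest
     driver:
       image: rndmh3ro/docker-centos8-ansible:latest
       platform: centos
-      cap_add:
-        - SYS_ADMIN
-      volume:
-        - /sys/fs/cgroup:/sys/fs/cgroup
-      run_command: /sbin/init
       provision_command:
         - sed -i '/nologin/d' /etc/pam.d/sshd
         - systemctl enable sshd.service
     provisioner:
       ansible_binary_path: "/usr/local/bin"
+
   - name: oracle6-ansible-latest
     driver:
       image: rndmh3ro/docker-oracle6-ansible:latest
       platform: centos
+      provision_command:
+        - sed -i '/loginuid/d' /etc/pam.d/sshd
+
   - name: oracle7-ansible-latest
     driver:
       image: rndmh3ro/docker-oracle7-ansible:latest
-      run_command: /sbin/init
       platform: centos
       provision_command:
-        - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+        - sed -i '/nologin/d' /etc/pam.d/sshd
         - systemctl enable sshd.service
+
   - name: ubuntu1604-ansible-latest
     driver:
       image: rndmh3ro/docker-ubuntu1604-ansible:latest
       platform: ubuntu
-      run_command: /sbin/init
       provision_command:
         - systemctl enable ssh.service
+
   - name: ubuntu1804-ansible-latest
     driver:
       image: rndmh3ro/docker-ubuntu1804-ansible:latest
       platform: ubuntu
-      run_command: /sbin/init
       provision_command:
         - systemctl enable ssh.service
+
   - name: debian9-ansible-latest
     driver:
       image: rndmh3ro/docker-debian9-ansible:latest
       platform: debian
-      run_command: /sbin/init
       provision_command:
         - apt install -y systemd-sysv
         - systemctl enable ssh.service
+
   - name: debian10-ansible-latest
     driver:
       image: rndmh3ro/docker-debian10-ansible
       platform: debian
-      run_command: /sbin/init
       provision_command:
         - apt install -y systemd-sysv
         - systemctl enable ssh.service
+
   - name: amazon-ansible-latest
     driver:
       image: rndmh3ro/docker-amazon-ansible:latest
       platform: centos
-      run_command: /sbin/init
       provision_command:
-        - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+        - sed -i '/nologin/d' /etc/pam.d/sshd
         - systemctl enable sshd.service
+
   - name: fedora-ansible-latest
     driver:
       image: rndmh3ro/docker-fedora-ansible:latest
       platform: centos
-      run_command: /sbin/init
       provision_command:
         - dnf install -y python
-        - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
+  - name: arch-ansible-latest
+    driver:
+      image: rndmh3ro/docker-arch-ansible:latest
+      platform: arch
+      run_command: /usr/lib/systemd/systemd
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
         - systemctl enable sshd.service
 
 verifier: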
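Review bot: The new top-level `volume:` entry (new line 8, `/sys/fs/cgroup:/sys/fs/cgroup`) mounts the host cgroup tree read-write, while `.travis.yml` in the same commit mounts it `:ro`; together with the added `SYS_ADMIN` capability a writable mount lets a test container change host cgroup state, so `- /sys/fs/cgroup:/sys/fs/cgroup:ro` would keep the two configs consistent and the container closer to least privilege. Whether systemd in these images tolerates a read-only cgroup mount is not visible here, but the Travis config already runs that way, so it looks safe to verify. The `sed -i '/loginuid/d'` and `'/nologin/d'` edits to `/etc/pam.d/sshd` replace the earlier `UsePAM no` workaround but carry no explanation; a one-line comment above the first of them such as `# drop pam_loginuid/pam_nologin: presumably they fail inside the test containers and block sshd logins` would tell the next maintainer that the sshd under test now keeps PAM enabled and which PAM modules were removed from the test image.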

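--- a/.travis.yml
+++ b/.travis.yml
@@ -2,74 +2,31 @@
 services: docker
 
 env:
-  - distro: centos6
-    version: latest
-    init: /sbin/init
-    volume: ":"
-
-  - distro: centos7
-    init: /usr/lib/systemd/systemd
-    run_opts: "--privileged"
-    version: latest
-    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: centos8
-    init: /usr/lib/systemd/systemd
-    run_opts: "--privileged"
-    version: latest
-    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: oracle6
-    version: latest
-    init: /sbin/init
-    volume: ":"
-
-  # - distro: oracle7
-  # init: /usr/lib/systemd/systemd
-  # run_opts: "--privileged"
-  # version: latest
-
-  - distro: ubuntu1604
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged"
-    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: ubuntu1804
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged"
-    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: debian9
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged"
-    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: debian10
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged"
-    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: amazon
-    init: /lib/systemd/systemd
-    version: latest
-    run_opts: "--privileged"
-    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: fedora
-    init: /lib/systemd/systemd
-    version: latest
-    run_opts: "--privileged"
-    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: arch
-    init: /lib/systemd/systemd
-    version: latest
-    run_opts: "--privileged"
-    volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  global:
+    - version=latest
+    - init=/sbin/init
+    - run_opts="--cap-add SYS_ADMIN"
+    - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  jobs:
+    - distro=centos6
+      volume=":"
+      run_opts=""
+    - distro=centos7
+    - distro=centos8
+    - distro=oracle6
+      volume=":"
+      run_opts=""
+    # - distro=oracle7
+    - distro=ubuntu1604
+    - distro=ubuntu1804
+    - distro=debian9
+      init=/lib/systemd/systemd
+    - distro=debian10
+    - distro=amazon
+    - distro=fedora
+    - distro=arch
+      init=/usr/lib/systemd/systemd
+      run_opts="--privileged"
 
 before_install:
   # Pull container
@@ -88,10 +45,7 @@ script:
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff'
 
   # Verify role
-  # remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141
-  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 sshd-49 --no-distinct-exit'
-  # remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21
-  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
+  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit'
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/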
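Review bot: `run_opts="--cap-add SYS_ADMIN"` (new line 8) only reaches docker as two arguments if the variable is expanded unquoted at the `docker run` call in `before_install`, which lies outside this hunk; a quoted `"${run_opts}"` there would pass `--cap-add SYS_ADMIN` as a single token and the run would fail, so please confirm the call site or switch to the single-token form `run_opts="--cap-add=SYS_ADMIN"`, which is safe either way. The arch job alone falls back to `run_opts="--privileged"` (new line 29) without a comment; since the point of the commit is to stop running tests as fully privileged containers, record what was observed, e.g. `# arch: systemd in this image does not come up with CAP_SYS_ADMIN alone, so it keeps --privileged`, rather than leaving only the commit message's "seems to like privilege". The multi-line entries under `jobs:` (`- distro=centos6` followed by the more-indented `volume=":"` and `run_opts=""`) are plain-scalar continuations that YAML folds into one space-separated string, which is what Travis expects but reads like nested mappings; a short comment above `jobs:` such as `# each entry folds into one line of space-separated VAR=value assignments` would prevent a later well-meant "fix" from breaking the matrix.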
