aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuke Hinds <lukehinds@gmail.com>2016-12-08 12:46:40 +0000
committerLuke Hinds <lhinds@redhat.com>2016-12-21 16:45:37 +0000
commit5a1764acf7623ee04d8610793f418ab1d4e2226e (patch)
treeee5a515ad816bfc76909e6d4a072c60b668d3a00
parenta102d35f12e75bbf7fa9c5f91aeaef145f203143 (diff)
Adds ability to populate SSH Banner text
A puppet manifest to allow the toggle of 'Banner' in sshd_config and enable population of an SSH login banner needed for security compliance such as DISA STIG If `Bannertext` is set as a parameter, the `Banner` key within sshd_config is toggled to `/etc/issue` and the content is copied into the `/etc/issue` file Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e Closes-Bug: #1640306
-rw-r--r--manifests/profile/base/sshd.pp61
-rw-r--r--releasenotes/notes/sshd-437c531301f458bb.yaml3
-rw-r--r--spec/classes/tripleo_profile_base_sshd_spec.rb30
3 files changed, 94 insertions, 0 deletions
diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
new file mode 100644
index 0000000..e7916c1
--- /dev/null
+++ b/manifests/profile/base/sshd.pp
@@ -0,0 +1,61 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::sshd
+#
+# SSH profile for tripleo
+#
+# === Parameters
+#
+# [*bannertext*]
+# The text used within SSH Banner
+# Defaults to hiera('BannerText')
+#
+class tripleo::profile::base::sshd (
+ $bannertext = hiera('BannerText', undef),
+) {
+
+ if $bannertext {
+ $action = 'set'
+ } else {
+ $action = 'rm'
+ }
+
+ package {'openssh-server':
+ ensure => installed,
+ }
+
+ augeas { 'sshd_config_banner':
+ context => '/files/etc/ssh/sshd_config',
+ changes => [ "${action} Banner /etc/issue" ],
+ notify => Service['sshd']
+ }
+
+ file { '/etc/issue':
+ ensure => file,
+ backup => false,
+ content => $bannertext,
+ owner => 'root',
+ group => 'root',
+ mode => '0600'
+ }
+
+ service { 'sshd':
+ ensure => 'running',
+ enable => true,
+ hasstatus => false,
+ require => Package['openssh-server'],
+ }
+}
diff --git a/releasenotes/notes/sshd-437c531301f458bb.yaml b/releasenotes/notes/sshd-437c531301f458bb.yaml
new file mode 100644
index 0000000..0086cb0
--- /dev/null
+++ b/releasenotes/notes/sshd-437c531301f458bb.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Added manifest and template to enable configuration of sshd_config
diff --git a/spec/classes/tripleo_profile_base_sshd_spec.rb b/spec/classes/tripleo_profile_base_sshd_spec.rb
new file mode 100644
index 0000000..210b41c
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_sshd_spec.rb
@@ -0,0 +1,30 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::sshd' do
+
+ context 'with banner configured' do
+ it do
+ is_expected.to contain_file('/etc/issue').with({
+ 'owner' => 'root',
+ 'group' => 'root',
+ 'mode' => '0600',
+ })
+ end
+ end
+end