From 5a1764acf7623ee04d8610793f418ab1d4e2226e Mon Sep 17 00:00:00 2001
From: Luke Hinds
Date: Thu, 8 Dec 2016 12:46:40 +0000
Subject: Adds ability to populate SSH Banner text

A puppet manifest to allow the toggle of 'Banner' in sshd_config and enable population of an SSH login banner needed for security compliance such as DISA STIG

If `Bannertext` is set as a parameter, the `Banner` key within sshd_config is toggled to `/etc/issue` and the content is copied into the `/etc/issue` file

Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
---
manifests/profile/base/sshd.pp | 61 ++++++++++++++++++++++++++
releasenotes/notes/sshd-437c531301f458bb.yaml | 3 ++
spec/classes/tripleo_profile_base_sshd_spec.rb | 30 +++++++++++++
3 files changed, 94 insertions(+)
create mode 100644 manifests/profile/base/sshd.pp
create mode 100644 releasenotes/notes/sshd-437c531301f458bb.yaml
create mode 100644 spec/classes/tripleo_profile_base_sshd_spec.rb
diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
new file mode 100644
index 0000000..e7916c1
--- /dev/null
+++ b/manifests/profile/base/sshd.pp
@@ -0,0 +1,61 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::sshd
+#
+# SSH profile for tripleo
+#
+# === Parameters
+#
+# [*bannertext*]
+# The text used within SSH Banner
+# Defaults to hiera('BannerText')
+#
+class tripleo::profile::base::sshd (
+ $bannertext = hiera('BannerText', undef),
+) {
+
+ if $bannertext {
+ $action = 'set'
+ } else {
+ $action = 'rm'
+ }
+
+ package {'openssh-server':
+ ensure => installed,
+ }
+
+ augeas { 'sshd_config_banner':
+ context => '/files/etc/ssh/sshd_config',
+ changes => [ "${action} Banner /etc/issue" ],
+ notify => Service['sshd']
+ }
+
+ file { '/etc/issue':
+ ensure => file,
+ backup => false,
+ content => $bannertext,
+ owner => 'root',
+ group => 'root',
+ mode => '0600'
+ }
+
+ service { 'sshd':
+ ensure => 'running',
+ enable => true,
+ hasstatus => false,
+ require => Package['openssh-server'],
+ }
+}
diff --git a/releasenotes/notes/sshd-437c531301f458bb.yaml b/releasenotes/notes/sshd-437c531301f458bb.yaml
new file mode 100644
index 0000000..0086cb0
--- /dev/null
+++ b/releasenotes/notes/sshd-437c531301f458bb.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Added manifest and template to enable configuration of sshd_config
diff --git a/spec/classes/tripleo_profile_base_sshd_spec.rb b/spec/classes/tripleo_profile_base_sshd_spec.rb
new file mode 100644
index 0000000..210b41c
--- /dev/null
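Review bot: When `$bannertext` is unset the augeas change string becomes `rm Banner /etc/issue`, which hands Augeas's single-argument `rm` a trailing `/etc/issue` token; whether the provider ignores or rejects that extra argument is not visible here, so it is safer to build the whole change per branch: `$action = 'set Banner /etc/issue'` / `$action = 'rm Banner'` and `changes => [ $action ],`. The `file { '/etc/issue': ... }` resource is still applied in the `rm` branch with `content => undef`, so an existing distribution banner keeps its text but is re-owned and chmodded to `0600` with `backup => false`; guarding that resource with `if $bannertext`, or documenting that it is intentional, would make the no-banner path a true no-op. The `[*bannertext*]` parameter doc should state both outcomes, e.g. `# When set, Banner in sshd_config points at /etc/issue and the text is written there; when unset, the Banner directive is removed`. Style: `package {'openssh-server':` lacks a space after the brace, the `notify` and `mode` lines lack trailing commas, and arrow alignment varies between resources, all of which puppet-lint would flag.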
+++ b/spec/classes/tripleo_profile_base_sshd_spec.rb
@@ -0,0 +1,30 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::sshd' do
+
+ context 'with banner configured' do
+ it do
+ is_expected.to contain_file('/etc/issue').with({
+ 'owner' => 'root',
+ 'group' => 'root',
+ 'mode' => '0600',
+ })
+ end
+ end
+end
-- 
cgit 1.2.3-korg
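Review bot: The `'with banner configured'` context never sets the `bannertext` parameter (there is no `let(:params)`), so with the manifest's default of `undef` it actually exercises the no-banner path while claiming the opposite, and it asserts nothing about the Banner directive or the file content. Add `let(:params) { { :bannertext => 'Authorized use only' } }` (sample text) and assert `is_expected.to contain_augeas('sshd_config_banner').with_changes(['set Banner /etc/issue'])` together with `.with_content('Authorized use only')` on the `/etc/issue` file. A second context with no params should then pin the removal branch by asserting the `rm` change string the manifest emits, so a regression in either branch is caught. The matchers are assumed to come from rspec-puppet via `spec_helper`, which is outside this patch.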