
Commit be0e7f7

schurziSebastian Gumprichrndmh3ro
authored
add support for CentOS8 (#309)
* add testing for CentOS8: adds testing environments for CentOS8 to local Kitchen and remote Travis tests. Currently only local Kitchen Docker tests are verified. Signed-off-by: Martin Schurz <[email protected]> * disable system wide CRYPTO_POLICY on RHEL8+: by default sshd will not use the crypto settings from sshd_config. To make the settings effective we need to disable the system wide CRYPTO_POLICY. See: https://access.redhat.com/solutions/4410591 Signed-off-by: Martin Schurz <[email protected]> * Set volume variable for travis tests to use cgroups mount where needed. Signed-off-by: Sebastian Gumprich <[email protected]> Co-authored-by: Sebastian Gumprich <[email protected]> Co-authored-by: Sebastian Gumprich <[email protected]>
1 parent 6626617 commit be0e7f7


5 files changed

+58
-11
lines changed


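--- a/.kitchen.vagrant.yml
+++ b/.kitchen.vagrant.yml
@@ -33,6 +33,9 @@ platforms:
 - name: centos-7
 driver_config:
 box: bento/centos-7
+- name: centos-8
+driver_config:
+box: bento/centos-8
 - name: oracle-6
 driver_config:
 box: bento/oracle-6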

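--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -36,6 +36,20 @@ platforms:
 provision_command:
 - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
 - systemctl enable sshd.service
+- name: centos8-ansible-latest
+driver:
+image: rndmh3ro/docker-centos8-ansible:latest
+platform: centos
+cap_add:
+- SYS_ADMIN
+volume:
+- /sys/fs/cgroup:/sys/fs/cgroup
+run_command: /sbin/init
+provision_command:
+- sed -i '/nologin/d' /etc/pam.d/sshd
+- systemctl enable sshd.service
+provisioner:
+ansible_binary_path: "/usr/local/bin"
 - name: oracle6-ansible-latest
 driver:
 image: rndmh3ro/docker-oracle6-ansible:latest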
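Review bot: The new centos8 platform mounts `/sys/fs/cgroup:/sys/fs/cgroup` read-write, while every cgroup mount this same commit writes into .travis.yml is `:ro`; a systemd-driven test container only needs to read that tree, so `- /sys/fs/cgroup:/sys/fs/cgroup:ro` keeps Kitchen and Travis consistent and gives a container that already has SYS_ADMIN less of the host to write to. The provision step `sed -i '/nologin/d' /etc/pam.d/sshd` also deserves a comment, because deleting the pam_nologin line is a test-image concession that should never be copied into a real host configuration; something like `# test container only: drop pam_nologin so sshd logins are not refused while /run/nologin exists` above that line would make the intent explicit (the exact reason it was needed is inferred, not visible here).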

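--- a/.travis.yml
+++ b/.travis.yml
@@ -5,55 +5,71 @@ env:
 - distro: centos6
 version: latest
 init: /sbin/init
+volume: ":"
 
 - distro: centos7
 init: /usr/lib/systemd/systemd
-run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+run_opts: "--privileged"
 version: latest
+volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+
+- distro: centos8
+init: /usr/lib/systemd/systemd
+run_opts: "--privileged"
+version: latest
+volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 - distro: oracle6
 version: latest
 init: /sbin/init
+volume: ":"
 
 # - distro: oracle7
 # init: /usr/lib/systemd/systemd
-# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+# run_opts: "--privileged"
 # version: latest
 
 - distro: ubuntu1604
 version: latest
 init: /lib/systemd/systemd
-run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+run_opts: "--privileged"
+volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 - distro: ubuntu1804
 version: latest
 init: /lib/systemd/systemd
-run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+run_opts: "--privileged"
+volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 - distro: debian9
 version: latest
 init: /lib/systemd/systemd
-run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+run_opts: "--privileged"
+volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 - distro: debian10
 version: latest
 init: /lib/systemd/systemd
-run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+run_opts: "--privileged"
+volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 - distro: amazon
 init: /lib/systemd/systemd
 version: latest
-run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+run_opts: "--privileged"
+volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 - distro: fedora
 init: /lib/systemd/systemd
 version: latest
-run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+run_opts: "--privileged"
+volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 - distro: arch
 init: /lib/systemd/systemd
 version: latest
-run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+run_opts: "--privileged"
+volume: "/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 before_install:
 # Pull container
@@ -65,15 +81,15 @@ script:
 
 - container_id=$(mktemp)
 # Run container in detached state.
-- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
+- 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
 # Test role.
 - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff'
 - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff'
 
 # Verify role
 # remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141
-- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit'
+- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 sshd-49 --no-distinct-exit'
 # remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21
 - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
 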
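Review bot: The `volume: ":"` sentinel on the centos6 and oracle6 entries exists only because the docker run line in the script hunk now passes `--volume="${volume}"` unconditionally, and nothing in the env matrix tells a reader why a bare colon is being mounted. Either document it where it is set, e.g. `# sysvinit images need no cgroup mount; ":" keeps the mandatory --volume flag non-empty`, or make the flag conditional in the run line with `${volume:+--volume="${volume}"}` and drop the sentinel entirely; the second form also means a future entry that forgets `volume` degrades gracefully instead of handing docker an empty `--volume=`. The commented-out oracle7 block was updated to `run_opts: "--privileged"` but was not given a `volume` line, so re-enabling it as written would hit exactly that case. Whether docker accepts `":"` as a volume spec on every engine version the CI images run is not something the hunk establishes, so I would not rely on it.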

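--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -262,3 +262,7 @@ sshd_syslog_facility: 'AUTH'
 sshd_log_level: 'VERBOSE'
 
 sshd_strict_modes: yes
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true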
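Review bot: The comment above `sshd_disable_crypto_policy` says what the task does but not what an operator trades away: on RHEL 8-family hosts the system-wide crypto policy overrides the Ciphers/MACs/KexAlgorithms written to sshd_config (which is why the commit message says sshd ignores them), so `true` makes this role's values the effective ones and `false` leaves the OS policy, including a FIPS or FUTURE policy the host may be required to enforce, in control of sshd. I would extend the comment to state both sides, e.g. `# RHEL 8+: the system crypto policy overrides ciphers/MACs/KEX in sshd_config; true makes the role's values effective, false keeps the OS policy (e.g. FIPS) in charge of sshd`. None of the five files in this commit is the README, so the new variable is presumably undocumented for users of the role.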

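--- a/tasks/hardening.yml
+++ b/tasks/hardening.yml
@@ -97,3 +97,13 @@
 - name: include selinux specific tasks
 include_tasks: selinux.yml
 when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"
+
+- name: disable system CRYPTO_POLICY for RHEL8+
+lineinfile:
+path: /etc/sysconfig/sshd
+regexp: 'CRYPTO_POLICY='
+line: CRYPTO_POLICY=
+when:
+- ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
+- ansible_facts.distribution_version is version('8.0', '>=')
+- sshd_disable_crypto_policy | bool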
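Review bot: `regexp: 'CRYPTO_POLICY='` is unanchored, so it also matches a commented example line or any prose comment containing that text in /etc/sysconfig/sshd, and lineinfile rewrites the last such match rather than a real assignment; `regexp: '^#?\s*CRYPTO_POLICY='` (or the stricter `'^CRYPTO_POLICY='`) pins it to an assignment at line start and keeps the task idempotent against a file that has been hand-edited. The task also carries no `notify`, so the running sshd keeps the system policy until something else restarts it; if the role has a restart handler (not visible in this hunk) add `notify: <restart-sshd handler name>`. The distribution list excludes Fedora even though the Travis matrix in this commit tests it and it uses the same crypto-policies mechanism to my knowledge, so either add it or leave a comment on why it is out of scope.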
