add testing for OpenBSD and FreeBSD (#642)

* add testing for OpenBSD and FreeBSD

Signed-off-by: Martin Schurz <[email protected]>

* make python work

Signed-off-by: Martin Schurz <[email protected]>

* remove jinja template ...

Signed-off-by: Martin Schurz <[email protected]>

* make verify work

Signed-off-by: Martin Schurz <[email protected]>

* correct verify

Signed-off-by: Martin Schurz <[email protected]>

* correct verify

Signed-off-by: Martin Schurz <[email protected]>

* correct verify

Signed-off-by: Martin Schurz <[email protected]>

* correct verify

Signed-off-by: Martin Schurz <[email protected]>

* use right vm name for connect

Signed-off-by: Martin Schurz <[email protected]>

* add a bit of documentation

Signed-off-by: Martin Schurz <[email protected]>

* remove sudo

Signed-off-by: Martin Schurz <[email protected]>

* add weird OpenSBD workaround

Signed-off-by: Martin Schurz <[email protected]>

* make verify playbook more consistent

Signed-off-by: Martin Schurz <[email protected]>

* rename nonlinux to BSD

Signed-off-by: Martin Schurz <[email protected]>

* use openbsd7 for testing

Signed-off-by: Martin Schurz <[email protected]>

* correct use openbsd7 everywhere

Signed-off-by: Martin Schurz <[email protected]>

* add waivers

Signed-off-by: Martin Schurz <[email protected]>

* update waiver descriptions

Signed-off-by: Martin Schurz <[email protected]>

* use docker for inspec

Signed-off-by: Martin Schurz <[email protected]>

* keep looking right ;)

Signed-off-by: Martin Schurz <[email protected]>

* correct path to waivers

Signed-off-by: Martin Schurz <[email protected]>

* use ephemeral directory in docker

Signed-off-by: Martin Schurz <[email protected]>

* use bsd inspec profile

Signed-off-by: Martin Schurz <[email protected]>

* remove openbsd workaround

Signed-off-by: Martin Schurz <[email protected]>

* re-add openbsd workaround

Signed-off-by: Martin Schurz <[email protected]>

* commit suggestions

Signed-off-by: Martin Schurz <[email protected]>

* add supportet OS to metadata

Signed-off-by: Martin Schurz <[email protected]>

* use current python

Signed-off-by: Martin Schurz <[email protected]>

---------

Signed-off-by: Martin Schurz <[email protected]>

Author: schurzi

.github/workflows/ssh_hardening_bsd.yml

@@ -0,0 +1,52 @@
+---
+name: "devsec.ssh_hardening BSD"
+on:  # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  push:
+    branches: [master]
+    paths:
+      - 'roles/ssh_hardening/**'
+      - 'molecule/ssh_hardening_bsd/**'
+      - '.github/workflows/ssh_hardening_bsd.yml'
+  pull_request:
+    branches: [master]
+    paths:
+      - 'roles/ssh_hardening/**'
+      - 'molecule/ssh_hardening_bsd/**'
+      - '.github/workflows/ssh_hardening_bsd.yml'
+  schedule:
+    - cron: '0 6 * * 5'
+
+concurrency:
+  group: >-
+    ${{ github.workflow }}-${{
+      github.event.pull_request.number || github.sha
+    }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: self-hosted
+    env:
+      PY_COLORS: 1
+      ANSIBLE_FORCE_COLOR: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        molecule_distro:
+          - openbsd7
+          - freebsd12
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          path: ansible_collections/devsec/hardening
+          submodules: true
+
+      - name: Test with molecule
+        run: |
+          molecule --version
+          molecule test -s ssh_hardening_bsd
+        env:
+          MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+        working-directory: ansible_collections/devsec/hardening

molecule/ssh_hardening_bsd/INSTALL.rst

@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ python3 -m pip install 'molecule[docker]'

molecule/ssh_hardening_bsd/converge.yml

@@ -0,0 +1,14 @@
+---
+- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+  hosts: all
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  collections:
+    - devsec.hardening
+  tasks:
+    - include_role:
+        name: ssh_hardening
+  vars:
+    sftp_enabled: false

molecule/ssh_hardening_bsd/molecule.yml

@@ -0,0 +1,62 @@
+---
+dependency:
+  name: galaxy
+  options:
+    role-file: molecule/ssh_hardening_bsd/requirements.yml
+driver:
+  name: vagrant
+  provider:
+    name: libvirt
+platforms:
+  # we need to name every instance differntly to start multiple VMs on the same host (parallelization)
+  # since we also need to use different OS users to run the tests because of how molecule operates,
+  # the VM names must be predictable by OS user (to clean up canceled runs)
+  - name: "${USER}"
+    box: "generic/${MOLECULE_DISTRO}"
+    memory: 1024
+    cpus: 2
+provisioner:
+  name: ansible
+  options:
+    diff: true
+  env:
+    ANSIBLE_PIPELINING: "True"
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+      callback_whitelist: profile_tasks, timer, yaml
+verifier:
+  name: ansible
+  env:
+    ANSIBLE_PIPELINING: "True"
+
+scenario:
+  create_sequence:
+    - dependency
+    - create
+    - prepare
+  check_sequence:
+    - dependency
+    - destroy
+    - create
+    - prepare
+    - converge
+    - check
+    - destroy
+  converge_sequence:
+    - dependency
+    - create
+    - prepare
+    - converge
+  destroy_sequence:
+    - destroy
+  test_sequence:
+    - dependency
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - verify
+    - destroy

molecule/ssh_hardening_bsd/prepare.yml

@@ -0,0 +1,32 @@
+---
+- name: prepare OpenBSD host
+  hosts: all
+  become: true
+  gather_facts: false
+  tasks:
+    - name: install python
+      # BSDs are special for Ansible - https://docs.ansible.com/ansible/latest/os_guide/intro_bsd.html
+      raw: "pkg_add python%3.10"
+      when: "lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'"
+
+- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+  hosts: all
+  become: true
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
+    - name: created needed directory
+      file:
+        path: "/var/run/sshd"
+        state: directory
+
+    - name: create ssh host keys  # noqa ignore-errors
+      command: "ssh-keygen -A"
+      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
+            ansible_facts.distribution == "Fedora" or
+            ansible_facts.distribution == "Amazon" or
+            ansible_facts.os_family == "Suse"
+      changed_when: false
+      ignore_errors: true

molecule/ssh_hardening_bsd/requirements.yml

@@ -0,0 +1,3 @@
+---
+roles:
+  - geerlingguy.git

molecule/ssh_hardening_bsd/verify.yml

@@ -0,0 +1,55 @@
+---
+- name: OpenBSD workaround - inspec detects OpenSBD as unix and not linux compatible
+  hosts: all
+  become: true
+  tasks:
+    - name: use the type command instead of which to detect existing commands
+      file:
+        src: "/usr/bin/which"
+        dest: "/usr/bin/type"
+        state: hard
+      when: "lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'"
+
+- name: Verify
+  hosts: localhost
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
+    - name: get ssh-config
+      command: 
+        cmd: "vagrant ssh-config"
+        chdir: "{{ molecule_ephemeral_directory }}"
+      register: ssh_config
+      changed_when: false
+
+    - name: create ssh-config file
+      copy:
+        content: "{{ ssh_config.stdout_lines | join ('\n') }}"
+        dest: "{{ molecule_ephemeral_directory }}/ssh-config"
+      changed_when: false
+
+    - name: Execute cinc-auditor tests
+      command: >
+        docker run
+        --volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
+        --volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') }}.yaml:/waivers.yaml
+        docker.io/cincproject/auditor exec
+        --ssh-config-file={{ molecule_ephemeral_directory }}/ssh-config
+        -t ssh://{{ lookup('env', 'USER') }}
+        --sudo --no-show-progress --no-color
+        --waiver-file /waivers.yaml
+        --no-distinct-exit https://github.com/dev-sec/ssh-baseline/archive/refs/heads/master.zip
+      register: test_results
+      changed_when: false
+      ignore_errors: true
+
+    - name: Display details about the cinc-auditor results
+      debug:
+        msg: "{{ test_results.stdout_lines }}"
+
+    - name: Fail when tests fail
+      fail:
+        msg: "Inspec failed to validate"
+      when: test_results.rc != 0

molecule/ssh_hardening_bsd/waivers_freebsd12.yaml

@@ -0,0 +1,3 @@
+sshd-45:
+  run: false
+  justification: "PrintLastLog is broken on FreeBSD. see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441"

molecule/ssh_hardening_bsd/waivers_openbsd7.yaml

@@ -0,0 +1,21 @@
+ssh-17:
+  run: false
+  justification: "GSSAPIAuthentication is disabled. see: https://github.com/dev-sec/ansible-collection-hardening/pull/598"
+ssh-18:
+  run: false
+  justification: "GSSAPIDelegateCredentials is disabled. see: https://github.com/dev-sec/ansible-collection-hardening/pull/598"
+sshd-30:
+  run: false
+  justification: "KerberosAuthentication is disabled. see: https://github.com/dev-sec/ansible-ssh-hardening/pull/171"
+sshd-31:
+  run: false
+  justification: "KerberosOrLocalPasswd is disabled. see: https://github.com/dev-sec/ansible-ssh-hardening/pull/171"
+sshd-32:
+  run: false
+  justification: "KerberosTicketCleanup is disabled. see: https://github.com/dev-sec/ansible-ssh-hardening/pull/171"
+sshd-33:
+  run: false
+  justification: "GSSAPIAuthentication is disabled. see: https://github.com/dev-sec/ansible-collection-hardening/pull/598"
+sshd-34:
+  run: false
+  justification: "GSSAPICleanupCredentials is disabled. see: https://github.com/dev-sec/ansible-collection-hardening/pull/598"

roles/ssh_hardening/meta/main.yml

@@ -24,6 +24,12 @@ galaxy_info:
     - name: ArchLinux
     - name: SmartOS
     - name: opensuse
+    - name: FreeBSD
+      versions:
+        - "12.2"
+    - name: OpenBSD
+      versions:
+        - "7.0"
   galaxy_tags:
     - system
     - security