Merge pull request #188 from dev-sec/chris-rock/amazonlinux

amazonlinux support

Author: chris-rock

.kitchen.dokken.yml

@@ -73,6 +73,18 @@ platforms:
   driver:
     image: opensuse:leap
     pid_one_command: /usr/lib/systemd/systemd
+- name: amazonlinux-1
+  driver:
+    image: amazonlinux:1
+    intermediate_instructions:
+    - RUN yum -y install upstart procps util-linux
+    pid_one_command: /sbin/init
+- name: amazonlinux-2
+  driver:
+    image: amazonlinux:2
+    intermediate_instructions:
+    - RUN yum -y install systemd
+    pid_one_command: /usr/lib/systemd/systemd
 
 suites:
 - name: default

.rubocop.yml

@@ -35,4 +35,4 @@ Metrics/BlockLength:
   Exclude:
     - 'spec/**/*'
 Style/FrozenStringLiteralComment:
-  Enabled: false
+  Enabled: false

.travis.yml

@@ -28,6 +28,8 @@ env:
  - INSTANCE=fedora-25
  - INSTANCE=opensuse-42
  - INSTANCE=opensuse-42 CHEF_VERSION=12.5.1
+ - INSTANCE=amazonlinux-1
+ - INSTANCE=amazonlinux-2
 
 script:
   -  bundle exec rake kitchen KITCHEN_LOCAL_YAML=.kitchen.dokken.yml

README.md

@@ -23,6 +23,7 @@ This cookbook provides secure ssh-client and ssh-server configurations. This coo
 - Oracle Linux 6, 7
 - Fedora 24, 25
 - OpenSuse Leap 42
+- Amazon Linux 1, 2
 
 ## Attributes
 

metadata.rb

@@ -35,6 +35,7 @@
 supports 'suse'
 supports 'opensuse', '>= 13.2'
 supports 'opensuseleap', '>= 42.1'
+supports 'amazon'
 
 recipe 'ssh-hardening::default', 'installs and configures ssh client and server'
 recipe 'ssh-hardening::client', 'install and apply security hardening for ssh client'

recipes/client.rb

@@ -20,8 +20,14 @@
 # limitations under the License.
 #
 
+ohai 'reload' do
+  action :nothing
+end
+
 package 'openssh-client' do
   package_name node['ssh-hardening']['sshclient']['package']
+  # we need to reload the package version, otherwise we get the version that was installed before cookbook execution
+  notifies :reload, 'ohai[reload]', :immediate
 end
 
 directory 'openssh-client ssh directory /etc/ssh' do
@@ -37,8 +43,13 @@
   owner 'root'
   group 'root'
   variables(
-    mac:     node['ssh-hardening']['ssh']['client']['mac']    || DevSec::Ssh.get_client_macs(node['ssh-hardening']['ssh']['client']['weak_hmac']),
-    kex:     node['ssh-hardening']['ssh']['client']['kex']    || DevSec::Ssh.get_client_kexs(node['ssh-hardening']['ssh']['client']['weak_kex']),
-    cipher:  node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required'])
+    # we do lazy here to ensure we detect the version that comes with the packge update above
+    lazy do
+      {
+        mac:     node['ssh-hardening']['ssh']['client']['mac']    || DevSec::Ssh.get_client_macs(node['ssh-hardening']['ssh']['client']['weak_hmac']),
+        kex:     node['ssh-hardening']['ssh']['client']['kex']    || DevSec::Ssh.get_client_kexs(node['ssh-hardening']['ssh']['client']['weak_kex']),
+        cipher:  node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required'])
+      }
+    end
   )
 end

recipes/server.rb

@@ -40,8 +40,14 @@
 directory cache_dir
 
 # installs package name
+ohai 'reload' do
+  action :nothing
+end
+
 package 'openssh-server' do
   package_name node['ssh-hardening']['sshserver']['package']
+  # we need to reload the package version, otherwise we get the version that was installed before cookbook execution
+  notifies :reload, 'ohai[reload]', :immediate
 end
 
 # Handle addional SELinux policy on RHEL/Fedora for different UsePAM options
@@ -168,11 +174,16 @@
   owner 'root'
   group 'root'
   variables(
-    mac:    node['ssh-hardening']['ssh']['server']['mac']    || DevSec::Ssh.get_server_macs(node['ssh-hardening']['ssh']['server']['weak_hmac']),
-    kex:    node['ssh-hardening']['ssh']['server']['kex']    || DevSec::Ssh.get_server_kexs(node['ssh-hardening']['ssh']['server']['weak_kex']),
-    cipher: node['ssh-hardening']['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh-hardening']['ssh']['server']['cbc_required']),
-    use_priv_sep: node['ssh-hardening']['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion,
-    hostkeys: node['ssh-hardening']['ssh']['server']['host_key_files'] || DevSec::Ssh.get_server_algorithms.map { |alg| "/etc/ssh/ssh_host_#{alg}_key" }
+    # we do lazy here to ensure we detect the version that comes with the packge update above
+    lazy do
+      {
+        mac:          node['ssh-hardening']['ssh']['server']['mac']    || DevSec::Ssh.get_server_macs(node['ssh-hardening']['ssh']['server']['weak_hmac']),
+        kex:          node['ssh-hardening']['ssh']['server']['kex']    || DevSec::Ssh.get_server_kexs(node['ssh-hardening']['ssh']['server']['weak_kex']),
+        cipher:       node['ssh-hardening']['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh-hardening']['ssh']['server']['cbc_required']),
+        use_priv_sep: node['ssh-hardening']['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion,
+        hostkeys:     node['ssh-hardening']['ssh']['server']['host_key_files'] || DevSec::Ssh.get_server_algorithms.map { |alg| "/etc/ssh/ssh_host_#{alg}_key" }
+      }
+    end
   )
   notifies :restart, 'service[sshd]'
 end