88 changes: 45 additions & 43 deletions attributes/default.rb
Expand Up @@ -46,55 +46,57 @@
default['ssh-hardening']['sshserver']['service_name'] = 'ssh'
end

# sshd + ssh client
default['ssh-hardening']['network']['ipv6']['enable'] = false
default['ssh-hardening']['config_disclaimer'] = '**Note:** This file was automatically created by Hardening Framework (dev-sec.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
default['ssh-hardening']['network']['ipv6']['enable'] = false # sshd + ssh
default['ssh-hardening']['ssh']['server']['kex'] = nil # nil = calculate best combination for server version
default['ssh-hardening']['ssh']['ports'] = [22]

# ssh client
default['ssh-hardening']['ssh']['client']['mac'] = nil # nil = calculate best combination for client
default['ssh-hardening']['ssh']['server']['cipher'] = nil # nil = calculate best combination for server version
default['ssh-hardening']['ssh']['client']['kex'] = nil # nil = calculate best combination for client
default['ssh-hardening']['ssh']['server']['mac'] = nil # nil = calculate best combination for server version
default['ssh-hardening']['ssh']['client']['cipher'] = nil # nil = calculate best combination for client
default['ssh-hardening']['ssh']['client']['cbc_required'] = false # ssh
default['ssh-hardening']['ssh']['server']['cbc_required'] = false # sshd
default['ssh-hardening']['ssh']['client']['weak_hmac'] = false # ssh
default['ssh-hardening']['ssh']['server']['weak_hmac'] = false # sshd
default['ssh-hardening']['ssh']['client']['weak_kex'] = false # ssh
default['ssh-hardening']['ssh']['server']['weak_kex'] = false # sshd
default['ssh-hardening']['ssh']['ports'] = [22] # sshd + ssh
default['ssh-hardening']['ssh']['listen_to'] = ['0.0.0.0'] # sshd
default['ssh-hardening']['ssh']['host_key_files'] = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] # sshd
default['ssh-hardening']['ssh']['client_alive_interval'] = 600 # sshd, 10min
default['ssh-hardening']['ssh']['client_alive_count'] = 3 # sshd, ~> 3 x interval
default['ssh-hardening']['ssh']['remote_hosts'] = [] # ssh
default['ssh-hardening']['ssh']['allow_root_with_key'] = false # sshd
default['ssh-hardening']['ssh']['allow_tcp_forwarding'] = false # sshd
default['ssh-hardening']['ssh']['allow_agent_forwarding'] = false # sshd
default['ssh-hardening']['ssh']['allow_x11_forwarding'] = false # sshd
default['ssh-hardening']['ssh']['use_pam'] = false # sshd
default['ssh-hardening']['ssh']['challenge_response_authentication'] = false # sshd
default['ssh-hardening']['ssh']['deny_users'] = [] # sshd
default['ssh-hardening']['ssh']['allow_users'] = [] # sshd
default['ssh-hardening']['ssh']['deny_groups'] = [] # sshd
default['ssh-hardening']['ssh']['allow_groups'] = [] # sshd
default['ssh-hardening']['ssh']['print_motd'] = false # sshd
default['ssh-hardening']['ssh']['print_last_log'] = false # sshd
# set this to nil to disable banner or provide a path like '/etc/issue.net'
default['ssh-hardening']['ssh']['banner'] = nil # sshd
default['ssh-hardening']['ssh']['os_banner'] = false # sshd (Debian OS family)
default['ssh-hardening']['ssh']['client']['cbc_required'] = false
default['ssh-hardening']['ssh']['client']['weak_hmac'] = false
default['ssh-hardening']['ssh']['client']['weak_kex'] = false

# set this to nil to let us use the default OpenSSH in case it's not set by the user
default['ssh-hardening']['ssh']['use_dns'] = nil # sshd
# set this to nil to let us detect the attribute based on the node platform
default['ssh-hardening']['ssh']['use_privilege_separation'] = nil
default['ssh-hardening']['ssh']['login_grace_time'] = '30s' # sshd
default['ssh-hardening']['ssh']['max_auth_tries'] = 2 # sshd
default['ssh-hardening']['ssh']['max_sessions'] = 10 # sshd
default['ssh-hardening']['ssh']['client']['remote_hosts'] = []
default['ssh-hardening']['ssh']['client']['password_authentication'] = false # ssh
default['ssh-hardening']['ssh']['server']['password_authentication'] = false # sshd
# http://undeadly.org/cgi?action=article&sid=20160114142733
default['ssh-hardening']['ssh']['client']['roaming'] = false

# Define SFTP options
default['ssh-hardening']['ssh']['sftp']['enable'] = false
default['ssh-hardening']['ssh']['sftp']['group'] = 'sftponly'
default['ssh-hardening']['ssh']['sftp']['chroot'] = '/home/%u'
# sshd
default['ssh-hardening']['ssh']['server']['kex'] = nil # nil = calculate best combination for server version
default['ssh-hardening']['ssh']['server']['cipher'] = nil # nil = calculate best combination for server version
default['ssh-hardening']['ssh']['server']['mac'] = nil # nil = calculate best combination for server version
default['ssh-hardening']['ssh']['server']['cbc_required'] = false
default['ssh-hardening']['ssh']['server']['weak_hmac'] = false
default['ssh-hardening']['ssh']['server']['weak_kex'] = false
default['ssh-hardening']['ssh']['server']['listen_to'] = ['0.0.0.0']
default['ssh-hardening']['ssh']['server']['host_key_files'] = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']
default['ssh-hardening']['ssh']['server']['client_alive_interval'] = 600 # 10min
default['ssh-hardening']['ssh']['server']['client_alive_count'] = 3 # ~> 3 x interval

default['ssh-hardening']['ssh']['server']['allow_root_with_key'] = false
default['ssh-hardening']['ssh']['server']['allow_tcp_forwarding'] = false
default['ssh-hardening']['ssh']['server']['allow_agent_forwarding'] = false
default['ssh-hardening']['ssh']['server']['allow_x11_forwarding'] = false
default['ssh-hardening']['ssh']['server']['use_pam'] = false
default['ssh-hardening']['ssh']['server']['challenge_response_authentication'] = false
default['ssh-hardening']['ssh']['server']['deny_users'] = []
default['ssh-hardening']['ssh']['server']['allow_users'] = []
default['ssh-hardening']['ssh']['server']['deny_groups'] = []
default['ssh-hardening']['ssh']['server']['allow_groups'] = []
default['ssh-hardening']['ssh']['server']['print_motd'] = false
default['ssh-hardening']['ssh']['server']['print_last_log'] = false
default['ssh-hardening']['ssh']['server']['banner'] = nil # set this to nil to disable banner or provide a path like '/etc/issue.net'
default['ssh-hardening']['ssh']['server']['os_banner'] = false # (Debian OS family)
default['ssh-hardening']['ssh']['server']['use_dns'] = nil # set this to nil to let us use the default OpenSSH in case it's not set by the user
default['ssh-hardening']['ssh']['server']['use_privilege_separation'] = nil # set this to nil to let us detect the attribute based on the node platform
default['ssh-hardening']['ssh']['server']['login_grace_time'] = '30s'
default['ssh-hardening']['ssh']['server']['max_auth_tries'] = 2
default['ssh-hardening']['ssh']['server']['max_sessions'] = 10
default['ssh-hardening']['ssh']['server']['password_authentication'] = false
# sshd sftp options
default['ssh-hardening']['ssh']['server']['sftp']['enable'] = false
default['ssh-hardening']['ssh']['server']['sftp']['group'] = 'sftponly'
default['ssh-hardening']['ssh']['server']['sftp']['chroot'] = '/home/%u'
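Review bot: Moving deny_users, allow_users, deny_groups, allow_groups, use_dns, use_privilege_separation and the sftp keys from `['ssh-hardening']['ssh']` to `['ssh-hardening']['ssh']['server']` (and remote_hosts to `['client']`) leaves nothing reading the old paths, so a wrapper cookbook or role that still sets `node['ssh-hardening']['ssh']['allow_users']` now silently loses that restriction instead of failing; recipes/client.rb and recipes/server.rb in this commit read only the new paths. Because a dependency's attribute files load before the wrapper's, a check cannot live in this file; it belongs in the recipes, e.g. a `Chef::Log.warn` or a raise when `node['ssh-hardening']['ssh'].key?('allow_users')` (and likewise for the other moved keys) is true. At minimum the section header could record the move: `# sshd (these keys used to live directly under ['ssh-hardening']['ssh']; the old paths are no longer read)`.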
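--- a/recipes/client.rb
+++ b/recipes/client.rb
@@ -38,7 +38,6 @@
 variables(
 mac: node['ssh-hardening']['ssh']['client']['mac'] || DevSec::Ssh.get_client_macs(node['ssh-hardening']['ssh']['client']['weak_hmac']),
 kex: node['ssh-hardening']['ssh']['client']['kex'] || DevSec::Ssh.get_client_kexs(node['ssh-hardening']['ssh']['client']['weak_kex']),
-cipher: node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required']),
-roaming: node['ssh-hardening']['ssh']['client']['roaming']
+cipher: node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required'])
 )
 end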
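Review bot: After this change the client template gets mac, kex and cipher through `variables(...)` but reads roaming and remote_hosts straight from `@node` (see the templates/default/openssh.conf.erb hunks in this commit), so two lookup mechanisms feed one template and the next attribute move has to be fixed in two files. Keeping `roaming: node['ssh-hardening']['ssh']['client']['roaming']` here and adding `remote_hosts: node['ssh-hardening']['ssh']['client']['remote_hosts']`, with the template using `@roaming` and `@remote_hosts`, keeps knowledge of the node attribute layout in the recipe only. The template resource this `variables(...)` call belongs to starts outside the hunk.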
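--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -69,11 +69,7 @@
 mac: node['ssh-hardening']['ssh']['server']['mac'] || DevSec::Ssh.get_server_macs(node['ssh-hardening']['ssh']['server']['weak_hmac']),
 kex: node['ssh-hardening']['ssh']['server']['kex'] || DevSec::Ssh.get_server_kexs(node['ssh-hardening']['ssh']['server']['weak_kex']),
 cipher: node['ssh-hardening']['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh-hardening']['ssh']['server']['cbc_required']),
-use_priv_sep: node['ssh-hardening']['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion,
-deny_users: node['ssh-hardening']['ssh']['deny_users'],
-allow_users: node['ssh-hardening']['ssh']['allow_users'],
-deny_groups: node['ssh-hardening']['ssh']['deny_groups'],
-allow_groups: node['ssh-hardening']['ssh']['allow_groups']
+use_priv_sep: node['ssh-hardening']['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion
 )
 notifies :restart, 'service[sshd]'
 end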
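Review bot: The surviving `use_priv_sep:` line still reads `node['ssh-hardening']['ssh']['use_privilege_separation']`, while attributes/default.rb in this same commit now defines that default only under `['ssh-hardening']['ssh']['server']['use_privilege_separation']`; the lookup is therefore nil unless a wrapper sets the old path, so the `||` fallback to `DevSec::Ssh.get_server_privilege_separarion` always wins and a user setting the new key is ignored. Change it to `use_priv_sep: node['ssh-hardening']['ssh']['server']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion`. The template resource this `variables(...)` call belongs to starts outside the hunk; the deny/allow variables removed here are presumably now read by the template directly from `@node`, which this diff does not show.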
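--- a/spec/recipes/server_spec.rb
+++ b/spec/recipes/server_spec.rb
@@ -177,7 +177,7 @@
 context 'with attribute deny_users' do
 cached(:chef_run) do
 ChefSpec::ServerRunner.new do |node|
-node.normal['ssh-hardening']['ssh']['deny_users'] = %w(someuser)
+node.normal['ssh-hardening']['ssh']['server']['deny_users'] = %w(someuser)
 end.converge(described_recipe)
 end
 
@@ -190,7 +190,7 @@
 context 'with attribute deny_users mutiple' do
 cached(:chef_run) do
 ChefSpec::ServerRunner.new do |node|
-node.normal['ssh-hardening']['ssh']['deny_users'] = %w(someuser otheruser)
+node.normal['ssh-hardening']['ssh']['server']['deny_users'] = %w(someuser otheruser)
 end.converge(described_recipe)
 end
 
@@ -210,7 +210,7 @@
 context 'with attribute use_dns set to false' do
 cached(:chef_run) do
 ChefSpec::ServerRunner.new do |node|
-node.normal['ssh-hardening']['ssh']['use_dns'] = false
+node.normal['ssh-hardening']['ssh']['server']['use_dns'] = false
 end.converge(described_recipe)
 end
 
@@ -223,7 +223,7 @@
 context 'with attribute use_dns set to true' do
 cached(:chef_run) do
 ChefSpec::ServerRunner.new do |node|
-node.normal['ssh-hardening']['ssh']['use_dns'] = true
+node.normal['ssh-hardening']['ssh']['server']['use_dns'] = true
 end.converge(described_recipe)
 end
 
@@ -243,7 +243,7 @@
 context 'with attribute ["sftp"]["enable"] set to true' do
 cached(:chef_run) do
 ChefSpec::ServerRunner.new do |node|
-node.normal['ssh-hardening']['ssh']['sftp']['enable'] = true
+node.normal['ssh-hardening']['ssh']['server']['sftp']['enable'] = true
 end.converge(described_recipe)
 end
 
@@ -256,8 +256,8 @@
 context 'with attribute ["sftp"]["enable"] set to true and ["sftp"]["group"] set to "testgroup"' do
 cached(:chef_run) do
 ChefSpec::ServerRunner.new do |node|
-node.normal['ssh-hardening']['ssh']['sftp']['enable'] = true
-node.normal['ssh-hardening']['ssh']['sftp']['group'] = 'testgroup'
+node.normal['ssh-hardening']['ssh']['server']['sftp']['enable'] = true
+node.normal['ssh-hardening']['ssh']['server']['sftp']['group'] = 'testgroup'
 end.converge(described_recipe)
 end
 
@@ -270,8 +270,8 @@
 context 'with attribute ["sftp"]["enable"] set to true and ["sftp"]["chroot"] set to "/export/home/%u"' do
 cached(:chef_run) do
 ChefSpec::ServerRunner.new do |node|
-node.normal['ssh-hardening']['ssh']['sftp']['enable'] = true
-node.normal['ssh-hardening']['ssh']['sftp']['chroot'] = 'test_home_dir'
+node.normal['ssh-hardening']['ssh']['server']['sftp']['enable'] = true
+node.normal['ssh-hardening']['ssh']['server']['sftp']['chroot'] = 'test_home_dir'
 end.converge(described_recipe)
 end
 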
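--- a/templates/default/openssh.conf.erb
+++ b/templates/default/openssh.conf.erb
@@ -14,7 +14,7 @@
 # Address family should always be limited to the active network configuration.
 AddressFamily <%= ((@node['ssh-hardening']['network']['ipv6']['enable']) ? "any" : "inet" ) %>
 
-<% Array(@node['ssh-hardening']['ssh']['remote_hosts']).each do |host| %>
+<% Array(@node['ssh-hardening']['ssh']['client']['remote_hosts']).each do |host| %>
 # Restrict the following configuration to be limited to this Host.
 Host <%= host %>
 <% end %>
@@ -111,4 +111,4 @@ Compression yes
 #VisualHostKey yes
 
 # http://undeadly.org/cgi?action=article&sid=20160114142733
-UseRoaming <%= @roaming ? 'yes' : 'no' %>
+UseRoaming <%= @node['ssh-hardening']['ssh']['client']['roaming'] ? 'yes' : 'no' %>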