add posibility to run ssh_hardening as unprivileged user (#561)

* add VM tests for ssh_hardening Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove VM tests from ssh_hardening Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * run ssh_hardening test as unprivileged user Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add link for documentation Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use different config Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove become Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * re-add become Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move become into role Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * indentation Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * try args apply Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix linting Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add documentation Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2024-11-10 01:04:13 +00:00 · 2022-08-15 13:19:07 +02:00 · 2022-08-15 13:19:07 +02:00 · a806ec8598
commit a806ec8598
parent fad6059f6d
5 changed files with 13 additions and 1 deletions
--- a/galaxy.yml
+++ b/galaxy.yml
@ -1,3 +1,4 @@
+---
 namespace: devsec
 name: hardening
 version: 7.15.1
--- a/molecule/ssh_hardening/converge.yml
+++ b/molecule/ssh_hardening/converge.yml
@ -1,7 +1,6 @@
 ---
 - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
  hosts: all
-  become: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
--- a/molecule/ssh_hardening/molecule.yml
+++ b/molecule/ssh_hardening/molecule.yml
@ -29,6 +29,12 @@ provisioner:
    defaults:
      interpreter_python: auto_silent
      callback_whitelist: profile_tasks, timer, yaml
+  inventory:
+    host_vars:
+      # https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user
+      # setting for the platform instance named 'instance'
+      instance:
+        ansible_user: ansible
 verifier:
  name: ansible

--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@ -11,6 +11,9 @@ Warning: This role disables root-login on the target server! Please make sure yo
 ## Requirements

 - Ansible >= 2.9
+- root-privileges on the target system
+
+As this role requires root-privileges, we added `become: true` to all tasks. So please make sure you run the role as root or as a user with become-privileges.

 ## Role Variables

--- a/roles/ssh_hardening/tasks/main.yml
+++ b/roles/ssh_hardening/tasks/main.yml
@ -1,3 +1,6 @@
 ---
 - include_tasks: hardening.yml
+  args:
+    apply:
+      become: true
  when: ssh_hardening_enabled | bool