-
Notifications
You must be signed in to change notification settings - Fork 28
/
system.rb
96 lines (89 loc) · 2.54 KB
/
system.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
def ssh_conf_path file
"/etc#{'/ssh' if Babushka.host.linux?}/#{file}_config"
end
dep 'hostname', :host_name, :for => :linux do
def current_hostname
shell('hostname -f')
end
host_name.default(shell('hostname'))
met? {
current_hostname == host_name
}
meet {
sudo "echo #{host_name} > /etc/hostname"
sudo "sed -ri 's/^127.0.0.1.*$/127.0.0.1 #{host_name} #{host_name.to_s.sub(/\..*$/, '')} localhost.localdomain localhost/' /etc/hosts"
sudo "hostname #{host_name}"
}
end
# It's hard to test for other timezones (EST maps to Australia/Melbourne, etc),
# and I only need UTC right now :)
dep 'utc' do
met? {
shell('date')[/\bUTC\b/]
}
meet {
sudo 'echo UTC > /etc/timezone'
sudo 'dpkg-reconfigure --frontend noninteractive tzdata'
}
end
dep 'secured ssh logins' do
requires 'sshd.bin', 'sed.bin'
met? {
# -o NumberOfPasswordPrompts=0
output = raw_shell('ssh -o StrictHostKeyChecking=no -o PasswordAuthentication=no nonexistentuser@localhost').stderr
if output.downcase['connection refused']
log_ok "sshd doesn't seem to be running."
elsif (auth_methods = output.scan(/Permission denied \((.*)\)\./).join.split(',')).empty?
log_error "sshd returned unexpected output."
else
(auth_methods == %w[publickey]).tap {|result|
log "sshd #{'only ' if result}accepts #{auth_methods.to_list} logins.", :as => (:ok if result)
}
end
}
meet {
%w[
PasswordAuthentication
ChallengeResponseAuthentication
].each {|option|
shell("sed -i'' -e 's/^[# ]*#{option}\\W*\\w*$/#{option} no/' #{ssh_conf_path(:sshd)}")
}
}
after {
if Babushka.host.matches?(:arch)
shell "systemctl restart sshd"
elsif Babushka.host.matches?(:apt)
shell "/etc/init.d/ssh restart"
end
}
end
dep 'lax host key checking' do
requires 'sed.bin'
met? {
ssh_conf_path(:ssh).p.grep(/^StrictHostKeyChecking[ \t]+no/)
}
meet {
shell("sed -i'' -e 's/^[# ]*StrictHostKeyChecking\\W*\\w*$/StrictHostKeyChecking no/' #{ssh_conf_path(:ssh)}")
}
end
dep 'admins can sudo' do
requires 'admin group'
met? {
!'/etc/sudoers'.p.read.split("\n").grep(/^%admin\b/).empty?
}
meet {
'/etc/sudoers'.p.append("%admin ALL=(ALL) ALL\n")
}
end
dep 'admin group' do
met? { '/etc/group'.p.grep(/^admin\:/) }
meet { sudo 'groupadd admin' }
end
dep 'tmp cleaning grace period', :for => :ubuntu do
met? {
"/etc/default/rcS".p.grep(/^[^#]*TMPTIME=0/).nil?
}
meet {
shell("sed -i'' -e 's/^TMPTIME=0$/TMPTIME=30/' '/etc/default/rcS'")
}
end