Tests and docs for dev-secGH-126

artem-forks · Dec 22, 2016 · d2f18d1 · d2f18d1
1 parent e49dae6
commit d2f18d1
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ This cookbook provides secure ssh-client and ssh-server configurations. This coo
 * `['ssh-hardening']['ssh']['print_motd']` - `false` to disable printing of the MOTD
 * `['ssh-hardening']['ssh']['print_last_log']` - `false` to disable display of last login information
 * `['ssh-hardening']['ssh']['banner']` - `nil` to disable banner or provide a path like '/etc/issue.net'
+* `['ssh-hardening']['ssh']['os_banner']` - `false` to disable version information during the protocol handshake (debian family only)
 * `['ssh-hardening']['ssh']['max_auth_tries']` - controls `MaxAuthTries`; the number of authentication attempts per connection.
 * `['ssh-hardening']['ssh']['max_sessions']` - controls `MaxSessions`; the number of sessions per connection.
 * `['ssh-hardening']['ssh']['deny_users']` - `[]` to configure `DenyUsers`, if specified login is disallowed for user names that match one of the patterns.

diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
@@ -211,6 +211,43 @@
     end
   end
 
+  describe 'debian banner' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new(platform: 'ubuntu', version: '16.04').converge(described_recipe)
+    end
+
+    it 'disables the debian banner' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/DebianBanner no/)
+    end
+
+    context 'with enabled debian banner' do
+      cached(:chef_run) do
+        ChefSpec::ServerRunner.new(platform: 'ubuntu', version: '16.04') do |node|
+          node.normal['ssh-hardening']['ssh']['os_banner'] = true
+        end.converge(described_recipe)
+      end
+
+      it 'uses the enabled debian banner' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config').
+          with_content(/DebianBanner yes/)
+      end
+    end
+
+    context 'with centos as platform' do
+      cached(:chef_run) do
+        ChefSpec::ServerRunner.new(platform: 'centos', version: '7.2.1511') do |node|
+          node.normal['ssh-hardening']['ssh']['os_banner'] = true
+        end.converge(described_recipe)
+      end
+
+      it 'does not have the debian banner option' do
+        expect(chef_run).not_to render_file('/etc/ssh/sshd_config').
+          with_content(/DebianBanner/)
+      end
+    end
+  end
+
   it 'leaves deny users commented' do
     expect(chef_run).to render_file('/etc/ssh/sshd_config').
       with_content(/#DenyUsers */)