dev-sec · schurzi · Aug 22, 2020 · Jan 18, 2020 · Aug 22, 2020
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -131,6 +131,15 @@ platforms:
         - sed -i '/systemd/d' /etc/pam.d/common-session
         - systemctl enable sshd.service
 
+  - name: arch-ansible-latest
+    driver:
+      image: rndmh3ro/docker-arch-ansible:latest
+      platform: arch
+      run_command: /usr/lib/systemd/systemd
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
 verifier:
   name: inspec
   sudo: true

diff --git a/.travis.yml b/.travis.yml
@@ -27,6 +27,9 @@ env:
       init=/lib/systemd/systemd
     - distro=opensuse_tumbleweed
       run_opts="--privileged"
+    - distro=arch
+      init=/usr/lib/systemd/systemd
+      run_opts="--privileged"
 
 before_install:
   # Pull container

diff --git a/meta/main.yml b/meta/main.yml
@@ -22,6 +22,7 @@ galaxy_info:
     - name: Amazon
     - name: Fedora
     - name: openSUSE
+    - name: ArchLinux
   galaxy_tags:
     - system
     - security

diff --git a/tasks/pam.yml b/tasks/pam.yml
@@ -14,6 +14,8 @@
   package:
     name: '{{ os_packages_pam_ccreds }}'
     state: 'absent'
+  when:
+    - ansible_facts.os_family != 'Archlinux'
 
 - name: remove pam_cracklib, because it does not play nice with passwdqc
   apt:
@@ -121,7 +123,9 @@
 - name: Gather package facts
   package_facts:
     manager: auto
-  when: ansible_facts.os_family != 'Suse'
+  when:
+    - ansible_facts.os_family != 'Suse'
+    - ansible_facts.os_family != 'Archlinux'
 
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
   template:
@@ -132,4 +136,5 @@
     group: 'root'
   when:
     - ansible_facts.os_family != 'Suse'
+    - ansible_facts.os_family != 'Archlinux'
     - "'libuser' in ansible_facts.packages"
diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml
@@ -5,6 +5,7 @@
     owner: 'root'
     group: 'root'
     mode: '0440'
+    state: touch
 
 - name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
   template:

diff --git a/tests/test.yml b/tests/test.yml
@@ -27,8 +27,13 @@
     - name: install required tools on SuSE
       shell: "zypper -n install python-xml"
       when: ansible_facts.os_family == 'Suse'
+    - name: install required tools on arch
+      pacman:
+        name: awk
+      when: ansible_facts.os_family == 'Archlinux'
     - name: create recursing symlink to test minimize access
       shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
+
   vars:
     os_security_users_allow: change_user
     os_security_kernel_enable_core_dump: true

diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml
@@ -0,0 +1,25 @@
+---
+
+os_nologin_shell_path: '/sbin/nologin'
+
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: '0600'
+
+os_passwd_perms:
+  owner: root
+  group: root
+  mode: '0644'
+
+os_env_umask: '027'
+
+os_auth_uid_min: 1000
+os_auth_gid_min: 1000
+os_auth_sys_uid_min: 500
+os_auth_sys_uid_max: 999
+os_auth_sys_gid_min: 500
+os_auth_sys_gid_max: 999
+
+modprobe_package: 'kmod'
+auditd_package: 'audit'