Merge pull request #2 from atomic111/master

added all kitchen test for ssh_config + sshd_config and added TUTORIAL.md

.kitchen.yml

@@ -35,10 +35,9 @@ platforms:
 - name: debian-wheezy-7
   driver_config:
     box: debian-wheezy-7
-    box_url: https://dl.dropboxusercontent.com/u/86066173/debian-wheezy.box
+    box_url: https://dl.dropboxusercontent.com/s/cd583cuf0mbcix7/debian-wheezy-64-chef.box
 
 suites:
 - name: default
   run_list:
     - role[ssh]
-

README.md

@@ -65,8 +65,29 @@ Configure attributes:
       "listen_to" : "10.2.3.4"
     }
 
-Under `listen` you can define a number of accept-rules, comprised of at least the field `proto`, which designates one or more protocols/services. `to` and `from` may take one or more ip addresses (including bitmasks) upon which the rule will act.
+Under `listen` you can define a number of accept-rules, comprised of at least the field `proto`, which designates one or more protocols/services. `to` and `from` may take one or more ip addresses (including bitmasks) upon which the rule will act. **The default value for `listen_to` is `0.0.0.0`. It is highly recommended to change the value.**
 
+## Local Testing
+
+For local testing you can use vagrant and Virtualbox of VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started).
+
+Next install test-kitchen:
+
+    gem install test-kitchen kitchen-vagrant
+
+Next install berkshelf for dependency management
+
+    gem install berkshelf
+
+Create a local kitchen configuration:
+
+    cp .kitchen.local.yml{.example,}
+
+You should now be able to run tests:
+
+    kitchen test
+
+http://kitchen.ci/docs/getting-started
 
 ## Contributors + Kudos
 

TUTORIAL.md

@@ -0,0 +1,69 @@
+# Tutorial
+
+## Deutsche Telekom AG
+
+### Debian / Ubuntu
+
+1. Install ruby
+
+        apt-get install ruby1.9.1-full
+
+2. Install chef
+
+        gem1.9.1 install chef
+
+3. May be you have to adjust the `$PATH` variable
+
+        export PATH=$PATH:/var/lib/gems/1.9.1/bin/
+
+4. Download the chef cookbook
+
+        git clone https://github.com/TelekomLabs/chef-ssh-hardening.git
+
+5. Move hardening to `cookbooks`
+
+        mkdir cookbooks
+        mv chef-ssh-hardening cookbooks/ssh-hardening
+
+6. Download some dependences for the os-hardening cookbook
+
+        cd cookbooks
+        git clone https://github.com/edelight/chef-solo-search
+        cd ..
+
+7. Add a public key to the root user `data_bags/users/root.json`
+
+        {
+          "id" : "root",
+          "ssh_rootkeys" : "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TCCCCCCjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qPasgCgzUFtdOKLv6IedplqoPasdasd0aYet2PkEDo3MlTBckFXPITAMzF8dJSICCCCFo9D8HfdOV0IAdx4O7dETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIUc9c9WhQ== vagrant insecure public key"
+        }
+
+8. Create `solo.rb`
+
+    This file is used to specify the configuration details for chef-solo. So create a `solo.rb` that include the `cookbook_path` and the `data_bags`.
+
+        cookbook_path "cookbooks"
+        data_bag_path "data_bags
+
+9. Create `solo.json`
+
+    Chef-solo does not interact with the Chef Server. Consequently, node-specific attributes must be located in a JSON file on the target system. Create the following `solo.json`.
+
+        {
+
+            "ssh" : {
+                "listen_to" : "10.0.2.15"
+           },
+            "run_list":[
+                "recipe[chef-solo-search]",
+                "recipe[ssh-hardening::server]"
+            ]
+        }
+
+10. Run chef-solo
+
+        chef-solo -c solo.rb -j solo.json
+
+
+
+

attributes/default.rb

@@ -39,8 +39,8 @@
 default['ssh']['weak_hmac']             = false   # sshd + ssh
 default['ssh']['weak_kex']              = false   # sshd + ssh
 default['ssh']['ports']                 = [ 22 ]  # sshd + ssh
-default['ssh']['listen_to']             = [ ]     # sshd
-default['ssh']['host_key_files']        = [ ]     # sshd
+default['ssh']['listen_to']             = ["0.0.0.0"]     # sshd
+default['ssh']['host_key_files']        = ["/etc/ssh/ssh_host_rsa_key","/etc/ssh/ssh_host_dsa_key","/etc/ssh/ssh_host_ecdsa_key"]     # sshd
 default['ssh']['client_alive_interval'] = 600     # sshd, 10min
 default['ssh']['client_alive_count']    = 3       # sshd, ~> 3 x interval
 default['ssh']['remote_hosts']          = [ ]     # ssh

templates/default/authorized_keys.erb

@@ -1,3 +1,3 @@
 <% @keys.each do |key| %>
 <%= key %>
-<% end %>
+<% end %>