Merge pull request #150 from artem-sidorenko/subnamespace

Split the attribues to the client and server areas

Author: chris-rock

attributes/default.rb

@@ -46,55 +46,57 @@
   default['ssh-hardening']['sshserver']['service_name'] = 'ssh'
 end
 
+# sshd + ssh client
+default['ssh-hardening']['network']['ipv6']['enable']      = false
 default['ssh-hardening']['config_disclaimer']              = '**Note:** This file was automatically created by Hardening Framework (dev-sec.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
-default['ssh-hardening']['network']['ipv6']['enable']      = false   # sshd + ssh
-default['ssh-hardening']['ssh']['server']['kex']           = nil     # nil = calculate best combination for server version
+default['ssh-hardening']['ssh']['ports']                   = [22]
+
+# ssh client
 default['ssh-hardening']['ssh']['client']['mac']           = nil     # nil = calculate best combination for client
-default['ssh-hardening']['ssh']['server']['cipher']        = nil     # nil = calculate best combination for server version
 default['ssh-hardening']['ssh']['client']['kex']           = nil     # nil = calculate best combination for client
-default['ssh-hardening']['ssh']['server']['mac']           = nil     # nil = calculate best combination for server version
 default['ssh-hardening']['ssh']['client']['cipher']        = nil     # nil = calculate best combination for client
-default['ssh-hardening']['ssh']['client']['cbc_required']  = false   # ssh
-default['ssh-hardening']['ssh']['server']['cbc_required']  = false   # sshd
-default['ssh-hardening']['ssh']['client']['weak_hmac']     = false   # ssh
-default['ssh-hardening']['ssh']['server']['weak_hmac']     = false   # sshd
-default['ssh-hardening']['ssh']['client']['weak_kex']      = false   # ssh
-default['ssh-hardening']['ssh']['server']['weak_kex']      = false   # sshd
-default['ssh-hardening']['ssh']['ports']                   = [22]  # sshd + ssh
-default['ssh-hardening']['ssh']['listen_to']               = ['0.0.0.0']     # sshd
-default['ssh-hardening']['ssh']['host_key_files']          = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']     # sshd
-default['ssh-hardening']['ssh']['client_alive_interval']   = 600     # sshd, 10min
-default['ssh-hardening']['ssh']['client_alive_count']      = 3       # sshd, ~> 3 x interval
-default['ssh-hardening']['ssh']['remote_hosts']            = []     # ssh
-default['ssh-hardening']['ssh']['allow_root_with_key']     = false   # sshd
-default['ssh-hardening']['ssh']['allow_tcp_forwarding']    = false   # sshd
-default['ssh-hardening']['ssh']['allow_agent_forwarding']  = false   # sshd
-default['ssh-hardening']['ssh']['allow_x11_forwarding']    = false   # sshd
-default['ssh-hardening']['ssh']['use_pam']                 = false   # sshd
-default['ssh-hardening']['ssh']['challenge_response_authentication'] = false   # sshd
-default['ssh-hardening']['ssh']['deny_users']              = []      # sshd
-default['ssh-hardening']['ssh']['allow_users']             = []      # sshd
-default['ssh-hardening']['ssh']['deny_groups']             = []      # sshd
-default['ssh-hardening']['ssh']['allow_groups']            = []      # sshd
-default['ssh-hardening']['ssh']['print_motd']              = false   # sshd
-default['ssh-hardening']['ssh']['print_last_log']          = false   # sshd
-# set this to nil to disable banner or provide a path like '/etc/issue.net'
-default['ssh-hardening']['ssh']['banner']                  = nil     # sshd
-default['ssh-hardening']['ssh']['os_banner']               = false   # sshd (Debian OS family)
+default['ssh-hardening']['ssh']['client']['cbc_required']  = false
+default['ssh-hardening']['ssh']['client']['weak_hmac']     = false
+default['ssh-hardening']['ssh']['client']['weak_kex']      = false
 
-# set this to nil to let us use the default OpenSSH in case it's not set by the user
-default['ssh-hardening']['ssh']['use_dns']                 = nil     # sshd
-# set this to nil to let us detect the attribute based on the node platform
-default['ssh-hardening']['ssh']['use_privilege_separation'] = nil
-default['ssh-hardening']['ssh']['login_grace_time']         = '30s'  # sshd
-default['ssh-hardening']['ssh']['max_auth_tries']           = 2      # sshd
-default['ssh-hardening']['ssh']['max_sessions']             = 10     # sshd
+default['ssh-hardening']['ssh']['client']['remote_hosts']  = []
 default['ssh-hardening']['ssh']['client']['password_authentication'] = false   # ssh
-default['ssh-hardening']['ssh']['server']['password_authentication'] = false   # sshd
 # http://undeadly.org/cgi?action=article&sid=20160114142733
 default['ssh-hardening']['ssh']['client']['roaming']        = false
 
-# Define SFTP options
-default['ssh-hardening']['ssh']['sftp']['enable']        = false
-default['ssh-hardening']['ssh']['sftp']['group']         = 'sftponly'
-default['ssh-hardening']['ssh']['sftp']['chroot']        = '/home/%u'
+# sshd
+default['ssh-hardening']['ssh']['server']['kex']                      = nil     # nil = calculate best combination for server version
+default['ssh-hardening']['ssh']['server']['cipher']                   = nil     # nil = calculate best combination for server version
+default['ssh-hardening']['ssh']['server']['mac']                      = nil     # nil = calculate best combination for server version
+default['ssh-hardening']['ssh']['server']['cbc_required']             = false
+default['ssh-hardening']['ssh']['server']['weak_hmac']                = false
+default['ssh-hardening']['ssh']['server']['weak_kex']                 = false
+default['ssh-hardening']['ssh']['server']['listen_to']                = ['0.0.0.0']
+default['ssh-hardening']['ssh']['server']['host_key_files']           = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']
+default['ssh-hardening']['ssh']['server']['client_alive_interval']    = 600     # 10min
+default['ssh-hardening']['ssh']['server']['client_alive_count']       = 3       # ~> 3 x interval
+
+default['ssh-hardening']['ssh']['server']['allow_root_with_key']      = false
+default['ssh-hardening']['ssh']['server']['allow_tcp_forwarding']     = false
+default['ssh-hardening']['ssh']['server']['allow_agent_forwarding']   = false
+default['ssh-hardening']['ssh']['server']['allow_x11_forwarding']     = false
+default['ssh-hardening']['ssh']['server']['use_pam']                  = false
+default['ssh-hardening']['ssh']['server']['challenge_response_authentication'] = false
+default['ssh-hardening']['ssh']['server']['deny_users']               = []
+default['ssh-hardening']['ssh']['server']['allow_users']              = []
+default['ssh-hardening']['ssh']['server']['deny_groups']              = []
+default['ssh-hardening']['ssh']['server']['allow_groups']             = []
+default['ssh-hardening']['ssh']['server']['print_motd']               = false
+default['ssh-hardening']['ssh']['server']['print_last_log']           = false
+default['ssh-hardening']['ssh']['server']['banner']                   = nil     # set this to nil to disable banner or provide a path like '/etc/issue.net'
+default['ssh-hardening']['ssh']['server']['os_banner']                = false   # (Debian OS family)
+default['ssh-hardening']['ssh']['server']['use_dns']                  = nil     # set this to nil to let us use the default OpenSSH in case it's not set by the user
+default['ssh-hardening']['ssh']['server']['use_privilege_separation'] = nil     # set this to nil to let us detect the attribute based on the node platform
+default['ssh-hardening']['ssh']['server']['login_grace_time']         = '30s'
+default['ssh-hardening']['ssh']['server']['max_auth_tries']           = 2
+default['ssh-hardening']['ssh']['server']['max_sessions']             = 10
+default['ssh-hardening']['ssh']['server']['password_authentication']  = false
+# sshd sftp options
+default['ssh-hardening']['ssh']['server']['sftp']['enable']           = false
+default['ssh-hardening']['ssh']['server']['sftp']['group']            = 'sftponly'
+default['ssh-hardening']['ssh']['server']['sftp']['chroot']           = '/home/%u'

recipes/client.rb

@@ -38,7 +38,6 @@
   variables(
     mac:     node['ssh-hardening']['ssh']['client']['mac']    || DevSec::Ssh.get_client_macs(node['ssh-hardening']['ssh']['client']['weak_hmac']),
     kex:     node['ssh-hardening']['ssh']['client']['kex']    || DevSec::Ssh.get_client_kexs(node['ssh-hardening']['ssh']['client']['weak_kex']),
-    cipher:  node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required']),
-    roaming: node['ssh-hardening']['ssh']['client']['roaming']
+    cipher:  node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required'])
   )
 end

recipes/server.rb

@@ -69,11 +69,7 @@
     mac:    node['ssh-hardening']['ssh']['server']['mac']    || DevSec::Ssh.get_server_macs(node['ssh-hardening']['ssh']['server']['weak_hmac']),
     kex:    node['ssh-hardening']['ssh']['server']['kex']    || DevSec::Ssh.get_server_kexs(node['ssh-hardening']['ssh']['server']['weak_kex']),
     cipher: node['ssh-hardening']['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh-hardening']['ssh']['server']['cbc_required']),
-    use_priv_sep: node['ssh-hardening']['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion,
-    deny_users: node['ssh-hardening']['ssh']['deny_users'],
-    allow_users: node['ssh-hardening']['ssh']['allow_users'],
-    deny_groups: node['ssh-hardening']['ssh']['deny_groups'],
-    allow_groups: node['ssh-hardening']['ssh']['allow_groups']
+    use_priv_sep: node['ssh-hardening']['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion
   )
   notifies :restart, 'service[sshd]'
 end

spec/recipes/server_spec.rb

@@ -271,7 +271,7 @@
   context 'with attribute deny_users' do
     cached(:chef_run) do
       ChefSpec::ServerRunner.new do |node|
-        node.normal['ssh-hardening']['ssh']['deny_users'] = %w(someuser)
+        node.normal['ssh-hardening']['ssh']['server']['deny_users'] = %w(someuser)
       end.converge(described_recipe)
     end
 
@@ -284,7 +284,7 @@
   context 'with attribute deny_users mutiple' do
     cached(:chef_run) do
       ChefSpec::ServerRunner.new do |node|
-        node.normal['ssh-hardening']['ssh']['deny_users'] = %w(someuser otheruser)
+        node.normal['ssh-hardening']['ssh']['server']['deny_users'] = %w(someuser otheruser)
       end.converge(described_recipe)
     end
 
@@ -304,7 +304,7 @@
   context 'with attribute use_dns set to false' do
     cached(:chef_run) do
       ChefSpec::ServerRunner.new do |node|
-        node.normal['ssh-hardening']['ssh']['use_dns'] = false
+        node.normal['ssh-hardening']['ssh']['server']['use_dns'] = false
       end.converge(described_recipe)
     end
 
@@ -317,7 +317,7 @@
   context 'with attribute use_dns set to true' do
     cached(:chef_run) do
       ChefSpec::ServerRunner.new do |node|
-        node.normal['ssh-hardening']['ssh']['use_dns'] = true
+        node.normal['ssh-hardening']['ssh']['server']['use_dns'] = true
       end.converge(described_recipe)
     end
 
@@ -337,7 +337,7 @@
   context 'with attribute ["sftp"]["enable"] set to true' do
     cached(:chef_run) do
       ChefSpec::ServerRunner.new do |node|
-        node.normal['ssh-hardening']['ssh']['sftp']['enable'] = true
+        node.normal['ssh-hardening']['ssh']['server']['sftp']['enable'] = true
       end.converge(described_recipe)
     end
 
@@ -350,8 +350,8 @@
   context 'with attribute ["sftp"]["enable"] set to true and ["sftp"]["group"] set to "testgroup"' do
     cached(:chef_run) do
       ChefSpec::ServerRunner.new do |node|
-        node.normal['ssh-hardening']['ssh']['sftp']['enable'] = true
-        node.normal['ssh-hardening']['ssh']['sftp']['group'] = 'testgroup'
+        node.normal['ssh-hardening']['ssh']['server']['sftp']['enable'] = true
+        node.normal['ssh-hardening']['ssh']['server']['sftp']['group'] = 'testgroup'
       end.converge(described_recipe)
     end
 
@@ -364,8 +364,8 @@
   context 'with attribute ["sftp"]["enable"] set to true and ["sftp"]["chroot"] set to "/export/home/%u"' do
     cached(:chef_run) do
       ChefSpec::ServerRunner.new do |node|
-        node.normal['ssh-hardening']['ssh']['sftp']['enable'] = true
-        node.normal['ssh-hardening']['ssh']['sftp']['chroot'] = 'test_home_dir'
+        node.normal['ssh-hardening']['ssh']['server']['sftp']['enable'] = true
+        node.normal['ssh-hardening']['ssh']['server']['sftp']['chroot'] = 'test_home_dir'
       end.converge(described_recipe)
     end
 

templates/default/openssh.conf.erb

@@ -14,7 +14,7 @@
 # Address family should always be limited to the active network configuration.
 AddressFamily <%= ((@node['ssh-hardening']['network']['ipv6']['enable']) ? "any" : "inet" ) %>
 
-<% Array(@node['ssh-hardening']['ssh']['remote_hosts']).each do |host| %>
+<% Array(@node['ssh-hardening']['ssh']['client']['remote_hosts']).each do |host| %>
 # Restrict the following configuration to be limited to this Host.
 Host <%= host %>
 <% end %>
@@ -111,4 +111,4 @@ Compression yes
 #VisualHostKey yes
 
 # http://undeadly.org/cgi?action=article&sid=20160114142733
-UseRoaming <%= @roaming ? 'yes' : 'no' %>
+UseRoaming <%= @node['ssh-hardening']['ssh']['client']['roaming'] ? 'yes' : 'no' %>