Merge pull request #159 from artem-sidorenko/log-level

atomic111 · web-flow · commit 5fa902cb0a18 · 2017-01-13T10:00:26.000+01:00
Allow log level configuration of sshd
diff --git a/README.md b/README.md
@@ -67,6 +67,7 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
 * `['ssh-hardening']['ssh']['server']['max_auth_tries']` - `2`. The number of authentication attempts per connection
 * `['ssh-hardening']['ssh']['server']['max_sessions']` - `10` The number of sessions per connection
 * `['ssh-hardening']['ssh']['server']['password_authentication']` - `false`. Set to `true` if password authentication should be enabled
+* `['ssh-hardening']['ssh']['server']['log_level']` - `verbose`. The log level of sshd. See `LogLevel` in `man 5 sshd_config` for possible values.
 * `['ssh-hardening']['ssh']['server']['sftp']['enable']` - `false`. Set to `true` to enable the SFTP feature of OpenSSH daemon
 * `['ssh-hardening']['ssh']['server']['sftp']['group']` - `sftponly`. Sets the `Match Group` option of SFTP to allow SFTP only for dedicated users
 * `['ssh-hardening']['ssh']['server']['sftp']['chroot']` - `/home/%u`. Sets the directory where the SFTP user should be chrooted
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -93,6 +93,7 @@
 default['ssh-hardening']['ssh']['server']['max_auth_tries']           = 2
 default['ssh-hardening']['ssh']['server']['max_sessions']             = 10
 default['ssh-hardening']['ssh']['server']['password_authentication']  = false
+default['ssh-hardening']['ssh']['server']['log_level']                = 'verbose'
 # sshd sftp options
 default['ssh-hardening']['ssh']['server']['sftp']['enable']           = false
 default['ssh-hardening']['ssh']['server']['sftp']['group']            = 'sftponly'
diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
@@ -404,6 +404,24 @@
     end
   end
 
+  it 'sets the log level to verbose' do
+    expect(chef_run).to render_file('/etc/ssh/sshd_config').
+      with_content('LogLevel VERBOSE')
+  end
+
+  context 'with log level set to debug' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['ssh']['server']['log_level'] = 'debug'
+      end.converge(described_recipe)
+    end
+
+    it 'sets the log level to debug' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content('LogLevel DEBUG')
+    end
+  end
+
   it 'leaves deny users commented' do
     expect(chef_run).to render_file('/etc/ssh/sshd_config').
       with_content(/#DenyUsers */)
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
@@ -48,7 +48,7 @@ StrictModes yes
 
 # Logging, obsoletes QuietMode and FascistLogging
 SyslogFacility AUTH
-LogLevel VERBOSE
+LogLevel <%= @node['ssh-hardening']['ssh']['server']['log_level'].upcase %>
 
 # Cryptography
 # ------------
