From e34d35cf128e0d09fa0b1c84f37b393e00760c9f Mon Sep 17 00:00:00 2001
From: matclab
Date: Tue, 12 Aug 2025 13:11:23 +0200
Subject: [PATCH] Do not use PrintLastLog for Archlinux

Signed-off-by: matclab
---
 molecule/ssh_hardening/verify.yml | 2 ++
 molecule/ssh_hardening/waivers_arch.yaml | 3 +++
 roles/ssh_hardening/templates/opensshd.conf.j2 | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 molecule/ssh_hardening/waivers_arch.yaml

diff --git a/molecule/ssh_hardening/verify.yml b/molecule/ssh_hardening/verify.yml
index 630e0a09f..3e4d0c8c4 100644
--- a/molecule/ssh_hardening/verify.yml
+++ b/molecule/ssh_hardening/verify.yml
@@ -10,9 +10,11 @@
 ansible.builtin.command: >
 docker run --volume /run/docker.sock:/run/docker.sock
+ --volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') }}.yaml:/waivers.yaml
 docker.io/cincproject/auditor exec -t docker://instance --no-show-progress --no-color
+ --waiver-file /waivers.yaml
 --no-distinct-exit https://github.com/dev-sec/ssh-baseline/archive/refs/heads/master.zip
 register: test_results
 changed_when: false
diff --git a/molecule/ssh_hardening/waivers_arch.yaml b/molecule/ssh_hardening/waivers_arch.yaml
new file mode 100644
index 000000000..5cd66c80f
--- /dev/null
+++ b/molecule/ssh_hardening/waivers_arch.yaml
@@ -0,0 +1,3 @@
+sshd-45:
+ run: false
+ justification: "PrintLastLog is unsupported on ArchLinux.
diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2
index ce8961942..adf8dd71c 100644
--- a/roles/ssh_hardening/templates/opensshd.conf.j2
+++ b/roles/ssh_hardening/templates/opensshd.conf.j2
@@ -253,7 +253,7 @@ UseDNS {{ 'yes' if (ssh_use_dns|bool) else 'no' }}
 PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
-{% if ansible_facts.os_family != 'FreeBSD' %}
+{% if ansible_facts.os_family not in ('FreeBSD','Archlinux') %}
 PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
 {% endif %}
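Review bot: The new `--volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') }}.yaml:/waivers.yaml` line is only satisfiable for the one distro whose waiver file this commit adds (`waivers_arch.yaml`); every other value of MOLECULE_DISTRO, and an unset variable (which yields `./waivers_.yaml`), names a file that does not exist, and a missing bind-mount source is typically materialised by Docker as an empty directory, so `--waiver-file /waivers.yaml` would then fail rather than be skipped. The relative `./` prefix is also resolved against the working directory of `ansible.builtin.command`, which is not guaranteed to be the scenario directory unless `chdir` is set; `{{ playbook_dir }}/waivers_{{ ... }}.yaml` would be unambiguous. Consider gating the two new flags on `lookup('file', ...)`/`stat` of the waiver file, or committing an empty waiver file per distro, and add a comment above the task such as `# Per-distro InSpec waivers live in waivers_<MOLECULE_DISTRO>.yaml; add one for every distro in the matrix`. The task's `name:` line is outside the hunk.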
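Review bot: The `justification:` value on the last line of the new file opens a double-quoted scalar that is never closed, as shown in the hunk (`"PrintLastLog is unsupported on ArchLinux.` with no terminating `"`), so the waiver file will not parse and the auditor run will fail before any control is evaluated. The line should read `justification: "PrintLastLog is unsupported on ArchLinux."` (or use single quotes, since no escapes are needed). Starting the file with `---` would match the other YAML files in the scenario, and since `run: false` skips control sshd-45 entirely rather than recording a waived failure, it is worth stating that intent in the justification text so the skip is visible in the audit output.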
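Review bot: The new condition silently makes `ssh_print_last_log` a no-op on Archlinux, and nothing in the template explains why FreeBSD and Archlinux are excluded; a Jinja comment directly above the `{% if %}` would save the next maintainer a git-blame, e.g. `{# PrintLastLog is not a recognised sshd_config option on these platforms, so the variable is ignored there #}`. The role's variable documentation for `ssh_print_last_log` (defaults/README, outside this patch) should carry the same caveat. As a point of style, the tuple would read better with a space after the comma: `{% if ansible_facts.os_family not in ('FreeBSD', 'Archlinux') %}`.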