Adds ability to populate SSH Banner text

A puppet manifest to allow the toggle of 'Banner' in sshd_config
and enable population of an SSH login banner needed for security
compliance such as DISA STIG

If `Bannertext` is set as a parameter, the `Banner` key within
sshd_config is toggled to `/etc/issue` and the content is copied
into the `/etc/issue` file

Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306

diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
new file mode 100644 (file)
index 0000000..e7916c1
--- /dev/null
+++ b/manifests/profile/base/sshd.pp
@@ -0,0 +1,61 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::sshd
+#
+# SSH profile for tripleo
+#
+# === Parameters
+#
+# [*bannertext*]
+#   The text used within SSH Banner
+#   Defaults to hiera('BannerText')
+#
+class tripleo::profile::base::sshd (
+  $bannertext = hiera('BannerText', undef),
+) {
+
+  if $bannertext {
+    $action = 'set'
+  } else {
+    $action = 'rm'
+  }
+
+  package {'openssh-server':
+    ensure => installed,
+  }
+
+  augeas { 'sshd_config_banner':
+    context => '/files/etc/ssh/sshd_config',
+    changes => [ "${action} Banner /etc/issue"  ],
+    notify  => Service['sshd']
+  }
+
+  file { '/etc/issue':
+    ensure  => file,
+    backup  => false,
+    content => $bannertext,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600'
+  }
+
+  service { 'sshd':
+    ensure    => 'running',
+    enable    => true,
+    hasstatus => false,
+    require   => Package['openssh-server'],
+  }
+}

diff --git a/releasenotes/notes/sshd-437c531301f458bb.yaml b/releasenotes/notes/sshd-437c531301f458bb.yaml
new file mode 100644 (file)
index 0000000..0086cb0
--- /dev/null
+++ b/releasenotes/notes/sshd-437c531301f458bb.yaml
@@ -0,0 +1,3 @@
+---
+features:
+  - Added manifest and template to enable configuration of sshd_config

diff --git a/spec/classes/tripleo_profile_base_sshd_spec.rb b/spec/classes/tripleo_profile_base_sshd_spec.rb
new file mode 100644 (file)
index 0000000..210b41c
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_sshd_spec.rb
@@ -0,0 +1,30 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::sshd' do
+
+  context 'with banner configured' do
+    it do
+      is_expected.to contain_file('/etc/issue').with({
+        'owner'  => 'root',
+        'group'  => 'root',
+        'mode'   => '0600',
+        })
+    end
+  end
+end