Fix Ubuntu 24.04 SSH hardening

Signed-off-by: Martin Schurz <[email protected]>

Author: schurzi

.config/ansible-lint.yml

@@ -8,9 +8,9 @@ exclude_paths:
   - .ansible/ # somehow someone decided that the cache directory should be renamed
   # add all waivers individually, since exclude_files does not support globs
   - molecule/os_hardening/waivers.yaml
-  - molecule/ssh_hardening_bsd/waivers_freebsd13.yaml
-  - molecule/ssh_hardening_bsd/waivers_freebsd14.yaml
-  - molecule/ssh_hardening_bsd/waivers_openbsd7.yaml
+  - molecule/ssh_hardening_vm/waivers_freebsd13.yaml
+  - molecule/ssh_hardening_vm/waivers_freebsd14.yaml
+  - molecule/ssh_hardening_vm/waivers_openbsd7.yaml
 
 mock_roles:
   - geerlingguy.git

.github/workflows/ssh_hardening_bsd.yml renamed to .github/workflows/ssh_hardening_vm.yml

@@ -1,20 +1,20 @@
 ---
-name: "devsec.ssh_hardening BSD"
+name: "devsec.ssh_hardening VM"
 on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
   push:
     branches: [master]
     paths:
       - 'roles/ssh_hardening/**'
-      - 'molecule/ssh_hardening_bsd/**'
-      - '.github/workflows/ssh_hardening_bsd.yml'
+      - 'molecule/ssh_hardening_vm/**'
+      - '.github/workflows/ssh_hardening_vm.yml'
       - 'requirements.txt'
   pull_request:
     branches: [master]
     paths:
       - 'roles/ssh_hardening/**'
-      - 'molecule/ssh_hardening_bsd/**'
-      - '.github/workflows/ssh_hardening_bsd.yml'
+      - 'molecule/ssh_hardening_vm/**'
+      - '.github/workflows/ssh_hardening_vm.yml'
       - 'requirements.txt'
   schedule:
     - cron: '0 6 * * 5'
@@ -36,9 +36,10 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
-          - openbsd7
-          - freebsd13
-          - freebsd14
+          - generic/openbsd7
+          - generic/freebsd13
+          - generic/freebsd14
+          - cloud-image/ubuntu-24.04
     steps:
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
@@ -47,10 +48,10 @@ jobs:
           submodules: true
 
       - name: Update Vagrant Box
-        run: vagrant box update --box generic/${{ matrix.molecule_distro }} || true
+        run: vagrant box update --box ${{ matrix.molecule_distro }} || true
 
       - name: Test with molecule
-        run: molecule test -s ssh_hardening_bsd
+        run: molecule test -s ssh_hardening_vm
         env:
           MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
         working-directory: ansible_collections/devsec/hardening

README.md

@@ -3,7 +3,7 @@
 [![devsec.os_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/os_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/os_hardening.yml)
 [![devsec.os_hardening VM](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/os_hardening_vm.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/os_hardening_vm.yml)
 [![devsec.ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening.yml)
-[![devsec.ssh_hardening BSD](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_bsd.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_bsd.yml)
+[![devsec.ssh_hardening VM](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_vm.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_vm.yml)
 [![devsec.ssh_hardening with custom tests](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_custom_tests.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_custom_tests.yml)
 [![devsec.nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/nginx_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/nginx_hardening.yml)
 [![devsec.mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/mysql_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/mysql_hardening.yml)

molecule/ssh_hardening_bsd/INSTALL.rst renamed to molecule/ssh_hardening_vm/INSTALL.rst

@@ -36,7 +36,7 @@
       ansible.builtin.command: >
         docker run --rm
         --volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
-        --volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') }}.yaml:/waivers.yaml
+        --volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') | regex_replace('^.*/', '') }}.yaml:/waivers.yaml
         docker.io/cincproject/auditor exec
         --ssh-config-file={{ molecule_ephemeral_directory }}/ssh-config
         -t ssh://{{ lookup('env', 'USER') }}