ListenAddress should exist #165
Conversation
There can be multiple ListenAddress (for instance ipv6 and ipv4 failover). Signed-off-by: Michée Lengronne <[email protected]>
micheelengronne
force-pushed
the
micheelengronne-patch-4
branch
from
6313e42
to
9bd3bc9
Compare
controls/sshd_spec.rb
Outdated
| @@ -139,7 +139,7 @@ | |||
| title 'Server: Specify ListenAddress' | |||
| desc "Limit the SSH server to listen to a specific address. Don't let it listen on all interfaces to avoid logins from unexpected sources." | |||
| describe sshd_config(sshd_custom_path + '/sshd_config') do | |||
| its('ListenAddress') { should match(/.*/) } | |||
| its('ListenAddress') { should exist } | |||
There was a problem hiding this comment.
I think the test should check for not nil then
There was a problem hiding this comment.
its probably a bug in InSpec if the nil matches that regex. What is the value for ListenAddress that you want to check against?
There was a problem hiding this comment.
I want to check it agaisnt multiple defined ListenAddress. My usecase is ipv6+ipv4 failover. 2 ListenAddress that together give ["0.0.0.0", "::"]
The check fails with:
expected ["0.0.0.0", "::"] to match /.*/
There was a problem hiding this comment.
Got ya. I see that the control itself was probably not correctly implemented in the first place.
Should we check that it is not nil and the entries should not include "0.0.0.0" or "::"?
There was a problem hiding this comment.
I think 'not nil' is enough. I am not sure that "0.0.0.0" and "::" should be tested. For my usecase, i use these values as my sshd is in a container so the network and firewall are handled by the runtime (Docker, podman, CRI-O...). What are your thoughts on that ? Maybe, test "0.0.0.0" and "::" as an option via an attribute ?
There was a problem hiding this comment.
I am struggling with InSpec's dynamic results at this check. We may need to test for more emptiness:
describe sshd_config(sshd_custom_path + '/sshd_config') do
its('ListenAddress') { should_not eq nil }
its('ListenAddress') { should_not match /^\s*$/ }
its('ListenAddress') { should_not eq [] }
end
There was a problem hiding this comment.
Travis CI builds are green even if they appear running. Weird bug.
Signed-off-by: Michée Lengronne <[email protected]>
Signed-off-by: Michée Lengronne <[email protected]>
Signed-off-by: Michée Lengronne <[email protected]>
There can be multiple ListenAddress (for instance ipv6 and ipv4 failover).
Does the
existmatcher work for sshd_config ?