railiance-infra/goss/baseline.yaml


# Goss baseline assertions for railiance managed nodes
# Derived from spec/server-baseline.yaml — keep in sync.
# Run: goss -g /etc/goss/baseline.yaml validate
package:
  # apt packages every managed node must carry (alphabetical for stable diffs).
  # Only presence is asserted here; versions are not pinned by this baseline.
  curl:
    installed: true
  fail2ban:
    installed: true
  git:
    installed: true
  htop:
    installed: true
  ufw:
    installed: true
  vim:
    installed: true
# age and sops ship as standalone binaries rather than apt packages; their
# presence is asserted under `command` below, not here.
service:
  # Host firewall and brute-force protection must both be enabled at boot and
  # running now (alphabetical order for stable diffs).
  fail2ban:
    enabled: true
    running: true
  # On Ubuntu 24.04 sshd is socket-activated: ssh.service is intentionally
  # disabled and ssh.socket owns the listener, so the socket unit is what
  # gets asserted. Do not "fix" this by asserting ssh.service instead.
  ssh.socket:
    enabled: true
    running: true
  ufw:
    enabled: true
    running: true
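file:
  # sshd hardening drop-in. sshd reads sshd_config.d/* via Include and keeps
  # the first value set for each keyword, so this fragment must sort before
  # any other fragment that sets the same options.
  /etc/ssh/sshd_config.d/10-hardening.conf:
    exists: true
    # Anchored regexes rather than plain strings: a plain entry is a substring
    # match against each line and would also be satisfied by a commented-out
    # "#PermitRootLogin no", which enforces nothing. `\s+` tolerates the
    # keyword/value spacing sshd accepts; `\s*$` tolerates trailing blanks.
    contents:
      - /^PermitRootLogin\s+no\s*$/
      - /^PasswordAuthentication\s+no\s*$/
      - /^PubkeyAuthentication\s+yes\s*$/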
user:
  # Operator account expected on every managed node. Group membership is
  # deliberately not asserted (see the sudo note below).
  tegwick:
    exists: true
    # sudo access is via /etc/sudoers.d/tegwick (NOPASSWD), not group membership
    shell: /bin/bash
command:
  # Each command must exit 0; plain `stdout` entries are substring matches
  # against output lines, `/…/` entries are regexes. `ufw status` and the
  # sudoers grep need root, so run goss with sufficient privileges.
  "ufw status":
    exit-status: 0
    stdout:
      - "Status: active"
      - /OpenSSH.*ALLOW/
      # NOTE(review): presumably the Kubernetes API (6443/tcp) and the VXLAN
      # overlay (8472/udp) — confirm against the firewall spec.
      - /6443\/tcp.*ALLOW/
      - /8472\/udp.*ALLOW/
  # Asserts the passwordless sudo grant exists; it does not check the
  # grant's scope (which commands/hosts), only that NOPASSWD appears.
  "grep NOPASSWD /etc/sudoers.d/tegwick":
    exit-status: 0
    stdout:
      - "NOPASSWD"
  # Shell history should drop space-prefixed commands so secrets pasted
  # interactively are not persisted.
  "grep -r HISTCONTROL /etc/profile.d/":
    exit-status: 0
    stdout:
      - "ignorespace"
  # The sshd jail must be loaded, not just the fail2ban service running.
  "fail2ban-client status sshd":
    exit-status: 0
    stdout:
      - "Status for the jail: sshd"
  # age/sops are standalone binaries (not apt packages). These assert only
  # that an executable is present — no version or checksum is verified here.
  "test -x /usr/local/bin/age":
    exit-status: 0
  "test -x /usr/local/bin/sops":
    exit-status: 0