feat: implement WP-0002 — Goss test suite, verify playbook, and ADR-002
- goss/baseline.yaml: assertions for all spec/server-baseline.yaml items (packages, services, SSH config, UFW rules, admin user, fail2ban, HISTCONTROL) - goss/vars/baseline-vars.yaml: parameterised ports and paths - ansible/roles/goss/: installs Goss binary (v0.4.9), deploys tests, runs assertions in TAP format, fetches report to reports/ - ansible/playbooks/verify.yaml: playbook wrapping the goss role - Makefile: add 'make verify' target; update 'make status' with hint - docs/adr/ADR-002: formal repo boundary — railiance-hosts vs railiance-bootstrap - workplans/RAIL-HO-WP-0002: registered workstream 8fed53c2, T03–T06 done Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
2be5de2a3a
commit
8f5799553e
7 changed files with 242 additions and 5 deletions
8
Makefile
8
Makefile
@ -195,6 +195,14 @@ status: ## Show live security state of all hosts (UFW, fail2ban, SSH hardening)
cd $(ANS_DIR) && ansible all -u $(SSH_USER) -m shell -a "systemctl is-active fail2ban"
@echo "=== SSH hardening ==="
cd $(ANS_DIR) && ansible all -u $(SSH_USER) -m shell -a "grep -iE '^(PermitRootLogin|PasswordAuthentication)' /etc/ssh/sshd_config" --become
@echo ""
@echo "--- Hint: run 'make verify' for a structured pass/fail report ---"
verify: ## Run Goss test suite against all hosts — exits non-zero on failure
@echo "Running Goss baseline assertions..."
@cd $(ANS_DIR) && ansible-playbook playbooks/verify.yaml -u $(SSH_USER) && \
echo "All assertions passed." || \
(echo "One or more assertions FAILED — see reports/ for TAP output." && exit 1)
converge: ## Converge all hosts to the baseline (idempotent)
cd $(ANS_DIR) && ansible-playbook $(PLAY) -u $(SSH_USER)
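Review bot: The new `verify` target is a command, not a file, and the hunk does not show it being added to the file's `.PHONY` list (which sits outside this hunk, if it exists) — a stray file named `verify` in the repo root would make `make verify` report "Nothing to be done" and skip the Goss run entirely, so the declaration should be extended: `.PHONY: … verify`. The `&& echo … || ( … && exit 1 )` chain works because the `exit 1` inside the subshell becomes the line's exit status, but the more conventional shell form `|| { echo "…"; exit 1; }` reads as intended rather than relying on that property. The leading `@` on the `ansible-playbook` line also hides the exact command and user that ran when the assertions fail; consider leaving that line unsilenced, since the failure message is what a reader needs to reproduce. Finally, the failure text points at `reports/`, but the recipe has already `cd`'d into `$(ANS_DIR)`, so it is unclear from the hunk whether that path is relative to the repo root or the Ansible directory — worth making it explicit in the message, e.g. `see $(ANS_DIR)/reports/`, or whichever location the goss role actually writes to.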