From 79dc1e6cfca90e4dc0871c1ca20d0c404c669af3 Mon Sep 17 00:00:00 2001
From: "R. Tyler Croy"
Date: Mon, 10 Sep 2012 00:40:26 -0700
Subject: [PATCH] Whitelist the nagios server for denyhosts to prevent it from stupidly blocking Nagios SSH checks

Fixes #49
---
 .blimpignore | 1 +
 features/security.feature | 13 +++++++++++
 features/step_definitions/security_steps.rb | 7 ++++++
 modules/base/manifests/denyhosts.pp | 15 +++++++++++++
 modules/base/manifests/init.pp | 24 ++++++++++-----------
 5 files changed, 48 insertions(+), 12 deletions(-)
 create mode 100644 features/security.feature
 create mode 100644 features/step_definitions/security_steps.rb
 create mode 100644 modules/base/manifests/denyhosts.pp
diff --git a/.blimpignore b/.blimpignore
index 31e59e2..a8fb6e0 100644
--- a/.blimpignore
+++ b/.blimpignore
@@ -1,3 +1,4 @@
 modules/mysql/spec
 modules/firewall/spec
 modules/stdlib/spec
+*.deb
diff --git a/features/security.feature b/features/security.feature
new file mode 100644
index 0000000..92a300e
--- /dev/null
+++ b/features/security.feature
@@ -0,0 +1,13 @@
+Feature: Secure hosts
+
+
+ Scenario: Ensure the Nagios host is never blocked
+
+ On OSUOSL managed hosts the "denyhosts" package is installed and sometimes
+ the Nagios host (140.211.15.121) can be accidentally blacklisted by the
+ program.
+
+ Given I have an empty Linux machine
+ And I have included the Jenkins base module
+ When I provision the host
+ Then the Nagios server should be whitelisted for denyhosts
diff --git a/features/step_definitions/security_steps.rb b/features/step_definitions/security_steps.rb
new file mode 100644
index 0000000..d7cd3bd
--- /dev/null
+++ b/features/step_definitions/security_steps.rb
@@ -0,0 +1,7 @@
+Then /^the Nagios server should be whitelisted for denyhosts$/ do
+ whitelist_exists = vm.ssh_into('test -f /var/lib/denyhosts/allowed-hosts')
+ expect(whitelist_exists).to be(true)
+
+ server_whitelisted = vm.ssh_into('grep "140.211.15.121" /var/lib/denyhosts/allowed-hosts')
+ expect(server_whitelisted).to be(true)
+end
diff --git a/modules/base/manifests/denyhosts.pp b/modules/base/manifests/denyhosts.pp
new file mode 100644
index 0000000..36043d5
--- /dev/null
+++ b/modules/base/manifests/denyhosts.pp
@@ -0,0 +1,15 @@
+#
+# Ensure consistent denyhosts settings across all machines
+#
+
+class base::denyhosts {
+ file {
+ '/var/lib/denyhosts' :
+ ensure => directory;
+
+ '/var/lib/denyhosts/allowed-hosts' :
+ ensure => present,
+ require => File['/var/lib/denyhosts'],
+ content => "140.211.15.121";
+ }
+}
diff --git a/modules/base/manifests/init.pp b/modules/base/manifests/init.pp
index ad9f40d..9211599 100644
--- a/modules/base/manifests/init.pp
+++ b/modules/base/manifests/init.pp
@@ -6,13 +6,6 @@
 # not be loaded on every machine, then it should go elsewhere
 class base {
- include autoupdate
- include jenkins-dns
- include sshd
- include sudo
- include stdlib
- include users-core
-
 # Unfortunately this module only supports Ubuntu
 if ($operatingsystem == 'Ubuntu') {
 include nagios::client
@@ -33,11 +26,18 @@ class base {
 'base::post' :
 stage => 'post';
- 'packages::git' : ;
- 'packages::wget': ;
- 'packages::ruby': ;
- 'packages::hiera': ;
- 'packages::puppet': ;
+ ['autoupdate',
+ 'base::denyhosts',
+ 'jenkins-dns',
+ 'sshd',
+ 'sudo',
+ 'stdlib',
+ 'users-core',
+ 'packages::git',
+ 'packages::wget',
+ 'packages::hiera',
+ 'packages::ruby',
+ 'packages::puppet'] : ;
 'ntp' :
 ensure => running,
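Review bot: The `grep "140.211.15.121" /var/lib/denyhosts/allowed-hosts` check on the fifth added line is an unanchored regex, so it also succeeds when the file holds a longer address such as `140.211.15.1210`, or a line where the unescaped dots match other characters, which lets the scenario pass on a whitelist that does not actually cover the Nagios host; use a fixed-string, whole-line match instead: `grep -qxF "140.211.15.121" /var/lib/denyhosts/allowed-hosts`. Both `be(true)` expectations presumably rely on `vm.ssh_into` returning the remote command's success as a boolean — the helper is not on this page, so confirm that, because a `Process::Status` or output string would make the step fail for an unrelated reason. The same literal address appears here, in security.feature and in denyhosts.pp; reading it from one shared value in the step (fed from the same data the manifest uses) would keep the test and the manifest from drifting apart.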
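Review bot: The `allowed-hosts` file resource has no relationship to the denyhosts daemon, so on a host where denyhosts is already running the new whitelist is, as far as I recall, not honoured until the service restarts — DenyHosts loads allowed-hosts when it starts; the file should `notify` the denyhosts service (no Service resource for it is declared on this page, so one would have to be added or the restart handled where the package is installed). Give the content a trailing newline, `content => "140.211.15.121\n";`, so anything that later appends to the file does not land on the same line as the address. Note also that the whitelist only prevents future blocks: if the Nagios address was already written to the deny file by an earlier run it stays blocked until that entry is removed, which the scenario in security.feature ("is never blocked") does not cover.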