From 44c194abe5eb7f3438ea25f2aa2dd6ef6bf4ca18 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Fri, 4 Aug 2017 07:34:10 +0000
Subject: Added basic sshd policy
---
 services/main.cf | 2 ++
 services/sshd.cf | 33 +++++++++++++++++++++++++++++++++
 templates/sshd/authorized_keys | 3 +++
 3 files changed, 38 insertions(+)
 create mode 100644 services/sshd.cf
 create mode 100644 templates/sshd/authorized_keys
diff --git a/services/main.cf b/services/main.cf
index 4c2b022..5d994b3 100644
--- a/services/main.cf
+++ b/services/main.cf
@@ -7,12 +7,14 @@ bundle common classify
 "check_mk",
 "flavour",
 "julien",
+ "sshd",
 };
 "inputs" slist => {
 "services/check_mk.cf",
 "services/common.cf",
 "services/$(flavour).cf",
 "services/julien.cf",
+ "services/sshd.cf",
 };
 debian::
 "flavour" string => "debian";
diff --git a/services/sshd.cf b/services/sshd.cf
new file mode 100644
index 0000000..da602a1
--- /dev/null
+++ b/services/sshd.cf
@@ -0,0 +1,33 @@
+bundle agent sshd
+{
+ files:
+ freebsd::
+ "/etc/rc.conf"
+ create => "true",
+ edit_defaults => std_defs,
+ perms => system_owned("444"),
+ edit_line => append_if_no_line("sshd_enable=\"YES\""),
+ classes => if_repaired("sshd_rc_conf_file_repaired");
+ "/root/.ssh/."
+ create => "true",
+ perms => system_owned("700"),
+ classes => if_repaired("sshd_ssh_dir_repaired");
+ "/root/.ssh/authorized_keys"
+ create => "true",
+ edit_defaults => empty,
+ perms => system_owned("444"),
+ edit_template => "$(sys.inputdir)/templates/sshd/authorized_keys",
+ classes => if_repaired("sshd_authorized_keys_files_repaired");
+ classes:
+ freebsd::
+ "sshd_service_running" expression => returnszero("/usr/sbin/service sshd status", "noshell");
+ commands:
+ freebsd.!sshd_service_running::
+ "/usr/sbin/service sshd start" classes => if_repaired("sshd_service_repaired");
+ reports:
+ any::
+ "$(this.bundle): /etc/rc.conf repaired" ifvarclass => "sshd_rc_conf_file_repaired";
+ "$(this.bundle): /root/.ssh directory repaired" ifvarclass => "sshd_ssh_dir_repaired";
+ "$(this.bundle): /root/.ssh/authorized_keys repaired" ifvarclass => "sshd_rc_conf_file_repaired";
+ "$(this.bundle): sshd service repaired" ifvarclass => "sshd_service_repaired";
+}
diff --git a/templates/sshd/authorized_keys b/templates/sshd/authorized_keys
new file mode 100644
index 0000000..d3f7f5a
--- /dev/null
+++ b/templates/sshd/authorized_keys
@@ -0,0 +1,3 @@
+ssh-rsa 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 perso
+ssh-rsa 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 q10
+ssh-rsa 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 hurricane
-- cgit v1.2.3
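Review bot: In the `reports:` section of services/sshd.cf, the "/root/.ssh/authorized_keys repaired" message is gated on `sshd_rc_conf_file_repaired`, not on the class the authorized_keys promise actually sets, `sshd_authorized_keys_files_repaired`. As written, a rewrite of root's authorized_keys is never reported, while an /etc/rc.conf repair prints the authorized_keys message as well. Because that file is regenerated from the template (the promise uses `edit_defaults => empty`, which presumably discards existing content), this report is the one visible signal that root's keys on a host had drifted from policy, so it should fire on the right class. The line should read `"$(this.bundle): /root/.ssh/authorized_keys repaired" ifvarclass => "sshd_authorized_keys_files_repaired";`.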