In a container, ssh should not run as root

micheelengronne · micheelengronne · commit 5dc04cbb2f31 · 2020-05-05T18:03:51.000+02:00
Add the option to choose the owner of configurations files and their locations.

Signed-off-by: Michée Lengronne &lt;michee.lengronne@coppint.com&gt;
diff --git a/controls/ssh_spec.rb b/controls/ssh_spec.rb
@@ -22,16 +22,28 @@
   command('ssh').exist?
 end
 
+custom_user = attribute(
+  'custom_user',
+  value: 'root',
+  description: 'The SSH user is not always root. It must be an unprivileged user in a container'
+)
+
+custom_path = attribute(
+  'custom_path',
+  value: '/etc/ssh',
+  description: 'Sometimes ssh configuration files are present in another location and ssh use them with the -f flag'
+)
+
 control 'ssh-01' do
   impact 1.0
   title 'client: Check ssh_config owner, group and permissions.'
-  desc 'The ssh_config should owned by root, only be writable by owner and readable to all.'
+  desc 'The ssh_config should owned by root or a specified user, only be writable by owner and readable to all.'
 
-  describe file('/etc/ssh/ssh_config') do
+  describe file(custom_path + '/ssh_config') do
     it { should exist }
     it { should be_file }
-    it { should be_owned_by 'root' }
-    it { should be_grouped_into os.darwin? ? 'wheel' : 'root' }
+    it { should be_owned_by custom_user }
+    it { should be_grouped_into os.darwin? ? 'wheel' : custom_user }
     it { should_not be_executable }
     it { should be_readable.by('owner') }
     it { should be_readable.by('group') }
