This repository was archived by the owner on Dec 26, 2020. It is now read-only.

Add archlinux support #291

Merged
merged 6 commits into from
Jun 18, 2020

djesionek
Contributor

This is my take on the changes from #223 as I could not modify that PR.

The tests depend on this PR I also made for the docker test: dev-sec/docker-ansible#7

@rndmh3ro
Member

Okay, I merged the other PR and we can now test arch in travis. However the build is failing: https://travis-ci.org/github/dev-sec/ansible-ssh-hardening/jobs/696618801

@djesionek
Contributor Author

The travis logs are not saying much for me at this point.
Looks like the playbook tries to install some packages like openssh via apt but I don't see in which container this is happening exactly. I suppose this is the execution of the test playbook itself and that it fails on the arch container since I assume the tests were fine before. And apt surely won't work any good on arch.
I think more changes are necessary like the package installer itself and so on. Will try to find the right code to change :)

@rndmh3ro
Member

You're right.

The play fails here: https://travis-ci.org/github/dev-sec/ansible-ssh-hardening/jobs/696618801#L565
Because of a missing ssh-keygen binary. That is missing, because ssh is not installed.

The test-plays are these: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tests/default_custom.yml and https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tests/default.yml
You have to add tasks to install ssh on arch there.

@djesionek
Contributor Author

Any idea what this might be about?

```
RUNNING HANDLER [ansible-ssh-hardening : restart sshd] *************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Service is in unknown state", "status": {}}
```

@rndmh3ro
Member

I just tried to reproduce it. You can do that like this:

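```bash
export distro=arch
export init=/sbin/init
export version=latest

docker pull rndmh3ro/docker-${distro}-ansible:${version}

# File that will hold the ID of the started container
container_id=/tmp/foo

# Start the container detached with the role mounted read-only;
# docker prints the container ID, which is redirected into ${container_id}
docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"

# Run the test playbook inside that container
docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff
```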

This basically runs the commands travis does.

I guess the reason for this error is missing privileges and mounts. I added a suggestion to the code to fix it.

@djesionek
Contributor Author

Okay got the playbook working. Now just the inspec executions fail.

@rndmh3ro
Member

@djesionek the tests pass now! Now all you need to do is sign-off your commits (see https://github.com/dev-sec/ansible-ssh-hardening/pull/291/checks?check_run_id=761595074) and we can merge this!

djesionek and others added 6 commits June 18, 2020 20:21
Signed-off-by: Damian Jesionek <damian@jesionek.dev>
Signed-off-by: Damian Jesionek <damian@jesionek.dev>
Signed-off-by: Damian Jesionek <damian@jesionek.dev>
Signed-off-by: Damian Jesionek <damian@jesionek.dev>
Signed-off-by: Damian Jesionek <damian@jesionek.dev>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Damian Jesionek <damian@jesionek.dev>
@djesionek
Contributor Author

@rndmh3ro not sure what changed but I won't complain, signed off!

@rndmh3ro
Member

Sorry, I forgot to tell you: @mesaguy added Arch support to the inspec tests here: dev-sec/ssh-baseline#173

@rndmh3ro rndmh3ro merged commit b27c679 into dev-sec:master Jun 18, 2020