Stéphane Lesimple
ed77c1ef3e
feat: transmit PIV enforcement status to remote realms
Closes #33
2021-02-18 16:05:02 +01:00
Stéphane Lesimple
2327c4dfa1
chore: remove useless '## no critic', perltidy
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
5eb5135d26
doc: update
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
488ec6382e
enh: move unexpected-sudo messages from security to code-warning type
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
e760cf6142
feat: add groupGenerateEgressKey and groupDelEgressKey
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
fe58cf1d14
enh: egress ssh key: compute an ID so that keys can be pointed to and deleted
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
c88be2def1
enh: get_group_keys: return the keyhome to avoid hardcoding it on several places
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
02b76d301a
fix: groupSetRole: pass sudo param to subfuncs to avoid a security warning
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
4624f71ea2
fix: execute: remove osh_warn on tainted params to avoid exposing arguments on coding error
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
fbe7461fcb
chore: fix typo in documentation
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
e235199715
fix: groupModify: deny early if user is not an owner of the group
This way, the error message is clearer
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
7eeccb7c5d
enh: groupInfo: nicer message when no egress key exists
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
3b37242317
chore: more readable version of sql statements
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
2021-02-15 11:25:45 +01:00
Stéphane Lesimple
d9d77f5e71
chore: ghactions: use latest freebsdvm action version
2021-02-14 22:25:50 +01:00
Stéphane Lesimple
70feff2c2d
enh: install: use in-place overwrite for sudoers files
This fixes a race condition in sudo where it would log a lot of
error messages to syslog if used while we're running the install
script: files around sudoers.d/ are then moved around, and it'll
yell for each file it previously listed if the file no longer
exists when it tries to stat() it. It also deprecates the --no-wait
flag of the install script, as now the sudoers.d/ directory will
always have integrity at all times.
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
2021-02-14 22:25:50 +01:00
Stéphane Lesimple
473439cc1c
chore: fix test for GitHub actions
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
2021-02-13 16:09:36 +01:00
Stéphane Lesimple
59187fcf4c
fix: interactive: omit inactivity msg warning when set to 0 seconds
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
2021-02-13 16:09:36 +01:00
Stéphane Lesimple
d430c602bf
release v3.02.00
2021-02-02 15:02:51 +01:00
Stéphane Lesimple
724ee2bb7a
chore: add fanciness to README.md
2021-02-01 17:32:45 +01:00
Stéphane Lesimple
a913c5aa8a
bump to v3.01.99-rc4
2021-01-25 12:18:27 +01:00
Stéphane Lesimple
5d36e820ca
fix: admins no longer inherited superowner powers
Regression since rc1
2021-01-25 12:18:04 +01:00
Stéphane Lesimple
3bb1db3a4d
bump to v3.01.99-rc3
2021-01-21 15:57:11 +01:00
Stéphane Lesimple
3dfa77ebab
doc: update groupList/accountList documentation
2021-01-21 15:56:59 +01:00
Stéphane Lesimple
fd97845c1c
chore: update autoload list accordingly
2021-01-21 15:56:59 +01:00
Stéphane Lesimple
efe3710e4c
feat: groupList/accountList: add --include --exclude
2021-01-21 15:56:59 +01:00
Stéphane Lesimple
3aa6e343fd
doc: add pointers to the-bastion-ansible-wrapper & debian-cis
2021-01-21 15:06:43 +01:00
Stéphane Lesimple
148d5206e5
enh: rootListIngressKeys: look for all well-known authkeys files
2021-01-21 15:06:27 +01:00
Stéphane Lesimple
61538ff086
chore: tests: also update totalerrors while tests are running
2021-01-20 14:01:55 +01:00
Stéphane Lesimple
80ade2ba4c
fix: debian9: create_file_if_not_exists couldn't chgrp by filehandle
2021-01-20 14:01:55 +01:00
Stéphane Lesimple
69778815bb
enh: groupList: use cache to speedup calls
On bastions with thousands of groups, the speedup is ~x10
2021-01-20 14:01:55 +01:00
Stéphane Lesimple
928bf0c7b0
enh: config: detect warnBefore/idleTimeout misconfiguration
Before, an inconsistency in the configuration settings of the warnBefore(Lock|Kill)Seconds
and idle(Lock|Kill)Timeout could break any new connection (ttyrec refuses to launch).
Now we detect this case properly, and fallback to a sane setting for
warnBefore(Lock|Kill)Seconds (zero) if those were set without enabling the corresponding
idle(Lock|Kill)Timeout setting. We also log an error to syslog when it happens,
so that the sysadmin can fix their configuration.
Added hints about how these configuration options work together in the bastion.conf.dist file.
Fixes #125
2021-01-19 12:26:09 +01:00
Stéphane Lesimple
141791db92
fix: scripts: (( )) returns 1 if evaluated to zero
2021-01-15 16:13:30 +01:00
Stéphane Lesimple
8d0004f8aa
fix: config: be more permissive for documentationURL regex
2021-01-15 16:13:11 +01:00
Stéphane Lesimple
d04b15a19e
fix: tocttou in ttyrec rotation script
2021-01-14 17:19:48 +01:00
Stéphane Lesimple
361c6a37a2
fix: osh-lingering-sessions-reaper.sh: tocttou on kill could terminate the script early
2021-01-14 17:16:31 +01:00
Pierre Kuhner
e7e045a40d
fix: confusing error messages in groupDelServer
2021-01-14 09:40:55 +01:00
Stéphane Lesimple
36d0c709db
bump to v3.01.99-rc2
2021-01-13 09:38:02 +01:00
Stéphane Lesimple
c6446495aa
fix: logs: sql dbname was not properly passed through the update logs func
2021-01-13 09:38:02 +01:00
Stéphane Lesimple
ecc19db276
doc: upgrade: add a note about config normalization
2021-01-13 09:38:02 +01:00
Stéphane Lesimple
1378ba84f5
fix: re-introduce the ttyrecfile field
This field was mistakenly removed along with the ttyrecsize one
by mistake in a479810d83.
Add tests to ensure this can't break again.
2021-01-13 09:38:02 +01:00
Stephane Lesimple
916485b3cb
chore: fix: documentation build was missing a prereq
2021-01-12 12:58:14 +01:00
Stéphane Lesimple
27d09e8cbe
bump to v3.01.99-rc1
2021-01-12 12:05:41 +01:00
Stéphane Lesimple
1129850771
fix: global-log: directly set proper perms on file creation
2021-01-12 12:05:20 +01:00
Stéphane Lesimple
1676979913
feat: add PIV keys support and policy enforcement
A new global option 'ingressRequirePIV' was added, to enable or disable a
bastion-wide policy forcing everybody to use only PIV keys.
2021-01-12 12:05:06 +01:00
Stéphane Lesimple
b00f90aa48
doc: introduce ingressRequirePIV option & install-yubico-piv-checker.sh
2021-01-12 12:05:06 +01:00
Stéphane Lesimple
62d6393d56
feat: add yubico-piv-checker install script
2021-01-12 12:05:06 +01:00
Stéphane Lesimple
7aa655bcd2
doc: add documentation for PIV
2021-01-11 17:58:59 +01:00
Stéphane Lesimple
e75fc974c6
Merge pull request #112 from ovh/counterrors
fix: tests: syslog-logged errors were not counted towards the total
2021-01-08 11:58:58 +01:00
Stéphane Lesimple
41121f7723
fix: proper sqlite log location for invalid realm accounts
2021-01-07 17:20:54 +00:00
Stéphane Lesimple
920821f5d6
fix: tests: syslog-logged errors were not counted towards the total
2021-01-07 10:36:34 +00:00