chore: bootstrap lean sysadmin-chronicles repo
Import the runnable game code, content, docs, scripts, and repo guidance while leaving local agent state, dependency installs, build output, and backup copies out of the published tree.
This commit is contained in:
@@ -0,0 +1,133 @@
|
||||
{
|
||||
"id": "Q007",
|
||||
"title": "Security Theater",
|
||||
"tier": 2,
|
||||
"primary_vm": "web_server",
|
||||
"required_vms": ["workstation", "web_server"],
|
||||
"ticket_id": "T007",
|
||||
"baseline_snapshot": "baseline.post-q004",
|
||||
"summary": "Someone ran a hardening script on hermes that set AllowUsers in sshd_config to only allow a single user: deploy-bot. Now the web-admin group cannot SSH in. Priya filed the ticket after her access was blocked mid-incident response. The AllowUsers directive is correct in intent (locking down SSH) but was applied too aggressively — it needs to include the web-admin group or the relevant users. The player must fix sshd_config and reload sshd without breaking service continuity. Complication: the player must not lock themselves out during the fix, and they must validate that the specific users Priya listed can still SSH.",
|
||||
"clue_fingerprint": {
|
||||
"description": "SSH connection attempts from web-admin accounts fail with 'Permission denied'. sshd_config contains 'AllowUsers deploy-bot' with no other entries. /etc/group shows web-admin group members. The hardening script is in /opt/security/harden-ssh.sh and its log shows it ran last night.",
|
||||
"evidence": [
|
||||
{ "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowUsers deploy-bot" },
|
||||
{ "type": "log_contains", "vm": "web_server", "path": "/var/log/auth.log", "contains": "User priya from" },
|
||||
{ "type": "file_exists", "vm": "web_server", "path": "/opt/security/harden-ssh.sh" }
|
||||
]
|
||||
},
|
||||
"objectives": [
|
||||
{
|
||||
"id": "sshd-config-corrected",
|
||||
"description": "sshd_config allows the web-admin group or its members",
|
||||
"check_mode": "passive",
|
||||
"validation": {
|
||||
"type": "or",
|
||||
"rules": [
|
||||
{ "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowGroups web-admin" },
|
||||
{ "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "priya" }
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "sshd-still-running",
|
||||
"description": "sshd remains active after config change",
|
||||
"check_mode": "passive",
|
||||
"validation": {
|
||||
"type": "service_state",
|
||||
"vm": "web_server",
|
||||
"service": "sshd",
|
||||
"state": "active"
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "deploy-bot-still-allowed",
|
||||
"description": "deploy-bot access is preserved",
|
||||
"check_mode": "passive",
|
||||
"validation": {
|
||||
"type": "or",
|
||||
"rules": [
|
||||
{ "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "deploy-bot" },
|
||||
{ "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowGroups" }
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"solution_branches": [
|
||||
{
|
||||
"id": "group-based-config",
|
||||
"label": "Proper Fix — Group-Based AllowGroups",
|
||||
"priority": 100,
|
||||
"validation": {
|
||||
"type": "and",
|
||||
"rules": [
|
||||
{ "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowGroups web-admin" },
|
||||
{ "type": "service_state", "vm": "web_server", "service": "sshd", "state": "active" },
|
||||
{ "type": "not", "rule": { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowUsers" } }
|
||||
]
|
||||
},
|
||||
"trust_delta": 4,
|
||||
"world_flags": ["hermes_ssh_hardened_correct", "priya_access_restored"],
|
||||
"follow_up_dialogue": "priya-Q007-complete-clean",
|
||||
"follow_up_dialogues": ["marcus-Q007-complete-clean"],
|
||||
"_note": "Best fix. Switches from AllowUsers (fragile, breaks with new users) to AllowGroups (durable, group membership handles access). Trust bump is higher because this is the approach that will scale."
|
||||
},
|
||||
{
|
||||
"id": "allowusers-expanded",
|
||||
"label": "Acceptable Fix — AllowUsers Expanded",
|
||||
"priority": 60,
|
||||
"validation": {
|
||||
"type": "and",
|
||||
"rules": [
|
||||
{ "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "priya" },
|
||||
{ "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "deploy-bot" },
|
||||
{ "type": "service_state", "vm": "web_server", "service": "sshd", "state": "active" }
|
||||
]
|
||||
},
|
||||
"trust_delta": 1,
|
||||
"world_flags": ["hermes_ssh_allowusers_fragile", "priya_access_restored"],
|
||||
"follow_up_dialogue": "priya-Q007-complete-fragile",
|
||||
"follow_up_dialogues": ["marcus-Q007-complete-fragile"],
|
||||
"_note": "Access is restored but using AllowUsers. Every future new user will need to be manually added. Marcus or Priya will note this later."
|
||||
},
|
||||
{
|
||||
"id": "hardening-removed",
|
||||
"label": "Regression — SSH Restriction Removed Entirely",
|
||||
"priority": 200,
|
||||
"validation": {
|
||||
"type": "and",
|
||||
"rules": [
|
||||
{ "type": "not", "rule": { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowUsers" } },
|
||||
{ "type": "not", "rule": { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowGroups" } },
|
||||
{ "type": "service_state", "vm": "web_server", "service": "sshd", "state": "active" }
|
||||
]
|
||||
},
|
||||
"trust_delta": -3,
|
||||
"world_flags": ["hermes_ssh_unrestricted", "priya_access_restored"],
|
||||
"follow_up_dialogue": "priya-Q007-complete-regression",
|
||||
"follow_up_dialogues": ["marcus-Q007-complete-regression"],
|
||||
"_note": "Player fixed access by removing all restrictions. Priya's access works but the hardening is gone. This is the worst valid outcome — Priya is back in but so is everyone else."
|
||||
}
|
||||
],
|
||||
"pressure_profile": "access_blocked_escalation",
|
||||
"blast_radius": [],
|
||||
"unlock_requirements": ["world_flag:player_ssh_configured"],
|
||||
"narrative_phase": "suspicion",
|
||||
"linux_concepts": ["sshd_config", "AllowGroups", "AllowUsers", "SSH access hardening"],
|
||||
"failure_conditions": ["Priya still locked out", "SSH restrictions removed entirely"],
|
||||
"behavior_impact": {
|
||||
"default": { "curiosity_delta": 1, "obedience_delta": 0, "risk_delta": 0, "suspicion_delta": 0 }
|
||||
},
|
||||
"hidden_hook": {
|
||||
"id": "q007_dale_ssh_key",
|
||||
"description": "An SSH key in hermes /root/.ssh/authorized_keys does not match any current staff. The fingerprint matches no documented key.",
|
||||
"discovery_method": "Player reads /root/.ssh/authorized_keys on hermes",
|
||||
"significance": "Dale had root SSH access to hermes that was never formally revoked."
|
||||
},
|
||||
"access_requirements": {
|
||||
"minimum_access": { "web_server": "sudo" },
|
||||
"requires_root": false,
|
||||
"temporary_grants_allowed": ["sudo:web_server:sshd"]
|
||||
},
|
||||
"tags": ["ssh", "security", "hardening", "sshd", "web_server"],
|
||||
"internal_notes": "This quest introduces Priya as a character and establishes that the player's fixes can have security implications, not just operational ones. The 'regression' branch should feel bad — Priya's grateful but Marcus or a later audit will surface it. The proper fix (AllowGroups) tests whether the player knows the difference between AllowUsers and AllowGroups. The sshd reload vs restart distinction matters here — a player who restarts sshd drops existing connections, which is more disruptive than reload."
|
||||
}
|
||||
Reference in New Issue
Block a user