{ "id": "Q007", "title": "Security Theater", "tier": 2, "primary_vm": "web_server", "required_vms": ["workstation", "web_server"], "ticket_id": "T007", "baseline_snapshot": "baseline.post-q004", "summary": "Someone ran a hardening script on hermes that set AllowUsers in sshd_config to only allow a single user: deploy-bot. Now the web-admin group cannot SSH in. Priya filed the ticket after her access was blocked mid-incident response. The AllowUsers directive is correct in intent (locking down SSH) but was applied too aggressively — it needs to include the web-admin group or the relevant users. The player must fix sshd_config and reload sshd without breaking service continuity: validate the edited file with 'sshd -t' before reloading, because a reload or restart on a config with a syntax error can leave no sshd listening at all, which is a worse lockout than the one in the ticket. Complication: the player must not lock themselves out during the fix (keep the current session open until a fresh login has been confirmed), and they must validate that the specific users Priya listed can still SSH — a real login from the workstation is the test, not the contents of the file. Note that sshd enforces every Allow/Deny directive that is set, so adding 'AllowGroups web-admin' while leaving 'AllowUsers deploy-bot' in place still denies priya.", "clue_fingerprint": { "description": "SSH connection attempts from web-admin accounts fail with 'Permission denied' — the client never sees the real reason, which is only recorded server-side in /var/log/auth.log as 'User priya from <addr> not allowed because not listed in AllowUsers'. sshd_config contains 'AllowUsers deploy-bot' with no other entries. /etc/group shows web-admin group members. 
The hardening script is in /opt/security/harden-ssh.sh and its log shows it ran last night.", "evidence": [ { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowUsers deploy-bot" }, { "type": "log_contains", "vm": "web_server", "path": "/var/log/auth.log", "contains": "User priya from" }, { "type": "file_exists", "vm": "web_server", "path": "/opt/security/harden-ssh.sh" } ] }, "objectives": [ { "id": "sshd-config-corrected", "description": "sshd_config allows the web-admin group or its members", "check_mode": "passive", "validation": { "type": "or", "rules": [ { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowGroups web-admin" }, { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "priya" } ] } }, { "id": "sshd-still-running", "description": "sshd remains active after config change", "check_mode": "passive", "validation": { "type": "service_state", "vm": "web_server", "service": "sshd", "state": "active" } }, { "id": "deploy-bot-still-allowed", "description": "deploy-bot access is preserved", "check_mode": "passive", "validation": { "type": "or", "rules": [ { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "deploy-bot" }, { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowGroups" } ] } } ], "solution_branches": [ { "id": "group-based-config", "label": "Proper Fix — Group-Based AllowGroups", "priority": 100, "validation": { "type": "and", "rules": [ { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowGroups web-admin" }, { "type": "service_state", "vm": "web_server", "service": "sshd", "state": "active" }, { "type": "not", "rule": { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowUsers" } } ] }, "trust_delta": 4, "world_flags": ["hermes_ssh_hardened_correct", 
"priya_access_restored"], "follow_up_dialogue": "priya-Q007-complete-clean", "follow_up_dialogues": ["marcus-Q007-complete-clean"], "_note": "Best fix. Switches from AllowUsers (fragile, breaks with new users) to AllowGroups (durable, group membership handles access). Trust bump is higher because this is the approach that will scale. The validation deliberately requires AllowUsers to be absent: sshd evaluates DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order and a login must pass every directive that is set, so a leftover 'AllowUsers deploy-bot' would still deny priya even with 'AllowGroups web-admin' present. Caveat: this branch does not check that deploy-bot is a member of web-admin (or of a second group named on the AllowGroups line); if it is not, the 'proper' fix silently breaks the deploy account — a file_contains match on 'AllowGroups' is not evidence that deploy-bot can still log in." }, { "id": "allowusers-expanded", "label": "Acceptable Fix — AllowUsers Expanded", "priority": 60, "validation": { "type": "and", "rules": [ { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "priya" }, { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "deploy-bot" }, { "type": "service_state", "vm": "web_server", "service": "sshd", "state": "active" } ] }, "trust_delta": 1, "world_flags": ["hermes_ssh_allowusers_fragile", "priya_access_restored"], "follow_up_dialogue": "priya-Q007-complete-fragile", "follow_up_dialogues": ["marcus-Q007-complete-fragile"], "_note": "Access is restored but using AllowUsers. Every future new user will need to be manually added. Marcus or Priya will note this later. The validation only checks that the strings 'priya' and 'deploy-bot' appear somewhere in sshd_config; if file_contains is a plain substring match it would also pass with priya on a commented-out line, so treat a successful login from the workstation (and the absence of a new 'not allowed because not listed in AllowUsers' entry in auth.log), not the file contents, as the ground truth." }, { "id": "hardening-removed", "label": "Regression — SSH Restriction Removed Entirely", "priority": 200, "validation": { "type": "and", "rules": [ { "type": "not", "rule": { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowUsers" } }, { "type": "not", "rule": { "type": "file_contains", "vm": "web_server", "path": "/etc/ssh/sshd_config", "contains": "AllowGroups" } }, { "type": "service_state", "vm": "web_server", "service": "sshd", "state": "active" } ] }, "trust_delta": -3, "world_flags": ["hermes_ssh_unrestricted", "priya_access_restored"], "follow_up_dialogue": "priya-Q007-complete-regression", "follow_up_dialogues": ["marcus-Q007-complete-regression"], "_note": "Player fixed access by removing all restrictions. Priya's access works but the hardening is gone. 
This is the worst valid outcome — Priya is back in but so is everyone else, including whoever holds the undocumented key in /root/.ssh/authorized_keys (the hidden hook): AllowUsers and AllowGroups gate every account, root included, so the over-aggressive hardening had incidentally been blocking that key, and this branch silently re-enables it (subject to whatever PermitRootLogin is set to)." } ], "pressure_profile": "access_blocked_escalation", "blast_radius": [], "unlock_requirements": ["world_flag:player_ssh_configured"], "narrative_phase": "suspicion", "linux_concepts": ["sshd_config", "AllowGroups", "AllowUsers", "SSH access hardening"], "failure_conditions": ["Priya still locked out", "SSH restrictions removed entirely"], "behavior_impact": { "default": { "curiosity_delta": 1, "obedience_delta": 0, "risk_delta": 0, "suspicion_delta": 0 } }, "hidden_hook": { "id": "q007_dale_ssh_key", "description": "An SSH key in hermes /root/.ssh/authorized_keys does not match any current staff. The fingerprint matches no documented key ('ssh-keygen -lf /root/.ssh/authorized_keys' lists the fingerprints for comparison against the key inventory). Note that this key is only usable while no AllowUsers/AllowGroups line excludes root, so which solution branch the player chose determines whether it is currently live.", "discovery_method": "Player reads /root/.ssh/authorized_keys on hermes", "significance": "Dale had root SSH access to hermes that was never formally revoked." }, "access_requirements": { "minimum_access": { "web_server": "sudo" }, "requires_root": false, "temporary_grants_allowed": ["sudo:web_server:sshd"] }, "tags": ["ssh", "security", "hardening", "sshd", "web_server"], "internal_notes": "This quest introduces Priya as a character and establishes that the player's fixes can have security implications, not just operational ones. The 'regression' branch should feel bad — Priya's grateful but Marcus or a later audit will surface it. The proper fix (AllowGroups) tests whether the player knows the difference between AllowUsers and AllowGroups, and that sshd applies both when both are present. The sshd reload vs restart distinction matters here, but phrase it carefully: whether a restart drops established sessions depends on the unit's KillMode (the stock ssh.service/sshd.service on most distributions set KillMode=process, under which forked per-session processes survive and only the listener is replaced). The safety steps that actually matter are running 'sshd -t' before either reload or restart — a config with a syntax error can leave no sshd listening at all — and keeping the current session open until a fresh login from the workstation has been confirmed. The passive objectives are substring checks on sshd_config and cannot by themselves prove that priya or deploy-bot can log in; the authoritative signal is a successful login plus the auth.log record." }