Do not use PrintLastLog for Archlinux

matclab · matclab · commit e34d35cf128e · 2025-08-12T15:44:11.000+02:00
Signed-off-by: matclab &lt;mathieu@clabaut.net&gt;
diff --git a/molecule/ssh_hardening/verify.yml b/molecule/ssh_hardening/verify.yml
@@ -10,9 +10,11 @@
       ansible.builtin.command: >
         docker run
         --volume /run/docker.sock:/run/docker.sock
+        --volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') }}.yaml:/waivers.yaml
         docker.io/cincproject/auditor exec
         -t docker://instance
         --no-show-progress --no-color
+        --waiver-file /waivers.yaml
         --no-distinct-exit https://github.com/dev-sec/ssh-baseline/archive/refs/heads/master.zip
       register: test_results
       changed_when: false
diff --git a/molecule/ssh_hardening/waivers_arch.yaml b/molecule/ssh_hardening/waivers_arch.yaml
@@ -0,0 +1,3 @@
+sshd-45:
+  run: false
+  justification: "PrintLastLog is unsupported on ArchLinux. 
diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2
@@ -253,7 +253,7 @@ UseDNS {{ 'yes' if (ssh_use_dns|bool) else 'no' }}
 
 PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
 
-{% if ansible_facts.os_family != 'FreeBSD' %}
+{% if ansible_facts.os_family not in ('FreeBSD','Archlinux') %}
 PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
 {% endif %}
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+sshd-45:`
	`2`	`+ run: false`
	`3`	`+ justification: "PrintLastLog is unsupported on ArchLinux.`