diff --git a/include/tests_ssh b/include/tests_ssh index 56ba096d..a7ee736a 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -87,26 +87,28 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking specific defined options in ${SSH_DAEMON_CONFIG}" ## SSHOPTIONS scheme: - ## :,, + ## :,, ## Example: ## PermitRootLogin:NO,WITHOUT-PASSWORD,YES - SSHOPS="Protocol:2,,1\ - PermitRootLogin:NO,WITHOUT-PASSWORD,YES\ - StrictModes:YES,,NO\ - VerifyReverseMapping:YES,,NO\ - IgnoreRhosts:YES,,NO\ - UseDNS:YES,,NO\ - X11Forwarding:NO,,YES\ - FingerprintHash:SHA256,MD5,\ - TCPKeepAlive:YES,,NO\ - Compression:NO,DELAYED,YES\ - PrintLastLog:YES,,NO" + SSHOPS="Compression:NO,DELAYED,YES,\ + FingerprintHash:SHA256,MD5,,\ + IgnoreRhosts:YES,,NO,\ + LogLevel:VERBOSE,INFO,,\ + PermitRootLogin:NO,WITHOUT-PASSWORD,YES,\ + PrintLastLog:YES,,NO,\ + Protocol:2,,1,\ + StrictModes:YES,,NO,\ + TCPKeepAlive:YES,,NO,\ + UseDNS:YES,,NO,\ + UsePrivilegeSeparation:SANDBOX,YES,NO,\ + VerifyReverseMapping:YES,,NO,\ + X11Forwarding:NO,,YES," for I in ${SSHOPS}; do OPTIONNAME=`echo ${I} | cut -d ':' -f1` EXPECTEDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f1` MEDIUMSCOREDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f2` - WRONGVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f3` + WEAKVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f3` FOUNDVALUE=`awk -v OPT="${OPTIONNAME}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_CONFIG}` logtext "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_CONFIG}" 
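Review bot: The new `LogLevel:VERBOSE,INFO,,` entry leaves the weak field empty, so the sshd levels that log less than INFO (`QUIET`, `FATAL`, `ERROR`) match none of the three fields and are never scored as weak. Judging by the second hunk, such values fall into the final `else` branch and are shown as "unknown (not defined)" with no `AddHP` call, so a daemon with authentication logging turned down gets a neutral result. Each field holds a single value, so the table cannot express this today. At minimum the scheme comment should say so, e.g. `## Values matching none of the three fields are logged as unknown and not scored`. The `for` loop body continues outside this hunk.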
@@ -119,20 +121,21 @@ Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN AddHP 3 3 elif [ "${FOUNDVALUE}" = "${MEDIUMSCOREDVALUE}" ]; then - logtext "Result: SSH option ${OPTIONNAME} is configured totally wrong" - ReportSuggestion ${TEST_NO} "Consider hardening of SSH configuration" "${OPTIONNAME}" "-" + logtext "Result: SSH option ${OPTIONNAME} is configured reasonably" + ReportSuggestion ${TEST_NO} "Consider hardening of SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW AddHP 1 3 - elif [ "${FOUNDVALUE}" = "${WRONGVALUE}" ]; then - logtext "Result: SSH option ${OPTIONNAME} is configured totally wrong" + elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then + logtext "Result: SSH option ${OPTIONNAME} is in a weak configuruation state and should be fixed" #ReportWarning ${TEST_NO} "M" "Unsafe configured SSH option: ${OPTIONNAME}" - ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME}" "-" + ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result WARNING --color RED AddHP 0 3 else logtext "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)" Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE #ReportException "SSH-7408:01" "Unknown SSH option" + report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|" fi else
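Review bot: The added `report` line in the final `else` branch expands `$SSH_DAEMON_CONFIG}` without its opening brace, so every `unknown_config_option[]` record carries a stray `}` after the config path. It should read `report "unknown_config_option[]=ssh|${SSH_DAEMON_CONFIG}|${OPTIONNAME}|"`. A consumer that splits the report line on `|` would otherwise see a path ending in `}`. The new log message in the `WEAKVALUE` branch also misspells "configuration" as `configuruation`, which makes the entry easy to miss when searching the log. The surrounding `if`/`else` chain starts before this hunk and appears to continue past it.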