From 013886ec1660395bc828cd9bb6619c95d014ce5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sat, 5 Dec 2015 20:37:47 +0100
Subject: [PATCH 01/15] Refactorized [SSH-7408]. First step for differents types of tests.
---
 include/tests_ssh | 92 +++++++++++++++++++++++++++++------------------
 1 file changed, 58 insertions(+), 34 deletions(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index a7ee736a..82a5d388 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -87,28 +87,37 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 logtext "Test: Checking specific defined options in ${SSH_DAEMON_CONFIG}"
 ## SSHOPTIONS scheme:
- ## :,,
+ ## :,,:
+ ##
+ ## Test types:
+ ## (a) '=' -- equal to is better,
+ ## (b) '<' -- less or equal is better,
+ ## (c) '>' -- more or equal is better,
+ ## (d) '!' -- not equal is better.
+ ##
 ## Example:
- ## PermitRootLogin:NO,WITHOUT-PASSWORD,YES
- SSHOPS="Compression:NO,DELAYED,YES,\
- FingerprintHash:SHA256,MD5,,\
- IgnoreRhosts:YES,,NO,\
- LogLevel:VERBOSE,INFO,,\
- PermitRootLogin:NO,WITHOUT-PASSWORD,YES,\
- PrintLastLog:YES,,NO,\
- Protocol:2,,1,\
- StrictModes:YES,,NO,\
- TCPKeepAlive:YES,,NO,\
- UseDNS:YES,,NO,\
- UsePrivilegeSeparation:SANDBOX,YES,NO,\
- VerifyReverseMapping:YES,,NO,\
- X11Forwarding:NO,,YES,"
+ ## PermitRootLogin:NO,WITHOUT-PASSWORD,YES,:=
+ SSHOPS="Compression:NO,DELAYED,YES:=\
+ FingerprintHash:SHA256,MD5,:=\
+ IgnoreRhosts:YES,,NO:=\
+ LogLevel:VERBOSE,INFO,:=\
+ PermitRootLogin:NO,WITHOUT-PASSWORD,YES:=\
+ PrintLastLog:YES,,NO:=\
+ Protocol:2,,1:=\
+ StrictModes:YES,,NO:=\
+ TCPKeepAlive:YES,,NO:=\
+ UseDNS:YES,,NO:=\
+ UsePrivilegeSeparation:SANDBOX,YES,NO:=\
+ VerifyReverseMapping:YES,,NO:=\
+ X11Forwarding:NO,,YES:="
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
 EXPECTEDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f1`
 MEDIUMSCOREDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f2`
 WEAKVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f3`
+ TESTTYPE=`echo ${I} | cut -d ':' -f3`
+ RESULT="NONE"
 FOUNDVALUE=`awk -v OPT="${OPTIONNAME}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_CONFIG}`
 logtext "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_CONFIG}"
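Review bot: The example added above the list does not match the entries it documents: `## PermitRootLogin:NO,WITHOUT-PASSWORD,YES,:=` carries a trailing comma before `:=`, while every real entry (`PermitRootLogin:NO,WITHOUT-PASSWORD,YES:=`) has none, so copying the example yields a fourth, empty value field; suggest `## PermitRootLogin:NO,WITHOUT-PASSWORD,YES:=`. The scheme line `## :,,:` shows only separators, which may be a rendering artefact of this page, but if the placeholder names really are absent from the source they should be spelled out so the four `cut` fields can be matched to it. The new `TESTTYPE=` line would benefit from a short comment tying it to the scheme, e.g. `# third ':' field: how FOUNDVALUE is compared (=, <, >, !)`. The `for I in ${SSHOPS}` loop separates entries only through the whitespace left after each `\` continuation, which is worth a comment since a dropped backslash silently changes the separator to a newline.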
@@ -116,32 +125,47 @@
 logtext "Result: Option ${OPTIONNAME} found in ${SSH_DAEMON_CONFIG}"
 logtext "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
- if [ "${FOUNDVALUE}" = "${EXPECTEDVALUE}" ]; then
- logtext "Result: SSH option ${OPTIONNAME} is configured very well"
- Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN
- AddHP 3 3
- elif [ "${FOUNDVALUE}" = "${MEDIUMSCOREDVALUE}" ]; then
- logtext "Result: SSH option ${OPTIONNAME} is configured reasonably"
- ReportSuggestion ${TEST_NO} "Consider hardening of SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
- Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW
- AddHP 1 3
- elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
- logtext "Result: SSH option ${OPTIONNAME} is in a weak configuruation state and should be fixed"
- #ReportWarning ${TEST_NO} "M" "Unsafe configured SSH option: ${OPTIONNAME}"
- ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
- Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result WARNING --color RED
- AddHP 0 3
+ if [ "${TESTTYPE}" = "=" ]; then
+ if [ "${FOUNDVALUE}" = "${EXPECTEDVALUE}" ]; then
+ RESULT="GOOD"
+ elif [ "${FOUNDVALUE}" = "${MEDIUMSCOREDVALUE}" ]; then
+ RESULT="MIDSCORED"
+ elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
+ RESULT="WEAK"
+ else
+ RESULT="UNKNOWN"
+ fi
 else
- logtext "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
- Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
- #ReportException "SSH-7408:01" "Unknown SSH option"
- report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
+ RESULT="NONE"
 fi
+ fi
+
+ if [ "${RESULT}" = "GOOD" ]; then
+ logtext "Result: SSH option ${OPTIONNAME} is configured very well"
+ Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN
+ AddHP 3 3
+ elif [ "${RESULT}" = "MIDSCORED" ]; then
+ logtext "Result: SSH option ${OPTIONNAME} is configured reasonably"
+ ReportSuggestion ${TEST_NO} "Consider hardening of SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
+ Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW
+ AddHP 1 3
+ elif [ "${RESULT}" = "WEAK" ]; then
+ logtext "Result: SSH option ${OPTIONNAME} is in a weak configuruation state and should be fixed"
+ #ReportWarning ${TEST_NO} "M" "Unsafe configured SSH option: ${OPTIONNAME}"
+ ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
+ Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result WARNING --color RED
+ AddHP 0 3
+ elif [ "${RESULT}" = "UNKNOWN" ]; then
+ logtext "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
+ #ReportException "SSH-7408:01" "Unknown SSH option"
+ report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
 else
 logtext "Result: Option ${OPTIONNAME} not found in ${SSH_DAEMON_CONFIG}"
 Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "NOT FOUND" --color WHITE
 fi
+
 done
 fi
 #
From 9a306403274c02d95119574f54a1f5e0519345a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sat, 5 Dec 2015 20:52:26 +0100
Subject: [PATCH 02/15] [SSH-7408]: Implemented '<' test type.
---
 include/tests_ssh | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/include/tests_ssh b/include/tests_ssh
index 82a5d388..02e4a386 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
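Review bot: An entry whose `TESTTYPE` is not `=` falls into the new `else` with `RESULT="NONE"`, and the dispatch below then logs `Option ${OPTIONNAME} not found in ${SSH_DAEMON_CONFIG}` and displays NOT FOUND even though the option was found and parsed; an unsupported test type should be reported as such, e.g. `logtext "Result: unsupported test type '${TESTTYPE}' for ${OPTIONNAME}"` before the `RESULT="NONE"` assignment. The relocated `report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"` keeps a stray `}` after the bare `$SSH_DAEMON_CONFIG` expansion, so the report field ends in a literal brace; it should read `${SSH_DAEMON_CONFIG}`. The moved WEAK log line still says "configuruation", which could be corrected while the line is being touched. The found/not-found conditional that the first `else` belongs to begins above the hunk.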
@@ -135,6 +135,17 @@
 else
 RESULT="UNKNOWN"
 fi
+
+ elif [ "${TESTTYPE}" = "<" ]; then
+ if [ "${FOUNDVALUE}" -ge "${WEAKVALUE}" ]; then
+ RESULT="WEAK"
+ elif [ "${FOUNDVALUE}" -ge "${MEDIUMSCOREDVALUE}" -o "${FOUNDVALUE}" -le "${MEDIUMSCOREDVALUE}" ]; then
+ RESULT="MIDSCORED"
+ elif [ "${FOUNDVALUE}" -le "${EXPECTEDVALUE}" ]; then
+ RESULT="GOOD"
+ else
+ RESULT="UNKNOWN"
+ fi
 else
 RESULT="NONE"
 fi
From 2e37c176754515a47e13494e3e0a438ec8af243b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sat, 5 Dec 2015 21:14:24 +0100
Subject: [PATCH 03/15] [SSH-7408]: Implemented '>' test type.
---
 include/tests_ssh | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/include/tests_ssh b/include/tests_ssh
index 02e4a386..92198c6d 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -146,6 +146,17 @@
 else
 RESULT="UNKNOWN"
 fi
+
+ elif [ "${TESTTYPE}" = ">" ]; then
+ if [ "${FOUNDVALUE}" -le "${WEAKVALUE}" ]; then
+ RESULT="WEAK"
+ elif [ "${FOUNDVALUE}" -le "${WEAKVALUE}" -a "${FOUNDVALUE}" -ge "${MEDIUMSCOREDVALUE}" ]; then
+ RESULT="MIDSCORED"
+ elif [ "${FOUNDVALUE}" -ge "${EXPECTEDVALUE}" ]; then
+ RESULT="GOOD"
+ else
+ RESULT="UNKNOWN"
+ fi
 else
 RESULT="NONE"
 fi
From c252b9b3760bc1281be79744e11caf927ebf7d0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sat, 5 Dec 2015 21:16:17 +0100
Subject: [PATCH 04/15] Improved [SSH-7408] with 'MaxAuthTries'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index 92198c6d..ebacede9 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -109,7 +109,8 @@
 UseDNS:YES,,NO:=\
 UsePrivilegeSeparation:SANDBOX,YES,NO:=\
 VerifyReverseMapping:YES,,NO:=\
- X11Forwarding:NO,,YES:="
+ X11Forwarding:NO,,YES:=\
+ MaxAuthTries:1,3,6:<"
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
From 7bcf442a1ecb57c83a25abdcdce867f407c6b4c6 Mon Sep 17 00:00:00 2001
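Review bot: In the new `<` branch the MIDSCORED test `-ge "${MEDIUMSCOREDVALUE}" -o "${FOUNDVALUE}" -le "${MEDIUMSCOREDVALUE}"` is true for every integer, so any value below `WEAKVALUE` is rated MIDSCORED and the GOOD and UNKNOWN arms can never be reached. The `>` branch added in PATCH 03 has the mirror problem: its MIDSCORED condition repeats `-le "${WEAKVALUE}"`, which the first test already consumed, so values between the medium and expected thresholds fall through to UNKNOWN. Both branches also pass `FOUNDVALUE` straight to `-ge`/`-le`, and sshd accepts non-integer forms for some of the options later attached to these types (time suffixes such as `2m` for LoginGraceTime and ClientAliveInterval, `start:rate:full` for MaxStartups), which makes `[` print `integer expression expected` and skip the comparison. A numeric guard and the order weak, expected, else-middle fixes the `<` case; the `>` case is the same with the comparisons reversed.
```shell
elif [ "${TESTTYPE}" = "<" ]; then
  case "${FOUNDVALUE}" in
    ''|*[!0-9]*)
      # sshd allows time suffixes and a:b:c forms for some options; [ -ge ] would error on them
      RESULT="UNKNOWN"
      ;;
    *)
      if [ "${FOUNDVALUE}" -ge "${WEAKVALUE}" ]; then
        RESULT="WEAK"
      elif [ "${FOUNDVALUE}" -le "${EXPECTEDVALUE}" ]; then
        RESULT="GOOD"
      else
        RESULT="MIDSCORED"
      fi
      ;;
  esac
# … unchanged: '=' branch above, closing else / RESULT="NONE" / fi below …
```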
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sat, 5 Dec 2015 21:34:19 +0100
Subject: [PATCH 05/15] Improved [SSH-7408] with 'ClientAliveCountMax'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index ebacede9..13ae7e8f 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -110,7 +110,8 @@
 UsePrivilegeSeparation:SANDBOX,YES,NO:=\
 VerifyReverseMapping:YES,,NO:=\
 X11Forwarding:NO,,YES:=\
- MaxAuthTries:1,3,6:<"
+ MaxAuthTries:1,3,6:<\
+ ClientAliveCountMax:2,4,16:<"
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
From d191bed2d785b29786aac8489350fd6c652936c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sat, 5 Dec 2015 21:37:27 +0100
Subject: [PATCH 06/15] Improved [SSH-7408] with 'ClientAliveInterval'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index 13ae7e8f..290be929 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -111,7 +111,8 @@
 VerifyReverseMapping:YES,,NO:=\
 X11Forwarding:NO,,YES:=\
 MaxAuthTries:1,3,6:<\
- ClientAliveCountMax:2,4,16:<"
+ ClientAliveCountMax:2,4,16:<\
+ ClientAliveInterval:300,600,900:<"
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
From c394024769ce37f5d3bbba21426277eda9ad9a9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sat, 5 Dec 2015 21:45:40 +0100
Subject: [PATCH 07/15] [SSH-7408]: Implemented '!' test type.
---
 include/tests_ssh | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/include/tests_ssh b/include/tests_ssh
index 290be929..b36e82a1 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -160,6 +160,16 @@
 else
 RESULT="UNKNOWN"
 fi
+
+ elif [ "${TESTTYPE}" = "!" ]; then
+ if [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
+ RESULT="WEAK"
+ elif [ ! "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
+ RESULT="GOOD"
+ else
+ RESULT="UNKNOWN"
+ fi
+
 else
 RESULT="NONE"
 fi
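Review bot: `ClientAliveInterval:300,600,900:<` rates `ClientAliveInterval 0` as GOOD, because 0 satisfies `-le 300`, yet 0 is sshd's default and means the keep-alive probes are never sent, so the idle-session control this entry is meant to reward is switched off. The `<` comparison cannot express "zero is the worst value", so this option needs either a dedicated check or a comment recording the gap next to the entry, e.g. `# NOTE: ClientAliveInterval 0 (disabled) passes the '<' test as GOOD`.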
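Review bot: In the new `!` branch the `elif [ ! "${FOUNDVALUE}" = "${WEAKVALUE}" ]` condition is the exact negation of the `if` above it, so the trailing `else` / `RESULT="UNKNOWN"` arm is unreachable. The branch reads more clearly as `if [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then RESULT="WEAK"; else RESULT="GOOD"; fi`, and `!=` is the idiomatic form if the negated test is kept. With this type the first two value slots are ignored (PATCH 08 adds `Port:,,22:!`), which deserves a line in the scheme comment so a later entry does not fill them expecting an effect.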
From 96dfb5cf154d49d67f4aff41abef6efd67b9bb62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sat, 5 Dec 2015 21:46:44 +0100
Subject: [PATCH 08/15] Improved [SSH-7408] with 'Port'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index b36e82a1..024a0605 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -112,7 +112,8 @@
 X11Forwarding:NO,,YES:=\
 MaxAuthTries:1,3,6:<\
 ClientAliveCountMax:2,4,16:<\
- ClientAliveInterval:300,600,900:<"
+ ClientAliveInterval:300,600,900:<\
+ Port:,,22:!"
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
From 35b663cff986b34e657fc50d05c443ec4da44c20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sat, 5 Dec 2015 21:55:12 +0100
Subject: [PATCH 09/15] Improved [SSH-7408] with 'LoginGraceTime'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index 024a0605..94e851db 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -113,7 +113,8 @@
 MaxAuthTries:1,3,6:<\
 ClientAliveCountMax:2,4,16:<\
 ClientAliveInterval:300,600,900:<\
- Port:,,22:!"
+ Port:,,22:!\
+ LoginGraceTime:120,240,480:<"
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
From 47576a1bd02e52106143f2ccbfdf721c2744a240 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sun, 6 Dec 2015 01:46:35 +0100
Subject: [PATCH 10/15] Improved [SSH-7408] with 'MaxStartups'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index 94e851db..aca69bec 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -114,7 +114,8 @@
 ClientAliveCountMax:2,4,16:<\
 ClientAliveInterval:300,600,900:<\
 Port:,,22:!\
- LoginGraceTime:120,240,480:<"
+ LoginGraceTime:120,240,480:<\
+ MaxStartups:4,8,16:<"
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
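Review bot: `Port:,,22:!` rates any non-default port as GOOD and the default as WEAK, but moving sshd off port 22 mainly reduces scanner noise and does not change the authentication or protocol exposure the other entries in this list measure, so the WEAK rating with the generic hardening suggestion overstates it; a MIDSCORED rating or a distinct suggestion text would be more proportionate. A configuration that leaves `Port` commented out listens on 22 as well, but the awk lookup finds nothing and the loop reports NOT FOUND rather than WEAK, so the check only fires when the default is written out explicitly. sshd also permits several `Port` lines, in which case `FOUNDVALUE` holds more than one value and the whole-string compare in the `!` branch never equals `22`, rating a listener on 22 plus another port as GOOD.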
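Review bot: `MaxStartups:4,8,16:<` assumes a single integer, but sshd's documented form for this option is `start:rate:full` (default `10:30:100`), so on most hosts `FOUNDVALUE` is something like `10:30:100` and every `-ge`/`-le` test in the `<` branch fails with `integer expression expected`, leaving the option rated UNKNOWN with stderr noise. Either compare only the first field for this option, `${FOUNDVALUE%%:*}`, or give it a dedicated check; the plain `<` comparison cannot rate the three-field form.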
From 5487401abade0e5fffcc606c97f97f89cdf5b166 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sun, 6 Dec 2015 00:45:15 +0100
Subject: [PATCH 11/15] Improved [SSH-7408] with 'MaxSessions'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index aca69bec..9e0251c9 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -115,7 +115,8 @@
 ClientAliveInterval:300,600,900:<\
 Port:,,22:!\
 LoginGraceTime:120,240,480:<\
- MaxStartups:4,8,16:<"
+ MaxStartups:4,8,16:<\
+ MaxSessions:2,4,8:<"
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
From 3817ffd29983cf3688b2d11fa28d058264652205 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Sun, 6 Dec 2015 01:00:50 +0100
Subject: [PATCH 12/15] Improved [SSH-7408] with 'PermitUserEnvironment'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index 9e0251c9..dcf0c39b 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -116,7 +116,8 @@
 Port:,,22:!\
 LoginGraceTime:120,240,480:<\
 MaxStartups:4,8,16:<\
- MaxSessions:2,4,8:<"
+ MaxSessions:2,4,8:<
+ PermitUserEnvironment:NO,,YES:="
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
From 490fd6d5ecda9b79104705a132a618895356296a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Mon, 7 Dec 2015 07:13:10 +0100
Subject: [PATCH 13/15] Improved [SSH-7408] with 'GatewayPorts'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index dcf0c39b..f8259dda 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -117,7 +117,8 @@
 LoginGraceTime:120,240,480:<\
 MaxStartups:4,8,16:<\
 MaxSessions:2,4,8:<
- PermitUserEnvironment:NO,,YES:="
+ PermitUserEnvironment:NO,,YES:=\
+ GatewayPorts:NO,,YES:="
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
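Review bot: The rewritten line `MaxSessions:2,4,8:<` has lost its trailing `\`, so the double-quoted `SSHOPS` string now contains a literal newline between it and `PermitUserEnvironment:NO,,YES:=`. The loop still splits the entries correctly only because the default IFS includes newline, which makes this one entry depend on IFS in a way none of the others do; restore the continuation, `MaxSessions:2,4,8:<\`. PATCH 13, 14 and 15 carry the same line as context without correcting it.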
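Review bot: `GatewayPorts:NO,,YES:=` covers only two of the three values sshd accepts for this option; `clientspecified` also lets remote hosts reach forwarded ports (the client chooses the bind address), yet it lands in the UNKNOWN arm and is displayed as DEFAULT instead of being rated. The three-slot `=` scheme has the same gap in PATCH 14 (`PermitTunnel` also accepts `point-to-point` and `ethernet`, both of which enable tunnelling but score UNKNOWN) and PATCH 15 (`AllowTcpForwarding` also accepts `all`, a synonym of `yes`, and `remote`, both UNKNOWN here). Using the middle slot for the partial-enable values, `GatewayPorts:NO,CLIENTSPECIFIED,YES:=`, as `AllowTcpForwarding:NO,LOCAL,YES:=` already does for `local`, closes part of the gap; values that are synonyms of the weak setting need the `=` type to accept more than one weak value or a normalisation step before the comparison.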
From 785119824e678549ae5ac7733b3c2d50f99941f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Mon, 7 Dec 2015 07:15:03 +0100
Subject: [PATCH 14/15] Improved [SSH-7408] with 'PermitTunnel'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index f8259dda..29962923 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -118,7 +118,8 @@
 MaxStartups:4,8,16:<\
 MaxSessions:2,4,8:<
 PermitUserEnvironment:NO,,YES:=\
- GatewayPorts:NO,,YES:="
+ GatewayPorts:NO,,YES:=\
+ PermitTunnel:NO,,YES:="
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`
From 8c544846ab142d5f0dfe7d31f84d10099d980cb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?=
Date: Mon, 7 Dec 2015 07:15:48 +0100
Subject: [PATCH 15/15] Improved [SSH-7408] with 'AllowTcpForwarding'.
---
 include/tests_ssh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index 29962923..da53b0b5 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -119,7 +119,8 @@
 MaxSessions:2,4,8:<
 PermitUserEnvironment:NO,,YES:=\
 GatewayPorts:NO,,YES:=\
- PermitTunnel:NO,,YES:="
+ PermitTunnel:NO,,YES:=\
+ AllowTcpForwarding:NO,LOCAL,YES:="
 for I in ${SSHOPS}; do
 OPTIONNAME=`echo ${I} | cut -d ':' -f1`