Merge pull request #105 from kboratynski/features/ssh_refactor

Implementation of several SSH related configuration items.
Michael Boelen 2015-12-08 18:49:58 +01:00
commit 494ba68a6b
1 changed files with 103 additions and 36 deletions


@ -87,28 +87,48 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking specific defined options in ${SSH_DAEMON_CONFIG}" logtext "Test: Checking specific defined options in ${SSH_DAEMON_CONFIG}"
## SSHOPTIONS scheme: ## SSHOPTIONS scheme:
## <OptionName>:<ExpectedValue>,<MediumScoreValue>,<WeakValue> ## <OptionName>:<ExpectedValue>,<MediumScoreValue>,<WeakValue>:<TestType>
##
## Test types:
## (a) '=' -- equal to is better,
## (b) '<' -- less or equal is better,
## (c) '>' -- more or equal is better,
## (d) '!' -- not equal is better.
##
## Example: ## Example:
## PermitRootLogin:NO,WITHOUT-PASSWORD,YES ## PermitRootLogin:NO,WITHOUT-PASSWORD,YES,:=
SSHOPS="Compression:NO,DELAYED,YES,\ SSHOPS="Compression:NO,DELAYED,YES:=\
FingerprintHash:SHA256,MD5,,\ FingerprintHash:SHA256,MD5,:=\
IgnoreRhosts:YES,,NO,\ IgnoreRhosts:YES,,NO:=\
LogLevel:VERBOSE,INFO,,\ LogLevel:VERBOSE,INFO,:=\
PermitRootLogin:NO,WITHOUT-PASSWORD,YES,\ PermitRootLogin:NO,WITHOUT-PASSWORD,YES:=\
PrintLastLog:YES,,NO,\ PrintLastLog:YES,,NO:=\
Protocol:2,,1,\ Protocol:2,,1:=\
StrictModes:YES,,NO,\ StrictModes:YES,,NO:=\
TCPKeepAlive:YES,,NO,\ TCPKeepAlive:YES,,NO:=\
UseDNS:YES,,NO,\ UseDNS:YES,,NO:=\
UsePrivilegeSeparation:SANDBOX,YES,NO,\ UsePrivilegeSeparation:SANDBOX,YES,NO:=\
VerifyReverseMapping:YES,,NO,\ VerifyReverseMapping:YES,,NO:=\
X11Forwarding:NO,,YES," X11Forwarding:NO,,YES:=\
MaxAuthTries:1,3,6:<\
ClientAliveCountMax:2,4,16:<\
ClientAliveInterval:300,600,900:<\
Port:,,22:!\
LoginGraceTime:120,240,480:<\
MaxStartups:4,8,16:<\
MaxSessions:2,4,8:<
PermitUserEnvironment:NO,,YES:=\
GatewayPorts:NO,,YES:=\
PermitTunnel:NO,,YES:=\
AllowTcpForwarding:NO,LOCAL,YES:="
for I in ${SSHOPS}; do for I in ${SSHOPS}; do
OPTIONNAME=`echo ${I} | cut -d ':' -f1` OPTIONNAME=`echo ${I} | cut -d ':' -f1`
EXPECTEDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f1` EXPECTEDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f1`
MEDIUMSCOREDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f2` MEDIUMSCOREDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f2`
WEAKVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f3` WEAKVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f3`
TESTTYPE=`echo ${I} | cut -d ':' -f3`
RESULT="NONE"
FOUNDVALUE=`awk -v OPT="${OPTIONNAME}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_CONFIG}` FOUNDVALUE=`awk -v OPT="${OPTIONNAME}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_CONFIG}`
logtext "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_CONFIG}" logtext "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_CONFIG}"
@ -116,32 +136,79 @@
logtext "Result: Option ${OPTIONNAME} found in ${SSH_DAEMON_CONFIG}" logtext "Result: Option ${OPTIONNAME} found in ${SSH_DAEMON_CONFIG}"
logtext "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}" logtext "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
if [ "${TESTTYPE}" = "=" ]; then
if [ "${FOUNDVALUE}" = "${EXPECTEDVALUE}" ]; then if [ "${FOUNDVALUE}" = "${EXPECTEDVALUE}" ]; then
RESULT="GOOD"
elif [ "${FOUNDVALUE}" = "${MEDIUMSCOREDVALUE}" ]; then
RESULT="MIDSCORED"
elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
RESULT="WEAK"
else
RESULT="UNKNOWN"
fi
elif [ "${TESTTYPE}" = "<" ]; then
if [ "${FOUNDVALUE}" -ge "${WEAKVALUE}" ]; then
RESULT="WEAK"
elif [ "${FOUNDVALUE}" -ge "${MEDIUMSCOREDVALUE}" -o "${FOUNDVALUE}" -le "${MEDIUMSCOREDVALUE}" ]; then
RESULT="MIDSCORED"
elif [ "${FOUNDVALUE}" -le "${EXPECTEDVALUE}" ]; then
RESULT="GOOD"
else
RESULT="UNKNOWN"
fi
elif [ "${TESTTYPE}" = ">" ]; then
if [ "${FOUNDVALUE}" -le "${WEAKVALUE}" ]; then
RESULT="WEAK"
elif [ "${FOUNDVALUE}" -le "${WEAKVALUE}" -a "${FOUNDVALUE}" -ge "${MEDIUMSCOREDVALUE}" ]; then
RESULT="MIDSCORED"
elif [ "${FOUNDVALUE}" -ge "${EXPECTEDVALUE}" ]; then
RESULT="GOOD"
else
RESULT="UNKNOWN"
fi
elif [ "${TESTTYPE}" = "!" ]; then
if [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
RESULT="WEAK"
elif [ ! "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
RESULT="GOOD"
else
RESULT="UNKNOWN"
fi
else
RESULT="NONE"
fi
fi
if [ "${RESULT}" = "GOOD" ]; then
logtext "Result: SSH option ${OPTIONNAME} is configured very well" logtext "Result: SSH option ${OPTIONNAME} is configured very well"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN
AddHP 3 3 AddHP 3 3
elif [ "${FOUNDVALUE}" = "${MEDIUMSCOREDVALUE}" ]; then elif [ "${RESULT}" = "MIDSCORED" ]; then
logtext "Result: SSH option ${OPTIONNAME} is configured reasonably" logtext "Result: SSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion ${TEST_NO} "Consider hardening of SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportSuggestion ${TEST_NO} "Consider hardening of SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW
AddHP 1 3 AddHP 1 3
elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then elif [ "${RESULT}" = "WEAK" ]; then
logtext "Result: SSH option ${OPTIONNAME} is in a weak configuruation state and should be fixed" logtext "Result: SSH option ${OPTIONNAME} is in a weak configuruation state and should be fixed"
#ReportWarning ${TEST_NO} "M" "Unsafe configured SSH option: ${OPTIONNAME}" #ReportWarning ${TEST_NO} "M" "Unsafe configured SSH option: ${OPTIONNAME}"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result WARNING --color RED Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result WARNING --color RED
AddHP 0 3 AddHP 0 3
else elif [ "${RESULT}" = "UNKNOWN" ]; then
logtext "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)" logtext "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
#ReportException "SSH-7408:01" "Unknown SSH option" #ReportException "SSH-7408:01" "Unknown SSH option"
report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|" report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
fi
else else
logtext "Result: Option ${OPTIONNAME} not found in ${SSH_DAEMON_CONFIG}" logtext "Result: Option ${OPTIONNAME} not found in ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "NOT FOUND" --color WHITE
fi fi
done done
fi fi
# #
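Review bot: In the `<` branch the test `[ "${FOUNDVALUE}" -ge "${MEDIUMSCOREDVALUE}" -o "${FOUNDVALUE}" -le "${MEDIUMSCOREDVALUE}" ]` is true for every integer, so RESULT can never reach GOOD for any option tagged `:<` (MaxAuthTries through MaxSessions) and a hardened `MaxAuthTries 1` is scored MIDSCORED. The `>` branch has the mirror defect: `-le "${WEAKVALUE}"` was already rejected one line earlier, so its MIDSCORED arm is unreachable. Both branches should test the tightest threshold first, as in the rewrite below, which also scores values between the expected and weak thresholds as MIDSCORED (that matches what the original `-ge "${MEDIUMSCOREDVALUE}"` arm tried to do, but confirm); note the enclosing found-value `if` opens before this hunk. Separately, `[ -ge ]` on a non-integer FOUNDVALUE (MaxStartups is commonly written as `start:rate:full`) prints an "integer expression expected" error on stderr before the chain falls through to UNKNOWN, so a digits-only guard before the numeric comparisons is worth adding. In the first hunk, `MaxSessions:2,4,8:<` lacks the trailing `\` its neighbours have (it only works because the embedded newline is an IFS separator), and the scheme example `PermitRootLogin:NO,WITHOUT-PASSWORD,YES,:=` carries a stray comma that the real entries do not.
```shell
# … unchanged: '=' branch …
elif [ "${TESTTYPE}" = "<" ]; then
  case "${FOUNDVALUE}" in
    ''|*[!0-9]*) RESULT="UNKNOWN" ;;   # not an integer: -ge/-le below would error
    *)
      if [ "${FOUNDVALUE}" -ge "${WEAKVALUE}" ]; then
        RESULT="WEAK"
      elif [ "${FOUNDVALUE}" -le "${EXPECTEDVALUE}" ]; then
        RESULT="GOOD"
      else
        RESULT="MIDSCORED"   # above expected, below the weak threshold
      fi
      ;;
  esac
elif [ "${TESTTYPE}" = ">" ]; then
  case "${FOUNDVALUE}" in
    ''|*[!0-9]*) RESULT="UNKNOWN" ;;
    *)
      if [ "${FOUNDVALUE}" -le "${WEAKVALUE}" ]; then
        RESULT="WEAK"
      elif [ "${FOUNDVALUE}" -ge "${EXPECTEDVALUE}" ]; then
        RESULT="GOOD"
      else
        RESULT="MIDSCORED"   # below expected, above the weak threshold
      fi
      ;;
  esac
# … unchanged: '!' branch and result reporting …
```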