Added SSH-7406 to detect OpenSSH version + condition based checking in SSH-7408

db/tests.db

@@ -354,6 +354,7 @@ SQD-3630:test:security:squid::Check Squid reply_body_max_size option:
 SQD-3680:test:security:squid::Check Squid version suppression:
 SSH-7402:test:security:ssh::Check for running SSH daemon:
 SSH-7404:test:security:ssh::Check SSH daemon file location:
+SSH-7406:test:security:ssh::Detection of OpenSSH server version:
 SSH-7408:test:security:ssh::Check SSH specific defined options:
 SSH-7440:test:security:ssh::AllowUsers and AllowGroups:
 STRG-1840:test:security:storage:Linux:Check if USB storage is disabled:

include/tests_ssh

@@ -27,6 +27,9 @@
     SSH_DAEMON_PORT=""
     SSH_DAEMON_RUNNING=0
     SSH_DAEMON_OPTIONS_FILE=""
+    OPENSSHD_VERSION=0
+    OPENSSHD_VERSION_MAJOR=0
+    OPENSSHD_VERSION_MINOR=0
 #
 #################################################################################
 #
@@ -89,6 +92,23 @@
     fi
 #
 #################################################################################
+#
+    # Test        : SSH-7406
+    # Description : Check OpenSSH version
+    if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determine OpenSSH version"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        OPENSSHD_VERSION=$(sshd -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d ',')
+        LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
+        if [ ! -z ${OPENSSHD_VERSION} ]; then
+            OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $1}')
+            LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
+            OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $2}')
+            LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}"
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : SSH-7408
     # Description : Check SSH specific defined options
@@ -124,20 +144,30 @@
                 PermitTunnel:NO,,YES:=\
                 Port:,,22:!\
                 PrintLastLog:YES,,NO:=\
-                Protocol:2,,1:=\
                 StrictModes:YES,,NO:=\
                 TCPKeepAlive:NO,,YES:=\
                 UseDNS:NO,,YES:=\
-                UsePrivilegeSeparation:SANDBOX,YES,NO:=\
                 VerifyReverseMapping:YES,,NO:=\
                 X11Forwarding:NO,,YES:=\
                 AllowAgentForwarding:NO,,YES:="
 
-        # Notes
+
-        # =========================================================
+        # OpenSSH had some options removed over time. Based on the version we add some additional options to check
-        # UsePrivilegeSeparation - removed since OpenSSH 7.5
+        if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then
-        #
+            LogText "Result: added additional options for OpenSSH 6.x and lower"
-        # Disabled        MaxStartups:4,8,16:<\ (needs fixing)
+            SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:=  Protocol:2,,1:="
+        elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then
+            # Protocol 1 support removed (OpenSSH 7.4 and later)
+            if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then
+                LogText "Result: added additional options for OpenSSH < 7.4"
+                SSHOPS="${SSHOPS} Protocol:2,,1:="
+            fi
+            # UsePrivilegedSeparation removed (OpenSSH 7.5 and later)
+            if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then
+                LogText "Result: added additional options for OpenSSH < 7.5"
+                SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:="
+            fi
+        fi
 
         # Go through our list of options
         for I in ${SSHOPS}; do