From baf5d90770fc079aeaabbc62a863a36b7a2dfd4f Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Thu, 29 Jun 2017 11:29:17 +0100
Subject: [PATCH] Additional ssh stig tests
---
 tests/check-ssh.sh | 212 ++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 188 insertions(+), 24 deletions(-)
diff --git a/tests/check-ssh.sh b/tests/check-ssh.sh
index 7d7320da..699d943c 100644
--- a/tests/check-ssh.sh
+++ b/tests/check-ssh.sh
@@ -1,33 +1,197 @@
 #!/bin/bash
 case $1 in
- Protocol)
- if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -w "^Protocol" | awk '{print $2}')" -ne 2 ];then
- exit 1
- fi
+ Protocol)
+ if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -w "^Protocol" | awk '{print $2}')" -ne 2 ];then
+ exit 1
+ fi
 ;;
- rhosts)
- if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i IgnoreRhosts | awk '{print $2}')" != "yes" ];then
- exit 1
- fi
+ rhosts)
+ if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i IgnoreRhosts | awk '{print $2}')" != "yes" ];then
+ exit 1
+ fi
 ;;
- hostauth)
- if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i HostbasedAuthentication | awk '{print $2}')" != "no" ];then
- exit 1
- fi
+ hostauth)
+ if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i HostbasedAuthentication | awk '{print $2}')" != "no" ];then
+ exit 1
+ fi
 ;;
- permitroot)
- if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitRootLogin | awk '{print $2}')" != "no" ];then
- exit 1
- fi
+ permitroot)
+ if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitRootLogin | awk '{print $2}')" != "no" ];then
+ exit 1
+ fi
 ;;
- emptypassword)
- if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
- exit 1
- fi
+ emptypassword)
+ if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
+ exit 1
+ fi
 ;;
- emptypasswordenvironment)
- if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
- exit 1
- fi
+ emptypasswordenvironment)
+ if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
+ exit 1
+ fi
+ ;;
+ ciphers)
+ if grep -i "Ciphers.*aes128-ctr\|Ciphers.*aes256-ctr\|Ciphers.*aes192-ctr" /etc/ssh/sshd_config;then
+ :
+ else
+ exit 1
+ fi
+ ;;
+ banner)
+ if grep -i banner /etc/ssh/sshd_config | grep -v "^#";then
+ :
+ else
+ exit 1
+ fi
+ ;;
+ sshd_status)
+ if systemctl status sshd | grep "Active:.*(running)";then
+ :
+ else
+ exit 1
+ fi
+ ;;
+ ClientAliveInterval)
+ if grep ClientAliveInterval /etc/ssh/sshd_config | grep -v "^#";then
+ INTERVAL=`grep ClientAliveInterval /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ ${INTERVAL} -lt 60 ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ RhostsRSAAuthentication)
+ if grep RhostsRSAAuthentication /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep RhostsRSAAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" == "no" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ ClientAliveCountMax)
+ if grep ClientAliveCountMax /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep ClientAliveCountMax /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ ${SETVALUE} -gt 3 ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ IgnoreRhosts)
+ if grep IgnoreRhosts /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep IgnoreRhosts /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" == "no" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ PrintLastLog)
+ if grep PrintLastLog /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep PrintLastLog /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" != "yes" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ IgnoreUserKnownHosts)
+ if grep IgnoreUserKnownHosts /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep IgnoreUserKnownHosts /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" != "yes" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ macs)
+ if grep -i "MACs.*hmac-sha2-256\|MACs.*hmac-sha2-512" /etc/ssh/sshd_config;then
+ :
+ else
+ exit 1
+ fi
+ ;;
+ pubkeypermissive)
+ COUNT=`find /etc/ssh/ -type f -name "*.pub" -perm /133 -exec ls -l {} \; | wc -l`
+ if [ ${COUNT} -eq 0 ];then
+ :
+ else
+ exit 1
+ fi
+ ;;
+ hostkeypermissive)
+ COUNT=`find /etc/ssh/ -type f -name "*ssh_host*key" -perm /177 -exec ls -l {} \; | wc -l`
+ if [ ${COUNT} -eq 0 ];then
+ :
+ else
+ exit 1
+ fi
+ ;;
+ GSSAPIAuthentication)
+ if grep GSSAPIAuthentication /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep GSSAPIAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" != "no" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ KerberosAuthentication)
+ if grep KerberosAuthentication /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep KerberosAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" != "no" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ StrictModes)
+ if grep StrictModes /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep StrictModes /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" != "yes" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ UsePrivilegeSeparation)
+ if grep UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" != "yes" -a "${SETVALUE}" != "sandbox" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ Compression)
+ if grep Compression /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep Compression /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" != "no" -a "${SETVALUE}" != "delayed" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
+ ;;
+ X11Forwarding)
+ if grep X11Forwarding /etc/ssh/sshd_config | grep -v "^#";then
+ SETVALUE=`grep X11Forwarding /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+ if [ "${SETVALUE}" != "no" ];then
+ exit 1
+ fi
+ else
+ exit 1
+ fi
 ;;
 esac
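Review bot: The `ciphers` and `macs` arms grep sshd_config without excluding comments, so the stock commented-out `#Ciphers aes128-ctr,...` line makes the check pass, and the other new arms' `grep -v "^#"` still admits indented comments and substring matches, unlike the sed prefilter the earlier arms use. For a compliance test it is safer to query the effective configuration, e.g. `if sshd -T 2>/dev/null | grep -qiE '^ciphers .*aes(128|192|256)-ctr'; then`, or at least to reuse the sed prefilter and anchor on `^[[:space:]]*Ciphers[[:space:]]`. Separately, the `RhostsRSAAuthentication` arm exits 1 when the value is `no`, which looks inverted next to the sibling deny-style arms (HostbasedAuthentication, GSSAPIAuthentication, KerberosAuthentication all fail on anything but `no`); presumably it should read `if [ "${SETVALUE}" != "no" ];then`. Note also that `awk '{printf $2}'` over several matching lines concatenates the values (e.g. `nono`, or `300300` for ClientAliveInterval) while sshd honours only the first occurrence, so a `grep -m1` or `sshd -T` lookup would give the value sshd actually uses.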