Additional ssh stig tests

2017-06-29 11:29:17 +01:00 · 2017-06-29 11:29:17 +01:00 · baf5d90770
parent cab5ffcefd
commit baf5d90770
1 changed files with 188 additions and 24 deletions
--- a/tests/check-ssh.sh
+++ b/tests/check-ssh.sh
@ -30,4 +30,168 @@ case $1 in
            exit 1
        fi
        ;;
    ciphers)
        if grep -i "Ciphers.*aes128-ctr\|Ciphers.*aes256-ctr\|Ciphers.*aes192-ctr" /etc/ssh/sshd_config;then
            :
        else
            exit 1
        fi
        ;;
    banner)
        if grep -i banner /etc/ssh/sshd_config | grep -v "^#";then
            :
        else
            exit 1
        fi
        ;;
    sshd_status)
        if systemctl status sshd | grep "Active:.*(running)";then
            :
        else
            exit 1
        fi
        ;;
    ClientAliveInterval)
        if grep ClientAliveInterval /etc/ssh/sshd_config | grep -v "^#";then
            INTERVAL=`grep ClientAliveInterval /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ ${INTERVAL} -lt 60 ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    RhostsRSAAuthentication)
        if grep RhostsRSAAuthentication /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep RhostsRSAAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" == "no" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    ClientAliveCountMax)
        if grep ClientAliveCountMax /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep ClientAliveCountMax /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ ${SETVALUE} -gt 3 ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    IgnoreRhosts)
        if grep IgnoreRhosts /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep IgnoreRhosts /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" == "no" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    PrintLastLog)
        if grep PrintLastLog /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep PrintLastLog /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" != "yes" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    IgnoreUserKnownHosts)
        if grep IgnoreUserKnownHosts /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep IgnoreUserKnownHosts /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" != "yes" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    macs)
        if grep -i "MACs.*hmac-sha2-256\|MACs.*hmac-sha2-512"  /etc/ssh/sshd_config;then
            :
        else
            exit 1
        fi
        ;;
    pubkeypermissive)
        COUNT=`find /etc/ssh/ -type f -name "*.pub" -perm  /133  -exec ls -l {} \; | wc -l`
        if [ ${COUNT} -eq 0 ];then
            :
        else
            exit 1
        fi
        ;;
    hostkeypermissive)
        COUNT=`find /etc/ssh/ -type f -name "*ssh_host*key" -perm  /177  -exec ls -l {} \; | wc -l`
        if [ ${COUNT} -eq 0 ];then
            :
        else
            exit 1
        fi
        ;;
    GSSAPIAuthentication)
        if grep GSSAPIAuthentication /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep GSSAPIAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" != "no" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    KerberosAuthentication)
        if grep KerberosAuthentication /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep KerberosAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" != "no" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    StrictModes)
        if grep StrictModes /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep StrictModes /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" != "yes" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    UsePrivilegeSeparation)
        if grep UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" != "yes" -a "${SETVALUE}" != "sandbox" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    Compression)
        if grep Compression /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep Compression /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" != "no" -a "${SETVALUE}" != "delayed" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
    X11Forwarding)
        if grep X11Forwarding /etc/ssh/sshd_config | grep -v "^#";then
            SETVALUE=`grep X11Forwarding /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
            if [ "${SETVALUE}" != "no" ];then
                exit 1
            fi
        else
            exit 1
        fi
        ;;
 esac