From baf5d90770fc079aeaabbc62a863a36b7a2dfd4f Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Thu, 29 Jun 2017 11:29:17 +0100
Subject: [PATCH] Additional ssh stig tests

---
 tests/check-ssh.sh | 222 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 193 insertions(+), 29 deletions(-)

diff --git a/tests/check-ssh.sh b/tests/check-ssh.sh
index 7d7320da0..699d943cc 100644
--- a/tests/check-ssh.sh
+++ b/tests/check-ssh.sh
@@ -1,33 +1,197 @@
 #!/bin/bash
 case $1 in
-        Protocol)
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -w "^Protocol" | awk '{print $2}')" -ne 2 ];then
-                        exit 1
-                fi
-        ;;
-        rhosts)
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i IgnoreRhosts | awk '{print $2}')" != "yes" ];then
-                        exit 1
-                fi
-        ;;
-        hostauth)
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i HostbasedAuthentication | awk '{print $2}')" != "no" ];then
-                        exit 1
-                fi
-        ;;
-        permitroot)
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitRootLogin | awk '{print $2}')" != "no" ];then
-                        exit 1
-                fi
-        ;;
-        emptypassword)
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
-                        exit 1
-                fi
-        ;;
-        emptypasswordenvironment)
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
-                        exit 1
-                fi
+    Protocol)
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -w "^Protocol" | awk '{print $2}')" -ne 2 ];then
+            exit 1
+        fi
+        ;;
+    rhosts)
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i IgnoreRhosts | awk '{print $2}')" != "yes" ];then
+            exit 1
+        fi
+        ;;
+    hostauth)
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i HostbasedAuthentication | awk '{print $2}')" != "no" ];then
+            exit 1
+        fi
+        ;;
+    permitroot)
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitRootLogin | awk '{print $2}')" != "no" ];then
+            exit 1
+        fi
+        ;;
+    emptypassword)
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
+            exit 1
+        fi
+        ;;
+    emptypasswordenvironment)
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
+            exit 1
+        fi
+        ;;
+    ciphers)
+        if grep -i "Ciphers.*aes128-ctr\|Ciphers.*aes256-ctr\|Ciphers.*aes192-ctr" /etc/ssh/sshd_config;then
+            :
+        else
+            exit 1
+        fi
+        ;;
+    banner)
+        if grep -i banner /etc/ssh/sshd_config | grep -v "^#";then
+            :
+        else
+            exit 1
+        fi
+        ;;
+    sshd_status)
+        if systemctl status sshd | grep "Active:.*(running)";then
+            :
+        else
+            exit 1
+        fi
+        ;;
+    ClientAliveInterval)
+        if grep ClientAliveInterval /etc/ssh/sshd_config | grep -v "^#";then
+            INTERVAL=`grep ClientAliveInterval /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ ${INTERVAL} -lt 60 ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    RhostsRSAAuthentication)
+        if grep RhostsRSAAuthentication /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep RhostsRSAAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" == "no" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    ClientAliveCountMax)
+        if grep ClientAliveCountMax /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep ClientAliveCountMax /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ ${SETVALUE} -gt 3 ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    IgnoreRhosts)
+        if grep IgnoreRhosts /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep IgnoreRhosts /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" == "no" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    PrintLastLog)
+        if grep PrintLastLog /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep PrintLastLog /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" != "yes" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    IgnoreUserKnownHosts)
+        if grep IgnoreUserKnownHosts /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep IgnoreUserKnownHosts /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" != "yes" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    macs)
+        if grep -i "MACs.*hmac-sha2-256\|MACs.*hmac-sha2-512"  /etc/ssh/sshd_config;then
+            :
+        else
+            exit 1
+        fi
+        ;;
+    pubkeypermissive)
+        COUNT=`find /etc/ssh/ -type f -name "*.pub" -perm  /133  -exec ls -l {} \; | wc -l`
+        if [ ${COUNT} -eq 0 ];then
+            :
+        else
+            exit 1
+        fi
+        ;;
+    hostkeypermissive)
+        COUNT=`find /etc/ssh/ -type f -name "*ssh_host*key" -perm  /177  -exec ls -l {} \; | wc -l`
+        if [ ${COUNT} -eq 0 ];then
+            :
+        else
+            exit 1
+        fi
+        ;;
+    GSSAPIAuthentication)
+        if grep GSSAPIAuthentication /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep GSSAPIAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" != "no" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    KerberosAuthentication)
+        if grep KerberosAuthentication /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep KerberosAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" != "no" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    StrictModes)
+        if grep StrictModes /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep StrictModes /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" != "yes" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    UsePrivilegeSeparation)
+        if grep UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" != "yes" -a "${SETVALUE}" != "sandbox" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    Compression)
+        if grep Compression /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep Compression /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" != "no" -a "${SETVALUE}" != "delayed" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
+        ;;
+    X11Forwarding)
+        if grep X11Forwarding /etc/ssh/sshd_config | grep -v "^#";then
+            SETVALUE=`grep X11Forwarding /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
+            if [ "${SETVALUE}" != "no" ];then
+                exit 1
+            fi
+        else
+            exit 1
+        fi
         ;;
 esac
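Review bot: The RhostsRSAAuthentication arm's test `if [ "${SETVALUE}" == "no" ];then` exits 1 exactly when the directive holds the hardened value, so a correctly configured sshd_config fails this check; it should read `if [ "${SETVALUE}" != "no" ];then`, matching the GSSAPIAuthentication and KerberosAuthentication arms. The ciphers and macs arms grep the raw file with no comment filtering, so a commented-out `#Ciphers ...` or `#MACs ...` line satisfies them, and an active line that also lists CBC or arcfour entries passes as long as one approved algorithm appears; `sed -e '/^[[:space:]]*#/d' /etc/ssh/sshd_config | grep -iw '^Ciphers' | grep -q 'aes128-ctr\|aes192-ctr\|aes256-ctr'` would at least ignore comments, and comparing the whole value against an allow-list is the stronger check. The other new arms use `grep NAME | grep -v "^#"` instead of the sed cleanup the earlier arms apply, so an indented comment or a second occurrence of the directive is still read, and `awk '{printf $2}'` then concatenates the values and uses them as a printf format string; `awk '{print $2}' | head -n1` over the same cleaned stream would keep the arms consistent. The numeric tests `[ ${INTERVAL} -lt 60 ]` and `[ ${SETVALUE} -gt 3 ]` are also unquoted, so an empty or non-numeric value produces a test syntax error rather than a clean exit 1.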
-- 
GitLab