From 8f87d75293d45f1c10c77ac0ba803fe120fd1fba Mon Sep 17 00:00:00 2001 From: Charles Herlin Date: Fri, 15 Mar 2019 18:17:48 +0100 Subject: [PATCH] FIX(99.5.4): fix regex to allow other authkey options than "from" --- bin/hardening/99.5.4_ssh_keys_from.sh | 9 +++++---- tests/hardening/99.5.4_ssh_keys_from.sh | 26 ++++++++++++++++++++----- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh index a760a5f..cfa2b99 100755 --- a/bin/hardening/99.5.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.4_ssh_keys_from.sh @@ -17,7 +17,8 @@ DESCRIPTION="Check field in ssh authorized keys files for users with logi # Regex looking for empty, hash starting lines, or 'from="127.127.127,127.127.127" ssh' # shellcheck disable=2089 -REGEX="^(from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3}))+(?:'|\")\s+ssh|#|$)" +REGEX_FROM_IP="from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3}))+(?:'|\")" +REGEX_OK_LINES="(^(#|$)|($REGEX_FROM_IP))" AUTHKEYFILE_PATTERN="" AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2" @@ -33,7 +34,7 @@ check_ip() { warn "No allowed IPs to treat"; return ; fi - for line in $($SUDO_CMD grep -ne "from" "$file" | tr -s " " | sed 's/ /_/g' ); do + for line in $($SUDO_CMD grep -noP "$REGEX_FROM_IP" "$file" | tr -s " " | sed 's/ /_/g' ); do linum=$(echo "$line" | cut -d ':' -f 1) ips=$(echo "$line" | cut -d '"' -f 2 | tr ',' ' ') ok_ips_allowed="" @@ -69,8 +70,8 @@ check_file() { if $SUDO_CMD [ -r "$file" ]; then debug "Treating $file" FOUND_AUTHKF=1 - if $SUDO_CMD grep -vqP "$REGEX" "${file}" ; then - bad_lines="$(grep -vnP "$REGEX" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )" + if $SUDO_CMD grep -vqP "$REGEX_OK_LINES" "${file}" ; then + bad_lines="$(grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )" crit "There are anywhere access keys in ${file} at lines (${bad_lines})." else ok "File ${file} is cleared from anywhere access keys." diff --git a/tests/hardening/99.5.4_ssh_keys_from.sh b/tests/hardening/99.5.4_ssh_keys_from.sh index 435f336..ac57440 100644 --- a/tests/hardening/99.5.4_ssh_keys_from.sh +++ b/tests/hardening/99.5.4_ssh_keys_from.sh @@ -19,22 +19,26 @@ test_audit() { register_test retvalshouldbe 0 run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - ssh-keygen -t ed25519 -f /tmp/key1 + ssh-keygen -N "" -t ed25519 -f /tmp/key1 cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2 describe Key without from field register_test retvalshouldbe 1 run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - echo -n 'from="127.0.0.1" ' > /home/secaudit/.ssh/authorized_keys2 - cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2 + { + echo -n 'from="127.0.0.1" '; + cat /tmp/key1.pub; + } > /home/secaudit/.ssh/authorized_keys2 describe Key with from, no ip check register_test retvalshouldbe 0 run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all # shellcheck disable=2016 echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg - echo -n 'from="10.0.1.2" ' >> /home/secaudit/.ssh/authorized_keys2 - cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2 + { + echo -n 'from="10.0.1.2" '; + cat /tmp/key1.pub; + } >> /home/secaudit/.ssh/authorized_keys2 describe Key with from, filled allowed IPs, one bad ip register_test retvalshouldbe 1 run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all @@ -45,6 +49,18 @@ test_audit() { register_test retvalshouldbe 0 run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + # shellcheck disable=2016 + echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg + { + echo -n 'from="10.0.1.2",command="echo bla" '; + cat /tmp/key1.pub; + echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" '; + cat /tmp/key1.pub; + } >> /home/secaudit/.ssh/authorized_keys2 + describe Key with from and command options + register_test retvalshouldbe 0 + run keyfromcommand /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + useradd -s /bin/bash -m jeantest2 # shellcheck disable=2016 echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg