mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 23:11:24 +01:00
FIX(99.5.4): fix regex to allow other authkey options than "from"
This commit is contained in:
parent
41e3402b10
commit
8f87d75293
@ -17,7 +17,8 @@ DESCRIPTION="Check <from> field in ssh authorized keys files for users with logi
|
|||||||
|
|
||||||
# Regex looking for empty, hash starting lines, or 'from="127.127.127,127.127.127" ssh'
|
# Regex looking for empty, hash starting lines, or 'from="127.127.127,127.127.127" ssh'
|
||||||
# shellcheck disable=2089
|
# shellcheck disable=2089
|
||||||
REGEX="^(from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3}))+(?:'|\")\s+ssh|#|$)"
|
REGEX_FROM_IP="from=(?:'|\")(,?(\d{1,3}(\.\d{1,3}){3}))+(?:'|\")"
|
||||||
|
REGEX_OK_LINES="(^(#|$)|($REGEX_FROM_IP))"
|
||||||
AUTHKEYFILE_PATTERN=""
|
AUTHKEYFILE_PATTERN=""
|
||||||
AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
|
AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
|
||||||
|
|
||||||
@ -33,7 +34,7 @@ check_ip() {
|
|||||||
warn "No allowed IPs to treat";
|
warn "No allowed IPs to treat";
|
||||||
return ;
|
return ;
|
||||||
fi
|
fi
|
||||||
for line in $($SUDO_CMD grep -ne "from" "$file" | tr -s " " | sed 's/ /_/g' ); do
|
for line in $($SUDO_CMD grep -noP "$REGEX_FROM_IP" "$file" | tr -s " " | sed 's/ /_/g' ); do
|
||||||
linum=$(echo "$line" | cut -d ':' -f 1)
|
linum=$(echo "$line" | cut -d ':' -f 1)
|
||||||
ips=$(echo "$line" | cut -d '"' -f 2 | tr ',' ' ')
|
ips=$(echo "$line" | cut -d '"' -f 2 | tr ',' ' ')
|
||||||
ok_ips_allowed=""
|
ok_ips_allowed=""
|
||||||
@ -69,8 +70,8 @@ check_file() {
|
|||||||
if $SUDO_CMD [ -r "$file" ]; then
|
if $SUDO_CMD [ -r "$file" ]; then
|
||||||
debug "Treating $file"
|
debug "Treating $file"
|
||||||
FOUND_AUTHKF=1
|
FOUND_AUTHKF=1
|
||||||
if $SUDO_CMD grep -vqP "$REGEX" "${file}" ; then
|
if $SUDO_CMD grep -vqP "$REGEX_OK_LINES" "${file}" ; then
|
||||||
bad_lines="$(grep -vnP "$REGEX" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )"
|
bad_lines="$(grep -vnP "$REGEX_OK_LINES" "${file}" | cut -d ':' -f 1 | tr '\n' ' ' | sed 's/ $//' )"
|
||||||
crit "There are anywhere access keys in ${file} at lines (${bad_lines})."
|
crit "There are anywhere access keys in ${file} at lines (${bad_lines})."
|
||||||
else
|
else
|
||||||
ok "File ${file} is cleared from anywhere access keys."
|
ok "File ${file} is cleared from anywhere access keys."
|
||||||
|
@ -19,22 +19,26 @@ test_audit() {
|
|||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run emptyauthkey /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
ssh-keygen -t ed25519 -f /tmp/key1
|
ssh-keygen -N "" -t ed25519 -f /tmp/key1
|
||||||
cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2
|
cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2
|
||||||
describe Key without from field
|
describe Key without from field
|
||||||
register_test retvalshouldbe 1
|
register_test retvalshouldbe 1
|
||||||
run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run keynofrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
echo -n 'from="127.0.0.1" ' > /home/secaudit/.ssh/authorized_keys2
|
{
|
||||||
cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2
|
echo -n 'from="127.0.0.1" ';
|
||||||
|
cat /tmp/key1.pub;
|
||||||
|
} > /home/secaudit/.ssh/authorized_keys2
|
||||||
describe Key with from, no ip check
|
describe Key with from, no ip check
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run keyfrom /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# shellcheck disable=2016
|
# shellcheck disable=2016
|
||||||
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
echo -n 'from="10.0.1.2" ' >> /home/secaudit/.ssh/authorized_keys2
|
{
|
||||||
cat /tmp/key1.pub >> /home/secaudit/.ssh/authorized_keys2
|
echo -n 'from="10.0.1.2" ';
|
||||||
|
cat /tmp/key1.pub;
|
||||||
|
} >> /home/secaudit/.ssh/authorized_keys2
|
||||||
describe Key with from, filled allowed IPs, one bad ip
|
describe Key with from, filled allowed IPs, one bad ip
|
||||||
register_test retvalshouldbe 1
|
register_test retvalshouldbe 1
|
||||||
run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run badfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
@ -45,6 +49,18 @@ test_audit() {
|
|||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
# shellcheck disable=2016
|
||||||
|
echo 'ALLOWED_IPS="$ALLOWED_IPS 127.0.0.1,10.2.3.1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
{
|
||||||
|
echo -n 'from="10.0.1.2",command="echo bla" ';
|
||||||
|
cat /tmp/key1.pub;
|
||||||
|
echo -n 'command="echo bla,from="10.0.1.2,10.2.3.1"" ';
|
||||||
|
cat /tmp/key1.pub;
|
||||||
|
} >> /home/secaudit/.ssh/authorized_keys2
|
||||||
|
describe Key with from and command options
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
run keyfromcommand /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
useradd -s /bin/bash -m jeantest2
|
useradd -s /bin/bash -m jeantest2
|
||||||
# shellcheck disable=2016
|
# shellcheck disable=2016
|
||||||
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
Loading…
Reference in New Issue
Block a user