mirror of
https://github.com/jtesta/ssh-audit.git
synced 2025-06-22 10:43:41 +02:00
Moved built-in policies from external files to internal database. (#75)
31
ssh-audit.1
@ -1,4 +1,4 @@
|
||||
.TH SSH-AUDIT 1 "July 16, 2020"
|
||||
.TH SSH-AUDIT 1 "October 19, 2020"
|
||||
.SH NAME
|
||||
\fBssh-audit\fP \- SSH server & client configuration auditor
|
||||
.SH SYNOPSIS
|
||||
@ -59,7 +59,7 @@ Specify the minimum output level. Default is info.
|
||||
.TP
|
||||
.B -L, \-\-list-policies
|
||||
.br
|
||||
List all official, built-in policies for common systems. Their file paths can then be provided using -P/--policy=<path/to/policy.txt>.
|
||||
List all official, built-in policies for common systems. Their full names can then be passed to -P/--policy.
|
||||
|
||||
.TP
|
||||
.B \-\-lookup=<alg1,alg2,...>
|
||||
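Review bot: the new -L text says the full names "can then be passed to -P/--policy" but does not say they must be quoted; built-in names such as "Hardened Ubuntu Server 20.04 LTS (version 1)" (used in the examples further down) contain spaces and parentheses, so an unquoted name is split by the shell. Suggest: `List all official, built-in policies for common systems. Their full names (quoted) can then be passed to -P/--policy.`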
@ -67,7 +67,7 @@ List all official, built-in policies for common systems. Their file paths can t
|
||||
Look up the security information of an algorithm(s) in the internal database. Does not connect to a server.
|
||||
|
||||
.TP
|
||||
.B -M, \-\-make-policy=<policy.txt>
|
||||
.B -M, \-\-make-policy=<custom_policy.txt>
|
||||
.br
|
||||
Creates a policy based on the target server. Useful when other servers should be compared to the target server's custom configuration (i.e.: a cluster environment). Note that the resulting policy can be edited manually.
|
||||
|
||||
@ -82,7 +82,7 @@ Disable color output.
|
||||
The TCP port to connect to when auditing a server, or the port to listen on when auditing a client.
|
||||
|
||||
.TP
|
||||
.B -P, \-\-policy=<policy.txt>
|
||||
.B -P, \-\-policy=<"built-in policy name" | path/to/custom_policy.txt>
|
||||
.br
|
||||
Runs a policy audit against a target using the specified policy (see \fBPOLICY AUDIT\fP section for detailed description of this mode of operation). Combine with -c/--client-audit to audit a client configuration instead of a server. Use -L/--list-policies to list all official, built-in policies for common systems.
|
||||
|
||||
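Review bot: the -P argument now accepts either a built-in policy name or a path, but the description on the unchanged line below still only says "using the specified policy" and never states how the two are told apart, so a user whose custom file happens to share a name with a built-in policy cannot predict which one runs. Add one sentence giving the lookup order the code actually implements, for example: `The argument is first matched against the built-in policy names; if none matches, it is treated as a path to a custom policy file.` (adjusted to whatever order the implementation uses).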
@ -109,7 +109,7 @@ By default, \fBssh-audit\fP performs a standard audit. That is, it enumerates a
|
||||
|
||||
.SH POLICY AUDIT
|
||||
.PP
|
||||
When the -P/--policy=<policy.txt> option is used, \fBssh-audit\fP performs a policy audit. The target's host key types, key exchanges, ciphers, MACs, and other information is compared to a set of expected values defined in the specified policy file. If everything matches, only a short message stating a passing result is reported. Otherwise, the field(s) that did not match are reported.
|
||||
When the -P/--policy option is used, \fBssh-audit\fP performs a policy audit. The target's host key types, key exchanges, ciphers, MACs, and other information is compared to a set of expected values defined in the specified policy file. If everything matches, only a short message stating a passing result is reported. Otherwise, the field(s) that did not match are reported.
|
||||
|
||||
.PP
|
||||
Policy auditing is helpful for ensuring a group of related servers are properly hardened to an exact specification.
|
||||
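Review bot: the rewritten paragraph still says the expected values are "defined in the specified policy file", which no longer holds for built-in policies now stored in the internal database. Suggest: `... compared to a set of expected values defined in the specified policy (either a built-in policy or a custom policy file).`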
@ -140,7 +140,7 @@ ssh-audit -T servers.txt
|
||||
.RE
|
||||
|
||||
.LP
|
||||
To audit a client configuration (listens on port 2222 by default; connect using "ssh anything@localhost"):
|
||||
To audit a client configuration (listens on port 2222 by default; connect using "ssh -p 2222 anything@localhost"):
|
||||
.RS
|
||||
.nf
|
||||
ssh-audit -c
|
||||
@ -156,7 +156,7 @@ ssh-audit -c -p 4567
|
||||
.RE
|
||||
|
||||
.LP
|
||||
To list all official built-in policies (hint: use resulting file paths with -P/--policy):
|
||||
To list all official built-in policies (hint: use their full names with -P/--policy):
|
||||
.RS
|
||||
.nf
|
||||
ssh-audit -L
|
||||
@ -164,10 +164,19 @@ ssh-audit -L
|
||||
.RE
|
||||
|
||||
.LP
|
||||
To run a policy audit against a server:
|
||||
To run a built-in policy audit against a server (hint: use -L to see list of built-in policies):
|
||||
.RS
|
||||
.nf
|
||||
ssh-audit -P path/to/server_policy targetserver
|
||||
ssh-audit -P "Hardened Ubuntu Server 20.04 LTS (version 1)" targetserver
|
||||
.fi
|
||||
.RE
|
||||
|
||||
|
||||
.LP
|
||||
To run a custom policy audit against a server (hint: use -M/--make-policy to create a custom policy file):
|
||||
.RS
|
||||
.nf
|
||||
ssh-audit -P path/to/server_policy.txt targetserver
|
||||
.fi
|
||||
.RE
|
||||
|
||||
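Review bot: the built-in example hard-codes "Hardened Ubuntu Server 20.04 LTS (version 1)", which goes stale as soon as the internal database gains a newer version of that policy; since the hint already points at -L, say that the name must be copied exactly as printed by -L (quotes included) rather than relying on the example staying current. Minor style point: the new custom-policy block is separated from the previous one by two blank lines, whereas every other `.LP` example in this file is separated by one.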
@ -175,7 +184,7 @@ ssh-audit -P path/to/server_policy targetserver
|
||||
To run a policy audit against a client:
|
||||
.RS
|
||||
.nf
|
||||
ssh-audit -c -P path/to/client_policy
|
||||
ssh-audit -c -P ["policy name" | path/to/client_policy.txt]
|
||||
.fi
|
||||
.RE
|
||||
|
||||
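Review bot: `-P ["policy name" | path/to/client_policy.txt]` uses square brackets, which in man-page convention mark an optional argument, and it contradicts the `<... | ...>` form this same change introduced for -P in the OPTIONS section; the line is also no longer something a reader can copy and run. Follow the server section above and give two literal examples instead: `ssh-audit -c -P "policy name"` and `ssh-audit -c -P path/to/client_policy.txt`.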
@ -183,7 +192,7 @@ ssh-audit -c -P path/to/client_policy
|
||||
To run a policy audit against many servers:
|
||||
.RS
|
||||
.nf
|
||||
ssh-audit -T servers.txt -P path/to/server_policy
|
||||
ssh-audit -T servers.txt -P ["policy name" | path/to/server_policy.txt]
|
||||
.fi
|
||||
.RE
|
||||
|
||||
|
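Review bot: `-P ["policy name" | path/to/server_policy.txt]` has the same problem as the client example: square brackets read as "optional" in a man page, and the line is not copy-pasteable. Split it into two runnable lines, `ssh-audit -T servers.txt -P "policy name"` and `ssh-audit -T servers.txt -P path/to/server_policy.txt`, matching the built-in/custom pair used for the single-server examples.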