mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-22 22:15:22 +01:00
Added policy audit examples and additional usage examples.
This commit is contained in:
parent
632adc076a
commit
6e3e8bac74
67
README.md
67
README.md
@ -19,6 +19,7 @@
|
|||||||
- output security information (related issues, assigned CVE list, etc);
|
- output security information (related issues, assigned CVE list, etc);
|
||||||
- analyze SSH version compatibility based on algorithm information;
|
- analyze SSH version compatibility based on algorithm information;
|
||||||
- historical information from OpenSSH, Dropbear SSH and libssh;
|
- historical information from OpenSSH, Dropbear SSH and libssh;
|
||||||
|
- policy scans to ensure adherence to a hardened/standard configuration;
|
||||||
- runs on Linux and Windows;
|
- runs on Linux and Windows;
|
||||||
- no dependencies
|
- no dependencies
|
||||||
|
|
||||||
@ -56,12 +57,71 @@ usage: ssh-audit.py [options] <host>
|
|||||||
* if both IPv4 and IPv6 are used, order of precedence can be set by using either `-46` or `-64`.
|
* if both IPv4 and IPv6 are used, order of precedence can be set by using either `-46` or `-64`.
|
||||||
* batch flag `-b` will output sections without header and without empty lines (implies verbose flag).
|
* batch flag `-b` will output sections without header and without empty lines (implies verbose flag).
|
||||||
* verbose flag `-v` will prefix each line with section type and algorithm name.
|
* verbose flag `-v` will prefix each line with section type and algorithm name.
|
||||||
|
* an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).
|
||||||
|
|
||||||
### Server Audit Example
|
Basic server auditing:
|
||||||
Below is a screen shot of the server-auditing output when connecting to an unhardened OpenSSH v5.3 service:
|
```
|
||||||
|
ssh-audit localhost
|
||||||
|
ssh-audit 127.0.0.1
|
||||||
|
ssh-audit 127.0.0.1:222
|
||||||
|
ssh-audit ::1
|
||||||
|
ssh-audit [::1]:222
|
||||||
|
```
|
||||||
|
|
||||||
|
To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):
|
||||||
|
|
||||||
|
```
|
||||||
|
ssh-audit -T servers.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
To audit a client configuration (listens on port 2222 by default; connect using "ssh anything@localhost"):
|
||||||
|
|
||||||
|
```
|
||||||
|
ssh-audit -c
|
||||||
|
```
|
||||||
|
|
||||||
|
To audit a client configuration, with a listener on port 4567:
|
||||||
|
```
|
||||||
|
ssh-audit -c -p 4567
|
||||||
|
```
|
||||||
|
|
||||||
|
To list all official built-in policies (hint: use resulting file paths with -P/--policy):
|
||||||
|
```
|
||||||
|
ssh-audit -L
|
||||||
|
```
|
||||||
|
|
||||||
|
To run a policy audit against a server:
|
||||||
|
```
|
||||||
|
ssh-audit -P path/to/server_policy targetserver
|
||||||
|
```
|
||||||
|
|
||||||
|
To run a policy audit against a client:
|
||||||
|
```
|
||||||
|
ssh-audit -c -P path/to/client_policy
|
||||||
|
```
|
||||||
|
|
||||||
|
To run a policy audit against many servers:
|
||||||
|
```
|
||||||
|
ssh-audit -T servers.txt -P path/to/server_policy
|
||||||
|
```
|
||||||
|
|
||||||
|
To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):
|
||||||
|
```
|
||||||
|
ssh-audit -M new_policy.txt targetserver
|
||||||
|
```
|
||||||
|
|
||||||
|
### Server Standard Audit Example
|
||||||
|
Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service:
|
||||||
![screenshot](https://user-images.githubusercontent.com/2982011/64388792-317e6f80-d00e-11e9-826e-a4934769bb07.png)
|
![screenshot](https://user-images.githubusercontent.com/2982011/64388792-317e6f80-d00e-11e9-826e-a4934769bb07.png)
|
||||||
|
|
||||||
### Client Audit Example
|
### Server Policy Audit Example
|
||||||
|
Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine:
|
||||||
|
![screenshot](https://user-images.githubusercontent.com/2982011/94370881-95178700-00c0-11eb-8705-3157a4669dc0.png)
|
||||||
|
|
||||||
|
After applying the steps in the hardening guide (see below), the output changes to the following:
|
||||||
|
![screenshot](https://user-images.githubusercontent.com/2982011/94370873-87620180-00c0-11eb-9a59-469f61a56ce1.png)
|
||||||
|
|
||||||
|
### Client Standard Audit Example
|
||||||
Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects:
|
Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects:
|
||||||
![client_screenshot](https://user-images.githubusercontent.com/2982011/68867998-b946c100-06c4-11ea-975f-1f47e4178a74.png)
|
![client_screenshot](https://user-images.githubusercontent.com/2982011/68867998-b946c100-06c4-11ea-975f-1f47e4178a74.png)
|
||||||
|
|
||||||
@ -88,6 +148,7 @@ $ brew install ssh-audit
|
|||||||
|
|
||||||
## ChangeLog
|
## ChangeLog
|
||||||
### v2.3.0 (???)
|
### v2.3.0 (???)
|
||||||
|
- Added new policy auditing functionality to test adherence to a hardening guide/standard configuration. For an in-depth tutorial, see <link_goes_here>.
|
||||||
- Created new man page (see `ssh-audit.1` file).
|
- Created new man page (see `ssh-audit.1` file).
|
||||||
- 1024-bit moduli upgraded from warnings to failures.
|
- 1024-bit moduli upgraded from warnings to failures.
|
||||||
- Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
|
- Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
|
||||||
|
Loading…
Reference in New Issue
Block a user