mirror of
https://github.com/jtesta/ssh-audit.git
synced 2025-06-22 02:33:40 +02:00
Added policy checks (#10).
This commit is contained in:
@ -0,0 +1 @@
|
||||
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test1 v1"}
|
@ -0,0 +1,3 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test1 v1
|
||||
Result: [0;32m✔ Passed[0m
|
@ -0,0 +1 @@
|
||||
{"errors": ["RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072", "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 1024"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test10 v1"}
|
@ -0,0 +1,7 @@
|
||||
Host: localhost
|
||||
Policy: Docker poliicy: test10 v1
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072
|
||||
* RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 1024[0m
|
@ -0,0 +1 @@
|
||||
{"errors": ["Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1']"], "host": "localhost", "passed": false, "policy": "Docker policy: test2 v1"}
|
@ -0,0 +1,6 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test2 v1
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'][0m
|
@ -0,0 +1 @@
|
||||
{"errors": ["Host key types did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss']"], "host": "localhost", "passed": false, "policy": "Docker policy: test3 v1"}
|
@ -0,0 +1,6 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test3 v1
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* Host key types did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss'][0m
|
@ -0,0 +1 @@
|
||||
{"errors": ["Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']"], "host": "localhost", "passed": false, "policy": "Docker policy: test4 v1"}
|
@ -0,0 +1,6 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test4 v1
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'][0m
|
@ -0,0 +1 @@
|
||||
{"errors": ["MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']"], "host": "localhost", "passed": false, "policy": "Docker policy: test5 v1"}
|
@ -0,0 +1,6 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test5 v1
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'][0m
|
@ -0,0 +1 @@
|
||||
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker poliicy: test7 v1"}
|
@ -0,0 +1,3 @@
|
||||
Host: localhost
|
||||
Policy: Docker poliicy: test7 v1
|
||||
Result: [0;32m✔ Passed[0m
|
@ -0,0 +1 @@
|
||||
{"errors": ["RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 2048; Actual: 1024"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test8 v1"}
|
@ -0,0 +1,6 @@
|
||||
Host: localhost
|
||||
Policy: Docker poliicy: test8 v1
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 2048; Actual: 1024[0m
|
@ -0,0 +1 @@
|
||||
{"errors": ["RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test9 v1"}
|
@ -0,0 +1,6 @@
|
||||
Host: localhost
|
||||
Policy: Docker poliicy: test9 v1
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072[0m
|
@ -0,0 +1 @@
|
||||
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test11 v1"}
|
@ -0,0 +1,3 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test11 v1
|
||||
Result: [0;32m✔ Passed[0m
|
@ -0,0 +1 @@
|
||||
{"errors": ["RSA hostkey (rsa-sha2-256) sizes did not match. Expected: 4096; Actual: 3072", "RSA hostkey (rsa-sha2-512) sizes did not match. Expected: 4096; Actual: 3072", "RSA hostkey (ssh-rsa) sizes did not match. Expected: 4096; Actual: 3072"], "host": "localhost", "passed": false, "policy": "Docker policy: test12 v1"}
|
@ -0,0 +1,8 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test12 v1
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* RSA hostkey (rsa-sha2-256) sizes did not match. Expected: 4096; Actual: 3072
|
||||
* RSA hostkey (rsa-sha2-512) sizes did not match. Expected: 4096; Actual: 3072
|
||||
* RSA hostkey (ssh-rsa) sizes did not match. Expected: 4096; Actual: 3072[0m
|
@ -0,0 +1 @@
|
||||
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test13 v1"}
|
@ -0,0 +1,3 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test13 v1
|
||||
Result: [0;32m✔ Passed[0m
|
@ -0,0 +1 @@
|
||||
{"errors": ["Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. Expected: 4096; Actual: 2048"], "host": "localhost", "passed": false, "policy": "Docker policy: test14 v1"}
|
@ -0,0 +1,6 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test14 v1
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. Expected: 4096; Actual: 2048[0m
|
@ -0,0 +1 @@
|
||||
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test6 v1"}
|
@ -0,0 +1,3 @@
|
||||
Host: localhost
|
||||
Policy: Docker policy: test6 v1
|
||||
Result: [0;32m✔ Passed[0m
|
10
test/docker/policies/policy_test1.txt
Normal file
10
test/docker/policies/policy_test1.txt
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Docker policy: test1
|
||||
#
|
||||
|
||||
name = "Docker policy: test1"
|
||||
version = 1
|
||||
host keys = ssh-rsa, ssh-dss
|
||||
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
|
||||
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
|
||||
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
|
39
test/docker/policies/policy_test10.txt
Normal file
39
test/docker/policies/policy_test10.txt
Normal file
@ -0,0 +1,39 @@
|
||||
#
|
||||
# Docker policy: test10
|
||||
#
|
||||
|
||||
# The name of this policy (displayed in the output during scans). Must be in quotes.
|
||||
name = "Docker poliicy: test10"
|
||||
|
||||
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
|
||||
version = 1
|
||||
|
||||
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
|
||||
# banner = "SSH-2.0-OpenSSH_5.6"
|
||||
|
||||
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
|
||||
# header = "[]"
|
||||
|
||||
# The compression options that must match exactly (order matters). Commented out to ignore by default.
|
||||
# compressions = none, zlib@openssh.com
|
||||
|
||||
# RSA host key sizes.
|
||||
hostkey_size_rsa-sha2-256 = 3072
|
||||
hostkey_size_rsa-sha2-512 = 3072
|
||||
hostkey_size_ssh-rsa = 3072
|
||||
hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
|
||||
|
||||
# RSA CA key sizes.
|
||||
cakey_size_ssh-rsa-cert-v01@openssh.com = 4096
|
||||
|
||||
# The host key types that must match exactly (order matters).
|
||||
host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
|
||||
|
||||
# The key exchange algorithms that must match exactly (order matters).
|
||||
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
|
||||
|
||||
# The ciphers that must match exactly (order matters).
|
||||
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
|
||||
|
||||
# The MACs that must match exactly (order matters).
|
||||
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
|
35
test/docker/policies/policy_test11.txt
Normal file
35
test/docker/policies/policy_test11.txt
Normal file
@ -0,0 +1,35 @@
|
||||
#
|
||||
# Docker policy: test11
|
||||
#
|
||||
|
||||
# The name of this policy (displayed in the output during scans). Must be in quotes.
|
||||
name = "Docker policy: test11"
|
||||
|
||||
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
|
||||
version = 1
|
||||
|
||||
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
|
||||
# banner = "SSH-2.0-OpenSSH_8.0"
|
||||
|
||||
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
|
||||
# header = "[]"
|
||||
|
||||
# The compression options that must match exactly (order matters). Commented out to ignore by default.
|
||||
# compressions = none, zlib@openssh.com
|
||||
|
||||
# RSA host key sizes.
|
||||
hostkey_size_rsa-sha2-256 = 3072
|
||||
hostkey_size_rsa-sha2-512 = 3072
|
||||
hostkey_size_ssh-rsa = 3072
|
||||
|
||||
# The host key types that must match exactly (order matters).
|
||||
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
|
||||
|
||||
# The key exchange algorithms that must match exactly (order matters).
|
||||
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
|
||||
|
||||
# The ciphers that must match exactly (order matters).
|
||||
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
|
||||
|
||||
# The MACs that must match exactly (order matters).
|
||||
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
|
35
test/docker/policies/policy_test12.txt
Normal file
35
test/docker/policies/policy_test12.txt
Normal file
@ -0,0 +1,35 @@
|
||||
#
|
||||
# Docker policy: test12
|
||||
#
|
||||
|
||||
# The name of this policy (displayed in the output during scans). Must be in quotes.
|
||||
name = "Docker policy: test12"
|
||||
|
||||
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
|
||||
version = 1
|
||||
|
||||
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
|
||||
# banner = "SSH-2.0-OpenSSH_8.0"
|
||||
|
||||
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
|
||||
# header = "[]"
|
||||
|
||||
# The compression options that must match exactly (order matters). Commented out to ignore by default.
|
||||
# compressions = none, zlib@openssh.com
|
||||
|
||||
# RSA host key sizes.
|
||||
hostkey_size_rsa-sha2-256 = 4096
|
||||
hostkey_size_rsa-sha2-512 = 4096
|
||||
hostkey_size_ssh-rsa = 4096
|
||||
|
||||
# The host key types that must match exactly (order matters).
|
||||
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
|
||||
|
||||
# The key exchange algorithms that must match exactly (order matters).
|
||||
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
|
||||
|
||||
# The ciphers that must match exactly (order matters).
|
||||
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
|
||||
|
||||
# The MACs that must match exactly (order matters).
|
||||
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
|
38
test/docker/policies/policy_test13.txt
Normal file
38
test/docker/policies/policy_test13.txt
Normal file
@ -0,0 +1,38 @@
|
||||
#
|
||||
# Docker policy: test13
|
||||
#
|
||||
|
||||
# The name of this policy (displayed in the output during scans). Must be in quotes.
|
||||
name = "Docker policy: test13"
|
||||
|
||||
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
|
||||
version = 1
|
||||
|
||||
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
|
||||
# banner = "SSH-2.0-OpenSSH_8.0"
|
||||
|
||||
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
|
||||
# header = "[]"
|
||||
|
||||
# The compression options that must match exactly (order matters). Commented out to ignore by default.
|
||||
# compressions = none, zlib@openssh.com
|
||||
|
||||
# RSA host key sizes.
|
||||
hostkey_size_rsa-sha2-256 = 3072
|
||||
hostkey_size_rsa-sha2-512 = 3072
|
||||
hostkey_size_ssh-rsa = 3072
|
||||
|
||||
# Group exchange DH modulus sizes.
|
||||
dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
|
||||
|
||||
# The host key types that must match exactly (order matters).
|
||||
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
|
||||
|
||||
# The key exchange algorithms that must match exactly (order matters).
|
||||
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
|
||||
|
||||
# The ciphers that must match exactly (order matters).
|
||||
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
|
||||
|
||||
# The MACs that must match exactly (order matters).
|
||||
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
|
38
test/docker/policies/policy_test14.txt
Normal file
38
test/docker/policies/policy_test14.txt
Normal file
@ -0,0 +1,38 @@
|
||||
#
|
||||
# Docker policy: test14
|
||||
#
|
||||
|
||||
# The name of this policy (displayed in the output during scans). Must be in quotes.
|
||||
name = "Docker policy: test14"
|
||||
|
||||
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
|
||||
version = 1
|
||||
|
||||
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
|
||||
# banner = "SSH-2.0-OpenSSH_8.0"
|
||||
|
||||
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
|
||||
# header = "[]"
|
||||
|
||||
# The compression options that must match exactly (order matters). Commented out to ignore by default.
|
||||
# compressions = none, zlib@openssh.com
|
||||
|
||||
# RSA host key sizes.
|
||||
hostkey_size_rsa-sha2-256 = 3072
|
||||
hostkey_size_rsa-sha2-512 = 3072
|
||||
hostkey_size_ssh-rsa = 3072
|
||||
|
||||
# Group exchange DH modulus sizes.
|
||||
dh_modulus_size_diffie-hellman-group-exchange-sha256 = 4096
|
||||
|
||||
# The host key types that must match exactly (order matters).
|
||||
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
|
||||
|
||||
# The key exchange algorithms that must match exactly (order matters).
|
||||
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
|
||||
|
||||
# The ciphers that must match exactly (order matters).
|
||||
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
|
||||
|
||||
# The MACs that must match exactly (order matters).
|
||||
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
|
10
test/docker/policies/policy_test2.txt
Normal file
10
test/docker/policies/policy_test2.txt
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Docker policy: test2
|
||||
#
|
||||
|
||||
name = "Docker policy: test2"
|
||||
version = 1
|
||||
host keys = ssh-rsa, ssh-dss
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
|
||||
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
|
10
test/docker/policies/policy_test3.txt
Normal file
10
test/docker/policies/policy_test3.txt
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Docker policy: test3
|
||||
#
|
||||
|
||||
name = "Docker policy: test3"
|
||||
version = 1
|
||||
host keys = ssh-rsa, ssh-dss, key_alg1
|
||||
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
|
||||
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
|
||||
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
|
10
test/docker/policies/policy_test4.txt
Normal file
10
test/docker/policies/policy_test4.txt
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Docker policy: test4
|
||||
#
|
||||
|
||||
name = "Docker policy: test4"
|
||||
version = 1
|
||||
host keys = ssh-rsa, ssh-dss
|
||||
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
|
||||
ciphers = cipher_alg1, cipher_alg2
|
||||
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
|
10
test/docker/policies/policy_test5.txt
Normal file
10
test/docker/policies/policy_test5.txt
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Docker policy: test5
|
||||
#
|
||||
|
||||
name = "Docker policy: test5"
|
||||
version = 1
|
||||
host keys = ssh-rsa, ssh-dss
|
||||
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
|
||||
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
|
||||
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96
|
12
test/docker/policies/policy_test6.txt
Normal file
12
test/docker/policies/policy_test6.txt
Normal file
@ -0,0 +1,12 @@
|
||||
#
|
||||
# Docker policy: test6
|
||||
#
|
||||
|
||||
name = "Docker policy: test6"
|
||||
version = 1
|
||||
banner = "SSH-2.0-OpenSSH_8.0"
|
||||
compressions = none, zlib@openssh.com
|
||||
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
|
||||
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
|
||||
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
|
||||
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
|
39
test/docker/policies/policy_test7.txt
Normal file
39
test/docker/policies/policy_test7.txt
Normal file
@ -0,0 +1,39 @@
|
||||
#
|
||||
# Docker policy: test7
|
||||
#
|
||||
|
||||
# The name of this policy (displayed in the output during scans). Must be in quotes.
|
||||
name = "Docker poliicy: test7"
|
||||
|
||||
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
|
||||
version = 1
|
||||
|
||||
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
|
||||
# banner = "SSH-2.0-OpenSSH_5.6"
|
||||
|
||||
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
|
||||
# header = "[]"
|
||||
|
||||
# The compression options that must match exactly (order matters). Commented out to ignore by default.
|
||||
# compressions = none, zlib@openssh.com
|
||||
|
||||
# RSA host key sizes.
|
||||
hostkey_size_rsa-sha2-256 = 3072
|
||||
hostkey_size_rsa-sha2-512 = 3072
|
||||
hostkey_size_ssh-rsa = 3072
|
||||
hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
|
||||
|
||||
# RSA CA key sizes.
|
||||
cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
|
||||
|
||||
# The host key types that must match exactly (order matters).
|
||||
host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
|
||||
|
||||
# The key exchange algorithms that must match exactly (order matters).
|
||||
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
|
||||
|
||||
# The ciphers that must match exactly (order matters).
|
||||
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
|
||||
|
||||
# The MACs that must match exactly (order matters).
|
||||
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
|
39
test/docker/policies/policy_test8.txt
Normal file
39
test/docker/policies/policy_test8.txt
Normal file
@ -0,0 +1,39 @@
|
||||
#
|
||||
# Docker policy: test8
|
||||
#
|
||||
|
||||
# The name of this policy (displayed in the output during scans). Must be in quotes.
|
||||
name = "Docker poliicy: test8"
|
||||
|
||||
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
|
||||
version = 1
|
||||
|
||||
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
|
||||
# banner = "SSH-2.0-OpenSSH_5.6"
|
||||
|
||||
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
|
||||
# header = "[]"
|
||||
|
||||
# The compression options that must match exactly (order matters). Commented out to ignore by default.
|
||||
# compressions = none, zlib@openssh.com
|
||||
|
||||
# RSA host key sizes.
|
||||
hostkey_size_rsa-sha2-256 = 3072
|
||||
hostkey_size_rsa-sha2-512 = 3072
|
||||
hostkey_size_ssh-rsa = 3072
|
||||
hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
|
||||
|
||||
# RSA CA key sizes.
|
||||
cakey_size_ssh-rsa-cert-v01@openssh.com = 2048
|
||||
|
||||
# The host key types that must match exactly (order matters).
|
||||
host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
|
||||
|
||||
# The key exchange algorithms that must match exactly (order matters).
|
||||
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
|
||||
|
||||
# The ciphers that must match exactly (order matters).
|
||||
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
|
||||
|
||||
# The MACs that must match exactly (order matters).
|
||||
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
|
39
test/docker/policies/policy_test9.txt
Normal file
39
test/docker/policies/policy_test9.txt
Normal file
@ -0,0 +1,39 @@
|
||||
#
|
||||
# Docker policy: test9
|
||||
#
|
||||
|
||||
# The name of this policy (displayed in the output during scans). Must be in quotes.
|
||||
name = "Docker poliicy: test9"
|
||||
|
||||
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
|
||||
version = 1
|
||||
|
||||
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
|
||||
# banner = "SSH-2.0-OpenSSH_5.6"
|
||||
|
||||
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
|
||||
# header = "[]"
|
||||
|
||||
# The compression options that must match exactly (order matters). Commented out to ignore by default.
|
||||
# compressions = none, zlib@openssh.com
|
||||
|
||||
# RSA host key sizes.
|
||||
hostkey_size_rsa-sha2-256 = 3072
|
||||
hostkey_size_rsa-sha2-512 = 3072
|
||||
hostkey_size_ssh-rsa = 3072
|
||||
hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
|
||||
|
||||
# RSA CA key sizes.
|
||||
cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
|
||||
|
||||
# The host key types that must match exactly (order matters).
|
||||
host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
|
||||
|
||||
# The key exchange algorithms that must match exactly (order matters).
|
||||
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
|
||||
|
||||
# The ciphers that must match exactly (order matters).
|
||||
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
|
||||
|
||||
# The MACs that must match exactly (order matters).
|
||||
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
|
@ -11,7 +11,7 @@ class TestAuditConf:
|
||||
@staticmethod
|
||||
def _test_conf(conf, **kwargs):
|
||||
options = {
|
||||
'host': None,
|
||||
'host': '',
|
||||
'port': 22,
|
||||
'ssh1': True,
|
||||
'ssh2': True,
|
||||
|
@ -16,36 +16,39 @@ class TestErrors:
|
||||
conf.batch = True
|
||||
return conf
|
||||
|
||||
def _audit(self, spy, conf=None, sysexit=True):
|
||||
def _audit(self, spy, conf=None, exit_expected=False):
|
||||
if conf is None:
|
||||
conf = self._conf()
|
||||
spy.begin()
|
||||
if sysexit:
|
||||
|
||||
if exit_expected:
|
||||
with pytest.raises(SystemExit):
|
||||
self.audit(conf)
|
||||
else:
|
||||
self.audit(conf)
|
||||
ret = self.audit(conf)
|
||||
assert ret != 0
|
||||
|
||||
lines = spy.flush()
|
||||
return lines
|
||||
|
||||
def test_connection_unresolved(self, output_spy, virtual_socket):
|
||||
vsocket = virtual_socket
|
||||
vsocket.gsock.addrinfodata['localhost#22'] = []
|
||||
lines = self._audit(output_spy)
|
||||
lines = self._audit(output_spy, exit_expected=True)
|
||||
assert len(lines) == 1
|
||||
assert 'has no DNS records' in lines[-1]
|
||||
|
||||
def test_connection_refused(self, output_spy, virtual_socket):
|
||||
vsocket = virtual_socket
|
||||
vsocket.errors['connect'] = socket.error(errno.ECONNREFUSED, 'Connection refused')
|
||||
lines = self._audit(output_spy)
|
||||
lines = self._audit(output_spy, exit_expected=True)
|
||||
assert len(lines) == 1
|
||||
assert 'Connection refused' in lines[-1]
|
||||
|
||||
def test_connection_timeout(self, output_spy, virtual_socket):
|
||||
vsocket = virtual_socket
|
||||
vsocket.errors['connect'] = socket.timeout('timed out')
|
||||
lines = self._audit(output_spy)
|
||||
lines = self._audit(output_spy, exit_expected=True)
|
||||
assert len(lines) == 1
|
||||
assert 'timed out' in lines[-1]
|
||||
|
||||
|
337
test/test_policy.py
Normal file
337
test/test_policy.py
Normal file
@ -0,0 +1,337 @@
|
||||
import hashlib
|
||||
import pytest
|
||||
from datetime import date
|
||||
|
||||
|
||||
class TestPolicy:
|
||||
@pytest.fixture(autouse=True)
|
||||
def init(self, ssh_audit):
|
||||
self.Policy = ssh_audit.Policy
|
||||
self.wbuf = ssh_audit.WriteBuf
|
||||
self.ssh2 = ssh_audit.SSH2
|
||||
|
||||
|
||||
def _get_kex(self):
|
||||
'''Returns an SSH2.Kex object to simulate a server connection.'''
|
||||
|
||||
w = self.wbuf()
|
||||
w.write(b'\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff')
|
||||
w.write_list(['kex_alg1', 'kex_alg2'])
|
||||
w.write_list(['key_alg1', 'key_alg2'])
|
||||
w.write_list(['cipher_alg1', 'cipher_alg2', 'cipher_alg3'])
|
||||
w.write_list(['cipher_alg1', 'cipher_alg2', 'cipher_alg3'])
|
||||
w.write_list(['mac_alg1', 'mac_alg2', 'mac_alg3'])
|
||||
w.write_list(['mac_alg1', 'mac_alg2', 'mac_alg3'])
|
||||
w.write_list(['comp_alg1', 'comp_alg2'])
|
||||
w.write_list(['comp_alg1', 'comp_alg2'])
|
||||
w.write_list([''])
|
||||
w.write_list([''])
|
||||
w.write_byte(False)
|
||||
w.write_int(0)
|
||||
return self.ssh2.Kex.parse(w.write_flush())
|
||||
|
||||
|
||||
def test_policy_basic(self):
|
||||
'''Ensure that a basic policy can be parsed correctly.'''
|
||||
|
||||
policy_data = '''# This is a comment
|
||||
name = "Test Policy"
|
||||
version = 1
|
||||
|
||||
compressions = comp_alg1
|
||||
host keys = key_alg1
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
assert str(policy) == "Name: [Test Policy]\nVersion: [1]\nBanner: {undefined}\nHeader: {undefined}\nCompressions: comp_alg1\nHost Keys: key_alg1\nKey Exchanges: kex_alg1, kex_alg2\nCiphers: cipher_alg1, cipher_alg2, cipher_alg3\nMACs: mac_alg1, mac_alg2, mac_alg3"
|
||||
|
||||
|
||||
def test_policy_invalid_1(self):
|
||||
'''Basic policy, but with 'ciphersx' instead of 'ciphers'.'''
|
||||
|
||||
policy_data = '''# This is a comment
|
||||
name = "Test Policy"
|
||||
version = 1
|
||||
|
||||
compressions = comp_alg1
|
||||
host keys = key_alg1
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphersx = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
failed = False
|
||||
try:
|
||||
self.Policy(policy_data=policy_data)
|
||||
except ValueError:
|
||||
failed = True
|
||||
|
||||
assert failed, "Invalid policy did not cause Policy object to throw exception"
|
||||
|
||||
|
||||
def test_policy_invalid_2(self):
|
||||
'''Basic policy, but is missing the required name field.'''
|
||||
|
||||
policy_data = '''# This is a comment
|
||||
#name = "Test Policy"
|
||||
version = 1
|
||||
|
||||
compressions = comp_alg1
|
||||
host keys = key_alg1
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
failed = False
|
||||
try:
|
||||
self.Policy(policy_data=policy_data)
|
||||
except ValueError:
|
||||
failed = True
|
||||
|
||||
assert failed, "Invalid policy did not cause Policy object to throw exception"
|
||||
|
||||
|
||||
def test_policy_invalid_3(self):
|
||||
'''Basic policy, but is missing the required version field.'''
|
||||
|
||||
policy_data = '''# This is a comment
|
||||
name = "Test Policy"
|
||||
#version = 1
|
||||
|
||||
compressions = comp_alg1
|
||||
host keys = key_alg1
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
failed = False
|
||||
try:
|
||||
self.Policy(policy_data=policy_data)
|
||||
except ValueError:
|
||||
failed = True
|
||||
|
||||
assert failed, "Invalid policy did not cause Policy object to throw exception"
|
||||
|
||||
|
||||
def test_policy_invalid_4(self):
|
||||
'''Basic policy, but is missing quotes in the name field.'''
|
||||
|
||||
policy_data = '''# This is a comment
|
||||
name = Test Policy
|
||||
version = 1
|
||||
|
||||
compressions = comp_alg1
|
||||
host keys = key_alg1
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
failed = False
|
||||
try:
|
||||
self.Policy(policy_data=policy_data)
|
||||
except ValueError:
|
||||
failed = True
|
||||
|
||||
assert failed, "Invalid policy did not cause Policy object to throw exception"
|
||||
|
||||
|
||||
def test_policy_invalid_5(self):
|
||||
'''Basic policy, but is missing quotes in the banner field.'''
|
||||
|
||||
policy_data = '''# This is a comment
|
||||
name = "Test Policy"
|
||||
version = 1
|
||||
|
||||
banner = 0mg
|
||||
compressions = comp_alg1
|
||||
host keys = key_alg1
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
failed = False
|
||||
try:
|
||||
self.Policy(policy_data=policy_data)
|
||||
except ValueError:
|
||||
failed = True
|
||||
|
||||
assert failed, "Invalid policy did not cause Policy object to throw exception"
|
||||
|
||||
|
||||
def test_policy_invalid_6(self):
|
||||
'''Basic policy, but is missing quotes in the header field.'''
|
||||
|
||||
policy_data = '''# This is a comment
|
||||
name = "Test Policy"
|
||||
version = 1
|
||||
|
||||
header = 0mg
|
||||
compressions = comp_alg1
|
||||
host keys = key_alg1
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
failed = False
|
||||
try:
|
||||
self.Policy(policy_data=policy_data)
|
||||
except ValueError:
|
||||
failed = True
|
||||
|
||||
assert failed, "Invalid policy did not cause Policy object to throw exception"
|
||||
|
||||
|
||||
def test_policy_create_1(self):
|
||||
'''Creates a policy from a kex and ensures it is generated exactly as expected.'''
|
||||
|
||||
kex = self._get_kex()
|
||||
pol_data = self.Policy.create('www.l0l.com', 'bannerX', 'headerX', kex)
|
||||
|
||||
# Today's date is embedded in the policy, so filter it out to get repeatable results.
|
||||
pol_data = pol_data.replace(date.today().strftime('%Y/%m/%d'), '[todays date]')
|
||||
|
||||
# Instead of writing out the entire expected policy--line by line--just check that it has the expected hash.
|
||||
assert hashlib.sha256(pol_data.encode('ascii')).hexdigest() == 'e830fb9e5731995e5e4858b2b6d16704d7e5c2769d3a8d9acdd023a83ab337c5'
|
||||
|
||||
|
||||
def test_policy_evaluate_passing_1(self):
|
||||
'''Creates a policy and evaluates it against the same server'''
|
||||
|
||||
kex = self._get_kex()
|
||||
policy_data = self.Policy.create('www.l0l.com', None, None, kex)
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
|
||||
ret, errors = policy.evaluate('SSH Server 1.0', None, kex)
|
||||
assert ret is True
|
||||
assert len(errors) == 0
|
||||
|
||||
|
||||
def test_policy_evaluate_failing_1(self):
|
||||
'''Ensure that a policy with a specified banner fails against a server with a different banner'''
|
||||
|
||||
policy_data = '''name = "Test Policy"
|
||||
version = 1
|
||||
banner = "XXX mismatched banner XXX"
|
||||
compressions = comp_alg1, comp_alg2
|
||||
host keys = key_alg1, key_alg2
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
|
||||
assert ret is False
|
||||
assert len(errors) == 1
|
||||
assert errors[0].find('Banner did not match.') != -1
|
||||
|
||||
|
||||
def test_policy_evaluate_failing_2(self):
|
||||
'''Ensure that a mismatched compressions list results in a failure'''
|
||||
|
||||
policy_data = '''name = "Test Policy"
|
||||
version = 1
|
||||
compressions = XXXmismatchedXXX, comp_alg1, comp_alg2
|
||||
host keys = key_alg1, key_alg2
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
|
||||
assert ret is False
|
||||
assert len(errors) == 1
|
||||
assert errors[0].find('Compression types did not match.') != -1
|
||||
|
||||
|
||||
def test_policy_evaluate_failing_3(self):
|
||||
'''Ensure that a mismatched host keys results in a failure'''
|
||||
|
||||
policy_data = '''name = "Test Policy"
|
||||
version = 1
|
||||
compressions = comp_alg1, comp_alg2
|
||||
host keys = XXXmismatchedXXX, key_alg1, key_alg2
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
|
||||
assert ret is False
|
||||
assert len(errors) == 1
|
||||
assert errors[0].find('Host key types did not match.') != -1
|
||||
|
||||
|
||||
def test_policy_evaluate_failing_4(self):
|
||||
'''Ensure that a mismatched key exchange list results in a failure'''
|
||||
|
||||
policy_data = '''name = "Test Policy"
|
||||
version = 1
|
||||
compressions = comp_alg1, comp_alg2
|
||||
host keys = key_alg1, key_alg2
|
||||
key exchanges = XXXmismatchedXXX, kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
|
||||
assert ret is False
|
||||
assert len(errors) == 1
|
||||
assert errors[0].find('Key exchanges did not match.') != -1
|
||||
|
||||
|
||||
def test_policy_evaluate_failing_5(self):
|
||||
'''Ensure that a mismatched cipher list results in a failure'''
|
||||
|
||||
policy_data = '''name = "Test Policy"
|
||||
version = 1
|
||||
compressions = comp_alg1, comp_alg2
|
||||
host keys = key_alg1, key_alg2
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, XXXmismatched, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
|
||||
assert ret is False
|
||||
assert len(errors) == 1
|
||||
assert errors[0].find('Ciphers did not match.') != -1
|
||||
|
||||
|
||||
def test_policy_evaluate_failing_6(self):
|
||||
'''Ensure that a mismatched MAC list results in a failure'''
|
||||
|
||||
policy_data = '''name = "Test Policy"
|
||||
version = 1
|
||||
compressions = comp_alg1, comp_alg2
|
||||
host keys = key_alg1, key_alg2
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, XXXmismatched, mac_alg3'''
|
||||
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
|
||||
assert ret is False
|
||||
assert len(errors) == 1
|
||||
assert errors[0].find('MACs did not match.') != -1
|
||||
|
||||
|
||||
def test_policy_evaluate_failing_7(self):
|
||||
'''Ensure that a mismatched host keys and MACs results in a failure'''
|
||||
|
||||
policy_data = '''name = "Test Policy"
|
||||
version = 1
|
||||
compressions = comp_alg1, comp_alg2
|
||||
host keys = key_alg1, key_alg2, XXXmismatchedXXX
|
||||
key exchanges = kex_alg1, kex_alg2
|
||||
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, XXXmismatchedXXX, mac_alg3'''
|
||||
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
|
||||
assert ret is False
|
||||
assert len(errors) == 2
|
||||
|
||||
errors_str = ', '.join(errors)
|
||||
assert errors_str.find('Host key types did not match.') != -1
|
||||
assert errors_str.find('MACs did not match.') != -1
|
@ -133,8 +133,8 @@ class TestSSH1:
|
||||
vsocket.rdata.append(b'SSH-1.5-OpenSSH_7.2 ssh-audit-test\r\n')
|
||||
vsocket.rdata.append(self._create_ssh1_packet(w.write_flush()))
|
||||
output_spy.begin()
|
||||
with pytest.raises(SystemExit):
|
||||
self.audit(self._conf())
|
||||
ret = self.audit(self._conf())
|
||||
assert ret != 0
|
||||
lines = output_spy.flush()
|
||||
assert len(lines) == 7
|
||||
assert 'unknown message' in lines[-1]
|
||||
|
@ -143,8 +143,8 @@ class TestSSH2:
|
||||
vsocket.rdata.append(b'SSH-2.0-OpenSSH_7.3 ssh-audit-test\r\n')
|
||||
vsocket.rdata.append(self._create_ssh2_packet(w.write_flush()))
|
||||
output_spy.begin()
|
||||
with pytest.raises(SystemExit):
|
||||
self.audit(self._conf())
|
||||
ret = self.audit(self._conf())
|
||||
assert ret != 0
|
||||
lines = output_spy.flush()
|
||||
assert len(lines) == 3
|
||||
assert 'unknown message' in lines[-1]
|
||||
|
Reference in New Issue
Block a user