Added policy checks (#10).

2025-06-23 19:14:32 +02:00 · 2020-06-30 15:53:50 -04:00
parent 8e71c2d66b
commit dd44e2f010
51 changed files with 1328 additions and 40 deletions
--- a/test/docker/expected_results/openssh_5.6p1_policy_test1.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test1.json
@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test1 v1"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test1.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test1.txt
@ -0,0 +1,3 @@
+Host:   localhost
+Policy: Docker policy: test1 v1
+Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test10.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test10.json
@ -0,0 +1 @@
+{"errors": ["RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match.  Expected: 4096; Actual: 3072", "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match.  Expected: 4096; Actual: 1024"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test10 v1"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test10.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test10.txt
@ -0,0 +1,7 @@
+Host:   localhost
+Policy: Docker poliicy: test10 v1
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match.  Expected: 4096; Actual: 3072
+  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match.  Expected: 4096; Actual: 1024[0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test2.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test2.json
@ -0,0 +1 @@
+{"errors": ["Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1']"], "host": "localhost", "passed": false, "policy": "Docker policy: test2 v1"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test2.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test2.txt
@ -0,0 +1,6 @@
+Host:   localhost
+Policy: Docker policy: test2 v1
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'][0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test3.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test3.json
@ -0,0 +1 @@
+{"errors": ["Host key types did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss']"], "host": "localhost", "passed": false, "policy": "Docker policy: test3 v1"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test3.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test3.txt
@ -0,0 +1,6 @@
+Host:   localhost
+Policy: Docker policy: test3 v1
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Host key types did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss'][0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test4.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test4.json
@ -0,0 +1 @@
+{"errors": ["Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']"], "host": "localhost", "passed": false, "policy": "Docker policy: test4 v1"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test4.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test4.txt
@ -0,0 +1,6 @@
+Host:   localhost
+Policy: Docker policy: test4 v1
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'][0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test5.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test5.json
@ -0,0 +1 @@
+{"errors": ["MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']"], "host": "localhost", "passed": false, "policy": "Docker policy: test5 v1"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test5.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test5.txt
@ -0,0 +1,6 @@
+Host:   localhost
+Policy: Docker policy: test5 v1
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'][0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test7.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test7.json
@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker poliicy: test7 v1"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test7.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test7.txt
@ -0,0 +1,3 @@
+Host:   localhost
+Policy: Docker poliicy: test7 v1
+Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test8.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test8.json
@ -0,0 +1 @@
+{"errors": ["RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match.  Expected: 2048; Actual: 1024"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test8 v1"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test8.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test8.txt
@ -0,0 +1,6 @@
+Host:   localhost
+Policy: Docker poliicy: test8 v1
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match.  Expected: 2048; Actual: 1024[0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test9.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test9.json
@ -0,0 +1 @@
+{"errors": ["RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match.  Expected: 4096; Actual: 3072"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test9 v1"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test9.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test9.txt
@ -0,0 +1,6 @@
+Host:   localhost
+Policy: Docker poliicy: test9 v1
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match.  Expected: 4096; Actual: 3072[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test11.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test11.json
@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test11 v1"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test11.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test11.txt
@ -0,0 +1,3 @@
+Host:   localhost
+Policy: Docker policy: test11 v1
+Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test12.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test12.json
@ -0,0 +1 @@
+{"errors": ["RSA hostkey (rsa-sha2-256) sizes did not match.  Expected: 4096; Actual: 3072", "RSA hostkey (rsa-sha2-512) sizes did not match.  Expected: 4096; Actual: 3072", "RSA hostkey (ssh-rsa) sizes did not match.  Expected: 4096; Actual: 3072"], "host": "localhost", "passed": false, "policy": "Docker policy: test12 v1"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test12.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test12.txt
@ -0,0 +1,8 @@
+Host:   localhost
+Policy: Docker policy: test12 v1
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * RSA hostkey (rsa-sha2-256) sizes did not match.  Expected: 4096; Actual: 3072
+  * RSA hostkey (rsa-sha2-512) sizes did not match.  Expected: 4096; Actual: 3072
+  * RSA hostkey (ssh-rsa) sizes did not match.  Expected: 4096; Actual: 3072[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test13.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test13.json
@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test13 v1"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test13.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test13.txt
@ -0,0 +1,3 @@
+Host:   localhost
+Policy: Docker policy: test13 v1
+Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test14.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test14.json
@ -0,0 +1 @@
+{"errors": ["Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.  Expected: 4096; Actual: 2048"], "host": "localhost", "passed": false, "policy": "Docker policy: test14 v1"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test14.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test14.txt
@ -0,0 +1,6 @@
+Host:   localhost
+Policy: Docker policy: test14 v1
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.  Expected: 4096; Actual: 2048[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test6.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test6.json
@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test6 v1"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test6.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test6.txt
@ -0,0 +1,3 @@
+Host:   localhost
+Policy: Docker policy: test6 v1
+Result: [0;32m✔ Passed[0m
--- a/test/docker/policies/policy_test1.txt
+++ b/test/docker/policies/policy_test1.txt
@ -0,0 +1,10 @@
+#
+# Docker policy: test1
+#
+
+name = "Docker policy: test1"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test10.txt
+++ b/test/docker/policies/policy_test10.txt
@ -0,0 +1,39 @@
+#
+# Docker policy: test10
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker poliicy: test10"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 4096
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test11.txt
+++ b/test/docker/policies/policy_test11.txt
@ -0,0 +1,35 @@
+#
+# Docker policy: test11
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker policy: test11"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test12.txt
+++ b/test/docker/policies/policy_test12.txt
@ -0,0 +1,35 @@
+#
+# Docker policy: test12
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker policy: test12"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+hostkey_size_ssh-rsa = 4096
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test13.txt
+++ b/test/docker/policies/policy_test13.txt
@ -0,0 +1,38 @@
+#
+# Docker policy: test13
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker policy: test13"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test14.txt
+++ b/test/docker/policies/policy_test14.txt
@ -0,0 +1,38 @@
+#
+# Docker policy: test14
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker policy: test14"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 4096
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test2.txt
+++ b/test/docker/policies/policy_test2.txt
@ -0,0 +1,10 @@
+#
+# Docker policy: test2
+#
+
+name = "Docker policy: test2"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = kex_alg1, kex_alg2
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test3.txt
+++ b/test/docker/policies/policy_test3.txt
@ -0,0 +1,10 @@
+#
+# Docker policy: test3
+#
+
+name = "Docker policy: test3"
+version = 1
+host keys = ssh-rsa, ssh-dss, key_alg1
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test4.txt
+++ b/test/docker/policies/policy_test4.txt
@ -0,0 +1,10 @@
+#
+# Docker policy: test4
+#
+
+name = "Docker policy: test4"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = cipher_alg1, cipher_alg2
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test5.txt
+++ b/test/docker/policies/policy_test5.txt
@ -0,0 +1,10 @@
+#
+# Docker policy: test5
+#
+
+name = "Docker policy: test5"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96
--- a/test/docker/policies/policy_test6.txt
+++ b/test/docker/policies/policy_test6.txt
@ -0,0 +1,12 @@
+#
+# Docker policy: test6
+#
+
+name = "Docker policy: test6"
+version = 1
+banner = "SSH-2.0-OpenSSH_8.0"
+compressions = none, zlib@openssh.com
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test7.txt
+++ b/test/docker/policies/policy_test7.txt
@ -0,0 +1,39 @@
+#
+# Docker policy: test7
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker poliicy: test7"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test8.txt
+++ b/test/docker/policies/policy_test8.txt
@ -0,0 +1,39 @@
+#
+# Docker policy: test8
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker poliicy: test8"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test9.txt
+++ b/test/docker/policies/policy_test9.txt
@ -0,0 +1,39 @@
+#
+# Docker policy: test9
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker poliicy: test9"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/test_auditconf.py
+++ b/test/test_auditconf.py
@ -11,7 +11,7 @@ class TestAuditConf:
    @staticmethod
    def _test_conf(conf, **kwargs):
        options = {
-            'host': None,
+            'host': '',
            'port': 22,
            'ssh1': True,
            'ssh2': True,
--- a/test/test_errors.py
+++ b/test/test_errors.py
@ -16,36 +16,39 @@ class TestErrors:
        conf.batch = True
        return conf

-    def _audit(self, spy, conf=None, sysexit=True):
+    def _audit(self, spy, conf=None, exit_expected=False):
        if conf is None:
            conf = self._conf()
        spy.begin()
-        if sysexit:
+
+        if exit_expected:
            with pytest.raises(SystemExit):
                self.audit(conf)
        else:
-            self.audit(conf)
+            ret = self.audit(conf)
+            assert ret != 0
+
        lines = spy.flush()
        return lines

    def test_connection_unresolved(self, output_spy, virtual_socket):
        vsocket = virtual_socket
        vsocket.gsock.addrinfodata['localhost#22'] = []
-        lines = self._audit(output_spy)
+        lines = self._audit(output_spy, exit_expected=True)
        assert len(lines) == 1
        assert 'has no DNS records' in lines[-1]

    def test_connection_refused(self, output_spy, virtual_socket):
        vsocket = virtual_socket
        vsocket.errors['connect'] = socket.error(errno.ECONNREFUSED, 'Connection refused')
-        lines = self._audit(output_spy)
+        lines = self._audit(output_spy, exit_expected=True)
        assert len(lines) == 1
        assert 'Connection refused' in lines[-1]

    def test_connection_timeout(self, output_spy, virtual_socket):
        vsocket = virtual_socket
        vsocket.errors['connect'] = socket.timeout('timed out')
-        lines = self._audit(output_spy)
+        lines = self._audit(output_spy, exit_expected=True)
        assert len(lines) == 1
        assert 'timed out' in lines[-1]

--- a/test/test_policy.py
+++ b/test/test_policy.py
@ -0,0 +1,337 @@
+import hashlib
+import pytest
+from datetime import date
+
+
+class TestPolicy:
+    @pytest.fixture(autouse=True)
+    def init(self, ssh_audit):
+        self.Policy = ssh_audit.Policy
+        self.wbuf = ssh_audit.WriteBuf
+        self.ssh2 = ssh_audit.SSH2
+
+
+    def _get_kex(self):
+        '''Returns an SSH2.Kex object to simulate a server connection.'''
+
+        w = self.wbuf()
+        w.write(b'\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff')
+        w.write_list(['kex_alg1', 'kex_alg2'])
+        w.write_list(['key_alg1', 'key_alg2'])
+        w.write_list(['cipher_alg1', 'cipher_alg2', 'cipher_alg3'])
+        w.write_list(['cipher_alg1', 'cipher_alg2', 'cipher_alg3'])
+        w.write_list(['mac_alg1', 'mac_alg2', 'mac_alg3'])
+        w.write_list(['mac_alg1', 'mac_alg2', 'mac_alg3'])
+        w.write_list(['comp_alg1', 'comp_alg2'])
+        w.write_list(['comp_alg1', 'comp_alg2'])
+        w.write_list([''])
+        w.write_list([''])
+        w.write_byte(False)
+        w.write_int(0)
+        return self.ssh2.Kex.parse(w.write_flush())
+
+
+    def test_policy_basic(self):
+        '''Ensure that a basic policy can be parsed correctly.'''
+
+        policy_data = '''# This is a comment
+name = "Test Policy"
+version = 1
+
+compressions = comp_alg1
+host keys = key_alg1
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        policy = self.Policy(policy_data=policy_data)
+        assert str(policy) == "Name: [Test Policy]\nVersion: [1]\nBanner: {undefined}\nHeader: {undefined}\nCompressions: comp_alg1\nHost Keys: key_alg1\nKey Exchanges: kex_alg1, kex_alg2\nCiphers: cipher_alg1, cipher_alg2, cipher_alg3\nMACs: mac_alg1, mac_alg2, mac_alg3"
+
+
+    def test_policy_invalid_1(self):
+        '''Basic policy, but with 'ciphersx' instead of 'ciphers'.'''
+
+        policy_data = '''# This is a comment
+name = "Test Policy"
+version = 1
+
+compressions = comp_alg1
+host keys = key_alg1
+key exchanges = kex_alg1, kex_alg2
+ciphersx = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        failed = False
+        try:
+            self.Policy(policy_data=policy_data)
+        except ValueError:
+            failed = True
+
+        assert failed, "Invalid policy did not cause Policy object to throw exception"
+
+
+    def test_policy_invalid_2(self):
+        '''Basic policy, but is missing the required name field.'''
+
+        policy_data = '''# This is a comment
+#name = "Test Policy"
+version = 1
+
+compressions = comp_alg1
+host keys = key_alg1
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        failed = False
+        try:
+            self.Policy(policy_data=policy_data)
+        except ValueError:
+            failed = True
+
+        assert failed, "Invalid policy did not cause Policy object to throw exception"
+
+
+    def test_policy_invalid_3(self):
+        '''Basic policy, but is missing the required version field.'''
+
+        policy_data = '''# This is a comment
+name = "Test Policy"
+#version = 1
+
+compressions = comp_alg1
+host keys = key_alg1
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        failed = False
+        try:
+            self.Policy(policy_data=policy_data)
+        except ValueError:
+            failed = True
+
+        assert failed, "Invalid policy did not cause Policy object to throw exception"
+
+
+    def test_policy_invalid_4(self):
+        '''Basic policy, but is missing quotes in the name field.'''
+
+        policy_data = '''# This is a comment
+name = Test Policy
+version = 1
+
+compressions = comp_alg1
+host keys = key_alg1
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        failed = False
+        try:
+            self.Policy(policy_data=policy_data)
+        except ValueError:
+            failed = True
+
+        assert failed, "Invalid policy did not cause Policy object to throw exception"
+
+
+    def test_policy_invalid_5(self):
+        '''Basic policy, but is missing quotes in the banner field.'''
+
+        policy_data = '''# This is a comment
+name = "Test Policy"
+version = 1
+
+banner = 0mg
+compressions = comp_alg1
+host keys = key_alg1
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        failed = False
+        try:
+            self.Policy(policy_data=policy_data)
+        except ValueError:
+            failed = True
+
+        assert failed, "Invalid policy did not cause Policy object to throw exception"
+
+
+    def test_policy_invalid_6(self):
+        '''Basic policy, but is missing quotes in the header field.'''
+
+        policy_data = '''# This is a comment
+name = "Test Policy"
+version = 1
+
+header = 0mg
+compressions = comp_alg1
+host keys = key_alg1
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        failed = False
+        try:
+            self.Policy(policy_data=policy_data)
+        except ValueError:
+            failed = True
+
+        assert failed, "Invalid policy did not cause Policy object to throw exception"
+
+
+    def test_policy_create_1(self):
+        '''Creates a policy from a kex and ensures it is generated exactly as expected.'''
+
+        kex = self._get_kex()
+        pol_data = self.Policy.create('www.l0l.com', 'bannerX', 'headerX', kex)
+
+        # Today's date is embedded in the policy, so filter it out to get repeatable results.
+        pol_data = pol_data.replace(date.today().strftime('%Y/%m/%d'), '[todays date]')
+
+        # Instead of writing out the entire expected policy--line by line--just check that it has the expected hash.
+        assert hashlib.sha256(pol_data.encode('ascii')).hexdigest() == 'e830fb9e5731995e5e4858b2b6d16704d7e5c2769d3a8d9acdd023a83ab337c5'
+
+
+    def test_policy_evaluate_passing_1(self):
+        '''Creates a policy and evaluates it against the same server'''
+
+        kex = self._get_kex()
+        policy_data = self.Policy.create('www.l0l.com', None, None, kex)
+        policy = self.Policy(policy_data=policy_data)
+
+        ret, errors = policy.evaluate('SSH Server 1.0', None, kex)
+        assert ret is True
+        assert len(errors) == 0
+
+
+    def test_policy_evaluate_failing_1(self):
+        '''Ensure that a policy with a specified banner fails against a server with a different banner'''
+
+        policy_data = '''name = "Test Policy"
+version = 1
+banner = "XXX mismatched banner XXX"
+compressions = comp_alg1, comp_alg2
+host keys = key_alg1, key_alg2
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        policy = self.Policy(policy_data=policy_data)
+        ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
+        assert ret is False
+        assert len(errors) == 1
+        assert errors[0].find('Banner did not match.') != -1
+
+
+    def test_policy_evaluate_failing_2(self):
+        '''Ensure that a mismatched compressions list results in a failure'''
+
+        policy_data = '''name = "Test Policy"
+version = 1
+compressions = XXXmismatchedXXX, comp_alg1, comp_alg2
+host keys = key_alg1, key_alg2
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        policy = self.Policy(policy_data=policy_data)
+        ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
+        assert ret is False
+        assert len(errors) == 1
+        assert errors[0].find('Compression types did not match.') != -1
+
+
+    def test_policy_evaluate_failing_3(self):
+        '''Ensure that a mismatched host keys results in a failure'''
+
+        policy_data = '''name = "Test Policy"
+version = 1
+compressions = comp_alg1, comp_alg2
+host keys = XXXmismatchedXXX, key_alg1, key_alg2
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        policy = self.Policy(policy_data=policy_data)
+        ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
+        assert ret is False
+        assert len(errors) == 1
+        assert errors[0].find('Host key types did not match.') != -1
+
+
+    def test_policy_evaluate_failing_4(self):
+        '''Ensure that a mismatched key exchange list results in a failure'''
+
+        policy_data = '''name = "Test Policy"
+version = 1
+compressions = comp_alg1, comp_alg2
+host keys = key_alg1, key_alg2
+key exchanges = XXXmismatchedXXX, kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        policy = self.Policy(policy_data=policy_data)
+        ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
+        assert ret is False
+        assert len(errors) == 1
+        assert errors[0].find('Key exchanges did not match.') != -1
+
+
+    def test_policy_evaluate_failing_5(self):
+        '''Ensure that a mismatched cipher list results in a failure'''
+
+        policy_data = '''name = "Test Policy"
+version = 1
+compressions = comp_alg1, comp_alg2
+host keys = key_alg1, key_alg2
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, XXXmismatched, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, mac_alg3'''
+
+        policy = self.Policy(policy_data=policy_data)
+        ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
+        assert ret is False
+        assert len(errors) == 1
+        assert errors[0].find('Ciphers did not match.') != -1
+
+
+    def test_policy_evaluate_failing_6(self):
+        '''Ensure that a mismatched MAC list results in a failure'''
+
+        policy_data = '''name = "Test Policy"
+version = 1
+compressions = comp_alg1, comp_alg2
+host keys = key_alg1, key_alg2
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, XXXmismatched, mac_alg3'''
+
+        policy = self.Policy(policy_data=policy_data)
+        ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
+        assert ret is False
+        assert len(errors) == 1
+        assert errors[0].find('MACs did not match.') != -1
+
+
+    def test_policy_evaluate_failing_7(self):
+        '''Ensure that a mismatched host keys and MACs results in a failure'''
+
+        policy_data = '''name = "Test Policy"
+version = 1
+compressions = comp_alg1, comp_alg2
+host keys = key_alg1, key_alg2, XXXmismatchedXXX
+key exchanges = kex_alg1, kex_alg2
+ciphers = cipher_alg1, cipher_alg2, cipher_alg3
+macs = mac_alg1, mac_alg2, XXXmismatchedXXX, mac_alg3'''
+
+        policy = self.Policy(policy_data=policy_data)
+        ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
+        assert ret is False
+        assert len(errors) == 2
+
+        errors_str = ', '.join(errors)
+        assert errors_str.find('Host key types did not match.') != -1
+        assert errors_str.find('MACs did not match.') != -1
--- a/test/test_ssh1.py
+++ b/test/test_ssh1.py
@ -133,8 +133,8 @@ class TestSSH1:
        vsocket.rdata.append(b'SSH-1.5-OpenSSH_7.2 ssh-audit-test\r\n')
        vsocket.rdata.append(self._create_ssh1_packet(w.write_flush()))
        output_spy.begin()
-        with pytest.raises(SystemExit):
-            self.audit(self._conf())
+        ret = self.audit(self._conf())
+        assert ret != 0
        lines = output_spy.flush()
        assert len(lines) == 7
        assert 'unknown message' in lines[-1]
--- a/test/test_ssh2.py
+++ b/test/test_ssh2.py
@ -143,8 +143,8 @@ class TestSSH2:
        vsocket.rdata.append(b'SSH-2.0-OpenSSH_7.3 ssh-audit-test\r\n')
        vsocket.rdata.append(self._create_ssh2_packet(w.write_flush()))
        output_spy.begin()
-        with pytest.raises(SystemExit):
-            self.audit(self._conf())
+        ret = self.audit(self._conf())
+        assert ret != 0
        lines = output_spy.flush()
        assert len(lines) == 3
        assert 'unknown message' in lines[-1]
				`@ -0,0 +1 @@`
				`{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test1 v1"}`
				`@ -0,0 +1 @@`
				`{"errors": ["RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072", "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 1024"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test10 v1"}`
				`@ -0,0 +1 @@`
				`{"errors": ["Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1']"], "host": "localhost", "passed": false, "policy": "Docker policy: test2 v1"}`
				`@ -0,0 +1 @@`
				`{"errors": ["Host key types did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss']"], "host": "localhost", "passed": false, "policy": "Docker policy: test3 v1"}`
				`@ -0,0 +1 @@`
				`{"errors": ["Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']"], "host": "localhost", "passed": false, "policy": "Docker policy: test4 v1"}`
				`@ -0,0 +1 @@`
				`{"errors": ["MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']"], "host": "localhost", "passed": false, "policy": "Docker policy: test5 v1"}`
				`@ -0,0 +1 @@`
				`{"errors": ["RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 2048; Actual: 1024"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test8 v1"}`
				`@ -0,0 +1 @@`
				`{"errors": ["RSA hostkey (rsa-sha2-256) sizes did not match. Expected: 4096; Actual: 3072", "RSA hostkey (rsa-sha2-512) sizes did not match. Expected: 4096; Actual: 3072", "RSA hostkey (ssh-rsa) sizes did not match. Expected: 4096; Actual: 3072"], "host": "localhost", "passed": false, "policy": "Docker policy: test12 v1"}`
				`@ -0,0 +1 @@`
				`{"errors": ["Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. Expected: 4096; Actual: 2048"], "host": "localhost", "passed": false, "policy": "Docker policy: test14 v1"}`