Added policy checks (#10).

This commit is contained in:
Joe Testa
2020-06-30 15:53:50 -04:00
parent 8e71c2d66b
commit dd44e2f010
51 changed files with 1328 additions and 40 deletions

View File

@ -0,0 +1 @@
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test1 v1"}

View File

@ -0,0 +1,3 @@
Host: localhost
Policy: Docker policy: test1 v1
Result: ✔ Passed

View File

@ -0,0 +1 @@
{"errors": ["RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072", "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 1024"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test10 v1"}

View File

@ -0,0 +1,7 @@
Host: localhost
Policy: Docker poliicy: test10 v1
Result: ❌ Failed!

Errors:
* RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072
* RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 1024

View File

@ -0,0 +1 @@
{"errors": ["Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1']"], "host": "localhost", "passed": false, "policy": "Docker policy: test2 v1"}

View File

@ -0,0 +1,6 @@
Host: localhost
Policy: Docker policy: test2 v1
Result: ❌ Failed!

Errors:
* Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1']

View File

@ -0,0 +1 @@
{"errors": ["Host key types did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss']"], "host": "localhost", "passed": false, "policy": "Docker policy: test3 v1"}

View File

@ -0,0 +1,6 @@
Host: localhost
Policy: Docker policy: test3 v1
Result: ❌ Failed!

Errors:
* Host key types did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss']

View File

@ -0,0 +1 @@
{"errors": ["Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']"], "host": "localhost", "passed": false, "policy": "Docker policy: test4 v1"}

View File

@ -0,0 +1,6 @@
Host: localhost
Policy: Docker policy: test4 v1
Result: ❌ Failed!

Errors:
* Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

View File

@ -0,0 +1 @@
{"errors": ["MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']"], "host": "localhost", "passed": false, "policy": "Docker policy: test5 v1"}

View File

@ -0,0 +1,6 @@
Host: localhost
Policy: Docker policy: test5 v1
Result: ❌ Failed!

Errors:
* MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']

View File

@ -0,0 +1 @@
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker poliicy: test7 v1"}

View File

@ -0,0 +1,3 @@
Host: localhost
Policy: Docker poliicy: test7 v1
Result: ✔ Passed

View File

@ -0,0 +1 @@
{"errors": ["RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 2048; Actual: 1024"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test8 v1"}

View File

@ -0,0 +1,6 @@
Host: localhost
Policy: Docker poliicy: test8 v1
Result: ❌ Failed!

Errors:
* RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 2048; Actual: 1024

View File

@ -0,0 +1 @@
{"errors": ["RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072"], "host": "localhost", "passed": false, "policy": "Docker poliicy: test9 v1"}

View File

@ -0,0 +1,6 @@
Host: localhost
Policy: Docker poliicy: test9 v1
Result: ❌ Failed!

Errors:
* RSA hostkey (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072

View File

@ -0,0 +1 @@
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test11 v1"}

View File

@ -0,0 +1,3 @@
Host: localhost
Policy: Docker policy: test11 v1
Result: ✔ Passed

View File

@ -0,0 +1 @@
{"errors": ["RSA hostkey (rsa-sha2-256) sizes did not match. Expected: 4096; Actual: 3072", "RSA hostkey (rsa-sha2-512) sizes did not match. Expected: 4096; Actual: 3072", "RSA hostkey (ssh-rsa) sizes did not match. Expected: 4096; Actual: 3072"], "host": "localhost", "passed": false, "policy": "Docker policy: test12 v1"}

View File

@ -0,0 +1,8 @@
Host: localhost
Policy: Docker policy: test12 v1
Result: ❌ Failed!

Errors:
* RSA hostkey (rsa-sha2-256) sizes did not match. Expected: 4096; Actual: 3072
* RSA hostkey (rsa-sha2-512) sizes did not match. Expected: 4096; Actual: 3072
* RSA hostkey (ssh-rsa) sizes did not match. Expected: 4096; Actual: 3072

View File

@ -0,0 +1 @@
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test13 v1"}

View File

@ -0,0 +1,3 @@
Host: localhost
Policy: Docker policy: test13 v1
Result: ✔ Passed

View File

@ -0,0 +1 @@
{"errors": ["Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. Expected: 4096; Actual: 2048"], "host": "localhost", "passed": false, "policy": "Docker policy: test14 v1"}

View File

@ -0,0 +1,6 @@
Host: localhost
Policy: Docker policy: test14 v1
Result: ❌ Failed!

Errors:
* Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. Expected: 4096; Actual: 2048

View File

@ -0,0 +1 @@
{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test6 v1"}

View File

@ -0,0 +1,3 @@
Host: localhost
Policy: Docker policy: test6 v1
Result: ✔ Passed

View File

@ -0,0 +1,10 @@
#
# Docker policy: test1
#
name = "Docker policy: test1"
version = 1
host keys = ssh-rsa, ssh-dss
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

View File

@ -0,0 +1,39 @@
#
# Docker policy: test10
#
# The name of this policy (displayed in the output during scans). Must be in quotes.
name = "Docker poliicy: test10"
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
version = 1
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
# banner = "SSH-2.0-OpenSSH_5.6"
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
# header = "[]"
# The compression options that must match exactly (order matters). Commented out to ignore by default.
# compressions = none, zlib@openssh.com
# RSA host key sizes.
hostkey_size_rsa-sha2-256 = 3072
hostkey_size_rsa-sha2-512 = 3072
hostkey_size_ssh-rsa = 3072
hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
# RSA CA key sizes.
cakey_size_ssh-rsa-cert-v01@openssh.com = 4096
# The host key types that must match exactly (order matters).
host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
# The key exchange algorithms that must match exactly (order matters).
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
# The ciphers that must match exactly (order matters).
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
# The MACs that must match exactly (order matters).
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

View File

@ -0,0 +1,35 @@
#
# Docker policy: test11
#
# The name of this policy (displayed in the output during scans). Must be in quotes.
name = "Docker policy: test11"
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
version = 1
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
# banner = "SSH-2.0-OpenSSH_8.0"
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
# header = "[]"
# The compression options that must match exactly (order matters). Commented out to ignore by default.
# compressions = none, zlib@openssh.com
# RSA host key sizes.
hostkey_size_rsa-sha2-256 = 3072
hostkey_size_rsa-sha2-512 = 3072
hostkey_size_ssh-rsa = 3072
# The host key types that must match exactly (order matters).
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
# The key exchange algorithms that must match exactly (order matters).
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
# The ciphers that must match exactly (order matters).
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
# The MACs that must match exactly (order matters).
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

View File

@ -0,0 +1,35 @@
#
# Docker policy: test12
#
# The name of this policy (displayed in the output during scans). Must be in quotes.
name = "Docker policy: test12"
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
version = 1
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
# banner = "SSH-2.0-OpenSSH_8.0"
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
# header = "[]"
# The compression options that must match exactly (order matters). Commented out to ignore by default.
# compressions = none, zlib@openssh.com
# RSA host key sizes.
hostkey_size_rsa-sha2-256 = 4096
hostkey_size_rsa-sha2-512 = 4096
hostkey_size_ssh-rsa = 4096
# The host key types that must match exactly (order matters).
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
# The key exchange algorithms that must match exactly (order matters).
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
# The ciphers that must match exactly (order matters).
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
# The MACs that must match exactly (order matters).
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

View File

@ -0,0 +1,38 @@
#
# Docker policy: test13
#
# The name of this policy (displayed in the output during scans). Must be in quotes.
name = "Docker policy: test13"
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
version = 1
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
# banner = "SSH-2.0-OpenSSH_8.0"
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
# header = "[]"
# The compression options that must match exactly (order matters). Commented out to ignore by default.
# compressions = none, zlib@openssh.com
# RSA host key sizes.
hostkey_size_rsa-sha2-256 = 3072
hostkey_size_rsa-sha2-512 = 3072
hostkey_size_ssh-rsa = 3072
# Group exchange DH modulus sizes.
dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
# The host key types that must match exactly (order matters).
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
# The key exchange algorithms that must match exactly (order matters).
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
# The ciphers that must match exactly (order matters).
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
# The MACs that must match exactly (order matters).
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

View File

@ -0,0 +1,38 @@
#
# Docker policy: test14
#
# The name of this policy (displayed in the output during scans). Must be in quotes.
name = "Docker policy: test14"
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
version = 1
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
# banner = "SSH-2.0-OpenSSH_8.0"
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
# header = "[]"
# The compression options that must match exactly (order matters). Commented out to ignore by default.
# compressions = none, zlib@openssh.com
# RSA host key sizes.
hostkey_size_rsa-sha2-256 = 3072
hostkey_size_rsa-sha2-512 = 3072
hostkey_size_ssh-rsa = 3072
# Group exchange DH modulus sizes.
dh_modulus_size_diffie-hellman-group-exchange-sha256 = 4096
# The host key types that must match exactly (order matters).
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
# The key exchange algorithms that must match exactly (order matters).
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
# The ciphers that must match exactly (order matters).
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
# The MACs that must match exactly (order matters).
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

View File

@ -0,0 +1,10 @@
#
# Docker policy: test2
#
name = "Docker policy: test2"
version = 1
host keys = ssh-rsa, ssh-dss
key exchanges = kex_alg1, kex_alg2
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

View File

@ -0,0 +1,10 @@
#
# Docker policy: test3
#
name = "Docker policy: test3"
version = 1
host keys = ssh-rsa, ssh-dss, key_alg1
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

View File

@ -0,0 +1,10 @@
#
# Docker policy: test4
#
name = "Docker policy: test4"
version = 1
host keys = ssh-rsa, ssh-dss
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
ciphers = cipher_alg1, cipher_alg2
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

View File

@ -0,0 +1,10 @@
#
# Docker policy: test5
#
name = "Docker policy: test5"
version = 1
host keys = ssh-rsa, ssh-dss
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96

View File

@ -0,0 +1,12 @@
#
# Docker policy: test6
#
name = "Docker policy: test6"
version = 1
banner = "SSH-2.0-OpenSSH_8.0"
compressions = none, zlib@openssh.com
host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

View File

@ -0,0 +1,39 @@
#
# Docker policy: test7
#
# The name of this policy (displayed in the output during scans). Must be in quotes.
name = "Docker poliicy: test7"
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
version = 1
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
# banner = "SSH-2.0-OpenSSH_5.6"
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
# header = "[]"
# The compression options that must match exactly (order matters). Commented out to ignore by default.
# compressions = none, zlib@openssh.com
# RSA host key sizes.
hostkey_size_rsa-sha2-256 = 3072
hostkey_size_rsa-sha2-512 = 3072
hostkey_size_ssh-rsa = 3072
hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
# RSA CA key sizes.
cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
# The host key types that must match exactly (order matters).
host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
# The key exchange algorithms that must match exactly (order matters).
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
# The ciphers that must match exactly (order matters).
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
# The MACs that must match exactly (order matters).
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

View File

@ -0,0 +1,39 @@
#
# Docker policy: test8
#
# The name of this policy (displayed in the output during scans). Must be in quotes.
name = "Docker poliicy: test8"
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
version = 1
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
# banner = "SSH-2.0-OpenSSH_5.6"
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
# header = "[]"
# The compression options that must match exactly (order matters). Commented out to ignore by default.
# compressions = none, zlib@openssh.com
# RSA host key sizes.
hostkey_size_rsa-sha2-256 = 3072
hostkey_size_rsa-sha2-512 = 3072
hostkey_size_ssh-rsa = 3072
hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
# RSA CA key sizes.
cakey_size_ssh-rsa-cert-v01@openssh.com = 2048
# The host key types that must match exactly (order matters).
host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
# The key exchange algorithms that must match exactly (order matters).
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
# The ciphers that must match exactly (order matters).
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
# The MACs that must match exactly (order matters).
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

View File

@ -0,0 +1,39 @@
#
# Docker policy: test9
#
# The name of this policy (displayed in the output during scans). Must be in quotes.
name = "Docker poliicy: test9"
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
version = 1
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
# banner = "SSH-2.0-OpenSSH_5.6"
# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
# header = "[]"
# The compression options that must match exactly (order matters). Commented out to ignore by default.
# compressions = none, zlib@openssh.com
# RSA host key sizes.
hostkey_size_rsa-sha2-256 = 3072
hostkey_size_rsa-sha2-512 = 3072
hostkey_size_ssh-rsa = 3072
hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
# RSA CA key sizes.
cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
# The host key types that must match exactly (order matters).
host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
# The key exchange algorithms that must match exactly (order matters).
key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
# The ciphers that must match exactly (order matters).
ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
# The MACs that must match exactly (order matters).
macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

View File

@ -11,7 +11,7 @@ class TestAuditConf:
@staticmethod
def _test_conf(conf, **kwargs):
options = {
'host': None,
'host': '',
'port': 22,
'ssh1': True,
'ssh2': True,

View File

@ -16,36 +16,39 @@ class TestErrors:
conf.batch = True
return conf
def _audit(self, spy, conf=None, sysexit=True):
def _audit(self, spy, conf=None, exit_expected=False):
if conf is None:
conf = self._conf()
spy.begin()
if sysexit:
if exit_expected:
with pytest.raises(SystemExit):
self.audit(conf)
else:
self.audit(conf)
ret = self.audit(conf)
assert ret != 0
lines = spy.flush()
return lines
def test_connection_unresolved(self, output_spy, virtual_socket):
vsocket = virtual_socket
vsocket.gsock.addrinfodata['localhost#22'] = []
lines = self._audit(output_spy)
lines = self._audit(output_spy, exit_expected=True)
assert len(lines) == 1
assert 'has no DNS records' in lines[-1]
def test_connection_refused(self, output_spy, virtual_socket):
vsocket = virtual_socket
vsocket.errors['connect'] = socket.error(errno.ECONNREFUSED, 'Connection refused')
lines = self._audit(output_spy)
lines = self._audit(output_spy, exit_expected=True)
assert len(lines) == 1
assert 'Connection refused' in lines[-1]
def test_connection_timeout(self, output_spy, virtual_socket):
vsocket = virtual_socket
vsocket.errors['connect'] = socket.timeout('timed out')
lines = self._audit(output_spy)
lines = self._audit(output_spy, exit_expected=True)
assert len(lines) == 1
assert 'timed out' in lines[-1]

337
test/test_policy.py Normal file
View File

@ -0,0 +1,337 @@
import hashlib
import pytest
from datetime import date
class TestPolicy:
@pytest.fixture(autouse=True)
def init(self, ssh_audit):
self.Policy = ssh_audit.Policy
self.wbuf = ssh_audit.WriteBuf
self.ssh2 = ssh_audit.SSH2
def _get_kex(self):
'''Returns an SSH2.Kex object to simulate a server connection.'''
w = self.wbuf()
w.write(b'\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff')
w.write_list(['kex_alg1', 'kex_alg2'])
w.write_list(['key_alg1', 'key_alg2'])
w.write_list(['cipher_alg1', 'cipher_alg2', 'cipher_alg3'])
w.write_list(['cipher_alg1', 'cipher_alg2', 'cipher_alg3'])
w.write_list(['mac_alg1', 'mac_alg2', 'mac_alg3'])
w.write_list(['mac_alg1', 'mac_alg2', 'mac_alg3'])
w.write_list(['comp_alg1', 'comp_alg2'])
w.write_list(['comp_alg1', 'comp_alg2'])
w.write_list([''])
w.write_list([''])
w.write_byte(False)
w.write_int(0)
return self.ssh2.Kex.parse(w.write_flush())
def test_policy_basic(self):
'''Ensure that a basic policy can be parsed correctly.'''
policy_data = '''# This is a comment
name = "Test Policy"
version = 1
compressions = comp_alg1
host keys = key_alg1
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
policy = self.Policy(policy_data=policy_data)
assert str(policy) == "Name: [Test Policy]\nVersion: [1]\nBanner: {undefined}\nHeader: {undefined}\nCompressions: comp_alg1\nHost Keys: key_alg1\nKey Exchanges: kex_alg1, kex_alg2\nCiphers: cipher_alg1, cipher_alg2, cipher_alg3\nMACs: mac_alg1, mac_alg2, mac_alg3"
def test_policy_invalid_1(self):
'''Basic policy, but with 'ciphersx' instead of 'ciphers'.'''
policy_data = '''# This is a comment
name = "Test Policy"
version = 1
compressions = comp_alg1
host keys = key_alg1
key exchanges = kex_alg1, kex_alg2
ciphersx = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
failed = False
try:
self.Policy(policy_data=policy_data)
except ValueError:
failed = True
assert failed, "Invalid policy did not cause Policy object to throw exception"
def test_policy_invalid_2(self):
'''Basic policy, but is missing the required name field.'''
policy_data = '''# This is a comment
#name = "Test Policy"
version = 1
compressions = comp_alg1
host keys = key_alg1
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
failed = False
try:
self.Policy(policy_data=policy_data)
except ValueError:
failed = True
assert failed, "Invalid policy did not cause Policy object to throw exception"
def test_policy_invalid_3(self):
'''Basic policy, but is missing the required version field.'''
policy_data = '''# This is a comment
name = "Test Policy"
#version = 1
compressions = comp_alg1
host keys = key_alg1
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
failed = False
try:
self.Policy(policy_data=policy_data)
except ValueError:
failed = True
assert failed, "Invalid policy did not cause Policy object to throw exception"
def test_policy_invalid_4(self):
'''Basic policy, but is missing quotes in the name field.'''
policy_data = '''# This is a comment
name = Test Policy
version = 1
compressions = comp_alg1
host keys = key_alg1
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
failed = False
try:
self.Policy(policy_data=policy_data)
except ValueError:
failed = True
assert failed, "Invalid policy did not cause Policy object to throw exception"
def test_policy_invalid_5(self):
'''Basic policy, but is missing quotes in the banner field.'''
policy_data = '''# This is a comment
name = "Test Policy"
version = 1
banner = 0mg
compressions = comp_alg1
host keys = key_alg1
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
failed = False
try:
self.Policy(policy_data=policy_data)
except ValueError:
failed = True
assert failed, "Invalid policy did not cause Policy object to throw exception"
def test_policy_invalid_6(self):
'''Basic policy, but is missing quotes in the header field.'''
policy_data = '''# This is a comment
name = "Test Policy"
version = 1
header = 0mg
compressions = comp_alg1
host keys = key_alg1
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
failed = False
try:
self.Policy(policy_data=policy_data)
except ValueError:
failed = True
assert failed, "Invalid policy did not cause Policy object to throw exception"
def test_policy_create_1(self):
'''Creates a policy from a kex and ensures it is generated exactly as expected.'''
kex = self._get_kex()
pol_data = self.Policy.create('www.l0l.com', 'bannerX', 'headerX', kex)
# Today's date is embedded in the policy, so filter it out to get repeatable results.
pol_data = pol_data.replace(date.today().strftime('%Y/%m/%d'), '[todays date]')
# Instead of writing out the entire expected policy--line by line--just check that it has the expected hash.
assert hashlib.sha256(pol_data.encode('ascii')).hexdigest() == 'e830fb9e5731995e5e4858b2b6d16704d7e5c2769d3a8d9acdd023a83ab337c5'
def test_policy_evaluate_passing_1(self):
'''Creates a policy and evaluates it against the same server'''
kex = self._get_kex()
policy_data = self.Policy.create('www.l0l.com', None, None, kex)
policy = self.Policy(policy_data=policy_data)
ret, errors = policy.evaluate('SSH Server 1.0', None, kex)
assert ret is True
assert len(errors) == 0
def test_policy_evaluate_failing_1(self):
'''Ensure that a policy with a specified banner fails against a server with a different banner'''
policy_data = '''name = "Test Policy"
version = 1
banner = "XXX mismatched banner XXX"
compressions = comp_alg1, comp_alg2
host keys = key_alg1, key_alg2
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
policy = self.Policy(policy_data=policy_data)
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
assert ret is False
assert len(errors) == 1
assert errors[0].find('Banner did not match.') != -1
def test_policy_evaluate_failing_2(self):
'''Ensure that a mismatched compressions list results in a failure'''
policy_data = '''name = "Test Policy"
version = 1
compressions = XXXmismatchedXXX, comp_alg1, comp_alg2
host keys = key_alg1, key_alg2
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
policy = self.Policy(policy_data=policy_data)
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
assert ret is False
assert len(errors) == 1
assert errors[0].find('Compression types did not match.') != -1
def test_policy_evaluate_failing_3(self):
'''Ensure that a mismatched host keys results in a failure'''
policy_data = '''name = "Test Policy"
version = 1
compressions = comp_alg1, comp_alg2
host keys = XXXmismatchedXXX, key_alg1, key_alg2
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
policy = self.Policy(policy_data=policy_data)
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
assert ret is False
assert len(errors) == 1
assert errors[0].find('Host key types did not match.') != -1
def test_policy_evaluate_failing_4(self):
'''Ensure that a mismatched key exchange list results in a failure'''
policy_data = '''name = "Test Policy"
version = 1
compressions = comp_alg1, comp_alg2
host keys = key_alg1, key_alg2
key exchanges = XXXmismatchedXXX, kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
policy = self.Policy(policy_data=policy_data)
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
assert ret is False
assert len(errors) == 1
assert errors[0].find('Key exchanges did not match.') != -1
def test_policy_evaluate_failing_5(self):
'''Ensure that a mismatched cipher list results in a failure'''
policy_data = '''name = "Test Policy"
version = 1
compressions = comp_alg1, comp_alg2
host keys = key_alg1, key_alg2
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, XXXmismatched, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, mac_alg3'''
policy = self.Policy(policy_data=policy_data)
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
assert ret is False
assert len(errors) == 1
assert errors[0].find('Ciphers did not match.') != -1
def test_policy_evaluate_failing_6(self):
'''Ensure that a mismatched MAC list results in a failure'''
policy_data = '''name = "Test Policy"
version = 1
compressions = comp_alg1, comp_alg2
host keys = key_alg1, key_alg2
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, XXXmismatched, mac_alg3'''
policy = self.Policy(policy_data=policy_data)
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
assert ret is False
assert len(errors) == 1
assert errors[0].find('MACs did not match.') != -1
def test_policy_evaluate_failing_7(self):
'''Ensure that a mismatched host keys and MACs results in a failure'''
policy_data = '''name = "Test Policy"
version = 1
compressions = comp_alg1, comp_alg2
host keys = key_alg1, key_alg2, XXXmismatchedXXX
key exchanges = kex_alg1, kex_alg2
ciphers = cipher_alg1, cipher_alg2, cipher_alg3
macs = mac_alg1, mac_alg2, XXXmismatchedXXX, mac_alg3'''
policy = self.Policy(policy_data=policy_data)
ret, errors = policy.evaluate('SSH Server 1.0', None, self._get_kex())
assert ret is False
assert len(errors) == 2
errors_str = ', '.join(errors)
assert errors_str.find('Host key types did not match.') != -1
assert errors_str.find('MACs did not match.') != -1

View File

@ -133,8 +133,8 @@ class TestSSH1:
vsocket.rdata.append(b'SSH-1.5-OpenSSH_7.2 ssh-audit-test\r\n')
vsocket.rdata.append(self._create_ssh1_packet(w.write_flush()))
output_spy.begin()
with pytest.raises(SystemExit):
self.audit(self._conf())
ret = self.audit(self._conf())
assert ret != 0
lines = output_spy.flush()
assert len(lines) == 7
assert 'unknown message' in lines[-1]

View File

@ -143,8 +143,8 @@ class TestSSH2:
vsocket.rdata.append(b'SSH-2.0-OpenSSH_7.3 ssh-audit-test\r\n')
vsocket.rdata.append(self._create_ssh2_packet(w.write_flush()))
output_spy.begin()
with pytest.raises(SystemExit):
self.audit(self._conf())
ret = self.audit(self._conf())
assert ret != 0
lines = output_spy.flush()
assert len(lines) == 3
assert 'unknown message' in lines[-1]