From ec48249debd14121627dc66c1e8d575328d0ad41 Mon Sep 17 00:00:00 2001
From: Joe Testa
Date: Tue, 20 Oct 2020 16:25:39 -0400
Subject: [PATCH] Now reports policy errors in an easier to read format. (#63)
---
 src/ssh_audit/policy.py | 19 +++++++++++--------
 .../openssh_5.6p1_custom_policy_test10.txt | 10 ++++++++--
 .../openssh_5.6p1_custom_policy_test2.txt | 5 ++++-
 .../openssh_5.6p1_custom_policy_test3.txt | 5 ++++-
 .../openssh_5.6p1_custom_policy_test4.txt | 5 ++++-
 .../openssh_5.6p1_custom_policy_test5.txt | 5 ++++-
 .../openssh_5.6p1_custom_policy_test8.txt | 5 ++++-
 .../openssh_5.6p1_custom_policy_test9.txt | 5 ++++-
 .../openssh_8.0p1_builtin_policy_test2.txt | 5 ++++-
 .../openssh_8.0p1_custom_policy_test12.txt | 15 ++++++++++++---
 .../openssh_8.0p1_custom_policy_test14.txt | 5 ++++-
 11 files changed, 63 insertions(+), 21 deletions(-)
diff --git a/src/ssh_audit/policy.py b/src/ssh_audit/policy.py
index 3a0ce69..143066c 100644
--- a/src/ssh_audit/policy.py
+++ b/src/ssh_audit/policy.py
@@ -375,20 +375,23 @@ macs = %s '''Transforms an error struct to a flat string of error messages.''' error_list = [] + spacer = '' for e in errors: - e_str = "%s did not match. " % e['mismatched_field'] + e_str = " * %s did not match.\n" % e['mismatched_field'] if ('expected_optional' in e) and (e['expected_optional'] != ['']): - e_str += "Expected (required): %s; Expected (optional): %s" % (Policy._normalize_error_field(e['expected_required']), Policy._normalize_error_field(e['expected_optional'])) + e_str += " - Expected (required): %s\n - Expected (optional): %s\n" % (Policy._normalize_error_field(e['expected_required']), Policy._normalize_error_field(e['expected_optional'])) + spacer = ' ' else: - e_str += "Expected: %s" % Policy._normalize_error_field(e['expected_required']) - e_str += "; Actual: %s" % Policy._normalize_error_field(e['actual']) + e_str += " - Expected: %s\n" % Policy._normalize_error_field(e['expected_required']) + spacer = ' ' + e_str += " - Actual:%s%s\n" % (spacer, Policy._normalize_error_field(e['actual'])) error_list.append(e_str) error_list.sort() # To ensure repeatable results for testing. error_str = '' if len(error_list) > 0: - error_str = " * %s" % '\n * '.join(error_list) + error_str = "\n".join(error_list) return error_str @@ -449,14 +452,14 @@ macs = %s @staticmethod def _normalize_error_field(field: List[str]) -> Any: - '''If field is an array with a string parsable as an integer, return that integer. Otherwise, return the field unmodified.''' + '''If field is an array with a string parsable as an integer, return that integer. Otherwise, return the field joined with commas.''' if len(field) == 1: try: return int(field[0]) except ValueError: - return field + return field[0] else: - return field + return ', '.join(field) def __str__(self) -> str: diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt index e7ee571..7f8befc 100644 
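Review bot: The `error_str = ''` / `if len(error_list) > 0:` guard kept as context around the new `error_str = "\n".join(error_list)` line is now redundant, because `"\n".join([])` already yields `''`; the tail of the function can simply be `return "\n".join(error_list)`. In the same hunk the added `spacer = ''` before the loop is dead, since both branches of the `if` assign `spacer` before it is read on the `Actual:` line, and as rendered here both branches assign the same `' '` — if that is not an artefact of collapsed whitespace in this view, the variable carries no information and can be folded into the `"    - Actual: %s\n"` format string. Note also that each entry already ends in `\n` and the entries are then joined with `\n`, which is what produces the blank separator line and the trailing blank line seen in every fixture change in this commit; a one-line comment saying so, `# each entry ends in '\n'; joining with '\n' yields a blank line between entries`, would save the next reader from "fixing" it. The signature of the enclosing `_get_error_str` lies before the start of this hunk.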
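Review bot: `_normalize_error_field` now returns `field[0]` and `', '.join(field)` verbatim, whereas the old `return field` was rendered through the list's `%s` formatting (`['kex_alg1', 'kex_alg2']` in the fixtures), which repr-escaped any non-printable characters in the strings. The `actual` lists appear to be algorithm names taken from the audited server, so with this change a hostile server could place raw control or terminal-escape bytes into the report; consider escaping before joining, e.g. `return ', '.join(f.encode('unicode_escape').decode('ascii') for f in field)` (and the same treatment for the single-element branch), which leaves the printable ASCII names in the fixtures unchanged. Since every return path is now an `int` or a `str`, the `-> Any` annotation can be narrowed to `-> Union[int, str]` (adding `Union` to the existing `typing` import if it is not already there) and the docstring should say the non-integer single-element case returns that element as a plain string.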
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt @@ -3,5 +3,11 @@ Policy: Docker poliicy: test10 (version 1) Result: ❌ Failed!  Errors: - * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 1024 - * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072 + * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. + - Expected: 4096 + - Actual: 1024 + + * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. + - Expected: 4096 + - Actual: 3072 + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt index b4d8cdc..e88e44b 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt @@ -3,4 +3,7 @@ Policy: Docker policy: test2 (version 1) Result: ❌ Failed!  Errors: - * Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] + * Key exchanges did not match. + - Expected: kex_alg1, kex_alg2 + - Actual: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt index a0586cc..cf7eefc 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt 
@@ -3,4 +3,7 @@ Policy: Docker policy: test3 (version 1) Result: ❌ Failed!  Errors: - * Host keys did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss'] + * Host keys did not match. + - Expected: ssh-rsa, ssh-dss, key_alg1 + - Actual: ssh-rsa, ssh-dss + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt index 9438e4f..514b715 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt @@ -3,4 +3,7 @@ Policy: Docker policy: test4 (version 1) Result: ❌ Failed!  Errors: - * Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'] + * Ciphers did not match. + - Expected: cipher_alg1, cipher_alg2 + - Actual: aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt index d20e9fb..746ca8c 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt 
@@ -3,4 +3,7 @@ Policy: Docker policy: test5 (version 1) Result: ❌ Failed!  Errors: - * MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] + * MACs did not match. + - Expected: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96 + - Actual: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt index 888d404..36dceba 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt @@ -3,4 +3,7 @@ Policy: Docker poliicy: test8 (version 1) Result: ❌ Failed!  Errors: - * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 2048; Actual: 1024 + * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. + - Expected: 2048 + - Actual: 1024 + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt index 2761478..fc91c9f 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt @@ -3,4 +3,7 @@ Policy: Docker poliicy: test9 (version 1) Result: ❌ Failed!  Errors: - * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072 + * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. + - Expected: 4096 + - Actual: 3072 + 
diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt index 28d6575..de1f3e7 100644 --- a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt @@ -3,4 +3,7 @@ Policy: Hardened OpenSSH Server v8.0 (version 1) Result: ❌ Failed!  Errors: - * MACs did not match. Expected: ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com']; Actual: ['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] + * MACs did not match. + - Expected: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com + - Actual: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1 + diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt index 5baa42d..6fb0561 100644 --- a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt 
@@ -3,6 +3,15 @@ Policy: Docker policy: test12 (version 1) Result: ❌ Failed!  Errors: - * RSA host key (rsa-sha2-256) sizes did not match. Expected: 4096; Actual: 3072 - * RSA host key (rsa-sha2-512) sizes did not match. Expected: 4096; Actual: 3072 - * RSA host key (ssh-rsa) sizes did not match. Expected: 4096; Actual: 3072 + * RSA host key (rsa-sha2-256) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * RSA host key (rsa-sha2-512) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * RSA host key (ssh-rsa) sizes did not match. + - Expected: 4096 + - Actual: 3072 + diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt index b2ea4ee..2bb59fb 100644 --- a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt @@ -3,4 +3,7 @@ Policy: Docker policy: test14 (version 1) Result: ❌ Failed!  Errors: - * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. Expected: 4096; Actual: 2048 + * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. + - Expected: 4096 + - Actual: 2048 +