Added note regarding hardening instructions.

Run tests against stable version of Python 3.13.
Issue a warning if an out-dated policy is used.
2026-05-25 07:21:23 +02:00 · 2024-10-10 16:10:52 -04:00 · 2024-10-10 16:06:18 -04:00 · 2024-10-10 15:57:29 -04:00
22 changed files with 64 additions and 21 deletions
@@ -7,7 +7,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13.0-rc.2"]
+        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v4
@@ -57,6 +57,7 @@ class Policy:
        self._allow_algorithm_subset_and_reordering = False
        self._allow_larger_keys = False
        self._errors: List[Any] = []
        self._updated_builtin_policy_available = False  # If True, an outdated built-in policy was loaded.
        self._name_and_version: str = ''
@@ -496,6 +497,11 @@ macs = %s
        return self._name_and_version
    def is_outdated_builtin_policy(self) -> bool:
        '''Returns True if this is a built-in policy that has a more recent version available than currently selected.'''
        return self._updated_builtin_policy_available
    def is_server_policy(self) -> bool:
        '''Returns True if this is a server policy, or False if this is a client policy.'''
        return self._server_policy
@@ -549,6 +555,14 @@ macs = %s
            # Ensure this struct has all the necessary fields.
            p._normalize_hostkey_sizes()  # pylint: disable=protected-access
        # Now check if an updated version of the requested policy exists.  If so, set a warning for the user.
        if p is not None and p._version is not None:  # pylint: disable=protected-access
            next_version = str(int(p._version) + 1)  # pylint: disable=protected-access
            name_version_pos = policy_name.find("(version ")
            next_version_name = policy_name[0:name_version_pos] + "(version %s)" % next_version
            if next_version_name in BUILTIN_POLICIES:
                p._updated_builtin_policy_available = True  # pylint: disable=protected-access
        return p
@@ -670,7 +670,12 @@ def evaluate_policy(out: OutputBuffer, aconf: AuditConf, banner: Optional['Banne
    passed, error_struct, error_str = aconf.policy.evaluate(banner, kex)
    if aconf.json:
-        json_struct = {'host': aconf.host, 'port': aconf.port, 'policy': aconf.policy.get_name_and_version(), 'passed': passed, 'errors': error_struct}
+        warnings: List[str] = []
        if aconf.policy.is_outdated_builtin_policy():
            warnings.append("A newer version of this built-in policy is available.")
        json_struct = {'host': aconf.host, 'port': aconf.port, 'policy': aconf.policy.get_name_and_version(), 'passed': passed, 'errors': error_struct, 'warnings': warnings}
        out.info(json.dumps(json_struct, indent=4 if aconf.json_print_indent else None, sort_keys=True))
    else:
        spacing = ''
@@ -703,6 +708,10 @@ def evaluate_policy(out: OutputBuffer, aconf: AuditConf, banner: Optional['Banne
            out.fail("%sFailed!" % icon_fail)
            out.warn("\nErrors:\n%s" % error_str)
        # If the user selected an out-dated built-in policy then issue a warning.
        if aconf.policy.is_outdated_builtin_policy():
            out.warn("Note: A newer version of this built-in policy is available.  Use the -L option to view all available versions.")
    return passed
@@ -775,6 +784,7 @@ def list_policies(out: OutputBuffer, verbose: bool) -> None:
        out.info("\nHint: Use -P and provide the full name of a policy to run a policy scan with.\n")
        out.info("Hint: Use -L -v to also see the change log for each policy.\n")
        out.info("Note: the general OpenSSH policies apply to the official releases only. OS distributions may back-port changes that cause failures (for example, Debian 11 back-ported the strict KEX mode into their package of OpenSSH v8.4, whereas it was only officially added to OpenSSH v9.6 and later).  In these cases, consider creating a custom policy (-M option).\n")
        out.info("Note: instructions for hardening targets, which correspond to the above policies, can be found at: <https://ssh-audit.com/hardening_guides.html>\n")
    out.write()
@@ -3,5 +3,6 @@
    "host": "localhost",
    "passed": true,
    "policy": "Docker policy: test1 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -28,5 +28,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker poliicy: test10 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -20,5 +20,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker policy: test2 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -19,5 +19,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker policy: test3 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -29,5 +29,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker policy: test4 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -28,5 +28,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker policy: test5 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -3,5 +3,6 @@
    "host": "localhost",
    "passed": true,
    "policy": "Docker poliicy: test7 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -16,5 +16,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker poliicy: test8 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -16,5 +16,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker poliicy: test9 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -40,5 +40,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Hardened OpenSSH Server v8.0 (version 4)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -63,5 +63,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Hardened OpenSSH Server v8.0 (version 4)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -3,5 +3,6 @@
    "host": "localhost",
    "passed": true,
    "policy": "Docker policy: test11 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -40,5 +40,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker policy: test12 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -3,5 +3,6 @@
    "host": "localhost",
    "passed": true,
    "policy": "Docker policy: test13 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -16,5 +16,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker policy: test14 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -3,5 +3,6 @@
    "host": "localhost",
    "passed": true,
    "policy": "Docker policy: test15 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -83,5 +83,6 @@
    "host": "localhost",
    "passed": false,
    "policy": "Docker policy: test16 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -3,5 +3,6 @@
    "host": "localhost",
    "passed": true,
    "policy": "Docker policy: test17 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
@@ -3,5 +3,6 @@
    "host": "localhost",
    "passed": true,
    "policy": "Docker policy: test6 (version 1)",
-    "port": 2222
+    "port": 2222,
    "warnings": []
 }
Author	SHA1	Message	Date
Joe Testa	3220043aaf	Added note regarding hardening instructions.	2024-10-10 16:10:52 -04:00
Joe Testa	40ed92bbe6	Run tests against stable version of Python 3.13.	2024-10-10 16:06:18 -04:00
Joe Testa	720150b471	Issue a warning if an out-dated policy is used.	2024-10-10 15:57:29 -04:00