free
/
freedombone
Suivre 1
Favoriser 0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Parcourir la source

Additional ssh stig tests

Bob Mottram il y a 8 ans
Parent
cab5ffcefd
révision
baf5d90770
1 fichiers modifiés avec 193 ajouts et 29 suppressions
Vue séparée Afficher les stats Diff
  1. 193
    29
      tests/check-ssh.sh

+ 193
- 29
tests/check-ssh.sh Voir le fichier 

@@ -1,33 +1,197 @@
1 1 
 #!/bin/bash
2 2 
 case $1 in
3 
-        Protocol)
4 
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -w "^Protocol" | awk '{print $2}')" -ne 2 ];then
5 
-                        exit 1
6 
-                fi
7 
-        ;;
8 
-        rhosts)
9 
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i IgnoreRhosts | awk '{print $2}')" != "yes" ];then
10 
-                        exit 1
11 
-                fi
12 
-        ;;
13 
-        hostauth)
14 
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i HostbasedAuthentication | awk '{print $2}')" != "no" ];then
15 
-                        exit 1
16 
-                fi
17 
-        ;;
18 
-        permitroot)
19 
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitRootLogin | awk '{print $2}')" != "no" ];then
20 
-                        exit 1
21 
-                fi
22 
-        ;;
23 
-        emptypassword)
24 
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
25 
-                        exit 1
26 
-                fi
27 
-        ;;
28 
-        emptypasswordenvironment)
29 
-                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
30 
-                        exit 1
31 
-                fi
3 
+    Protocol)
4 
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -w "^Protocol" | awk '{print $2}')" -ne 2 ];then
5 
+            exit 1
6 
+        fi
7 
+        ;;
8 
+    rhosts)
9 
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i IgnoreRhosts | awk '{print $2}')" != "yes" ];then
10 
+            exit 1
11 
+        fi
12 
+        ;;
13 
+    hostauth)
14 
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i HostbasedAuthentication | awk '{print $2}')" != "no" ];then
15 
+            exit 1
16 
+        fi
17 
+        ;;
18 
+    permitroot)
19 
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitRootLogin | awk '{print $2}')" != "no" ];then
20 
+            exit 1
21 
+        fi
22 
+        ;;
23 
+    emptypassword)
24 
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
25 
+            exit 1
26 
+        fi
27 
+        ;;
28 
+    emptypasswordenvironment)
29 
+        if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
30 
+            exit 1
31 
+        fi
32 
+        ;;
33 
+    ciphers)
34 
+        if grep -i "Ciphers.*aes128-ctr\|Ciphers.*aes256-ctr\|Ciphers.*aes192-ctr" /etc/ssh/sshd_config;then
35 
+            :
36 
+        else
37 
+            exit 1
38 
+        fi
39 
+        ;;
40 
+    banner)
41 
+        if grep -i banner /etc/ssh/sshd_config | grep -v "^#";then
42 
+            :
43 
+        else
44 
+            exit 1
45 
+        fi
46 
+        ;;
47 
+    sshd_status)
48 
+        if systemctl status sshd | grep "Active:.*(running)";then
49 
+            :
50 
+        else
51 
+            exit 1
52 
+        fi
53 
+        ;;
54 
+    ClientAliveInterval)
55 
+        if grep ClientAliveInterval /etc/ssh/sshd_config | grep -v "^#";then
56 
+            INTERVAL=`grep ClientAliveInterval /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
57 
+            if [ ${INTERVAL} -lt 60 ];then
58 
+                exit 1
59 
+            fi
60 
+        else
61 
+            exit 1
62 
+        fi
63 
+        ;;
64 
+    RhostsRSAAuthentication)
65 
+        if grep RhostsRSAAuthentication /etc/ssh/sshd_config | grep -v "^#";then
66 
+            SETVALUE=`grep RhostsRSAAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
67 
+            if [ "${SETVALUE}" == "no" ];then
68 
+                exit 1
69 
+            fi
70 
+        else
71 
+            exit 1
72 
+        fi
73 
+        ;;
74 
+    ClientAliveCountMax)
75 
+        if grep ClientAliveCountMax /etc/ssh/sshd_config | grep -v "^#";then
76 
+            SETVALUE=`grep ClientAliveCountMax /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
77 
+            if [ ${SETVALUE} -gt 3 ];then
78 
+                exit 1
79 
+            fi
80 
+        else
81 
+            exit 1
82 
+        fi
83 
+        ;;
84 
+    IgnoreRhosts)
85 
+        if grep IgnoreRhosts /etc/ssh/sshd_config | grep -v "^#";then
86 
+            SETVALUE=`grep IgnoreRhosts /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
87 
+            if [ "${SETVALUE}" == "no" ];then
88 
+                exit 1
89 
+            fi
90 
+        else
91 
+            exit 1
92 
+        fi
93 
+        ;;
94 
+    PrintLastLog)
95 
+        if grep PrintLastLog /etc/ssh/sshd_config | grep -v "^#";then
96 
+            SETVALUE=`grep PrintLastLog /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
97 
+            if [ "${SETVALUE}" != "yes" ];then
98 
+                exit 1
99 
+            fi
100 
+        else
101 
+            exit 1
102 
+        fi
103 
+        ;;
104 
+    IgnoreUserKnownHosts)
105 
+        if grep IgnoreUserKnownHosts /etc/ssh/sshd_config | grep -v "^#";then
106 
+            SETVALUE=`grep IgnoreUserKnownHosts /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
107 
+            if [ "${SETVALUE}" != "yes" ];then
108 
+                exit 1
109 
+            fi
110 
+        else
111 
+            exit 1
112 
+        fi
113 
+        ;;
114 
+    macs)
115 
+        if grep -i "MACs.*hmac-sha2-256\|MACs.*hmac-sha2-512"  /etc/ssh/sshd_config;then
116 
+            :
117 
+        else
118 
+            exit 1
119 
+        fi
120 
+        ;;
121 
+    pubkeypermissive)
122 
+        COUNT=`find /etc/ssh/ -type f -name "*.pub" -perm  /133  -exec ls -l {} \; | wc -l`
123 
+        if [ ${COUNT} -eq 0 ];then
124 
+            :
125 
+        else
126 
+            exit 1
127 
+        fi
128 
+        ;;
129 
+    hostkeypermissive)
130 
+        COUNT=`find /etc/ssh/ -type f -name "*ssh_host*key" -perm  /177  -exec ls -l {} \; | wc -l`
131 
+        if [ ${COUNT} -eq 0 ];then
132 
+            :
133 
+        else
134 
+            exit 1
135 
+        fi
136 
+        ;;
137 
+    GSSAPIAuthentication)
138 
+        if grep GSSAPIAuthentication /etc/ssh/sshd_config | grep -v "^#";then
139 
+            SETVALUE=`grep GSSAPIAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
140 
+            if [ "${SETVALUE}" != "no" ];then
141 
+                exit 1
142 
+            fi
143 
+        else
144 
+            exit 1
145 
+        fi
146 
+        ;;
147 
+    KerberosAuthentication)
148 
+        if grep KerberosAuthentication /etc/ssh/sshd_config | grep -v "^#";then
149 
+            SETVALUE=`grep KerberosAuthentication /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
150 
+            if [ "${SETVALUE}" != "no" ];then
151 
+                exit 1
152 
+            fi
153 
+        else
154 
+            exit 1
155 
+        fi
156 
+        ;;
157 
+    StrictModes)
158 
+        if grep StrictModes /etc/ssh/sshd_config | grep -v "^#";then
159 
+            SETVALUE=`grep StrictModes /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
160 
+            if [ "${SETVALUE}" != "yes" ];then
161 
+                exit 1
162 
+            fi
163 
+        else
164 
+            exit 1
165 
+        fi
166 
+        ;;
167 
+    UsePrivilegeSeparation)
168 
+        if grep UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v "^#";then
169 
+            SETVALUE=`grep UsePrivilegeSeparation /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
170 
+            if [ "${SETVALUE}" != "yes" -a "${SETVALUE}" != "sandbox" ];then
171 
+                exit 1
172 
+            fi
173 
+        else
174 
+            exit 1
175 
+        fi
176 
+        ;;
177 
+    Compression)
178 
+        if grep Compression /etc/ssh/sshd_config | grep -v "^#";then
179 
+            SETVALUE=`grep Compression /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
180 
+            if [ "${SETVALUE}" != "no" -a "${SETVALUE}" != "delayed" ];then
181 
+                exit 1
182 
+            fi
183 
+        else
184 
+            exit 1
185 
+        fi
186 
+        ;;
187 
+    X11Forwarding)
188 
+        if grep X11Forwarding /etc/ssh/sshd_config | grep -v "^#";then
189 
+            SETVALUE=`grep X11Forwarding /etc/ssh/sshd_config | grep -v "^#" | awk '{printf $2}'`
190 
+            if [ "${SETVALUE}" != "no" ];then
191 
+                exit 1
192 
+            fi
193 
+        else
194 
+            exit 1
195 
+        fi
32 196 
         ;;
33 197 
 esac