OK, I've basically finished moving the SSH tests to the Debian Plugin.
I've attached a diff for adding them to plugin_debian_phase1 for your
consideration.

There are a few other updates to previous tests (for example for
dm-crypt & cryptmount) and I've added initial tests for Fail2ban.

What do you think, should we add these to the Debian plugin?

Thanks,

Dave

-- 
Dave Vehrs            Email: dve...@gmail.com

60,70c60,71
<                 apt-listbugs)           APTLISTBUGSBINARY=${BINARY};                                                                            logtext "  Found known binary: apt-listbugs (System tool) - ${BINARY}"                                    ;;
<                 apt-listchanges)        APTLISTCHANGESBINARY=${BINARY};                                                                         logtext "  Found known binary: apt-listchanges (System tool) - ${BINARY}"                                 ;;
<                 checkrestart)           CHECKRESTARTBINARY="${BINARY}";                                                                         logtext "  Found known binary: checkrestart (System tool) - ${BINARY}"                                    ;;
<                 cryptmount)             CRYPTMOUNTFOUND=1;      CRYPTMOUNTBINARY="${BINARY}";                                                   logtext "  Found known binary: cryptmount (Encryption tool) - ${BINARY}"                                  ;;
<                 cryptsetup)             CRYPTSETUPFOUND=1;      CRYPTSETUPBINARY="${BINARY}";                                                   logtext "  Found known binary: cryptsetup (Encryption tool) - ${BINARY}"                                  ;;
<                 debsecan)               DEBSECANBINARY="${BINARY}";                                                                             logtext "  Found known binary: debsecan (System tool) - ${BINARY}"                                        ;;
<                 debsums)                DEBSUMSBINARY="${BINARY}";                                                                              logtext "  Found known binary: debsums (System tool) - ${BINARY}"                                         ;;
<                 ecryptfsd)              ECRYPTFSDFOUND=1;       ECRYPTFSDBINARY="${BINARY}";                                                    logtext "  Found known binary: ecryptfsd (Layered Encryption) - ${BINARY}"                                ;;
<                 ecryptfs-migrate-home)  ECRYPTFSMIGRATEFOUND=1; ECRYPTFSMIGRATEBINARY=${BINARY};                                                logtext "  Found known binary: ecryptfs-migrate-home (Layered Encryption) - ${BINARY}"                    ;;
<                 lvdisplay)              LVDISPLAYBINARY="${BINARY}";                                                                            logtext "  Found known binary: lvdisplay (LVM tool) - ${BINARY}"                                          ;;
<                 mount)                  MOUNTBINARY="${BINARY}";                                                                                logtext "  Fount known binary: mount (File system tool) - ${BINARY}"                                      ;;
---
>                 apt-listbugs)           APTLISTBUGSBINARY=${BINARY};                              logtext "  Found known binary: apt-listbugs (System tool) - ${BINARY}"                 ;;
>                 apt-listchanges)        APTLISTCHANGESBINARY=${BINARY};                           logtext "  Found known binary: apt-listchanges (System tool) - ${BINARY}"              ;;
>                 checkrestart)           CHECKRESTARTBINARY="${BINARY}";                           logtext "  Found known binary: checkrestart (System tool) - ${BINARY}"                 ;;
>                 cryptmount)             CRYPTMOUNTFOUND=1;      CRYPTMOUNTBINARY="${BINARY}";     logtext "  Found known binary: cryptmount (Encryption tool) - ${BINARY}"               ;;
>                 cryptsetup)             CRYPTSETUPFOUND=1;      CRYPTSETUPBINARY="${BINARY}";     logtext "  Found known binary: cryptsetup (Encryption tool) - ${BINARY}"               ;;
>                 debsecan)               DEBSECANBINARY="${BINARY}";                               logtext "  Found known binary: debsecan (System tool) - ${BINARY}"                     ;;
>                 debsums)                DEBSUMSBINARY="${BINARY}";                                logtext "  Found known binary: debsums (System tool) - ${BINARY}"                      ;;
>                 ecryptfsd)              ECRYPTFSDFOUND=1;       ECRYPTFSDBINARY="${BINARY}";      logtext "  Found known binary: ecryptfsd (Layered Encryption) - ${BINARY}"             ;;
>                 ecryptfs-migrate-home)  ECRYPTFSMIGRATEFOUND=1; ECRYPTFSMIGRATEBINARY=${BINARY};  logtext "  Found known binary: ecryptfs-migrate-home (Layered Encryption) - ${BINARY}" ;;
>                 fail2ban-server)        FAIL2BANBINARY=${BINARY};                                 logtext "  Found known binary: fail2ban-server (Security tool) - ${BINARY}"            ;;
>                 lvdisplay)              LVDISPLAYBINARY="${BINARY}";                              logtext "  Found known binary: lvdisplay (LVM tool) - ${BINARY}"                       ;;
>                 mount)                  MOUNTBINARY="${BINARY}";                                  logtext "  Fount known binary: mount (File system tool) - ${BINARY}"                   ;;
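Review bot: The `mount` arm on the new side still logs `Fount known binary`, a typo in user-visible log text that this realignment of the case arms left in place; change it to `logtext "  Found known binary: mount (File system tool) - ${BINARY}"`. The new `fail2ban-server` arm assigns `FAIL2BANBINARY=${BINARY}` unquoted while most neighbouring arms write `"${BINARY}"`; a plain assignment is safe either way, but quoting it keeps the arms uniform. The enclosing `case` starts and ends outside the hunk.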
168c169
<             if [ ${COUNT2} > 0 ]; then
---
>             if [ ${COUNT2} -gt 0 ]; then
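Review bot: `[ ${COUNT2} -gt 0 ]` now uses the right operator, but `${COUNT2}` is unquoted and has no default, so if the counter is ever empty the test degrades to `[ -gt 0 ]` and `test` reports a syntax error instead of taking the else branch; `if [ "${COUNT2:-0}" -gt 0 ]; then` makes an empty value count as zero. The same applies to the sibling fixes at 187c188, 199c200, 400c405 and 538c543. Whether these counters can actually be empty depends on how they are computed, which is outside the hunk.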
187c188
<         if [ ${ROOT_COUNT} > 1 ]; then
---
>         if [ ${ROOT_COUNT} -gt 1 ]; then
199c200
<             if [ ${USER_COUNT} > 0 ]; then
---
>             if [ ${USER_COUNT} -gt 0 ]; then
309c310
<                 if [ "a${TYPE}a" = "aa" ]; then
---
>                 if [ "a${TYPE}a" = "an/aa" ]; then
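Review bot: The new comparison `[ "a${TYPE}a" = "an/aa" ]` hides the sentinel `n/a` inside the old empty-string guard idiom, which a reader has to decode; since both sides are quoted, `if [ "${TYPE}" = "n/a" ]; then` is equivalent and states the intent directly. Where `TYPE` takes the value `n/a` is outside the hunk, so a one-line comment above the test naming the command that yields it would help, e.g. `# TYPE is "n/a" when [PRODUCER] cannot determine the crypt type`. The enclosing `if` block starts and ends outside the hunk.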
312,318c313
<                     # will not show a type, cipher or other descriptions.
<                     #
<                     # We do not add a hardening point because this result is
<                     # not definite but only possible.  Display output is
<                     # yellow to alert the user so they can manually check
<                     # it.
<                     AddHP 0 1
---
>                     # will not show a type.
320c315
<                         # if cryptsetup exist with a valid exit status and
---
>                         # if cryptsetup exits with a valid exit status and
324c319,324
<                         Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "Possible Cryptmount Usage" --color YELLOW
---
>                         CIPHER=`echo ${CRYPT} | grep "cipher:" | sed -e 's/.*cipher: \(.*\) keysize.*/\1/'`
>                         Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "Cryptmount? [Cipher: ${CIPHER}]" --color GREEN
>                         # We add a hardening point because we have verified that
>                         # the drive is encrypted even if we cannot determine the
>                         # 'type' with these tools.
>                         AddHP 1 1
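Review bot: `CIPHER` is extracted with `echo ${CRYPT} | grep "cipher:" | sed ...` and then used unconditionally, so if the `cipher:` field is absent the result is shown as `Cryptmount? [Cipher: ]` in green and `AddHP 1 1` still credits a verified encrypted drive, which is stronger than what was actually confirmed. Quote the expansion as `echo "${CRYPT}"` so word-splitting cannot reshape the text the regex runs over, and guard the credit with `if [ "${CIPHER}" = "" ]; then` falling back to a yellow result and `AddHP 0 1`. The enclosing block starts before the hunk and ends after it.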
331a332,336
>                         #
>                         # We do not add a hardening point because it is possible
>                         # that the partition is encrypted but its status cannot
>                         # be verified by these tools.
>                         AddHP 0 1
400c405
<     if [ ${ECRYPTFSHOME} = 1 ]; then
---
>     if [ ${ECRYPTFSHOME} -eq 1 ]; then
538c543
<         if [ ${COUNT} > 0 ]; then
---
>         if [ ${COUNT} -gt 0 ]; then
540c545
<             Display --indent 4 --text "- debsums" --result "Installed and enabled for cron." --color GREEN
---
>             Display --indent 4 --text "- debsums" --result "Installed and enabled for cron" --color GREEN
544c549
<             Display --indent 4 --text "- debsums" --result "Installed but not enabled for cron." --color YELLOW
---
>             Display --indent 4 --text "- debsums" --result "Installed but not enabled for cron" --color YELLOW
555a561,1146
> # Test        : DEB-0880
> # Description : Checking if fail2ban-server is installed.
> Register --test-no "DEB-0880" --weight L --network NO --description "Checking for fail2ban"
> if [ ${SKIPTEST} -eq 0 ]; then
>     if [ ! "${FAIL2BANBINARY}" = "" ]; then
>         logtext " - fail2ban is installed."
>         AddHP 1 1
>         LOCAL=`find /etc/fail2ban/ -name jail.local | wc -l`
>         # Default installation of fail2ban includes a default configuration in
>         # /etc/fail2ban/jail.conf.  However this configuration can be
>         # overwritten by any updates to the fail2ban package.  To prevent this,
>         # the configuration file should be copied to /etc/fail2ban/jail.local.
>         if [ ${LOCAL} -gt 0 ]; then
>             logtext " - fail2ban local custom configuration enabled."
>             Display --indent 4 --text "- fail2ban" --result "Installed with jail.local" --color GREEN
>             AddHP 1 1
>         else
>             logtext " - fail2ban configuration has not been localized."
>             Display --indent 4 --text "- fail2ban" --result "Installed with jail.conf" --color YELLOW
>             AddHP 0 1
>             ReportSuggestion ${TEST_NO} "Copy /etc/fail2ban/jail.conf to jail.local to prevent it being changed by updates."
>         fi
>     else
>         logtext " - fail2ban is not installed."
>         Display --indent 4 --text "- fail2ban" --result "Not Installed" --color RED
>         AddHP 0 2
>         ReportSuggestion ${TEST_NO} "Install fail2ban to automatically ban hosts that commit multiple authentication errors."
>     fi
> fi
> 
> #################################################################################
> # SSH Tests
> 
> SSH_DAEMON_RUNNING=0
> SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh"
> 
> logtext "Status: Starting SSH checks..."
> 
> Register --test-no "DEB-1101" --weight L --network NO --description "Check for running SSH daemon"
> if [ ${SKIPTEST} -eq 0 ]; then
>     logtext "Test: Searching for running SSH Daemon"
>     IsRunning sshd
>     if [ ${RUNNING} -eq 1 ]; then
>         SSH_DAEMON_RUNNING=1
>         Display --indent 2 --text "- SSH Daemon" --result RUNNING --color GREEN
>     else
>         Display --indent 2 --text "- SSH Daemon" --result "NOT ENABLED" --color RED
>     fi
> fi
> 
> if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET+"NO"; fi
> Register --test-no "DEB-1102" --weight L --network NO --description "Determine location of sshd_config"
> if [ ${SKIPTEST} -eq 0 ]; then
>     FOUND=0
>     logtext "Test: determining location of sshd_config"
>     for I in ${SSH_DAEMON_CONFIG_LOCS}; do
>         if [ -f "${I}/sshd_config" ]; then
>             logtext "Result: Found ${I}/sshd_Config"
>             FileIsReadable ${I}/sshd_config
>             if [ ${CANREAD} -eq 1 ]; then
>                 FOUND=1
>                 SSH_DAEMON_CONFIG="${I}/sshd_config"
>             else
>                 logtext "Result: cannot read ${I}/sshd_config (permissions?)"
>             fi
>         fi
>     done
>     if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
>         logtext "Result: No sshd configuration found"
>         Display --indent 4 --text "- Searching for SSHD configuration file" --result "NOT FOUND" --color YELLOW
>         ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
>     else
>         logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
>         Display --indent 4 --text "- Searching for SSHD configuration file" --result FOUND --color GREEN
>     fi
> fi
> 
> # Test        : DEB-1110
> # Description : LoginGraceTime
> # Goal        : LoginGraceTime sets a time limit that the server will wait
> #               for a user to login.  Default is 120 seconds.  We test to
> #               determine if it is set to default or shorter.
> 
> if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
> Register --test-no DEB-1110 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: LoginGraceTime"
> if [ ${SKIPTEST} -eq 0 ]; then
>     FIND=`egrep "^\s*LoginGraceTime" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
>     if [ ! "${FIND}" = "" ]; then
>         if [ ${FIND} -eq 0 ]; then
>             ReportSuggestion ${TEST_NO} "Consider enabling LoginGraceTime in ${SSH_DAEMON_CONFIG}"
>             logtext "Result: LoginGraceTime is disabled"
>             Display --indent 4 --text "- SSH option: LoginGraceTime" --result "Disabled" --color RED
>             AddHP 0 2
>         elif [ ${FIND} -gt 119 ]; then
>             ReportSuggestion ${TEST_NO} "Consider enabling a shorter LoginGraceTime in ${SSH_DAEMON_CONFIG}"
>             logtext "Result: LoginGraceTime is ${FIND} seconds."
>             Display --indent 4 --text "- SSH option: LoginGraceTime" --result "${FIND} seconds" --color YELLOW
>             AddHP 1 2
>         else
>             logtext "Result: LoginGraceTime is ${FIND} seconds."
>             Display --indent 4 --text "- SSH option: LoginGraceTime" --result "${FIND} seconds" --color GREEN
>             AddHP 2 2
>         fi
>     else
>         FIND=`${SSHDBINARY} -T | grep logingracetime | ${AWKBINARY} '{ print $2 }'`
>         ReportSuggestion ${TEST_NO} "Consider enabling a shorter LoginGraceTime in ${SSH_DAEMON_CONFIG}"
>         logtext "Result: LoginGraceTime is ${FIND} seconds by default."
>         Display --indent 4 --text "- SSH option: LoginGraceTime" --result "${FIND} seconds by Default" --color YELLOW
>         AddHP 1 2
>     fi
> fi
> 
> # Test        : DEB-1111
> # Description : MaxAuthTries
> # Goal        : MaxAuthTries specifies the maximum number of authentication
> #               attempts permitted per connection.  Once the number of
> #               failures reaches half this value, additional failures are
> #               logged.  The default is 6.
> 
> if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
> Register --test-no DEB-1111 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: MaxAuthTries"
> if [ ${SKIPTEST} -eq 0 ]; then
>     FIND=`egrep "^\s*MaxAuthTries" ${SSH_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
> 
>     if [ ! "${FIND}" = "" ]; then
>         if [ ${FIND} -gt 6 ]; then
>             ReportSuggestion ${TEST_NO} "Consider enabling fewer MaxAuthTries in ${SSH_DAEMON_CONFIG}"
>             logtext "Result: MaxAuthTries is ${FIND} attempts."
>             Display --indent 4 --text "- SSH option: MaxAuthTries" --result "${FIND} attempts" --color RED
>             AddHP 0 2
>         elif [ ${FIND} -eq 6 ]; then
>             ReportSuggestion ${TEST_NO} "Consider enabling fewer MaxAuthTries in ${SSH_DAEMON_CONFIG}"
>             logtext "Result: MaxAuthTries is ${FIND} attempts."
>             Display --indent 4 --text "- SSH option: MaxAuthTries" --result "${FIND} attempts" --color YELLOW
>             AddHP 1 2
>         else
>             logtext "Result: MaxAuthTries is ${FIND} attempts."
>             Display --indent 4 --text "- SSH option: MaxAuthTries" --result "${FIND} attempts" --color GREEN
>             AddHP 2 2
>         fi
>     else
>         FIND=`${SSHDBINARY} -T | grep maxauthtries | ${AWKBINARY} '{ print $2 }'`
>         ReportSuggestion ${TEST_NO} "Consider enabling fewer MaxAuthTries in ${SSH_DAEMON_CONFIG}"
>         logtext "Result: MaxAuthTries is ${FIND} attempts by default."
>         Display --indent 4 --text "- SSH option: MaxAuthTries" --result "${FIND} attempts by Default" --color YELLOW
>         AddHP 1 2
>     fi
> fi
> 
> # Test        : DEB-1112
> # Description : Debian Banner
> # Goal        : Test to determine if Debian Banner is enabled for display
> #               during protocol handshake.
> # Note        : DebianBanner does not appear in the output of 'sshd -T',
> #               therefore we need to assume the default enabled state when
> #               it is not expressly configured in ${SSH_DAEMON_CONFIG}
> 
> # If this test is moved into test_ssh then it is prudent to verify that the
> # version of Linux being tested is Debian.  As this test is currently within a
> # plugin module that is developed for Debian it is an unnecessary PREQ.
> # if [ "${LINUX_VERSION}" = "Debian" -a ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then
> if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then
>     PREQS_MET="YES"
> else
>     PREQS_MET="NO"
> fi
> Register --test-no DEB-1112 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Debian Banner"
> if [ ${SKIPTEST} -eq 0 ]; then
>     FIND=`egrep "^\s*DebianBanner" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
>     if [ ! "${FIND}" = "" ]; then
>         if [ "${FIND}" = "yes" ]; then
>             logtext "Result: DebianBanner is enabled"
>             Display --indent 4 --text "- SSH option: DebianBanner" --result "Enabled" --color YELLOW
>             ReportSuggestion ${TEST_NO} "Add 'DebianBanner no' to ${SSH_DAEMON_CONFIG} to disable distribution specific suffix during protocol handshake."
>             AddHP 0 1
>         elif [ "${FIND}" = "no" ]; then
>             logtext "Result: DebianBanner is disabled"
>             Display --indent 4 --text "- SSH option: DebianBanner" --result "Disabled" --color GREEN
>             AddHP 1 1
>         fi
>     else
>         logtext "Result: DebianBanner is enabled by default."
>         Display --indent 4 --text "- SSH option: DebianBanner" --result "Enabled by Default" --color RED
>         ReportSuggestion ${TEST_NO} "Add 'DebianBanner no' to ${SSH_DAEMON_CONFIG} to disable distribution specific suffix during protocol handshake."
>         AddHP 0 1
> 
>     fi
> fi
> 
> # Test        : DEB-1120
> # Description : Key Exchange Algorithms
> # Goal        : Test to determine if which key exchange algorithms are
> #               enabled and recommend if any should be disabled.
> # Note        : Test only displays those key exchange algorithms that are
> #               enabled.  Those that are sufficiently secure for a hardened
> #               system are displayed as green, and those that should be
> #               removed are displayed as yellow.
> #
> #               If KexAlgorithms is not configured in ${SSH_DAEMON_CONFIG},
> #               then this test uses "sshd -T" to get the default
> #               configuration.
> if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
> Register --test-no DEB-1120 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: KexAlgorithms"
> if [ ${SKIPTEST} -eq 0 ]; then
>     # Defaults
>     KEX_SHA1=false
>     KEX_ECDH=false
>     KEX_DHge256=false
>     KEX_Curve25519=false
> 
>     FIND=`egrep "^\s*KexAlgorithms" ${SSH_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
> 
>     if [ ! "${FIND}" = "" ]; then
>         Display --indent 4 --text "- SSH option: Key Exchange Algorithms (KexAlgorithms)" --result "Configured in ${SSH_DAEMON_CONFIG}" --color GREEN
>         logtext "SSH option: KexAlgorithms is configured in ${SSH_DAEMON_CONFIG}."
>         AddHP 1 1
>         KEX_ALGORITHMS=${FIND}
>     else
>         # if KexAlgorithms is not defined in ${SSH_DAEMON_CONFIG}, then we
>         # can extract the default value from 'sshd -T'
>         Display --indent 4 --text "- SSH option: Key Exchange Algorithms (KexAlgorithms)" --result "Default" --color YELLOW
>         logtext "SSH option: KexAlgorithms is not configured in ${SSH_DAEMON_CONFIG}, default used."
>         AddHP 0 1
>         # KexAlgorithms is lower-case in the output of 'sshd -T'
>         KEX_ALGORITHMS=`${SSHDBINARY} -T | grep kexalgorithms | ${AWKBINARY} '{print $2}'`
>     fi
> 
>     OLD_IFS=$IFS
>     IFS=","
>     for line in $KEX_ALGORITHMS; do
>         IFS=${OLD_IFS}
>         case "${line}" in
>             *sha1*)
>                 KEX_SHA1=true
>                 Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
>                 logtext "'${line}' is included in KexAlgorithms, consider removing."
>                 AddHP 0 1
>                 ;;
>             *ecdh-sha2-nistp*)
>                 KEX_ECDH=true
>                 Display --indent 6 --text "- ${line}" --result "Enabled" --color YELLOW
>                 logtext "'${line}' is included in KexAlgorithms, consider removing."
>                 AddHP 0 1
>                 ;;
>             *)
>                 case "${line}" in
>                     curve25519-sha...@libssh.org)
>                         KEX_Curve25519=true
>                         ;;
>                     diffie-hellman-group-exchange-sha256)
>                         KEX_DHge256=true
>                         ;;
>                 esac
>                 Display --indent 6 --text "- ${line}" --result "Enabled" --color GREEN
>                 logtext "'${line}' is included  in KexAlgorithms."
>                 AddHP 1 1
>                 ;;
>         esac
>         IFS=","
>     done
>     IFS=${OLD_IFS}
> 
>     if [ "${KEX_Curve25519}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'curve25519-sha...@libssh.org' Algorithm to KexAlgorithms in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'curve25519-sha...@libssh.org' to KexAlgorithms in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${KEX_DHge256}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'diffie-hellman-group-exchange-sha256' Algorithm to KexAlgorithms in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'diffie-hellman-group-exchange-sha256' to KexAlgorithms in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${KEX_SHA1}" = "true" ]; then
>         ReportSuggestion ${TEST_NO} "Remove SHA1 Algorithms from KexAlgorithms in ${SSH_DAEMON_CONFIG}."
>     fi
>     if [ "${KEX_ECDH}" = "true" ]; then
>         ReportSuggestion ${TEST_NO} "Remove ECDH Curve Algorithms from KexAlgorithms in ${SSH_DAEMON_CONFIG}."
>     fi
> fi
> 
> # Test        : DEB-1130
> # Description : Message Authentication Codes
> # Goal        : Test to determine if which MACs are enabled and recommend if
> #               any should be disabled.
> # Note        : Test only displays those MACs that are enabled.  Those that
> #               are sufficiently secure for a hardened system are displayed
> #               as green, and those that should be removed are displayed as
> #               yellow.
> #
> #               If MACs is not configured in ${SSH_DAEMON_CONFIG},
> #               then this test uses "sshd -T" to get the default
> #               configuration.
> if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
> Register --test-no SSH-#### --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: MACs"
> if [ ${SKIPTEST} -eq 0 ]; then
>     # Defaults
>     MACS_MD5=false
>     MACS_SHA1=false
>     MACS_UMAC64=false
>     MACS_HMAC_SHA2_512_ETM=false
>     MACS_HMAC_SHA2_256_ETM=false
>     MACS_HMAC_RIPEMD160_ETM=false
>     MACS_UMAC_128_ETM=false
>     MACS_HMAC_SHA2_512=false
>     MACS_HMAC_SHA2_256=false
>     MACS_HMAC_RIPEMD160=false
>     MACS_UMAC_128=false
> 
>     FIND=`egrep "^\s*MACs" ${SSH_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
> 
>     if [ ! "${FIND}" = "" ]; then
>         Display --indent 4 --text "- SSH option: Message Authentication Codes (MACs)" --result "Configured in ${SSH_DAEMON_CONFIG}" --color GREEN
>         logtext "SSH option: MACs is configured in ${SSH_DAEMON_CONFIG}."
>         AddHP 1 1
>         MACS=${FIND}
>     else
>         # if MACs is not defined in ${SSH_DAEMON_CONFIG}, then we
>         # can extract the default value from 'sshd -T'
>         Display --indent 4 --text "- SSH option: Message Authentication Codes (MACs)" --result "Default" --color YELLOW
>         logtext "SSH option: MACs is not configured in ${SSH_DAEMON_CONFIG}, default used."
>         AddHP 0 1
>         # MACs is lower-case in the output of 'sshd -T'
>         MACS=`${SSHDBINARY} -T | grep macs | ${AWKBINARY} '{print $2}'`
>     fi
> 
>     OLD_IFS=$IFS
>     IFS=","
>     for line in ${MACS}; do
>         IFS=${OLD_IFS}
>         case "${line}" in
>             *md5*)
>                 MACS_MD5=true
>                 Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
>                 logtext "'${line}' is included in MACs, consider removing."
>                 AddHP 0 1
>                 ;;
>             *sha1*)
>                 MACS_SHA1=true
>                 Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
>                 logtext "'${line}' is included in MACs, consider removing."
>                 AddHP 0 1
>                 ;;
>             *umac-64*)
>                 MACS_UMAC64=true
>                 Display --indent 6 --text "- ${line}" --result "Enabled" --color YELLOW
>                 logtext "'${line}' is included in MACs, consider removing."
>                 AddHP 0 1
>                 ;;
>             *)
>                 case "${line}" in
>                     hmac-sha2-512-...@openssh.com)
>                         MACS_HMAC_SHA2_512_ETM=true
>                         ;;
>                     hmac-sha2-256-...@openssh.com)
>                         MACS_HMAC_SHA2_256_ETM=true
>                         ;;
>                     hmac-ripemd160-...@openssh.com)
>                         MACS_HMAC_RIPEMD160_ETM=true
>                         ;;
>                     umac-128-...@openssh.com)
>                         MACS_UMAC_128_ETM=true
>                         ;;
>                     hmac-sha2-512)
>                         MACS_HMAC_SHA2_512=true
>                         ;;
>                     hmac-sha2-256)
>                         MACS_HMAC_SHA2_256=true
>                         ;;
>                     hmac-ripemd160)
>                         MACS_HMAC_RIPEMD160=true
>                         ;;
>                     umac-...@openssh.com)
>                         MACS_UMAC_128=true
>                         ;;
>                 esac
>                 Display --indent 6 --text "- ${line}" --result "Enabled" --color GREEN
>                 logtext "'${line}' is included  in MACs."
>                 AddHP 1 1
>                 ;;
>         esac
>         IFS=","
>     done
>     IFS=${OLD_IFS}
> 
>     if [ "${MACS_HMAC_SHA2_512_ETM}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'hmac-sha2-512-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'hmac-sha2-512-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${MACS_HMAC_SHA2_256_ETM}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'hmac-sha2-256-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'hmac-sha2-256-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${MACS_HMAC_RIPEMD160_ETM}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'hmac-ripemd160-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'hmac-ripemd160-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${MACS_UMAC_128_ETM}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'umac-128-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'umac-128-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${MACS_HMAC_SHA2_512}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'hmac-sha2-512' to MACs in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'hmac-sha2-512' to MACs in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${MACS_HMAC_SHA2_256}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'hmac-sha2-256' to MACs in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'hmac-sha2-256' to MACs in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${MACS_HMAC_RIPEMD160}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'hmac-ripemd160' to MACs in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'hmac-ripemd160' to MACs in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${MACS_UMAC_128}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'umac-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'umac-...@openssh.com' to MACs in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
> 
> 
>     if [ "${MACS_MD5}" = "true" ]; then
>         ReportSuggestion ${TEST_NO} "Remove MD5 Algorithms from MACs in ${SSH_DAEMON_CONFIG}."
>     fi
>     if [ "${MACS_SHA1}" = "true" ]; then
>         ReportSuggestion ${TEST_NO} "Remove SHA1 Algorithms from MACs in ${SSH_DAEMON_CONFIG}."
>     fi
>     if [ "${MACS_UMAC64}" = "true" ]; then
>         ReportSuggestion ${TEST_NO} "Remove 'umac-64' Algorithms from MACs in ${SSH_DAEMON_CONFIG}."
>     fi
> fi
> 
> # Test        : DEB-1140
> # Description : Ciphers
> # Goal        : Test to determine if which ciphers are enabled and recommend if
> #               any should be disabled.
> # Note        : Test only displays those ciphers that are enabled.  Those that
> #               are sufficiently secure for a hardened system are displayed
> #               as green, and those that should be removed are displayed as
> #               yellow.
> #
> #               If Ciphers is not configured in ${SSH_DAEMON_CONFIG},
> #               then this test uses "sshd -T" to get the default
> #               configuration.
> if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
> Register --test-no DEB-1140 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Ciphers"
> if [ ${SKIPTEST} -eq 0 ]; then
>     # Defaults
>     CIPHER_ARCFOUR=false
>     CIPHER_CAST=false
>     CIPHER_CBC=false
>     CIPHER_DES=false
> 
>     CIPHER_CHACHA20_POLY1305=false
>     CIPHER_AES256_GCM=false
>     CIPHER_AES128_GCM=false
>     CIPHER_AES256_CTR=false
>     CIPHER_AES192_CTR=false
>     CIPHER_AES128_CTR=false
> 
>     FIND=`egrep "^\s*Ciphers" ${SSH_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
> 
>     if [ ! "${FIND}" = "" ]; then
>         Display --indent 4 --text "- SSH option: Ciphers" --result "Configured in ${SSH_DAEMON_CONFIG}" --color GREEN
>         logtext "SSH option: Ciphers is configured in ${SSH_DAEMON_CONFIG}."
>         AddHP 1 1
>         CIPHERS=${FIND}
>     else
>         # if Ciphers is not defined in ${SSH_DAEMON_CONFIG}, then we
>         # can extract the default value from 'sshd -T'
>         Display --indent 4 --text "- SSH option: Ciphers" --result "Default" --color YELLOW
>         logtext "SSH option: Ciphers is not configured in ${SSH_DAEMON_CONFIG}, default used."
>         AddHP 0 1
>         # Ciphers is lower-case in the output of 'sshd -T'
>         CIPHERS=`${SSHDBINARY} -T | grep ciphers | ${AWKBINARY} '{print $2}'`
>     fi
> 
>     OLD_IFS=$IFS
>     IFS=","
>     for line in ${CIPHERS}; do
>         IFS=${OLD_IFS}
>         case "${line}" in
>             arcfour*)
>                 CIPHER_ARCFOUR=true
>                 Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
>                 logtext "'${line}' is included in Ciphers, consider removing."
>                 AddHP 0 1
>                 ;;
>             cast128-cbc)
>                 CIPHER_CAST=true
>                 Display --indent 6 --text "- ${line}" --result "Enabled" --color YELLOW
>                 logtext "'${line}' is included in Ciphers, consider removing."
>                 AddHP 0 1
>                 ;;
>             3des-cbc)
>                 CIPHER_DES=true
>                 Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
>                 logtext "'${line}' is included in Ciphers, consider removing."
>                 AddHP 0 1
>                 ;;
>             *-cbc)
>                 CIPHER_CBC=true
>                 Display --indent 6 --text "- ${line} " --result "Enabled" --color YELLOW
>                 logtext "'${line}' is included in Ciphers, consider removing."
>                 AddHP 0 1
>                 ;;
>             *)
>                 case "${line}" in
>                     chacha20-poly1...@openssh.com)
>                         CIPHER_CHACHA20_POLY1305=true
>                         ;;
>                     aes256-...@openssh.com)
>                         CIPHER_AES256_GCM=true
>                         ;;
>                     aes128-...@openssh.com)
>                         CIPHER_AES128_GCM=true
>                         ;;
>                     aes256-ctr)
>                         CIPHER_AES256_CTR=true
>                         ;;
>                     aes192-ctr)
>                         CIPHER_AES192_CTR=true
>                         ;;
>                     aes128-ctr)
>                         CIPHER_AES128_CTR=true
>                         ;;
>                 esac
>                 Display --indent 6 --text "- ${line}" --result "Enabled" --color GREEN
>                 logtext "'${line}' is included  in Ciphers."
>                 AddHP 1 1
>                 ;;
>         esac
>         IFS=","
>     done
>     IFS=${OLD_IFS}
> 
>     if [ "${CIPHER_CHACHA20_POLY1305}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'chacha20-poly1...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'chacha20-poly1...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${CIPHER_AES256_GCM}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'aes256-...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'aes256-...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${CIPHER_AES128_GCM}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'aes128-...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'aes128-...@openssh.com' to Ciphers in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${CIPHER_AES256_CTR}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'aes256-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'aes256-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${CIPHER_AES192_CTR}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'aes192-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'aes192-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
>     if [ "${CIPHER_AES128_CTR}" = "false" ]; then
>         ReportSuggestion ${TEST_NO} "Add 'aes128-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}."
>         logtext "Consider adding 'aes128-ctr' to Ciphers in ${SSH_DAEMON_CONFIG}"
>         AddHP 0 1
>     fi
> 
> 
>     if [ "${CIPHER_ARCFOUR}" = "true" ]; then
>         ReportSuggestion ${TEST_NO} "Remove RC4 ('arcfour') algorithms from Ciphers in ${SSH_DAEMON_CONFIG}."
>     fi
>     if [ "${CIPHER_CAST}" = "true" ]; then
>         ReportSuggestion ${TEST_NO} "Remove 'cast128-cbc' from Ciphers in ${SSH_DAEMON_CONFIG}."
>     fi
>     if [ "${CIPHER_CBC}" = "true" ]; then
>         ReportSuggestion ${TEST_NO} "Prefer CTR over CBC, remove CBC algorithms from Ciphers in ${SSH_DAEMON_CONFIG}."
>     fi
>     if [ "${CIPHER_DES}" = "true" ]; then
>         ReportSuggestion ${TEST_NO} "Remove '3des-cbc' from Ciphers in ${SSH_DAEMON_CONFIG}."
>     fi
> fi
