author | mboelen <michael@cisofy.com> | 2014-09-09 16:49:37 +0400 |
committer | mboelen <michael@cisofy.com> | 2014-09-09 16:49:37 +0400 |
commit | dd2ea3efaf5a91b97840383b578ad8ddffbd76a8 (patch) | |
tree | 705fee4e70ef4920598f76ab238332e791f33372 /include/tests_ssh | |
parent | 3beae44e9268920f73f742365bfb26be5e5f63be (diff) |
Made adjustments to run in non-privileged scans
Diffstat (limited to 'include/tests_ssh')
-rw-r--r-- | include/tests_ssh | 184 |
1 files changed, 95 insertions, 89 deletions
diff --git a/include/tests_ssh b/include/tests_ssh
index 91da5f0d..8905511b 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -59,17 +59,23 @@
 ReportException "${TEST_NO}:01"
 logtext "Result: we already had found another sshd_config file. Using this new file then."
 fi
- FOUND=1
- SSH_DAEMON_CONFIG="${I}/sshd_config"
- fi
- done
- if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
- logtext "Result: No sshd configuration found"
- Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
- else
- logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
- Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
- fi
+ FileIsReadable ${I}/sshd_config
+ if [ ${CANREAD} -eq 1 ]; then
+ FOUND=1
+ SSH_DAEMON_CONFIG="${I}/sshd_config"
+ else
+ logtext "Warning: can not read ${I}/sshd_config file"
+ fi
+ fi
+ done
+ if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
+ logtext "Result: No sshd configuration found"
+ Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
+ ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
+ else
+ logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
+ Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
+ fi
 fi
 #
 #################################################################################
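Review bot: The new `ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"` in the not-found branch uses a one-digit suffix while the exception already raised in the same test a few lines earlier is `"${TEST_NO}:01"`, so one test would emit two differently formatted exception ids; use `"${TEST_NO}:02"` (or the next free two-digit suffix). The unreadable case only reaches `logtext "Warning: can not read ${I}/sshd_config file"`, and the final branch still logs "No sshd configuration found" and displays NOT FOUND, so from the report an operator cannot tell a missing sshd_config from one that a non-privileged scan could not open — consider a distinct Display result (e.g. `--result "NO ACCESS" --color YELLOW`) when a file was seen but CANREAD was 0, since all following SSH hardening tests are then skipped rather than failed. `FileIsReadable ${I}/sshd_config` and `[ ${CANREAD} -eq 1 ]` depend on FileIsReadable (defined outside this hunk) setting CANREAD on every call; if it only assigns on success, a stale 1 from an earlier path would accept an unreadable file, and quoting the path (`FileIsReadable "${I}/sshd_config"`) keeps it a single argument. The enclosing for loop and test body begin before the hunk.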
@@ -117,24 +123,24 @@
 if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check PermitRootLogin option"
- FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
- if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
- logtext "Result: PermitRootLogin is enabled, root can login directly"
- Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
+ logtext "Test: check PermitRootLogin option"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
+ if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
+ logtext "Result: PermitRootLogin is enabled, root can login directly"
+ Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
 ReportWarning ${TEST_NO} "M" "Root can directly login via SSH"
- AddHP 0 3
- else
- # YYY add test for DenyUsers root
- if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
- logtext "Result: PermitRootLogin is disabled. Root can't login directly"
- Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
- AddHP 3 3
- else
- logtext "Result: Value of PermitRootLogin is unknown (not defined)"
- Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
- fi
- fi
+ AddHP 0 3
+ else
+ # YYY add test for DenyUsers root
+ if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
+ logtext "Result: PermitRootLogin is disabled. Root can't login directly"
+ Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: Value of PermitRootLogin is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
+ fi
+ fi
 fi
 #
 #################################################################################
@@ -144,23 +150,23 @@
 if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: check allowed SSH protocol versions"
- FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
- if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
- logtext "Result: Protocol option is set to allow SSH protocol version 1"
- Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
+ logtext "Test: check allowed SSH protocol versions"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
+ if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
+ logtext "Result: Protocol option is set to allow SSH protocol version 1"
+ Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
 ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
- AddHP 0 3
- else
- if [ "${FIND}" = "2" ]; then
- logtext "Result: only protocol 2 is allowed"
- Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
- AddHP 3 3
- else
- logtext "Result: value of Protocol is unknown (not defined)"
- Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
- fi
- fi
+ AddHP 0 3
+ else
+ if [ "${FIND}" = "2" ]; then
+ logtext "Result: only protocol 2 is allowed"
+ Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: value of Protocol is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
+ fi
+ fi
 fi
 #
 #################################################################################
@@ -170,24 +176,24 @@
 if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Check configured StrictModes option"
- FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
- if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
- logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
- Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
+ logtext "Test: Check configured StrictModes option"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
+ if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
+ logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
+ Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
 ReportWarning ${TEST_NO} "M" "StrictModes is turned off"
- ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
- AddHP 0 3
- else
- if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
- logtext "Result: StrictModes active, file permissions are checked"
- Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
- AddHP 3 3
- else
- logtext "Result: value of StrictModes is unknown (not defined)"
- Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
- fi
- fi
+ ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
+ AddHP 0 3
+ else
+ if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
+ logtext "Result: StrictModes active, file permissions are checked"
+ Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: value of StrictModes is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
+ fi
+ fi
 fi
 #
 #################################################################################
@@ -225,35 +231,35 @@
 Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
- # AllowUsers
- FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: AllowUsers set, with value ${FIND}"
- Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
- FOUND=1
- else
- logtext "Result: AllowUsers is not set"
- Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
- fi
-
- # AllowGroups
- FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: AllowUsers set ${FIND}"
- Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
- FOUND=1
- else
- logtext "Result: AllowGroups is not set"
- Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
- fi
+ # AllowUsers
+ FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: AllowUsers set, with value ${FIND}"
+ Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
+ FOUND=1
+ else
+ logtext "Result: AllowUsers is not set"
+ Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
+ fi
+
+ # AllowGroups
+ FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: AllowUsers set ${FIND}"
+ Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
+ FOUND=1
+ else
+ logtext "Result: AllowGroups is not set"
+ Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
+ fi
 
- if [ ${FOUND} -eq 1 ]; then
- logtext "Result: SSH is limited to a specific set of users, which is good"
- AddHP 2 2
- else
- logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
- AddHP 0 1
- fi
+ if [ ${FOUND} -eq 1 ]; then
+ logtext "Result: SSH is limited to a specific set of users, which is good"
+ AddHP 2 2
+ else
+ logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
+ AddHP 0 1
+ fi
 fi
 #
 #################################################################################