From 5028aa2f70814d7551c6a72575506a3a1658f99d Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Tue, 23 Oct 2018 17:14:47 +0200
Subject: Added SSH-7406 to detect OpenSSH version + condition based checking in SSH-7408

---
 db/tests.db | 1 +
 include/tests_ssh | 44 +++++++++++++++++++++++++++++++++++++-------
 2 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/db/tests.db b/db/tests.db
index 4fc3e5fe..fde2dc5b 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -354,6 +354,7 @@ SQD-3630:test:security:squid::Check Squid reply_body_max_size option:
 SQD-3680:test:security:squid::Check Squid version suppression:
 SSH-7402:test:security:ssh::Check for running SSH daemon:
 SSH-7404:test:security:ssh::Check SSH daemon file location:
+SSH-7406:test:security:ssh::Detection of OpenSSH server version:
 SSH-7408:test:security:ssh::Check SSH specific defined options:
 SSH-7440:test:security:ssh::AllowUsers and AllowGroups:
 STRG-1840:test:security:storage:Linux:Check if USB storage is disabled:
diff --git a/include/tests_ssh b/include/tests_ssh
index 2cdaa5c6..9b4179fa 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -27,6 +27,9 @@ SSH_DAEMON_PORT=""
 SSH_DAEMON_RUNNING=0
 SSH_DAEMON_OPTIONS_FILE=""
+ OPENSSHD_VERSION=0
+ OPENSSHD_VERSION_MAJOR=0
+ OPENSSHD_VERSION_MINOR=0
 #
 #################################################################################
 #
@@ -89,6 +92,23 @@ fi
 #
 #################################################################################
+#
+ # Test : SSH-7406
+ # Description : Check OpenSSH version
+ if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determine OpenSSH version"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ OPENSSHD_VERSION=$(sshd -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d ',')
+ LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}"
+ if [ ! -z ${OPENSSHD_VERSION} ]; then
+ OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $1}')
+ LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}"
+ OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $2}')
+ LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}"
+ fi
+ fi
+#
+#################################################################################
 #
 # Test : SSH-7408
 # Description : Check SSH specific defined options
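Review bot: The awk filter `'{if($4~OpenSSH_){print $4}}'` compares against the uninitialised awk variable `OpenSSH_` (an empty string), so it matches every line and only works because the preceding grep already narrowed the input; the intended literal is `'{if($4~/OpenSSH_/){print $4}}'`. If the version token carries a portable suffix (some builds print e.g. `OpenSSH_7.4p1`), the `-F.` split leaves `4p1` in OPENSSHD_VERSION_MINOR and the `-lt` comparisons in the SSH-7408 hunk below then abort with an "integer expression expected" error, so the minor field should be reduced to digits, e.g. `OPENSSHD_VERSION_MINOR=$(echo "${OPENSSHD_VERSION}" | ${AWKBINARY} -F. '{print $2}' | ${TRBINARY} -cd '0-9')`. The test `[ ! -z ${OPENSSHD_VERSION} ]` should quote the expansion, as should the two `echo ${OPENSSHD_VERSION}` calls. Since SSH-7404 already locates the daemon file, the probe would be more reliable run via that path than a bare `sshd` PATH lookup, and a failing `sshd -t` (for example unreadable host keys when not running as root) currently vanishes inside the pipeline, so an empty result deserves its own LogText line rather than a silent "version is " message.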
@@ -124,20 +144,30 @@ PermitTunnel:NO,,YES:=\
 Port:,,22:!\
 PrintLastLog:YES,,NO:=\
- Protocol:2,,1:=\
 StrictModes:YES,,NO:=\
 TCPKeepAlive:NO,,YES:=\
 UseDNS:NO,,YES:=\
- UsePrivilegeSeparation:SANDBOX,YES,NO:=\
 VerifyReverseMapping:YES,,NO:=\
 X11Forwarding:NO,,YES:=\
 AllowAgentForwarding:NO,,YES:="
- # Notes
- # =========================================================
- # UsePrivilegeSeparation - removed since OpenSSH 7.5
- #
- # Disabled MaxStartups:4,8,16:<\ (needs fixing)
+
+ # OpenSSH had some options removed over time. Based on the version we add some additional options to check
+ if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then
+ LogText "Result: added additional options for OpenSSH 6.x and lower"
+ SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:="
+ elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then
+ # Protocol 1 support removed (OpenSSH 7.4 and later)
+ if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then
+ LogText "Result: added additional options for OpenSSH < 7.4"
+ SSHOPS="${SSHOPS} Protocol:2,,1:="
+ fi
+ # UsePrivilegedSeparation removed (OpenSSH 7.5 and later)
+ if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then
+ LogText "Result: added additional options for OpenSSH < 7.5"
+ SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:="
+ fi
+ fi
 # Go through our list of options
 for I in ${SSHOPS}; do
-- 
cgit v1.2.3
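Review bot: A skipped or failed SSH-7406 leaves OPENSSHD_VERSION_MAJOR at its initial value 0, and the `-lt 7` branch then treats an unknown daemon as OpenSSH 6.x, re-adding the `UsePrivilegeSeparation` and `Protocol` checks on exactly the modern servers where those options no longer exist, so the version-dependent additions produce findings the configuration cannot act on. The branch needs an explicit unknown case first, e.g. `if [ ${OPENSSHD_VERSION_MAJOR} -eq 0 ]; then LogText "Result: OpenSSH version unknown, skipping version-specific options"; elif [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then`, with the rest of the chain unchanged. The comment `# UsePrivilegedSeparation removed (OpenSSH 7.5 and later)` misspells the option; the assignment two lines below uses the correct `UsePrivilegeSeparation`. The SSH-7408 test body starts before this hunk (the SSHOPS assignment) and continues after it (the `for I in ${SSHOPS}` loop).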