mirror of
https://github.com/jtesta/ssh-audit.git
synced 2025-01-25 01:19:31 +01:00
pr307 update 2
This commit is contained in:
OAM7575
parent
48b9ee7deb
commit
231a47959a
@ -38,6 +38,3 @@ SNAP_PACKAGE = False
|
||||
|
||||
# Error message when installed as a Snap package and a file access fails.
|
||||
SNAP_PERMISSIONS_ERROR = 'Error while accessing file. It appears that ssh-audit was installed as a Snap package. In that case, there are two options: 1.) only try to read & write files in the $HOME/snap/ssh-audit/common/ directory, or 2.) grant permissions to read & write files in $HOME using the following command: "sudo snap connect ssh-audit:home :home"'
|
||||
|
||||
# Last update to Hardening Guides
|
||||
GUIDES_UPDATED = "2024-10-01"
|
||||
|
||||
@ -1,11 +1,74 @@
|
||||
"""
|
||||
The MIT License (MIT)
|
||||
|
||||
Copyright (C) 2020-2024 Joe Testa (jtesta@positronsecurity.com)
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in
|
||||
all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
THE SOFTWARE.
|
||||
"""
|
||||
from typing import Dict, Any
|
||||
import sys
|
||||
|
||||
from ssh_audit import exitcodes
|
||||
from ssh_audit.globals import VERSION
|
||||
from ssh_audit.globals import HARDENING_GUIDES
|
||||
|
||||
from typing import Any, Dict, List, Optional, Union, Tuple
|
||||
from typing import Optional, Any, Union, cast
|
||||
|
||||
|
||||
BUILTIN_GUIDES: Dict[str, Dict[str, Any]] = {
|
||||
|
||||
# Server
|
||||
# Amazon Server
|
||||
'Amazon 2023 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered host keys to prioritize ED25519 due to efficiency. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': True},
|
||||
|
||||
# Debian Server
|
||||
'Debian Bullseye Server (version 1)': {'version': '1', 'changelog': {'2021-09-17': 'Initial Revision.'}, 'server_policy': True},
|
||||
'Debian Bookworm Server (version 1)': {'version': '1', 'changelog': {'2021-09-17': 'Initial Revision.'}, 'server_policy': True},
|
||||
|
||||
# Rocky Linux
|
||||
'Rocky 9 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered host keys to prioritize ED25519 due to efficiency. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '\n2024-04-24': 'Added connection throttling instructions to counteract the DHEat denial-of-service attack.'}, 'server_policy': True},
|
||||
|
||||
# Ubuntu Server
|
||||
'Ubuntu 2004 Server (version 1)': {'version': '1', 'changelog': {'2024-04-24': '\nAdded connection throttling instructions to counteract the DHEat denial-of-service attack.'}, 'server_policy': True},
|
||||
'Ubuntu 2204 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': '\nRe-ordered host keys to prioritize ED25519 due to efficiency. \nRe-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '\n2024-04-22': '\nAdded connection throttling instructions to counteract the DHEat denial-of-service attack.'}, 'server_policy': True},
|
||||
'Ubuntu 2404 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': '\nAdded Required RSASize directive to enforce a minimum of 3072-bit user and host-based authentication keys.', '\n2024-04-29': '\nInitial revision. In comparison to Ubuntu 22.04 LTS guide, the following changes were made: \n1.) For key exchanges, diffie-hellman-group18-sha512 and diffie-hellman-group-exchange-sha256 were prioritized over diffie-hellman-group16-sha512 due to greater security strength; GSS algorithms were prioritized over their non-GSS equivalents in order to match the client guide, \n2.) For ciphers, 256-bit AES ciphers were prioritized over 192 and 128-bit AES ciphers due to their increased resistence against quantum computing attacks (previously, weaker GCM ciphers had priority over CTR ciphers), \n3.) The HostbasedAcceptedAlgorithms and PubkeyAcceptedAlgorithms settings are now the same as HostKeyAlgorithms setting, \n4.) The hmac-sha2-512-etm@openssh.com MAC was increased in priority due to its increased resistence against quantum computing attacks, and \n5.) The ED25519 host keys were given priority over RSA host keys due to their greater efficiency.'}, 'server_policy': True},
|
||||
|
||||
# Client
|
||||
# Amazon
|
||||
'Amazon 2023 Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': False},
|
||||
|
||||
# Debian
|
||||
'Debian Bookworm Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Added RequiredRSASize directive to enforce a minimum of 3072-bit user and host-based authentication keys. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-03-15': 'Initial Revision'}, 'server_policy': False},
|
||||
|
||||
# Rocky Linux
|
||||
'Rocky 9 Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Added RequiredRSASize directive to enforce a minimum of 3072-bit user and host-based authentication keys. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-03-15': 'Initial Revision'}, 'server_policy': False},
|
||||
|
||||
# Mint
|
||||
'Mint 20 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
'Mint 21 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
'Mint 22 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
|
||||
# Ubuntu
|
||||
'Ubuntu 2004 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
'Ubuntu 2204 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
'Ubuntu 2404 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
}
|
||||
|
||||
|
||||
|
||||
class PrintHardeningGuides:
|
||||
def __init__(self, os_type: str, os_ver: str, clientserver: str) -> None:
|
||||
@ -13,48 +76,6 @@ class PrintHardeningGuides:
|
||||
self.os_ver = os_ver
|
||||
self.clientserver = clientserver
|
||||
|
||||
self.BUILTIN_GUIDES: Dict[str, Dict[str]] = {
|
||||
|
||||
# Server
|
||||
# Amazon Server
|
||||
'Amazon 2023 Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': False},
|
||||
'Amazon 2023 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered host keys to prioritize ED25519 due to efficiency. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': True},
|
||||
|
||||
# Debian Server
|
||||
'Debian Bullseye Server (version 1)': {'version': '1', 'changelog': {'2021-09-17': 'Initial Revision.'}, 'server_policy': True},
|
||||
'Debian Bookworm Server (version 1)': {'version': '1', 'changelog': {'2021-09-17': 'Initial Revision.'}, 'server_policy': True},
|
||||
|
||||
# Rocky Linux
|
||||
'Rocky 9 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered host keys to prioritize ED25519 due to efficiency. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '\n2024-04-24': 'Added connection throttling instructions to counteract the DHEat denial-of-service attack.'}, 'server_policy': True},
|
||||
|
||||
# Ubuntu Server
|
||||
'Ubuntu 2004 Server (version 1)': {'version': '1', 'changelog': {'2024-04-24': '\nAdded connection throttling instructions to counteract the DHEat denial-of-service attack.'}, 'server_policy': True},
|
||||
'Ubuntu 2204 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': '\nRe-ordered host keys to prioritize ED25519 due to efficiency. \nRe-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '\n2024-04-22': '\nAdded connection throttling instructions to counteract the DHEat denial-of-service attack.'}, 'server_policy': True},
|
||||
'Ubuntu 2404 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': '\nAdded Required RSASize directive to enforce a minimum of 3072-bit user and host-based authentication keys.', '\n2024-04-29': '\nInitial revision. In comparison to Ubuntu 22.04 LTS guide, the following changes were made: \n1.) For key exchanges, diffie-hellman-group18-sha512 and diffie-hellman-group-exchange-sha256 were prioritized over diffie-hellman-group16-sha512 due to greater security strength; GSS algorithms were prioritized over their non-GSS equivalents in order to match the client guide, \n2.) For ciphers, 256-bit AES ciphers were prioritized over 192 and 128-bit AES ciphers due to their increased resistence against quantum computing attacks (previously, weaker GCM ciphers had priority over CTR ciphers), \n3.) The HostbasedAcceptedAlgorithms and PubkeyAcceptedAlgorithms settings are now the same as HostKeyAlgorithms setting, \n4.) The hmac-sha2-512-etm@openssh.com MAC was increased in priority due to its increased resistence against quantum computing attacks, and \n5.) The ED25519 host keys were given priority over RSA host keys due to their greater efficiency.'}, 'server_policy': True},
|
||||
|
||||
# Client
|
||||
# Amazon
|
||||
'Amazon 2023 Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': False},
|
||||
|
||||
# Debian
|
||||
'Debian Bookworm Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Added RequiredRSASize directive to enforce a minimum of 3072-bit user and host-based authentication keys. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-03-15': 'Initial Revision'}, 'server_policy': False},
|
||||
|
||||
# Rocky Linux
|
||||
'Rocky 9 Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Added RequiredRSASize directive to enforce a minimum of 3072-bit user and host-based authentication keys. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-03-15': 'Initial Revision'}, 'server_policy': False},
|
||||
|
||||
# Mint
|
||||
'Mint 20 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
'Mint 21 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
'Mint 22 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
|
||||
# Ubuntu
|
||||
'Ubuntu 2004 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
'Ubuntu 2204 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
'Ubuntu 2404 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
|
||||
|
||||
|
||||
}
|
||||
|
||||
self.get_config()
|
||||
|
||||
def get_config(self) -> None:
|
||||
@ -64,67 +85,70 @@ class PrintHardeningGuides:
|
||||
os_type = self.os_type
|
||||
os_ver = self.os_ver
|
||||
clientserver = self.clientserver
|
||||
BUILTIN_GUIDES = self.BUILTIN_GUIDES
|
||||
policy_name = os_type + " " + os_ver + " " + clientserver
|
||||
|
||||
supported_os = ["Amazon", "Debian", "Mint", "Rocky", "Ubuntu"]
|
||||
supported_edition = ["2404", "2204", "2004", "1804", "2023", "22", "21", "20", "9", "Bookworm", "Bullseye"]
|
||||
if clientserver not in ["Server", "Client"] or os_type not in supported_os and os_ver not in supported_edition:
|
||||
PrintHardeningGuides.unknown_variant(os_type, os_ver, clientserver)
|
||||
print(" ")
|
||||
print(f"\033[1mssh-audit Version : {VERSION}\033[0m")
|
||||
print(" ")
|
||||
print(f"\033[1mConfiguration : {os_type} {os_ver} {clientserver} is not supported\033[0m")
|
||||
PrintHardeningGuides.supported_varient()
|
||||
sys.exit(retval)
|
||||
|
||||
# Server Configs
|
||||
if clientserver in ["Server"]:
|
||||
# Amazon Linux
|
||||
if os_type in ["Amazon"] and os_ver in ["2023"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.server_modern_common()
|
||||
PrintHardeningGuides.amazon_server_2023()
|
||||
sys.exit(retval)
|
||||
# Debian
|
||||
elif os_type in ["Debian"] and os_ver in ["Bookworm"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.server_modern_common()
|
||||
PrintHardeningGuides.bookworm_server()
|
||||
PrintHardeningGuides.debian_ubuntu_rate_throttling()
|
||||
sys.exit(retval)
|
||||
elif os_type in ["Debian"] and os_ver in ["Bullseye"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.server_modern_common()
|
||||
PrintHardeningGuides.bullseye_server()
|
||||
sys.exit(retval)
|
||||
# Rocky Linux
|
||||
elif os_type in ["Rocky"] and os_ver in ["9"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.server_modern_common()
|
||||
PrintHardeningGuides.rocky_9_server()
|
||||
sys.exit(retval)
|
||||
# Ubuntu
|
||||
elif os_type in ["Ubuntu"] and os_ver in ["2404"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.server_modern_common()
|
||||
PrintHardeningGuides.ubuntu_server_2404()
|
||||
PrintHardeningGuides.debian_ubuntu_rate_throttling()
|
||||
sys.exit(retval)
|
||||
elif os_type in ["Ubuntu"] and os_ver in ["2204"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.server_modern_common()
|
||||
PrintHardeningGuides.ubuntu_server_2204()
|
||||
PrintHardeningGuides.debian_ubuntu_rate_throttling()
|
||||
sys.exit(retval)
|
||||
elif os_type in ["Ubuntu"] and os_ver in ["2004"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.server_modern_common()
|
||||
PrintHardeningGuides.ubuntu_server_2004()
|
||||
PrintHardeningGuides.debian_ubuntu_rate_throttling()
|
||||
sys.exit(retval)
|
||||
elif os_type in ["Ubuntu"] and os_ver in ["1804"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.server_legacy_common()
|
||||
PrintHardeningGuides.ubuntu_server_1804()
|
||||
sys.exit(retval)
|
||||
else:
|
||||
PrintHardeningGuides.unknown_variant(os_type, os_ver, clientserver)
|
||||
PrintHardeningGuides.supported_varient()
|
||||
sys.exit(retval)
|
||||
|
||||
|
||||
@ -132,65 +156,61 @@ class PrintHardeningGuides:
|
||||
if clientserver in ["Client"]:
|
||||
# Amazon
|
||||
if os_type in ["Amazon"] and os_ver in ["2023"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.amazon_2023_client()
|
||||
sys.exit(retval)
|
||||
# Debian
|
||||
elif os_type in ["Debian"] and os_ver in ["Bookworm"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.debian_bookworm_client()
|
||||
sys.exit(retval)
|
||||
# Mint
|
||||
elif os_type in ["Mint"] and os_ver in ["22"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.ubuntu_2404_mint_22_client()
|
||||
sys.exit(retval)
|
||||
elif os_type in ["Mint"] and os_ver in ["21"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.ubuntu_2204_mint_21_client()
|
||||
sys.exit(retval)
|
||||
elif os_type in ["Mint"] and os_ver in ["20"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.ubuntu_2004_mint_20_client()
|
||||
sys.exit(retval)
|
||||
# Rocky
|
||||
elif os_type in ["Rocky"] and os_ver in ["9"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.rocky_9_client()
|
||||
sys.exit(retval)
|
||||
# Ubuntu
|
||||
elif os_type in ["Ubuntu"] and os_ver in ["2404"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.ubuntu_2404_mint_22_client()
|
||||
sys.exit(retval)
|
||||
elif os_type in ["Ubuntu"] and os_ver in ["2204"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.ubuntu_2204_mint_21_client()
|
||||
sys.exit(retval)
|
||||
elif os_type in ["Ubuntu"] and os_ver in ["2004"]:
|
||||
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
|
||||
PrintHardeningGuides.print_ver_changelog(policy_name)
|
||||
PrintHardeningGuides.ubuntu_2004_mint_20_client()
|
||||
sys.exit(retval)
|
||||
else:
|
||||
PrintHardeningGuides.unknown_variant(os_type, os_ver, clientserver)
|
||||
PrintHardeningGuides.supported_varient()
|
||||
sys.exit(retval)
|
||||
|
||||
|
||||
|
||||
@staticmethod
|
||||
def unknown_variant(os_type: str, os_ver: str, clientserver: str) -> None:
|
||||
print(" ")
|
||||
print(f"\033[1mssh-audit Version : {VERSION}\033[0m")
|
||||
print(" ")
|
||||
print(f"\033[1mGuides Last modified : {HARDENING_GUIDES}\033[0m")
|
||||
print(" ")
|
||||
print(f"\033[1mError unknown varient : {os_type} {os_ver} {clientserver} \033[0m")
|
||||
def supported_varient() -> None:
|
||||
retval = exitcodes.GOOD
|
||||
print(" ")
|
||||
print("For current, community developed and legacy guides")
|
||||
print("check the website : https://www.ssh-audit.com/hardening_guides.html")
|
||||
print(" ")
|
||||
print("\033[1mSupported Server Configurations : \033[0m")
|
||||
print(" ")
|
||||
print(r"Amazon 2023 Server")
|
||||
print(r"Debian Bookworm Server")
|
||||
print(r"Debian Bullseye Server")
|
||||
@ -213,6 +233,7 @@ class PrintHardeningGuides:
|
||||
print("\033[1mExample Usage : \033[0m ")
|
||||
print(r"python3 ssh-audit.py --get-hardening-guides Ubuntu 2404 Server")
|
||||
print(" ")
|
||||
sys.exit(retval)
|
||||
|
||||
|
||||
# Client Configurations
|
||||
@ -435,24 +456,22 @@ class PrintHardeningGuides:
|
||||
print(" ")
|
||||
|
||||
@staticmethod
|
||||
def print_ver_changelog(BUILTIN_GUIDES, policy_name: str) -> None:
|
||||
'''Returns a Policy with the specified built-in policy name loaded, or None if no policy of that name exists.'''
|
||||
def print_ver_changelog(policy_name: str) -> None:
|
||||
'''Prints ssh-audit version and change log for a supported configuration'''
|
||||
|
||||
for key_name, policy in BUILTIN_GUIDES.items():
|
||||
if policy_name in key_name:
|
||||
|
||||
policy_struct = BUILTIN_GUIDES[key_name]
|
||||
policy_struct = policy
|
||||
policy_name_without_version = policy_name.split('(')[0]
|
||||
name = policy_name_without_version # pylint: disable=protected-access
|
||||
|
||||
version = cast(str, policy_struct['version']) # pylint: disable=protected-access
|
||||
changelog_struct = policy_struct['changelog'] # pylint: disable=protected-access
|
||||
print(" ")
|
||||
print(f"\033[1mssh-audit Version : {VERSION}\033[0m")
|
||||
print(" ")
|
||||
print(f"\033[1mLocating configuration for {name}\033[0m")
|
||||
print(" ")
|
||||
print(f"\033[1mChange Log :\033[0m")
|
||||
print("\033[1mChange Log :\033[0m")
|
||||
for date, change in changelog_struct.items():
|
||||
print(f"\033[1m{date} : {change}\033[0m")
|
||||
print(" ")
|
||||
print(" ")
|
||||
|
||||
@ -818,7 +818,8 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf': # p
|
||||
parser.add_argument("--threads", action="store", dest="threads", metavar="N", type=int, default=32, help="number of threads to use when scanning multiple targets (-T/--targets) (default: %(default)s)")
|
||||
|
||||
# Print Suggested Configurations from : https://www.ssh-audit.com/hardening_guides.html
|
||||
parser.add_argument("--get-hardening-guides", nargs="*", action="append", metavar="OS Ver Client/Server", dest="get_hardening_guides", type=str, default=None, help="print suggested server or client configurations. Usage Example : Ubuntu 2404 Server")
|
||||
parser.add_argument("--get-hardening-guides", nargs="*", action="append", metavar="OS Ver Client/Server", dest="get_hardening_guides", type=str, default=None, help="Print suggested server or client configurations. Usage Example : Ubuntu 2404 Server")
|
||||
parser.add_argument("--list-hardening-guides", action="store_true", dest="list_hardening_guides", default=False, help="List supported server and client configurations.")
|
||||
|
||||
# The mandatory target option. Or rather, mandatory when -L, -T, --lookup or --print-config are not used.
|
||||
parser.add_argument("host", nargs="?", action="store", type=str, default="", help="target hostname or IPv4/IPv6 address")
|
||||
@ -832,14 +833,18 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf': # p
|
||||
try:
|
||||
argument = parser.parse_args(args=args)
|
||||
|
||||
if argument.list_hardening_guides is True:
|
||||
PrintHardeningGuides.supported_varient()
|
||||
|
||||
if argument.get_hardening_guides is not None:
|
||||
print_guides = (getattr(argument, 'get_hardening_guides'))[0]
|
||||
if len(print_guides) <= 2:
|
||||
print_guides = "OS Version Edition"
|
||||
print_guides = print_guides.split(" ")
|
||||
os_type = print_guides[0]
|
||||
os_ver = print_guides[1]
|
||||
clientserver = print_guides[2]
|
||||
arg_len = len(print_guides)
|
||||
if arg_len <= 2:
|
||||
user_arg = ""
|
||||
for i in range(arg_len):
|
||||
user_arg = user_arg + " " + str(print_guides[i])
|
||||
print(f"\033[1mUnsupported configuration : {user_arg}\033[0m")
|
||||
PrintHardeningGuides.supported_varient()
|
||||
else:
|
||||
print_guides = (getattr(argument, 'get_hardening_guides'))[0]
|
||||
os_type = print_guides[0]
|
||||
|
||||
@ -12,7 +12,7 @@ class TestHardeningGuides:
|
||||
@staticmethod
|
||||
def _test_conf(conf, **kwargs):
|
||||
options = {
|
||||
'get_hardening_guides': ''
|
||||
'get_hardening_guides': '',
|
||||
}
|
||||
for k, v in kwargs.items():
|
||||
options[k] = v
|
||||
@ -26,13 +26,16 @@ class TestHardeningGuides:
|
||||
with pytest.raises(SystemExit):
|
||||
conf = c('--get-hardening-guides')
|
||||
self._test_conf(conf)
|
||||
with pytest.raises(SystemExit):
|
||||
conf = c('--list-hardening-guides')
|
||||
self._test_conf(conf)
|
||||
|
||||
for vendor in ["Amazon", "Debian", "Rocky", "Mint", "Ubuntu", "NoOS"]:
|
||||
for vendor in ["Amazon", "Debian", "Rocky", "Mint", "Ubuntu", "NoOS", " "]:
|
||||
vendor = vendor
|
||||
for os_ver in ["2404", "2204", "2004", "1804", "2023", "22", "21", "20", "9", "Bookworm", "Bullseye", "NoVersion"]:
|
||||
for os_ver in ["2404", "2204", "2004", "1804", "2023", "22", "21", "20", "9", "Bookworm", "Bullseye", "NoVersion", ""]:
|
||||
os_ver = os_ver
|
||||
for cs_type in ["Client", "Server", "Mistake"]:
|
||||
for cs_type in ["Client", "Server", "Mistake", ""]:
|
||||
cs_type = cs_type
|
||||
with pytest.raises(SystemExit):
|
||||
conf = c(f'--print-config {vendor} {os_ver} {cs_type}')
|
||||
conf = c(f'--get-hardening-guides {vendor} {os_ver} {cs_type}')
|
||||
self._test_conf(conf)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user