Git/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2025-01-26 01:49:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

pr307 update 2

Browse Source
This commit is contained in:
OAM7575 2024-12-23 17:43:37 +11:00
parent 48b9ee7deb
commit 231a47959a
4 changed files with 120 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/ssh_audit/globals.py
View File

@ -38,6 +38,3 @@ SNAP_PACKAGE = False
# Error message when installed as a Snap package and a file access fails.
SNAP_PERMISSIONS_ERROR = 'Error while accessing file. It appears that ssh-audit was installed as a Snap package. In that case, there are two options: 1.) only try to read & write files in the $HOME/snap/ssh-audit/common/ directory, or 2.) grant permissions to read & write files in $HOME using the following command: "sudo snap connect ssh-audit:home :home"'
# Last update to Hardening Guides
GUIDES_UPDATED = "2024-10-01"

111
src/ssh_audit/hardeningguides.py
View File

@ -1,23 +1,38 @@
"""
The MIT License (MIT)
Copyright (C) 2020-2024 Joe Testa (jtesta@positronsecurity.com)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
"""
from typing import Dict, Any
import sys
from ssh_audit import exitcodes
from ssh_audit.globals import VERSION
from ssh_audit.globals import HARDENING_GUIDES
from typing import Any, Dict, List, Optional, Union, Tuple
from typing import Optional, Any, Union, cast
class PrintHardeningGuides:
def __init__(self, os_type: str, os_ver: str, clientserver: str) -> None:
self.os_type = os_type
self.os_ver = os_ver
self.clientserver = clientserver
self.BUILTIN_GUIDES: Dict[str, Dict[str]] = {
BUILTIN_GUIDES: Dict[str, Dict[str, Any]] = {
# Server
# Amazon Server
'Amazon 2023 Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': False},
'Amazon 2023 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered host keys to prioritize ED25519 due to efficiency. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': True},
# Debian Server
@ -51,9 +66,15 @@ class PrintHardeningGuides:
'Ubuntu 2004 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
'Ubuntu 2204 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
'Ubuntu 2404 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
}
}
class PrintHardeningGuides:
def __init__(self, os_type: str, os_ver: str, clientserver: str) -> None:
self.os_type = os_type
self.os_ver = os_ver
self.clientserver = clientserver
self.get_config()
@ -64,67 +85,70 @@ class PrintHardeningGuides:
os_type = self.os_type
os_ver = self.os_ver
clientserver = self.clientserver
BUILTIN_GUIDES = self.BUILTIN_GUIDES
policy_name = os_type + " " + os_ver + " " + clientserver
supported_os = ["Amazon", "Debian", "Mint", "Rocky", "Ubuntu"]
supported_edition = ["2404", "2204", "2004", "1804", "2023", "22", "21", "20", "9", "Bookworm", "Bullseye"]
if clientserver not in ["Server", "Client"] or os_type not in supported_os and os_ver not in supported_edition:
PrintHardeningGuides.unknown_variant(os_type, os_ver, clientserver)
print(" ")
print(f"\033[1mssh-audit Version : {VERSION}\033[0m")
print(" ")
print(f"\033[1mConfiguration : {os_type} {os_ver} {clientserver} is not supported\033[0m")
PrintHardeningGuides.supported_varient()
sys.exit(retval)
# Server Configs
if clientserver in ["Server"]:
# Amazon Linux
if os_type in ["Amazon"] and os_ver in ["2023"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.server_modern_common()
PrintHardeningGuides.amazon_server_2023()
sys.exit(retval)
# Debian
elif os_type in ["Debian"] and os_ver in ["Bookworm"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.server_modern_common()
PrintHardeningGuides.bookworm_server()
PrintHardeningGuides.debian_ubuntu_rate_throttling()
sys.exit(retval)
elif os_type in ["Debian"] and os_ver in ["Bullseye"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.server_modern_common()
PrintHardeningGuides.bullseye_server()
sys.exit(retval)
# Rocky Linux
elif os_type in ["Rocky"] and os_ver in ["9"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.server_modern_common()
PrintHardeningGuides.rocky_9_server()
sys.exit(retval)
# Ubuntu
elif os_type in ["Ubuntu"] and os_ver in ["2404"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.server_modern_common()
PrintHardeningGuides.ubuntu_server_2404()
PrintHardeningGuides.debian_ubuntu_rate_throttling()
sys.exit(retval)
elif os_type in ["Ubuntu"] and os_ver in ["2204"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.server_modern_common()
PrintHardeningGuides.ubuntu_server_2204()
PrintHardeningGuides.debian_ubuntu_rate_throttling()
sys.exit(retval)
elif os_type in ["Ubuntu"] and os_ver in ["2004"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.server_modern_common()
PrintHardeningGuides.ubuntu_server_2004()
PrintHardeningGuides.debian_ubuntu_rate_throttling()
sys.exit(retval)
elif os_type in ["Ubuntu"] and os_ver in ["1804"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.server_legacy_common()
PrintHardeningGuides.ubuntu_server_1804()
sys.exit(retval)
else:
PrintHardeningGuides.unknown_variant(os_type, os_ver, clientserver)
PrintHardeningGuides.supported_varient()
sys.exit(retval)
@ -132,65 +156,61 @@ class PrintHardeningGuides:
if clientserver in ["Client"]:
# Amazon
if os_type in ["Amazon"] and os_ver in ["2023"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.amazon_2023_client()
sys.exit(retval)
# Debian
elif os_type in ["Debian"] and os_ver in ["Bookworm"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.debian_bookworm_client()
sys.exit(retval)
# Mint
elif os_type in ["Mint"] and os_ver in ["22"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.ubuntu_2404_mint_22_client()
sys.exit(retval)
elif os_type in ["Mint"] and os_ver in ["21"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.ubuntu_2204_mint_21_client()
sys.exit(retval)
elif os_type in ["Mint"] and os_ver in ["20"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.ubuntu_2004_mint_20_client()
sys.exit(retval)
# Rocky
elif os_type in ["Rocky"] and os_ver in ["9"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.rocky_9_client()
sys.exit(retval)
# Ubuntu
elif os_type in ["Ubuntu"] and os_ver in ["2404"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.ubuntu_2404_mint_22_client()
sys.exit(retval)
elif os_type in ["Ubuntu"] and os_ver in ["2204"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.ubuntu_2204_mint_21_client()
sys.exit(retval)
elif os_type in ["Ubuntu"] and os_ver in ["2004"]:
PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
PrintHardeningGuides.print_ver_changelog(policy_name)
PrintHardeningGuides.ubuntu_2004_mint_20_client()
sys.exit(retval)
else:
PrintHardeningGuides.unknown_variant(os_type, os_ver, clientserver)
PrintHardeningGuides.supported_varient()
sys.exit(retval)
@staticmethod
def unknown_variant(os_type: str, os_ver: str, clientserver: str) -> None:
print(" ")
print(f"\033[1mssh-audit Version : {VERSION}\033[0m")
print(" ")
print(f"\033[1mGuides Last modified : {HARDENING_GUIDES}\033[0m")
print(" ")
print(f"\033[1mError unknown varient : {os_type} {os_ver} {clientserver} \033[0m")
def supported_varient() -> None:
retval = exitcodes.GOOD
print(" ")
print("For current, community developed and legacy guides")
print("check the website : https://www.ssh-audit.com/hardening_guides.html")
print(" ")
print("\033[1mSupported Server Configurations : \033[0m")
print(" ")
print(r"Amazon 2023 Server")
print(r"Debian Bookworm Server")
print(r"Debian Bullseye Server")
@ -213,6 +233,7 @@ class PrintHardeningGuides:
print("\033[1mExample Usage : \033[0m ")
print(r"python3 ssh-audit.py --get-hardening-guides Ubuntu 2404 Server")
print(" ")
sys.exit(retval)
# Client Configurations
@ -435,24 +456,22 @@ class PrintHardeningGuides:
print(" ")
@staticmethod
def print_ver_changelog(BUILTIN_GUIDES, policy_name: str) -> None:
'''Returns a Policy with the specified built-in policy name loaded, or None if no policy of that name exists.'''
def print_ver_changelog(policy_name: str) -> None:
'''Prints ssh-audit version and change log for a supported configuration'''
for key_name, policy in BUILTIN_GUIDES.items():
if policy_name in key_name:
policy_struct = BUILTIN_GUIDES[key_name]
policy_struct = policy
policy_name_without_version = policy_name.split('(')[0]
name = policy_name_without_version # pylint: disable=protected-access
version = cast(str, policy_struct['version']) # pylint: disable=protected-access
changelog_struct = policy_struct['changelog'] # pylint: disable=protected-access
print(" ")
print(f"\033[1mssh-audit Version : {VERSION}\033[0m")
print(" ")
print(f"\033[1mLocating configuration for {name}\033[0m")
print(" ")
print(f"\033[1mChange Log :\033[0m")
print("\033[1mChange Log :\033[0m")
for date, change in changelog_struct.items():
print(f"\033[1m{date} : {change}\033[0m")
print(" ")

19
src/ssh_audit/ssh_audit.py
View File

@ -818,7 +818,8 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf': # p
parser.add_argument("--threads", action="store", dest="threads", metavar="N", type=int, default=32, help="number of threads to use when scanning multiple targets (-T/--targets) (default: %(default)s)")
# Print Suggested Configurations from : https://www.ssh-audit.com/hardening_guides.html
parser.add_argument("--get-hardening-guides", nargs="*", action="append", metavar="OS Ver Client/Server", dest="get_hardening_guides", type=str, default=None, help="print suggested server or client configurations. Usage Example : Ubuntu 2404 Server")
parser.add_argument("--get-hardening-guides", nargs="*", action="append", metavar="OS Ver Client/Server", dest="get_hardening_guides", type=str, default=None, help="Print suggested server or client configurations. Usage Example : Ubuntu 2404 Server")
parser.add_argument("--list-hardening-guides", action="store_true", dest="list_hardening_guides", default=False, help="List supported server and client configurations.")
# The mandatory target option. Or rather, mandatory when -L, -T, --lookup or --print-config are not used.
parser.add_argument("host", nargs="?", action="store", type=str, default="", help="target hostname or IPv4/IPv6 address")
@ -832,14 +833,18 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf': # p
try:
argument = parser.parse_args(args=args)
if argument.list_hardening_guides is True:
PrintHardeningGuides.supported_varient()
if argument.get_hardening_guides is not None:
print_guides = (getattr(argument, 'get_hardening_guides'))[0]
if len(print_guides) <= 2:
print_guides = "OS Version Edition"
print_guides = print_guides.split(" ")
os_type = print_guides[0]
os_ver = print_guides[1]
clientserver = print_guides[2]
arg_len = len(print_guides)
if arg_len <= 2:
user_arg = ""
for i in range(arg_len):
user_arg = user_arg + " " + str(print_guides[i])
print(f"\033[1mUnsupported configuration : {user_arg}\033[0m")
PrintHardeningGuides.supported_varient()
else:
print_guides = (getattr(argument, 'get_hardening_guides'))[0]
os_type = print_guides[0]

13
test/test_hardeningguides.py
View File

@ -12,7 +12,7 @@ class TestHardeningGuides:
@staticmethod
def _test_conf(conf, **kwargs):
options = {
'get_hardening_guides': ''
'get_hardening_guides': '',
}
for k, v in kwargs.items():
options[k] = v
@ -26,13 +26,16 @@ class TestHardeningGuides:
with pytest.raises(SystemExit):
conf = c('--get-hardening-guides')
self._test_conf(conf)
with pytest.raises(SystemExit):
conf = c('--list-hardening-guides')
self._test_conf(conf)
for vendor in ["Amazon", "Debian", "Rocky", "Mint", "Ubuntu", "NoOS"]:
for vendor in ["Amazon", "Debian", "Rocky", "Mint", "Ubuntu", "NoOS", " "]:
vendor = vendor
for os_ver in ["2404", "2204", "2004", "1804", "2023", "22", "21", "20", "9", "Bookworm", "Bullseye", "NoVersion"]:
for os_ver in ["2404", "2204", "2004", "1804", "2023", "22", "21", "20", "9", "Bookworm", "Bullseye", "NoVersion", ""]:
os_ver = os_ver
for cs_type in ["Client", "Server", "Mistake"]:
for cs_type in ["Client", "Server", "Mistake", ""]:
cs_type = cs_type
with pytest.raises(SystemExit):
conf = c(f'--print-config {vendor} {os_ver} {cs_type}')
conf = c(f'--get-hardening-guides {vendor} {os_ver} {cs_type}')
self._test_conf(conf)