pr307 update 1

2025-01-26 01:49:31 +01:00 · 2024-12-23 16:11:06 +11:00 · 2024-12-23 16:11:06 +11:00 · 48b9ee7deb
commit 48b9ee7deb
parent 9814d18baf
3 changed files with 151 additions and 68 deletions
--- a/src/ssh_audit/hardeningguides.py
+++ b/src/ssh_audit/hardeningguides.py
@ -2,83 +2,129 @@ import sys

 from ssh_audit import exitcodes
 from ssh_audit.globals import VERSION
-from ssh_audit.globals import GUIDES_UPDATED
+from ssh_audit.globals import HARDENING_GUIDES

+from typing import Any, Dict, List, Optional, Union, Tuple
+from typing import Optional, Any, Union, cast

-class PrintConfig:
+class PrintHardeningGuides:
    def __init__(self, os_type: str, os_ver: str, clientserver: str) -> None:
        self.os_type = os_type
        self.os_ver = os_ver
        self.clientserver = clientserver

-        self.Get_Config()
+        self.BUILTIN_GUIDES: Dict[str, Dict[str]] = {
+
+            # Server
+            # Amazon Server
+            'Amazon 2023 Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': False},
+            'Amazon 2023 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered host keys to prioritize ED25519 due to efficiency. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': True},
+
+            # Debian Server
+            'Debian Bullseye Server (version 1)': {'version': '1', 'changelog': {'2021-09-17': 'Initial Revision.'}, 'server_policy': True},
+            'Debian Bookworm Server (version 1)': {'version': '1', 'changelog': {'2021-09-17': 'Initial Revision.'}, 'server_policy': True},
+
+            # Rocky Linux
+            'Rocky 9 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered host keys to prioritize ED25519 due to efficiency. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '\n2024-04-24': 'Added connection throttling instructions to counteract the DHEat denial-of-service attack.'}, 'server_policy': True},
+
+            # Ubuntu Server
+            'Ubuntu 2004 Server (version 1)': {'version': '1', 'changelog': {'2024-04-24': '\nAdded connection throttling instructions to counteract the DHEat denial-of-service attack.'}, 'server_policy': True},
+            'Ubuntu 2204 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': '\nRe-ordered host keys to prioritize ED25519 due to efficiency. \nRe-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks', '\n2024-04-22': '\nAdded connection throttling instructions to counteract the DHEat denial-of-service attack.'}, 'server_policy': True},
+            'Ubuntu 2404 Server (version 1)': {'version': '1', 'changelog': {'2024-10-01': '\nAdded Required RSASize directive to enforce a minimum of 3072-bit user and host-based authentication keys.', '\n2024-04-29': '\nInitial revision. In comparison to Ubuntu 22.04 LTS guide, the following changes were made: \n1.) For key exchanges, diffie-hellman-group18-sha512 and diffie-hellman-group-exchange-sha256 were prioritized over diffie-hellman-group16-sha512 due to greater security strength; GSS algorithms were prioritized over their non-GSS equivalents in order to match the client guide, \n2.) For ciphers, 256-bit AES ciphers were prioritized over 192 and 128-bit AES ciphers due to their increased resistence against quantum computing attacks (previously, weaker GCM ciphers had priority over CTR ciphers), \n3.) The HostbasedAcceptedAlgorithms and PubkeyAcceptedAlgorithms settings are now the same as HostKeyAlgorithms setting, \n4.) The hmac-sha2-512-etm@openssh.com MAC was increased in priority due to its increased resistence against quantum computing attacks, and \n5.) The ED25519 host keys were given priority over RSA host keys due to their greater efficiency.'}, 'server_policy': True},
+
+            # Client
+            # Amazon
+            'Amazon 2023 Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-04-22': 'added connection throttling instructions to counteract the DHEat denial-of-service attack.', '2024-03-15': 'Initial revision'}, 'server_policy': False},
+
+            # Debian
+            'Debian Bookworm Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Added RequiredRSASize directive to enforce a minimum of 3072-bit user and host-based authentication keys. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-03-15': 'Initial Revision'}, 'server_policy': False},
+
+            # Rocky Linux
+            'Rocky 9 Client (version 1)': {'version': '1', 'changelog': {'2024-10-01': 'Added RequiredRSASize directive to enforce a minimum of 3072-bit user and host-based authentication keys. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', '2024-03-15': 'Initial Revision'}, 'server_policy': False},
+
+            # Mint
+            'Mint 20 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
+            'Mint 21 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
+            'Mint 22 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
+
+            # Ubuntu
+            'Ubuntu 2004 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
+            'Ubuntu 2204 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
+            'Ubuntu 2404 Client (version 1)': {'version': '1', 'changelog': {'2020-10-20': 'Initial Revision'}, 'server_policy': False},
+
+
+        }
+
+        self.get_config()
+
+    def get_config(self) -> None:

-    def Get_Config(self) -> None:
        retval = exitcodes.GOOD

        os_type = self.os_type
        os_ver = self.os_ver
        clientserver = self.clientserver
+        BUILTIN_GUIDES = self.BUILTIN_GUIDES
+        policy_name = os_type + " " + os_ver + " " + clientserver

        supported_os = ["Amazon", "Debian", "Mint", "Rocky", "Ubuntu"]
        supported_edition = ["2404", "2204", "2004", "1804", "2023", "22", "21", "20", "9", "Bookworm", "Bullseye"]
        if clientserver not in ["Server", "Client"] or os_type not in supported_os and os_ver not in supported_edition:
-            PrintConfig.unknown_varient(os_type, os_ver, clientserver)
+            PrintHardeningGuides.unknown_variant(os_type, os_ver, clientserver)
            sys.exit(retval)
-        else:
-            print(" ")
-            print(f"\033[1mSSH-Audit Version : {VERSION}\033[0m")
-            print(" ")
-            print(f"\033[1mBGuides Last modified : {GUIDES_UPDATED}\033[0m")
-            print(" ")
-            print(f"\033[1mLocating configuration for {os_type} {os_ver} - {clientserver}\033[0m")
-            print(" ")
-

        # Server Configs
        if clientserver in ["Server"]:
            # Amazon Linux
            if os_type in ["Amazon"] and os_ver in ["2023"]:
-                PrintConfig.server_modern_common()
-                PrintConfig.amazon_server_2023()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.server_modern_common()
+                PrintHardeningGuides.amazon_server_2023()
                sys.exit(retval)
            # Debian
            elif os_type in ["Debian"] and os_ver in ["Bookworm"]:
-                PrintConfig.server_modern_common()
-                PrintConfig.bookworm_server()
-                PrintConfig.debian_ubuntu_rate_throttling()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.server_modern_common()
+                PrintHardeningGuides.bookworm_server()
+                PrintHardeningGuides.debian_ubuntu_rate_throttling()
                sys.exit(retval)
            elif os_type in ["Debian"] and os_ver in ["Bullseye"]:
-                PrintConfig.server_modern_common()
-                PrintConfig.bullseye_server()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.server_modern_common()
+                PrintHardeningGuides.bullseye_server()
                sys.exit(retval)
            # Rocky Linux
            elif os_type in ["Rocky"] and os_ver in ["9"]:
-                PrintConfig.server_modern_common()
-                PrintConfig.rocky_9_server()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.server_modern_common()
+                PrintHardeningGuides.rocky_9_server()
                sys.exit(retval)
            # Ubuntu
            elif os_type in ["Ubuntu"] and os_ver in ["2404"]:
-                PrintConfig.server_modern_common()
-                PrintConfig.ubuntu_server_2404()
-                PrintConfig.debian_ubuntu_rate_throttling()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.server_modern_common()
+                PrintHardeningGuides.ubuntu_server_2404()
+                PrintHardeningGuides.debian_ubuntu_rate_throttling()
                sys.exit(retval)
            elif os_type in ["Ubuntu"] and os_ver in ["2204"]:
-                PrintConfig.server_modern_common()
-                PrintConfig.ubuntu_server_2204()
-                PrintConfig.debian_ubuntu_rate_throttling()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.server_modern_common()
+                PrintHardeningGuides.ubuntu_server_2204()
+                PrintHardeningGuides.debian_ubuntu_rate_throttling()
                sys.exit(retval)
            elif os_type in ["Ubuntu"] and os_ver in ["2004"]:
-                PrintConfig.server_modern_common()
-                PrintConfig.ubuntu_server_2004()
-                PrintConfig.debian_ubuntu_rate_throttling()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.server_modern_common()
+                PrintHardeningGuides.ubuntu_server_2004()
+                PrintHardeningGuides.debian_ubuntu_rate_throttling()
                sys.exit(retval)
            elif os_type in ["Ubuntu"] and os_ver in ["1804"]:
-                PrintConfig.server_legacy_common()
-                PrintConfig.ubuntu_server_1804()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.server_legacy_common()
+                PrintHardeningGuides.ubuntu_server_1804()
                sys.exit(retval)
            else:
-                PrintConfig.unknown_varient(os_type, os_ver, clientserver)
+                PrintHardeningGuides.unknown_variant(os_type, os_ver, clientserver)
                sys.exit(retval)


@ -86,48 +132,58 @@ class PrintConfig:
        if clientserver in ["Client"]:
            # Amazon
            if os_type in ["Amazon"] and os_ver in ["2023"]:
-                PrintConfig.amazon_2023_client()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.amazon_2023_client()
                sys.exit(retval)
            # Debian
            elif os_type in ["Debian"] and os_ver in ["Bookworm"]:
-                PrintConfig.debian_bookworm_client()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.debian_bookworm_client()
                sys.exit(retval)
            # Mint
            elif os_type in ["Mint"] and os_ver in ["22"]:
-                PrintConfig.ubuntu_2404_mint_22_client()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.ubuntu_2404_mint_22_client()
                sys.exit(retval)
            elif os_type in ["Mint"] and os_ver in ["21"]:
-                PrintConfig.ubuntu_2204_mint_21_client()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.ubuntu_2204_mint_21_client()
                sys.exit(retval)
            elif os_type in ["Mint"] and os_ver in ["20"]:
-                PrintConfig.ubuntu_2004_mint_20_client()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.ubuntu_2004_mint_20_client()
                sys.exit(retval)
            # Rocky
            elif os_type in ["Rocky"] and os_ver in ["9"]:
-                PrintConfig.rocky_9_client()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.rocky_9_client()
                sys.exit(retval)
            # Ubuntu
            elif os_type in ["Ubuntu"] and os_ver in ["2404"]:
-                PrintConfig.ubuntu_2404_mint_22_client()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.ubuntu_2404_mint_22_client()
                sys.exit(retval)
            elif os_type in ["Ubuntu"] and os_ver in ["2204"]:
-                PrintConfig.ubuntu_2204_mint_21_client()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.ubuntu_2204_mint_21_client()
                sys.exit(retval)
            elif os_type in ["Ubuntu"] and os_ver in ["2004"]:
-                PrintConfig.ubuntu_2004_mint_20_client()
+                PrintHardeningGuides.print_ver_changelog(BUILTIN_GUIDES, policy_name)
+                PrintHardeningGuides.ubuntu_2004_mint_20_client()
                sys.exit(retval)
            else:
-                PrintConfig.unknown_varient(os_type, os_ver, clientserver)
+                PrintHardeningGuides.unknown_variant(os_type, os_ver, clientserver)
                sys.exit(retval)



    @staticmethod
-    def unknown_varient(os_type: str, os_ver: str, clientserver: str) -> None:
+    def unknown_variant(os_type: str, os_ver: str, clientserver: str) -> None:
        print(" ")
-        print(f"\033[1mSSH-Audit Version : {VERSION}\033[0m")
+        print(f"\033[1mssh-audit Version : {VERSION}\033[0m")
        print(" ")
-        print(f"\033[1mGuides Last modified : {GUIDES_UPDATED}\033[0m")
+        print(f"\033[1mGuides Last modified : {HARDENING_GUIDES}\033[0m")
        print(" ")
        print(f"\033[1mError unknown varient : {os_type} {os_ver} {clientserver} \033[0m")
        print(" ")
@ -153,6 +209,10 @@ class PrintConfig:
        print(r"Ubuntu 2404 Client")
        print(r"Ubuntu 2204 Client")
        print(r"Ubuntu 2004 Client")
+        print(" ")
+        print("\033[1mExample Usage : \033[0m ")
+        print(r"python3 ssh-audit.py --get-hardening-guides Ubuntu 2404 Server")
+        print(" ")


    # Client Configurations
@ -373,3 +433,26 @@ class PrintConfig:
        print("systemctl start iptables")
        print("systemctl start ip6tables")
        print(" ")
+
+    @staticmethod
+    def print_ver_changelog(BUILTIN_GUIDES, policy_name: str) -> None:
+        '''Returns a Policy with the specified built-in policy name loaded, or None if no policy of that name exists.'''
+
+        for key_name, policy in BUILTIN_GUIDES.items():
+            if policy_name in key_name:
+
+                policy_struct = BUILTIN_GUIDES[key_name]
+                policy_name_without_version = policy_name.split('(')[0]
+                name = policy_name_without_version  # pylint: disable=protected-access
+
+                version = cast(str, policy_struct['version'])  # pylint: disable=protected-access
+                changelog_struct = policy_struct['changelog']  # pylint: disable=protected-access
+                print(" ")
+                print(f"\033[1mssh-audit Version : {VERSION}\033[0m")
+                print(" ")
+                print(f"\033[1mLocating configuration for {name}\033[0m")
+                print(" ")
+                print(f"\033[1mChange Log :\033[0m")
+                for date, change in changelog_struct.items():
+                    print(f"\033[1m{date} : {change}\033[0m")
+                print(" ")
--- a/src/ssh_audit/ssh_audit.py
+++ b/src/ssh_audit/ssh_audit.py
@ -53,7 +53,7 @@ from ssh_audit.gextest import GEXTest
 from ssh_audit.hostkeytest import HostKeyTest
 from ssh_audit.outputbuffer import OutputBuffer
 from ssh_audit.policy import Policy
-from ssh_audit.printconfig import PrintConfig
+from ssh_audit.hardeningguides import PrintHardeningGuides
 from ssh_audit.product import Product
 from ssh_audit.protocol import Protocol
 from ssh_audit.software import Software
@ -818,7 +818,7 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf':  # p
    parser.add_argument("--threads", action="store", dest="threads", metavar="N", type=int, default=32, help="number of threads to use when scanning multiple targets (-T/--targets) (default: %(default)s)")

    # Print Suggested Configurations from : https://www.ssh-audit.com/hardening_guides.html
-    parser.add_argument("--print-config", nargs="*", action="append", metavar="OS Ver Client/Server", dest="print_configuration", type=str, default=None, help="print suggested server or client configurations. Usage Example : Ubuntu 2404 Server")
+    parser.add_argument("--get-hardening-guides", nargs="*", action="append", metavar="OS Ver Client/Server", dest="get_hardening_guides", type=str, default=None, help="print suggested server or client configurations. Usage Example : Ubuntu 2404 Server")

    # The mandatory target option.  Or rather, mandatory when -L, -T, --lookup or --print-config are not used.
    parser.add_argument("host", nargs="?", action="store", type=str, default="", help="target hostname or IPv4/IPv6 address")
@ -832,21 +832,21 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf':  # p
    try:
        argument = parser.parse_args(args=args)

-        if argument.print_configuration is not None:
-            print_conf = (getattr(argument, 'print_configuration'))[0]
-            if len(print_conf) <= 2:
-                print_conf = "OS Version Edition"
-                print_conf = print_conf.split(" ")
-                os_type = print_conf[0]
-                os_ver = print_conf[1]
-                clientserver = print_conf[2]
+        if argument.get_hardening_guides is not None:
+            print_guides = (getattr(argument, 'get_hardening_guides'))[0]
+            if len(print_guides) <= 2:
+                print_guides = "OS Version Edition"
+                print_guides = print_guides.split(" ")
+                os_type = print_guides[0]
+                os_ver = print_guides[1]
+                clientserver = print_guides[2]
            else:
-                print_conf = (getattr(argument, 'print_configuration'))[0]
-                os_type = print_conf[0]
-                os_ver = print_conf[1]
-                clientserver = print_conf[2]
+                print_guides = (getattr(argument, 'get_hardening_guides'))[0]
+                os_type = print_guides[0]
+                os_ver = print_guides[1]
+                clientserver = print_guides[2]

-            PrintConfig(os_type, os_ver, clientserver)
+            PrintHardeningGuides(os_type, os_ver, clientserver)


        # Set simple flags.
@ -936,7 +936,7 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf':  # p
        parser.print_help()
        sys.exit(exitcodes.UNKNOWN_ERROR)

-    if argument.host == "" and argument.client_audit is False and argument.targets is None and argument.list_policies is False and argument.lookup is None and argument.manual is False and argument.print_configuration is None:
+    if argument.host == "" and argument.client_audit is False and argument.targets is None and argument.list_policies is False and argument.lookup is None and argument.manual is False and argument.get_hardening_guides is None:
        out.fail("target host must be specified, unless -c, -m, -L, -T, --lookup or --print-configuration are used", write_now=True)
        sys.exit(exitcodes.UNKNOWN_ERROR)

--- a/test/test_hardeningguides.py
+++ b/test/test_hardeningguides.py
@ -3,7 +3,7 @@ from ssh_audit.ssh_audit import process_commandline


 # pylint: disable=attribute-defined-outside-init
-class TestAuditConf:
+class TestHardeningGuides:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.OutputBuffer = ssh_audit.OutputBuffer()
@ -12,11 +12,11 @@ class TestAuditConf:
    @staticmethod
    def _test_conf(conf, **kwargs):
        options = {
-            'print_config': ''
+            'get_hardening_guides': ''
        }
        for k, v in kwargs.items():
            options[k] = v
-        assert conf.print_config == options['print_config']
+        assert conf.get_hardening_guides == options['get_hardening_guides']

    def test_printconfig_conf_process_commandline(self):
        # pylint: disable=too-many-statements
@ -24,7 +24,7 @@ class TestAuditConf:
        with pytest.raises(SystemExit):
            conf = c('')
        with pytest.raises(SystemExit):
-            conf = c('--print-config')
+            conf = c('--get-hardening-guides')
            self._test_conf(conf)

        for vendor in ["Amazon", "Debian", "Rocky", "Mint", "Ubuntu", "NoOS"]: