Issue a warning if an out-dated policy is used.
parent
d0628f6eb4
commit
720150b471
|
@ -57,6 +57,7 @@ class Policy:
|
||||||
self._allow_algorithm_subset_and_reordering = False
|
self._allow_algorithm_subset_and_reordering = False
|
||||||
self._allow_larger_keys = False
|
self._allow_larger_keys = False
|
||||||
self._errors: List[Any] = []
|
self._errors: List[Any] = []
|
||||||
|
self._updated_builtin_policy_available = False # If True, an outdated built-in policy was loaded.
|
||||||
|
|
||||||
self._name_and_version: str = ''
|
self._name_and_version: str = ''
|
||||||
|
|
||||||
|
@ -496,6 +497,11 @@ macs = %s
|
||||||
return self._name_and_version
|
return self._name_and_version
|
||||||
|
|
||||||
|
|
||||||
|
def is_outdated_builtin_policy(self) -> bool:
|
||||||
|
'''Returns True if this is a built-in policy that has a more recent version available than currently selected.'''
|
||||||
|
return self._updated_builtin_policy_available
|
||||||
|
|
||||||
|
|
||||||
def is_server_policy(self) -> bool:
|
def is_server_policy(self) -> bool:
|
||||||
'''Returns True if this is a server policy, or False if this is a client policy.'''
|
'''Returns True if this is a server policy, or False if this is a client policy.'''
|
||||||
return self._server_policy
|
return self._server_policy
|
||||||
|
@ -549,6 +555,14 @@ macs = %s
|
||||||
# Ensure this struct has all the necessary fields.
|
# Ensure this struct has all the necessary fields.
|
||||||
p._normalize_hostkey_sizes() # pylint: disable=protected-access
|
p._normalize_hostkey_sizes() # pylint: disable=protected-access
|
||||||
|
|
||||||
|
# Now check if an updated version of the requested policy exists. If so, set a warning for the user.
|
||||||
|
if p is not None and p._version is not None: # pylint: disable=protected-access
|
||||||
|
next_version = str(int(p._version) + 1) # pylint: disable=protected-access
|
||||||
|
name_version_pos = policy_name.find("(version ")
|
||||||
|
next_version_name = policy_name[0:name_version_pos] + "(version %s)" % next_version
|
||||||
|
if next_version_name in BUILTIN_POLICIES:
|
||||||
|
p._updated_builtin_policy_available = True # pylint: disable=protected-access
|
||||||
|
|
||||||
return p
|
return p
|
||||||
|
|
||||||
|
|
||||||
|
|
|
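Review bot: `policy_name.find("(version ")` on the `name_version_pos` line returns -1 when the name carries no version suffix, and the following slice `policy_name[0:name_version_pos]` then silently drops the last character and builds a nonsense key, so the BUILTIN_POLICIES lookup fails quietly instead of being skipped on purpose; guard it with `if name_version_pos == -1: return p` before the slice. The probe also only asks for version+1, so a newer policy two versions ahead would go unreported if the intermediate version were ever removed — scanning BUILTIN_POLICIES for keys that share the `policy_name[0:name_version_pos]` prefix and carry a larger version number would be more robust. The `p is not None` test looks unreachable as written, since `p._normalize_hostkey_sizes()` on the context line above already dereferences p; unless an earlier branch outside the hunk returns, it can be dropped. The enclosing function starts outside the hunk.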
@ -670,7 +670,12 @@ def evaluate_policy(out: OutputBuffer, aconf: AuditConf, banner: Optional['Banne
|
||||||
|
|
||||||
passed, error_struct, error_str = aconf.policy.evaluate(banner, kex)
|
passed, error_struct, error_str = aconf.policy.evaluate(banner, kex)
|
||||||
if aconf.json:
|
if aconf.json:
|
||||||
json_struct = {'host': aconf.host, 'port': aconf.port, 'policy': aconf.policy.get_name_and_version(), 'passed': passed, 'errors': error_struct}
|
warnings: List[str] = []
|
||||||
|
if aconf.policy.is_outdated_builtin_policy():
|
||||||
|
warnings.append("A newer version of this built-in policy is available.")
|
||||||
|
|
||||||
|
json_struct = {'host': aconf.host, 'port': aconf.port, 'policy': aconf.policy.get_name_and_version(), 'passed': passed, 'errors': error_struct, 'warnings': warnings}
|
||||||
|
|
||||||
out.info(json.dumps(json_struct, indent=4 if aconf.json_print_indent else None, sort_keys=True))
|
out.info(json.dumps(json_struct, indent=4 if aconf.json_print_indent else None, sort_keys=True))
|
||||||
else:
|
else:
|
||||||
spacing = ''
|
spacing = ''
|
||||||
|
@ -703,6 +708,10 @@ def evaluate_policy(out: OutputBuffer, aconf: AuditConf, banner: Optional['Banne
|
||||||
out.fail("%sFailed!" % icon_fail)
|
out.fail("%sFailed!" % icon_fail)
|
||||||
out.warn("\nErrors:\n%s" % error_str)
|
out.warn("\nErrors:\n%s" % error_str)
|
||||||
|
|
||||||
|
# If the user selected an out-dated built-in policy then issue a warning.
|
||||||
|
if aconf.policy.is_outdated_builtin_policy():
|
||||||
|
out.warn("Note: A newer version of this built-in policy is available. Use the -L option to view all available versions.")
|
||||||
|
|
||||||
return passed
|
return passed
|
||||||
|
|
||||||
|
|
||||||
|
|
|
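Review bot: The local `warnings` introduced in the JSON branch shadows the stdlib `warnings` module name; if ssh_audit.py imports that module anywhere (its import block is not visible from this hunk) the name is masked for the rest of evaluate_policy, and even if not, `policy_warnings: List[str] = []` reads more clearly. The outdated-policy message is also written twice — once for JSON here and once, with the extra -L hint, in the text branch of the later hunk — so the two can drift; hoisting the shared sentence into one module-level constant (e.g. `OUTDATED_POLICY_WARNING = "A newer version of this built-in policy is available."`) keeps them in step. The indentation of the text-branch check before `return passed` is not recoverable from the rendered page; it should sit after the if/else so the note is printed for a passing audit too, not only under the `Failed!` branch. evaluate_policy's body starts outside the hunk.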
@ -3,5 +3,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": true,
|
"passed": true,
|
||||||
"policy": "Docker policy: test1 (version 1)",
|
"policy": "Docker policy: test1 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -28,5 +28,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker poliicy: test10 (version 1)",
|
"policy": "Docker poliicy: test10 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,5 +20,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker policy: test2 (version 1)",
|
"policy": "Docker policy: test2 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -19,5 +19,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker policy: test3 (version 1)",
|
"policy": "Docker policy: test3 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -29,5 +29,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker policy: test4 (version 1)",
|
"policy": "Docker policy: test4 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -28,5 +28,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker policy: test5 (version 1)",
|
"policy": "Docker policy: test5 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,5 +3,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": true,
|
"passed": true,
|
||||||
"policy": "Docker poliicy: test7 (version 1)",
|
"policy": "Docker poliicy: test7 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,5 +16,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker poliicy: test8 (version 1)",
|
"policy": "Docker poliicy: test8 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,5 +16,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker poliicy: test9 (version 1)",
|
"policy": "Docker poliicy: test9 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -40,5 +40,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Hardened OpenSSH Server v8.0 (version 4)",
|
"policy": "Hardened OpenSSH Server v8.0 (version 4)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -63,5 +63,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Hardened OpenSSH Server v8.0 (version 4)",
|
"policy": "Hardened OpenSSH Server v8.0 (version 4)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,5 +3,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": true,
|
"passed": true,
|
||||||
"policy": "Docker policy: test11 (version 1)",
|
"policy": "Docker policy: test11 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -40,5 +40,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker policy: test12 (version 1)",
|
"policy": "Docker policy: test12 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,5 +3,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": true,
|
"passed": true,
|
||||||
"policy": "Docker policy: test13 (version 1)",
|
"policy": "Docker policy: test13 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,5 +16,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker policy: test14 (version 1)",
|
"policy": "Docker policy: test14 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,5 +3,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": true,
|
"passed": true,
|
||||||
"policy": "Docker policy: test15 (version 1)",
|
"policy": "Docker policy: test15 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,5 +83,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": false,
|
"passed": false,
|
||||||
"policy": "Docker policy: test16 (version 1)",
|
"policy": "Docker policy: test16 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,5 +3,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": true,
|
"passed": true,
|
||||||
"policy": "Docker policy: test17 (version 1)",
|
"policy": "Docker policy: test17 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,5 +3,6 @@
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"passed": true,
|
"passed": true,
|
||||||
"policy": "Docker policy: test6 (version 1)",
|
"policy": "Docker policy: test6 (version 1)",
|
||||||
"port": 2222
|
"port": 2222,
|
||||||
|
"warnings": []
|
||||||
}
|
}
|
||||||
|
|