|
18 | 18 |
|
19 | 19 | title 'SSH server config' |
20 | 20 |
|
| 21 | +sshd_valid_ciphers = attribute('sshd_valid_ciphers', default: ssh_crypto.valid_ciphers, description: 'Expected value for sshd_config ciphers') |
| 22 | +sshd_valid_kexs = attribute('sshd_valid_kexs', default: ssh_crypto.valid_kexs, description: 'Expected value for sshd_config kexs') |
| 23 | +sshd_valid_macs = attribute('sshd_valid_macs', default: ssh_crypto.valid_macs, description: 'Expected value for sshd_config macs') |
| 24 | +sshd_permittunnel = attribute('sshd_permittunnel', default: 'no', description: 'Expected value for sshd_config PermitTunnel') |
| 25 | +sshd_tcpforwarding = attribute('sshd_tcpforwarding', default: 'no', description: 'Expected value for sshd_config TcpForwarding') |
| 26 | +sshd_agentforwarding = attribute('sshd_agentforwarding', default: 'no', description: 'Expected value for sshd_config AgentForwarding') |
| 27 | +sshd_gatewayports = attribute('sshd_gatewayports', default: 'no', description: 'Expected value for sshd_config GatewayPorts') |
| 28 | +sshd_x11forwarding = attribute('sshd_x11forwarding', default: 'no', description: 'Expected value for sshd_config X11Forwarding') |
| 29 | +sshd_banner = attribute('sshd_banner', default: 'none', description: 'Expected value for sshd_config Banner') |
| 30 | + |
21 | 31 | only_if do |
22 | 32 | command('sshd').exist? |
23 | 33 | end |
|
27 | 37 | title 'Server: Check for secure ssh ciphers' |
28 | 38 | desc 'Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)' |
29 | 39 | describe sshd_config do |
30 | | - its('Ciphers') { should eq(ssh_crypto.valid_ciphers) } |
| 40 | + its('Ciphers') { should eq(sshd_valid_ciphers) } |
31 | 41 | end |
32 | 42 | end |
33 | 43 |
|
|
36 | 46 | title 'Server: Check for secure ssh Key-Exchange Algorithm' |
37 | 47 | desc 'Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)' |
38 | 48 | describe sshd_config do |
39 | | - its('KexAlgorithms') { should eq(ssh_crypto.valid_kexs) } |
| 49 | + its('KexAlgorithms') { should eq(sshd_valid_kexs) } |
40 | 50 | end |
41 | 51 | end |
42 | 52 |
|
|
45 | 55 | title 'Server: Check for secure ssh Message Authentication Codes' |
46 | 56 | desc 'Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)' |
47 | 57 | describe sshd_config do |
48 | | - its('MACs') { should eq(ssh_crypto.valid_macs) } |
| 58 | + its('MACs') { should eq(sshd_valid_macs) } |
49 | 59 | end |
50 | 60 | end |
51 | 61 |
|
|
372 | 382 | title 'Server: Disable tunnels' |
373 | 383 | desc 'Avoid to use tunnels.' |
374 | 384 | describe sshd_config do |
375 | | - its('PermitTunnel') { should eq('no') } |
| 385 | + its('PermitTunnel') { should eq(sshd_permittunnel) } |
376 | 386 | end |
377 | 387 | end |
378 | 388 |
|
|
381 | 391 | title 'Server: Disable TCP forwarding' |
382 | 392 | desc 'If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls' |
383 | 393 | describe sshd_config do |
384 | | - its('AllowTcpForwarding') { should eq('no') } |
| 394 | + its('AllowTcpForwarding') { should eq(sshd_tcpforwarding) } |
385 | 395 | end |
386 | 396 | end |
387 | 397 |
|
|
390 | 400 | title 'Server: Disable Agent forwarding' |
391 | 401 | desc "Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent." |
392 | 402 | describe sshd_config do |
393 | | - its('AllowAgentForwarding') { should eq('no') } |
| 403 | + its('AllowAgentForwarding') { should eq(sshd_agentforwarding) } |
394 | 404 | end |
395 | 405 | end |
396 | 406 |
|
|
399 | 409 | title 'Server: Disable gateway ports' |
400 | 410 | desc 'Prevent remote hosts from connecting to forwarded ports on the node.' |
401 | 411 | describe sshd_config do |
402 | | - its('GatewayPorts') { should eq('no') } |
| 412 | + its('GatewayPorts') { should eq(sshd_gatewayports) } |
403 | 413 | end |
404 | 414 | end |
405 | 415 |
|
|
408 | 418 | title 'Server: Disable X11Forwarding' |
409 | 419 | desc 'Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.' |
410 | 420 | describe sshd_config do |
411 | | - its('X11Forwarding') { should eq('no') } |
| 421 | + its('X11Forwarding') { should eq(sshd_x11forwarding) } |
412 | 422 | end |
413 | 423 | end |
414 | 424 |
|
|
444 | 454 | title 'Server: Banner' |
445 | 455 | desc 'Specifies a banner file to serve before authentication succeeds' |
446 | 456 | describe sshd_config do |
447 | | - its('Banner') { should eq('none') } |
| 457 | + its('Banner') { should eq(sshd_banner) } |
448 | 458 | end |
449 | 459 | end |
450 | 460 |
|
|