Skip to content

In a container, sshd should not run as root #152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chris-rock merged 8 commits into from
May 8, 2020
Merged

In a container, sshd should not run as root #152

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
5dc04cb
In a container, ssh should not run as root
micheelengronne May 5, 2020
9305835
custom path and user added
micheelengronne May 5, 2020
1081581
correct ssh custom parameters names
micheelengronne May 5, 2020
365f2f9
variable interpolation
micheelengronne May 5, 2020
5fafd0a
ssh privilege separation for a non root user
micheelengronne May 5, 2020
d47a8eb
syntax correction
micheelengronne May 5, 2020
7fda767
EnforcedStyle: assign_to_condition
micheelengronne May 5, 2020
37a07a4
variables names fixed
micheelengronne May 7, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions controls/ssh_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,16 +22,19 @@
command('ssh').exist?
end

ssh_custom_user = attribute('ssh_custom_user', value: 'root', description: 'The SSH user is not always root. It must be an unprivileged user in a container')
ssh_custom_path = attribute('ssh_custom_path', value: '/etc/ssh', description: 'Sometimes ssh configuration files are present in another location and ssh use them with the -f flag')

control 'ssh-01' do
impact 1.0
title 'client: Check ssh_config owner, group and permissions.'
desc 'The ssh_config should owned by root, only be writable by owner and readable to all.'
desc 'The ssh_config should owned by root or a specified user, only be writable by owner and readable to all.'

describe file('/etc/ssh/ssh_config') do
describe file(ssh_custom_path + '/ssh_config') do
it { should exist }
it { should be_file }
it { should be_owned_by 'root' }
it { should be_grouped_into os.darwin? ? 'wheel' : 'root' }
it { should be_owned_by ssh_custom_user }
it { should be_grouped_into os.darwin? ? 'wheel' : ssh_custom_user }
it { should_not be_executable }
it { should be_readable.by('owner') }
it { should be_readable.by('group') }
Expand Down
20 changes: 14 additions & 6 deletions controls/sshd_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,14 @@
sshd_x11forwarding = attribute('sshd_x11forwarding', value: 'no', description: 'Expected value for sshd_config X11Forwarding')
sshd_banner = attribute('sshd_banner', value: 'none', description: 'Expected value for sshd_config Banner')
sshd_max_auth_tries = attribute('sshd_max_auth_tries', value: 2, description: 'Expected value for max_auth_retries')
sshd_custom_user = attribute('sshd_custom_user', value: 'root', description: 'The SSH user is not always root. It must be an unprivileged user in a container')
sshd_custom_path = attribute('sshd_custom_path', value: '/etc/ssh', description: 'Sometimes ssh configuration files are present in another location and ssh use them with the -f flag')

sshd_valid_privseparation = if sshd_custom_user != 'root'
'no'
else
ssh_crypto.valid_privseparation
end

only_if do
command('sshd').exist?
Expand Down Expand Up @@ -63,12 +71,12 @@
control 'sshd-04' do
impact 1.0
title 'Server: Check SSH folder owner, group and permissions.'
desc 'The SSH folder should owned by root, only be writable by owner and readable by others.'
describe file('/etc/ssh') do
desc 'The SSH folder should owned by root or a defined user, only be writable by owner and readable by others.'
describe file(sshd_custom_path) do
it { should exist }
it { should be_directory }
it { should be_owned_by 'root' }
it { should be_grouped_into os.darwin? ? 'wheel' : 'root' }
it { should be_grouped_into os.darwin? ? 'wheel' : sshd_custom_user }
it { should be_executable }
it { should be_readable.by('owner') }
it { should be_readable.by('group') }
Expand All @@ -84,7 +92,7 @@
title 'Server: Check sshd_config owner, group and permissions.'
desc 'The sshd_config should owned by root, only be writable/readable by owner and not be executable.'

describe file('/etc/ssh/sshd_config') do
describe file(sshd_custom_path + '/sshd_config') do
it { should exist }
it { should be_file }
it { should be_owned_by 'root' }
Expand Down Expand Up @@ -194,7 +202,7 @@
title 'Server: Use privilege separation'
desc 'UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.'
describe sshd_config do
its('UsePrivilegeSeparation') { should eq(ssh_crypto.valid_privseparation) }
its('UsePrivilegeSeparation') { should eq(sshd_valid_privseparation) }
end
end

Expand Down Expand Up @@ -481,7 +489,7 @@
impact 1.0
title 'Server: DH primes'
desc 'Verifies if strong DH primes are used in /etc/ssh/moduli'
describe bash("test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0") do
describe bash("test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' #{sshd_custom_path}/moduli | uniq | wc -c) -eq 0") do
its('exit_status') { should eq 0 }
its('stdout') { should eq '' }
its('stderr') { should eq '' }
Expand Down