From 78f35b3cd62e131b274bde9db38ff3b6c4487f3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Tue, 19 May 2020 21:43:09 +0200 Subject: [PATCH 1/3] Use inspec.input to load the attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- libraries/ssh_crypto.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/ssh_crypto.rb b/libraries/ssh_crypto.rb index 2acb89e..a7d9d8a 100644 --- a/libraries/ssh_crypto.rb +++ b/libraries/ssh_crypto.rb @@ -256,7 +256,7 @@ def valid_algorithms # rubocop:disable Metrics/CyclomaticComplexity # returns the hostkeys value based on valid_algorithms def valid_hostkeys - hostkeys = valid_algorithms.map { |alg| "#{sshd_custom_path}/ssh_host_#{alg}_key" } + hostkeys = valid_algorithms.map { |alg| "#{inspec.input('sshd_custom_path')}/ssh_host_#{alg}_key" } # its('HostKey') provides a string for a single-element value. # we have to return a string if we have a single-element # https://github.com/chef/inspec/issues/1434 From e1769c5509f1d97883412a6bf346fd9059625de7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20Lengronne?= Date: Wed, 20 May 2020 10:19:33 +0200 Subject: [PATCH 2/3] valid hostkeys directly in the sshd_spec.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/sshd_spec.rb | 5 ++++- libraries/ssh_crypto.rb | 11 ----------- 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb index 3e3ea0a..2fd622c 100644 --- a/controls/sshd_spec.rb +++ b/controls/sshd_spec.rb @@ -38,6 +38,9 @@ ssh_crypto.valid_privseparation end +sshd_valid_hostkeys = ssh_crypto.valid_algorithms.map { |alg| "#{sshd_custom_path}/ssh_host_#{alg}_key" } +sshd_valid_hostkeys = sshd_valid_hostkeys[0] if sshd_valid_hostkeys.length == 1 + only_if do command('sshd').exist? end 
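Review bot: The `inspec.input('sshd_custom_path')` change in `valid_hostkeys` is undone by the very next patch of this series, which deletes the method altogether, so patch 1 leaves an intermediate state no one will run and that only adds noise to bisects; squashing it into patch 2 would keep the history coherent. If a copy of this helper were ever kept in the library, the input would also need to be declared in the profile's `inspec.yml` (or passed at runtime), since as far as I can see nothing here gives it a default such as `/etc/ssh`. The enclosing `SshCrypto` resource class starts and ends outside this hunk.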
@@ -185,7 +188,7 @@ title 'Server: Specify SSH HostKeys' desc 'Specify HostKey for protection against Man-In-The-Middle Attacks' describe sshd_config(sshd_custom_path + '/sshd_config') do - its('HostKey') { should cmp ssh_crypto.valid_hostkeys } + its('HostKey') { should cmp sshd_valid_hostkeys } end end diff --git a/libraries/ssh_crypto.rb b/libraries/ssh_crypto.rb index a7d9d8a..0eda6ff 100644 --- a/libraries/ssh_crypto.rb +++ b/libraries/ssh_crypto.rb @@ -253,15 +253,4 @@ def valid_algorithms # rubocop:disable Metrics/CyclomaticComplexity alg end - - # returns the hostkeys value based on valid_algorithms - def valid_hostkeys - hostkeys = valid_algorithms.map { |alg| "#{inspec.input('sshd_custom_path')}/ssh_host_#{alg}_key" } - # its('HostKey') provides a string for a single-element value. - # we have to return a string if we have a single-element - # https://github.com/chef/inspec/issues/1434 - return hostkeys[0] if hostkeys.length == 1 - - hostkeys - end end From 472f522a4b2d3cd8d8ed8e634a96b1b695769b72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20Lengronne?= Date: Wed, 20 May 2020 10:23:00 +0200 Subject: [PATCH 3/3] code in control MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michée Lengronne --- controls/sshd_spec.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb index 2fd622c..abd0ea8 100644 --- a/controls/sshd_spec.rb +++ b/controls/sshd_spec.rb @@ -38,9 +38,6 @@ ssh_crypto.valid_privseparation end -sshd_valid_hostkeys = ssh_crypto.valid_algorithms.map { |alg| "#{sshd_custom_path}/ssh_host_#{alg}_key" } -sshd_valid_hostkeys = sshd_valid_hostkeys[0] if sshd_valid_hostkeys.length == 1 - only_if do command('sshd').exist? end 
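Review bot: The new `should cmp sshd_valid_hostkeys` compares the whole HostKey list against an array built in `valid_algorithms` order; if `cmp` compares arrays element-wise rather than as sets (I have not confirmed which it does), a host whose sshd_config lists the same key files in a different order fails this control even though the order of HostKey directives has no security meaning. Worth checking against the matcher; if order does matter, compare normalized values instead, e.g. `describe Array(sshd_config(sshd_custom_path + '/sshd_config').HostKey).sort do` / `it { should eq Array(sshd_valid_hostkeys).sort }` / `end`, which also removes the need for the single-element string special case. The `control` block that owns this `describe` starts before the hunk.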
@@ -187,6 +184,10 @@ impact 1.0 title 'Server: Specify SSH HostKeys' desc 'Specify HostKey for protection against Man-In-The-Middle Attacks' + + sshd_valid_hostkeys = ssh_crypto.valid_algorithms.map { |alg| "#{sshd_custom_path}/ssh_host_#{alg}_key" } + sshd_valid_hostkeys = sshd_valid_hostkeys[0] if sshd_valid_hostkeys.length == 1 + describe sshd_config(sshd_custom_path + '/sshd_config') do its('HostKey') { should cmp sshd_valid_hostkeys } end
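Review bot: The line `sshd_valid_hostkeys = sshd_valid_hostkeys[0] if sshd_valid_hostkeys.length == 1` moved into the control has lost the explanation that patch 2 deleted along with the library method, so a reader now sees an array collapsed to a string for no visible reason. Please carry the comment over, e.g. `# its('HostKey') yields a String when sshd_config has a single HostKey directive (chef/inspec#1434), so match that shape`, placed directly above that line. It may also be worth stating (or guarding) what is expected when `valid_algorithms` yields no entries, since an empty array then falls through to the `cmp` unchanged. The `control` block enclosing these lines starts before the hunk.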