Skip to content

Instantly share code, notes, and snippets.

@vjeffrey

vjeffrey/compliance-report.json

Created April 5, 2019 23:19
Show Gist options
  • Save vjeffrey/16a67353bc2b151fa95cf350314f7355 to your computer and use it in GitHub Desktop.
Save vjeffrey/16a67353bc2b151fa95cf350314f7355 to your computer and use it in GitHub Desktop.
Download ZIP
compliance-report.json
Raw
compliance-report.json
{
"version": "2.30.0",
"profiles": [
{
"name": "ssh",
"title": "Basic SSH",
"maintainer": "Chef Software, Inc.",
"copyright": "Chef Software, Inc.",
"copyright_email": "[email protected]",
"license": "Proprietary, All rights reserved",
"summary": "Verify that SSH Server and SSH Client are configured securely",
"version": "1.1.0",
"supports": [
{
"os-family": "unix"
}
],
"controls": [
{
"title": "/etc/ssh should be a directory",
"desc": "In order for OpenSSH to function correctly, its\nconfiguration path must be a folder.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'basic-1' do\n impact 1.0\n title '/etc/ssh should be a directory'\n desc '\n In order for OpenSSH to function correctly, its\n configuration path must be a folder.\n '\n describe file('/etc/ssh') do\n it { should be_directory }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_folder_spec.rb",
"line": 11
},
"id": "basic-1",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh should be directory",
"run_time": 0.002151,
"start_time": "2017-07-05 14:08:05 +0200"
}
]
},
{
"title": "/etc/ssh should be owned by root",
"desc": "The OpenSSH configuration folder should be owned\nby the root user. It is an important step towards making\nsure, that configuration files are only changed by\npriviledged users.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'basic-2' do\n impact 1.0\n title '/etc/ssh should be owned by root'\n desc '\n The OpenSSH configuration folder should be owned\n by the root user. It is an important step towards making\n sure, that configuration files are only changed by\n priviledged users.\n '\n describe file('/etc/ssh') do\n it { should be_owned_by 'root' }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_folder_spec.rb",
"line": 23
},
"id": "basic-2",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh should be owned by \"root\"",
"run_time": 0.026845,
"start_time": "2017-07-05 14:08:05 +0200"
}
]
},
{
"title": "/etc/ssh should have limited access to 0755",
"desc": "The OpenSSH configuration folder should have restricted\naccess permissions. It is an important step towards making\nsure, that configuration files are only changed by\npriviledged users, while leaving them readable for the\nSSH client.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'basic-3' do\n impact 0.5\n title '/etc/ssh should have limited access to 0755'\n desc '\n The OpenSSH configuration folder should have restricted\n access permissions. It is an important step towards making\n sure, that configuration files are only changed by\n priviledged users, while leaving them readable for the\n SSH client.\n '\n describe file('/etc/ssh') do\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('others') }\n it { should_not be_readable.by('others') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_folder_spec.rb",
"line": 37
},
"id": "basic-3",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh should not be writable by group",
"run_time": 0.000469,
"start_time": "2017-07-05 14:08:05 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should not be writable by others",
"run_time": 0.000217,
"start_time": "2017-07-05 14:08:05 +0200"
},
{
"status": "failed",
"code_desc": "File /etc/ssh should not be readable by others",
"run_time": 0.003424,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected File /etc/ssh not to be readable by others"
}
]
},
{
"title": "ssh_config should have restricted access to 0644",
"desc": "The system-wide client ssh configuration file\nshould only be modified by its owner (root).",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'basic-6' do\n impact 0.5\n title 'ssh_config should have restricted access to 0644'\n desc '\n The system-wide client ssh configuration file\n should only be modified by its owner (root).\n '\n describe file('/etc/ssh/ssh_config') do\n it { should be_mode 0o644 }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 11
},
"id": "basic-6",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be mode 420",
"run_time": 0.024732,
"start_time": "2017-07-05 14:08:05 +0200"
}
]
},
{
"title": "Client: Configure address family",
"desc": "OpenSSH should be configured to the network family.\nSet it to inet if you use IPv4 only. For IPv6 only set it\nto inet6.",
"impact": 0.1,
"refs": [],
"tags": {},
"code": "control 'ssh-1' do\n impact 0.1\n title 'Client: Configure address family'\n desc '\n OpenSSH should be configured to the network family.\n Set it to inet if you use IPv4 only. For IPv6 only set it\n to inet6.\n '\n describe ssh_config do\n its('AddressFamily') { should match(/inet|any/) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 23
},
"id": "ssh-1",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration AddressFamily should match /inet|any/",
"run_time": 0.002618,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected nil to match /inet|any/"
}
]
},
{
"title": "Client: Configure expected port",
"desc": "Configure the port which you expect your SSH client to\nconnect to.",
"impact": 0.1,
"refs": [],
"tags": {},
"code": "control 'ssh-3' do\n impact 0.1\n title 'Client: Configure expected port'\n desc '\n Configure the port which you expect your SSH client to\n connect to.\n '\n describe ssh_config do\n its('Port') { should eq('22') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 36
},
"id": "ssh-3",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration Port should eq \"22\"",
"run_time": 0.0014,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"22\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Set SSH protocol version to 2",
"desc": "Set the SSH protocol version to 2. Don't use legacy\ninsecure SSHv1 connections anymore.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-4' do\n impact 1.0\n title 'Client: Set SSH protocol version to 2'\n desc \"\n Set the SSH protocol version to 2. Don't use legacy\n insecure SSHv1 connections anymore.\n \"\n describe ssh_config do\n its('Protocol') { should eq('2') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 48
},
"id": "ssh-4",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration Protocol should eq \"2\"",
"run_time": 0.000498,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable batch mode",
"desc": "Avoid batch mode in the default configuration.",
"impact": 0.1,
"refs": [],
"tags": {},
"code": "control 'ssh-5' do\n impact 0.1\n title 'Client: Disable batch mode'\n desc '\n Avoid batch mode in the default configuration.\n '\n describe ssh_config do\n its('BatchMode') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 60
},
"id": "ssh-5",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration BatchMode should eq \"no\"",
"run_time": 0.000551,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Check Host IPs",
"desc": "Make sure that SSH checks the host IP address in the\nknown_hosts file, to avoid DNS spoofing effects.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-6' do\n impact 0.5\n title 'Client: Check Host IPs'\n desc '\n Make sure that SSH checks the host IP address in the\n known_hosts file, to avoid DNS spoofing effects.\n '\n describe ssh_config do\n its('CheckHostIP') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 71
},
"id": "ssh-6",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration CheckHostIP should eq \"yes\"",
"run_time": 0.000424,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Ask when checking host keys",
"desc": "Don't automatically add new host keys to the list of\nknown hosts.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-7' do\n impact 0.5\n title 'Client: Ask when checking host keys'\n desc \"\n Don't automatically add new host keys to the list of\n known hosts.\n \"\n describe ssh_config do\n its('StrictHostKeyChecking') { should match(/ask|yes/) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 83
},
"id": "ssh-7",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration StrictHostKeyChecking should match /ask|yes/",
"run_time": 0.000437,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected nil to match /ask|yes/"
}
]
},
{
"title": "Client: Configure safe ciphers",
"desc": "Configure a list of current ciphers and avoid older\nand weaker settings.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-8' do\n impact 0.5\n title 'Client: Configure safe ciphers'\n desc '\n Configure a list of current ciphers and avoid older\n and weaker settings.\n '\n describe ssh_config do\n its('Ciphers') { should match(ssh_crypto.valid_ciphers) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 95
},
"id": "ssh-8",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration Ciphers should match \"aes256-ctr,aes192-ctr,aes128-ctr\"",
"run_time": 0.000651,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected nil to match \"aes256-ctr,aes192-ctr,aes128-ctr\""
}
]
},
{
"title": "Client: Configure safe MACs",
"desc": "Configure a list of current MACs and avoid older\nand weaker settings.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-9' do\n impact 0.5\n title 'Client: Configure safe MACs'\n desc '\n Configure a list of current MACs and avoid older\n and weaker settings.\n '\n describe ssh_config do\n its('MACs') { should match(ssh_crypto.valid_macs) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 107
},
"id": "ssh-9",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration MACs should match \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"",
"run_time": 0.00044,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected nil to match \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\""
}
]
},
{
"title": "Client: Configure safe Key Exchange algorithms",
"desc": "Configure a list of current key-exchange algorithms\nand avoid older and weaker settings.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-10' do\n impact 0.5\n title 'Client: Configure safe Key Exchange algorithms'\n desc '\n Configure a list of current key-exchange algorithms\n and avoid older and weaker settings.\n '\n describe ssh_config do\n its('KexAlgorithms') { should match(ssh_crypto.valid_kexs) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 119
},
"id": "ssh-10",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration KexAlgorithms should match \"diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\"",
"run_time": 0.000503,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected nil to match \"diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\""
}
]
},
{
"title": "Client: Disable agent forwarding",
"desc": "Prevent agent forwarding by default, as it can\nbe used in a limited way to enable attacks.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-11' do\n impact 0.5\n title 'Client: Disable agent forwarding'\n desc '\n Prevent agent forwarding by default, as it can\n be used in a limited way to enable attacks.\n '\n describe ssh_config do\n its('ForwardAgent') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 131
},
"id": "ssh-11",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration ForwardAgent should eq \"no\"",
"run_time": 0.000492,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable X11 forwarding",
"desc": "Prevent X11 forwarding by default, as it can\nbe used in a limited way to enable attacks.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-12' do\n impact 0.5\n title 'Client: Disable X11 forwarding'\n desc '\n Prevent X11 forwarding by default, as it can\n be used in a limited way to enable attacks.\n '\n describe ssh_config do\n its('ForwardX11') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 143
},
"id": "ssh-12",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration ForwardX11 should eq \"no\"",
"run_time": 0.00046,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable host-based authentication",
"desc": "Avoid host-based authentication, as it opens more ways\nfor an attacker to enter a system.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-13' do\n impact 0.5\n title 'Client: Disable host-based authentication'\n desc '\n Avoid host-based authentication, as it opens more ways\n for an attacker to enter a system.\n '\n describe ssh_config do\n its('HostbasedAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 155
},
"id": "ssh-13",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration HostbasedAuthentication should eq \"no\"",
"run_time": 0.000514,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable rhosts-based authentication",
"desc": "Avoid rhosts-based authentication, as it opens more ways\nfor an attacker to enter a system.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-14' do\n impact 0.5\n title 'Client: Disable rhosts-based authentication'\n desc '\n Avoid rhosts-based authentication, as it opens more ways\n for an attacker to enter a system.\n '\n describe ssh_config do\n its('RhostsRSAAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 167
},
"id": "ssh-14",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration RhostsRSAAuthentication should eq \"no\"",
"run_time": 0.000444,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Enable RSA authentication",
"desc": "Make sure RSA authentication is used by default.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-15' do\n impact 0.5\n title 'Client: Enable RSA authentication'\n desc '\n Make sure RSA authentication is used by default.\n '\n describe ssh_config do\n its('RSAAuthentication') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 179
},
"id": "ssh-15",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration RSAAuthentication should eq \"yes\"",
"run_time": 0.000353,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable password-based authentication",
"desc": "Avoid all password-based authentications. They are\noften weaker than key-based authentication and may enable\nweak passwords to enter a system.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-16' do\n impact 0.5\n title 'Client: Disable password-based authentication'\n desc '\n Avoid all password-based authentications. They are\n often weaker than key-based authentication and may enable\n weak passwords to enter a system.\n '\n describe ssh_config do\n its('PasswordAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 190
},
"id": "ssh-16",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration PasswordAuthentication should eq \"no\"",
"run_time": 0.000412,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable tunnels",
"desc": "Avoid using SSH tunnels.",
"impact": 0.1,
"refs": [],
"tags": {},
"code": "control 'ssh-19' do\n impact 0.1\n title 'Client: Disable tunnels'\n desc '\n Avoid using SSH tunnels.\n '\n describe ssh_config do\n its('Tunnel') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 203
},
"id": "ssh-19",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration Tunnel should eq \"no\"",
"run_time": 0.000386,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Do not permit local commands",
"desc": "Do not permit any local command execution.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'ssh-20' do\n impact 0.5\n title 'Client: Do not permit local commands'\n desc '\n Do not permit any local command execution.\n '\n describe ssh_config do\n its('PermitLocalCommand') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/ssh_spec.rb",
"line": 214
},
"id": "ssh-20",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration PermitLocalCommand should eq \"no\"",
"run_time": 0.000476,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "sshd_config should be owned by root",
"desc": "The SSH server configuration file\nshould only be modified by its owner (root).",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'basic-4' do\n impact 1.0\n title 'sshd_config should be owned by root'\n desc '\n The SSH server configuration file\n should only be modified by its owner (root).\n '\n describe file('/etc/ssh/sshd_config') do\n it { should be_owned_by 'root' }\n it { should be_grouped_into 'root' }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 11
},
"id": "basic-4",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be owned by \"root\"",
"run_time": 0.024554,
"start_time": "2017-07-05 14:08:05 +0200"
},
{
"status": "failed",
"code_desc": "File /etc/ssh/sshd_config should be grouped into \"root\"",
"run_time": 0.000407,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected `File /etc/ssh/sshd_config.grouped_into?(\"root\")` to return true, got false"
}
]
},
{
"title": "sshd_config should not be group-writable/executable",
"desc": "The SSH server configuration file\nshould not be executable (to its owner).",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'basic-4.1' do\n impact 0.5\n title 'sshd_config should not be group-writable/executable'\n desc '\n The SSH server configuration file\n should not be executable (to its owner).\n '\n describe file('/etc/ssh/sshd_config') do\n it { should_not be_executable.by('owner') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 24
},
"id": "basic-4.1",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be executable by owner",
"run_time": 0.000315,
"start_time": "2017-07-05 14:08:05 +0200"
}
]
},
{
"title": "sshd_config should not be group-writable/executable",
"desc": "The SSH server configuration file\nshould only be modified and used by its owner (root).",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'basic-5' do\n impact 0.5\n title 'sshd_config should not be group-writable/executable'\n desc '\n The SSH server configuration file\n should only be modified and used by its owner (root).\n '\n describe file('/etc/ssh/sshd_config') do\n it { should_not be_writable.by('group') }\n it { should_not be_executable.by('group') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 36
},
"id": "basic-5",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be writable by group",
"run_time": 0.000174,
"start_time": "2017-07-05 14:08:05 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be executable by group",
"run_time": 0.000132,
"start_time": "2017-07-05 14:08:05 +0200"
}
]
},
{
"title": "sshd_config should not be writable/executable to others",
"desc": "The SSH server configuration file\nshould only be modified and used by its owner (root).",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'basic-6.1' do\n impact 1.0\n title 'sshd_config should not be writable/executable to others'\n desc '\n The SSH server configuration file\n should only be modified and used by its owner (root).\n '\n describe file('/etc/ssh/sshd_config') do\n it { should_not be_writable.by('others') }\n it { should_not be_executable.by('others') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 49
},
"id": "basic-6.1",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be writable by others",
"run_time": 0.000153,
"start_time": "2017-07-05 14:08:05 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be executable by others",
"run_time": 0.000138,
"start_time": "2017-07-05 14:08:05 +0200"
}
]
},
{
"title": "sshd_config should not be accessible to others",
"desc": "The SSH server configuration file\nshould only be modified and used by its owner (root).",
"impact": 0.1,
"refs": [],
"tags": {},
"code": "control 'basic-6.2' do\n impact 0.1\n title 'sshd_config should not be accessible to others'\n desc '\n The SSH server configuration file\n should only be modified and used by its owner (root).\n '\n describe file('/etc/ssh/sshd_config') do\n it { should_not be_readable.by('others') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 62
},
"id": "basic-6.2",
"results": [
{
"status": "failed",
"code_desc": "File /etc/ssh/sshd_config should not be readable by others",
"run_time": 0.000252,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected File /etc/ssh/sshd_config not to be readable by others"
}
]
},
{
"title": "Server: Do not permit root-based login",
"desc": "To reduce the potential to gain full privileges\nof a system in the course of one attack (by either misconfiguration\nor vulnerabilities), do not allow logging in as the root user.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-7' do\n impact 1.0\n title 'Server: Do not permit root-based login'\n desc '\n To reduce the potential to gain full privileges\n of a system in the course of one attack (by either misconfiguration\n or vulnerabilities), do not allow logging in as the root user.\n '\n describe sshd_config do\n its('PermitRootLogin') { should match(/no|without-password/) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 74
},
"id": "sshd-7",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PermitRootLogin should match /no|without-password/",
"run_time": 0.001331,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected nil to match /no|without-password/"
}
]
},
{
"title": "Server: Configure the service port",
"desc": "Always specify which port the SSH server should listen to.\nPrevent unexpected settings.",
"impact": 0.6,
"refs": [],
"tags": {},
"code": "control 'sshd-8' do\n impact 0.6\n title 'Server: Configure the service port'\n desc '\n Always specify which port the SSH server should listen to.\n Prevent unexpected settings.\n '\n describe sshd_config do\n its('Port') { should eq('22') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 87
},
"id": "sshd-8",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration Port should eq \"22\"",
"run_time": 0.001236,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"22\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Specify a valid address family",
"desc": "OpenSSH should be configured to the network family.\nSet it to inet if you use IPv4 only. For IPv6 only set it\nto inet6.",
"impact": 0.1,
"refs": [],
"tags": {},
"code": "control 'sshd-9' do\n impact 0.1\n title 'Server: Specify a valid address family'\n desc '\n OpenSSH should be configured to the network family.\n Set it to inet if you use IPv4 only. For IPv6 only set it\n to inet6.\n '\n describe sshd_config do\n its('AddressFamily') { should match(/inet|any/) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 99
},
"id": "sshd-9",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration AddressFamily should match /inet|any/",
"run_time": 0.001262,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected nil to match /inet|any/"
}
]
},
{
"title": "Server: Configure a listen address",
"desc": "Limit the SSH server to listen to a specific\naddress. Don't let it listen on all interfaces to avoid\nlogins from unexpected sources.",
"impact": 0.6,
"refs": [],
"tags": {},
"code": "control 'sshd-10' do\n impact 0.6\n title 'Server: Configure a listen address'\n desc \"\n Limit the SSH server to listen to a specific\n address. Don't let it listen on all interfaces to avoid\n logins from unexpected sources.\n \"\n describe sshd_config do\n its('ListenAddress') { should_not eq('0.0.0.0') }\n its('ListenAddress') { should_not eq('::') }\n its('ListenAddress') { should_not eq(nil) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 112
},
"id": "sshd-10",
"results": [
{
"status": "passed",
"code_desc": "SSHD Configuration ListenAddress should not eq \"0.0.0.0\"",
"run_time": 0.00091,
"start_time": "2017-07-05 14:08:05 +0200"
},
{
"status": "passed",
"code_desc": "SSHD Configuration ListenAddress should not eq \"::\"",
"run_time": 0.000097,
"start_time": "2017-07-05 14:08:05 +0200"
},
{
"status": "failed",
"code_desc": "SSHD Configuration ListenAddress should not eq nil",
"run_time": 0.000139,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: value != nil\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Set protocol version to SSHv2",
"desc": "Set the SSH protocol version to 2. Don't use legacy\ninsecure SSHv1 connections anymore.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-11' do\n impact 1.0\n title 'Server: Set protocol version to SSHv2'\n desc \"\n Set the SSH protocol version to 2. Don't use legacy\n insecure SSHv1 connections anymore.\n \"\n describe sshd_config do\n its('Protocol') { should eq('2') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 127
},
"id": "sshd-11",
"results": [
{
"status": "passed",
"code_desc": "SSHD Configuration Protocol should eq \"2\"",
"run_time": 0.000863,
"start_time": "2017-07-05 14:08:05 +0200"
}
]
},
{
"title": "Server: Enable strict mode",
"desc": "Verify file modes and ownerships before accepting a\nuser's login. Prevent misconfiguration of novice users.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-12' do\n impact 1.0\n title 'Server: Enable strict mode'\n desc \"\n Verify file modes and ownerships before accepting a\n user's login. Prevent misconfiguration of novice users.\n \"\n describe sshd_config do\n its('StrictModes') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 139
},
"id": "sshd-12",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration StrictModes should eq \"yes\"",
"run_time": 0.0009,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Enable verbose logging",
"desc": "Be verbose in logging, to allow analysis in case\nof unexpected behavior.",
"impact": 0.1,
"refs": [],
"tags": {},
"code": "control 'sshd-14.1' do\n impact 0.1\n title 'Server: Enable verbose logging'\n desc '\n Be verbose in logging, to allow analysis in case\n of unexpected behavior.\n '\n describe sshd_config do\n its('LogLevel') { should match(/VERBOSE|DEBUG/) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 151
},
"id": "sshd-14.1",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration LogLevel should match /VERBOSE|DEBUG/",
"run_time": 0.000819,
"start_time": "2017-07-05 14:08:05 +0200",
"message": "expected nil to match /VERBOSE|DEBUG/"
}
]
},
{
"title": "Server: Set the minimum log level to info",
"desc": "Don't reduce logs below info level, to gain\nall necessary information for later analysis.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-14.2' do\n impact 0.5\n title 'Server: Set the minimum log level to info'\n desc \"\n Don't reduce logs below info level, to gain\n all necessary information for later analysis.\n \"\n describe sshd_config do\n its('LogLevel') { should match(/INFO|VERBOSE|DEBUG/) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 163
},
"id": "sshd-14.2",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration LogLevel should match /INFO|VERBOSE|DEBUG/",
"run_time": 0.000751,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /INFO|VERBOSE|DEBUG/"
}
]
},
{
"title": "Server: Configure a valid cipher",
"desc": "Configure a list of current ciphers and avoid older\nand weaker settings.",
"impact": 0.3,
"refs": [],
"tags": {},
"code": "control 'sshd-15' do\n impact 0.3\n title 'Server: Configure a valid cipher'\n desc '\n Configure a list of current ciphers and avoid older\n and weaker settings.\n '\n describe sshd_config do\n its('Ciphers') { should eq(ssh_crypto.valid_ciphers) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 175
},
"id": "sshd-15",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration Ciphers should eq \"aes256-ctr,aes192-ctr,aes128-ctr\"",
"run_time": 0.000928,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"aes256-ctr,aes192-ctr,aes128-ctr\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Configure a valid MAC",
"desc": "Configure a list of current MACs and avoid older\nand weaker settings.",
"impact": 0.3,
"refs": [],
"tags": {},
"code": "control 'sshd-16' do\n impact 0.3\n title 'Server: Configure a valid MAC'\n desc '\n Configure a list of current MACs and avoid older\n and weaker settings.\n '\n describe sshd_config do\n its('MACs') { should eq(ssh_crypto.valid_macs) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 187
},
"id": "sshd-16",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration MACs should eq \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"",
"run_time": 0.000835,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Configure a valid Key-Exchange Algorithm",
"desc": "Configure a list of current key-exchange algorithms\nand avoid older and weaker settings.",
"impact": 0.3,
"refs": [],
"tags": {},
"code": "control 'sshd-17' do\n impact 0.3\n title 'Server: Configure a valid Key-Exchange Algorithm'\n desc '\n Configure a list of current key-exchange algorithms\n and avoid older and weaker settings.\n '\n describe sshd_config do\n its('KexAlgorithms') { should eq(ssh_crypto.valid_kexs) }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 199
},
"id": "sshd-17",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration KexAlgorithms should eq \"diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\"",
"run_time": 0.00081,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable legacy login mechanism",
"desc": "Do not use login for interactive login sessions.",
"impact": 0.3,
"refs": [],
"tags": {},
"code": "control 'sshd-18' do\n impact 0.3\n title 'Server: Disable legacy login mechanism'\n desc '\n Do not use login for interactive login sessions.\n '\n describe sshd_config do\n its('UseLogin') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 211
},
"id": "sshd-18",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration UseLogin should eq \"no\"",
"run_time": 0.000804,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Use priviledge separation",
"desc": "Use an unprivileged child process to deal with\nincoming network traffic, to avoid privilege escalation\nby an attacker.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-19' do\n impact 0.5\n title 'Server: Use priviledge separation'\n desc '\n Use an unprivileged child process to deal with\n incoming network traffic, to avoid privilege escalation\n by an attacker.\n '\n describe sshd_config do\n its('UsePrivilegeSeparation') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 222
},
"id": "sshd-19",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration UsePrivilegeSeparation should eq \"yes\"",
"run_time": 0.000856,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable users loading their environment variables",
"desc": "Do not enable custom user environments. They may be used\nto bypass access restrictions in certain configurations.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-20' do\n impact 0.5\n title 'Server: Disable users loading their environment variables'\n desc '\n Do not enable custom user environments. They may be used\n to bypass access restrictions in certain configurations.\n '\n describe sshd_config do\n its('PermitUserEnvironment') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 235
},
"id": "sshd-20",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PermitUserEnvironment should eq \"no\"",
"run_time": 0.00091,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Set a grace-time for login",
"desc": "Limit the login time to avoid resource starvation attacks.",
"impact": 0.3,
"refs": [],
"tags": {},
"code": "control 'sshd-21' do\n impact 0.3\n title 'Server: Set a grace-time for login'\n desc '\n Limit the login time to avoid resource starvation attacks.\n '\n describe sshd_config do\n its('LoginGraceTime') { should eq('30s') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 247
},
"id": "sshd-21",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration LoginGraceTime should eq \"30s\"",
"run_time": 0.000768,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"30s\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Limit maximum auth retries",
"desc": "Limit the maximum number of authentication retries in one\nrun, to prevent resource starvation attacks.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-22' do\n impact 0.5\n title 'Server: Limit maximum auth retries'\n desc '\n Limit the maximum number of authentication retries in one\n run, to prevent resource starvation attacks.\n '\n describe sshd_config do\n its('MaxAuthTries') { should eq('2') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 258
},
"id": "sshd-22",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration MaxAuthTries should eq \"2\"",
"run_time": 0.000736,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Limit maximum user sessions to 10",
"desc": "Limit the maximum number of user sessions to a reasonable\nnumber. This avoid resource starvation attacks.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-23' do\n impact 0.5\n title 'Server: Limit maximum user sessions to 10'\n desc '\n Limit the maximum number of user sessions to a reasonable\n number. This avoid resource starvation attacks.\n '\n describe sshd_config do\n its('MaxSessions') { should eq('10') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 270
},
"id": "sshd-23",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration MaxSessions should eq \"10\"",
"run_time": 0.000784,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"10\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Limit maximum startups",
"desc": "Limit the number of concurrent unauthenticated sessions\nto prevent resource starvation attacks.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-24' do\n impact 0.5\n title 'Server: Limit maximum startups'\n desc '\n Limit the number of concurrent unauthenticated sessions\n to prevent resource starvation attacks.\n '\n describe sshd_config do\n its('MaxStartups') { should eq('10:30:100') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 282
},
"id": "sshd-24",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration MaxStartups should eq \"10:30:100\"",
"run_time": 0.000877,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"10:30:100\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Activate public key authentication",
"desc": "Prefer public key authentication mechanisms. Other methods\nare noticeably weaker (e.g. passwords). This is the preferred\nlogin mechanism.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-25' do\n impact 0.5\n title 'Server: Activate public key authentication'\n desc '\n Prefer public key authentication mechanisms. Other methods\n are noticeably weaker (e.g. passwords). This is the preferred\n login mechanism.\n '\n describe sshd_config do\n its('PubkeyAuthentication') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 294
},
"id": "sshd-25",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PubkeyAuthentication should eq \"yes\"",
"run_time": 0.001021,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Ignore legacy .rhosts configuration",
"desc": "Avoid host-based authentication, as it opens more ways\nfor an attacker to enter a system.",
"impact": 0.7,
"refs": [],
"tags": {},
"code": "control 'sshd-26' do\n impact 0.7\n title 'Server: Ignore legacy .rhosts configuration'\n desc '\n Avoid host-based authentication, as it opens more ways\n for an attacker to enter a system.\n '\n describe sshd_config do\n its('IgnoreRhosts') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 307
},
"id": "sshd-26",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration IgnoreRhosts should eq \"yes\"",
"run_time": 0.000851,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Ignore user known hosts",
"desc": "Avoid host-based authentication, as it opens more ways\nfor an attacker to enter a system.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-27' do\n impact 0.5\n title 'Server: Ignore user known hosts'\n desc '\n Avoid host-based authentication, as it opens more ways\n for an attacker to enter a system.\n '\n describe sshd_config do\n its('IgnoreUserKnownHosts') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 319
},
"id": "sshd-27",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration IgnoreUserKnownHosts should eq \"yes\"",
"run_time": 0.000827,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable hostbased authentication",
"desc": "Avoid host-based authentication, as it opens more ways\nfor an attacker to enter a system.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-28' do\n impact 0.5\n title 'Server: Disable hostbased authentication'\n desc '\n Avoid host-based authentication, as it opens more ways\n for an attacker to enter a system.\n '\n describe sshd_config do\n its('HostbasedAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 331
},
"id": "sshd-28",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration HostbasedAuthentication should eq \"no\"",
"run_time": 0.001064,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable PAM",
"desc": "Avoid challenge-response and password-based authentications.",
"impact": 0.3,
"refs": [],
"tags": {},
"code": "control 'sshd-29' do\n impact 0.3\n title 'Server: Disable PAM'\n desc '\n Avoid challenge-response and password-based authentications.\n '\n describe sshd_config do\n its('UsePAM') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 343
},
"id": "sshd-29",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration UsePAM should eq \"no\"",
"run_time": 0.001199,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable password-based authentication",
"desc": "Avoid challenge-response and password-based authentications.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-30' do\n impact 0.5\n title 'Server: Disable password-based authentication'\n desc '\n Avoid challenge-response and password-based authentications.\n '\n describe sshd_config do\n its('PasswordAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 354
},
"id": "sshd-30",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PasswordAuthentication should eq \"no\"",
"run_time": 0.001275,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable empty passwords",
"desc": "Precautionary setting if password-based authentication is used\nto avoid empy passwords.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-31' do\n impact 1.0\n title 'Server: Disable empty passwords'\n desc '\n Precautionary setting if password-based authentication is used\n to avoid empy passwords.\n '\n describe sshd_config do\n its('PermitEmptyPasswords') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 365
},
"id": "sshd-31",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PermitEmptyPasswords should eq \"no\"",
"run_time": 0.001463,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable challenge-response authentication",
"desc": "Avoid challenge-response and password-based authentications.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-32' do\n impact 0.5\n title 'Server: Disable challenge-response authentication'\n desc '\n Avoid challenge-response and password-based authentications.\n '\n describe sshd_config do\n its('ChallengeResponseAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 377
},
"id": "sshd-32",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration ChallengeResponseAuthentication should eq \"no\"",
"run_time": 0.01404,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable Kerberos or Local Password (due to the password part)",
"desc": "Avoid password-based authentication, which is used as a fallback\nwhen Kerberos fails in this setting.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-34' do\n impact 0.5\n title 'Server: Disable Kerberos or Local Password (due to the password part)'\n desc '\n Avoid password-based authentication, which is used as a fallback\n when Kerberos fails in this setting.\n '\n describe sshd_config do\n its('KerberosOrLocalPasswd') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 388
},
"id": "sshd-34",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration KerberosOrLocalPasswd should eq \"no\"",
"run_time": 0.000834,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable TCP KeepAlive",
"desc": "Use ClientAlive messages which are sent over the encrypted\nchannel and aren't spoofable to see if the client is still alive.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-38' do\n impact 0.5\n title 'Server: Disable TCP KeepAlive'\n desc \"\n Use ClientAlive messages which are sent over the encrypted\n channel and aren't spoofable to see if the client is still alive.\n \"\n describe sshd_config do\n its('TCPKeepAlive') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 400
},
"id": "sshd-38",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration TCPKeepAlive should eq \"no\"",
"run_time": 0.000757,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Configure a client alive interval",
"desc": "Use ClientAlive messages which are sent over the encrypted\nchannel and aren't spoofable to see if the client is still alive.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-39' do\n impact 0.5\n title 'Server: Configure a client alive interval'\n desc \"\n Use ClientAlive messages which are sent over the encrypted\n channel and aren't spoofable to see if the client is still alive.\n \"\n describe sshd_config do\n its('ClientAliveInterval') { should eq('600') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 412
},
"id": "sshd-39",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration ClientAliveInterval should eq \"600\"",
"run_time": 0.00081,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"600\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Configure a few client alive counters",
"desc": "Use ClientAlive messages which are sent over the encrypted\nchannel and aren't spoofable to see if the client is still alive.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-40' do\n impact 0.5\n title 'Server: Configure a few client alive counters'\n desc \"\n Use ClientAlive messages which are sent over the encrypted\n channel and aren't spoofable to see if the client is still alive.\n \"\n describe sshd_config do\n its('ClientAliveCountMax') { should eq('3') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 424
},
"id": "sshd-40",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration ClientAliveCountMax should eq \"3\"",
"run_time": 0.000815,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"3\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable tunnels",
"desc": "Avoid using SSH tunnels.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-41' do\n impact 0.5\n title 'Server: Disable tunnels'\n desc '\n Avoid using SSH tunnels.\n '\n describe sshd_config do\n its('PermitTunnel') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 436
},
"id": "sshd-41",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PermitTunnel should eq \"no\"",
"run_time": 0.000827,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable TCP forwarding",
"desc": "If shell access is disabled, this option can\nbe used to effectively disable TCP forwarders by the client.",
"impact": 0.3,
"refs": [],
"tags": {},
"code": "control 'sshd-42' do\n impact 0.3\n title 'Server: Disable TCP forwarding'\n desc '\n If shell access is disabled, this option can\n be used to effectively disable TCP forwarders by the client.\n '\n describe sshd_config do\n its('AllowTcpForwarding') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 447
},
"id": "sshd-42",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration AllowTcpForwarding should eq \"no\"",
"run_time": 0.000762,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable Agent forwarding",
"desc": "If shell access is disabled, this option can\nbe used to effectively disable agent forwarding by the client.",
"impact": 0.3,
"refs": [],
"tags": {},
"code": "control 'sshd-43' do\n impact 0.3\n title 'Server: Disable Agent forwarding'\n desc '\n If shell access is disabled, this option can\n be used to effectively disable agent forwarding by the client.\n '\n describe sshd_config do\n its('AllowAgentForwarding') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 459
},
"id": "sshd-43",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration AllowAgentForwarding should eq \"no\"",
"run_time": 0.000742,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable gateway ports",
"desc": "Prevent remote hosts from connecting to\nforwarded ports on the node.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'sshd-44' do\n impact 0.5\n title 'Server: Disable gateway ports'\n desc '\n Prevent remote hosts from connecting to\n forwarded ports on the node.\n '\n describe sshd_config do\n its('GatewayPorts') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 471
},
"id": "sshd-44",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration GatewayPorts should eq \"no\"",
"run_time": 0.000662,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable X11 forwarding",
"desc": "Prevent X11 forwarding by default, as it can\nbe used in a limited way to enable attacks.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-45' do\n impact 1.0\n title 'Server: Disable X11 forwarding'\n desc '\n Prevent X11 forwarding by default, as it can\n be used in a limited way to enable attacks.\n '\n describe sshd_config do\n its('X11Forwarding') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 483
},
"id": "sshd-45",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration X11Forwarding should eq \"no\"",
"run_time": 0.000664,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: If X11 is used, enforce localhost",
"desc": "Prevent X11 forwarding by default, as it can\nbe used in a limited way to enable attacks.",
"impact": 0.7,
"refs": [],
"tags": {},
"code": "control 'sshd-46' do\n impact 0.7\n title 'Server: If X11 is used, enforce localhost'\n desc '\n Prevent X11 forwarding by default, as it can\n be used in a limited way to enable attacks.\n '\n describe sshd_config do\n its('X11UseLocalhost') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "base/ssh/controls/sshd_spec.rb",
"line": 495
},
"id": "sshd-46",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration X11UseLocalhost should eq \"yes\"",
"run_time": 0.000847,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
}
],
"groups": [
{
"title": "SSH Folder Configuration",
"controls": [
"basic-1",
"basic-2",
"basic-3"
],
"id": "controls/ssh_folder_spec.rb"
},
{
"title": "SSH Client Config",
"controls": [
"basic-6",
"ssh-1",
"ssh-3",
"ssh-4",
"ssh-5",
"ssh-6",
"ssh-7",
"ssh-8",
"ssh-9",
"ssh-10",
"ssh-11",
"ssh-12",
"ssh-13",
"ssh-14",
"ssh-15",
"ssh-16",
"ssh-19",
"ssh-20"
],
"id": "controls/ssh_spec.rb"
},
{
"title": "SSH Server Config",
"controls": [
"basic-4",
"basic-4.1",
"basic-5",
"basic-6.1",
"basic-6.2",
"sshd-7",
"sshd-8",
"sshd-9",
"sshd-10",
"sshd-11",
"sshd-12",
"sshd-14.1",
"sshd-14.2",
"sshd-15",
"sshd-16",
"sshd-17",
"sshd-18",
"sshd-19",
"sshd-20",
"sshd-21",
"sshd-22",
"sshd-23",
"sshd-24",
"sshd-25",
"sshd-26",
"sshd-27",
"sshd-28",
"sshd-29",
"sshd-30",
"sshd-31",
"sshd-32",
"sshd-34",
"sshd-38",
"sshd-39",
"sshd-40",
"sshd-41",
"sshd-42",
"sshd-43",
"sshd-44",
"sshd-45",
"sshd-46"
],
"id": "controls/sshd_spec.rb"
}
],
"attributes": [],
"sha256": "f56ef31e9e8be7c9064e84f1db699d3f0175924a0ee4517e3a626c38727ebf93"
},
{
"name": "acme-inspec-profile",
"title": "Meta profile for Acme Inc",
"maintainer": "Christoph Hartmann",
"copyright": "Christoph Hartmann",
"copyright_email": "[email protected]",
"license": "Apache 2.0",
"summary": "This profile collects all compliance and security related requirements for Acme Inc.",
"version": "0.2.0",
"depends": [
{
"name": "ssh-baseline",
"url": "https://github.com/dev-sec/ssh-baseline"
},
{
"name": "apache-baseline",
"url": "https://github.com/dev-sec/apache-baseline"
}
],
"supports": [],
"controls": [
{
"title": "client: Check ssh_config owner, group and permissions.",
"desc": "The ssh_config should owned by root, only be writable by owner and readable to all.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 25
},
"id": "ssh-01"
},
{
"title": "Client: Specify the AddressFamily to your need",
"desc": "OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 45
},
"id": "ssh-02"
},
{
"title": "Client: Specify expected ssh port",
"desc": "Always specify which port the SSH client should connect. Prevent unexpected settings.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 54
},
"id": "ssh-03"
},
{
"title": "Client: Specify protocol version 2",
"desc": "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 63
},
"id": "ssh-04"
},
{
"title": "Client: Disable batch mode",
"desc": "Avoid batch mode in the default configuration.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 72
},
"id": "ssh-05"
},
{
"title": "Client: Check Host IPs",
"desc": "Make sure that SSH checks the host IP address in the known_hosts file, to avoid DNS spoofing effects.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 81
},
"id": "ssh-06"
},
{
"title": "Client: Ask when checking host keys",
"desc": "Don't automatically add new hosts keys to the list of known hosts.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 90
},
"id": "ssh-07"
},
{
"title": "Client: Check for secure ssh ciphers",
"desc": "Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 99
},
"id": "ssh-08"
},
{
"title": "Client: Check for secure ssh Key-Exchange Algorithm",
"desc": "Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 108
},
"id": "ssh-09"
},
{
"title": "Client: Check for secure ssh Message Authentication Codes",
"desc": "Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 117
},
"id": "ssh-10"
},
{
"title": "Client: Disable agent forwarding",
"desc": "Prevent agent forwarding by default, as it can be used in a limited way to enable attacks.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 126
},
"id": "ssh-11"
},
{
"title": "Client: Disable X11Forwarding",
"desc": "Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 135
},
"id": "ssh-12"
},
{
"title": "Client: Disable HostbasedAuthentication",
"desc": "This option is a weak way for authentication and provide attacker more ways to enter the system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 144
},
"id": "ssh-13"
},
{
"title": "Client: Disable rhosts-based authentication",
"desc": "Avoid rhosts-based authentication, as it opens more ways for an attacker to enter a system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 153
},
"id": "ssh-14"
},
{
"title": "Client: Enable RSA authentication",
"desc": "Make sure RSA authentication is used by default.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 162
},
"id": "ssh-15"
},
{
"title": "Client: Disable password-based authentication",
"desc": "Avoid password-based authentications.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 171
},
"id": "ssh-16"
},
{
"title": "Client: Disable GSSAPIAuthentication",
"desc": "If you do not use GSSAPI authentication then disable it.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 180
},
"id": "ssh-17"
},
{
"title": "Client: Disable GSSAPIDelegateCredentials",
"desc": "If you do not use GSSAPI authentication then disable it.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 189
},
"id": "ssh-18"
},
{
"title": "Client: Disable tunnels",
"desc": "Avoid using SSH tunnels.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 198
},
"id": "ssh-19"
},
{
"title": "Client: Do not permit local commands",
"desc": "Do not permit any local command execution.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 207
},
"id": "ssh-20"
},
{
"title": "Client: Do not allow Roaming",
"desc": "Workaround for SSH Client Bug CVE-2016-0777 and CVE-2016-0778",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 216
},
"id": "ssh-21"
},
{
"title": "Server: Check for secure ssh ciphers",
"desc": "Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 25
},
"id": "sshd-01"
},
{
"title": "Server: Check for secure ssh Key-Exchange Algorithm",
"desc": "Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 34
},
"id": "sshd-02"
},
{
"title": "Server: Check for secure ssh Message Authentication Codes",
"desc": "Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 43
},
"id": "sshd-03"
},
{
"title": "Server: Check SSH folder owner, group and permissions.",
"desc": "The SSH folder should owned by root, only be writable by owner and readable by others.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 52
},
"id": "sshd-04"
},
{
"title": "Server: Check sshd_config owner, group and permissions.",
"desc": "The sshd_config should owned by root, only be writable/readable by owner and not be executable.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 71
},
"id": "sshd-05"
},
{
"title": "Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication",
"desc": "Reduce the potential risk to gain full privileges access of the system because of weak password and keyboard-interactive authentication, do not allow logging in as the root user or with password authentication.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 91
},
"id": "sshd-06"
},
{
"title": "Server: Specify the listen ssh Port",
"desc": "Always specify which port the SSH server should listen to. Prevent unexpected settings.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 100
},
"id": "sshd-07"
},
{
"title": "Server: Specify the AddressFamily to your need",
"desc": "OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 109
},
"id": "sshd-08"
},
{
"title": "Server: Specify ListenAddress",
"desc": "Limit the SSH server to listen to a specific address. Don't let it listen on all interfaces to avoid logins from unexpected sources.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 118
},
"id": "sshd-09"
},
{
"title": "Server: Specify protocol version 2",
"desc": "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 127
},
"id": "sshd-10"
},
{
"title": "Server: Enable StrictModes",
"desc": "Prevent the use of insecure home directory and key file permissions.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 136
},
"id": "sshd-11"
},
{
"title": "Server: Specify SyslogFacility to AUTH",
"desc": "Logging should be set to go to the /var/log/auth.log facility by using the SysLog AUTH parameter. This will ensure that any problems around invalid logins or the like are forwarded to a central security file for auditing purposes",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 145
},
"id": "sshd-12"
},
{
"title": "Server: Specify LogLevel to VERBOSE",
"desc": "Be verbose in logging, to allow analysis in case of unexpected behavior.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 154
},
"id": "sshd-13"
},
{
"title": "Server: Specify SSH HostKeys",
"desc": "Specify HostKey for protection against Man-In-The-Middle Attacks",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 163
},
"id": "sshd-14"
},
{
"title": "Server: Specify UseLogin to NO",
"desc": "Disable legacy login mechanism and do not use login for interactive login sessions.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 172
},
"id": "sshd-15"
},
{
"title": "Server: Use privilege separation",
"desc": "UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 181
},
"id": "sshd-16"
},
{
"title": "Server: Disable PermitUserEnvironment",
"desc": "Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 190
},
"id": "sshd-17"
},
{
"title": "Server: Specify LoginGraceTime",
"desc": "The LoginGraceTime gives the user 30 seconds to accomplish a login. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 199
},
"id": "sshd-18"
},
{
"title": "Server: Specify Limit for maximum authentication retries",
"desc": "MaxAuthTries limits the user to three wrong attempts before the login attempt is denied. This avoid resource starvation attacks.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 208
},
"id": "sshd-19"
},
{
"title": "Server: Specify maximum sessions",
"desc": "Specifies the maximum number of open sessions permitted per network connection. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 217
},
"id": "sshd-20"
},
{
"title": "Server: Specify maximum startups",
"desc": "Limit the number of concurrent unauthenticated sessions to prevent Denial of Service (DoS) against a running SSH daemon.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 226
},
"id": "sshd-21"
},
{
"title": "Server: Enable PubkeyAuthentication",
"desc": "Prefer public key authentication mechanisms, because other methods are weaker (e.g. passwords).",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 235
},
"id": "sshd-22"
},
{
"title": "Server: Disable IgnoreRhosts",
"desc": "Ignore legacy .rhosts configuration, because rhosts are a weak way to authenticate systems and provide attacker more ways to enter the system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 244
},
"id": "sshd-23"
},
{
"title": "Server: Enable IgnoreUserKnownHosts",
"desc": "This option is a weak way for authentication and provide attacker more ways to enter the system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 253
},
"id": "sshd-24"
},
{
"title": "Server: Disable HostbasedAuthentication",
"desc": "This option is a weak way for authentication and provide attacker more ways to enter the system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 262
},
"id": "sshd-25"
},
{
"title": "Server: Disable password-based authentication",
"desc": "Avoid password-based authentications.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 271
},
"id": "sshd-27"
},
{
"title": "Server: Disable PermitEmptyPasswords",
"desc": "Accounts should be protected and users should be accountable. For this reason the usage of empty passwords should never be allowed.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 280
},
"id": "sshd-28"
},
{
"title": "Server: Disable ChallengeResponseAuthentication",
"desc": "Avoid challenge-response and password-based authentications.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 289
},
"id": "sshd-29"
},
{
"title": "Server: Disable Kerberos",
"desc": "Avoid kerberos authentication.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 298
},
"id": "sshd-30"
},
{
"title": "Server: Disable Kerberos or Local Password",
"desc": "Avoid kerberos authentication because it use password-based authentication as fallback.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 307
},
"id": "sshd-31"
},
{
"title": "Server: Enable KerberosTicketCleanup",
"desc": "Specifies whether to automatically destroy the user's ticket cache file on logout.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 316
},
"id": "sshd-32"
},
{
"title": "Server: Disable GSSAPIAuthentication",
"desc": "If you do not use GSSAPI authentication then disable it.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 325
},
"id": "sshd-33"
},
{
"title": "Server: Enable GSSAPICleanupCredentials",
"desc": "Automatically destroy the user's credentials cache on logout.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 334
},
"id": "sshd-34"
},
{
"title": "Server: Disable TCPKeepAlive",
"desc": "Avoid the TCPKeepAlive messages to see if the client is still alive, because they are sent over unencrypted connection and are spoofable.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 343
},
"id": "sshd-35"
},
{
"title": "Server: Set a client alive interval",
"desc": "ClientAlive messages are sent over encrypted connection and are not spoofable.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 352
},
"id": "sshd-36"
},
{
"title": "Server: Configure a few client alive counters",
"desc": "This indicates the total number of checkalive message sent by the ssh server without getting any response from the ssh client. ClientAlive messages are sent over encrypted connection and are not spoofable.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 361
},
"id": "sshd-37"
},
{
"title": "Server: Disable tunnels",
"desc": "Avoid to use tunnels.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 370
},
"id": "sshd-38"
},
{
"title": "Server: Disable TCP forwarding",
"desc": "If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 379
},
"id": "sshd-39"
},
{
"title": "Server: Disable Agent forwarding",
"desc": "Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 388
},
"id": "sshd-40"
},
{
"title": "Server: Disable gateway ports",
"desc": "Prevent remote hosts from connecting to forwarded ports on the node.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 397
},
"id": "sshd-41"
},
{
"title": "Server: Disable X11Forwarding",
"desc": "Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 406
},
"id": "sshd-42"
},
{
"title": "Server: Enable X11UseLocalhost",
"desc": "SSH daemon should bind the X11 forwarding server to the loopback address. This prevents remote hosts from connecting to the proxy display and reduce the attack surface",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 415
},
"id": "sshd-43"
},
{
"title": "Server: Disable PrintMotd",
"desc": "This specifies that the SSH daemon itself should not read and display the message of the day file.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 424
},
"id": "sshd-44"
},
{
"title": "Server: PrintLastLog",
"desc": "This tells the SSH daemon to print out information about the last time you logged in.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 433
},
"id": "sshd-45"
},
{
"title": "Server: Banner",
"desc": "Specifies a banner file to serve before authentication succeeds",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 442
},
"id": "sshd-46"
},
{
"title": "Server: DebianBanner",
"desc": "Specifies whether to include OS distribution in version information",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 451
},
"id": "sshd-47"
},
{
"title": "Server: DH primes",
"desc": "Verifies if strong DH primes are used in /etc/ssh/moduli",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 467
},
"id": "sshd-48"
},
{
"title": "Apache should be running",
"desc": "Apache should be running.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 29
},
"id": "apache-01"
},
{
"title": "Apache should be enabled",
"desc": "Configure apache service to be automatically started at boot time",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 39
},
"id": "apache-02"
},
{
"title": "Apache should start max. 1 root-task",
"desc": "The Apache service in its own non-privileged account. If the web server process runs with administrative privileges, an attack who obtains control over the apache process may control the entire system.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 49
},
"id": "apache-03"
},
{
"title": "Check Apache config folder owner, group and permissions.",
"desc": "The Apache config folder should owned and grouped by root, be writable, readable and executable by owner. It should be readable, executable by group and not readable, not writeable by others.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 58
},
"id": "apache-04"
},
{
"title": "Check Apache config file owner, group and permissions.",
"desc": "The Apache config file should owned and grouped by root, only be writable and readable by owner and not write- and readable by others.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 77
},
"id": "apache-05"
},
{
"title": "User and group should be set properly",
"desc": "For security reasons it is recommended to run Apache in its own non-privileged account.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 109
},
"id": "apache-06"
},
{
"title": "Set the apache server token",
"desc": "'ServerTokens Prod' tells Apache to return only Apache as product in the server response header on the every page request",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 119
},
"id": "apache-07"
},
{
"title": "Should not load certain modules",
"desc": "Apache HTTP should not load legacy modules",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 134
},
"id": "apache-08"
},
{
"title": "Disable TRACE-methods",
"desc": "The web server doesn’t allow TRACE request and help in blocking Cross Site Tracing attack.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 164
},
"id": "apache-09"
},
{
"title": "Disable insecure HTTP-methods",
"desc": "Disable insecure HTTP-methods and allow only necessary methods.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 179
},
"id": "apache-10"
},
{
"title": "Disable Apache’s follows Symbolic Links for directories in alias.conf",
"desc": "Should include -FollowSymLinks or +SymLinksIfOwnerMatch for directories in alias.conf",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 194
},
"id": "apache-11"
},
{
"title": "Disable Directory Listing for directories in alias.conf",
"desc": "Should include -Indexes for directories in alias.conf",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 204
},
"id": "apache-12"
},
{
"title": "SSL honor cipher order",
"desc": "When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used. If this directive is enabled, the server's preference will be used instead.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 214
},
"id": "apache-13"
},
{
"title": "Enable Apache Logging",
"desc": "Apache allows you to logging independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the commands entered by users that have interacted with your Web server.",
"impact": 1,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 235
},
"id": "apache-14"
}
],
"groups": [
{
"title": "SSH client config",
"controls": [
"ssh-01",
"ssh-02",
"ssh-03",
"ssh-04",
"ssh-05",
"ssh-06",
"ssh-07",
"ssh-08",
"ssh-09",
"ssh-10",
"ssh-11",
"ssh-12",
"ssh-13",
"ssh-14",
"ssh-15",
"ssh-16",
"ssh-17",
"ssh-18",
"ssh-19",
"ssh-20",
"ssh-21"
],
"id": "ssh-baseline-master/controls/ssh_spec.rb"
},
{
"title": "SSH server config",
"controls": [
"sshd-01",
"sshd-02",
"sshd-03",
"sshd-04",
"sshd-05",
"sshd-06",
"sshd-07",
"sshd-08",
"sshd-09",
"sshd-10",
"sshd-11",
"sshd-12",
"sshd-13",
"sshd-14",
"sshd-15",
"sshd-16",
"sshd-17",
"sshd-18",
"sshd-19",
"sshd-20",
"sshd-21",
"sshd-22",
"sshd-23",
"sshd-24",
"sshd-25",
"sshd-27",
"sshd-28",
"sshd-29",
"sshd-30",
"sshd-31",
"sshd-32",
"sshd-33",
"sshd-34",
"sshd-35",
"sshd-36",
"sshd-37",
"sshd-38",
"sshd-39",
"sshd-40",
"sshd-41",
"sshd-42",
"sshd-43",
"sshd-44",
"sshd-45",
"sshd-46",
"sshd-47",
"sshd-48"
],
"id": "ssh-baseline-master/controls/sshd_spec.rb"
},
{
"title": "Apache server config",
"controls": [
"apache-01",
"apache-02",
"apache-03",
"apache-04",
"apache-05",
"apache-06",
"apache-07",
"apache-08",
"apache-09",
"apache-10",
"apache-11",
"apache-12",
"apache-13",
"apache-14"
],
"id": "apache-baseline-master/controls/apache_spec.rb"
}
],
"attributes": [],
"sha256": "d29eec83a380dfaa278f9eaa70f0a0f08ac310f1275d38ef5171cd9806a7dbe1"
},
{
"name": "ssh-baseline",
"title": "DevSec SSH Baseline",
"maintainer": "DevSec Hardening Framework Team",
"copyright": "DevSec Hardening Framework Team",
"copyright_email": "[email protected]",
"license": "Apache-2.0",
"summary": "Test-suite for best-practice SSH hardening",
"version": "2.2.0",
"supports": [
{
"os-family": "unix"
}
],
"controls": [
{
"title": "client: Check ssh_config owner, group and permissions.",
"desc": "The ssh_config should owned by root, only be writable by owner and readable to all.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-01' do\n impact 1.0\n title 'client: Check ssh_config owner, group and permissions.'\n desc 'The ssh_config should owned by root, only be writable by owner and readable to all.'\n\n describe file('/etc/ssh/ssh_config') do\n it { should exist }\n it { should be_file }\n it { should be_owned_by 'root' }\n it { should be_grouped_into os.darwin? ? 'wheel' : 'root' }\n it { should_not be_executable }\n it { should be_readable.by('owner') }\n it { should be_readable.by('group') }\n it { should be_readable.by('other') }\n it { should be_writable.by('owner') }\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('other') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 25
},
"id": "ssh-01",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should exist",
"run_time": 0.001499,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be file",
"run_time": 0.000208,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be owned by \"root\"",
"run_time": 0.000243,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be grouped into \"wheel\"",
"run_time": 0.000115,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should not be executable",
"run_time": 0.000226,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be readable by owner",
"run_time": 0.000106,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be readable by group",
"run_time": 0.000151,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be readable by other",
"run_time": 0.000091,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be writable by owner",
"run_time": 0.000125,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should not be writable by group",
"run_time": 0.000098,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should not be writable by other",
"run_time": 0.000139,
"start_time": "2017-07-05 14:08:06 +0200"
}
]
},
{
"title": "Client: Specify the AddressFamily to your need",
"desc": "OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-02' do\n impact 1.0\n title 'Client: Specify the AddressFamily to your need'\n desc 'OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.'\n describe ssh_config do\n its('AddressFamily') { should match(/inet|inet6|any/) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 45
},
"id": "ssh-02",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration AddressFamily should match /inet|inet6|any/",
"run_time": 0.001173,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /inet|inet6|any/"
}
]
},
{
"title": "Client: Specify expected ssh port",
"desc": "Always specify which port the SSH client should connect. Prevent unexpected settings.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-03' do\n impact 1.0\n title 'Client: Specify expected ssh port'\n desc 'Always specify which port the SSH client should connect. Prevent unexpected settings.'\n describe ssh_config do\n its('Port') { should eq('22') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 54
},
"id": "ssh-03",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration Port should eq \"22\"",
"run_time": 0.000502,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"22\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Specify protocol version 2",
"desc": "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-04' do\n impact 1.0\n title 'Client: Specify protocol version 2'\n desc \"Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.\"\n describe ssh_config do\n its('Protocol') { should eq('2') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 63
},
"id": "ssh-04",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration Protocol should eq \"2\"",
"run_time": 0.000494,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable batch mode",
"desc": "Avoid batch mode in the default configuration.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-05' do\n impact 1.0\n title 'Client: Disable batch mode'\n desc 'Avoid batch mode in the default configuration.'\n describe ssh_config do\n its('BatchMode') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 72
},
"id": "ssh-05",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration BatchMode should eq \"no\"",
"run_time": 0.000746,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Check Host IPs",
"desc": "Make sure that SSH checks the host IP address in the known_hosts file, to avoid DNS spoofing effects.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-06' do\n impact 1.0\n title 'Client: Check Host IPs'\n desc 'Make sure that SSH checks the host IP address in the known_hosts file, to avoid DNS spoofing effects.'\n describe ssh_config do\n its('CheckHostIP') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 81
},
"id": "ssh-06",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration CheckHostIP should eq \"yes\"",
"run_time": 0.000484,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Ask when checking host keys",
"desc": "Don't automatically add new hosts keys to the list of known hosts.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-07' do\n impact 1.0\n title 'Client: Ask when checking host keys'\n desc \"Don't automatically add new hosts keys to the list of known hosts.\"\n describe ssh_config do\n its('StrictHostKeyChecking') { should match(/ask|yes/) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 90
},
"id": "ssh-07",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration StrictHostKeyChecking should match /ask|yes/",
"run_time": 0.004391,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /ask|yes/"
}
]
},
{
"title": "Client: Check for secure ssh ciphers",
"desc": "Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-08' do\n impact 1.0\n title 'Client: Check for secure ssh ciphers'\n desc 'Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)'\n describe ssh_config do\n its('Ciphers') { should eq(ssh_crypto.valid_ciphers) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 99
},
"id": "ssh-08",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration Ciphers should eq \"[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\"",
"run_time": 0.000688,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Check for secure ssh Key-Exchange Algorithm",
"desc": "Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-09' do\n impact 1.0\n title 'Client: Check for secure ssh Key-Exchange Algorithm'\n desc 'Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)'\n describe ssh_config do\n its('KexAlgorithms') { should eq(ssh_crypto.valid_kexs) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 108
},
"id": "ssh-09",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration KexAlgorithms should eq \"[email protected],diffie-hellman-group-exchange-sha256\"",
"run_time": 0.00059,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"[email protected],diffie-hellman-group-exchange-sha256\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Check for secure ssh Message Authentication Codes",
"desc": "Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-10' do\n impact 1.0\n title 'Client: Check for secure ssh Message Authentication Codes'\n desc 'Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)'\n describe ssh_config do\n its('MACs') { should eq(ssh_crypto.valid_macs) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 117
},
"id": "ssh-10",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration MACs should eq \"[email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"",
"run_time": 0.003887,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"[email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable agent forwarding",
"desc": "Prevent agent forwarding by default, as it can be used in a limited way to enable attacks.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-11' do\n impact 1.0\n title 'Client: Disable agent forwarding'\n desc 'Prevent agent forwarding by default, as it can be used in a limited way to enable attacks.'\n describe ssh_config do\n its('ForwardAgent') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 126
},
"id": "ssh-11",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration ForwardAgent should eq \"no\"",
"run_time": 0.000701,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable X11Forwarding",
"desc": "Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-12' do\n impact 1.0\n title 'Client: Disable X11Forwarding'\n desc 'Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.'\n describe ssh_config do\n its('ForwardX11') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 135
},
"id": "ssh-12",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration ForwardX11 should eq \"no\"",
"run_time": 0.000674,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable HostbasedAuthentication",
"desc": "This option is a weak way for authentication and provide attacker more ways to enter the system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-13' do\n impact 1.0\n title 'Client: Disable HostbasedAuthentication'\n desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.'\n describe ssh_config do\n its('HostbasedAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 144
},
"id": "ssh-13",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration HostbasedAuthentication should eq \"no\"",
"run_time": 0.000563,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable rhosts-based authentication",
"desc": "Avoid rhosts-based authentication, as it opens more ways for an attacker to enter a system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-14' do\n impact 1.0\n title 'Client: Disable rhosts-based authentication'\n desc 'Avoid rhosts-based authentication, as it opens more ways for an attacker to enter a system.'\n describe ssh_config do\n its('RhostsRSAAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 153
},
"id": "ssh-14",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration RhostsRSAAuthentication should eq \"no\"",
"run_time": 0.000424,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Enable RSA authentication",
"desc": "Make sure RSA authentication is used by default.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-15' do\n impact 1.0\n title 'Client: Enable RSA authentication'\n desc 'Make sure RSA authentication is used by default.'\n describe ssh_config do\n its('RSAAuthentication') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 162
},
"id": "ssh-15",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration RSAAuthentication should eq \"yes\"",
"run_time": 0.000427,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable password-based authentication",
"desc": "Avoid password-based authentications.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-16' do\n impact 1.0\n title 'Client: Disable password-based authentication'\n desc 'Avoid password-based authentications.'\n describe ssh_config do\n its('PasswordAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 171
},
"id": "ssh-16",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration PasswordAuthentication should eq \"no\"",
"run_time": 0.000389,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable GSSAPIAuthentication",
"desc": "If you do not use GSSAPI authentication then disable it.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-17' do\n impact 1.0\n title 'Client: Disable GSSAPIAuthentication'\n desc 'If you do not use GSSAPI authentication then disable it.'\n describe ssh_config do\n its('GSSAPIAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 180
},
"id": "ssh-17",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration GSSAPIAuthentication should eq \"no\"",
"run_time": 0.000479,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable GSSAPIDelegateCredentials",
"desc": "If you do not use GSSAPI authentication then disable it.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-18' do\n impact 1.0\n title 'Client: Disable GSSAPIDelegateCredentials'\n desc 'If you do not use GSSAPI authentication then disable it.'\n describe ssh_config do\n its('GSSAPIDelegateCredentials') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 189
},
"id": "ssh-18",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration GSSAPIDelegateCredentials should eq \"no\"",
"run_time": 0.000649,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Disable tunnels",
"desc": "Avoid using SSH tunnels.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-19' do\n impact 1.0\n title 'Client: Disable tunnels'\n desc 'Avoid using SSH tunnels.'\n describe ssh_config do\n its('Tunnel') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 198
},
"id": "ssh-19",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration Tunnel should eq \"no\"",
"run_time": 0.000595,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Do not permit local commands",
"desc": "Do not permit any local command execution.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-20' do\n impact 1.0\n title 'Client: Do not permit local commands'\n desc 'Do not permit any local command execution.'\n describe ssh_config do\n its('PermitLocalCommand') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 207
},
"id": "ssh-20",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration PermitLocalCommand should eq \"no\"",
"run_time": 0.000716,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Client: Do not allow Roaming",
"desc": "Workaround for SSH Client Bug CVE-2016-0777 and CVE-2016-0778",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'ssh-21' do\n impact 1.0\n title 'Client: Do not allow Roaming'\n desc 'Workaround for SSH Client Bug CVE-2016-0777 and CVE-2016-0778'\n describe ssh_config do\n its('UseRoaming') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 216
},
"id": "ssh-21",
"results": [
{
"status": "failed",
"code_desc": "SSH Configuration UseRoaming should eq \"no\"",
"run_time": 0.00051,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Check for secure ssh ciphers",
"desc": "Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-01' do\n impact 1.0\n title 'Server: Check for secure ssh ciphers'\n desc 'Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)'\n describe sshd_config do\n its('Ciphers') { should eq(ssh_crypto.valid_ciphers) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 25
},
"id": "sshd-01",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration Ciphers should eq \"[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\"",
"run_time": 0.00126,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Check for secure ssh Key-Exchange Algorithm",
"desc": "Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-02' do\n impact 1.0\n title 'Server: Check for secure ssh Key-Exchange Algorithm'\n desc 'Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)'\n describe sshd_config do\n its('KexAlgorithms') { should eq(ssh_crypto.valid_kexs) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 34
},
"id": "sshd-02",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration KexAlgorithms should eq \"[email protected],diffie-hellman-group-exchange-sha256\"",
"run_time": 0.001071,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"[email protected],diffie-hellman-group-exchange-sha256\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Check for secure ssh Message Authentication Codes",
"desc": "Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-03' do\n impact 1.0\n title 'Server: Check for secure ssh Message Authentication Codes'\n desc 'Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)'\n describe sshd_config do\n its('MACs') { should eq(ssh_crypto.valid_macs) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 43
},
"id": "sshd-03",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration MACs should eq \"[email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"",
"run_time": 0.000877,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"[email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Check SSH folder owner, group and permissions.",
"desc": "The SSH folder should owned by root, only be writable by owner and readable by others.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-04' do\n impact 1.0\n title 'Server: Check SSH folder owner, group and permissions.'\n desc 'The SSH folder should owned by root, only be writable by owner and readable by others.'\n describe file('/etc/ssh') do\n it { should exist }\n it { should be_directory }\n it { should be_owned_by 'root' }\n it { should be_grouped_into os.darwin? ? 'wheel' : 'root' }\n it { should be_executable }\n it { should be_readable.by('owner') }\n it { should be_readable.by('group') }\n it { should be_readable.by('other') }\n it { should be_writable.by('owner') }\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('other') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 52
},
"id": "sshd-04",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh should exist",
"run_time": 0.000117,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should be directory",
"run_time": 0.000096,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should be owned by \"root\"",
"run_time": 0.000142,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should be grouped into \"wheel\"",
"run_time": 0.000098,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should be executable",
"run_time": 0.000116,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should be readable by owner",
"run_time": 0.00015,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should be readable by group",
"run_time": 0.000167,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should be readable by other",
"run_time": 0.000088,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should be writable by owner",
"run_time": 0.000093,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should not be writable by group",
"run_time": 0.000264,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh should not be writable by other",
"run_time": 0.000152,
"start_time": "2017-07-05 14:08:06 +0200"
}
]
},
{
"title": "Server: Check sshd_config owner, group and permissions.",
"desc": "The sshd_config should owned by root, only be writable/readable by owner and not be executable.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-05' do\n impact 1.0\n title 'Server: Check sshd_config owner, group and permissions.'\n desc 'The sshd_config should owned by root, only be writable/readable by owner and not be executable.'\n\n describe file('/etc/ssh/sshd_config') do\n it { should exist }\n it { should be_file }\n it { should be_owned_by 'root' }\n it { should be_grouped_into os.darwin? ? 'wheel' : 'root' }\n it { should_not be_executable }\n it { should be_readable.by('owner') }\n it { should_not be_readable.by('group') }\n it { should_not be_readable.by('other') }\n it { should be_writable.by('owner') }\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('other') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 71
},
"id": "sshd-05",
"results": [
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should exist",
"run_time": 0.000091,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be file",
"run_time": 0.000152,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be owned by \"root\"",
"run_time": 0.000102,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be grouped into \"wheel\"",
"run_time": 0.00014,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be executable",
"run_time": 0.000172,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be readable by owner",
"run_time": 0.000091,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "failed",
"code_desc": "File /etc/ssh/sshd_config should not be readable by group",
"run_time": 0.000195,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/ssh/sshd_config not to be readable by group"
},
{
"status": "failed",
"code_desc": "File /etc/ssh/sshd_config should not be readable by other",
"run_time": 0.000147,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/ssh/sshd_config not to be readable by other"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be writable by owner",
"run_time": 0.0001,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be writable by group",
"run_time": 0.000112,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be writable by other",
"run_time": 0.000121,
"start_time": "2017-07-05 14:08:06 +0200"
}
]
},
{
"title": "Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication",
"desc": "Reduce the potential risk to gain full privileges access of the system because of weak password and keyboard-interactive authentication, do not allow logging in as the root user or with password authentication.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-06' do\n impact 1.0\n title 'Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication'\n desc 'Reduce the potential risk to gain full privileges access of the system because of weak password and keyboard-interactive authentication, do not allow logging in as the root user or with password authentication.'\n describe sshd_config do\n its('PermitRootLogin') { should match(/no|without-password/) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 91
},
"id": "sshd-06",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PermitRootLogin should match /no|without-password/",
"run_time": 0.001318,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /no|without-password/"
}
]
},
{
"title": "Server: Specify the listen ssh Port",
"desc": "Always specify which port the SSH server should listen to. Prevent unexpected settings.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-07' do\n impact 1.0\n title 'Server: Specify the listen ssh Port'\n desc 'Always specify which port the SSH server should listen to. Prevent unexpected settings.'\n describe sshd_config do\n its('Port') { should eq('22') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 100
},
"id": "sshd-07",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration Port should eq \"22\"",
"run_time": 0.001107,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"22\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Specify the AddressFamily to your need",
"desc": "OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-08' do\n impact 1.0\n title 'Server: Specify the AddressFamily to your need'\n desc 'OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.'\n describe sshd_config do\n its('AddressFamily') { should match(/inet|inet6|any/) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 109
},
"id": "sshd-08",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration AddressFamily should match /inet|inet6|any/",
"run_time": 0.000958,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /inet|inet6|any/"
}
]
},
{
"title": "Server: Specify ListenAddress",
"desc": "Limit the SSH server to listen to a specific address. Don't let it listen on all interfaces to avoid logins from unexpected sources.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-09' do\n impact 1.0\n title 'Server: Specify ListenAddress'\n desc \"Limit the SSH server to listen to a specific address. Don't let it listen on all interfaces to avoid logins from unexpected sources.\"\n describe sshd_config do\n its('ListenAddress') { should match(/.*/) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 118
},
"id": "sshd-09",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration ListenAddress should match /.*/",
"run_time": 0.000975,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /.*/"
}
]
},
{
"title": "Server: Specify protocol version 2",
"desc": "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-10' do\n impact 1.0\n title 'Server: Specify protocol version 2'\n desc \"Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.\"\n describe sshd_config do\n its('Protocol') { should eq('2') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 127
},
"id": "sshd-10",
"results": [
{
"status": "passed",
"code_desc": "SSHD Configuration Protocol should eq \"2\"",
"run_time": 0.000855,
"start_time": "2017-07-05 14:08:06 +0200"
}
]
},
{
"title": "Server: Enable StrictModes",
"desc": "Prevent the use of insecure home directory and key file permissions.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-11' do\n impact 1.0\n title 'Server: Enable StrictModes'\n desc 'Prevent the use of insecure home directory and key file permissions.'\n describe sshd_config do\n its('StrictModes') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 136
},
"id": "sshd-11",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration StrictModes should eq \"yes\"",
"run_time": 0.000936,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Specify SyslogFacility to AUTH",
"desc": "Logging should be set to go to the /var/log/auth.log facility by using the SysLog AUTH parameter. This will ensure that any problems around invalid logins or the like are forwarded to a central security file for auditing purposes",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-12' do\n impact 1.0\n title 'Server: Specify SyslogFacility to AUTH'\n desc 'Logging should be set to go to the /var/log/auth.log facility by using the SysLog AUTH parameter. This will ensure that any problems around invalid logins or the like are forwarded to a central security file for auditing purposes'\n describe sshd_config do\n its('SyslogFacility') { should eq('AUTH') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 145
},
"id": "sshd-12",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration SyslogFacility should eq \"AUTH\"",
"run_time": 0.000844,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"AUTH\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Specify LogLevel to VERBOSE",
"desc": "Be verbose in logging, to allow analysis in case of unexpected behavior.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-13' do\n impact 1.0\n title 'Server: Specify LogLevel to VERBOSE'\n desc 'Be verbose in logging, to allow analysis in case of unexpected behavior.'\n describe sshd_config do\n its('LogLevel') { should eq('VERBOSE') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 154
},
"id": "sshd-13",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration LogLevel should eq \"VERBOSE\"",
"run_time": 0.000801,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"VERBOSE\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Specify SSH HostKeys",
"desc": "Specify HostKey for protection against Man-In-The-Middle Attacks",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-14' do\n impact 1.0\n title 'Server: Specify SSH HostKeys'\n desc 'Specify HostKey for protection against Man-In-The-Middle Attacks'\n describe sshd_config do\n its('HostKey') { should cmp ssh_crypto.valid_hostkeys }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 163
},
"id": "sshd-14",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration HostKey should cmp == [\"/etc/ssh/ssh_host_rsa_key\", \"/etc/ssh/ssh_host_ecdsa_key\", \"/etc/ssh/ssh_host_ed25519_key\"]",
"run_time": 0.001025,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: [\"/etc/ssh/ssh_host_rsa_key\", \"/etc/ssh/ssh_host_ecdsa_key\", \"/etc/ssh/ssh_host_ed25519_key\"]\n got: \n\n(compared using `cmp` matcher)\n"
}
]
},
{
"title": "Server: Specify UseLogin to NO",
"desc": "Disable legacy login mechanism and do not use login for interactive login sessions.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-15' do\n impact 1.0\n title 'Server: Specify UseLogin to NO'\n desc 'Disable legacy login mechanism and do not use login for interactive login sessions.'\n describe sshd_config do\n its('UseLogin') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 172
},
"id": "sshd-15",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration UseLogin should eq \"no\"",
"run_time": 0.000864,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Use privilege separation",
"desc": "UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-16' do\n impact 1.0\n title 'Server: Use privilege separation'\n desc 'UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.'\n describe sshd_config do\n its('UsePrivilegeSeparation') { should eq(ssh_crypto.valid_privseparation) }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 181
},
"id": "sshd-16",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration UsePrivilegeSeparation should eq \"sandbox\"",
"run_time": 0.000869,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"sandbox\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable PermitUserEnvironment",
"desc": "Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-17' do\n impact 1.0\n title 'Server: Disable PermitUserEnvironment'\n desc 'Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.'\n describe sshd_config do\n its('PermitUserEnvironment') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 190
},
"id": "sshd-17",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PermitUserEnvironment should eq \"no\"",
"run_time": 0.000838,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Specify LoginGraceTime",
"desc": "The LoginGraceTime gives the user 30 seconds to accomplish a login. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-18' do\n impact 1.0\n title 'Server: Specify LoginGraceTime'\n desc 'The LoginGraceTime gives the user 30 seconds to accomplish a login. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.'\n describe sshd_config do\n its('LoginGraceTime') { should eq('30s') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 199
},
"id": "sshd-18",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration LoginGraceTime should eq \"30s\"",
"run_time": 0.000817,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"30s\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Specify Limit for maximum authentication retries",
"desc": "MaxAuthTries limits the user to three wrong attempts before the login attempt is denied. This avoid resource starvation attacks.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-19' do\n impact 1.0\n title 'Server: Specify Limit for maximum authentication retries'\n desc 'MaxAuthTries limits the user to three wrong attempts before the login attempt is denied. This avoid resource starvation attacks.'\n describe sshd_config do\n its('MaxAuthTries') { should eq('2') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 208
},
"id": "sshd-19",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration MaxAuthTries should eq \"2\"",
"run_time": 0.000852,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Specify maximum sessions",
"desc": "Specifies the maximum number of open sessions permitted per network connection. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-20' do\n impact 1.0\n title 'Server: Specify maximum sessions'\n desc 'Specifies the maximum number of open sessions permitted per network connection. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.'\n describe sshd_config do\n its('MaxSessions') { should eq('10') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 217
},
"id": "sshd-20",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration MaxSessions should eq \"10\"",
"run_time": 0.000771,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"10\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Specify maximum startups",
"desc": "Limit the number of concurrent unauthenticated sessions to prevent Denial of Service (DoS) against a running SSH daemon.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-21' do\n impact 1.0\n title 'Server: Specify maximum startups'\n desc 'Limit the number of concurrent unauthenticated sessions to prevent Denial of Service (DoS) against a running SSH daemon.'\n describe sshd_config do\n its('MaxStartups') { should eq('10:30:100') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 226
},
"id": "sshd-21",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration MaxStartups should eq \"10:30:100\"",
"run_time": 0.000989,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"10:30:100\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Enable PubkeyAuthentication",
"desc": "Prefer public key authentication mechanisms, because other methods are weaker (e.g. passwords).",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-22' do\n impact 1.0\n title 'Server: Enable PubkeyAuthentication'\n desc 'Prefer public key authentication mechanisms, because other methods are weaker (e.g. passwords).'\n describe sshd_config do\n its('PubkeyAuthentication') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 235
},
"id": "sshd-22",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PubkeyAuthentication should eq \"yes\"",
"run_time": 0.000841,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable IgnoreRhosts",
"desc": "Ignore legacy .rhosts configuration, because rhosts are a weak way to authenticate systems and provide attacker more ways to enter the system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-23' do\n impact 1.0\n title 'Server: Disable IgnoreRhosts'\n desc 'Ignore legacy .rhosts configuration, because rhosts are a weak way to authenticate systems and provide attacker more ways to enter the system.'\n describe sshd_config do\n its('IgnoreRhosts') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 244
},
"id": "sshd-23",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration IgnoreRhosts should eq \"yes\"",
"run_time": 0.000904,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Enable IgnoreUserKnownHosts",
"desc": "This option is a weak way for authentication and provide attacker more ways to enter the system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-24' do\n impact 1.0\n title 'Server: Enable IgnoreUserKnownHosts'\n desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.'\n describe sshd_config do\n its('IgnoreUserKnownHosts') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 253
},
"id": "sshd-24",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration IgnoreUserKnownHosts should eq \"yes\"",
"run_time": 0.000811,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable HostbasedAuthentication",
"desc": "This option is a weak way for authentication and provide attacker more ways to enter the system.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-25' do\n impact 1.0\n title 'Server: Disable HostbasedAuthentication'\n desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.'\n describe sshd_config do\n its('HostbasedAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 262
},
"id": "sshd-25",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration HostbasedAuthentication should eq \"no\"",
"run_time": 0.000818,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable password-based authentication",
"desc": "Avoid password-based authentications.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-27' do\n impact 1.0\n title 'Server: Disable password-based authentication'\n desc 'Avoid password-based authentications.'\n describe sshd_config do\n its('PasswordAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 271
},
"id": "sshd-27",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PasswordAuthentication should eq \"no\"",
"run_time": 0.001019,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable PermitEmptyPasswords",
"desc": "Accounts should be protected and users should be accountable. For this reason the usage of empty passwords should never be allowed.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-28' do\n impact 1.0\n title 'Server: Disable PermitEmptyPasswords'\n desc 'Accounts should be protected and users should be accountable. For this reason the usage of empty passwords should never be allowed.'\n describe sshd_config do\n its('PermitEmptyPasswords') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 280
},
"id": "sshd-28",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PermitEmptyPasswords should eq \"no\"",
"run_time": 0.000845,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable ChallengeResponseAuthentication",
"desc": "Avoid challenge-response and password-based authentications.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-29' do\n impact 1.0\n title 'Server: Disable ChallengeResponseAuthentication'\n desc 'Avoid challenge-response and password-based authentications.'\n describe sshd_config do\n its('ChallengeResponseAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 289
},
"id": "sshd-29",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration ChallengeResponseAuthentication should eq \"no\"",
"run_time": 0.000907,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable Kerberos",
"desc": "Avoid kerberos authentication.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-30' do\n impact 1.0\n title 'Server: Disable Kerberos'\n desc 'Avoid kerberos authentication.'\n describe sshd_config do\n its('KerberosAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 298
},
"id": "sshd-30",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration KerberosAuthentication should eq \"no\"",
"run_time": 0.000836,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable Kerberos or Local Password",
"desc": "Avoid kerberos authentication because it use password-based authentication as fallback.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-31' do\n impact 1.0\n title 'Server: Disable Kerberos or Local Password'\n desc 'Avoid kerberos authentication because it use password-based authentication as fallback.'\n describe sshd_config do\n its('KerberosOrLocalPasswd') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 307
},
"id": "sshd-31",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration KerberosOrLocalPasswd should eq \"no\"",
"run_time": 0.000843,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Enable KerberosTicketCleanup",
"desc": "Specifies whether to automatically destroy the user's ticket cache file on logout.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-32' do\n impact 1.0\n title 'Server: Enable KerberosTicketCleanup'\n desc \"Specifies whether to automatically destroy the user's ticket cache file on logout.\"\n describe sshd_config do\n its('KerberosTicketCleanup') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 316
},
"id": "sshd-32",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration KerberosTicketCleanup should eq \"yes\"",
"run_time": 0.000718,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable GSSAPIAuthentication",
"desc": "If you do not use GSSAPI authentication then disable it.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-33' do\n impact 1.0\n title 'Server: Disable GSSAPIAuthentication'\n desc 'If you do not use GSSAPI authentication then disable it.'\n describe sshd_config do\n its('GSSAPIAuthentication') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 325
},
"id": "sshd-33",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration GSSAPIAuthentication should eq \"no\"",
"run_time": 0.000701,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Enable GSSAPICleanupCredentials",
"desc": "Automatically destroy the user's credentials cache on logout.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-34' do\n impact 1.0\n title 'Server: Enable GSSAPICleanupCredentials'\n desc \"Automatically destroy the user's credentials cache on logout.\"\n describe sshd_config do\n its('GSSAPICleanupCredentials') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 334
},
"id": "sshd-34",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration GSSAPICleanupCredentials should eq \"yes\"",
"run_time": 0.000769,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable TCPKeepAlive",
"desc": "Avoid the TCPKeepAlive messages to see if the client is still alive, because they are sent over unencrypted connection and are spoofable.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-35' do\n impact 1.0\n title 'Server: Disable TCPKeepAlive'\n desc 'Avoid the TCPKeepAlive messages to see if the client is still alive, because they are sent over unencrypted connection and are spoofable.'\n describe sshd_config do\n its('TCPKeepAlive') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 343
},
"id": "sshd-35",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration TCPKeepAlive should eq \"no\"",
"run_time": 0.000823,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Set a client alive interval",
"desc": "ClientAlive messages are sent over encrypted connection and are not spoofable.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-36' do\n impact 1.0\n title 'Server: Set a client alive interval'\n desc 'ClientAlive messages are sent over encrypted connection and are not spoofable.'\n describe sshd_config do\n its('ClientAliveInterval') { should eq('600') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 352
},
"id": "sshd-36",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration ClientAliveInterval should eq \"600\"",
"run_time": 0.0008,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"600\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Configure a few client alive counters",
"desc": "This indicates the total number of checkalive message sent by the ssh server without getting any response from the ssh client. ClientAlive messages are sent over encrypted connection and are not spoofable.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-37' do\n impact 1.0\n title 'Server: Configure a few client alive counters'\n desc 'This indicates the total number of checkalive message sent by the ssh server without getting any response from the ssh client. ClientAlive messages are sent over encrypted connection and are not spoofable.'\n describe sshd_config do\n its('ClientAliveCountMax') { should eq('3') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 361
},
"id": "sshd-37",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration ClientAliveCountMax should eq \"3\"",
"run_time": 0.000782,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"3\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable tunnels",
"desc": "Avoid to use tunnels.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-38' do\n impact 1.0\n title 'Server: Disable tunnels'\n desc 'Avoid to use tunnels.'\n describe sshd_config do\n its('PermitTunnel') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 370
},
"id": "sshd-38",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PermitTunnel should eq \"no\"",
"run_time": 0.000719,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable TCP forwarding",
"desc": "If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-39' do\n impact 1.0\n title 'Server: Disable TCP forwarding'\n desc 'If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls'\n describe sshd_config do\n its('AllowTcpForwarding') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 379
},
"id": "sshd-39",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration AllowTcpForwarding should eq \"no\"",
"run_time": 0.000673,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable Agent forwarding",
"desc": "Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-40' do\n impact 1.0\n title 'Server: Disable Agent forwarding'\n desc \"Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.\"\n describe sshd_config do\n its('AllowAgentForwarding') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 388
},
"id": "sshd-40",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration AllowAgentForwarding should eq \"no\"",
"run_time": 0.000677,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable gateway ports",
"desc": "Prevent remote hosts from connecting to forwarded ports on the node.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-41' do\n impact 1.0\n title 'Server: Disable gateway ports'\n desc 'Prevent remote hosts from connecting to forwarded ports on the node.'\n describe sshd_config do\n its('GatewayPorts') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 397
},
"id": "sshd-41",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration GatewayPorts should eq \"no\"",
"run_time": 0.000684,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable X11Forwarding",
"desc": "Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-42' do\n impact 1.0\n title 'Server: Disable X11Forwarding'\n desc 'Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.'\n describe sshd_config do\n its('X11Forwarding') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 406
},
"id": "sshd-42",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration X11Forwarding should eq \"no\"",
"run_time": 0.000789,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Enable X11UseLocalhost",
"desc": "SSH daemon should bind the X11 forwarding server to the loopback address. This prevents remote hosts from connecting to the proxy display and reduce the attack surface",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-43' do\n impact 1.0\n title 'Server: Enable X11UseLocalhost'\n desc 'SSH daemon should bind the X11 forwarding server to the loopback address. This prevents remote hosts from connecting to the proxy display and reduce the attack surface'\n describe sshd_config do\n its('X11UseLocalhost') { should eq('yes') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 415
},
"id": "sshd-43",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration X11UseLocalhost should eq \"yes\"",
"run_time": 0.000767,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Disable PrintMotd",
"desc": "This specifies that the SSH daemon itself should not read and display the message of the day file.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-44' do\n impact 1.0\n title 'Server: Disable PrintMotd'\n desc 'This specifies that the SSH daemon itself should not read and display the message of the day file.'\n describe sshd_config do\n its('PrintMotd') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 424
},
"id": "sshd-44",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PrintMotd should eq \"no\"",
"run_time": 0.000778,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: PrintLastLog",
"desc": "This tells the SSH daemon to print out information about the last time you logged in.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-45' do\n impact 1.0\n title 'Server: PrintLastLog'\n desc 'This tells the SSH daemon to print out information about the last time you logged in.'\n describe sshd_config do\n its('PrintLastLog') { should eq('no') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 433
},
"id": "sshd-45",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration PrintLastLog should eq \"no\"",
"run_time": 0.000835,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: Banner",
"desc": "Specifies a banner file to serve before authentication succeeds",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-46' do\n impact 1.0\n title 'Server: Banner'\n desc 'Specifies a banner file to serve before authentication succeeds'\n describe sshd_config do\n its('Banner') { should eq('none') }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 442
},
"id": "sshd-46",
"results": [
{
"status": "failed",
"code_desc": "SSHD Configuration Banner should eq \"none\"",
"run_time": 0.000833,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: \"none\"\n got: nil\n\n(compared using ==)\n"
}
]
},
{
"title": "Server: DebianBanner",
"desc": "Specifies whether to include OS distribution in version information",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-47' do\n impact 1.0\n title 'Server: DebianBanner'\n desc 'Specifies whether to include OS distribution in version information'\n case os[:family]\n when 'debian' then\n describe sshd_config do\n its('DebianBanner') { should eq('no') }\n end\n else\n describe file(sshd_config.path) do\n its('content') { should_not match(/DebianBanner/) }\n end\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 451
},
"id": "sshd-47",
"results": [
{
"status": "passed",
"code_desc": "File content should not match /DebianBanner/",
"run_time": 0.000169,
"start_time": "2017-07-05 14:08:06 +0200"
}
]
},
{
"title": "Server: DH primes",
"desc": "Verifies if strong DH primes are used in /etc/ssh/moduli",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'sshd-48' do\n impact 1.0\n title 'Server: DH primes'\n desc 'Verifies if strong DH primes are used in /etc/ssh/moduli'\n describe command(\"test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0\") do\n its('exit_status') { should eq 0 }\n its('stdout') { should eq '' }\n its('stderr') { should eq '' }\n end\nend\n",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 467
},
"id": "sshd-48",
"results": [
{
"status": "passed",
"code_desc": "Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 exit_status should eq 0",
"run_time": 0.035229,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stdout should eq \"\"",
"run_time": 0.000245,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stderr should eq \"\"",
"run_time": 0.001903,
"start_time": "2017-07-05 14:08:06 +0200"
}
]
}
],
"groups": [
{
"title": "SSH client config",
"controls": [
"ssh-01",
"ssh-02",
"ssh-03",
"ssh-04",
"ssh-05",
"ssh-06",
"ssh-07",
"ssh-08",
"ssh-09",
"ssh-10",
"ssh-11",
"ssh-12",
"ssh-13",
"ssh-14",
"ssh-15",
"ssh-16",
"ssh-17",
"ssh-18",
"ssh-19",
"ssh-20",
"ssh-21"
],
"id": "controls/ssh_spec.rb"
},
{
"title": "SSH server config",
"controls": [
"sshd-01",
"sshd-02",
"sshd-03",
"sshd-04",
"sshd-05",
"sshd-06",
"sshd-07",
"sshd-08",
"sshd-09",
"sshd-10",
"sshd-11",
"sshd-12",
"sshd-13",
"sshd-14",
"sshd-15",
"sshd-16",
"sshd-17",
"sshd-18",
"sshd-19",
"sshd-20",
"sshd-21",
"sshd-22",
"sshd-23",
"sshd-24",
"sshd-25",
"sshd-27",
"sshd-28",
"sshd-29",
"sshd-30",
"sshd-31",
"sshd-32",
"sshd-33",
"sshd-34",
"sshd-35",
"sshd-36",
"sshd-37",
"sshd-38",
"sshd-39",
"sshd-40",
"sshd-41",
"sshd-42",
"sshd-43",
"sshd-44",
"sshd-45",
"sshd-46",
"sshd-47",
"sshd-48"
],
"id": "controls/sshd_spec.rb"
}
],
"attributes": [],
"sha256": "3cd02faf99fcb75aefe3e3932498dbeadb668b056fa4a4c61455a6e920e5a17c"
},
{
"name": "apache-baseline",
"title": "DevSec Apache Baseline",
"maintainer": "DevSec Hardening Framework Team",
"copyright": "DevSec Hardening Framework Team",
"copyright_email": "[email protected]",
"license": "Apache-2.0",
"summary": "Test-suite for best-practice apache hardening",
"version": "2.0.2",
"supports": [
{
"os-family": "unix"
}
],
"controls": [
{
"title": "Apache should be running",
"desc": "Apache should be running.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-01' do\n impact 1.0\n title 'Apache should be running'\n desc 'Apache should be running.'\n describe service(apache.service) do\n it { should be_installed }\n it { should be_running }\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 29
},
"id": "apache-01",
"results": [
{
"status": "failed",
"code_desc": "Service httpd should be installed",
"run_time": 0.020782,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected that `Service httpd` is installed"
},
{
"status": "failed",
"code_desc": "Service httpd should be running",
"run_time": 0.01903,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected that `Service httpd` is running"
}
]
},
{
"title": "Apache should be enabled",
"desc": "Configure apache service to be automatically started at boot time",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-02' do\n impact 1.0\n title 'Apache should be enabled'\n desc 'Configure apache service to be automatically started at boot time'\n only_if { os[:family] != 'ubuntu' && os[:release] != '16.04' } || only_if { os[:family] != 'debian' && os[:release] != '8' }\n describe service(apache.service) do\n it { should be_enabled }\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 39
},
"id": "apache-02",
"results": [
{
"status": "failed",
"code_desc": "Service httpd should be enabled",
"run_time": 0.018694,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected that `Service httpd` is enabled"
}
]
},
{
"title": "Apache should start max. 1 root-task",
"desc": "The Apache service in its own non-privileged account. If the web server process runs with administrative privileges, an attack who obtains control over the apache process may control the entire system.",
"impact": 0.5,
"refs": [],
"tags": {},
"code": "control 'apache-03' do\n title 'Apache should start max. 1 root-task'\n desc 'The Apache service in its own non-privileged account. If the web server process runs with administrative privileges, an attack who obtains control over the apache process may control the entire system.'\n total_tasks = command(\"ps aux | grep #{apache.service} | grep -v grep | grep root | wc -l | tr -d [:space:]\").stdout.to_i\n describe total_tasks do\n it { should eq 1 }\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 49
},
"id": "apache-03",
"results": [
{
"status": "failed",
"code_desc": "0 should eq 1",
"run_time": 0.000301,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "\nexpected: 1\n got: 0\n\n(compared using ==)\n"
}
]
},
{
"title": "Check Apache config folder owner, group and permissions.",
"desc": "The Apache config folder should owned and grouped by root, be writable, readable and executable by owner. It should be readable, executable by group and not readable, not writeable by others.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-04' do\n impact 1.0\n title 'Check Apache config folder owner, group and permissions.'\n desc 'The Apache config folder should owned and grouped by root, be writable, readable and executable by owner. It should be readable, executable by group and not readable, not writeable by others.'\n describe file(apache.conf_dir) do\n it { should be_owned_by 'root' }\n it { should be_grouped_into 'root' }\n it { should be_readable.by('owner') }\n it { should be_writable.by('owner') }\n it { should be_executable.by('owner') }\n it { should be_readable.by('group') }\n it { should_not be_writable.by('group') }\n it { should be_executable.by('group') }\n it { should_not be_readable.by('others') }\n it { should_not be_writable.by('others') }\n it { should be_executable.by('others') }\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 58
},
"id": "apache-04",
"results": [
{
"status": "failed",
"code_desc": "File /etc/httpd/ should be owned by \"root\"",
"run_time": 0.000865,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected `File /etc/httpd/.owned_by?(\"root\")` to return true, got false"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/ should be grouped into \"root\"",
"run_time": 0.000263,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected `File /etc/httpd/.grouped_into?(\"root\")` to return true, got false"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/ should be readable by owner",
"run_time": 0.000692,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/ to be readable by owner"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/ should be writable by owner",
"run_time": 0.00022,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/ to be writable by owner"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/ should be executable by owner",
"run_time": 0.000676,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/ to be executable by owner"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/ should be readable by group",
"run_time": 0.000229,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/ to be readable by group"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/ should not be writable by group",
"run_time": 0.000191,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/ should be executable by group",
"run_time": 0.000214,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/ to be executable by group"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/ should not be readable by others",
"run_time": 0.000516,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/ should not be writable by others",
"run_time": 0.000139,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/ should be executable by others",
"run_time": 0.000213,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/ to be executable by others"
}
]
},
{
"title": "Check Apache config file owner, group and permissions.",
"desc": "The Apache config file should owned and grouped by root, only be writable and readable by owner and not write- and readable by others.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-05' do\n impact 1.0\n title 'Check Apache config file owner, group and permissions.'\n desc 'The Apache config file should owned and grouped by root, only be writable and readable by owner and not write- and readable by others.'\n describe file(apache.conf_path) do\n it { should be_owned_by 'root' }\n it { should be_grouped_into 'root' }\n it { should be_readable.by('owner') }\n it { should be_writable.by('owner') }\n it { should_not be_executable.by('owner') }\n it { should be_readable.by('group') }\n it { should_not be_writable.by('group') }\n it { should_not be_executable.by('group') }\n it { should_not be_readable.by('others') }\n it { should_not be_writable.by('others') }\n it { should_not be_executable.by('others') }\n end\n describe file(File.join(apache.conf_dir, '/conf-enabled/hardening.conf')) do\n it { should be_owned_by 'root' }\n it { should be_grouped_into 'root' }\n it { should be_readable.by('owner') }\n it { should be_writable.by('owner') }\n it { should_not be_executable.by('owner') }\n it { should be_readable.by('group') }\n it { should_not be_writable.by('group') }\n it { should_not be_executable.by('group') }\n it { should_not be_readable.by('others') }\n it { should_not be_writable.by('others') }\n it { should_not be_executable.by('others') }\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 77
},
"id": "apache-05",
"results": [
{
"status": "failed",
"code_desc": "File /etc/httpd/conf/httpd.conf should be owned by \"root\"",
"run_time": 0.00027,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected `File /etc/httpd/conf/httpd.conf.owned_by?(\"root\")` to return true, got false"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/conf/httpd.conf should be grouped into \"root\"",
"run_time": 0.00043,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected `File /etc/httpd/conf/httpd.conf.grouped_into?(\"root\")` to return true, got false"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/conf/httpd.conf should be readable by owner",
"run_time": 0.000236,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/conf/httpd.conf to be readable by owner"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/conf/httpd.conf should be writable by owner",
"run_time": 0.000418,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/conf/httpd.conf to be writable by owner"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf/httpd.conf should not be executable by owner",
"run_time": 0.000163,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/conf/httpd.conf should be readable by group",
"run_time": 0.00022,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/conf/httpd.conf to be readable by group"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf/httpd.conf should not be writable by group",
"run_time": 0.000214,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf/httpd.conf should not be executable by group",
"run_time": 0.000167,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf/httpd.conf should not be readable by others",
"run_time": 0.000417,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf/httpd.conf should not be writable by others",
"run_time": 0.000175,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf/httpd.conf should not be executable by others",
"run_time": 0.000147,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should be owned by \"root\"",
"run_time": 0.000289,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected `File /etc/httpd/conf-enabled/hardening.conf.owned_by?(\"root\")` to return true, got false"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should be grouped into \"root\"",
"run_time": 0.000197,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected `File /etc/httpd/conf-enabled/hardening.conf.grouped_into?(\"root\")` to return true, got false"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should be readable by owner",
"run_time": 0.000254,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/conf-enabled/hardening.conf to be readable by owner"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should be writable by owner",
"run_time": 0.000194,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/conf-enabled/hardening.conf to be writable by owner"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should not be executable by owner",
"run_time": 0.000194,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "failed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should be readable by group",
"run_time": 0.000226,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected File /etc/httpd/conf-enabled/hardening.conf to be readable by group"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should not be writable by group",
"run_time": 0.000388,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should not be executable by group",
"run_time": 0.000157,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should not be readable by others",
"run_time": 0.000385,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should not be writable by others",
"run_time": 0.00022,
"start_time": "2017-07-05 14:08:06 +0200"
},
{
"status": "passed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf should not be executable by others",
"run_time": 0.000164,
"start_time": "2017-07-05 14:08:06 +0200"
}
]
},
{
"title": "User and group should be set properly",
"desc": "For security reasons it is recommended to run Apache in its own non-privileged account.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-06' do\n impact 1.0\n title 'User and group should be set properly'\n desc 'For security reasons it is recommended to run Apache in its own non-privileged account.'\n describe apache_conf do\n its('User') { should eq [apache.user] }\n its('Group') { should eq [apache.user] }\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 109
},
"id": "apache-06",
"results": [
{
"status": "skipped",
"code_desc": "Apache Config /etc/httpd/conf/httpd.conf",
"skip_message": "Can't find file \"/etc/httpd/conf/httpd.conf\"",
"resource": "Apache Config /etc/httpd/conf/httpd.conf",
"run_time": 0.000024,
"start_time": "2017-07-05 14:08:06 +0200"
}
]
},
{
"title": "Set the apache server token",
"desc": "'ServerTokens Prod' tells Apache to return only Apache as product in the server response header on the every page request",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-07' do\n impact 1.0\n title 'Set the apache server token'\n desc '\\'ServerTokens Prod\\' tells Apache to return only Apache as product in the server response header on the every page request'\n\n describe file(File.join(apache.conf_dir, '/conf-enabled/security.conf')) do\n its('content') { should match(/^ServerTokens Prod/) }\n end\n\n # open bug https://github.com/chef/inspec/issues/786, if the bug solved use this test\n # describe apache_conf do\n # its('ServerTokens') { should eq 'Prod' }\n # end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 119
},
"id": "apache-07",
"results": [
{
"status": "failed",
"code_desc": "File /etc/httpd/conf-enabled/security.conf content should match /^ServerTokens Prod/",
"run_time": 0.000254,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /^ServerTokens Prod/"
}
]
},
{
"title": "Should not load certain modules",
"desc": "Apache HTTP should not load legacy modules",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-08' do\n impact 1.0\n title 'Should not load certain modules'\n desc 'Apache HTTP should not load legacy modules'\n\n module_path = File.join(apache.conf_dir, '/mods-enabled/')\n loaded_modules = command('ls ' << module_path).stdout.split.keep_if { |file_name| /.load/.match(file_name) }\n\n loaded_modules.each do |id|\n describe file(File.join(module_path, id)) do\n its('content') { should_not match(/^\\s*?LoadModule\\s+?dav_module/) }\n its('content') { should_not match(/^\\s*?LoadModule\\s+?cgid_module/) }\n its('content') { should_not match(/^\\s*?LoadModule\\s+?cgi_module/) }\n its('content') { should_not match(/^\\s*?LoadModule\\s+?include_module/) }\n end\n end\n\n # open bug https://github.com/chef/inspec/issues/786, if the bug solved use this test\n # describe apache_conf do\n # its('LoadModule') { should_not eq 'dav_module' }\n # its('LoadModule') { should_not eq 'cgid_module' }\n # its('LoadModule') { should_not eq 'cgi_module' }\n # its('LoadModule') { should_not eq 'include_module' }\n # its('content') { should_not match(/^\\s*?LoadModule\\s+?dav_module/) }\n # its('content') { should_not match(/^\\s*?LoadModule\\s+?cgid_module/) }\n # its('content') { should_not match(/^\\s*?LoadModule\\s+?cgi_module/) }\n # its('content') { should_not match(/^\\s*?LoadModule\\s+?include_module/) }\n # end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 134
},
"id": "apache-08"
},
{
"title": "Disable TRACE-methods",
"desc": "The web server doesn’t allow TRACE request and help in blocking Cross Site Tracing attack.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-09' do\n impact 1.0\n title 'Disable TRACE-methods'\n desc 'The web server doesn’t allow TRACE request and help in blocking Cross Site Tracing attack.'\n\n describe file(File.join(apache.conf_dir, '/conf-enabled/security.conf')) do\n its('content') { should match(/^\\s*?TraceEnable\\s+?Off/) }\n end\n\n # open bug https://github.com/chef/inspec/issues/786, if the bug solved use this test\n # describe apache_conf do\n # its('TraceEnable') { should eq 'Off' }\n # end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 164
},
"id": "apache-09",
"results": [
{
"status": "failed",
"code_desc": "File /etc/httpd/conf-enabled/security.conf content should match /^\\s*?TraceEnable\\s+?Off/",
"run_time": 0.00044,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /^\\s*?TraceEnable\\s+?Off/"
}
]
},
{
"title": "Disable insecure HTTP-methods",
"desc": "Disable insecure HTTP-methods and allow only necessary methods.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-10' do\n impact 1.0\n title 'Disable insecure HTTP-methods'\n desc 'Disable insecure HTTP-methods and allow only necessary methods.'\n\n describe file(File.join(apache.conf_dir, '/conf-enabled/hardening.conf')) do\n its('content') { should match(/^\\s*?<LimitExcept\\s+?GET\\s+?POST>/) }\n end\n\n # open bug https://github.com/chef/inspec/issues/786, if the bug solved use this test\n # describe apache_conf do\n # its('LimitExcept') { should eq ['GET','POST'] }\n # end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 179
},
"id": "apache-10",
"results": [
{
"status": "failed",
"code_desc": "File /etc/httpd/conf-enabled/hardening.conf content should match /^\\s*?<LimitExcept\\s+?GET\\s+?POST>/",
"run_time": 0.000285,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /^\\s*?<LimitExcept\\s+?GET\\s+?POST>/"
}
]
},
{
"title": "Disable Apache’s follows Symbolic Links for directories in alias.conf",
"desc": "Should include -FollowSymLinks or +SymLinksIfOwnerMatch for directories in alias.conf",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-11' do\n impact 1.0\n title 'Disable Apache’s follows Symbolic Links for directories in alias.conf'\n desc 'Should include -FollowSymLinks or +SymLinksIfOwnerMatch for directories in alias.conf'\n\n describe file(File.join(apache.conf_dir, '/mods-enabled/alias.conf')) do\n its('content') { should match(/-FollowSymLinks/).or match(/\\+SymLinksIfOwnerMatch/) }\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 194
},
"id": "apache-11",
"results": [
{
"status": "failed",
"code_desc": "File /etc/httpd/mods-enabled/alias.conf content should match /-FollowSymLinks/ or match /\\+SymLinksIfOwnerMatch/",
"run_time": 0.003358,
"start_time": "2017-07-05 14:08:06 +0200",
"message": " expected nil to match /-FollowSymLinks/\n\n...or:\n\n expected nil to match /\\+SymLinksIfOwnerMatch/"
}
]
},
{
"title": "Disable Directory Listing for directories in alias.conf",
"desc": "Should include -Indexes for directories in alias.conf",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-12' do\n impact 1.0\n title 'Disable Directory Listing for directories in alias.conf'\n desc 'Should include -Indexes for directories in alias.conf'\n\n describe file(File.join(apache.conf_dir, '/mods-enabled/alias.conf')) do\n its('content') { should match(/-Indexes/) }\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 204
},
"id": "apache-12",
"results": [
{
"status": "failed",
"code_desc": "File /etc/httpd/mods-enabled/alias.conf content should match /-Indexes/",
"run_time": 0.000439,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /-Indexes/"
}
]
},
{
"title": "SSL honor cipher order",
"desc": "When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used. If this directive is enabled, the server's preference will be used instead.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-13' do\n impact 1.0\n title 'SSL honor cipher order'\n desc 'When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client\\'s preference is used. If this directive is enabled, the server\\'s preference will be used instead.'\n\n describe file(File.join(apache.conf_dir, '/mods-enabled/ssl.conf')) do\n its('content') { should match(/^\\s*?SSLHonorCipherOrder\\s+?On/i) }\n end\n\n sites_enabled_path = File.join(apache.conf_dir, '/sites-enabled/')\n loaded_sites = command('ls ' << sites_enabled_path).stdout.split.keep_if { |file_name| /.conf/.match(file_name) }\n\n loaded_sites.each do |id|\n virtual_host = file(File.join(sites_enabled_path, id)).content.gsub(/#.*$/, '').scan(%r{<virtualhost.*443(.*?)<\\/virtualhost>}im).flatten\n next if virtual_host.empty?\n describe virtual_host do\n it { should include(/^\\s*?SSLHonorCipherOrder\\s+?On/i) }\n end\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 214
},
"id": "apache-13",
"results": [
{
"status": "failed",
"code_desc": "File /etc/httpd/mods-enabled/ssl.conf content should match /^\\s*?SSLHonorCipherOrder\\s+?On/i",
"run_time": 0.000194,
"start_time": "2017-07-05 14:08:06 +0200",
"message": "expected nil to match /^\\s*?SSLHonorCipherOrder\\s+?On/i"
}
]
},
{
"title": "Enable Apache Logging",
"desc": "Apache allows you to logging independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the commands entered by users that have interacted with your Web server.",
"impact": 1,
"refs": [],
"tags": {},
"code": "control 'apache-14' do\n impact 1.0\n title 'Enable Apache Logging'\n desc 'Apache allows you to logging independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the commands entered by users that have interacted with your Web server.'\n\n sites_enabled_path = File.join(apache.conf_dir, '/sites-enabled/')\n loaded_sites = command('ls ' << sites_enabled_path).stdout.split.keep_if { |file_name| /.conf/.match(file_name) }\n\n loaded_sites.each do |id|\n describe file(File.join(sites_enabled_path, id)).content.gsub(/#.*$/, '').scan(%r{<virtualhost(.*?)<\\/virtualhost>}im).flatten do\n it { should include(/CustomLog.*$/i) }\n end\n end\nend\n",
"source_location": {
"ref": "apache-baseline-master/controls/apache_spec.rb",
"line": 235
},
"id": "apache-14"
}
],
"groups": [
{
"title": "Apache server config",
"controls": [
"apache-01",
"apache-02",
"apache-03",
"apache-04",
"apache-05",
"apache-06",
"apache-07",
"apache-08",
"apache-09",
"apache-10",
"apache-11",
"apache-12",
"apache-13",
"apache-14"
],
"id": "controls/apache_spec.rb"
}
],
"attributes": [],
"sha256": "678ce3873016a080288af9e22593269c5c7d294f766ccb4b2516ef8d80d4f10d"
}
],
"platform": {
"name": "mac_os_x",
"release": "10.12.5"
},
"statistics": {
"duration": 0.348947
},
"node_uuid": "1234abcd-c628-4f82-86df-61c43866db6a",
"report_uuid": "5678abcd-36d6-439e-ac70-a41504242605",
"job_uuid": "6789abcd-36d6-439e-ac70-a41504242605",
"node_name": "My Uncompliant Node",
"environment": "DevSec Prod Alpha",
"roles": ["base_linux", "apache_linux", "linux-hardening-prod", "dot.role"],
"recipes": ["apache_extras", "apache_extras::harden", "java::default", "nagios::fix"],
"end_time": "2017-04-03T10:18:41+01:00"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment