Skip to content

Instantly share code, notes, and snippets.

@vjeffrey

vjeffrey/gist:f175887c75f6812560cd8bad6c0bfe01

Last active February 27, 2017 21:14
Show Gist options
  • Save vjeffrey/f175887c75f6812560cd8bad6c0bfe01 to your computer and use it in GitHub Desktop.
Save vjeffrey/f175887c75f6812560cd8bad6c0bfe01 to your computer and use it in GitHub Desktop.
Download ZIP
automate-compliance-reporting
Raw
gistfile1.txt
UX Designs: https://chef.invisionapp.com/d/main#/console/10153068/217133467/preview
Last spike that determined what data UI needs: https://github.com/chef/chef-compliance/issues/1037
inspec exec https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip -i .vagrant/machines/default/virtualbox/private_key -t ssh://[email protected] --format json
runs https://github.com/dev-sec/ssh-baseline (name i used above is old name) profile against my vm and results are:
(scroll down to about line 570 to see where the full profiles results are, starting with the metadata (inspec.yml) of the profile and then each control's info, which includes id, impast, tags, etc and a results array with the result of each test included inside that control)
{
"version": "1.11.0",
"controls": [{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should exist",
"run_time": 0.004112,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be file",
"run_time": 0.005094,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be owned by \"root\"",
"run_time": 0.000152,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be grouped into \"root\"",
"run_time": 9.2e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should not be executable",
"run_time": 0.000117,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be readable by owner",
"run_time": 7.6e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be readable by group",
"run_time": 8.4e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be readable by other",
"run_time": 6.5e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be writable by owner",
"run_time": 9.3e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should not be writable by group",
"run_time": 6.9e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should not be writable by other",
"run_time": 6.7e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "failed",
"code_desc": "SSH Configuration AddressFamily should match /inet|inet6|any/",
"run_time": 0.014197,
"start_time": "2017-02-27 12:06:12 -0700",
"message": "expected nil to match /inet|inet6|any/"
}, {
"status": "failed",
"code_desc": "SSH Configuration Port should eq \"22\"",
"run_time": 0.000976,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"22\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration Protocol should eq \"2\"",
"run_time": 0.00035,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration BatchMode should eq \"no\"",
"run_time": 0.000283,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration CheckHostIP should eq \"yes\"",
"run_time": 0.000313,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration StrictHostKeyChecking should match /ask|yes/",
"run_time": 0.000322,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected nil to match /ask|yes/"
}, {
"status": "failed",
"code_desc": "SSH Configuration Ciphers should eq \"aes256-ctr,aes192-ctr,aes128-ctr\"",
"run_time": 0.000302,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"aes256-ctr,aes192-ctr,aes128-ctr\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration KexAlgorithms should eq \"diffie-hellman-group-exchange-sha256\"",
"run_time": 0.000308,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"diffie-hellman-group-exchange-sha256\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration MACs should eq \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"",
"run_time": 0.000296,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration ForwardAgent should eq \"no\"",
"run_time": 0.000267,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration ForwardX11 should eq \"no\"",
"run_time": 0.000281,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration HostbasedAuthentication should eq \"no\"",
"run_time": 0.0003,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration RhostsRSAAuthentication should eq \"no\"",
"run_time": 0.000303,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration RSAAuthentication should eq \"yes\"",
"run_time": 0.000274,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration PasswordAuthentication should eq \"no\"",
"run_time": 0.000616,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration GSSAPIAuthentication should eq \"no\"",
"run_time": 0.000712,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"
}, {
"status": "passed",
"code_desc": "SSH Configuration GSSAPIDelegateCredentials should eq \"no\"",
"run_time": 0.000374,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "SSH Configuration Tunnel should eq \"no\"",
"run_time": 0.00031,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration PermitLocalCommand should eq \"no\"",
"run_time": 0.000348,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration UseRoaming should eq \"no\"",
"run_time": 0.000304,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration Ciphers should eq \"aes256-ctr,aes192-ctr,aes128-ctr\"",
"run_time": 0.007864,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"aes256-ctr,aes192-ctr,aes128-ctr\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration KexAlgorithms should eq \"diffie-hellman-group-exchange-sha256\"",
"run_time": 0.000465,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"diffie-hellman-group-exchange-sha256\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration MACs should eq \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"",
"run_time": 0.000502,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should exist",
"run_time": 0.002463,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be directory",
"run_time": 0.00307,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be owned by \"root\"",
"run_time": 9.7e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be grouped into \"root\"",
"run_time": 8.1e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be executable",
"run_time": 9.4e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be readable by owner",
"run_time": 7.1e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be readable by group",
"run_time": 9.3e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be readable by other",
"run_time": 6.4e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be writable by owner",
"run_time": 6.4e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should not be writable by group",
"run_time": 7.7e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should not be writable by other",
"run_time": 6.4e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should exist",
"run_time": 0.002415,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be file",
"run_time": 0.000119,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be owned by \"root\"",
"run_time": 8.2e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be grouped into \"root\"",
"run_time": 0.000116,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be executable",
"run_time": 8.3e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be readable by owner",
"run_time": 7.3e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "File /etc/ssh/sshd_config should not be readable by group",
"run_time": 0.000133,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected File /etc/ssh/sshd_config not to be readable by group"
}, {
"status": "failed",
"code_desc": "File /etc/ssh/sshd_config should not be readable by other",
"run_time": 0.000131,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected File /etc/ssh/sshd_config not to be readable by other"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be writable by owner",
"run_time": 8.2e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be writable by group",
"run_time": 7.1e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be writable by other",
"run_time": 7.0e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "SSH Configuration PermitRootLogin should match /no|without-password/",
"run_time": 0.000747,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected \"yes\" to match /no|without-password/\nDiff:\n@@ -1,2 +1,2 @@\n-/no|without-password/\n+\"yes\"\n"
}, {
"status": "passed",
"code_desc": "SSH Configuration Port should eq \"22\"",
"run_time": 0.000385,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "SSH Configuration AddressFamily should match /inet|inet6|any/",
"run_time": 0.000412,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected nil to match /inet|inet6|any/"
}, {
"status": "failed",
"code_desc": "SSH Configuration ListenAddress should match /.*/",
"run_time": 0.000373,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected nil to match /.*/"
}, {
"status": "passed",
"code_desc": "SSH Configuration Protocol should eq \"2\"",
"run_time": 0.000451,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "SSH Configuration StrictModes should eq \"yes\"",
"run_time": 0.000356,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "SSH Configuration SyslogFacility should eq \"AUTH\"",
"run_time": 0.000357,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "SSH Configuration LogLevel should eq \"VERBOSE\"",
"run_time": 0.000405,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"VERBOSE\"\n got: \"INFO\"\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration HostKey should cmp == \"/etc/ssh/ssh_host_rsa_key\"",
"run_time": 0.000494,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"/etc/ssh/ssh_host_rsa_key\"\n got: [\"/etc/ssh/ssh_host_rsa_key\", \"/etc/ssh/ssh_host_dsa_key\", \"/etc/ssh/ssh_host_ecdsa_key\"]\n\n(compared using `cmp` matcher)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration UseLogin should eq \"no\"",
"run_time": 0.000424,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration UsePrivilegeSeparation should eq \"sandbox\"",
"run_time": 0.000428,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"sandbox\"\n got: \"yes\"\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration PermitUserEnvironment should eq \"no\"",
"run_time": 0.000414,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration LoginGraceTime should eq \"30s\"",
"run_time": 0.000374,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"30s\"\n got: \"120\"\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration MaxAuthTries should eq \"2\"",
"run_time": 0.000396,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration MaxSessions should eq \"10\"",
"run_time": 0.000423,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"10\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration MaxStartups should eq \"10:30:100\"",
"run_time": 0.000418,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"10:30:100\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "passed",
"code_desc": "SSH Configuration PubkeyAuthentication should eq \"yes\"",
"run_time": 0.000455,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "SSH Configuration IgnoreRhosts should eq \"yes\"",
"run_time": 0.000358,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "SSH Configuration IgnoreUserKnownHosts should eq \"yes\"",
"run_time": 0.000422,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "passed",
"code_desc": "SSH Configuration HostbasedAuthentication should eq \"no\"",
"run_time": 0.00041,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "SSH Configuration PasswordAuthentication should eq \"no\"",
"run_time": 0.000443,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "passed",
"code_desc": "SSH Configuration PermitEmptyPasswords should eq \"no\"",
"run_time": 0.000372,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "SSH Configuration ChallengeResponseAuthentication should eq \"no\"",
"run_time": 0.000374,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "SSH Configuration KerberosAuthentication should eq \"no\"",
"run_time": 0.00046,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration KerberosOrLocalPasswd should eq \"no\"",
"run_time": 0.00046,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration KerberosTicketCleanup should eq \"yes\"",
"run_time": 0.000421,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration GSSAPIAuthentication should eq \"no\"",
"run_time": 0.000421,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration GSSAPICleanupCredentials should eq \"yes\"",
"run_time": 0.000394,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration TCPKeepAlive should eq \"no\"",
"run_time": 0.000453,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration ClientAliveInterval should eq \"600\"",
"run_time": 0.000432,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"600\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration ClientAliveCountMax should eq \"3\"",
"run_time": 0.000434,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"3\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration PermitTunnel should eq \"no\"",
"run_time": 0.000448,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration AllowTcpForwarding should eq \"no\"",
"run_time": 0.000484,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration AllowAgentForwarding should eq \"no\"",
"run_time": 0.000396,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration GatewayPorts should eq \"no\"",
"run_time": 0.000435,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration X11Forwarding should eq \"no\"",
"run_time": 0.000506,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration X11UseLocalhost should eq \"yes\"",
"run_time": 0.00054,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "passed",
"code_desc": "SSH Configuration PrintMotd should eq \"no\"",
"run_time": 0.00046,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "SSH Configuration PrintLastLog should eq \"no\"",
"run_time": 0.000481,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration Banner should eq \"none\"",
"run_time": 0.000496,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"none\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "SSH Configuration DebianBanner should eq \"no\"",
"run_time": 0.000422,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}, {
"status": "failed",
"code_desc": "Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 exit_status should eq 0",
"run_time": 0.008054,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: 0\n got: 1\n\n(compared using ==)\n"
}, {
"status": "passed",
"code_desc": "Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stdout should eq \"\"",
"run_time": 0.000112,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stderr should eq \"\"",
"run_time": 7.2e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}],
"other_checks": [],
"profiles": [{
"name": "ssh-baseline",
"title": "DevSec SSH Baseline",
"maintainer": "Hardening Framework Team",
"copyright": "Hardening Framework Team",
"copyright_email": "[email protected]",
"license": "Apache 2 license",
"summary": "Test-suite for best-practice SSH hardening",
"version": "2.1.1",
"supports": [{
"os-family": "unix"
}],
"controls": [{
"title": "client: Check ssh_config owner, group and permissions.",
"desc": "The ssh_config should owned by root, only be writable by owner and readable to all.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 25
},
"id": "ssh-01",
"results": [{
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should exist",
"run_time": 0.004112,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be file",
"run_time": 0.005094,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be owned by \"root\"",
"run_time": 0.000152,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be grouped into \"root\"",
"run_time": 9.2e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should not be executable",
"run_time": 0.000117,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be readable by owner",
"run_time": 7.6e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be readable by group",
"run_time": 8.4e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be readable by other",
"run_time": 6.5e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should be writable by owner",
"run_time": 9.3e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should not be writable by group",
"run_time": 6.9e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/ssh_config should not be writable by other",
"run_time": 6.7e-05,
"start_time": "2017-02-27 12:06:12 -0700"
}]
}, {
"title": "Client: Specify the AddressFamily to your need",
"desc": "OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 45
},
"id": "ssh-02",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration AddressFamily should match /inet|inet6|any/",
"run_time": 0.014197,
"start_time": "2017-02-27 12:06:12 -0700",
"message": "expected nil to match /inet|inet6|any/"
}]
}, {
"title": "Client: Specify expected ssh port",
"desc": "Always specify which port the SSH client should connect. Prevent unexpected settings.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 54
},
"id": "ssh-03",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration Port should eq \"22\"",
"run_time": 0.000976,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"22\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Specify protocol version 2",
"desc": "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 63
},
"id": "ssh-04",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration Protocol should eq \"2\"",
"run_time": 0.00035,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Disable batch mode",
"desc": "Avoid batch mode in the default configuration.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 72
},
"id": "ssh-05",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration BatchMode should eq \"no\"",
"run_time": 0.000283,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Check Host IPs",
"desc": "Make sure that SSH checks the host IP address in the known_hosts file, to avoid DNS spoofing effects.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 81
},
"id": "ssh-06",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration CheckHostIP should eq \"yes\"",
"run_time": 0.000313,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Ask when checking host keys",
"desc": "Don't automatically add new hosts keys to the list of known hosts.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 90
},
"id": "ssh-07",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration StrictHostKeyChecking should match /ask|yes/",
"run_time": 0.000322,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected nil to match /ask|yes/"
}]
}, {
"title": "Client: Check for secure ssh ciphers",
"desc": "Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 99
},
"id": "ssh-08",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration Ciphers should eq \"aes256-ctr,aes192-ctr,aes128-ctr\"",
"run_time": 0.000302,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"aes256-ctr,aes192-ctr,aes128-ctr\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Check for secure ssh Key-Exchange Algorithm",
"desc": "Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 108
},
"id": "ssh-09",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration KexAlgorithms should eq \"diffie-hellman-group-exchange-sha256\"",
"run_time": 0.000308,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"diffie-hellman-group-exchange-sha256\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Check for secure ssh Message Authentication Codes",
"desc": "Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 117
},
"id": "ssh-10",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration MACs should eq \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"",
"run_time": 0.000296,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Disable agent forwarding",
"desc": "Prevent agent forwarding by default, as it can be used in a limited way to enable attacks.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 126
},
"id": "ssh-11",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration ForwardAgent should eq \"no\"",
"run_time": 0.000267,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Disable X11Forwarding",
"desc": "Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 135
},
"id": "ssh-12",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration ForwardX11 should eq \"no\"",
"run_time": 0.000281,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Disable HostbasedAuthentication",
"desc": "This option is a weak way for authentication and provide attacker more ways to enter the system.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 144
},
"id": "ssh-13",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration HostbasedAuthentication should eq \"no\"",
"run_time": 0.0003,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Disable rhosts-based authentication",
"desc": "Avoid rhosts-based authentication, as it opens more ways for an attacker to enter a system.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 153
},
"id": "ssh-14",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration RhostsRSAAuthentication should eq \"no\"",
"run_time": 0.000303,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Enable RSA authentication",
"desc": "Make sure RSA authentication is used by default.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 162
},
"id": "ssh-15",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration RSAAuthentication should eq \"yes\"",
"run_time": 0.000274,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Disable password-based authentication",
"desc": "Avoid password-based authentications.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 171
},
"id": "ssh-16",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration PasswordAuthentication should eq \"no\"",
"run_time": 0.000616,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Disable GSSAPIAuthentication",
"desc": "If you do not use GSSAPI authentication then disable it.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 180
},
"id": "ssh-17",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration GSSAPIAuthentication should eq \"no\"",
"run_time": 0.000712,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Disable GSSAPIDelegateCredentials",
"desc": "If you do not use GSSAPI authentication then disable it.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 189
},
"id": "ssh-18",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration GSSAPIDelegateCredentials should eq \"no\"",
"run_time": 0.000374,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Client: Disable tunnels",
"desc": "Avoid using SSH tunnels.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 198
},
"id": "ssh-19",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration Tunnel should eq \"no\"",
"run_time": 0.00031,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Do not permit local commands",
"desc": "Do not permit any local command execution.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 207
},
"id": "ssh-20",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration PermitLocalCommand should eq \"no\"",
"run_time": 0.000348,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Client: Do not allow Roaming",
"desc": "Workaround for SSH Client Bug CVE-2016-0777 and CVE-2016-0778",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/ssh_spec.rb",
"line": 216
},
"id": "ssh-21",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration UseRoaming should eq \"no\"",
"run_time": 0.000304,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Check for secure ssh ciphers",
"desc": "Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 25
},
"id": "sshd-01",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration Ciphers should eq \"aes256-ctr,aes192-ctr,aes128-ctr\"",
"run_time": 0.007864,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"aes256-ctr,aes192-ctr,aes128-ctr\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Check for secure ssh Key-Exchange Algorithm",
"desc": "Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 34
},
"id": "sshd-02",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration KexAlgorithms should eq \"diffie-hellman-group-exchange-sha256\"",
"run_time": 0.000465,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"diffie-hellman-group-exchange-sha256\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Check for secure ssh Message Authentication Codes",
"desc": "Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 43
},
"id": "sshd-03",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration MACs should eq \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"",
"run_time": 0.000502,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"hmac-sha2-512,hmac-sha2-256,hmac-ripemd160\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Check SSH folder owner, group and permissions.",
"desc": "The SSH folder should owned by root, only be writable by owner and readable by others.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 52
},
"id": "sshd-04",
"results": [{
"status": "passed",
"code_desc": "File /etc/ssh should exist",
"run_time": 0.002463,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be directory",
"run_time": 0.00307,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be owned by \"root\"",
"run_time": 9.7e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be grouped into \"root\"",
"run_time": 8.1e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be executable",
"run_time": 9.4e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be readable by owner",
"run_time": 7.1e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be readable by group",
"run_time": 9.3e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be readable by other",
"run_time": 6.4e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should be writable by owner",
"run_time": 6.4e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should not be writable by group",
"run_time": 7.7e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh should not be writable by other",
"run_time": 6.4e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Check sshd_config owner, group and permissions.",
"desc": "The sshd_config should owned by root, only be writable/readable by owner and not be executable.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 71
},
"id": "sshd-05",
"results": [{
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should exist",
"run_time": 0.002415,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be file",
"run_time": 0.000119,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be owned by \"root\"",
"run_time": 8.2e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be grouped into \"root\"",
"run_time": 0.000116,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be executable",
"run_time": 8.3e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be readable by owner",
"run_time": 7.3e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "failed",
"code_desc": "File /etc/ssh/sshd_config should not be readable by group",
"run_time": 0.000133,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected File /etc/ssh/sshd_config not to be readable by group"
}, {
"status": "failed",
"code_desc": "File /etc/ssh/sshd_config should not be readable by other",
"run_time": 0.000131,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected File /etc/ssh/sshd_config not to be readable by other"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should be writable by owner",
"run_time": 8.2e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be writable by group",
"run_time": 7.1e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "File /etc/ssh/sshd_config should not be writable by other",
"run_time": 7.0e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication",
"desc": "Reduce the potential risk to gain full privileges access of the system because of weak password and keyboard-interactive authentication, do not allow logging in as the root user or with password authentication.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 91
},
"id": "sshd-06",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration PermitRootLogin should match /no|without-password/",
"run_time": 0.000747,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected \"yes\" to match /no|without-password/\nDiff:\n@@ -1,2 +1,2 @@\n-/no|without-password/\n+\"yes\"\n"
}]
}, {
"title": "Server: Specify the listen ssh Port",
"desc": "Always specify which port the SSH server should listen to. Prevent unexpected settings.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 100
},
"id": "sshd-07",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration Port should eq \"22\"",
"run_time": 0.000385,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Specify the AddressFamily to your need",
"desc": "OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 109
},
"id": "sshd-08",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration AddressFamily should match /inet|inet6|any/",
"run_time": 0.000412,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected nil to match /inet|inet6|any/"
}]
}, {
"title": "Server: Specify ListenAddress",
"desc": "Limit the SSH server to listen to a specific address. Don't let it listen on all interfaces to avoid logins from unexpected sources.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 118
},
"id": "sshd-09",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration ListenAddress should match /.*/",
"run_time": 0.000373,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "expected nil to match /.*/"
}]
}, {
"title": "Server: Specify protocol version 2",
"desc": "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 127
},
"id": "sshd-10",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration Protocol should eq \"2\"",
"run_time": 0.000451,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Enable StrictModes",
"desc": "Prevent the use of insecure home directory and key file permissions.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 136
},
"id": "sshd-11",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration StrictModes should eq \"yes\"",
"run_time": 0.000356,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Specify SyslogFacility to AUTH",
"desc": "Logging should be set to go to the /var/log/auth.log facility by using the SysLog AUTH parameter. This will ensure that any problems around invalid logins or the like are forwarded to a central security file for auditing purposes",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 145
},
"id": "sshd-12",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration SyslogFacility should eq \"AUTH\"",
"run_time": 0.000357,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Specify LogLevel to VERBOSE",
"desc": "Be verbose in logging, to allow analysis in case of unexpected behavior.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 154
},
"id": "sshd-13",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration LogLevel should eq \"VERBOSE\"",
"run_time": 0.000405,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"VERBOSE\"\n got: \"INFO\"\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Specify SSH HostKeys",
"desc": "Specify HostKey for protection against Man-In-The-Middle Attacks",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 163
},
"id": "sshd-14",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration HostKey should cmp == \"/etc/ssh/ssh_host_rsa_key\"",
"run_time": 0.000494,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"/etc/ssh/ssh_host_rsa_key\"\n got: [\"/etc/ssh/ssh_host_rsa_key\", \"/etc/ssh/ssh_host_dsa_key\", \"/etc/ssh/ssh_host_ecdsa_key\"]\n\n(compared using `cmp` matcher)\n"
}]
}, {
"title": "Server: Specify UseLogin to NO",
"desc": "Disable legacy login mechanism and do not use login for interactive login sessions.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 172
},
"id": "sshd-15",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration UseLogin should eq \"no\"",
"run_time": 0.000424,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Use privilege separation",
"desc": "UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 181
},
"id": "sshd-16",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration UsePrivilegeSeparation should eq \"sandbox\"",
"run_time": 0.000428,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"sandbox\"\n got: \"yes\"\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable PermitUserEnvironment",
"desc": "Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 190
},
"id": "sshd-17",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration PermitUserEnvironment should eq \"no\"",
"run_time": 0.000414,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Specify LoginGraceTime",
"desc": "The LoginGraceTime gives the user 30 seconds to accomplish a login. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 199
},
"id": "sshd-18",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration LoginGraceTime should eq \"30s\"",
"run_time": 0.000374,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"30s\"\n got: \"120\"\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Specify Limit for maximum authentication retries",
"desc": "MaxAuthTries limits the user to three wrong attempts before the login attempt is denied. This avoid resource starvation attacks.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 208
},
"id": "sshd-19",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration MaxAuthTries should eq \"2\"",
"run_time": 0.000396,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Specify maximum sessions",
"desc": "Specifies the maximum number of open sessions permitted per network connection. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 217
},
"id": "sshd-20",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration MaxSessions should eq \"10\"",
"run_time": 0.000423,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"10\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Specify maximum startups",
"desc": "Limit the number of concurrent unauthenticated sessions to prevent Denial of Service (DoS) against a running SSH daemon.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 226
},
"id": "sshd-21",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration MaxStartups should eq \"10:30:100\"",
"run_time": 0.000418,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"10:30:100\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Enable PubkeyAuthentication",
"desc": "Prefer public key authentication mechanisms, because other methods are weaker (e.g. passwords).",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 235
},
"id": "sshd-22",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration PubkeyAuthentication should eq \"yes\"",
"run_time": 0.000455,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Disable IgnoreRhosts",
"desc": "Ignore legacy .rhosts configuration, because rhosts are a weak way to authenticate systems and provide attacker more ways to enter the system.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 244
},
"id": "sshd-23",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration IgnoreRhosts should eq \"yes\"",
"run_time": 0.000358,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Enable IgnoreUserKnownHosts",
"desc": "This option is a weak way for authentication and provide attacker more ways to enter the system.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 253
},
"id": "sshd-24",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration IgnoreUserKnownHosts should eq \"yes\"",
"run_time": 0.000422,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable HostbasedAuthentication",
"desc": "This option is a weak way for authentication and provide attacker more ways to enter the system.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 262
},
"id": "sshd-25",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration HostbasedAuthentication should eq \"no\"",
"run_time": 0.00041,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Disable password-based authentication",
"desc": "Avoid password-based authentications.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 271
},
"id": "sshd-27",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration PasswordAuthentication should eq \"no\"",
"run_time": 0.000443,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable PermitEmptyPasswords",
"desc": "Accounts should be protected and users should be accountable. For this reason the usage of empty passwords should never be allowed.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 280
},
"id": "sshd-28",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration PermitEmptyPasswords should eq \"no\"",
"run_time": 0.000372,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Disable ChallengeResponseAuthentication",
"desc": "Avoid challenge-response and password-based authentications.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 289
},
"id": "sshd-29",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration ChallengeResponseAuthentication should eq \"no\"",
"run_time": 0.000374,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: Disable Kerberos",
"desc": "Avoid kerberos authentication.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 298
},
"id": "sshd-30",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration KerberosAuthentication should eq \"no\"",
"run_time": 0.00046,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable Kerberos or Local Password",
"desc": "Avoid kerberos authentication because it use password-based authentication as fallback.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 307
},
"id": "sshd-31",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration KerberosOrLocalPasswd should eq \"no\"",
"run_time": 0.00046,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Enable KerberosTicketCleanup",
"desc": "Specifies whether to automatically destroy the user's ticket cache file on logout.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 316
},
"id": "sshd-32",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration KerberosTicketCleanup should eq \"yes\"",
"run_time": 0.000421,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable GSSAPIAuthentication",
"desc": "If you do not use GSSAPI authentication then disable it.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 325
},
"id": "sshd-33",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration GSSAPIAuthentication should eq \"no\"",
"run_time": 0.000421,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Enable GSSAPICleanupCredentials",
"desc": "Automatically destroy the user's credentials cache on logout.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 334
},
"id": "sshd-34",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration GSSAPICleanupCredentials should eq \"yes\"",
"run_time": 0.000394,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable TCPKeepAlive",
"desc": "Avoid the TCPKeepAlive messages to see if the client is still alive, because they are sent over unencrypted connection and are spoofable.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 343
},
"id": "sshd-35",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration TCPKeepAlive should eq \"no\"",
"run_time": 0.000453,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Set a client alive interval",
"desc": "ClientAlive messages are sent over encrypted connection and are not spoofable.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 352
},
"id": "sshd-36",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration ClientAliveInterval should eq \"600\"",
"run_time": 0.000432,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"600\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Configure a few client alive counters",
"desc": "This indicates the total number of checkalive message sent by the ssh server without getting any response from the ssh client. ClientAlive messages are sent over encrypted connection and are not spoofable.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 361
},
"id": "sshd-37",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration ClientAliveCountMax should eq \"3\"",
"run_time": 0.000434,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"3\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable tunnels",
"desc": "Avoid to use tunnels.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 370
},
"id": "sshd-38",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration PermitTunnel should eq \"no\"",
"run_time": 0.000448,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable TCP forwarding",
"desc": "If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 379
},
"id": "sshd-39",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration AllowTcpForwarding should eq \"no\"",
"run_time": 0.000484,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable Agent forwarding",
"desc": "Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 388
},
"id": "sshd-40",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration AllowAgentForwarding should eq \"no\"",
"run_time": 0.000396,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable gateway ports",
"desc": "Prevent remote hosts from connecting to forwarded ports on the node.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 397
},
"id": "sshd-41",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration GatewayPorts should eq \"no\"",
"run_time": 0.000435,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable X11Forwarding",
"desc": "Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 406
},
"id": "sshd-42",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration X11Forwarding should eq \"no\"",
"run_time": 0.000506,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Enable X11UseLocalhost",
"desc": "SSH daemon should bind the X11 forwarding server to the loopback address. This prevents remote hosts from connecting to the proxy display and reduce the attack surface",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 415
},
"id": "sshd-43",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration X11UseLocalhost should eq \"yes\"",
"run_time": 0.00054,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Disable PrintMotd",
"desc": "This specifies that the SSH daemon itself should not read and display the message of the day file.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 424
},
"id": "sshd-44",
"results": [{
"status": "passed",
"code_desc": "SSH Configuration PrintMotd should eq \"no\"",
"run_time": 0.00046,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}, {
"title": "Server: PrintLastLog",
"desc": "This tells the SSH daemon to print out information about the last time you logged in.",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 433
},
"id": "sshd-45",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration PrintLastLog should eq \"no\"",
"run_time": 0.000481,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"
}]
}, {
"title": "Server: Banner",
"desc": "Specifies a banner file to serve before authentication succeeds",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 442
},
"id": "sshd-46",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration Banner should eq \"none\"",
"run_time": 0.000496,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"none\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: DebianBanner",
"desc": "Specifies whether to include OS distribution in version information",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 451
},
"id": "sshd-47",
"results": [{
"status": "failed",
"code_desc": "SSH Configuration DebianBanner should eq \"no\"",
"run_time": 0.000422,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"
}]
}, {
"title": "Server: DH primes",
"desc": "Verifies if strong DH primes are used in /etc/ssh/moduli",
"impact": 1.0,
"refs": [],
"tags": {},
"code": "",
"source_location": {
"ref": "ssh-baseline-master/controls/sshd_spec.rb",
"line": 467
},
"id": "sshd-48",
"results": [{
"status": "failed",
"code_desc": "Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 exit_status should eq 0",
"run_time": 0.008054,
"start_time": "2017-02-27 12:06:13 -0700",
"message": "\nexpected: 0\n got: 1\n\n(compared using ==)\n"
}, {
"status": "passed",
"code_desc": "Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stdout should eq \"\"",
"run_time": 0.000112,
"start_time": "2017-02-27 12:06:13 -0700"
}, {
"status": "passed",
"code_desc": "Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stderr should eq \"\"",
"run_time": 7.2e-05,
"start_time": "2017-02-27 12:06:13 -0700"
}]
}],
"groups": [{
"title": "SSH client config",
"controls": ["ssh-01", "ssh-02", "ssh-03", "ssh-04", "ssh-05", "ssh-06", "ssh-07", "ssh-08", "ssh-09", "ssh-10", "ssh-11", "ssh-12", "ssh-13", "ssh-14", "ssh-15", "ssh-16", "ssh-17", "ssh-18", "ssh-19", "ssh-20", "ssh-21"],
"id": "controls/ssh_spec.rb"
}, {
"title": "SSH server config",
"controls": ["sshd-01", "sshd-02", "sshd-03", "sshd-04", "sshd-05", "sshd-06", "sshd-07", "sshd-08", "sshd-09", "sshd-10", "sshd-11", "sshd-12", "sshd-13", "sshd-14", "sshd-15", "sshd-16", "sshd-17", "sshd-18", "sshd-19", "sshd-20", "sshd-21", "sshd-22", "sshd-23", "sshd-24", "sshd-25", "sshd-27", "sshd-28", "sshd-29", "sshd-30", "sshd-31", "sshd-32", "sshd-33", "sshd-34", "sshd-35", "sshd-36", "sshd-37", "sshd-38", "sshd-39", "sshd-40", "sshd-41", "sshd-42", "sshd-43", "sshd-44", "sshd-45", "sshd-46", "sshd-47", "sshd-48"],
"id": "controls/sshd_spec.rb"
}],
"attributes": []
}],
"statistics": {
"duration": 0.085361
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment