|
49 | 49 | impact 1.0 |
50 | 50 | title 'Client: Specify the AddressFamily to your need' |
51 | 51 | desc 'OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.' |
52 | | - describe ssh_config do |
| 52 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
53 | 53 | its('AddressFamily') { should match(/inet|inet6|any/) } |
54 | 54 | end |
55 | 55 | end |
|
58 | 58 | impact 1.0 |
59 | 59 | title 'Client: Specify expected ssh port' |
60 | 60 | desc 'Always specify which port the SSH client should connect. Prevent unexpected settings.' |
61 | | - describe ssh_config do |
| 61 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
62 | 62 | its('Port') { should eq('22') } |
63 | 63 | end |
64 | 64 | end |
|
67 | 67 | impact 1.0 |
68 | 68 | title 'Client: Specify protocol version 2' |
69 | 69 | desc "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore." |
70 | | - describe ssh_config do |
| 70 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
71 | 71 | its('Protocol') { should eq('2') } |
72 | 72 | end |
73 | 73 | end |
|
76 | 76 | impact 1.0 |
77 | 77 | title 'Client: Disable batch mode' |
78 | 78 | desc 'Avoid batch mode in the default configuration.' |
79 | | - describe ssh_config do |
| 79 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
80 | 80 | its('BatchMode') { should eq('no') } |
81 | 81 | end |
82 | 82 | end |
|
85 | 85 | impact 1.0 |
86 | 86 | title 'Client: Check Host IPs' |
87 | 87 | desc 'Make sure that SSH checks the host IP address in the known_hosts file, to avoid DNS spoofing effects.' |
88 | | - describe ssh_config do |
| 88 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
89 | 89 | its('CheckHostIP') { should eq('yes') } |
90 | 90 | end |
91 | 91 | end |
|
94 | 94 | impact 1.0 |
95 | 95 | title 'Client: Ask when checking host keys' |
96 | 96 | desc "Don't automatically add new hosts keys to the list of known hosts." |
97 | | - describe ssh_config do |
| 97 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
98 | 98 | its('StrictHostKeyChecking') { should match(/ask|yes/) } |
99 | 99 | end |
100 | 100 | end |
|
103 | 103 | impact 1.0 |
104 | 104 | title 'Client: Check for secure ssh ciphers' |
105 | 105 | desc 'Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)' |
106 | | - describe ssh_config do |
| 106 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
107 | 107 | its('Ciphers') { should eq(ssh_crypto.valid_ciphers) } |
108 | 108 | end |
109 | 109 | end |
|
112 | 112 | impact 1.0 |
113 | 113 | title 'Client: Check for secure ssh Key-Exchange Algorithm' |
114 | 114 | desc 'Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)' |
115 | | - describe ssh_config do |
| 115 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
116 | 116 | its('KexAlgorithms') { should eq(ssh_crypto.valid_kexs) } |
117 | 117 | end |
118 | 118 | end |
|
121 | 121 | impact 1.0 |
122 | 122 | title 'Client: Check for secure ssh Message Authentication Codes' |
123 | 123 | desc 'Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)' |
124 | | - describe ssh_config do |
| 124 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
125 | 125 | its('MACs') { should eq(ssh_crypto.valid_macs) } |
126 | 126 | end |
127 | 127 | end |
|
130 | 130 | impact 1.0 |
131 | 131 | title 'Client: Disable agent forwarding' |
132 | 132 | desc 'Prevent agent forwarding by default, as it can be used in a limited way to enable attacks.' |
133 | | - describe ssh_config do |
| 133 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
134 | 134 | its('ForwardAgent') { should eq('no') } |
135 | 135 | end |
136 | 136 | end |
|
139 | 139 | impact 1.0 |
140 | 140 | title 'Client: Disable X11Forwarding' |
141 | 141 | desc 'Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.' |
142 | | - describe ssh_config do |
| 142 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
143 | 143 | its('ForwardX11') { should eq('no') } |
144 | 144 | end |
145 | 145 | end |
|
148 | 148 | impact 1.0 |
149 | 149 | title 'Client: Disable HostbasedAuthentication' |
150 | 150 | desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.' |
151 | | - describe ssh_config do |
| 151 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
152 | 152 | its('HostbasedAuthentication') { should eq('no') } |
153 | 153 | end |
154 | 154 | end |
|
158 | 158 | title 'Client: Disable rhosts-based authentication' |
159 | 159 | desc 'Avoid rhosts-based authentication, as it opens more ways for an attacker to enter a system.' |
160 | 160 | only_if { ssh_crypto.ssh_version < 7.6 } |
161 | | - describe ssh_config do |
| 161 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
162 | 162 | its('RhostsRSAAuthentication') { should eq('no') } |
163 | 163 | end |
164 | 164 | end |
|
168 | 168 | title 'Client: Enable RSA authentication' |
169 | 169 | desc 'Make sure RSA authentication is used by default.' |
170 | 170 | only_if { ssh_crypto.ssh_version < 7.6 } |
171 | | - describe ssh_config do |
| 171 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
172 | 172 | its('RSAAuthentication') { should eq('yes') } |
173 | 173 | end |
174 | 174 | end |
|
177 | 177 | impact 1.0 |
178 | 178 | title 'Client: Disable password-based authentication' |
179 | 179 | desc 'Avoid password-based authentications.' |
180 | | - describe ssh_config do |
| 180 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
181 | 181 | its('PasswordAuthentication') { should eq('no') } |
182 | 182 | end |
183 | 183 | end |
|
186 | 186 | impact 1.0 |
187 | 187 | title 'Client: Disable GSSAPIAuthentication' |
188 | 188 | desc 'If you do not use GSSAPI authentication then disable it.' |
189 | | - describe ssh_config do |
| 189 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
190 | 190 | its('GSSAPIAuthentication') { should eq('no') } |
191 | 191 | end |
192 | 192 | end |
|
195 | 195 | impact 1.0 |
196 | 196 | title 'Client: Disable GSSAPIDelegateCredentials' |
197 | 197 | desc 'If you do not use GSSAPI authentication then disable it.' |
198 | | - describe ssh_config do |
| 198 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
199 | 199 | its('GSSAPIDelegateCredentials') { should eq('no') } |
200 | 200 | end |
201 | 201 | end |
|
204 | 204 | impact 1.0 |
205 | 205 | title 'Client: Disable tunnels' |
206 | 206 | desc 'Avoid using SSH tunnels.' |
207 | | - describe ssh_config do |
| 207 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
208 | 208 | its('Tunnel') { should eq('no') } |
209 | 209 | end |
210 | 210 | end |
|
213 | 213 | impact 1.0 |
214 | 214 | title 'Client: Do not permit local commands' |
215 | 215 | desc 'Do not permit any local command execution.' |
216 | | - describe ssh_config do |
| 216 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
217 | 217 | its('PermitLocalCommand') { should eq('no') } |
218 | 218 | end |
219 | 219 | end |
|
223 | 223 | title 'Client: Do not allow Roaming' |
224 | 224 | desc 'Workaround for SSH Client Bug CVE-2016-0777 and CVE-2016-0778' |
225 | 225 | only_if { ssh_crypto.ssh_version < 7.2 } |
226 | | - describe ssh_config do |
| 226 | + describe ssh_config(ssh_custom_path + '/ssh_config') do |
227 | 227 | its('UseRoaming') { should eq('no') } |
228 | 228 | end |
229 | 229 | end |
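Review bot: The new `describe ssh_config(ssh_custom_path + '/ssh_config') do` (line 226 here, and the same form in every other hunk of this file) builds the path with bare string concatenation, so if `ssh_custom_path` is unset (nil) the control aborts with a NoMethodError rather than failing cleanly or falling back to the resource's default client config; `ssh_custom_path` is defined outside this diff, so I cannot confirm it always carries a value. I would build the path once with a nil-safe default and reuse it, e.g. `ssh_client_config = File.join(ssh_custom_path || '/etc/ssh', 'ssh_config')` at the top of the file and `describe ssh_config(ssh_client_config) do` in each control, which also avoids a double slash when the attribute ends in `/`. A short comment on that line would help the next reader, since the resource presumably parses only the file it is handed: `# Only this file is inspected; ~/.ssh/config and Include'd files are not, so this must be the client-wide config the ssh binary actually loads.` Otherwise a custom path that the client never reads lets the ForwardAgent, StrictHostKeyChecking and cipher controls pass without assuring the effective settings. The enclosing `control` block starts outside the hunk.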