
Can't start sshd baseline config at ssh server #196

Open
nbublikov opened this issue May 26, 2021 · 28 comments

Comments

@nbublikov

nbublikov commented May 26, 2021

**Describe the bug**
Can't start sshd baseline config at ssh server

**Expected behavior**
Expected that the sshd config starts without errors

**Actual behavior**
In the attached screen

**Example code**
In the attached screen

**OS / Environment**

**Inspec Version**
4.37.17

**Baseline Version**
https://github.com/dev-sec/ssh-baseline/blob/master/controls/sshd_spec.rb
@nbublikov
Author

Screenshot_5

@rndmh3ro
Member

Can you try running the command like this?

sudo inspec exec /opt/inspec/test/ssh-baseline/ -t ssh://...

@nbublikov
Author

nbublikov commented May 26, 2021

yes, please see output

Version: 2.6.4
Target:  ssh://root@xxxx

  ×  ssh-01: client: Check ssh_config owner, group and permissions. (6 failed)
     ✔  File /etc/ssh/ssh_config is expected to exist
     ×  File /etc/ssh/ssh_config is expected to be file
     expected `File /etc/ssh/ssh_config.file?` to be truthy, got false
     ×  File /etc/ssh/ssh_config is expected to be owned by "root"
     expected `File /etc/ssh/ssh_config.owned_by?("root")` to be truthy, got false
     ×  File /etc/ssh/ssh_config is expected to be grouped into "root"
     expected `File /etc/ssh/ssh_config.grouped_into?("root")` to be truthy, got false
     ×  File /etc/ssh/ssh_config is expected not to be executable
     expected File /etc/ssh/ssh_config not to be executable
     ✔  File /etc/ssh/ssh_config is expected to be readable by owner
     ✔  File /etc/ssh/ssh_config is expected to be readable by group
     ✔  File /etc/ssh/ssh_config is expected to be readable by other
     ✔  File /etc/ssh/ssh_config is expected to be writable by owner
     ×  File /etc/ssh/ssh_config is expected not to be writable by group
     expected File /etc/ssh/ssh_config not to be writable by group
     ×  File /etc/ssh/ssh_config is expected not to be writable by other
     expected File /etc/ssh/ssh_config not to be writable by other
  ↺  ssh-02: Client: Specify the AddressFamily to your need
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-03: Client: Specify expected ssh port
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-04: Client: Specify protocol version 2
     ↺  Skipped control due to only_if condition.
  ↺  ssh-05: Client: Disable batch mode
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-06: Client: Check Host IPs
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-07: Client: Ask when checking host keys
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-08: Client: Check for secure ssh ciphers
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-09: Client: Check for secure ssh Key-Exchange Algorithm
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-10: Client: Check for secure ssh Message Authentication Codes
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-11: Client: Disable agent forwarding
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-12: Client: Disable X11Forwarding
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-13: Client: Disable HostbasedAuthentication
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-14: Client: Disable rhosts-based authentication
     ↺  Skipped control due to only_if condition.
  ↺  ssh-15: Client: Enable RSA authentication
     ↺  Skipped control due to only_if condition.
  ↺  ssh-16: Client: Disable password-based authentication
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-17: Client: Disable GSSAPIAuthentication
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-18: Client: Disable GSSAPIDelegateCredentials
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-19: Client: Disable tunnels
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-20: Client: Do not permit local commands
     ↺  Can't find file: /etc/ssh/ssh_config
  ↺  ssh-21: Client: Do not allow Roaming
     ↺  Skipped control due to only_if condition.
  ×  ssh-22: Client: CRYPTO_POLICY (3 failed)
     ×  Bash command ssh -G localhost stdout is expected to match "ciphers aes256-ctr,aes192-ctr,aes128-ctr"
     expected "user root\nhostname localhost\nport 22\naddkeystoagent false\naddressfamily any\nbatchmode no\ncanon...t no\nescapechar ~\nipqos af21 cs1\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "ciphers aes256-ctr,aes192-ctr,aes128-ctr"
     Diff:
     @@ -1,68 +1,135 @@
     -ciphers aes256-ctr,aes192-ctr,aes128-ctr
     +user root
     +hostname localhost
     +port 22
     +addkeystoagent false
     +addressfamily any
     +batchmode no
     +canonicalizefallbacklocal yes
     +canonicalizehostname false
     +challengeresponseauthentication yes
     +checkhostip yes
     +compression no
     +controlmaster false
     +enablesshkeysign no
     +clearallforwardings no
     +exitonforwardfailure yes
     +fingerprinthash SHA256
     +forwardagent yes
     +forwardx11 yes
     +forwardx11trusted no
     +gatewayports no
     +hashknownhosts no
     +hostbasedauthentication no
     +identitiesonly no
     +kbdinteractiveauthentication yes
     +nohostauthenticationforlocalhost no
     +passwordauthentication yes
     +permitlocalcommand no
     +proxyusefdpass no
     +pubkeyauthentication yes
     +requesttty auto
     +streamlocalbindunlink no
     +stricthostkeychecking ask
     +tcpkeepalive yes
     +tunnel false
     +verifyhostkeydns false
     +visualhostkey no
     +updatehostkeys false
     +canonicalizemaxdots 1
     +connectionattempts 1
     +forwardx11timeout 1200
     +numberofpasswordprompts 3
     +serveralivecountmax 5
     +serveraliveinterval 30
     +ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
     +hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
     +casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +loglevel INFO
     +macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     +pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +xauthlocation /usr/bin/xauth
     +identityfile ~/.ssh/id_rsa
     +identityfile ~/.ssh/id_dsa
     +identityfile ~/.ssh/id_ecdsa
     +identityfile ~/.ssh/id_ed25519
     +identityfile ~/.ssh/id_xmss
     +canonicaldomains
     +globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
     +userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
     +connecttimeout none
     +tunneldevice any:any
     +controlpersist no
     +escapechar ~
     +ipqos af21 cs1
     +rekeylimit 0 0
     +streamlocalbindmask 0177
     +syslogfacility USER

     ×  Bash command ssh -G localhost stdout is expected to match "kexalgorithms diffie-hellman-group-exchange-sha256"
     expected "user root\nhostname localhost\nport 22\naddkeystoagent false\naddressfamily any\nbatchmode no\ncanon...t no\nescapechar ~\nipqos af21 cs1\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "kexalgorithms diffie-hellman-group-exchange-sha256"
     Diff:
     @@ -1,68 +1,135 @@
     -kexalgorithms diffie-hellman-group-exchange-sha256
     +user root
     +hostname localhost
     +port 22
     +addkeystoagent false
     +addressfamily any
     +batchmode no
     +canonicalizefallbacklocal yes
     +canonicalizehostname false
     +challengeresponseauthentication yes
     +checkhostip yes
     +compression no
     +controlmaster false
     +enablesshkeysign no
     +clearallforwardings no
     +exitonforwardfailure yes
     +fingerprinthash SHA256
     +forwardagent yes
     +forwardx11 yes
     +forwardx11trusted no
     +gatewayports no
     +hashknownhosts no
     +hostbasedauthentication no
     +identitiesonly no
     +kbdinteractiveauthentication yes
     +nohostauthenticationforlocalhost no
     +passwordauthentication yes
     +permitlocalcommand no
     +proxyusefdpass no
     +pubkeyauthentication yes
     +requesttty auto
     +streamlocalbindunlink no
     +stricthostkeychecking ask
     +tcpkeepalive yes
     +tunnel false
     +verifyhostkeydns false
     +visualhostkey no
     +updatehostkeys false
     +canonicalizemaxdots 1
     +connectionattempts 1
     +forwardx11timeout 1200
     +numberofpasswordprompts 3
     +serveralivecountmax 5
     +serveraliveinterval 30
     +ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
     +hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
     +casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +loglevel INFO
     +macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     +pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +xauthlocation /usr/bin/xauth
     +identityfile ~/.ssh/id_rsa
     +identityfile ~/.ssh/id_dsa
     +identityfile ~/.ssh/id_ecdsa
     +identityfile ~/.ssh/id_ed25519
     +identityfile ~/.ssh/id_xmss
     +canonicaldomains
     +globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
     +userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
     +connecttimeout none
     +tunneldevice any:any
     +controlpersist no
     +escapechar ~
     +ipqos af21 cs1
     +rekeylimit 0 0
     +streamlocalbindmask 0177
     +syslogfacility USER

     ×  Bash command ssh -G localhost stdout is expected to match "macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
     expected "user root\nhostname localhost\nport 22\naddkeystoagent false\naddressfamily any\nbatchmode no\ncanon...t no\nescapechar ~\nipqos af21 cs1\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
     Diff:
     @@ -1,68 +1,135 @@
     -macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
     +user root
     +hostname localhost
     +port 22
     +addkeystoagent false
     +addressfamily any
     +batchmode no
     +canonicalizefallbacklocal yes
     +canonicalizehostname false
     +challengeresponseauthentication yes
     +checkhostip yes
     +compression no
     +controlmaster false
     +enablesshkeysign no
     +clearallforwardings no
     +exitonforwardfailure yes
     +fingerprinthash SHA256
     +forwardagent yes
     +forwardx11 yes
     +forwardx11trusted no
     +gatewayports no
     +hashknownhosts no
     +hostbasedauthentication no
     +identitiesonly no
     +kbdinteractiveauthentication yes
     +nohostauthenticationforlocalhost no
     +passwordauthentication yes
     +permitlocalcommand no
     +proxyusefdpass no
     +pubkeyauthentication yes
     +requesttty auto
     +streamlocalbindunlink no
     +stricthostkeychecking ask
     +tcpkeepalive yes
     +tunnel false
     +verifyhostkeydns false
     +visualhostkey no
     +updatehostkeys false
     +canonicalizemaxdots 1
     +connectionattempts 1
     +forwardx11timeout 1200
     +numberofpasswordprompts 3
     +serveralivecountmax 5
     +serveraliveinterval 30
     +ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
     +hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
     +casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +loglevel INFO
     +macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     +pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +xauthlocation /usr/bin/xauth
     +identityfile ~/.ssh/id_rsa
     +identityfile ~/.ssh/id_dsa
     +identityfile ~/.ssh/id_ecdsa
     +identityfile ~/.ssh/id_ed25519
     +identityfile ~/.ssh/id_xmss
     +canonicaldomains
     +globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
     +userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
     +connecttimeout none
     +tunneldevice any:any
     +controlpersist no
     +escapechar ~
     +ipqos af21 cs1
     +rekeylimit 0 0
     +streamlocalbindmask 0177
     +syslogfacility USER

  ↺  sshd-01: Server: Check for secure ssh ciphers
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-02: Server: Check for secure ssh Key-Exchange Algorithm
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-03: Server: Check for secure ssh Message Authentication Codes
     ↺  Can't find file: /etc/ssh/sshd_config
  ×  sshd-04: Server: Check SSH folder owner, group and permissions. (5 failed)
     ✔  File /etc/ssh is expected to exist
     ×  File /etc/ssh is expected to be directory
     expected `File /etc/ssh.directory?` to be truthy, got false
     ×  File /etc/ssh is expected to be owned by "root"
     expected `File /etc/ssh.owned_by?("root")` to be truthy, got false
     ×  File /etc/ssh is expected to be grouped into "root"
     expected `File /etc/ssh.grouped_into?("root")` to be truthy, got false
     ✔  File /etc/ssh is expected to be executable
     ✔  File /etc/ssh is expected to be readable by owner
     ✔  File /etc/ssh is expected to be readable by group
     ✔  File /etc/ssh is expected to be readable by other
     ✔  File /etc/ssh is expected to be writable by owner
     ×  File /etc/ssh is expected not to be writable by group
     expected File /etc/ssh not to be writable by group
     ×  File /etc/ssh is expected not to be writable by other
     expected File /etc/ssh not to be writable by other
  ×  sshd-05: Server: Check sshd_config owner, group and permissions. (8 failed)
     ✔  File /etc/ssh/sshd_config is expected to exist
     ×  File /etc/ssh/sshd_config is expected to be file
     expected `File /etc/ssh/sshd_config.file?` to be truthy, got false
     ×  File /etc/ssh/sshd_config is expected to be owned by "root"
     expected `File /etc/ssh/sshd_config.owned_by?("root")` to be truthy, got false
     ×  File /etc/ssh/sshd_config is expected to be grouped into "root"
     expected `File /etc/ssh/sshd_config.grouped_into?("root")` to be truthy, got false
     ×  File /etc/ssh/sshd_config is expected not to be executable
     expected File /etc/ssh/sshd_config not to be executable
     ✔  File /etc/ssh/sshd_config is expected to be readable by owner
     ×  File /etc/ssh/sshd_config is expected not to be readable by group
     expected File /etc/ssh/sshd_config not to be readable by group
     ×  File /etc/ssh/sshd_config is expected not to be readable by other
     expected File /etc/ssh/sshd_config not to be readable by other
     ✔  File /etc/ssh/sshd_config is expected to be writable by owner
     ×  File /etc/ssh/sshd_config is expected not to be writable by group
     expected File /etc/ssh/sshd_config not to be writable by group
     ×  File /etc/ssh/sshd_config is expected not to be writable by other
     expected File /etc/ssh/sshd_config not to be writable by other
  ↺  sshd-06: Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-07: Server: Specify the listen ssh Port
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-08: Server: Specify the AddressFamily to your need
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-09: Server: Specify ListenAddress
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-11: Server: Enable StrictModes
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-12: Server: Specify SyslogFacility to AUTH
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-13: Server: Specify LogLevel to VERBOSE
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-14: Server: Specify SSH HostKeys
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-15: Server: Specify UseLogin to NO
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-16: Server: Use privilege separation
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-17: Server: Disable PermitUserEnvironment
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-18: Server: Specify LoginGraceTime
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-19: Server: Specify Limit for maximum authentication retries
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-20: Server: Specify maximum sessions
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-21: Server: Specify maximum startups
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-22: Server: Enable PubkeyAuthentication
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-23: Server: Enable IgnoreRhosts
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-24: Server: Enable IgnoreUserKnownHosts
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-25: Server: Disable HostbasedAuthentication
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-27: Server: Disable password-based authentication
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-28: Server: Disable PermitEmptyPasswords
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-29: Server: Disable ChallengeResponseAuthentication
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-30: Server: Disable Kerberos
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-31: Server: Disable Kerberos or Local Password
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-32: Server: Enable KerberosTicketCleanup
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-33: Server: Disable GSSAPIAuthentication
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-34: Server: Enable GSSAPICleanupCredentials
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-35: Server: Disable TCPKeepAlive
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-36: Server: Set a client alive interval
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-37: Server: Configure a few client alive counters
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-38: Server: Disable tunnels
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-39: Server: Disable TCP forwarding
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-40: Server: Disable Agent forwarding
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-41: Server: Disable gateway ports
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-42: Server: Disable X11Forwarding
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-43: Server: Enable X11UseLocalhost
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-44: Server: Disable PrintMotd
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-45: Server: PrintLastLog
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-46: Server: Banner
     ↺  Can't find file: /etc/ssh/sshd_config
  ↺  sshd-47: Server: DebianBanner
     ↺  Can't find file: /etc/ssh/sshd_config
  ✔  sshd-48: Server: DH primes
     ✔  Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 exit_status is expected to eq 0
     ✔  Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stdout is expected to eq ""
     ✔  Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stderr is expected to eq ""
  ✔  sshd-49: Server: CRYPTO_POLICY
     ✔  Processes sshd -D entries.length is expected to eq 1
     ✔  Processes sshd -D commands.first is expected not to match /-oCiphers/
     ✔  Processes sshd -D commands.first is expected not to match /-oKexAlgorithms/
     ✔  Processes sshd -D commands.first is expected not to match /-oHostKeyAlgorithms/
  ×  sshd-50: Server: RSA HostKey size (1 failed)
     ✔  Bash command test $(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | awk '$1 < 4096 { print $1 }' | wc -l) -eq 0 exit_status is expected to eq 0
     ✔  Bash command test $(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | awk '$1 < 4096 { print $1 }' | wc -l) -eq 0 stdout is expected to eq ""
     ×  Bash command test $(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | awk '$1 < 4096 { print $1 }' | wc -l) -eq 0 stderr is expected to eq ""
     
     expected: ""
          got: "ssh-keygen: /etc/ssh/ssh_host_rsa_key: No such file or directory\r\n"
     
     (compared using ==)
     
     Diff:
     @@ -1 +1,2 @@
     +ssh-keygen: /etc/ssh/ssh_host_rsa_key: No such file or directory

@nbublikov
Author

I know my server is configured for password access and want sshd check 022 to say you don't have keys used.

But this check is simply skipped like many others.

@nbublikov
Author

nbublikov commented May 26, 2021

image

Hmm, what do you think, can it be the cause of the problem that at the ssh server many lines in sshd_config are commented?

@rndmh3ro
Member

There seems to be a problem with accessing the files. Can you run the following command on the target server and paste the output?

ls -lsah /etc/ssh/
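
A way to re-check on the target host, without InSpec in the loop, the same properties that the ssh-01, sshd-04 and sshd-05 controls assert (regular file or directory, owner root, group root, mode bits). This is an added example, not code from the ssh-baseline profile or from anyone in this thread; the function names are my own, and it assumes a stat(1) that accepts -c (GNU coreutils, or a busybox build with format-string support). The modes 644 and 600 follow exactly from the expectations printed in the InSpec output above; 755 for the directory is one mode that satisfies them. If this script passes on the target while the profile still reports `file?` or `owned_by?("root")` as false, the discrepancy is in how the file metadata reaches InSpec over the transport rather than in the files themselves.

```shell
#!/bin/sh
# Added example, not part of dev-sec/ssh-baseline or of this issue thread.
# Re-checks on the target host, with stat(1) only, the properties that the
# ssh-01 / sshd-04 / sshd-05 controls assert: kind, owner, group, mode bits.
# Assumes stat(1) accepts -c (GNU coreutils or busybox with format support).

# check_path PATH KIND OWNER GROUP MODE
#   KIND is "file" or "dir"; MODE is the expected octal mode, e.g. 600.
#   Prints one line per mismatch; returns 0 only when everything matches.
check_path() {
    cp_path=$1 cp_kind=$2 cp_owner=$3 cp_group=$4 cp_mode=$5 cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "$cp_path: does not exist"
        return 1
    fi
    case "$cp_kind" in
        file) [ -f "$cp_path" ] || { echo "$cp_path: not a regular file"; cp_rc=1; } ;;
        dir)  [ -d "$cp_path" ] || { echo "$cp_path: not a directory"; cp_rc=1; } ;;
        *)    echo "check_path: unknown kind '$cp_kind'" >&2; return 2 ;;
    esac
    # %U/%G are the owner and group names, %a the permission bits in octal.
    # A stat(1) without -c support fails here, which is itself a useful
    # finding: InSpec needs the same metadata from the same host.
    cp_info=$(stat -c '%U %G %a' "$cp_path" 2>/dev/null) || {
        echo "$cp_path: stat -c failed; this stat(1) does not support format strings"
        return 1
    }
    set -- $cp_info
    [ "$1" = "$cp_owner" ] || { echo "$cp_path: owner is $1, expected $cp_owner"; cp_rc=1; }
    [ "$2" = "$cp_group" ] || { echo "$cp_path: group is $2, expected $cp_group"; cp_rc=1; }
    [ "$3" = "$cp_mode" ]  || { echo "$cp_path: mode is $3, expected $cp_mode"; cp_rc=1; }
    return $cp_rc
}

# check_ssh_tree [DIR]: the three paths the failing controls above cover.
# 644 and 600 follow exactly from the expectations in the InSpec output;
# 755 for the directory is one mode that satisfies them.
check_ssh_tree() {
    ct_dir=${1:-/etc/ssh} ct_rc=0
    check_path "$ct_dir"             dir  root root 755 || ct_rc=1
    check_path "$ct_dir/ssh_config"  file root root 644 || ct_rc=1
    check_path "$ct_dir/sshd_config" file root root 600 || ct_rc=1
    [ "$ct_rc" -eq 0 ] && echo "$ct_dir: all checks passed"
    return $ct_rc
}

# Usage on the target:  sh check_ssh_tree.sh run [/etc/ssh]
if [ "${1:-}" = run ]; then
    check_ssh_tree "${2:-/etc/ssh}"
fi
```

Run it as root on the target (`sh check_ssh_tree.sh run`); a non-zero exit with no mismatch lines means the host's stat(1) could not be queried the way the script expects, which is worth reporting alongside the `ls -lsah` output.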

@nbublikov
Author

nbublikov commented May 26, 2021

Yes, please.
image

It's a read-only file system by default. But I think inspec just needs to read files.

@rndmh3ro
Member

Can you please run ls -lsah /etc/ | grep ssh?

@nbublikov
Author

image

@nbublikov
Author

nbublikov commented May 26, 2021

uname -a (ssh server)
Linux xxx-dev 4.14.98 #1 SMP PREEMPT Wed Mar 17 21:18:09 MSK 2021 armv7l GNU/Linux

@nbublikov

This comment has been minimized.

@nbublikov

This comment has been minimized.

@rndmh3ro
Member

Don't comment any code you don't know, it just breaks things. :)

This is probably not a problem with the inspec profile but rather with your machine.

Do you have other machines you can test?

@nbublikov
Author

nbublikov commented May 26, 2021

Yes, please see. What do you think?


Profile: DevSec SSH Baseline (ssh-baseline)
Version: 2.6.4
Target:  ssh://user@xxxx:22

  ✔  ssh-01: client: Check ssh_config owner, group and permissions.
     ✔  File /etc/ssh/ssh_config is expected to exist
     ✔  File /etc/ssh/ssh_config is expected to be file
     ✔  File /etc/ssh/ssh_config is expected to be owned by "root"
     ✔  File /etc/ssh/ssh_config is expected to be grouped into "root"
     ✔  File /etc/ssh/ssh_config is expected not to be executable
     ✔  File /etc/ssh/ssh_config is expected to be readable by owner
     ✔  File /etc/ssh/ssh_config is expected to be readable by group
     ✔  File /etc/ssh/ssh_config is expected to be readable by other
     ✔  File /etc/ssh/ssh_config is expected to be writable by owner
     ✔  File /etc/ssh/ssh_config is expected not to be writable by group
     ✔  File /etc/ssh/ssh_config is expected not to be writable by other
  ×  ssh-02: Client: Specify the AddressFamily to your need
     ×  SSH Configuration AddressFamily is expected to match /inet|inet6|any/
     expected nil to match /inet|inet6|any/
  ×  ssh-03: Client: Specify expected ssh port
     ×  SSH Configuration Port is expected to eq "22"
     
     expected: "22"
          got: nil
     
     (compared using ==)

  ↺  ssh-04: Client: Specify protocol version 2
     ↺  Skipped control due to only_if condition.
  ×  ssh-05: Client: Disable batch mode
     ×  SSH Configuration BatchMode is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  ssh-06: Client: Check Host IPs
     ×  SSH Configuration CheckHostIP is expected to eq "yes"
     
     expected: "yes"
          got: nil
     
     (compared using ==)

  ×  ssh-07: Client: Ask when checking host keys
     ×  SSH Configuration StrictHostKeyChecking is expected to match /ask|yes/
     expected nil to match /ask|yes/
  ×  ssh-08: Client: Check for secure ssh ciphers
     ×  SSH Configuration Ciphers is expected to eq "aes256-ctr,aes192-ctr,aes128-ctr"
     
     expected: "aes256-ctr,aes192-ctr,aes128-ctr"
          got: nil
     
     (compared using ==)

  ×  ssh-09: Client: Check for secure ssh Key-Exchange Algorithm
     ×  SSH Configuration KexAlgorithms is expected to eq "diffie-hellman-group-exchange-sha256"
     
     expected: "diffie-hellman-group-exchange-sha256"
          got: nil
     
     (compared using ==)

  ×  ssh-10: Client: Check for secure ssh Message Authentication Codes
     ×  SSH Configuration MACs is expected to eq "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
     
     expected: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
          got: nil
     
     (compared using ==)

  ×  ssh-11: Client: Disable agent forwarding
     ×  SSH Configuration ForwardAgent is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  ssh-12: Client: Disable X11Forwarding
     ×  SSH Configuration ForwardX11 is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  ssh-13: Client: Disable HostbasedAuthentication
     ×  SSH Configuration HostbasedAuthentication is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ↺  ssh-14: Client: Disable rhosts-based authentication
     ↺  Skipped control due to only_if condition.
  ↺  ssh-15: Client: Enable RSA authentication
     ↺  Skipped control due to only_if condition.
  ×  ssh-16: Client: Disable password-based authentication
     ×  SSH Configuration PasswordAuthentication is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  ssh-17: Client: Disable GSSAPIAuthentication
     ×  SSH Configuration GSSAPIAuthentication is expected to eq "no"
     
     expected: "no"
          got: "yes"
     
     (compared using ==)

  ×  ssh-18: Client: Disable GSSAPIDelegateCredentials
     ×  SSH Configuration GSSAPIDelegateCredentials is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  ssh-19: Client: Disable tunnels
     ×  SSH Configuration Tunnel is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  ssh-20: Client: Do not permit local commands
     ×  SSH Configuration PermitLocalCommand is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ↺  ssh-21: Client: Do not allow Roaming
     ↺  Skipped control due to only_if condition.
  ×  ssh-22: Client: CRYPTO_POLICY (3 failed)
     ×  Bash command ssh -G localhost stdout is expected to match "ciphers aes256-ctr,aes192-ctr,aes128-ctr"
     expected "user nbublikov\nhostname localhost\nport 22\naddressfamily any\nbatchmode no\ncanonicalizefallbacklo...echar ~\nipqos lowdelay throughput\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "ciphers aes256-ctr,aes192-ctr,aes128-ctr"
     Diff:
     @@ -1,79 +1,157 @@
     -ciphers aes256-ctr,aes192-ctr,aes128-ctr
     +user nbublikov
     +hostname localhost
     +port 22
     +addressfamily any
     +batchmode no
     +canonicalizefallbacklocal yes
     +canonicalizehostname false
     +challengeresponseauthentication yes
     +checkhostip yes
     +compression no
     +controlmaster false
     +enablesshkeysign no
     +clearallforwardings no
     +exitonforwardfailure no
     +fingerprinthash SHA256
     +forwardx11 no
     +forwardx11trusted yes
     +gatewayports no
     +gssapiauthentication yes
     +gssapikeyexchange no
     +gssapidelegatecredentials no
     +gssapitrustdns no
     +gssapirenewalforcesrekey no
     +gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
     +hashknownhosts yes
     +hostbasedauthentication no
     +identitiesonly no
     +kbdinteractiveauthentication yes
     +nohostauthenticationforlocalhost no
     +passwordauthentication yes
     +permitlocalcommand no
     +proxyusefdpass no
     +pubkeyauthentication yes
     +requesttty auto
     +streamlocalbindunlink no
     +stricthostkeychecking ask
     +tcpkeepalive yes
     +tunnel false
     +verifyhostkeydns false
     +visualhostkey no
     +updatehostkeys false
     +canonicalizemaxdots 1
     +connectionattempts 1
     +forwardx11timeout 1200
     +numberofpasswordprompts 3
     +serveralivecountmax 3
     +serveraliveinterval 0
     +ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
     +hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
     +casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256
     +loglevel INFO
     +macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     +securitykeyprovider internal
     +pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +xauthlocation /usr/bin/xauth
     +identityfile ~/.ssh/id_rsa
     +identityfile ~/.ssh/id_dsa
     +identityfile ~/.ssh/id_ecdsa
     +identityfile ~/.ssh/id_ecdsa_sk
     +identityfile ~/.ssh/id_ed25519
     +identityfile ~/.ssh/id_ed25519_sk
     +identityfile ~/.ssh/id_xmss
     +canonicaldomains
     +globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
     +userknownhostsfile /home/nbublikov/.ssh/known_hosts /home/nbublikov/.ssh/known_hosts2
     +sendenv LANG
     +sendenv LC_*
     +addkeystoagent false
     +forwardagent no
     +connecttimeout none
     +tunneldevice any:any
     +controlpersist no
     +escapechar ~
     +ipqos lowdelay throughput
     +rekeylimit 0 0
     +streamlocalbindmask 0177
     +syslogfacility USER

     ×  Bash command ssh -G localhost stdout is expected to match "kexalgorithms diffie-hellman-group-exchange-sha256"
     expected "user nbublikov\nhostname localhost\nport 22\naddressfamily any\nbatchmode no\ncanonicalizefallbacklo...echar ~\nipqos lowdelay throughput\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "kexalgorithms diffie-hellman-group-exchange-sha256"
     Diff:
     @@ -1,79 +1,157 @@
     -kexalgorithms diffie-hellman-group-exchange-sha256
     +user nbublikov
     +hostname localhost
     +port 22
     +addressfamily any
     +batchmode no
     +canonicalizefallbacklocal yes
     +canonicalizehostname false
     +challengeresponseauthentication yes
     +checkhostip yes
     +compression no
     +controlmaster false
     +enablesshkeysign no
     +clearallforwardings no
     +exitonforwardfailure no
     +fingerprinthash SHA256
     +forwardx11 no
     +forwardx11trusted yes
     +gatewayports no
     +gssapiauthentication yes
     +gssapikeyexchange no
     +gssapidelegatecredentials no
     +gssapitrustdns no
     +gssapirenewalforcesrekey no
     +gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
     +hashknownhosts yes
     +hostbasedauthentication no
     +identitiesonly no
     +kbdinteractiveauthentication yes
     +nohostauthenticationforlocalhost no
     +passwordauthentication yes
     +permitlocalcommand no
     +proxyusefdpass no
     +pubkeyauthentication yes
     +requesttty auto
     +streamlocalbindunlink no
     +stricthostkeychecking ask
     +tcpkeepalive yes
     +tunnel false
     +verifyhostkeydns false
     +visualhostkey no
     +updatehostkeys false
     +canonicalizemaxdots 1
     +connectionattempts 1
     +forwardx11timeout 1200
     +numberofpasswordprompts 3
     +serveralivecountmax 3
     +serveraliveinterval 0
     +ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
     +hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
     +casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256
     +loglevel INFO
     +macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     +securitykeyprovider internal
     +pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +xauthlocation /usr/bin/xauth
     +identityfile ~/.ssh/id_rsa
     +identityfile ~/.ssh/id_dsa
     +identityfile ~/.ssh/id_ecdsa
     +identityfile ~/.ssh/id_ecdsa_sk
     +identityfile ~/.ssh/id_ed25519
     +identityfile ~/.ssh/id_ed25519_sk
     +identityfile ~/.ssh/id_xmss
     +canonicaldomains
     +globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
     +userknownhostsfile /home/nbublikov/.ssh/known_hosts /home/nbublikov/.ssh/known_hosts2
     +sendenv LANG
     +sendenv LC_*
     +addkeystoagent false
     +forwardagent no
     +connecttimeout none
     +tunneldevice any:any
     +controlpersist no
     +escapechar ~
     +ipqos lowdelay throughput
     +rekeylimit 0 0
     +streamlocalbindmask 0177
     +syslogfacility USER

     ×  Bash command ssh -G localhost stdout is expected to match "macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
     expected "user nbublikov\nhostname localhost\nport 22\naddressfamily any\nbatchmode no\ncanonicalizefallbacklo...echar ~\nipqos lowdelay throughput\nrekeylimit 0 0\nstreamlocalbindmask 0177\nsyslogfacility USER\n" to match "macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
     Diff:
     @@ -1,79 +1,157 @@
     -macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
     +user nbublikov
     +hostname localhost
     +port 22
     +addressfamily any
     +batchmode no
     +canonicalizefallbacklocal yes
     +canonicalizehostname false
     +challengeresponseauthentication yes
     +checkhostip yes
     +compression no
     +controlmaster false
     +enablesshkeysign no
     +clearallforwardings no
     +exitonforwardfailure no
     +fingerprinthash SHA256
     +forwardx11 no
     +forwardx11trusted yes
     +gatewayports no
     +gssapiauthentication yes
     +gssapikeyexchange no
     +gssapidelegatecredentials no
     +gssapitrustdns no
     +gssapirenewalforcesrekey no
     +gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
     +hashknownhosts yes
     +hostbasedauthentication no
     +identitiesonly no
     +kbdinteractiveauthentication yes
     +nohostauthenticationforlocalhost no
     +passwordauthentication yes
     +permitlocalcommand no
     +proxyusefdpass no
     +pubkeyauthentication yes
     +requesttty auto
     +streamlocalbindunlink no
     +stricthostkeychecking ask
     +tcpkeepalive yes
     +tunnel false
     +verifyhostkeydns false
     +visualhostkey no
     +updatehostkeys false
     +canonicalizemaxdots 1
     +connectionattempts 1
     +forwardx11timeout 1200
     +numberofpasswordprompts 3
     +serveralivecountmax 3
     +serveraliveinterval 0
     +ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
     +hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
     +casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256
     +loglevel INFO
     +macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
     +securitykeyprovider internal
     +pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
     +xauthlocation /usr/bin/xauth
     +identityfile ~/.ssh/id_rsa
     +identityfile ~/.ssh/id_dsa
     +identityfile ~/.ssh/id_ecdsa
     +identityfile ~/.ssh/id_ecdsa_sk
     +identityfile ~/.ssh/id_ed25519
     +identityfile ~/.ssh/id_ed25519_sk
     +identityfile ~/.ssh/id_xmss
     +canonicaldomains
     +globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
     +userknownhostsfile /home/nbublikov/.ssh/known_hosts /home/nbublikov/.ssh/known_hosts2
     +sendenv LANG
     +sendenv LC_*
     +addkeystoagent false
     +forwardagent no
     +connecttimeout none
     +tunneldevice any:any
     +controlpersist no
     +escapechar ~
     +ipqos lowdelay throughput
     +rekeylimit 0 0
     +streamlocalbindmask 0177
     +syslogfacility USER

  ×  sshd-01: Server: Check for secure ssh ciphers
     ×  SSHD Configuration Ciphers is expected to eq "aes256-ctr,aes192-ctr,aes128-ctr"
     
     expected: "aes256-ctr,aes192-ctr,aes128-ctr"
          got: nil
     
     (compared using ==)

  ×  sshd-02: Server: Check for secure ssh Key-Exchange Algorithm
     ×  SSHD Configuration KexAlgorithms is expected to eq "diffie-hellman-group-exchange-sha256"
     
     expected: "diffie-hellman-group-exchange-sha256"
          got: nil
     
     (compared using ==)

  ×  sshd-03: Server: Check for secure ssh Message Authentication Codes
     ×  SSHD Configuration MACs is expected to eq "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
     
     expected: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
          got: nil
     
     (compared using ==)

  ✔  sshd-04: Server: Check SSH folder owner, group and permissions.
     ✔  File /etc/ssh is expected to exist
     ✔  File /etc/ssh is expected to be directory
     ✔  File /etc/ssh is expected to be owned by "root"
     ✔  File /etc/ssh is expected to be grouped into "root"
     ✔  File /etc/ssh is expected to be executable
     ✔  File /etc/ssh is expected to be readable by owner
     ✔  File /etc/ssh is expected to be readable by group
     ✔  File /etc/ssh is expected to be readable by other
     ✔  File /etc/ssh is expected to be writable by owner
     ✔  File /etc/ssh is expected not to be writable by group
     ✔  File /etc/ssh is expected not to be writable by other
  ×  sshd-05: Server: Check sshd_config owner, group and permissions. (2 failed)
     ✔  File /etc/ssh/sshd_config is expected to exist
     ✔  File /etc/ssh/sshd_config is expected to be file
     ✔  File /etc/ssh/sshd_config is expected to be owned by "root"
     ✔  File /etc/ssh/sshd_config is expected to be grouped into "root"
     ✔  File /etc/ssh/sshd_config is expected not to be executable
     ✔  File /etc/ssh/sshd_config is expected to be readable by owner
     ×  File /etc/ssh/sshd_config is expected not to be readable by group
     expected File /etc/ssh/sshd_config not to be readable by group
     ×  File /etc/ssh/sshd_config is expected not to be readable by other
     expected File /etc/ssh/sshd_config not to be readable by other
     ✔  File /etc/ssh/sshd_config is expected to be writable by owner
     ✔  File /etc/ssh/sshd_config is expected not to be writable by group
     ✔  File /etc/ssh/sshd_config is expected not to be writable by other
  ✔  sshd-06: Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication
     ✔  SSHD Configuration PermitRootLogin is expected to match /no|without-password|prohibit-password/
  ✔  sshd-07: Server: Specify the listen ssh Port
     ✔  SSHD Configuration Port is expected to eq "22"
  ✔  sshd-08: Server: Specify the AddressFamily to your need
     ✔  SSHD Configuration AddressFamily is expected to match /inet|inet6|any/
  ×  sshd-09: Server: Specify ListenAddress (1 failed)
     ×  SSHD Configuration ListenAddress is expected not to eq nil
     
     expected: value != nil
          got: nil
     
     (compared using ==)

     ✔  SSHD Configuration ListenAddress is expected not to match /^\s*$/
     ✔  SSHD Configuration ListenAddress is expected not to eq []
  ↺  sshd-10: Server: Specify protocol version 2
     ↺  Skipped control due to only_if condition.
  ×  sshd-11: Server: Enable StrictModes
     ×  SSHD Configuration StrictModes is expected to eq "yes"
     
     expected: "yes"
          got: nil
     
     (compared using ==)

  ×  sshd-12: Server: Specify SyslogFacility to AUTH
     ×  SSHD Configuration SyslogFacility is expected to eq "AUTH"
     
     expected: "AUTH"
          got: nil
     
     (compared using ==)

  ×  sshd-13: Server: Specify LogLevel to VERBOSE
     ×  SSHD Configuration LogLevel is expected to eq "VERBOSE"
     
     expected: "VERBOSE"
          got: nil
     
     (compared using ==)

  ×  sshd-14: Server: Specify SSH HostKeys
     ×  SSHD Configuration HostKey is expected to cmp == ["/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ed25519_key"]
     
     expected: ["/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ed25519_key"]
          got: 
     
     (compared using `cmp` matcher)

  ✔  sshd-15: Server: Specify UseLogin to NO
     ✔  SSHD Configuration UseLogin is expected to eq nil
  ×  sshd-16: Server: Use privilege separation
     ×  SSHD Configuration UsePrivilegeSeparation is expected to eq "sandbox"
     
     expected: "sandbox"
          got: nil
     
     (compared using ==)

  ×  sshd-17: Server: Disable PermitUserEnvironment
     ×  SSHD Configuration PermitUserEnvironment is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-18: Server: Specify LoginGraceTime
     ×  SSHD Configuration LoginGraceTime is expected to eq "30s"
     
     expected: "30s"
          got: nil
     
     (compared using ==)

  ×  sshd-19: Server: Specify Limit for maximum authentication retries
     ×  SSHD Configuration MaxAuthTries is expected to cmp == 2
     
     expected: 2
          got: 
     
     (compared using `cmp` matcher)

  ×  sshd-20: Server: Specify maximum sessions
     ×  SSHD Configuration MaxSessions is expected to eq "10"
     
     expected: "10"
          got: nil
     
     (compared using ==)

  ×  sshd-21: Server: Specify maximum startups
     ×  SSHD Configuration MaxStartups is expected to eq "10:30:60"
     
     expected: "10:30:60"
          got: nil
     
     (compared using ==)

  ×  sshd-22: Server: Enable PubkeyAuthentication
     ×  SSHD Configuration PubkeyAuthentication is expected to eq "yes"
     
     expected: "yes"
          got: nil
     
     (compared using ==)

  ×  sshd-23: Server: Enable IgnoreRhosts
     ×  SSHD Configuration IgnoreRhosts is expected to eq "yes"
     
     expected: "yes"
          got: nil
     
     (compared using ==)

  ×  sshd-24: Server: Enable IgnoreUserKnownHosts
     ×  SSHD Configuration IgnoreUserKnownHosts is expected to eq "yes"
     
     expected: "yes"
          got: nil
     
     (compared using ==)

  ×  sshd-25: Server: Disable HostbasedAuthentication
     ×  SSHD Configuration HostbasedAuthentication is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-27: Server: Disable password-based authentication
     ×  SSHD Configuration PasswordAuthentication is expected to eq "no"
     
     expected: "no"
          got: "yes"
     
     (compared using ==)

  ✔  sshd-28: Server: Disable PermitEmptyPasswords
     ✔  SSHD Configuration PermitEmptyPasswords is expected to eq "no"
  ×  sshd-29: Server: Disable ChallengeResponseAuthentication
     ×  SSHD Configuration ChallengeResponseAuthentication is expected to eq "no"
     
     expected: "no"
          got: "yes"
     
     (compared using ==)

  ×  sshd-30: Server: Disable Kerberos
     ×  SSHD Configuration KerberosAuthentication is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-31: Server: Disable Kerberos or Local Password
     ×  SSHD Configuration KerberosOrLocalPasswd is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-32: Server: Enable KerberosTicketCleanup
     ×  SSHD Configuration KerberosTicketCleanup is expected to eq "yes"
     
     expected: "yes"
          got: nil
     
     (compared using ==)

  ×  sshd-33: Server: Disable GSSAPIAuthentication
     ×  SSHD Configuration GSSAPIAuthentication is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-34: Server: Enable GSSAPICleanupCredentials
     ×  SSHD Configuration GSSAPICleanupCredentials is expected to eq "yes"
     
     expected: "yes"
          got: nil
     
     (compared using ==)

  ×  sshd-35: Server: Disable TCPKeepAlive
     ×  SSHD Configuration TCPKeepAlive is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-36: Server: Set a client alive interval
     ×  SSHD Configuration ClientAliveInterval is expected to eq "300"
     
     expected: "300"
          got: nil
     
     (compared using ==)

  ×  sshd-37: Server: Configure a few client alive counters
     ×  SSHD Configuration ClientAliveCountMax is expected to eq "3"
     
     expected: "3"
          got: nil
     
     (compared using ==)

  ×  sshd-38: Server: Disable tunnels
     ×  SSHD Configuration PermitTunnel is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-39: Server: Disable TCP forwarding
     ×  SSHD Configuration AllowTcpForwarding is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-40: Server: Disable Agent forwarding
     ×  SSHD Configuration AllowAgentForwarding is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-41: Server: Disable gateway ports
     ×  SSHD Configuration GatewayPorts is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-42: Server: Disable X11Forwarding
     ×  SSHD Configuration X11Forwarding is expected to eq "no"
     
     expected: "no"
          got: "yes"
     
     (compared using ==)

  ×  sshd-43: Server: Enable X11UseLocalhost
     ×  SSHD Configuration X11UseLocalhost is expected to eq "yes"
     
     expected: "yes"
          got: nil
     
     (compared using ==)

  ✔  sshd-44: Server: Disable PrintMotd
     ✔  SSHD Configuration PrintMotd is expected to eq "no"
  ×  sshd-45: Server: PrintLastLog
     ×  SSHD Configuration PrintLastLog is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ×  sshd-46: Server: Banner
     ×  SSHD Configuration Banner is expected to eq "none"
     
     expected: "none"
          got: nil
     
     (compared using ==)

  ×  sshd-47: Server: DebianBanner
     ×  SSHD Configuration DebianBanner is expected to eq "no"
     
     expected: "no"
          got: nil
     
     (compared using ==)

  ✔  sshd-48: Server: DH primes
     ✔  Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 exit_status is expected to eq 0
     ✔  Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stdout is expected to eq ""
     ✔  Bash command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stderr is expected to eq ""
  ↺  sshd-49: Server: CRYPTO_POLICY
     ↺  Skipped control due to only_if condition: sshd with options is running
  ↺  sshd-50: Server: RSA HostKey size
     ↺  Skipped control due to only_if condition: RSA HostKey is readable


Profile Summary: 9 successful controls, 55 control failures, 7 controls skipped
Test Summary: 42 successful, 58 failures, 7 skipped

@nbublikov
Author

You say that "There seems to be a problem with accessing the files". Access to what files does InSpec need on the target SSH server?
It is really very important for me to figure it out, since tests should be run on it.

Thanks a lot for your help.

@rndmh3ro
Member

> Access to what files does InSpec need on the target SSH server?

/etc/ssh/ssh_config
/etc/ssh/sshd_config

@nbublikov
Author

nbublikov commented May 26, 2021

OK, please tell me: how should this access be configured? What rights should we assign to these files?

@rndmh3ro
Member

The permissions are correct.
Do you connect as root to the target host?

@nbublikov
Author

nbublikov commented May 26, 2021

Yes. I connect as root with an empty password.

@rndmh3ro
Member

Please test:

inspec shell -t ssh://...
inspec> cat /etc/ssh/sshd_config

@nbublikov
Author

(screenshot attached)

@nbublikov
Author

nbublikov commented May 26, 2021

inspec> cat /etc/ssh/sshd_config
file.txt

PS: it is Linux running on an IoT device.

@micheelengronne
Member

Is the file you attached the exact content of the cat? Or does it also contain the cat line?

@micheelengronne
Member

micheelengronne commented May 26, 2021

There seems to be a malformed sshd_config file, as the internal InSpec sshd_config method does not detect it correctly.

You also opened a similar issue here: dev-sec/cis-dil-benchmark#113

Let's solve it there. If we need to fix something on our side, we will port the fix to CIS afterwards.

@nbublikov
Author

nbublikov commented May 26, 2021

> Is the file you attached the exact content of the cat? Or does it also contain the cat line?

It's the actual config of the SSH server, the output of sshd_config.

@nbublikov
Author

nbublikov commented May 26, 2021

> There seems to be a malformed sshd_config file, as the internal InSpec sshd_config method does not detect it correctly.
>
> You also opened a similar issue here: dev-sec/cis-dil-benchmark#113
>
> Let's solve it there. If we need to fix something on our side, we will port the fix to CIS afterwards.

OK! Thanks, let's fix it there.

Perhaps, since sshd could be done by our developers.

Can you tell me what sshd_config should look like correctly? We would then correct it, if necessary.

Or how should I formulate the question for my developers, for fixing sshd if needed?

file.txt is my sshd_config.

@micheelengronne
Member

micheelengronne commented May 26, 2021

OK, what troubles me is that file.txt starts with "inspec> cat /etc/ssh/sshd_config", so I don't know if you put that line inadvertently in the file or if you just included the line in the output you copy-pasted.

The internal method not detecting the file parameters is concerning. What is your Linux distribution exactly? You said that it runs on an IoT device; perhaps we are seeing an edge effect due to a very peculiar Linux distribution.

If that is the case, you should send a reply to this ticket inspec/inspec#4782 explaining the specific OS you are on and help the core team increase the list of supported OSes.
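
To make the "got: nil" results in the run above concrete, here is an added diagnostic written for this thread (example code, not from the ssh-baseline profile and not InSpec's own implementation). It reproduces the whitespace-separated "Keyword value" parsing that InSpec's sshd_config resource is assumed to use (a SimpleConfig-style parse with the regex in the block, several values per keyword allowed, keywords looked up exactly as written in the file), runs a handful of the baseline expectations quoted in the output above against a constructed sparse sshd_config, and separates three situations that all surface as nil in the report: a keyword that is simply absent from the file (the resource reads the file, not sshd's compiled-in defaults), a keyword spelled in a different case, and a line the parser cannot read at all, such as a Key=value form. The sample file, its contents and the function names are constructed for this example, not taken from the reporter's attachment.

```ruby
# Added example, not code from dev-sec/ssh-baseline or from InSpec.
# Assumption: InSpec's sshd_config resource parses the file with a
# whitespace-separated assignment regex like the one below, keeps every
# value per keyword, and looks keywords up as written (case-sensitive).
SSHD_ASSIGNMENT = /\A\s*(\S+?)\s+(.*?)\s*\z/

# Parses sshd_config text into [params, rejects]: params maps each keyword
# (as written) to the list of values seen; rejects lists lines that are
# neither blank, comment, nor "Keyword value", i.e. lines a strict parser
# would silently drop.
def parse_sshd_config(text)
  params = Hash.new { |h, k| h[k] = [] }
  rejects = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp.delete("\r")          # tolerate CRLF from copy-paste
    next if line.strip.empty? || line.lstrip.start_with?("#")
    if (m = SSHD_ASSIGNMENT.match(line))
      params[m[1]] << m[2]
    else
      rejects << { line: lineno, text: line }
    end
  end
  [params, rejects]
end

# Mirrors how a single-value keyword comes back as a string, a repeated
# keyword as an array, and an unset keyword as nil.
def sshd_param(params, keyword)
  values = params.fetch(keyword, nil)      # fetch: do not create the key
  return nil if values.nil? || values.empty?
  values.length == 1 ? values[0] : values
end

# Expected values taken from the failing controls quoted in this thread.
BASELINE = {
  "Ciphers"                => "aes256-ctr,aes192-ctr,aes128-ctr",
  "KexAlgorithms"          => "diffie-hellman-group-exchange-sha256",
  "MACs"                   => "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160",
  "PasswordAuthentication" => "no",
  "X11Forwarding"          => "no",
  "StrictModes"            => "yes",
}.freeze

# Classifies each expected keyword as :ok, { mismatch: value }, :unset, or
# { other_case: keyword_as_written }, and returns unparsed lines alongside.
def diagnose(text, expectations = BASELINE)
  params, rejects = parse_sshd_config(text)
  report = {}
  expectations.each do |keyword, expected|
    got = sshd_param(params, keyword)
    report[keyword] =
      if got == expected
        :ok
      elsif !got.nil?
        { mismatch: got }
      else
        other = params.keys.find { |k| k.casecmp?(keyword) }
        other ? { other_case: other } : :unset
      end
  end
  { report: report, unparsed: rejects }
end

# Constructed sample, not the reporter's file: a sparse sshd_config of the
# kind a minimal image might ship, with one keyword in lower case and one
# line using "=" that the whitespace-only parser cannot read.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample
  Port 22
  PermitRootLogin prohibit-password
  PasswordAuthentication yes
  x11forwarding no
  StrictModes=yes
  Subsystem sftp /usr/libexec/sftp-server
CONF

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_SSHD_CONFIG
  result = diagnose(text)
  result[:report].each { |k, v| puts "#{k}: #{v.inspect}" }
  result[:unparsed].each { |r| puts "line #{r[:line]} not parsed: #{r[:text]}" }
end
```

Run it with no argument to see the constructed sample classified, or pass the path of a real sshd_config to see which of its lines the whitespace-only parser rejects and which baseline keywords it never sets. Comparing that with the effective configuration sshd itself reports (sshd -T prints it, resolving defaults) shows whether a nil comes from a line the scanner cannot read or from a value the file simply leaves at its default.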

@nbublikov
Author

Oh, I removed the line with cat; it's the actual sshd_config.
sshd_config.txt

Regarding the unusual distribution, you are right.
We build a fairly minimalistic file system ourselves using Buildroot.

I'll try to get some info from our team for this ticket inspec/inspec#4782.
