Beispiel #1
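    def process(self):
        """Report PermitRootLogin settings whose meaning changes with the upgrade.

        Uses the first OpenSshConfig message; any further messages are only
        logged as a warning. Creates up to two HIGH-severity inhibitor
        reports:

        * PermitRootLogin is not set anywhere, so the effective value follows
          the new default, which the report text gives as "prohibit-password".
        * semantics_changes(config) returns a true value.

        Raises:
            StopActorExecutionError: if no OpenSshConfig message was received.
        """
        openssh_messages = self.consume(OpenSshConfig)
        config = next(openssh_messages, None)
        # Drain the iterator: anything left means more than one message arrived.
        if list(openssh_messages):
            api.current_logger().warning(
                'Unexpectedly received more than one OpenSshConfig message.')
        if not config:
            raise StopActorExecutionError(
                'Could not check openssh configuration',
                details={'details': 'No OpenSshConfig facts found.'})

        # Both reports point at the same package and configuration file.
        resources = [
            reporting.RelatedResource('package', 'openssh-server'),
            reporting.RelatedResource('file', '/etc/ssh/sshd_config')
        ]
        if not config.permit_root_login:
            # TODO find out whether the file was modified and will be
            # replaced by the update. If so, this message is bogus
            #
            # NOTE(review): "prohibit-password" only disables password and
            # keyboard-interactive authentication for root; public-key root
            # logins keep working. Of the two options in the hint, a separate
            # admin user keeps the hardened default, while
            # "PermitRootLogin yes" gives it up.
            create_report([
                reporting.Title(
                    'Possible problems with remote login using root account'),
                reporting.Summary(
                    'OpenSSH configuration file does not explicitly state '
                    'the option PermitRootLogin in sshd_config file, '
                    'which will default in RHEL8 to "prohibit-password".'),
                reporting.Severity(reporting.Severity.HIGH),
                reporting.Tags(COMMON_REPORT_TAGS),
                reporting.Remediation(
                    hint='If you depend on remote root logins using '
                    'passwords, consider setting up a different '
                    'user for remote administration or adding '
                    '"PermitRootLogin yes" to sshd_config.'),
                reporting.Flags([reporting.Flags.INHIBITOR])
            ] + resources)

        # Check for PermitRootLogin restrictions that live only in match
        # blocks (other than Match All).
        # This usually means some more complicated setup depending on the
        # default value being globally "yes" and being overwritten by this
        # match block
        # NOTE(review): the earlier wording here was 'other than "no"', but
        # the report text below speaks of match blocks that deny root login;
        # confirm the exact condition against semantics_changes().
        if semantics_changes(config):
            # The summary and hint had spelling errors ("paswords", "migth",
            # "configration") in text shown to the operator; fixed below.
            create_report([
                reporting.Title('OpenSSH configured to allow root login'),
                reporting.Summary(
                    'OpenSSH is configured to deny root logins in match '
                    'blocks, but not explicitly enabled in global or '
                    '"Match all" context. This update changes the '
                    'default to disable root logins using passwords '
                    'so your server might get inaccessible.'),
                reporting.Severity(reporting.Severity.HIGH),
                reporting.Tags(COMMON_REPORT_TAGS),
                reporting.Remediation(
                    hint='Consider using different user for administrative '
                    'logins or make sure your configuration file '
                    'contains the line "PermitRootLogin yes" '
                    'in global context if desired.'),
                reporting.Flags([reporting.Flags.INHIBITOR])
            ] + resources)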
def test_globally_enabled(current_actor_context):
    """An explicit global "yes" must not be reported as a semantics change.

    Configuration file in this format:

        PermitRootLogin yes # explicit
    """
    explicit_yes = OpenSshPermitRootLogin(value='yes', in_match=None)
    config = OpenSshConfig(permit_root_login=[explicit_yes])

    assert not semantics_changes(config)
Beispiel #3
def test_globally_disabled_password():
    """An explicit global "prohibit-password" must not be reported as a change.

    Configuration file in this format:

        PermitRootLogin prohibit-password # explicit
    """
    explicit_prohibit = OpenSshPermitRootLogin(
        value='prohibit-password', in_match=None)
    config = OpenSshConfig(permit_root_login=[explicit_prohibit])

    assert not semantics_changes(config)
def test_in_match_all_disabled_password(current_actor_context):
    """"prohibit-password" inside "Match all" must not be reported as a change.

    Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match all
            PermitRootLogin prohibit-password
    """
    match_all_prohibit = OpenSshPermitRootLogin(
        value='prohibit-password', in_match=['all'])
    config = OpenSshConfig(permit_root_login=[match_all_prohibit])

    assert not semantics_changes(config)
def test_in_match_disabled(current_actor_context):
    """"no" in an address match block, with no global setting, is a change.

    Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match address 10.10.*
            PermitRootLogin no
    """
    match_no = OpenSshPermitRootLogin(
        value='no', in_match=['address', '10.10.*'])
    config = OpenSshConfig(permit_root_login=[match_no])

    assert semantics_changes(config)
Beispiel #6
def test_in_match_all_disabled():
    """"no" inside "Match all" must not be reported as a semantics change.

    Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match all
            PermitRootLogin no
    """
    match_all_no = OpenSshPermitRootLogin(value='no', in_match=['all'])
    config = OpenSshConfig(permit_root_login=[match_all_no])

    assert not semantics_changes(config)
def test_in_match_enabled(current_actor_context):
    """"yes" only in an address match block is not reported as a change.

    Configuration file in this format:

        # PermitRootLogin yes # implicit
        Match address 192.168.*
            PermitRootLogin yes
    """
    # TODO This is suspicious configuration we should probably handle separately
    match_yes = OpenSshPermitRootLogin(
        value='yes', in_match=['address', '192.168.*'])
    config = OpenSshConfig(permit_root_login=[match_yes])

    assert not semantics_changes(config)
def test_in_match_disabled_globally_enabled(current_actor_context):
    """A match-block "no" next to an explicit global "yes" is not a change.

    Configuration file in this format:

        PermitRootLogin yes # explicit
        Match address 192.*
            PermitRootLogin no
    """
    global_yes = OpenSshPermitRootLogin(value='yes', in_match=None)
    match_no = OpenSshPermitRootLogin(
        value='no', in_match=['address', '192.*'])
    config = OpenSshConfig(permit_root_login=[global_yes, match_no])

    assert not semantics_changes(config)
Beispiel #9
def test_in_match_disabled_password():
    """"prohibit-password" in an address match block alone is a change.

    Configuration file in this format (the address pattern matches the
    value passed to OpenSshPermitRootLogin below):

        # PermitRootLogin yes # implicit
        Match address 10.10.*
            PermitRootLogin prohibit-password
    """
    match_prohibit = OpenSshPermitRootLogin(
        value='prohibit-password', in_match=['address', '10.10.*'])
    config = OpenSshConfig(permit_root_login=[match_prohibit])

    assert semantics_changes(config)
Beispiel #10
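    def process(self):
        """Report PermitRootLogin settings whose meaning changes with the upgrade.

        Runs the checks once per consumed OpenSshConfig message, so several
        messages produce several sets of reports. Each message can yield up
        to two high-severity inhibitor reports:

        * PermitRootLogin is not set anywhere, so the effective value follows
          the new default, which the report text gives as "prohibit-password".
        * semantics_changes(config) returns a true value.
        """
        for config in self.consume(OpenSshConfig):
            if not config.permit_root_login:
                # TODO find out whether the file was modified and will be
                # replaced by the update. If so, this message is bogus
                #
                # NOTE(review): "prohibit-password" only disables password and
                # keyboard-interactive authentication for root; public-key
                # root logins keep working. Of the two options in the
                # remediation, a separate admin user keeps the hardened
                # default, while "PermitRootLogin yes" gives it up.
                # The remediation text had a spelling error ("condider");
                # fixed below.
                report_with_remediation(
                    title=
                    'Possible problems with remote login using root account',
                    summary=
                    'OpenSSH configuration file does not explicitly state '
                    'the option PermitRootLogin in sshd_config file, '
                    'which will default in RHEL8 to "prohibit-password".',
                    remediation='If you depend on remote root logins using '
                    'passwords, consider setting up a different '
                    'user for remote administration or adding '
                    '"PermitRootLogin yes" to sshd_config.',
                    severity='high',
                    flags=['inhibitor'])

            # Check for PermitRootLogin restrictions that live only in match
            # blocks (other than Match All).
            # This usually means some more complicated setup depending on the
            # default value being globally "yes" and being overwritten by this
            # match block
            # NOTE(review): the earlier wording here was 'other than "no"',
            # but the report text below speaks of match blocks that deny root
            # login; confirm the exact condition against semantics_changes().
            if semantics_changes(config):
                # The summary and remediation had spelling errors ("paswords",
                # "migth", "configration") in text shown to the operator;
                # fixed below.
                report_with_remediation(
                    title='OpenSSH configured to allow root login',
                    summary='OpenSSH is configured to deny root logins in match '
                    'blocks, but not explicitly enabled in global or '
                    '"Match all" context. This update changes the '
                    'default to disable root logins using passwords '
                    'so your server might get inaccessible.',
                    remediation=
                    'Consider using different user for administrative '
                    'logins or make sure your configuration file '
                    'contains the line "PermitRootLogin yes" '
                    'in global context if desired.',
                    severity='high',
                    flags=['inhibitor'])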