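def process(self):
    """Inhibit the upgrade when sshd's PermitRootLogin relies on the pre-RHEL 8 default.

    Exactly one OpenSshConfig message is expected; extra ones are logged and
    ignored. Two situations produce an inhibiting report:

    * ``PermitRootLogin`` is not set anywhere, so after the upgrade sshd falls
      back to the new default ``prohibit-password`` and password-based root
      logins stop working;
    * ``semantics_changes(config)`` is true, i.e. root login is restricted only
      inside Match blocks and the setup depends on the old implicit global
      default ``yes``.

    Raises:
        StopActorExecutionError: no OpenSshConfig message was produced.
    """
    openssh_messages = self.consume(OpenSshConfig)
    config = next(openssh_messages, None)
    # Drain the iterator; anything left over means a producer misbehaved.
    if list(openssh_messages):
        api.current_logger().warning(
            'Unexpectedly received more than one OpenSshConfig message.')
    # Compare with None explicitly instead of relying on the message's truthiness.
    if config is None:
        raise StopActorExecutionError(
            'Could not check openssh configuration',
            details={'details': 'No OpenSshConfig facts found.'})

    # Shared by both reports so the reader sees which package/file is affected.
    resources = [
        reporting.RelatedResource('package', 'openssh-server'),
        reporting.RelatedResource('file', '/etc/ssh/sshd_config')
    ]

    if not config.permit_root_login:
        # TODO find out whether the file was modified and will be
        # replaced by the update. If so, this message is bogus
        create_report([
            reporting.Title(
                'Possible problems with remote login using root account'),
            reporting.Summary(
                'OpenSSH configuration file does not explicitly state '
                'the option PermitRootLogin in sshd_config file, '
                'which will default in RHEL8 to "prohibit-password".'),
            reporting.Severity(reporting.Severity.HIGH),
            reporting.Tags(COMMON_REPORT_TAGS),
            reporting.Remediation(
                hint='If you depend on remote root logins using '
                     'passwords, consider setting up a different '
                     'user for remote administration or adding '
                     '"PermitRootLogin yes" to sshd_config.'),
            reporting.Flags([reporting.Flags.INHIBITOR])
        ] + resources)

    # semantics_changes() (defined elsewhere) flags a PermitRootLogin value
    # other than "yes" that appears only inside Match blocks (excluding
    # "Match all") with no explicit global setting -- see the test_in_match_*
    # tests. Such a setup relies on the old implicit global default "yes",
    # which the upgraded sshd replaces with "prohibit-password".
    if semantics_changes(config):
        create_report([
            reporting.Title('OpenSSH configured to allow root login'),
            reporting.Summary(
                'OpenSSH is configured to deny root logins in match '
                'blocks, but not explicitly enabled in global or '
                '"Match all" context. This update changes the '
                'default to disable root logins using passwords '
                'so your server might get inaccessible.'),
            reporting.Severity(reporting.Severity.HIGH),
            reporting.Tags(COMMON_REPORT_TAGS),
            reporting.Remediation(
                hint='Consider using different user for administrative '
                     'logins or make sure your configuration file '
                     'contains the line "PermitRootLogin yes" '
                     'in global context if desired.'),
            reporting.Flags([reporting.Flags.INHIBITOR])
        ] + resources)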
def test_globally_enabled(current_actor_context):
    """An explicit global ``PermitRootLogin yes`` is not affected by the new default.

    Configuration file in this format::

        PermitRootLogin yes  # explicit
    """
    global_yes = OpenSshPermitRootLogin(value='yes', in_match=None)
    sshd_config = OpenSshConfig(permit_root_login=[global_yes])
    assert not semantics_changes(sshd_config)
def test_globally_disabled_password():
    """An explicit global ``prohibit-password`` already matches the RHEL 8 default.

    Configuration file in this format::

        PermitRootLogin prohibit-password  # explicit
    """
    entries = [
        OpenSshPermitRootLogin(value='prohibit-password', in_match=None),
    ]
    assert not semantics_changes(OpenSshConfig(permit_root_login=entries))
def test_in_match_all_disabled_password(current_actor_context):
    """``prohibit-password`` inside ``Match all`` counts as an explicit global setting.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match all
            PermitRootLogin prohibit-password
    """
    match_all_entry = OpenSshPermitRootLogin(
        value='prohibit-password', in_match=['all'])
    sshd_config = OpenSshConfig(permit_root_login=[match_all_entry])
    assert not semantics_changes(sshd_config)
def test_in_match_disabled(current_actor_context):
    """``no`` only inside an address Match block relies on the old implicit default.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match address 10.10.*
            PermitRootLogin no
    """
    match_entry = OpenSshPermitRootLogin(
        value='no', in_match=['address', '10.10.*'])
    sshd_config = OpenSshConfig(permit_root_login=[match_entry])
    assert semantics_changes(sshd_config)
def test_in_match_all_disabled():
    """``no`` inside ``Match all`` counts as an explicit global setting.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match all
            PermitRootLogin no
    """
    entries = [OpenSshPermitRootLogin(value='no', in_match=['all'])]
    assert not semantics_changes(OpenSshConfig(permit_root_login=entries))
def test_in_match_enabled(current_actor_context):
    """``yes`` inside an address Match block does not change meaning.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match address 192.168.*
            PermitRootLogin yes
    """
    # TODO This is suspicious configuration we should probably handle separately
    match_entry = OpenSshPermitRootLogin(
        value='yes', in_match=['address', '192.168.*'])
    sshd_config = OpenSshConfig(permit_root_login=[match_entry])
    assert not semantics_changes(sshd_config)
def test_in_match_disabled_globally_enabled(current_actor_context):
    """An explicit global ``yes`` makes a restricting Match block harmless.

    Configuration file in this format::

        PermitRootLogin yes  # explicit
        Match address 192.*
            PermitRootLogin no
    """
    global_yes = OpenSshPermitRootLogin(value='yes', in_match=None)
    match_no = OpenSshPermitRootLogin(value='no', in_match=['address', '192.*'])
    sshd_config = OpenSshConfig(permit_root_login=[global_yes, match_no])
    assert not semantics_changes(sshd_config)
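def test_in_match_disabled_password():
    """``prohibit-password`` only inside an address Match block relies on the old implicit default.

    Configuration file in this format::

        # PermitRootLogin yes  # implicit
        Match address 10.10.*
            PermitRootLogin prohibit-password
    """
    # The docstring now matches the address actually used below; the original
    # documented 192.168.* while constructing 10.10.*.
    config = OpenSshConfig(permit_root_login=[
        OpenSshPermitRootLogin(
            value='prohibit-password', in_match=['address', '10.10.*'])
    ], )
    assert semantics_changes(config)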
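def process(self):
    """Inhibit the upgrade when sshd's PermitRootLogin relies on the pre-RHEL 8 default.

    Every OpenSshConfig message consumed is checked independently. Two
    situations produce an inhibiting report:

    * ``PermitRootLogin`` is not set anywhere, so after the upgrade sshd falls
      back to the new default ``prohibit-password`` and password-based root
      logins stop working;
    * ``semantics_changes(config)`` is true, i.e. root login is restricted only
      inside Match blocks and the setup depends on the old implicit global
      default ``yes``.
    """
    for config in self.consume(OpenSshConfig):
        if not config.permit_root_login:
            # TODO find out whether the file was modified and will be
            # replaced by the update. If so, this message is bogus
            report_with_remediation(
                title='Possible problems with remote login using root account',
                summary='OpenSSH configuration file does not explicitly state '
                        'the option PermitRootLogin in sshd_config file, '
                        'which will default in RHEL8 to "prohibit-password".',
                remediation='If you depend on remote root logins using '
                            'passwords, consider setting up a different '
                            'user for remote administration or adding '
                            '"PermitRootLogin yes" to sshd_config.',
                severity='high',
                flags=['inhibitor'])

        # semantics_changes() (defined elsewhere) flags a PermitRootLogin value
        # other than "yes" that appears only inside Match blocks (excluding
        # "Match all") with no explicit global setting -- see the
        # test_in_match_* tests. Such a setup relies on the old implicit global
        # default "yes", which the upgraded sshd replaces with
        # "prohibit-password".
        if semantics_changes(config):
            report_with_remediation(
                title='OpenSSH configured to allow root login',
                summary='OpenSSH is configured to deny root logins in match '
                        'blocks, but not explicitly enabled in global or '
                        '"Match all" context. This update changes the '
                        'default to disable root logins using passwords '
                        'so your server might get inaccessible.',
                remediation='Consider using different user for administrative '
                            'logins or make sure your configuration file '
                            'contains the line "PermitRootLogin yes" '
                            'in global context if desired.',
                severity='high',
                flags=['inhibitor'])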