def process(self):
    """Inhibit the upgrade when root SSH access could silently change.

    Consumes the single ``OpenSshConfig`` fact produced earlier in the
    workflow and files an inhibitor report in two situations:

    * ``PermitRootLogin`` is not set at all, so the RHEL 8 default of
      ``prohibit-password`` will apply after the upgrade;
    * ``semantics_changes(config)`` finds the directive only inside
      ``Match`` blocks (other than ``Match all``), where its meaning relied
      on the old implicit global default.

    Raises:
        StopActorExecutionError: no ``OpenSshConfig`` fact was available.
    """
    facts = self.consume(OpenSshConfig)
    config = next(facts, None)
    # Drain the remainder so a duplicate fact is noticed and logged; only
    # the first message is evaluated.
    surplus = sum(1 for _ in facts)
    if surplus:
        api.current_logger().warning(
            'Unexpectedly received more than one OpenSshConfig message.')
    if not config:
        raise StopActorExecutionError(
            'Could not check openssh configuration',
            details={'details': 'No OpenSshConfig facts found.'})

    related = [
        reporting.RelatedResource('package', 'openssh-server'),
        reporting.RelatedResource('file', '/etc/ssh/sshd_config'),
    ]

    def inhibitor(title, summary, hint):
        # Entry order: title, summary, severity, tags, remediation, flags,
        # then the related resources.
        return [
            reporting.Title(title),
            reporting.Summary(summary),
            reporting.Severity(reporting.Severity.HIGH),
            reporting.Tags(COMMON_REPORT_TAGS),
            reporting.Remediation(hint=hint),
            reporting.Flags([reporting.Flags.INHIBITOR]),
        ] + related

    if not config.permit_root_login:
        # TODO find out whether the file was modified and will be
        # replaced by the update. If so, this message is bogus
        create_report(inhibitor(
            'Possible problems with remote login using root account',
            'OpenSSH configuration file does not explicitly state '
            'the option PermitRootLogin in sshd_config file, '
            'which will default in RHEL8 to "prohibit-password".',
            'If you depend on remote root logins using '
            'passwords, consider setting up a different '
            'user for remote administration or adding '
            '"PermitRootLogin yes" to sshd_config.',
        ))

    # A restrictive PermitRootLogin ("no" / "prohibit-password") that appears
    # only inside a Match block other than "Match all" relied on the old
    # implicit global "yes"; with the new default the whole server may end
    # up denying password root logins (see the test_in_match_* cases for
    # the exact combinations that are flagged).
    if semantics_changes(config):
        create_report(inhibitor(
            'OpenSSH configured to allow root login',
            'OpenSSH is configured to deny root logins in match '
            'blocks, but not explicitly enabled in global or '
            '"Match all" context. This update changes the '
            'default to disable root logins using paswords '
            'so your server migth get inaccessible.',
            'Consider using different user for administrative '
            'logins or make sure your configration file '
            'contains the line "PermitRootLogin yes" '
            'in global context if desired.',
        ))
def test_globally_enabled():
    """An explicit global ``PermitRootLogin yes`` is not flagged.

    sshd_config equivalent::

        PermitRootLogin yes  # explicit
    """
    root_login = OpenSshPermitRootLogin(value='yes', in_match=None)
    facts = OpenSshConfig(
        permit_root_login=[root_login],
        deprecated_directives=[],
    )
    assert not semantics_changes(facts)
def test_in_match_all_disabled():
    """``PermitRootLogin no`` inside ``Match all`` is not flagged.

    sshd_config equivalent::

        # PermitRootLogin yes  # implicit
        Match all
            PermitRootLogin no
    """
    root_login = OpenSshPermitRootLogin(value='no', in_match=['all'])
    facts = OpenSshConfig(
        permit_root_login=[root_login],
        deprecated_directives=[],
    )
    assert not semantics_changes(facts)
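def test_globally_disabled_password():
    """An explicit global ``prohibit-password`` is not flagged.

    sshd_config equivalent::

        PermitRootLogin prohibit-password  # explicit
    """
    root_login = OpenSshPermitRootLogin(value='prohibit-password', in_match=None)
    # Pass deprecated_directives explicitly, as the sibling tests do, so the
    # fact is built the same way everywhere in this module.
    facts = OpenSshConfig(
        permit_root_login=[root_login],
        deprecated_directives=[],
    )
    assert not semantics_changes(facts)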
def test_in_match_enabled():
    """``PermitRootLogin yes`` inside an address Match block is not flagged.

    sshd_config equivalent::

        # PermitRootLogin yes  # implicit
        Match address 192.168.*
            PermitRootLogin yes
    """
    # TODO This is suspicious configuration we should probably handle separately
    root_login = OpenSshPermitRootLogin(
        value='yes', in_match=['address', '192.168.*'])
    facts = OpenSshConfig(
        permit_root_login=[root_login],
        deprecated_directives=[],
    )
    assert not semantics_changes(facts)
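def test_in_match_disabled_password():
    """``prohibit-password`` inside an address Match block is flagged.

    sshd_config equivalent (the docstring previously said ``192.168.*``
    while the fact below uses ``10.10.*``; they now agree)::

        # PermitRootLogin yes  # implicit
        Match address 10.10.*
            PermitRootLogin prohibit-password
    """
    root_login = OpenSshPermitRootLogin(
        value='prohibit-password', in_match=['address', '10.10.*'])
    facts = OpenSshConfig(
        permit_root_login=[root_login],
        deprecated_directives=[],
    )
    assert semantics_changes(facts)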
def test_in_match_disabled_globally_enabled():
    """A global explicit ``yes`` plus ``no`` in a Match block is not flagged.

    sshd_config equivalent::

        PermitRootLogin yes  # explicit
        Match address 192.*
            PermitRootLogin no
    """
    global_login = OpenSshPermitRootLogin(value='yes', in_match=None)
    match_login = OpenSshPermitRootLogin(
        value='no', in_match=['address', '192.*'])
    facts = OpenSshConfig(
        permit_root_login=[global_login, match_login],
        deprecated_directives=[],
    )
    assert not semantics_changes(facts)
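def test_in_match_disabled():
    """``PermitRootLogin no`` inside an address Match block is flagged.

    sshd_config equivalent::

        # PermitRootLogin yes  # implicit
        Match address 10.10.*
            PermitRootLogin no
    """
    root_login = OpenSshPermitRootLogin(
        value='no', in_match=['address', '10.10.*'])
    # Pass deprecated_directives explicitly, as the sibling tests do, so the
    # fact is built the same way everywhere in this module.
    facts = OpenSshConfig(
        permit_root_login=[root_login],
        deprecated_directives=[],
    )
    assert semantics_changes(facts)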
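def test_in_match_all_enabled():
    """``PermitRootLogin yes`` inside ``Match all`` is not flagged.

    sshd_config equivalent::

        # PermitRootLogin yes  # implicit
        Match all
            PermitRootLogin yes
    """
    root_login = OpenSshPermitRootLogin(value='yes', in_match=['all'])
    # Pass deprecated_directives explicitly, as the sibling tests do, so the
    # fact is built the same way everywhere in this module.
    facts = OpenSshConfig(
        permit_root_login=[root_login],
        deprecated_directives=[],
    )
    assert not semantics_changes(facts)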