ssh_scan 0.0.2 → 0.0.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/bin/ssh_scan +2 -1
- data/lib/ssh_scan.rb +1 -0
- data/lib/ssh_scan/basic_server.rb +2 -6
- data/lib/ssh_scan/policy.rb +16 -66
- data/lib/ssh_scan/policy_manager.rb +127 -0
- data/lib/ssh_scan/scan_engine.rb +0 -1
- data/lib/ssh_scan/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fa0b0404e66c6e6f45d68662e315de4016b97c01
|
4
|
+
data.tar.gz: 69d1d439decc01dd1c25c3cf9d6737a5a8b08f74
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: cbbb0d49a507a8bda9fb29798e15f9d6a0349f3bc5f2e585280351cfc4ca4ba0aac79034d8c8ca57348184ebab4ec8440826f57d5f4af3b37f2b4047c8dab669
|
7
|
+
data.tar.gz: 000b50df34fd9df7ae3679dd67b084ace205a33c2f93f797fe3047073f10197b40dec602d6daa385e2d433e881ad8286e196d077a8c55b7f8136623400e85fe1
|
data/bin/ssh_scan
CHANGED
@@ -18,7 +18,8 @@ end
|
|
18
18
|
# Populate the info we need to perform a scan
|
19
19
|
ip = ARGV[0].chomp
|
20
20
|
port = ARGV[1].nil? ? 22 : ARGV[1].to_i
|
21
|
-
|
21
|
+
|
22
|
+
policy = SSHScan::Policy.from_file(File.expand_path("../../policies/mozilla_modern.yml", __FILE__))
|
22
23
|
|
23
24
|
# Perform scan and get results
|
24
25
|
scan_engine = SSHScan::ScanEngine.new()
|
data/lib/ssh_scan.rb
CHANGED
@@ -1,13 +1,9 @@
|
|
1
1
|
require 'sinatra'
|
2
|
-
require '
|
3
|
-
require 'socket'
|
4
|
-
require 'policy'
|
5
|
-
require 'constants'
|
6
|
-
require 'scan_engine'
|
2
|
+
require 'ssh_scan'
|
7
3
|
|
8
4
|
get '/api/v1/scan/:ip' do
|
9
5
|
if ip = params['ip']
|
10
|
-
policy = SSHScan::
|
6
|
+
policy = SSHScan::Policy.from_file(File.expand_path("../../policies/mozilla_intermediate.yml", __FILE__))
|
11
7
|
scan_engine = SSHScan::ScanEngine.new()
|
12
8
|
result = scan_engine.scan(ip, 22, policy)
|
13
9
|
content_type :json
|
data/lib/ssh_scan/policy.rb
CHANGED
@@ -1,75 +1,25 @@
|
|
1
|
-
|
2
|
-
class IntermediatePolicy
|
3
|
-
def name
|
4
|
-
self.class.to_s
|
5
|
-
end
|
6
|
-
|
7
|
-
def macs
|
8
|
-
["hmac-sha2-512","hmac-sha2-256"]
|
9
|
-
end
|
10
|
-
|
11
|
-
def encryption
|
12
|
-
["aes256-ctr","aes192-ctr","aes128-ctr"]
|
13
|
-
end
|
14
|
-
|
15
|
-
def kexs
|
16
|
-
["diffie-hellman-group-exchange-sha256"]
|
17
|
-
end
|
18
|
-
end
|
1
|
+
require 'yaml'
|
19
2
|
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
@result = result
|
24
|
-
end
|
25
|
-
|
26
|
-
def out_of_policy_encryption
|
27
|
-
target_encryption = @result[:encryption_algorithms_client_to_server] | @result[:encryption_algorithms_server_to_client]
|
28
|
-
outliers = []
|
29
|
-
target_encryption.each do |target_enc|
|
30
|
-
outliers << target_enc unless @policy.encryption.include?(target_enc)
|
31
|
-
end
|
32
|
-
return outliers
|
33
|
-
end
|
34
|
-
|
35
|
-
def out_of_policy_macs
|
36
|
-
target_macs = @result[:mac_algorithms_server_to_client] | @result[:mac_algorithms_client_to_server]
|
37
|
-
outliers = []
|
38
|
-
target_macs.each do |target_mac|
|
39
|
-
outliers << target_mac unless @policy.macs.include?(target_mac)
|
40
|
-
end
|
41
|
-
return outliers
|
42
|
-
end
|
43
|
-
|
44
|
-
def out_of_policy_kex
|
45
|
-
target_kexs = @result[:key_algorithms]
|
46
|
-
outliers = []
|
47
|
-
target_kexs.each do |target_kex|
|
48
|
-
outliers << target_kex unless @policy.kexs.include?(target_kex)
|
49
|
-
end
|
50
|
-
return outliers
|
51
|
-
end
|
3
|
+
module SSHScan
|
4
|
+
class Policy
|
5
|
+
attr_reader :name, :kex, :macs, :encryption, :compression
|
52
6
|
|
53
|
-
def
|
54
|
-
|
55
|
-
|
56
|
-
|
7
|
+
def initialize(opts = {})
|
8
|
+
@name = opts['name'] || []
|
9
|
+
@kex = opts['kex'] || []
|
10
|
+
@macs = opts['macs'] || []
|
11
|
+
@encryption = opts['encryption'] || []
|
12
|
+
@compression = opts['compression'] || []
|
57
13
|
end
|
58
14
|
|
59
|
-
def
|
60
|
-
|
61
|
-
|
62
|
-
recommendations << "Remove these MAC Algos: #{out_of_policy_macs.join(", ")}" unless out_of_policy_macs.empty?
|
63
|
-
recommendations << "Remove these Encryption Ciphers: #{out_of_policy_encryption.join(", ")}" unless out_of_policy_encryption.empty?
|
64
|
-
return recommendations
|
15
|
+
def self.from_file(file)
|
16
|
+
opts = YAML.load_file(file)
|
17
|
+
self.new(opts)
|
65
18
|
end
|
66
19
|
|
67
|
-
def
|
68
|
-
|
69
|
-
|
70
|
-
:compliant => compliant?,
|
71
|
-
:recommendations => recommendations
|
72
|
-
}
|
20
|
+
def self.from_string(string)
|
21
|
+
opts = YAML.load(string)
|
22
|
+
self.new(opts)
|
73
23
|
end
|
74
24
|
end
|
75
25
|
end
|
@@ -0,0 +1,127 @@
|
|
1
|
+
module SSHScan
|
2
|
+
class PolicyManager
|
3
|
+
def initialize(result, policy)
|
4
|
+
@policy = policy
|
5
|
+
@result = result
|
6
|
+
end
|
7
|
+
|
8
|
+
def out_of_policy_encryption
|
9
|
+
target_encryption = @result[:encryption_algorithms_client_to_server] | @result[:encryption_algorithms_server_to_client]
|
10
|
+
outliers = []
|
11
|
+
target_encryption.each do |target_enc|
|
12
|
+
outliers << target_enc unless @policy.encryption.include?(target_enc)
|
13
|
+
end
|
14
|
+
return outliers
|
15
|
+
end
|
16
|
+
|
17
|
+
def missing_policy_encryption
|
18
|
+
target_encryption = @result[:encryption_algorithms_client_to_server] | @result[:encryption_algorithms_server_to_client]
|
19
|
+
outliers = []
|
20
|
+
@policy.encryption.each do |encryption|
|
21
|
+
if target_encryption.include?(encryption) == false
|
22
|
+
outliers << encryption
|
23
|
+
end
|
24
|
+
end
|
25
|
+
return outliers
|
26
|
+
end
|
27
|
+
|
28
|
+
def out_of_policy_macs
|
29
|
+
target_macs = @result[:mac_algorithms_server_to_client] | @result[:mac_algorithms_client_to_server]
|
30
|
+
outliers = []
|
31
|
+
target_macs.each do |target_mac|
|
32
|
+
outliers << target_mac unless @policy.macs.include?(target_mac)
|
33
|
+
end
|
34
|
+
return outliers
|
35
|
+
end
|
36
|
+
|
37
|
+
def missing_policy_macs
|
38
|
+
target_macs = @result[:mac_algorithms_server_to_client] | @result[:mac_algorithms_client_to_server]
|
39
|
+
outliers = []
|
40
|
+
|
41
|
+
@policy.macs.each do |mac|
|
42
|
+
if target_macs.include?(mac) == false
|
43
|
+
outliers << mac
|
44
|
+
end
|
45
|
+
end
|
46
|
+
return outliers
|
47
|
+
end
|
48
|
+
|
49
|
+
def out_of_policy_kex
|
50
|
+
target_kexs = @result[:key_algorithms]
|
51
|
+
outliers = []
|
52
|
+
target_kexs.each do |target_kex|
|
53
|
+
outliers << target_kex unless @policy.kex.include?(target_kex)
|
54
|
+
end
|
55
|
+
return outliers
|
56
|
+
end
|
57
|
+
|
58
|
+
def missing_policy_kex
|
59
|
+
target_kex = @result[:key_algorithms]
|
60
|
+
outliers = []
|
61
|
+
|
62
|
+
@policy.kex.each do |kex|
|
63
|
+
if target_kex.include?(kex) == false
|
64
|
+
outliers << kex
|
65
|
+
end
|
66
|
+
end
|
67
|
+
return outliers
|
68
|
+
end
|
69
|
+
|
70
|
+
def out_of_policy_compression
|
71
|
+
target_compressions = @result[:compression_algorithms_server_to_client] | @result[:compression_algorithms_client_to_server]
|
72
|
+
outliers = []
|
73
|
+
target_compressions.each do |target_compression|
|
74
|
+
outliers << target_compression unless @policy.compression.include?(target_compression)
|
75
|
+
end
|
76
|
+
return outliers
|
77
|
+
end
|
78
|
+
|
79
|
+
def missing_policy_compression
|
80
|
+
target_compressions = @result[:compression_algorithms_server_to_client] | @result[:compression_algorithms_client_to_server]
|
81
|
+
outliers = []
|
82
|
+
|
83
|
+
@policy.compression.each do |compression|
|
84
|
+
if target_compressions.include?(compression) == false
|
85
|
+
outliers << compression
|
86
|
+
end
|
87
|
+
end
|
88
|
+
return outliers
|
89
|
+
end
|
90
|
+
|
91
|
+
def compliant?
|
92
|
+
out_of_policy_encryption.empty? &&
|
93
|
+
out_of_policy_macs.empty? &&
|
94
|
+
out_of_policy_kex.empty? &&
|
95
|
+
out_of_policy_compression.empty? &&
|
96
|
+
missing_policy_encryption.empty? &&
|
97
|
+
missing_policy_macs.empty? &&
|
98
|
+
missing_policy_kex.empty? &&
|
99
|
+
missing_policy_compression?
|
100
|
+
end
|
101
|
+
|
102
|
+
def recommendations
|
103
|
+
recommendations = []
|
104
|
+
|
105
|
+
# Add these items to be compliant
|
106
|
+
recommendations << "Add these Key Exchange Algos: #{missing_policy_kex.join(", ")}" unless missing_policy_kex.empty?
|
107
|
+
recommendations << "Add these MAC Algos: #{missing_policy_macs.join(", ")}" unless missing_policy_macs.empty?
|
108
|
+
recommendations << "Add these Encryption Ciphers: #{missing_policy_encryption.join(", ")}" unless missing_policy_encryption.empty?
|
109
|
+
recommendations << "Add these Compression Algos: #{missing_policy_compression.join(", ")}" unless missing_policy_compression.empty?
|
110
|
+
|
111
|
+
# Remove these items to be compliant
|
112
|
+
recommendations << "Remove these Key Exchange Algos: #{out_of_policy_kex.join(", ")}" unless out_of_policy_kex.empty?
|
113
|
+
recommendations << "Remove these MAC Algos: #{out_of_policy_macs.join(", ")}" unless out_of_policy_macs.empty?
|
114
|
+
recommendations << "Remove these Encryption Ciphers: #{out_of_policy_encryption.join(", ")}" unless out_of_policy_encryption.empty?
|
115
|
+
recommendations << "Remove these Compression Algos: #{out_of_policy_compression.join(", ")}" unless out_of_policy_compression.empty?
|
116
|
+
return recommendations
|
117
|
+
end
|
118
|
+
|
119
|
+
def compliance_results
|
120
|
+
{
|
121
|
+
:policy => @policy.name,
|
122
|
+
:compliant => compliant?,
|
123
|
+
:recommendations => recommendations
|
124
|
+
}
|
125
|
+
end
|
126
|
+
end
|
127
|
+
end
|
data/lib/ssh_scan/scan_engine.rb
CHANGED
data/lib/ssh_scan/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: ssh_scan
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jonathan Claudius
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-02-
|
11
|
+
date: 2016-02-19 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bindata
|
@@ -99,6 +99,7 @@ files:
|
|
99
99
|
- lib/ssh_scan/basic_server.rb
|
100
100
|
- lib/ssh_scan/constants.rb
|
101
101
|
- lib/ssh_scan/policy.rb
|
102
|
+
- lib/ssh_scan/policy_manager.rb
|
102
103
|
- lib/ssh_scan/protocol.rb
|
103
104
|
- lib/ssh_scan/scan_engine.rb
|
104
105
|
- lib/ssh_scan/version.rb
|