Add policy references

mozilla · Aug 17, 2016 · 20960fd · 20960fd
1 parent 1449448
commit 20960fd
Show file tree

Hide file tree

Showing 6 changed files with 108 additions and 4 deletions.
diff --git a/examples/github.com.json b/examples/github.com.json
@@ -0,0 +1,94 @@
+[
+  {
+    "ssh_scan_version": "0.0.9",
+    "hostname": "github.com",
+    "ip": "192.30.253.113",
+    "port": 22,
+    "server_banner": "SSH-2.0-libssh-0.7.0",
+    "ssh_version": 2.0,
+    "os": "unknown",
+    "os_cpe": "o:unknown",
+    "ssh_lib": "libssh",
+    "ssh_lib_cpe": "a:libssh:libssh",
+    "key_algorithms": [
+      "curve25519-sha256@libssh.org",
+      "ecdh-sha2-nistp256",
+      "diffie-hellman-group14-sha1",
+      "diffie-hellman-group1-sha1"
+    ],
+    "server_host_key_algorithms": [
+      "ssh-dss",
+      "ssh-rsa"
+    ],
+    "encryption_algorithms_client_to_server": [
+      "chacha20-poly1305@openssh.com",
+      "aes256-ctr",
+      "aes192-ctr",
+      "aes128-ctr",
+      "aes256-cbc",
+      "aes192-cbc",
+      "aes128-cbc",
+      "blowfish-cbc"
+    ],
+    "encryption_algorithms_server_to_client": [
+      "chacha20-poly1305@openssh.com",
+      "aes256-ctr",
+      "aes192-ctr",
+      "aes128-ctr",
+      "aes256-cbc",
+      "aes192-cbc",
+      "aes128-cbc",
+      "blowfish-cbc"
+    ],
+    "mac_algorithms_client_to_server": [
+      "hmac-sha1",
+      "hmac-sha2-256",
+      "hmac-sha2-512"
+    ],
+    "mac_algorithms_server_to_client": [
+      "hmac-sha1",
+      "hmac-sha2-256",
+      "hmac-sha2-512"
+    ],
+    "compression_algorithms_client_to_server": [
+      "none",
+      "zlib",
+      "zlib@openssh.com"
+    ],
+    "compression_algorithms_server_to_client": [
+      "none",
+      "zlib",
+      "zlib@openssh.com"
+    ],
+    "languages_client_to_server": [
+
+    ],
+    "languages_server_to_client": [
+
+    ],
+    "auth_methods": [
+      "publickey"
+    ],
+    "fingerprints": {
+      "md5": "f6:ce:1e:d1:87:52:2d:26:81:89:ec:e6:d3:8f:9f:69",
+      "sha1": "4d:b1:29:4f:e8:de:1c:14:1f:11:47:45:4e:8c:9a:c8:a8:45:76:40",
+      "sha256": "9e:16:bf:1a:99:1b:b9:f6:9a:f9:24:fd:b2:55:29:51:d8:d2:20:06:14:c8:03:b0:bf:bb:95:9a:d1:a7:83:0f"
+    },
+    "compliance": {
+      "policy": "Mozilla Modern",
+      "compliant": false,
+      "recommendations": [
+        "Add these Key Exchange Algos: ecdh-sha2-nistp521,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256",
+        "Add these MAC Algos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,umac-128@openssh.com",
+        "Add these Encryption Ciphers: aes256-gcm@openssh.com,aes128-gcm@openssh.com",
+        "Remove these Key Exchange Algos: diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
+        "Remove these MAC Algos: hmac-sha1",
+        "Remove these Encryption Ciphers: aes256-cbc, aes192-cbc, aes128-cbc, blowfish-cbc",
+        "Remove these Compression Algos: zlib"
+      ],
+      "references": [
+        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
+      ]
+    }
+  }
+]
diff --git a/lib/ssh_scan/policy.rb b/lib/ssh_scan/policy.rb
@@ -2,14 +2,15 @@
 
 module SSHScan
   class Policy
-    attr_reader :name, :kex, :macs, :encryption, :compression
+    attr_reader :name, :kex, :macs, :encryption, :compression, :references
 
     def initialize(opts = {})
       @name = opts['name'] || []
       @kex = opts['kex'] || []
       @macs = opts['macs'] || []
       @encryption = opts['encryption'] || []
       @compression = opts['compression'] || []
+      @references = opts['references'] || []
     end
 
     def self.from_file(file)

diff --git a/lib/ssh_scan/policy_manager.rb b/lib/ssh_scan/policy_manager.rb
@@ -120,7 +120,8 @@ def compliance_results
       {
         :policy => @policy.name,
         :compliant => compliant?,
-        :recommendations => recommendations
+        :recommendations => recommendations,
+        :references => @policy.references,
       }
     end
   end

diff --git a/policies/mozilla_intermediate.yml b/policies/mozilla_intermediate.yml
@@ -12,3 +12,5 @@ macs:
 compression:
 - none
 - zlib@openssh.com
+references:
+- https://wiki.mozilla.org/Security/Guidelines/OpenSSH
diff --git a/policies/mozilla_modern.yml b/policies/mozilla_modern.yml
@@ -23,3 +23,5 @@ macs:
 compression:
 - none
 - zlib@openssh.com
+references:
+- https://wiki.mozilla.org/Security/Guidelines/OpenSSH
diff --git a/spec/ssh_scan/policy_spec.rb b/spec/ssh_scan/policy_spec.rb
@@ -9,7 +9,8 @@
                   "encryption:\n- aes256-ctr\n- aes192-ctr\n" +
                   "- aes128-ctr\nmacs:\n- hmac-sha2-512\n" +
                   "- hmac-sha2-256\ncompression:\n- none\n" +
-                  "- zlib@openssh.com"
+                  "- zlib@openssh.com\n" +
+                  "references:\n- https://wiki.mozilla.org/Security/Guidelines/OpenSSH\n"
 
     it "should load all the attributes properly" do
       policy = SSHScan::Policy.from_string(yaml_string)
@@ -19,6 +20,7 @@
       expect(policy.kex).to eql(["diffie-hellman-group-exchange-sha256"])
       expect(policy.macs).to eql(["hmac-sha2-512", "hmac-sha2-256"])
       expect(policy.compression).to eql(["none", "zlib@openssh.com"])
+      expect(policy.references).to eql(["https://wiki.mozilla.org/Security/Guidelines/OpenSSH"])
     end
   end
 
@@ -28,7 +30,8 @@
                   "encryption:\n- aes256-ctr\n- aes192-ctr\n" +
                   "- aes128-ctr\nmacs:\n- hmac-sha2-512\n" +
                   "- hmac-sha2-256\ncompression:\n- none\n" +
-                  "- zlib@openssh.com"
+                  "- zlib@openssh.com\n" +
+                  "references:\n- https://wiki.mozilla.org/Security/Guidelines/OpenSSH\n"
 
     it "should load all the attributes properly" do
       file = Tempfile.new('foo')
@@ -44,6 +47,7 @@
       expect(policy.kex).to eql(["diffie-hellman-group-exchange-sha256"])
       expect(policy.macs).to eql(["hmac-sha2-512", "hmac-sha2-256"])
       expect(policy.compression).to eql(["none", "zlib@openssh.com"])
+      expect(policy.references).to eql(["https://wiki.mozilla.org/Security/Guidelines/OpenSSH"])
     end
   end