Fix script so changes are actually made

William Wernert
2021-04-01 14:56:05 -04:00
parent fa373e9db0
commit 43c31b4e66


@@ -4,6 +4,8 @@
if [[ $1 =~ ^(-q|--quiet) ]]; then if [[ $1 =~ ^(-q|--quiet) ]]; then
quiet=true quiet=true
elif [[ $1 =~ ^(-v|--verbose) ]]; then
verbose=true
fi fi
sshd_config=/etc/ssh/sshd_config sshd_config=/etc/ssh/sshd_config
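Review bot: The new `elif [[ $1 =~ ^(-v|--verbose) ]]` (and the existing `-q` test) is anchored only at the start, so any argument beginning with `-v` or `-q` — `-vx`, `--verbosely`, `-quit` — silently selects the mode instead of being rejected. Anchoring both patterns, `^(-v|--verbose)$` and `^(-q|--quiet)$`, and falling through to a usage error in an `else` arm would make a mistyped flag visible rather than turning a run that edits `/etc/ssh/sshd_config` quiet or verbose by accident. Only `$1` is inspected, so a second flag is ignored without notice; that is worth a one-line comment if it is intended.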
@@ -12,39 +14,27 @@ temp_config=/tmp/sshd_config
before= before=
after= after=
reload_required=false reload_required=false
change_header_printed=false
check_sshd_t() { check_sshd_t() {
local string=$1 local string=$1
local state=$2
local grep_out local grep_out
grep_out=$(sshd -T | grep "^${string}") grep_out=$(sshd -T | grep "^${string}")
if [[ $state == "Before" ]]; then before=$grep_out
before=$grep_out
else
after=$grep_out
fi
} }
print_diff() { print_diff() {
local type=$1
local diff local diff
diff=$(diff -dqbB <(echo $before) <(echo $after)) diff=$(diff -dbB <(echo $before) <(echo $after) | awk 'NR>1')
if [[ -n $diff ]]; then if [[ -n $diff ]]; then
printf '%s\n' "$type" "$diff" if [[ $change_header_printed == false ]]; then
echo "" printf '%s\n' '' "Changes" '-------' ''
fi change_header_printed=true
} fi
echo -e "$diff\n"
print_msg() {
local msg=$1
if ! [[ $quiet ]]; then
printf "%s\n" \
"----" \
"$msg" \
"----"
fi fi
} }
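Review bot: `check_sshd_t` still fails open: `grep_out=$(sshd -T | grep "^${string}")` takes its status from `grep`, so if `sshd -T` fails (not root, or the current config is invalid) `before` becomes empty, `main` then derives an empty `after` from it, the `before != after` test is false, and the weak algorithms are left in place with no error. Checking the `sshd -T` call separately closes that gap, e.g. `local sshd_out; sshd_out=$(sshd -T) || { echo "sshd -T failed, cannot audit ${string}" >&2; exit 1; }` followed by `grep_out=$(grep "^${string}" <<<"$sshd_out")`. In the new `print_diff`, `<(echo $before)` and `<(echo $after)` are unquoted, so the values are word-split and glob-expanded before `diff` sees them; `<(printf '%s\n' "$before")` / `<(printf '%s\n' "$after")` and `printf '%s\n\n' "$diff"` in place of `echo -e "$diff\n"` avoid that and the non-portable `-e`. Since `print_diff` no longer takes a label, a one-line comment noting that the directive name is read from the `< ciphers ...` / `> ciphers ...` lines themselves would help the next reader.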
@@ -77,65 +67,65 @@ main() {
echo "" >> $temp_config echo "" >> $temp_config
# Ciphers # Ciphers
check_sshd_t "ciphers" "Before" check_sshd_t "ciphers"
local cipher_string local cipher_string
cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g") cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g")
check_sshd_t "ciphers" "After" after=$cipher_string
if ! [[ $quiet ]]; then print_diff "ciphers"; fi if [[ $verbose ]]; then print_diff; fi
if [[ $before != $after ]]; then if [[ $before != "$after" ]]; then
add_if_missing "$cipher_string" && test_config || exit 1 add_if_missing "$cipher_string" && test_config || exit 1
fi fi
# KexAlgorithms # KexAlgorithms
check_sshd_t "kexalgorithms" "Before" check_sshd_t "kexalgorithms"
local kexalg_string local kexalg_string
kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g") kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g")
check_sshd_t "kexalgorithms" "After" after=$kexalg_string
if ! [[ $quiet ]]; then print_diff "kexalgorithms"; fi if [[ $verbose ]]; then print_diff; fi
if [[ $before != $after ]]; then if [[ $before != "$after" ]]; then
add_if_missing "$kexalg_string" && test_config || exit 1 add_if_missing "$kexalg_string" && test_config || exit 1
fi fi
# Macs # Macs
check_sshd_t "macs" "Before" check_sshd_t "macs"
local macs_string local macs_string
macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g") macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g")
check_sshd_t "macs" "After" after=$macs_string
if ! [[ $quiet ]]; then print_diff "macs"; fi if [[ $verbose ]]; then print_diff; fi
if [[ $before != $after ]]; then if [[ $before != "$after" ]]; then
add_if_missing "$mac_string" && test_config || exit 1 add_if_missing "$macs_string" && test_config || exit 1
fi fi
# HostKeyAlgorithms # HostKeyAlgorithms
check_sshd_t "hostkeyalgorithms" "Before" check_sshd_t "hostkeyalgorithms"
local hostkeyalg_string local hostkeyalg_string
hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g") hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g")
check_sshd_t "hostkeyalgorithms" "After" after=$hostkeyalg_string
if ! [[ $quiet ]]; then print_diff "hostkeyalgorithms"; fi if [[ $verbose ]]; then print_diff; fi
if [[ $before != $after ]]; then if [[ $before != "$after" ]]; then
add_if_missing "$hostkeyalg_string" && test_config || exit 1 add_if_missing "$hostkeyalg_string" && test_config || exit 1
fi fi
if [[ $reload_required == true ]]; then if [[ $reload_required == true ]]; then
mv -f $temp_config $sshd_config mv -f $temp_config $sshd_config
if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes..."; fi if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes"; fi
systemctl reload sshd systemctl reload sshd
print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
else else
if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up."; fi if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up"; fi
rm -f $temp_config rm -f $temp_config
fi fi
} }
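Review bot: With `after=$cipher_string` (and the same for kexalgorithms, macs and hostkeyalgorithms), `after` is now the list the script intends to write, not a state observed from sshd, so the verbose diff and the `[[ $before != "$after" ]]` test describe a plan rather than a result; nothing after `add_if_missing "$cipher_string" && test_config` re-reads the effective set, so a directive that `test_config` accepts but that sshd does not actually apply (for instance if an earlier occurrence of the same directive takes precedence — inferred, not visible here) passes silently. Re-querying the temp config after `test_config`, `sshd -T -f "$temp_config" | grep "^ciphers"`, and comparing it with `$after` before setting `reload_required` would turn the diff into a verification. Separately, the `mv -f $temp_config $sshd_config` step visible here promotes the fixed path `temp_config=/tmp/sshd_config` (hunk header) into `/etc/ssh/sshd_config`, and `echo "" >> $temp_config` appends to whatever already exists at that name; creating the scratch file with `mktemp` under `/etc/ssh` and quoting both paths would stop a pre-existing file in a world-writable directory from being merged into the sshd config. `main` begins before this hunk.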