Merge pull request #177 from schurzi/crypto_policy
rework CRYPTO_POLICY check to work with fedora
micheelengronne authored Jul 22, 2020
2 parents 0e06e3a + fd13122 commit e30a2f8
Showing 2 changed files with 18 additions and 2 deletions.
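--- a/controls/ssh_spec.rb
+++ b/controls/ssh_spec.rb
@@ -227,3 +227,19 @@
 its('UseRoaming') { should eq('no') }
 end
 end
+
+control 'ssh-22' do
+impact 1.0
+title 'Client: CRYPTO_POLICY'
+desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from ssh_config are effective'
+only_if('OS has CRYPTO_POLICY') do
+file('/etc/sysconfig/sshd').exist? && file('/etc/sysconfig/sshd').content.match?(/CRYPTO_POLICY/)
+end
+
+describe bash('ssh -G localhost') do
+its('exit_status') { should eq 0 }
+its('stdout') { should match('ciphers ' + ssh_crypto.valid_ciphers) }
+its('stdout') { should match('kexalgorithms ' + ssh_crypto.valid_kexs) }
+its('stdout') { should match('macs ' + ssh_crypto.valid_macs) }
+end
+end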
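Review bot: The three `stdout` expectations in `ssh-22` pass a plain string to `match`, which RSpec treats as an unanchored regular expression. An effective list that starts with the hardened values and then has further algorithms appended would still pass, and each `.` in an algorithm name matches any character. Since the control is meant to prove that nothing else alters the effective client settings, I would pin each line, e.g. `its('stdout') { should match(/^ciphers #{Regexp.escape(ssh_crypto.valid_ciphers)}$/) }`, and do the same for `kexalgorithms` and `macs`. This assumes the `ssh_crypto.valid_*` helpers return the comma-separated string exactly as `ssh -G` prints it, which the hunk does not show.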
4 changes: 2 additions & 2 deletions controls/sshd_spec.rb
@@ -508,8 +508,8 @@
impact 1.0
title 'Server: CRYPTO_POLICY'
desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from sshd_config are effective'
only_if('OS is RHEL 8+ or compatible') do
os[:family] == 'redhat' && ::Gem::Version.new(os.release) > ::Gem::Version.new('8')
only_if('OS has CRYPTO_POLICY') do
file('/etc/sysconfig/sshd').exist? && file('/etc/sysconfig/sshd').content.match?(/CRYPTO_POLICY/)
end

describe bash("pgrep -af 'sshd -D'") do
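Review bot: The new `only_if` decides applicability from the literal string CRYPTO_POLICY appearing anywhere in `/etc/sysconfig/sshd`, comments included, and that intent is not written down next to the predicate. A host where the file is absent or worded differently is reported as skipped rather than failed, so I would add a comment above it such as `# applicable only where /etc/sysconfig/sshd mentions CRYPTO_POLICY (commented or not); other hosts are skipped`. The same predicate is repeated in `ssh-22` in controls/ssh_spec.rb, where it gates a client-side check on a server-side file; whether that is the right signal for the client is worth confirming. The `describe` block that follows continues outside the hunk.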
