Initial commit
This commit is contained in:
commit
06036c89d9
29 changed files with 4891 additions and 0 deletions
122
checker/rules_banner.go
Normal file
122
checker/rules_banner.go
Normal file
|
|
@ -0,0 +1,122 @@
|
|||
// This file is part of the happyDomain (R) project.
|
||||
// Copyright (c) 2020-2026 happyDomain
|
||||
// Authors: Pierre-Olivier Mercier, et al.
|
||||
//
|
||||
// This program is offered under a commercial and under the AGPL license.
|
||||
// For commercial licensing, contact us at <contact@happydomain.org>.
|
||||
//
|
||||
// For AGPL licensing:
|
||||
// This program is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Affero General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Affero General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Affero General Public License
|
||||
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
package checker
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
sdk "git.happydns.org/checker-sdk-go/checker"
|
||||
)
|
||||
|
||||
// protocolVersionRule flags servers advertising SSH-1.x, which has
|
||||
// not been safe for decades.
|
||||
type protocolVersionRule struct{}
|
||||
|
||||
func (r *protocolVersionRule) Name() string { return "ssh.protocol_version" }
|
||||
func (r *protocolVersionRule) Description() string {
|
||||
return "Verifies every endpoint advertises SSH-2 and rejects the legacy SSH-1 protocol."
|
||||
}
|
||||
|
||||
func (r *protocolVersionRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
|
||||
data, errSt := loadSSHData(ctx, obs)
|
||||
if errSt != nil {
|
||||
return []sdk.CheckState{*errSt}
|
||||
}
|
||||
if len(data.Endpoints) == 0 {
|
||||
return []sdk.CheckState{noEndpointsState("ssh.protocol_version.no_endpoints")}
|
||||
}
|
||||
var states []sdk.CheckState
|
||||
for _, ep := range data.Endpoints {
|
||||
if ep.Banner == "" {
|
||||
continue
|
||||
}
|
||||
if !strings.HasPrefix(ep.ProtoVer, "2.") && ep.ProtoVer != "2" {
|
||||
states = append(states, sdk.CheckState{
|
||||
Status: sdk.StatusCrit,
|
||||
Code: "ssh_legacy_protocol",
|
||||
Subject: ep.Address,
|
||||
Message: fmt.Sprintf("Server advertises SSH protocol %q (banner %q). SSH-1 is obsolete and insecure.", ep.ProtoVer, ep.Banner),
|
||||
Meta: map[string]any{"fix": "Disable SSH-1 support; run an sshd that only speaks SSH-2."},
|
||||
})
|
||||
}
|
||||
}
|
||||
if len(states) == 0 {
|
||||
return []sdk.CheckState{passState("ssh.protocol_version.ok", "Every endpoint advertises SSH-2.")}
|
||||
}
|
||||
return states
|
||||
}
|
||||
|
||||
// bannerSoftwareRule reports when a server's software identifier does
|
||||
// not look like a recognised OpenSSH build.
|
||||
type bannerSoftwareRule struct{}
|
||||
|
||||
func (r *bannerSoftwareRule) Name() string { return "ssh.banner_software" }
|
||||
func (r *bannerSoftwareRule) Description() string {
|
||||
return "Flags servers whose banner is not a recognised OpenSSH build (so their maintenance status cannot be inferred)."
|
||||
}
|
||||
|
||||
func (r *bannerSoftwareRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
|
||||
data, errSt := loadSSHData(ctx, obs)
|
||||
if errSt != nil {
|
||||
return []sdk.CheckState{*errSt}
|
||||
}
|
||||
if len(data.Endpoints) == 0 {
|
||||
return []sdk.CheckState{noEndpointsState("ssh.banner_software.no_endpoints")}
|
||||
}
|
||||
var issues []Issue
|
||||
for _, ep := range data.Endpoints {
|
||||
issues = append(issues, analyseBannerSoftware(ep.Address, ep.Banner, ep.SoftVer)...)
|
||||
}
|
||||
if len(issues) == 0 {
|
||||
return []sdk.CheckState{passState("ssh.banner_software.ok", "All probed servers advertise a recognised OpenSSH build.")}
|
||||
}
|
||||
return statesFromIssues(issues)
|
||||
}
|
||||
|
||||
// knownVulnsRule maps the observed banner against an OpenSSH CVE
|
||||
// catalog and emits one state per matched vulnerability.
|
||||
type knownVulnsRule struct{}
|
||||
|
||||
func (r *knownVulnsRule) Name() string { return "ssh.known_vulnerabilities" }
|
||||
func (r *knownVulnsRule) Description() string {
|
||||
return "Matches the advertised OpenSSH version against a curated catalog of remotely-observable CVEs."
|
||||
}
|
||||
|
||||
func (r *knownVulnsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
|
||||
data, errSt := loadSSHData(ctx, obs)
|
||||
if errSt != nil {
|
||||
return []sdk.CheckState{*errSt}
|
||||
}
|
||||
if len(data.Endpoints) == 0 {
|
||||
return []sdk.CheckState{noEndpointsState("ssh.known_vulnerabilities.no_endpoints")}
|
||||
}
|
||||
var issues []Issue
|
||||
for _, ep := range data.Endpoints {
|
||||
issues = append(issues, analyseBannerVulns(ep.Address, ep.Banner, ep.SoftVer)...)
|
||||
}
|
||||
if len(issues) == 0 {
|
||||
return []sdk.CheckState{passState("ssh.known_vulnerabilities.ok", "No known CVE match against the advertised OpenSSH versions.")}
|
||||
}
|
||||
return statesFromIssues(issues)
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue