122 lines
4.5 KiB
Go
122 lines
4.5 KiB
Go
// This file is part of the happyDomain (R) project.
|
|
// Copyright (c) 2020-2026 happyDomain
|
|
// Authors: Pierre-Olivier Mercier, et al.
|
|
//
|
|
// This program is offered under a commercial and under the AGPL license.
|
|
// For commercial licensing, contact us at <contact@happydomain.org>.
|
|
//
|
|
// For AGPL licensing:
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package checker
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
)
|
|
|
|
// protocolVersionRule flags servers advertising SSH-1.x, which has
|
|
// not been safe for decades.
|
|
type protocolVersionRule struct{}
|
|
|
|
func (r *protocolVersionRule) Name() string { return "ssh.protocol_version" }
|
|
func (r *protocolVersionRule) Description() string {
|
|
return "Verifies every endpoint advertises SSH-2 and rejects the legacy SSH-1 protocol."
|
|
}
|
|
|
|
func (r *protocolVersionRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
|
|
data, errSt := loadSSHData(ctx, obs)
|
|
if errSt != nil {
|
|
return []sdk.CheckState{*errSt}
|
|
}
|
|
if len(data.Endpoints) == 0 {
|
|
return []sdk.CheckState{noEndpointsState("ssh.protocol_version.no_endpoints")}
|
|
}
|
|
var states []sdk.CheckState
|
|
for _, ep := range data.Endpoints {
|
|
if ep.Banner == "" {
|
|
continue
|
|
}
|
|
if !strings.HasPrefix(ep.ProtoVer, "2.") && ep.ProtoVer != "2" {
|
|
states = append(states, sdk.CheckState{
|
|
Status: sdk.StatusCrit,
|
|
Code: "ssh_legacy_protocol",
|
|
Subject: ep.Address,
|
|
Message: fmt.Sprintf("Server advertises SSH protocol %q (banner %q). SSH-1 is obsolete and insecure.", ep.ProtoVer, ep.Banner),
|
|
Meta: map[string]any{"fix": "Disable SSH-1 support; run an sshd that only speaks SSH-2."},
|
|
})
|
|
}
|
|
}
|
|
if len(states) == 0 {
|
|
return []sdk.CheckState{passState("ssh.protocol_version.ok", "Every endpoint advertises SSH-2.")}
|
|
}
|
|
return states
|
|
}
|
|
|
|
// bannerSoftwareRule reports when a server's software identifier does
|
|
// not look like a recognised OpenSSH build.
|
|
type bannerSoftwareRule struct{}
|
|
|
|
func (r *bannerSoftwareRule) Name() string { return "ssh.banner_software" }
|
|
func (r *bannerSoftwareRule) Description() string {
|
|
return "Flags servers whose banner is not a recognised OpenSSH build (so their maintenance status cannot be inferred)."
|
|
}
|
|
|
|
func (r *bannerSoftwareRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
|
|
data, errSt := loadSSHData(ctx, obs)
|
|
if errSt != nil {
|
|
return []sdk.CheckState{*errSt}
|
|
}
|
|
if len(data.Endpoints) == 0 {
|
|
return []sdk.CheckState{noEndpointsState("ssh.banner_software.no_endpoints")}
|
|
}
|
|
var issues []Issue
|
|
for _, ep := range data.Endpoints {
|
|
issues = append(issues, analyseBannerSoftware(ep.Address, ep.Banner, ep.SoftVer)...)
|
|
}
|
|
if len(issues) == 0 {
|
|
return []sdk.CheckState{passState("ssh.banner_software.ok", "All probed servers advertise a recognised OpenSSH build.")}
|
|
}
|
|
return statesFromIssues(issues)
|
|
}
|
|
|
|
// knownVulnsRule maps the observed banner against an OpenSSH CVE
|
|
// catalog and emits one state per matched vulnerability.
|
|
type knownVulnsRule struct{}
|
|
|
|
func (r *knownVulnsRule) Name() string { return "ssh.known_vulnerabilities" }
|
|
func (r *knownVulnsRule) Description() string {
|
|
return "Matches the advertised OpenSSH version against a curated catalog of remotely-observable CVEs."
|
|
}
|
|
|
|
func (r *knownVulnsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
|
|
data, errSt := loadSSHData(ctx, obs)
|
|
if errSt != nil {
|
|
return []sdk.CheckState{*errSt}
|
|
}
|
|
if len(data.Endpoints) == 0 {
|
|
return []sdk.CheckState{noEndpointsState("ssh.known_vulnerabilities.no_endpoints")}
|
|
}
|
|
var issues []Issue
|
|
for _, ep := range data.Endpoints {
|
|
issues = append(issues, analyseBannerVulns(ep.Address, ep.Banner, ep.SoftVer)...)
|
|
}
|
|
if len(issues) == 0 {
|
|
return []sdk.CheckState{passState("ssh.known_vulnerabilities.ok", "No known CVE match against the advertised OpenSSH versions.")}
|
|
}
|
|
return statesFromIssues(issues)
|
|
}
|