SSH-audit
What is SSH-audit?
ssh-audit audits the configuration of SSH servers and clients. It connects to a target (or, in client-audit mode, waits for a client to connect to it), records the protocol version, the banner and the key exchange, host key, cipher, MAC and compression algorithms on offer, grades each algorithm (info, warn or fail), and lists known CVEs for the software version identified from the banner.
To learn more about the ssh-audit scanner itself, visit the ssh-audit GitHub repository.
Deployment
The ssh-audit chart can be deployed via helm:
```bash
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install ssh-audit secureCodeBox/ssh-audit
```
Scanner Configuration
The following security scan configuration examples are based on the ssh-audit documentation; please take a look at the original documentation for more configuration examples.
```text
usage: ssh-audit.py [options] <host>

   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -d,  --debug            Enable debug output.
   -g,  --gex-test=<x[,y,...]>  dh gex modulus size test
                               <min1:pref1:max1[,min2:pref2:max2,...]>
                               <x-y[:step]>
   -j,  --json             JSON output (use -jj to enable indents)
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -L,  --list-policies    list all the official, built-in policies
        --lookup=<alg1,alg2,...>  looks up an algorithm(s) without
                               connecting to a server
   -m,  --manual           print the man page (Windows only)
   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
                               (i.e.: the target server has the ideal
                               configuration that other servers should
                               adhere to)
   -n,  --no-colors        disable colors
   -p,  --port=<port>      port to connect
   -P,  --policy=<"policy name" | policy.txt>  run a policy test using the
                               specified policy
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)
   -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
                               per line, format HOST[:PORT])
        --threads=<threads>  number of threads to use when scanning multiple
                               targets (-T/--targets) (default: 32)
   -v,  --verbose          verbose output
```
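The secureCodeBox parser turns ssh-audit's `-j` output into the findings shown in the Examples section (one finding per recommendation group, plus one per CVE). The script below is an added example, not code from the chart or from the ssh-audit project: it does the same flattening on a constructed, abbreviated sample of `-j` output for the dummy-ssh target, derives a worst-severity value you can gate a pipeline on, and emits explicit `KexAlgorithms`/`HostKeyAlgorithms`/`Ciphers`/`MACs` allowlists for `sshd_config` that keep only what the server offers minus what ssh-audit flagged for removal. Assumptions: the JSON key names (`banner`, `kex`, `key`, `enc`, `mac`, `cves`, `recommendations` with `critical`/`warning`/`informational` and `del`/`chg`/`add`) are my reading of ssh-audit's format and should be checked against your version; the severity mapping (critical→HIGH, warning→MEDIUM, informational→LOW, CVSSv2 ≥7 HIGH, ≥4 MEDIUM) is inferred from the findings on this page.

```python
"""Added example: ssh-audit -j output -> findings, severity gate, sshd_config allowlist.
Not part of the secureCodeBox chart or ssh-audit. JSON layout is an assumption
about ssh-audit's -j format; verify against the version you run."""
import json

# Constructed sample input, abbreviated from the dummy-ssh findings on this page.
SAMPLE_SSH_AUDIT_JSON = json.dumps({
    "banner": {"raw": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8", "software": "OpenSSH_7.2p2"},
    "target": "dummy-ssh.demo-targets.svc:22",
    "kex": [{"algorithm": "curve25519-sha256@libssh.org"},
            {"algorithm": "ecdh-sha2-nistp256"},
            {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048},
            {"algorithm": "diffie-hellman-group14-sha1"}],
    "key": [{"algorithm": "ssh-rsa", "keysize": 2048},
            {"algorithm": "rsa-sha2-512", "keysize": 2048},
            {"algorithm": "ssh-ed25519"}],
    "enc": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac": ["hmac-sha2-512-etm@openssh.com", "hmac-sha1", "hmac-sha2-256"],
    "cves": [{"name": "CVE-2021-41617", "cvssv2": 7.0, "description": "privilege escalation via supplemental groups"},
             {"name": "CVE-2018-15473", "cvssv2": 5.3, "description": "enumerate usernames due to timing discrepancies"}],
    "recommendations": {
        "critical": {"del": {"kex": [{"name": "diffie-hellman-group14-sha1", "notes": ""},
                                     {"name": "ecdh-sha2-nistp256", "notes": ""}],
                             "key": [{"name": "ssh-rsa", "notes": ""}],
                             "mac": [{"name": "hmac-sha1", "notes": ""}]}},
        "warning": {"chg": {"key": [{"name": "rsa-sha2-512", "notes": "increase modulus size to 3072 bits or larger"}]},
                    "del": {"mac": [{"name": "hmac-sha2-256", "notes": ""}]}},
        "informational": {"add": {"kex": [{"name": "curve25519-sha256", "notes": ""}]}},
    },
})

# Assumed mappings, inferred from the severities the page's findings show.
LEVEL_SEVERITY = {"critical": "HIGH", "warning": "MEDIUM", "informational": "LOW"}
ACTION_VERB = {"del": "Remove", "chg": "Change", "add": "Add"}
SECTION_LABEL = {"kex": "KEX", "key": "Key", "enc": "Encryption", "mac": "MAC"}
# Real OpenSSH sshd_config directives, in the order the allowlist is emitted.
DIRECTIVES = [("kex", "KexAlgorithms"), ("key", "HostKeyAlgorithms"), ("enc", "Ciphers"), ("mac", "MACs")]
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH"]


def cve_severity(cvss):
    """CVSSv2 score to severity bucket (assumed thresholds: 7.0 HIGH, 4.0 MEDIUM)."""
    return "HIGH" if cvss >= 7.0 else "MEDIUM" if cvss >= 4.0 else "LOW"


def parse_findings(raw_json):
    """One finding per (level, action, section) of the recommendations, plus one per CVE."""
    data = json.loads(raw_json)
    findings = []
    for level, actions in data.get("recommendations", {}).items():
        for action, sections in actions.items():
            for section, algs in sections.items():
                # Keep ssh-audit's note (e.g. the RSA modulus advice) next to the algorithm name.
                names = [a["name"] + (f" (Note: {a['notes']})" if a.get("notes") else "") for a in algs]
                findings.append({"name": f"{ACTION_VERB[action]} SSH {SECTION_LABEL.get(section, section)} Algorithms",
                                 "severity": LEVEL_SEVERITY[level], "category": "SSH Policy Violation",
                                 "algorithms": names})
    for cve in data.get("cves", []):
        findings.append({"name": cve["name"], "severity": cve_severity(cve["cvssv2"]),
                         "category": "SSH Violation", "description": cve["description"]})
    return findings


def highest_severity(findings):
    """Worst severity present; use it to fail a pipeline on the scan result."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default="INFORMATIONAL")


def sshd_config_fix(raw_json):
    """Explicit sshd_config allowlists: offered algorithms minus critical/warning deletions.
    'chg' items (e.g. a too-small RSA modulus) cannot be fixed by a list and become comments."""
    data = json.loads(raw_json)
    removed = {section: set() for section, _ in DIRECTIVES}
    notes = []
    for level in ("critical", "warning"):
        actions = data.get("recommendations", {}).get(level, {})
        for section, algs in actions.get("del", {}).items():
            removed.setdefault(section, set()).update(a["name"] for a in algs)
        for section, algs in actions.get("chg", {}).items():
            notes.extend(f"# {section}: {a['name']}: {a['notes']}" for a in algs)
    lines = []
    for section, directive in DIRECTIVES:
        # kex/key entries are objects with an "algorithm" field; enc/mac are plain strings.
        offered = [e["algorithm"] if isinstance(e, dict) else e for e in data.get(section, [])]
        kept = [a for a in offered if a not in removed[section]]
        # An empty list would make sshd reject every connection; omit the directive instead.
        if kept:
            lines.append(f"{directive} {','.join(kept)}")
    return lines + notes


if __name__ == "__main__":
    found = parse_findings(SAMPLE_SSH_AUDIT_JSON)
    print(json.dumps(found, indent=2), "\nhighest severity:", highest_severity(found))
    print("\n".join(sshd_config_fix(SAMPLE_SSH_AUDIT_JSON)))
```

Feed it real output with `ssh-audit -j <host> > out.json` and `parse_findings(open("out.json").read())`. When applying the generated allowlist, keep a second session open until you have re-run ssh-audit against the reconfigured daemon and reconnected successfully, since a typo in `KexAlgorithms` or `MACs` locks everyone out; the `chg` comment for RSA requires regenerating the host key with a larger modulus, which no config line can do for you.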
Requirements
Kubernetes: >=v1.11.0-0
Values
Key | Type | Default | Description |
---|---|---|---|
cascadingRules.enabled | bool | false | Enables or disables the installation of the default cascading rules for this scanner |
parser.affinity | object | {} | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
parser.env | list | [] | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
parser.image.pullPolicy | string | "IfNotPresent" | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
parser.image.repository | string | "docker.io/securecodebox/parser-ssh-audit" | |
parser.image.tag | string | defaults to the charts version | Parser image tag |
parser.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
parser.scopeLimiterAliases | object | {} | Optional finding aliases to be used in the scopeLimiter. |
parser.tolerations | list | [] | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
parser.ttlSecondsAfterFinished | string | nil | Seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
scanner.activeDeadlineSeconds | string | nil | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
scanner.affinity | object | {} | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
scanner.env | list | [] | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
scanner.extraContainers | list | [] | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
scanner.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scanner.extraVolumes | list | [] | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scanner.image.repository | string | "docker.io/securecodebox/scanner-ssh-audit" | |
scanner.image.tag | string | nil | |
scanner.nameAppend | string | nil | Append a string to the default scantype name. |
scanner.podSecurityContext | object | {} | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
scanner.resources | object | {} | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
scanner.securityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false} | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
scanner.securityContext.allowPrivilegeEscalation | bool | false | Ensure that users privileges cannot be escalated |
scanner.securityContext.capabilities.drop[0] | string | "all" | This drops all linux privileges from the container. |
scanner.securityContext.privileged | bool | false | Ensures that the scanner container is not run in privileged mode |
scanner.securityContext.readOnlyRootFilesystem | bool | false | Prevents write access to the container's file system |
scanner.securityContext.runAsNonRoot | bool | false | Enforces that the scanner image is run as a non-root user |
scanner.suspend | bool | false | If set to true the scan job will be suspended after creation. You can then resume the job by setting `spec.suspend` back to false (e.g. `kubectl patch job <jobname> --type=merge -p '{"spec":{"suspend":false}}'`) or by using a job scheduler like kueue |
scanner.tolerations | list | [] | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
scanner.ttlSecondsAfterFinished | string | nil | Seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
License
Code of secureCodeBox is licensed under the Apache License 2.0.
CPU architectures
The scanner is currently supported for these CPU architectures:
- linux/amd64
Examples
dummy-ssh

Scan

```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "ssh-ssh-demo-cluster-internal"
spec:
  scanType: "ssh-audit"
  parameters:
    - "dummy-ssh.demo-targets.svc"
```

Findings
```json
[
  {
    "name": "SSH Service",
    "description": "Information about Used SSH Algorithms",
    "category": "SSH Service",
    "osi_layer": "APPLICATION",
    "severity": "INFORMATIONAL",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "port": "22",
    "attributes": {
      "hostname": "dummy-ssh.demo-targets.svc",
      "ip_address": null,
      "server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
      "ssh_version": 2,
      "ssh_lib_cpe": "OpenSSH_7.2p2",
      "key_algorithms": [
        {"algorithm": "ssh-rsa", "keysize": 2048},
        {"algorithm": "rsa-sha2-512", "keysize": 2048},
        {"algorithm": "rsa-sha2-256", "keysize": 2048},
        {"algorithm": "ecdsa-sha2-nistp256"},
        {"algorithm": "ssh-ed25519"}
      ],
      "encryption_algorithms": [
        "chacha20-poly1305@openssh.com",
        "aes128-ctr",
        "aes192-ctr",
        "aes256-ctr",
        "aes128-gcm@openssh.com",
        "aes256-gcm@openssh.com"
      ],
      "mac_algorithms": [
        "umac-64-etm@openssh.com",
        "umac-128-etm@openssh.com",
        "hmac-sha2-256-etm@openssh.com",
        "hmac-sha2-512-etm@openssh.com",
        "hmac-sha1-etm@openssh.com",
        "umac-64@openssh.com",
        "umac-128@openssh.com",
        "hmac-sha2-256",
        "hmac-sha2-512",
        "hmac-sha1"
      ],
      "compression_algorithms": ["none", "zlib@openssh.com"],
      "key_exchange_algorithms": [
        {"algorithm": "curve25519-sha256@libssh.org"},
        {"algorithm": "ecdh-sha2-nistp256"},
        {"algorithm": "ecdh-sha2-nistp384"},
        {"algorithm": "ecdh-sha2-nistp521"},
        {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048},
        {"algorithm": "diffie-hellman-group14-sha1"}
      ],
      "fingerprints": [
        {"hash": "eLwgzyjvrpwDbDr+pDbIfUhlNANB4DPH9/0w1vGa87E", "hash_alg": "SHA256", "hostkey": "ssh-ed25519"},
        {"hash": "c8:65:6b:d1:59:03:56:21:d9:0f:84:83:ce:ac:40:86", "hash_alg": "MD5", "hostkey": "ssh-ed25519"},
        {"hash": "MbRX/CgQyN6/p8/ZjORurfaJqDhu4VEIWfXo0BnxaCE", "hash_alg": "SHA256", "hostkey": "ssh-rsa"},
        {"hash": "a5:6f:62:26:81:03:b7:5e:06:48:10:04:79:4b:ac:32", "hash_alg": "MD5", "hostkey": "ssh-rsa"}
      ]
    },
    "id": "32b5daad-2421-4731-b06f-ecdb9c238dfe",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "Insecure SSH KEX Algorithms",
    "description": "Discouraged SSH key exchange algorithms in use",
    "mitigation": "Remove these KEX algorithms",
    "severity": "HIGH",
    "category": "SSH Policy Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "attributes": {
      "algorithms": [
        "diffie-hellman-group14-sha1",
        "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384",
        "ecdh-sha2-nistp521"
      ]
    },
    "id": "0692f9e0-443d-4b08-ac18-2b6751ebf90f",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "Insecure SSH Key Algorithms",
    "description": "Discouraged SSH key algorithms in use",
    "mitigation": "Remove these key algorithms",
    "severity": "HIGH",
    "category": "SSH Policy Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "attributes": {"algorithms": ["ecdsa-sha2-nistp256", "ssh-rsa"]},
    "id": "6fec8829-3c6a-4366-8006-b8f7c180e4bd",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "Insecure SSH MAC Algorithms",
    "description": "Discouraged SSH message authentication code algorithms in use",
    "mitigation": "Remove these MAC algorithms",
    "severity": "HIGH",
    "category": "SSH Policy Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "attributes": {"algorithms": ["hmac-sha1", "hmac-sha1-etm@openssh.com"]},
    "id": "42947f7f-64ec-4f25-bb96-98515ba8296a",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "SSH Key Algorithms must be changed",
    "description": "Weak SSH key algorithms in use",
    "mitigation": "Change these key algorithms",
    "severity": "MEDIUM",
    "category": "SSH Policy Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "attributes": {
      "algorithms": [
        "rsa-sha2-256 (Note: increase modulus size to 3072 bits or larger)",
        "rsa-sha2-512 (Note: increase modulus size to 3072 bits or larger)"
      ]
    },
    "id": "17d34bda-8944-4311-9986-d149967b2727",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "Insecure SSH MAC Algorithms",
    "description": "Discouraged SSH message authentication code algorithms in use",
    "mitigation": "Remove these MAC algorithms",
    "severity": "MEDIUM",
    "category": "SSH Policy Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "attributes": {
      "algorithms": [
        "hmac-sha2-256",
        "hmac-sha2-512",
        "umac-128@openssh.com",
        "umac-64-etm@openssh.com",
        "umac-64@openssh.com"
      ]
    },
    "id": "39479a40-2c2a-46cc-8289-b38dae8a32af",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "CVE-2021-41617",
    "description": "privilege escalation via supplemental groups",
    "category": "SSH Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "severity": "HIGH",
    "attributes": {"cvssv2": 7},
    "references": [
      {"type": "CVE", "value": "CVE-2021-41617"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-41617"}
    ],
    "id": "2b97dd59-760a-4245-b560-07b57796454d",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "CVE-2020-15778",
    "description": "command injection via anomalous argument transfers",
    "category": "SSH Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "severity": "HIGH",
    "attributes": {"cvssv2": 7.8},
    "references": [
      {"type": "CVE", "value": "CVE-2020-15778"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15778"}
    ],
    "id": "80ea0ec2-b558-480f-90d6-2b335e1f24ef",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "CVE-2018-15919",
    "description": "username enumeration via GS2",
    "category": "SSH Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "severity": "MEDIUM",
    "attributes": {"cvssv2": 5.3},
    "references": [
      {"type": "CVE", "value": "CVE-2018-15919"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-15919"}
    ],
    "id": "9bbc1631-1eec-4fbe-91fc-ab9998da801a",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "CVE-2018-15473",
    "description": "enumerate usernames due to timing discrepancies",
    "category": "SSH Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "severity": "MEDIUM",
    "attributes": {"cvssv2": 5.3},
    "references": [
      {"type": "CVE", "value": "CVE-2018-15473"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2018-15473"}
    ],
    "id": "29fb98fd-d165-4657-8f42-c25a9ab1bcaa",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "CVE-2016-20012",
    "description": "enumerate usernames via challenge response",
    "category": "SSH Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "severity": "MEDIUM",
    "attributes": {"cvssv2": 5.3},
    "references": [
      {"type": "CVE", "value": "CVE-2016-20012"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-20012"}
    ],
    "id": "e9230054-4fce-4c78-ba92-dcbdba65de93",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "CVE-2016-6515",
    "description": "cause DoS via long password string (crypt CPU consumption)",
    "category": "SSH Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "severity": "HIGH",
    "attributes": {"cvssv2": 7.8},
    "references": [
      {"type": "CVE", "value": "CVE-2016-6515"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-6515"}
    ],
    "id": "b3d1eb1d-3711-439b-a722-ea33f064cb47",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  },
  {
    "name": "CVE-2015-8325",
    "description": "privilege escalation via triggering crafted environment",
    "category": "SSH Violation",
    "location": "ssh://dummy-ssh.demo-targets.svc",
    "severity": "HIGH",
    "attributes": {"cvssv2": 7.2},
    "references": [
      {"type": "CVE", "value": "CVE-2015-8325"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2015-8325"}
    ],
    "id": "b4fde106-ca72-44ce-902c-f5287dcf663b",
    "parsed_at": "2023-05-11T08:51:15.833Z"
  }
]
```
port-example

Scan

```yaml
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "ssh-audit-port-example"
spec:
  scanType: "ssh-audit"
  parameters:
    - "127.0.0.1"
    - "-p"
    - "29683"
```

Findings
```json
[
  {
    "name": "SSH Service",
    "description": "Information about Used SSH Algorithms",
    "category": "SSH Service",
    "osi_layer": "APPLICATION",
    "severity": "INFORMATIONAL",
    "location": "ssh://127.0.0.1",
    "port": "29683",
    "attributes": {
      "hostname": null,
      "ip_address": "127.0.0.1",
      "server_banner": "SSH-2.0-OpenSSH_8.2p1",
      "ssh_version": 2,
      "ssh_lib_cpe": "OpenSSH_8.2p1",
      "key_algorithms": [
        {"algorithm": "rsa-sha2-512", "keysize": 3072},
        {"algorithm": "rsa-sha2-256", "keysize": 3072},
        {"algorithm": "ssh-rsa", "keysize": 3072},
        {"algorithm": "ecdsa-sha2-nistp256"},
        {"algorithm": "ssh-ed25519"}
      ],
      "encryption_algorithms": [
        "chacha20-poly1305@openssh.com",
        "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com",
        "aes256-ctr",
        "aes192-ctr",
        "aes128-ctr"
      ],
      "mac_algorithms": [
        "hmac-sha2-512-etm@openssh.com",
        "hmac-sha2-256-etm@openssh.com",
        "umac-128-etm@openssh.com",
        "umac-128@openssh.com",
        "hmac-sha2-512",
        "hmac-sha2-256"
      ],
      "compression_algorithms": ["none"],
      "key_exchange_algorithms": [
        {"algorithm": "curve25519-sha256@libssh.org"},
        {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048},
        {"algorithm": "ecdh-sha2-nistp521"},
        {"algorithm": "ecdh-sha2-nistp384"},
        {"algorithm": "ecdh-sha2-nistp256"}
      ],
      "fingerprints": [
        {"hash": "zDyiQDFSdBbKGL0vFgMWa0cdEI1R4QGtkEMHY/BlqT0", "hash_alg": "SHA256", "hostkey": "ssh-ed25519"},
        {"hash": "c8:2c:ee:3b:bc:ae:0e:8b:0d:6f:f2:b6:77:25:69:aa", "hash_alg": "MD5", "hostkey": "ssh-ed25519"},
        {"hash": "khLYpAPy+wFXAh+p6PBgNrmO4Qjs0KIDBuyb83m/1j4", "hash_alg": "SHA256", "hostkey": "ssh-rsa"},
        {"hash": "62:b4:fe:be:11:54:61:6b:c3:b8:e4:98:f3:41:84:73", "hash_alg": "MD5", "hostkey": "ssh-rsa"}
      ]
    },
    "id": "db665096-f1a6-4f2b-b51d-77c79ff71df5",
    "parsed_at": "2023-05-11T08:50:57.430Z"
  },
  {
    "name": "Insecure SSH KEX Algorithms",
    "description": "Discouraged SSH key exchange algorithms in use",
    "mitigation": "Remove these KEX algorithms",
    "severity": "HIGH",
    "category": "SSH Policy Violation",
    "location": "ssh://127.0.0.1",
    "attributes": {
      "algorithms": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"]
    },
    "id": "5d037bd0-dcea-4b88-b041-0ec8f206397f",
    "parsed_at": "2023-05-11T08:50:57.430Z"
  },
  {
    "name": "Insecure SSH Key Algorithms",
    "description": "Discouraged SSH key algorithms in use",
    "mitigation": "Remove these key algorithms",
    "severity": "HIGH",
    "category": "SSH Policy Violation",
    "location": "ssh://127.0.0.1",
    "attributes": {"algorithms": ["ecdsa-sha2-nistp256", "ssh-rsa"]},
    "id": "66608534-102d-46db-adf1-d864af4a2378",
    "parsed_at": "2023-05-11T08:50:57.430Z"
  },
  {
    "name": "SSH KEX Algorithms must be added",
    "description": "SSH key exchange algorithms missing",
    "mitigation": "Add these KEX algorithms",
    "severity": "LOW",
    "category": "SSH Policy Violation",
    "location": "ssh://127.0.0.1",
    "attributes": {
      "algorithms": [
        "curve25519-sha256",
        "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512"
      ]
    },
    "id": "baa8ec32-b2f9-4081-b725-0203efd3ea3e",
    "parsed_at": "2023-05-11T08:50:57.430Z"
  },
  {
    "name": "Insecure SSH MAC Algorithms",
    "description": "Discouraged SSH message authentication code algorithms in use",
    "mitigation": "Remove these MAC algorithms",
    "severity": "MEDIUM",
    "category": "SSH Policy Violation",
    "location": "ssh://127.0.0.1",
    "attributes": {
      "algorithms": ["hmac-sha2-256", "hmac-sha2-512", "umac-128@openssh.com"]
    },
    "id": "7e1bf6ee-a74d-409c-9dcc-20e66162ab5b",
    "parsed_at": "2023-05-11T08:50:57.430Z"
  },
  {
    "name": "CVE-2021-41617",
    "description": "privilege escalation via supplemental groups",
    "category": "SSH Violation",
    "location": "ssh://127.0.0.1",
    "severity": "HIGH",
    "attributes": {"cvssv2": 7},
    "references": [
      {"type": "CVE", "value": "CVE-2021-41617"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2021-41617"}
    ],
    "id": "7475dd22-b8b6-49be-8277-e6a3d574b556",
    "parsed_at": "2023-05-11T08:50:57.430Z"
  },
  {
    "name": "CVE-2020-15778",
    "description": "command injection via anomalous argument transfers",
    "category": "SSH Violation",
    "location": "ssh://127.0.0.1",
    "severity": "HIGH",
    "attributes": {"cvssv2": 7.8},
    "references": [
      {"type": "CVE", "value": "CVE-2020-15778"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2020-15778"}
    ],
    "id": "6d2b751b-8839-4172-a43f-e22d3426cf01",
    "parsed_at": "2023-05-11T08:50:57.430Z"
  },
  {
    "name": "CVE-2016-20012",
    "description": "enumerate usernames via challenge response",
    "category": "SSH Violation",
    "location": "ssh://127.0.0.1",
    "severity": "MEDIUM",
    "attributes": {"cvssv2": 5.3},
    "references": [
      {"type": "CVE", "value": "CVE-2016-20012"},
      {"type": "URL", "value": "https://nvd.nist.gov/vuln/detail/CVE-2016-20012"}
    ],
    "id": "d4a5a676-5bf2-4df6-bac0-f479e0a88fbd",
    "parsed_at": "2023-05-11T08:50:57.430Z"
  }
]
```