
feature: exit with non-zero exit code

Open maticmeznar opened this issue 9 years ago • 3 comments

Since ssh-audit can be used in a script, it would be nice if ssh-audit would exit with an exit code of 2 if there are 1 or more recommendations. I'd be fine with this requiring an optional command argument.

maticmeznar avatar Oct 16 '16 18:10 maticmeznar

Currently this tool has pretty standard behavior - exits with 0 on success and with 1 if something failed (connection, data, etc). I don't think it is wise to change the exit code to < 0 if everything was run fine, therefore I would opt for the option to control this behavior, as you suggested.

I'd like to have a bit more of your thoughts on this. For example:

  • recommendations are given only on what can be done to make configuration better for specific software and version, but that means that sometimes, even if there are no recommendations, there will be fail-s reported. In this case the only "recommendation" could be: "upgrade". And since in this case the output of recommendations would be empty, what would the error code be - zero? Maybe it's better to handle the exit code based on given fail-s and warn-s?
  • there can be a situation when there are no recommendations, but this specific software has known vulnerabilities or exploits (reported in the security section). What exit code to use then?

See where I'm getting with this? A bit more careful planning must be done before implementing this feature.

arthepsy avatar Oct 20 '16 17:10 arthepsy

Thank you for the reply @arthepsy

My hypothetical use case would be to use ssh-audit as part of continuous auditing of all SSH servers using Sensu or Nagios checks. In Nagios compatible checks, exit code 0 means PASS, 1=WARN, 2=CRITICAL,3=CHECKERROR. This is the primary reason behind wanting exit code 2.

> there can be situation, when there are no recommendations, but this specific software has known vulnerabilities or exploits (reported in security section). What exit code to use then?

Exit code 2. I think running ssh-agent in my proposed mode should only return 2 if there are security issues or a severe case of misconfiguration that could lead to problems, regardless of SSH server version. If upgrading SSH server is the only way to fix them, then upgrade is what should be done to silence the alarm (get exit code 0).

Basically, exit code 0 should mean "based on all information available to ssh-audit, this SSH server version and configuration are secure".

maticmeznar avatar Oct 21 '16 07:10 maticmeznar
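The Nagios-style mapping proposed in this thread (0 = PASS, 1 = WARN, 2 = CRITICAL, 3 = CHECKERROR), as an added example wrapper that is not part of ssh-audit itself or of any comment above. It assumes ssh-audit's text output tags each finding with a `[fail]`, `[warn]` or `[info]` marker and classifies on those markers rather than on the recommendations list, so a server whose only fix is an upgrade still goes CRITICAL; the sample report is constructed.

```python
#!/usr/bin/env python3
"""Nagios/Sensu check wrapping ssh-audit (added example, not ssh-audit's own code).
Assumption not taken from the thread: ssh-audit's text output tags findings
with "[fail]", "[warn]" or "[info]" markers. Usage: check_ssh_audit.py <host> [port]
"""
import re
import subprocess
import sys

# Nagios plugin exit codes as described in the thread: PASS/WARN/CRITICAL/CHECKERROR.
NAGIOS_OK, NAGIOS_WARN, NAGIOS_CRITICAL, NAGIOS_UNKNOWN = 0, 1, 2, 3
MARKER = re.compile(r"\[(fail|warn)\]")

def classify(output):
    """Map ssh-audit text output to (exit_code, fail_count, warn_count).
    Any [fail] (including the security/CVE section) is CRITICAL; [warn]
    only is WARNING; a report with neither is OK.
    """
    levels = MARKER.findall(output)
    fails, warns = levels.count("fail"), levels.count("warn")
    if fails:
        return NAGIOS_CRITICAL, fails, warns
    if warns:
        return NAGIOS_WARN, fails, warns
    return NAGIOS_OK, fails, warns

def run_check(host, port="22"):
    """Run ssh-audit; tool or connection errors map to UNKNOWN (3), never OK."""
    try:
        proc = subprocess.run(["ssh-audit", f"{host}:{port}"],
                              capture_output=True, text=True, timeout=60)
    except (OSError, subprocess.TimeoutExpired) as exc:
        print(f"SSH-AUDIT UNKNOWN - {exc}")
        return NAGIOS_UNKNOWN
    if not proc.stdout.strip():  # no report at all: connection/data failure
        print(f"SSH-AUDIT UNKNOWN - rc={proc.returncode} {proc.stderr.strip()}")
        return NAGIOS_UNKNOWN
    code, fails, warns = classify(proc.stdout)
    label = ("OK", "WARNING", "CRITICAL")[code]
    print(f"SSH-AUDIT {label} - {fails} fail, {warns} warn on {host}:{port}")
    return code

# Constructed sample in ssh-audit's output style, to exercise classify() offline.
SAMPLE_REPORT = """(kex) diffie-hellman-group1-sha1 -- [fail] removed since OpenSSH 6.7, unsafe
(enc) aes128-cbc -- [warn] using weak cipher mode
(mac) hmac-sha2-256 -- [info] available since OpenSSH 5.9
"""

if __name__ == "__main__":
    sys.exit(run_check(*sys.argv[1:3]) if 1 < len(sys.argv) < 4 else NAGIOS_UNKNOWN)
```

Because the check never returns 0 unless the report is present and clean, a connection failure shows up as CHECKERROR rather than silently passing.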

One possibility is to define an environment variable detailing the error code further.

egberts avatar May 20 '22 14:05 egberts