
DevSec SSH Baseline - InSpec Profile

Results 22 ssh-baseline issues

Because of historical reasons (RHEL 6 did some special things) we use OS version to detect the best usable SSH Ciphers/Kex/Mac. Instead we should use OpenSSH version to determine available...

**Describe the bug** Can't start sshd baseline config at ssh server **Expected behavior** expected that sshd config start without errors **Actual behavior** in attached screen **Example code** in attached screen...

sh-baseline | ssh-22 | Bash command ssh -G localhost stdout is expected to match "ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr" | KO | expected "user root\nhostname localhost\nport 22\naddressfamily any\nbatchmode no\ncanonicalizefallbacklocal y...trolpersist no\nescapechar ~\nipqos lowdelay...

**Describe the bug** The subject option has been deprecated since OpenSSH 7.5 (https://www.openssh.com/txt/release-7.5), hence the check shall be conditional. **Expected behavior** No error **Actual behavior** ```paste below × sshd-16: Server:...

Hi, I've been running the ssh-baseline for some time and recently ran the CentOS 7 CIS-1 baseline and the `xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO` control fails: ``` × xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO: Ensure SSH LogLevel is set to...

Removing the `s` of `30s` makes it compatible with the `

**Is your feature request related to a problem? Please describe.** I use https://github.com/dev-sec/cis-dil-benchmark as well as this profile. In the cis profile the check is '

According to [this thread](https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-November/033177.html), compression can be vulnerable to CRIME/BREACH attacks (if the encrypted data carries public data as well). I am not into crypto but I guess compression should...

help wanted
hacktoberfest

**Describe the bug** Currently it is defined that ssh on CentOS 6 supports only macs from `macs53` [list](https://github.com/dev-sec/ssh-baseline/blob/b543c1748f74828647e4419a5291b676d3437325/libraries/ssh_crypto.rb#L156). With these settings it's impossible to connect by ssh from CentOS 6 to...

help wanted
hacktoberfest