Include policy violation finding in ssh_scan

J12934 · J12934 · commit e258aaf8b056 · 2020-04-02T23:36:36.000+02:00
diff --git a/integrations/ssh_scan/parser/parser.js b/integrations/ssh_scan/parser/parser.js
@@ -1,3 +1,129 @@
+const policyViolationFindingRules = [
+  {
+    policyViolationPrefix: /^Add these key exchange algorithms/,
+    findingTemplate: {
+      description: "Good / encouraged SSH key algorithms are missing",
+      name: "Missing SSH Key Algorithms"
+    }
+  },
+  {
+    policyViolationPrefix: /^Add these MAC algorithms/,
+    findingTemplate: {
+      description: "Good / encouraged SSH MAC algorithms are missing",
+      name: "Missing SSH MAC Algorithms"
+    }
+  },
+  {
+    policyViolationPrefix: /^Add these encryption ciphers/,
+    findingTemplate: {
+      description: "Good / encouraged SSH encryption ciphers are missing",
+      name: "Missing SSH encryption Ciphers"
+    }
+  },
+  {
+    policyViolationPrefix: /^Add these compression algorithms/,
+    findingTemplate: {
+      description: "Good / encouraged SSH compression algorithms are missing",
+      name: "Missing SSH compression algorithms"
+    }
+  },
+  {
+    policyViolationPrefix: /^Add these authentication methods/,
+    findingTemplate: {
+      description: "Good / encouraged SSH authentication methods are missing",
+      name: "Missing SSH authentication methods"
+    }
+  },
+  {
+    policyViolationPrefix: /^Remove these key exchange algorithms/,
+    findingTemplate: {
+      description: "Deprecated / discouraged SSH key algorithms are used",
+      name: "Insecure SSH Key Algorithms"
+    }
+  },
+  {
+    policyViolationPrefix: /^Remove these MAC algorithms/,
+    findingTemplate: {
+      description: "Deprecated / discouraged SSH MAC algorithms are used",
+      name: "Insecure SSH MAC Algorithms"
+    }
+  },
+  {
+    policyViolationPrefix: /^Remove these encryption ciphers/,
+    findingTemplate: {
+      description: "Deprecated / discouraged SSH encryption ciphers are used",
+      name: "Insecure SSH encryption Ciphers"
+    }
+  },
+  {
+    policyViolationPrefix: /^Remove these compression algorithms/,
+    findingTemplate: {
+      description:
+        "Deprecated / discouraged SSH compression algorithms are used",
+      name: "Insecure SSH compression algorithms"
+    }
+  },
+  {
+    policyViolationPrefix: /^Remove these authentication methods/,
+    findingTemplate: {
+      description: "Discouraged SSH authentication methods are used",
+      name: "Discouraged SSH authentication methods"
+    }
+  },
+  {
+    policyViolationPrefix: /^Update your ssh version to/,
+    findingTemplate: {
+      description: "Outdated SSH protocol version used",
+      name: "Outdated SSH Protocol Version"
+    }
+  }
+];
+
+function createPolicyViolationFinding({
+  name,
+  description,
+  recommendation,
+  host: { hostname, ipAddress }
+}) {
+  const payload = recommendation.split(": ")[1].split(", ");
+
+  return {
+    name,
+    description,
+    category: "SSH Policy Violation",
+    osi_layer: "NETWORK",
+    severity: "MEDIUM",
+    reference: {},
+    hint: recommendation,
+    location: hostname || ipAddress,
+    attributes: {
+      hostname: hostname,
+      ip_address: ipAddress,
+      payload: payload
+    }
+  };
+}
+
+/**
+ * Transforms a recommendation string from the Mozilla SSH_Scan Tools into a SSH Policy Violation Findings
+ * @param {string} recommendation
+ */
+function transformRecommendationToFinding(
+  recommendation,
+  { hostname, ipAddress }
+) {
+  for (const rule of policyViolationFindingRules) {
+    if (rule.policyViolationPrefix.test(recommendation)) {
+      return createPolicyViolationFinding({
+        name: rule.findingTemplate.name,
+        description: rule.findingTemplate.description,
+        recommendation,
+        host: { hostname, ipAddress }
+      });
+    }
+  }
+}
+
 async function parse(fileContent) {
   const hosts = fileContent;
 
@@ -7,17 +133,28 @@ async function parse(fileContent) {
         return undefined;
       }
 
-      const location = host.hostname || host.ip;
+      const hostname = host.hostname || null;
+      const ipAddress = host.ip;
+
+      const recommendations = host.compliance.recommendations || [];
+      const policyViolationFindings = recommendations.map(recommendation =>
+        transformRecommendationToFinding(recommendation, {
+          hostname,
+          ipAddress
+        })
+      );
+
+      const location = hostname || ipAddress;
       const compliance = host.compliance;
 
-      return {
-        name: 'SSH Service',
-        description: 'SSH Service Information',
-        category: 'SSH Service',
-        osi_layer: 'APPLICATION',
-        severity: 'INFORMATIONAL',
+      const serviceFinding = {
+        name: "SSH Service",
+        description: "SSH Service Information",
+        category: "SSH Service",
+        osi_layer: "APPLICATION",
+        severity: "INFORMATIONAL",
         reference: {},
-        hint: '',
+        hint: "",
         location: location,
         attributes: {
           hostname: host.hostname || null,
@@ -34,9 +171,11 @@ async function parse(fileContent) {
           key_algorithms: host.key_algorithms,
           encryption_algorithms: host.encryption_algorithms_server_to_client,
           mac_algorithms: host.mac_algorithms_server_to_client,
-          compression_algorithms: host.compression_algorithms_server_to_client,
-        },
+          compression_algorithms: host.compression_algorithms_server_to_client
+        }
       };
+
+      return [serviceFinding, ...policyViolationFindings];
     })
     .filter(Boolean);
 }
diff --git a/integrations/ssh_scan/parser/parser.test.js b/integrations/ssh_scan/parser/parser.test.js
@@ -1,25 +1,25 @@
-const fs = require('fs');
-const util = require('util');
+const fs = require("fs");
+const util = require("util");
 
 // eslint-disable-next-line security/detect-non-literal-fs-filename
 const readFile = util.promisify(fs.readFile);
 
-const { parse } = require('./parser');
+const { parse } = require("./parser");
 
-test('ssh-scan parser parses errored result (no ssh server) to zero findings', async () => {
+test("ssh-scan parser parses errored result (no ssh server) to zero findings", async () => {
   const hosts = JSON.parse(
-    await readFile(__dirname + '/__testFiles__/localhost.json', {
-      encoding: 'utf8',
+    await readFile(__dirname + "/__testFiles__/localhost.json", {
+      encoding: "utf8"
     })
   );
 
   expect(await parse(hosts)).toEqual([]);
 });
 
-test('ssh-scan parser parses a proper result to proper findings', async () => {
+test("ssh-scan parser parses a proper result to proper findings", async () => {
   const hosts = JSON.parse(
-    await readFile(__dirname + '/__testFiles__/securecodebox.io.json', {
-      encoding: 'utf8',
+    await readFile(__dirname + "/__testFiles__/securecodebox.io.json", {
+      encoding: "utf8"
     })
   );
 
@@ -84,14 +84,51 @@ test('ssh-scan parser parses a proper result to proper findings', async () => {
         "reference": Object {},
         "severity": "INFORMATIONAL",
       },
+      Object {
+        "attributes": Object {
+          "hostname": "securecodebox.io",
+          "ip_address": "138.201.126.99",
+          "payload": Array [
+            "diffie-hellman-group14-sha1",
+          ],
+        },
+        "category": "SSH Policy Violation",
+        "description": "Deprecated / discouraged SSH key algorithms are used",
+        "hint": "Remove these key exchange algorithms: diffie-hellman-group14-sha1",
+        "location": "securecodebox.io",
+        "name": "Insecure SSH Key Algorithms",
+        "osi_layer": "NETWORK",
+        "reference": Object {},
+        "severity": "MEDIUM",
+      },
+      Object {
+        "attributes": Object {
+          "hostname": "securecodebox.io",
+          "ip_address": "138.201.126.99",
+          "payload": Array [
+            "umac-64-etm@openssh.com",
+            "hmac-sha1-etm@openssh.com",
+            "umac-64@openssh.com",
+            "hmac-sha1",
+          ],
+        },
+        "category": "SSH Policy Violation",
+        "description": "Deprecated / discouraged SSH MAC algorithms are used",
+        "hint": "Remove these MAC algorithms: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1",
+        "location": "securecodebox.io",
+        "name": "Insecure SSH MAC Algorithms",
+        "osi_layer": "NETWORK",
+        "reference": Object {},
+        "severity": "MEDIUM",
+      },
     ]
   `);
 });
 
-test('ssh-scan parser parses a result without a hostname into proper findings', async () => {
+test("ssh-scan parser parses a result without a hostname into proper findings", async () => {
   const hosts = JSON.parse(
-    await readFile(__dirname + '/__testFiles__/192.168.42.42.json', {
-      encoding: 'utf8',
+    await readFile(__dirname + "/__testFiles__/192.168.42.42.json", {
+      encoding: "utf8"
     })
   );
 
@@ -157,6 +194,60 @@ test('ssh-scan parser parses a result without a hostname into proper findings',
         "reference": Object {},
         "severity": "INFORMATIONAL",
       },
+      Object {
+        "attributes": Object {
+          "hostname": null,
+          "ip_address": "192.168.42.42",
+          "payload": Array [
+            "diffie-hellman-group14-sha1",
+          ],
+        },
+        "category": "SSH Policy Violation",
+        "description": "Deprecated / discouraged SSH key algorithms are used",
+        "hint": "Remove these key exchange algorithms: diffie-hellman-group14-sha1",
+        "location": "192.168.42.42",
+        "name": "Insecure SSH Key Algorithms",
+        "osi_layer": "NETWORK",
+        "reference": Object {},
+        "severity": "MEDIUM",
+      },
+      Object {
+        "attributes": Object {
+          "hostname": null,
+          "ip_address": "192.168.42.42",
+          "payload": Array [
+            "umac-64-etm@openssh.com",
+            "hmac-sha1-etm@openssh.com",
+            "umac-64@openssh.com",
+            "hmac-sha1",
+          ],
+        },
+        "category": "SSH Policy Violation",
+        "description": "Deprecated / discouraged SSH MAC algorithms are used",
+        "hint": "Remove these MAC algorithms: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1",
+        "location": "192.168.42.42",
+        "name": "Insecure SSH MAC Algorithms",
+        "osi_layer": "NETWORK",
+        "reference": Object {},
+        "severity": "MEDIUM",
+      },
+      Object {
+        "attributes": Object {
+          "hostname": null,
+          "ip_address": "192.168.42.42",
+          "payload": Array [
+            "password",
+          ],
+        },
+        "category": "SSH Policy Violation",
+        "description": "Discouraged SSH authentication methods are used",
+        "hint": "Remove these authentication methods: password",
+        "location": "192.168.42.42",
+        "name": "Discouraged SSH authentication methods",
+        "osi_layer": "NETWORK",
+        "reference": Object {},
+        "severity": "MEDIUM",
+      },
     ]
   `);
 });
