
Commit 9305835

custom path and user added
Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
1 parent 5dc04cb commit 9305835

1 file changed

Lines changed: 7 additions & 5 deletions


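--- a/controls/sshd_spec.rb
+++ b/controls/sshd_spec.rb
@@ -28,6 +28,8 @@
 sshd_x11forwarding = attribute('sshd_x11forwarding', value: 'no', description: 'Expected value for sshd_config X11Forwarding')
 sshd_banner = attribute('sshd_banner', value: 'none', description: 'Expected value for sshd_config Banner')
 sshd_max_auth_tries = attribute('sshd_max_auth_tries', value: 2, description: 'Expected value for max_auth_retries')
+sshd_custom_user = attribute('custom_user', value: 'root', description: 'The SSH user is not always root. It must be an unprivileged user in a container')
+sshd_custom_path = attribute('custom_path', value: '/etc/ssh', description: 'Sometimes ssh configuration files are present in another location and ssh use them with the -f flag')
 
 only_if do
 command('sshd').exist?
@@ -63,12 +65,12 @@
 control 'sshd-04' do
 impact 1.0
 title 'Server: Check SSH folder owner, group and permissions.'
-desc 'The SSH folder should owned by root, only be writable by owner and readable by others.'
-describe file('/etc/ssh') do
+desc 'The SSH folder should owned by root or a defined user, only be writable by owner and readable by others.'
+describe file(sshd_custom_path) do
 it { should exist }
 it { should be_directory }
 it { should be_owned_by 'root' }
-it { should be_grouped_into os.darwin? ? 'wheel' : 'root' }
+it { should be_grouped_into os.darwin? ? 'wheel' : sshd_custom_user }
 it { should be_executable }
 it { should be_readable.by('owner') }
 it { should be_readable.by('group') }
@@ -84,7 +86,7 @@
 title 'Server: Check sshd_config owner, group and permissions.'
 desc 'The sshd_config should owned by root, only be writable/readable by owner and not be executable.'
 
-describe file('/etc/ssh/sshd_config') do
+describe file(sshd_custom_path + '/sshd_config') do
 it { should exist }
 it { should be_file }
 it { should be_owned_by 'root' }
@@ -481,7 +483,7 @@
 impact 1.0
 title 'Server: DH primes'
 desc 'Verifies if strong DH primes are used in /etc/ssh/moduli'
-describe bash("test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0") do
+describe bash("test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' " + sshd_custom_path + "/moduli | uniq | wc -c) -eq 0") do
 its('exit_status') { should eq 0 }
 its('stdout') { should eq '' }
 its('stderr') { should eq '' }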
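Review bot: The new `describe bash(...)` line in the last hunk splices `sshd_custom_path` into the shell command unquoted, so an attribute value containing whitespace or shell metacharacters alters the awk invocation instead of just pointing it at another moduli file; the `file(sshd_custom_path + '/sshd_config')` line in the previous hunk also builds the path by plain concatenation, where `File.join` would avoid a doubled or missing separator. Build the path with `File.join` and escape it for the shell, e.g. `describe bash("test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' #{File.join(sshd_custom_path, 'moduli').shellescape} | uniq | wc -c) -eq 0") do`, with `require 'shellwords'` added at the top of the file (outside this hunk). The control's `desc` still names `/etc/ssh/moduli` literally even though the path is now an attribute; `desc "Verifies if strong DH primes are used in #{sshd_custom_path}/moduli"` keeps the description truthful. The enclosing `control` block starts and ends outside the hunk.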
