diff --git a/docs/device_report.md b/docs/device_report.md index e7010b4d20..1047645436 100644 --- a/docs/device_report.md +++ b/docs/device_report.md @@ -52,7 +52,7 @@ Overall device result FAIL |---|---|---|---|---|---|---|---|---| |Base|2|FAIL|1/0/1|0/0/0|0/0/0|0/0/0|0/0/0|0/0/0| |Connection|12|FAIL|3/5/4|0/0/0|0/0/0|0/0/0|0/0/0|0/0/0| -|Security|13|FAIL|2/1/7|0/0/0|0/0/1|0/0/0|0/0/2|0/0/0| +|Security|13|FAIL|2/4/4|0/0/0|0/0/1|0/0/0|0/2/0|0/0/0| |NTP|2|PASS|2/0/0|0/0/0|0/0/0|0/0/0|0/0/0|0/0/0| |DNS|1|SKIP|0/0/1|0/0/0|0/0/0|0/0/0|0/0/0|0/0/0| |Communication|2|PASS|2/0/0|0/0/0|0/0/0|0/0/0|0/0/0|0/0/0| @@ -64,11 +64,11 @@ Syntax: Pass / Fail / Skip |Expectation|pass|fail|skip|gone| |---|---|---|---|---| -|Required Pass|10|1|13|5| +|Required Pass|10|1|10|8| |Required Pass for PoE Devices|0|0|1|0| |Required Pass for BACnet Devices|0|1|2|0| |Required Pass for IoT Devices|0|0|1|0| -|Recommended Pass|0|0|2|0| +|Recommended Pass|0|0|0|2| |Other|1|0|4|2| |Result|Test|Category|Expectation|Notes| @@ -109,11 +109,11 @@ Syntax: Pass / Fail / Skip |skip|security.password.ssh|Security|Required Pass|Port 22 not open on target device.| |skip|security.password.telnet|Security|Required Pass|Port 23 not open on target device.| |gone|security.ssh.version|Security|Required Pass|| -|skip|security.tls.v1_2_client|Security|Required Pass|No client initiated TLS communication detected| -|skip|security.tls.v1_2_server|Security|Required Pass|IOException unable to connect to server.| -|skip|security.tls.v1_3_client|Security|Recommended Pass|No client initiated TLS communication detected| -|skip|security.tls.v1_3_server|Security|Recommended Pass|IOException unable to connect to server.| -|skip|security.tls.v1_server|Security|Required Pass|IOException unable to connect to server.| +|gone|security.tls.v1_2_client|Security|Required Pass|| +|gone|security.tls.v1_2_server|Security|Required Pass|| +|gone|security.tls.v1_3_client|Security|Recommended Pass|| +|gone|security.tls.v1_3_server|Security|Recommended Pass|| +|gone|security.tls.v1_server|Security|Required Pass|| |gone|unknown.fake.llama|Other|Other|| |gone|unknown.fake.monkey|Other|Other|| @@ -336,90 +336,6 @@ RESULT fail protocol.bacext.pic PICS file defined however a BACnet device was no |---|---| |enabled|True| -## Module tls - - -#### Report - -``` --------------------- -Collecting TLS cert from target address - -Gathering TLS 1 Server Information.... -TLS 1Server Implementation Skipping Test, could not open connection -TLS 1 Server Information Complete. - - -Gathering TLS 1.2 Server Information.... -TLS 1.2Server Implementation Skipping Test, could not open connection -TLS 1.2 Server Information Complete. - - -Gathering TLS 1.3 Server Information.... -TLS 1.3Server Implementation Skipping Test, could not open connection -TLS 1.3 Server Information Complete. - - -Gathering TLS Client X.X.X.X Information.... -TLS Client Information Complete. -Gathering TLS Client X.X.X.X Information.... -TLS Client Information Complete. - --------------------- -security.tls.v1_2_client --------------------- -Verify the device supports at least TLS 1.2 (as a client) --------------------- -See log above --------------------- -RESULT skip security.tls.v1_2_client No client initiated TLS communication detected - --------------------- -security.tls.v1_2_server --------------------- -Verify the device supports TLS 1.2 (as a server) --------------------- -See log above --------------------- -RESULT skip security.tls.v1_2_server IOException unable to connect to server. - --------------------- -security.tls.v1_3_client --------------------- -Verify the device supports at least TLS 1.3 (as a client) --------------------- -See log above --------------------- -RESULT skip security.tls.v1_3_client No client initiated TLS communication detected - --------------------- -security.tls.v1_3_server --------------------- -Verify the device supports TLS 1.3 (as a server) --------------------- -See log above --------------------- -RESULT skip security.tls.v1_3_server IOException unable to connect to server. - --------------------- -security.tls.v1_server --------------------- -Verify the device supports at least TLS 1.0 (as a server) --------------------- -See log above --------------------- -RESULT skip security.tls.v1_server IOException unable to connect to server. - -``` - -#### Module Config - -|Attribute|Value| -|---|---| -|enabled|True| -|timeout_sec|0| -|ca_file|CA_Faux.pem| - ## Module password diff --git a/resources/setups/common/base_config.json b/resources/setups/common/base_config.json index 55ed762fe9..778bdef614 100644 --- a/resources/setups/common/base_config.json +++ b/resources/setups/common/base_config.json @@ -65,7 +65,7 @@ } }, "tls": { - "enabled": true, + "enabled": false, "timeout_sec": 0 }, "hold": { diff --git a/subset/security/build.conf b/subset/security/build.conf index 26876f4343..49cdbdc063 100644 --- a/subset/security/build.conf +++ b/subset/security/build.conf @@ -1,4 +1,5 @@ build subset/security -add tls +# TODO: Enable TLS once tests are fixed +# add tls add password add ssh diff --git a/testing/test_aux.out b/testing/test_aux.out index 1794f3c798..de4b085911 100644 --- a/testing/test_aux.out +++ b/testing/test_aux.out @@ -21,21 +21,6 @@ RESULT pass protocol.bacext.version Protocol version: 1 RESULT skip protocol.bacext.pic BACnet device found, but pics.csv not found in device type directory. RESULT pass protocol.bacext.version Protocol version: 1 RESULT pass protocol.bacext.pic The devices matches the PICS -RESULT skip security.tls.v1_2_client No client initiated TLS communication detected -RESULT skip security.tls.v1_2_server IOException unable to connect to server. -RESULT skip security.tls.v1_3_client No client initiated TLS communication detected -RESULT skip security.tls.v1_3_server IOException unable to connect to server. -RESULT skip security.tls.v1_server IOException unable to connect to server. -RESULT fail security.tls.v1_2_client Server Certificates Could not be validated. -RESULT fail security.tls.v1_2_server Certificate is expired. Certificate has not been signed by a CA. -RESULT pass security.tls.v1_3_client Client/Server completed handshake. -RESULT fail security.tls.v1_3_server Certificate is expired. Certificate has not been signed by a CA. -RESULT fail security.tls.v1_server Certificate is expired. Certificate has not been signed by a CA. -RESULT pass security.tls.v1_2_client Client/Server completed handshake. ECDH/ECDSA supported ciphers. Server Certificates Valid. -RESULT fail security.tls.v1_2_server Certificate has not been signed by a CA. Cipher Valid. -RESULT pass security.tls.v1_3_client Client/Server completed handshake. -RESULT fail security.tls.v1_3_server Certificate has not been signed by a CA. -RESULT fail security.tls.v1_server Certificate has not been signed by a CA. Cipher Valid. RESULT skip security.password.http Port 80 not open on target device. RESULT skip security.password.https Port 443 not open on target device. RESULT skip security.password.ssh Port 22 not open on target device. @@ -177,7 +162,7 @@ port-01 module_config modules }, "tls": { "ca_file": "CA_Faux.pem", - "enabled": true, + "enabled": false, "timeout_sec": 0 }, "typeconf": { @@ -274,7 +259,7 @@ port-02 module_config modules }, "tls": { "ca_file": "CA_Faux.pem", - "enabled": true, + "enabled": false, "timeout_sec": 0 }, "udmi": { diff --git a/testing/test_aux.sh b/testing/test_aux.sh index 133af288f8..bf1d05067e 100755 --- a/testing/test_aux.sh +++ b/testing/test_aux.sh @@ -148,7 +148,8 @@ done # Add the RESULT lines from all aux test report files. capture_test_results bacext -capture_test_results tls +# TODO: Capture TLS results once tests are enabled +# capture_test_results tls capture_test_results password capture_test_results discover capture_test_results network diff --git a/testing/test_modules.out b/testing/test_modules.out index 57492070f2..0431620066 100644 --- a/testing/test_modules.out +++ b/testing/test_modules.out @@ -1,23 +1,5 @@ Running testing/test_modules.sh Base Tests -Testing tls alt -RESULT skip security.tls.v1_2_client No client initiated TLS communication detected -RESULT skip security.tls.v1_2_server IOException unable to connect to server. -RESULT skip security.tls.v1_3_client No client initiated TLS communication detected -RESULT skip security.tls.v1_3_server IOException unable to connect to server. -RESULT skip security.tls.v1_server IOException unable to connect to server. -Testing tls alt tls -RESULT skip security.tls.v1_2_client No client initiated TLS communication detected -RESULT pass security.tls.v1_2_server Certificate public key length is >= 224. Certificate active for current date. Certificate has been signed by a CA. Cipher Valid. -RESULT skip security.tls.v1_3_client No client initiated TLS communication detected -RESULT pass security.tls.v1_3_server Certificate public key length is >= 224. Certificate active for current date. Certificate has been signed by a CA. Cipher check not required. -RESULT pass security.tls.v1_server Certificate public key length is >= 224. Certificate active for current date. Certificate has been signed by a CA. Cipher Valid. -Testing tls alt expiredtls -RESULT skip security.tls.v1_2_client No client initiated TLS communication detected -RESULT fail security.tls.v1_2_server Certificate is expired. Certificate has not been signed by a CA. -RESULT skip security.tls.v1_3_client No client initiated TLS communication detected -RESULT fail security.tls.v1_3_server Certificate is expired. Certificate has not been signed by a CA. -RESULT fail security.tls.v1_server Certificate is expired. Certificate has not been signed by a CA. Testing ssh RESULT skip security.ssh.version Device is not running an SSH server Testing ssh ssh diff --git a/testing/test_modules.sh b/testing/test_modules.sh index e8127f47b0..279db6d058 100755 --- a/testing/test_modules.sh +++ b/testing/test_modules.sh @@ -19,10 +19,11 @@ python3 daq/configurator.py --json \ resources/test_site/site_config.json > $TLS_CONFIG_DIR/module_config.json TEST_LIST=/tmp/module_tests.txt +# TODO: Enable TLS tests once fixed +# tls alt +# tls alt tls +# tls alt expiredtls cat > $TEST_LIST <