diff --git a/providers-sdk/v1/testutils/testdata/arch.json b/providers-sdk/v1/testutils/testdata/arch.json
index aad2905db3..5bf5507d91 100644
--- a/providers-sdk/v1/testutils/testdata/arch.json
+++ b/providers-sdk/v1/testutils/testdata/arch.json
@@ -488,7 +488,7 @@ "Fields": { "content": { "type": "\u0007", - "value": "# #\n# Ansible managed\n#\n\n# This is the ssh client system-wide configuration file.\n# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.\n\n\n# Basic configuration\n# ===================\n\n# Either disable or only allow root login via certificates.\nPermitRootLogin no\n\n# Define which port sshd should listen to. Default to `22`.\nPort 22\n\n# Address family should always be limited to the active network configuration.\nAddressFamily inet\n\n# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.\nListenAddress 0.0.0.0\n\n# List HostKeys here.\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\n\n# Specifies the host key algorithms that the server offers.\n#\n# HostKeyAlgorithms\n#\n\n# Security configuration\n# ======================\n\n# Set the protocol version to 2 for security reasons. Disables legacy support.\nProtocol 2\n\n# Make sure sshd checks file modes and ownership before accepting logins. 
This prevents accidental misconfiguration.\nStrictModes yes\n\n# Logging, obsoletes QuietMode and FascistLogging\nSyslogFacility AUTH\nLogLevel VERBOSE\n\n# Cryptography\n# ------------\n\n# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added\n# CBC: is true if you want to connect with OpenSSL-base libraries\n# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work\n# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)\n#\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n\n# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.\n# Weak HMAC is sometimes required if older package versions are used\n# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.\n#\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256\n\n# Alternative setting, if OpenSSH version is below v5.9\n#MACs hmac-ripemd160\n\n# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary\n# Weak kex is sometimes required if older package versions are used\n# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.\n# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf\n\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n\n# Authentication\n# --------------\n\n# Secure Login directives.\n\nLoginGraceTime 30s\nMaxAuthTries 2\nMaxSessions 10\nMaxStartups 10:30:60\n\n# Enable public key authentication\nPubkeyAuthentication yes\n\n# Never use host-based authentication. 
It can be exploited.\nIgnoreRhosts yes\nIgnoreUserKnownHosts yes\nHostbasedAuthentication no\n\n# Enable PAM to enforce system wide rules\nUsePAM yes\n\n# Set AuthenticationMethods per default to publickey\n# AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2\nAuthenticationMethods publickey\n\n# Disable password-based authentication, it can allow for potentially easier brute-force attacks.\nPasswordAuthentication no\nPermitEmptyPasswords no\nChallengeResponseAuthentication no\n\n# Only enable Kerberos authentication if it is configured.\nKerberosAuthentication no\nKerberosOrLocalPasswd no\nKerberosTicketCleanup yes\n#KerberosGetAFSToken no\n\n# Only enable GSSAPI authentication if it is configured.\nGSSAPIAuthentication no\nGSSAPICleanupCredentials yes\n\n# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.\n\n\n\n\n\n\n# Network\n# -------\n\n# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel\nTCPKeepAlive no\n\n# Manage `ClientAlive..` signals via interval and maximum count. 
This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.\nClientAliveInterval 300\nClientAliveCountMax 3\n\n# Disable tunneling\nPermitTunnel no\n\n# Disable forwarding tcp connections.\n# no real advantage without denied shell access\nAllowTcpForwarding no\n\n# Disable agent forwarding, since local agent could be accessed through forwarded connection.\n# no real advantage without denied shell access\nAllowAgentForwarding no\n\n# Do not allow remote port forwardings to bind to non-loopback addresses.\nGatewayPorts no\n\n# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.\nX11Forwarding no\nX11UseLocalhost yes\n\n# User environment configuration\n# ==============================\n\nPermitUserEnvironment no\n\n\n# Misc. configuration\n# ===================\n\nCompression no\n\nUseDNS no\n\nPrintMotd no\n\nPrintLastLog no\n\nBanner none\n\n\n# Reject keys that are explicitly blacklisted\nRevokedKeys /etc/ssh/revoked_keys\n\n" + "value": "# #\n# Ansible managed\n#\n\n# This is the ssh client system-wide configuration file.\n# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.\n\n\n# Basic configuration\n# ===================\n\n# Either disable or only allow root login via certificates.\nPermitRootLogin no,no\n\n# Define which port sshd should listen to. Default to `22`.\nPort 22\n\n# Address family should always be limited to the active network configuration.\nAddressFamily inet\n\n# Define which addresses sshd should listen to. 
Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.\nListenAddress 0.0.0.0\n\n# List HostKeys here.\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\n\n# Specifies the host key algorithms that the server offers.\n#\n# HostKeyAlgorithms\n#\n\n# Security configuration\n# ======================\n\n# Set the protocol version to 2 for security reasons. Disables legacy support.\nProtocol 2\n\n# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.\nStrictModes yes\n\n# Logging, obsoletes QuietMode and FascistLogging\nSyslogFacility AUTH\nLogLevel VERBOSE\n\n# Cryptography\n# ------------\n\n# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added\n# CBC: is true if you want to connect with OpenSSL-base libraries\n# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work\n# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)\n#\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n\n# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.\n# Weak HMAC is sometimes required if older package versions are used\n# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.\n#\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256\n\n# Alternative setting, if OpenSSH version is below v5.9\n#MACs hmac-ripemd160\n\n# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary\n# Weak kex is sometimes required if older package versions are used\n# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will 
have to be set true in this case.\n# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf\n\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n\n# Authentication\n# --------------\n\n# Secure Login directives.\n\nLoginGraceTime 30s\nMaxAuthTries 2\nMaxSessions 10\nMaxStartups 10:30:60\n\n# Enable public key authentication\nPubkeyAuthentication yes\n\n# Never use host-based authentication. It can be exploited.\nIgnoreRhosts yes\nIgnoreUserKnownHosts yes\nHostbasedAuthentication no\n\n# Enable PAM to enforce system wide rules\nUsePAM yes\n\n# Set AuthenticationMethods per default to publickey\n# AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2\nAuthenticationMethods publickey\n\n# Disable password-based authentication, it can allow for potentially easier brute-force attacks.\nPasswordAuthentication no\nPermitEmptyPasswords no\nChallengeResponseAuthentication no\n\n# Only enable Kerberos authentication if it is configured.\nKerberosAuthentication no\nKerberosOrLocalPasswd no\nKerberosTicketCleanup yes\n#KerberosGetAFSToken no\n\n# Only enable GSSAPI authentication if it is configured.\nGSSAPIAuthentication no\nGSSAPICleanupCredentials yes\n\n# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.\n\n\n\n\n\n\n# Network\n# -------\n\n# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel\nTCPKeepAlive no\n\n# Manage `ClientAlive..` signals via interval and maximum count. 
This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.\nClientAliveInterval 300\nClientAliveCountMax 3\n\n# Disable tunneling\nPermitTunnel no\n\n# Disable forwarding tcp connections.\n# no real advantage without denied shell access\nAllowTcpForwarding no\n\n# Disable agent forwarding, since local agent could be accessed through forwarded connection.\n# no real advantage without denied shell access\nAllowAgentForwarding no\n\n# Do not allow remote port forwardings to bind to non-loopback addresses.\nGatewayPorts no\n\n# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.\nX11Forwarding no\nX11UseLocalhost yes\n\n# User environment configuration\n# ==============================\n\nPermitUserEnvironment no\n\n\n# Misc. configuration\n# ===================\n\nCompression no\n\nUseDNS no\n\nPrintMotd no\n\nPrintLastLog no\n\nBanner none\n\n\n# Reject keys that are explicitly blacklisted\nRevokedKeys /etc/ssh/revoked_keys\n\n" }, "exists": { "type": "\u0004", 
@@ -1075,7 +1075,7 @@ "Fields": { "content": { "type": "\u0007", - "value": "# #\n# Ansible managed\n#\n\n# This is the ssh client system-wide configuration file.\n# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.\n\n\n# Basic configuration\n# ===================\n\n# Either disable or only allow root login via certificates.\nPermitRootLogin no\n\n# Define which port sshd should listen to. Default to `22`.\nPort 22\n\n# Address family should always be limited to the active network configuration.\nAddressFamily inet\n\n# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.\nListenAddress 0.0.0.0\n\n# List HostKeys here.\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\n\n# Specifies the host key algorithms that the server offers.\n#\n# HostKeyAlgorithms\n#\n\n# Security configuration\n# ======================\n\n# Set the protocol version to 2 for security reasons. Disables legacy support.\nProtocol 2\n\n# Make sure sshd checks file modes and ownership before accepting logins. 
This prevents accidental misconfiguration.\nStrictModes yes\n\n# Logging, obsoletes QuietMode and FascistLogging\nSyslogFacility AUTH\nLogLevel VERBOSE\n\n# Cryptography\n# ------------\n\n# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added\n# CBC: is true if you want to connect with OpenSSL-base libraries\n# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work\n# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)\n#\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n\n# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.\n# Weak HMAC is sometimes required if older package versions are used\n# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.\n#\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256\n\n# Alternative setting, if OpenSSH version is below v5.9\n#MACs hmac-ripemd160\n\n# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary\n# Weak kex is sometimes required if older package versions are used\n# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.\n# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf\n\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n\n# Authentication\n# --------------\n\n# Secure Login directives.\n\nLoginGraceTime 30s\nMaxAuthTries 2\nMaxSessions 10\nMaxStartups 10:30:60\n\n# Enable public key authentication\nPubkeyAuthentication yes\n\n# Never use host-based authentication. 
It can be exploited.\nIgnoreRhosts yes\nIgnoreUserKnownHosts yes\nHostbasedAuthentication no\n\n# Enable PAM to enforce system wide rules\nUsePAM yes\n\n# Set AuthenticationMethods per default to publickey\n# AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2\nAuthenticationMethods publickey\n\n# Disable password-based authentication, it can allow for potentially easier brute-force attacks.\nPasswordAuthentication no\nPermitEmptyPasswords no\nChallengeResponseAuthentication no\n\n# Only enable Kerberos authentication if it is configured.\nKerberosAuthentication no\nKerberosOrLocalPasswd no\nKerberosTicketCleanup yes\n#KerberosGetAFSToken no\n\n# Only enable GSSAPI authentication if it is configured.\nGSSAPIAuthentication no\nGSSAPICleanupCredentials yes\n\n# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.\n\n\n\n\n\n\n# Network\n# -------\n\n# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel\nTCPKeepAlive no\n\n# Manage `ClientAlive..` signals via interval and maximum count. 
This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.\nClientAliveInterval 300\nClientAliveCountMax 3\n\n# Disable tunneling\nPermitTunnel no\n\n# Disable forwarding tcp connections.\n# no real advantage without denied shell access\nAllowTcpForwarding no\n\n# Disable agent forwarding, since local agent could be accessed through forwarded connection.\n# no real advantage without denied shell access\nAllowAgentForwarding no\n\n# Do not allow remote port forwardings to bind to non-loopback addresses.\nGatewayPorts no\n\n# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.\nX11Forwarding no\nX11UseLocalhost yes\n\n# User environment configuration\n# ==============================\n\nPermitUserEnvironment no\n\n\n# Misc. configuration\n# ===================\n\nCompression no\n\nUseDNS no\n\nPrintMotd no\n\nPrintLastLog no\n\nBanner none\n\n\n# Reject keys that are explicitly blacklisted\nRevokedKeys /etc/ssh/revoked_keys\n\n" + "value": "# #\n# Ansible managed\n#\n\n# This is the ssh client system-wide configuration file.\n# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.\n\n\n# Basic configuration\n# ===================\n\n# Either disable or only allow root login via certificates.\nPermitRootLogin no,no\n\n# Define which port sshd should listen to. Default to `22`.\nPort 22\n\n# Address family should always be limited to the active network configuration.\nAddressFamily inet\n\n# Define which addresses sshd should listen to. 
Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.\nListenAddress 0.0.0.0\n\n# List HostKeys here.\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\n\n# Specifies the host key algorithms that the server offers.\n#\n# HostKeyAlgorithms\n#\n\n# Security configuration\n# ======================\n\n# Set the protocol version to 2 for security reasons. Disables legacy support.\nProtocol 2\n\n# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.\nStrictModes yes\n\n# Logging, obsoletes QuietMode and FascistLogging\nSyslogFacility AUTH\nLogLevel VERBOSE\n\n# Cryptography\n# ------------\n\n# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added\n# CBC: is true if you want to connect with OpenSSL-base libraries\n# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work\n# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)\n#\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n\n# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.\n# Weak HMAC is sometimes required if older package versions are used\n# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.\n#\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256\n\n# Alternative setting, if OpenSSH version is below v5.9\n#MACs hmac-ripemd160\n\n# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary\n# Weak kex is sometimes required if older package versions are used\n# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will 
have to be set true in this case.\n# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf\n\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n\n# Authentication\n# --------------\n\n# Secure Login directives.\n\nLoginGraceTime 30s\nMaxAuthTries 2\nMaxSessions 10\nMaxStartups 10:30:60\n\n# Enable public key authentication\nPubkeyAuthentication yes\n\n# Never use host-based authentication. It can be exploited.\nIgnoreRhosts yes\nIgnoreUserKnownHosts yes\nHostbasedAuthentication no\n\n# Enable PAM to enforce system wide rules\nUsePAM yes\n\n# Set AuthenticationMethods per default to publickey\n# AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2\nAuthenticationMethods publickey\n\n# Disable password-based authentication, it can allow for potentially easier brute-force attacks.\nPasswordAuthentication no\nPermitEmptyPasswords no\nChallengeResponseAuthentication no\n\n# Only enable Kerberos authentication if it is configured.\nKerberosAuthentication no\nKerberosOrLocalPasswd no\nKerberosTicketCleanup yes\n#KerberosGetAFSToken no\n\n# Only enable GSSAPI authentication if it is configured.\nGSSAPIAuthentication no\nGSSAPICleanupCredentials yes\n\n# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.\n\n\n\n\n\n\n# Network\n# -------\n\n# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel\nTCPKeepAlive no\n\n# Manage `ClientAlive..` signals via interval and maximum count. 
This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.\nClientAliveInterval 300\nClientAliveCountMax 3\n\n# Disable tunneling\nPermitTunnel no\n\n# Disable forwarding tcp connections.\n# no real advantage without denied shell access\nAllowTcpForwarding no\n\n# Disable agent forwarding, since local agent could be accessed through forwarded connection.\n# no real advantage without denied shell access\nAllowAgentForwarding no\n\n# Do not allow remote port forwardings to bind to non-loopback addresses.\nGatewayPorts no\n\n# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.\nX11Forwarding no\nX11UseLocalhost yes\n\n# User environment configuration\n# ==============================\n\nPermitUserEnvironment no\n\n\n# Misc. configuration\n# ===================\n\nCompression no\n\nUseDNS no\n\nPrintMotd no\n\nPrintLastLog no\n\nBanner none\n\n\n# Reject keys that are explicitly blacklisted\nRevokedKeys /etc/ssh/revoked_keys\n\n" }, "files": { "type": "\u0019\u001bfile", @@ -1242,4 +1242,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/providers/os/resources/os.lr b/providers/os/resources/os.lr index 99d156b2be..59f7d230d7 100644 --- a/providers/os/resources/os.lr +++ b/providers/os/resources/os.lr @@ -680,6 +680,8 @@ sshd.config { kexs(params) []string // Host keys configured for this SSH server hostkeys(params) []string + // PermitRootLogin setting in SSH server + permitRootLogin(params) []string } // Service on this system diff --git a/providers/os/resources/os.lr.go b/providers/os/resources/os.lr.go index 3f5c50168a..6fa704fd7e 100644 --- a/providers/os/resources/os.lr.go +++ b/providers/os/resources/os.lr.go 
@@ -1182,6 +1182,9 @@ var getDataFields = map[string]func(r plugin.Resource) *plugin.DataRes {
 "sshd.config.hostkeys": func(r plugin.Resource) *plugin.DataRes {
 return (r.(*mqlSshdConfig).GetHostkeys()).ToDataRes(types.Array(types.String))
 },
+ "sshd.config.permitRootLogin": func(r plugin.Resource) *plugin.DataRes {
+ return (r.(*mqlSshdConfig).GetPermitRootLogin()).ToDataRes(types.Array(types.String))
+ },
 "service.name": func(r plugin.Resource) *plugin.DataRes {
 return (r.(*mqlService).GetName()).ToDataRes(types.String)
 },
@@ -3135,6 +3138,10 @@ var setDataFields = map[string]func(r plugin.Resource, v *llx.RawData) bool {
 r.(*mqlSshdConfig).Hostkeys, ok = plugin.RawToTValue[[]interface{}](v.Value, v.Error)
 return
 },
+ "sshd.config.permitRootLogin": func(r plugin.Resource, v *llx.RawData) (ok bool) {
+ r.(*mqlSshdConfig).PermitRootLogin, ok = plugin.RawToTValue[[]interface{}](v.Value, v.Error)
+ return
+ },
 "service.__id": func(r plugin.Resource, v *llx.RawData) (ok bool) {
 r.(*mqlService).__id, ok = v.Value.(string)
 return
@@ -8359,6 +8366,7 @@ type mqlSshdConfig struct {
 Macs plugin.TValue[[]interface{}]
 Kexs plugin.TValue[[]interface{}]
 Hostkeys plugin.TValue[[]interface{}]
+ PermitRootLogin plugin.TValue[[]interface{}]
 }
 
 // createSshdConfig creates a new instance of this resource
@@ -8501,6 +8509,17 @@ func (c *mqlSshdConfig) GetHostkeys() *plugin.TValue[[]interface{}] {
 })
 }
 
+func (c *mqlSshdConfig) GetPermitRootLogin() *plugin.TValue[[]interface{}] {
+ return plugin.GetOrCompute[[]interface{}](&c.PermitRootLogin, func() ([]interface{}, error) {
+ vargParams := c.GetParams()
+ if vargParams.Error != nil {
+ return nil, vargParams.Error
+ }
+
+ return c.permitRootLogin(vargParams.Data)
+ })
+}
+
 // mqlService for the service resource
 type mqlService struct {
 MqlRuntime *plugin.Runtime
diff --git a/providers/os/resources/os.lr.manifest.yaml b/providers/os/resources/os.lr.manifest.yaml
index 139c3feffc..0e08bbcb76 100644
--- a/providers/os/resources/os.lr.manifest.yaml
+++ b/providers/os/resources/os.lr.manifest.yaml
@@ -847,6 +847,8 @@ resources:
 kexs: {}
 macs: {}
 params: {}
+ permitRootLogin:
+ min_mondoo_version: latest
 min_mondoo_version: 5.15.0
 snippets:
 - query: sshd.config.params['Banner'] == '/etc/ssh/sshd-banner'
diff --git a/providers/os/resources/sshd.go b/providers/os/resources/sshd.go
index 6190e9526f..37d1d4f58a 100644
--- a/providers/os/resources/sshd.go
+++ b/providers/os/resources/sshd.go
@@ -133,13 +133,13 @@ func (s *mqlSshdConfig) params(content string) (map[string]interface{}, error) {
 }
 
 func (s *mqlSshdConfig) parseConfigEntrySlice(raw interface{}) ([]interface{}, error) {
- strCipher, ok := raw.(string)
+ str, ok := raw.(string)
 if !ok {
 return nil, errors.New("value is not a valid string")
 }
 
 res := []interface{}{}
- entries := strings.Split(strCipher, ",")
+ entries := strings.Split(str, ",")
 for i := range entries {
 val := strings.TrimSpace(entries[i])
 res = append(res, val)
@@ -183,3 +183,12 @@ func (s *mqlSshdConfig) hostkeys(params map[string]interface{}) ([]interface{},
 
 return s.parseConfigEntrySlice(rawHostKeys)
 }
+
+func (s *mqlSshdConfig) permitRootLogin(params map[string]interface{}) ([]interface{}, error) {
+ rawHostKeys, ok := params["PermitRootLogin"]
+ if !ok {
+ return nil, nil
+ }
+
+ return s.parseConfigEntrySlice(rawHostKeys)
+}
diff --git a/providers/os/resources/sshd_test.go b/providers/os/resources/sshd_test.go
index 30c920c540..669908f1dc 100644
--- a/providers/os/resources/sshd_test.go
+++ b/providers/os/resources/sshd_test.go
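Review bot: `permitRootLogin` in the sshd.go hunk models a single-valued sshd directive as a comma-split list via `parseConfigEntrySlice`, and the fixture and test were bent to fit it: the arch.json hunks change the test data to `PermitRootLogin no,no`, which is not a value sshd accepts (the directive takes one keyword such as yes, prohibit-password, forced-commands-only or no), and the sshd_test.go hunk asserts `[]interface{}{"no", "no"}`. A hardening rule then has to compare a list (`["no"]`) instead of the keyword, and the os.lr hunk bakes that shape into the schema as `permitRootLogin(params) []string` with the comment `// PermitRootLogin setting in SSH server`. I'd return the trimmed string instead; if the list type is kept for uniformity with ciphers/macs/kexs, restore the fixture to `PermitRootLogin no`, assert `[]interface{}{"no"}`, and say in the os.lr comment that a valid config yields exactly one element. The `return nil, nil` branch mirrors `hostkeys` but leaves a caller unable to distinguish "directive absent, sshd default applies" from "no value", which is worth a one-line comment since policies commonly key on this field. Separately, the local `rawHostKeys` is a copy-paste name; `rawValue, ok := params["PermitRootLogin"]` reads correctly.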
@@ -70,4 +70,11 @@ func TestResource_SSHD(t *testing.T) {
 assert.Empty(t, res[0].Result().Error)
 assert.Equal(t, []interface{}{"/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ed25519_key"}, res[0].Data.Value)
 })
+
+ t.Run("parse permitRootLogin", func(t *testing.T) {
+ res := x.TestQuery(t, "sshd.config.permitRootLogin")
+ assert.NotEmpty(t, res)
+ assert.Empty(t, res[0].Result().Error)
+ assert.Equal(t, []interface{}{"no", "no"}, res[0].Data.Value)
+ })
 }