Expand SSH Finding Model into multiple Categories (#10)

Expand SSH Finding Model into multiple Categories

Author: J12934

src/main.rb

@@ -4,26 +4,24 @@
 Bundler.setup(:default)
 require 'ruby-scanner-scaffolding'
 require 'ruby-scanner-scaffolding/healthcheck'
-require_relative "./ssh_worker"
+require_relative './ssh_worker'
 
-set :port, 8080
+set :port, 8_080
 set :bind, '0.0.0.0'
 set :environment, :production
 
-client = SshWorker.new(
-	'http://localhost:8080',
-	'ssh_webserverscan',
-	['PROCESS_TARGETS']
-)
+client =
+  SshWorker.new(
+    'http://localhost:8080',
+    'ssh_webserverscan',
+    %w[PROCESS_TARGETS]
+  )
 
 healthcheckClient = Healthcheck.new
 
 get '/status' do
-	status 500
-	if client.healthy?
-		status 200
-	end
-	content_type :json
-	healthcheckClient.check(client)
+  status 500
+  status 200 if client.healthy?
+  content_type :json
+  healthcheckClient.check(client)
 end
-

src/ssh_configuration.rb

@@ -1,8 +1,9 @@
 def is_set(val)
   if val != ''
+
   elsif val.is_a?(Array)
-  val.length != 0
-end
+    val.length != 0
+  end
 end
 
 class SshConfiguration
@@ -11,14 +12,20 @@ class SshConfiguration
   attr_accessor :ssh_policy_file
   attr_accessor :ssh_timeout_seconds
 
-
-  def self.from_target(job_id, target, policies_directory = "/securecodebox/static/")
+  def self.from_target(
+    job_id, target, policies_directory = '/securecodebox/static/'
+  )
     config = SshConfiguration.new
 
     config.policies_directory = policies_directory
     config.job_id = job_id
-    config.ssh_policy_file = target.dig('attributes','SSH_POLICY_FILE') unless !target.dig('attributes','SSH_POLICY_FILE')
-    config.ssh_timeout_seconds = target.dig('attributes','SSH_TIMEOUT_SECONDS') unless !target.dig('attributes','SSH_TIMEOUT_SECONDS')
+    unless !target.dig('attributes', 'SSH_POLICY_FILE')
+      config.ssh_policy_file = target.dig('attributes', 'SSH_POLICY_FILE')
+    end
+    unless !target.dig('attributes', 'SSH_TIMEOUT_SECONDS')
+      config.ssh_timeout_seconds =
+        target.dig('attributes', 'SSH_TIMEOUT_SECONDS')
+    end
     config
   end
 

src/ssh_result_transformer.rb

@@ -3,68 +3,157 @@
 
 class SshResultTransformer
   def initialize(uuid_provider = SecureRandom)
-    @uuid_provider = uuid_provider;
+    @uuid_provider = uuid_provider
   end
 
-
   def transform(results, timed_out: false)
     findings = []
+
     results.each do |r|
-      findings << {
-          id: @uuid_provider.uuid,
-          name: 'SSH Compliance',
-          description: 'SSH Compliance Information',
-          category: 'SSH Service',
-          osi_layer: 'NETWORK',
-          severity: 'INFORMATIONAL',
-          reference: {},
-          hint: '',
-          location: r.dig('ip'),
-          attributes: {
-              hostname: r.dig('hostname'),
-              server_banner: r.dig('server_banner'),
-              ssh_version: r.dig('ssh_version'),
-              os_cpe: r.dig('os_cpe'),
-              ssh_lib_cpe: r.dig('ssh_lib_cpe'),
-              compliance_policy: r.dig('compliance', 'policy'),
-              compliant: r.dig('compliance', 'compliant'),
-              grade: r.dig('compliance', 'grade'),
-              start_time: r.dig('start_time'),
-              end_time: r.dig('end_time'),
-              scan_duration_seconds: r.dig('scan_duration_seconds'),
-              references: r.dig('compliance', 'references')
-          }
-      }
+      unless r.has_key? "error"
+        location = (r.dig('hostname').empty?) ? r.dig('ip') : r.dig('hostname')
+        hostname = (r.dig('hostname') unless r.dig('hostname').empty?)
+        findings <<
+            {
+                id: @uuid_provider.uuid,
+                name: 'SSH Service Information',
+                description: '',
+                category: 'SSH Service',
+                osi_layer: 'NETWORK',
+                severity: 'INFORMATIONAL',
+                reference: {},
+                hint: '',
+                location: location,
+                attributes: {
+                    hostname: hostname,
+                    ip_address: r.dig('ip'),
+                    server_banner:
+                        (r.dig('server_banner') unless r.dig('server_banner').empty?),
+                    ssh_version: r.dig('ssh_version'),
+                    os_cpe: r.dig('os_cpe'),
+                    ssh_lib_cpe: r.dig('ssh_lib_cpe'),
+                    compliance_policy: r.dig('compliance', 'policy'),
+                    compliant: r.dig('compliance', 'compliant'),
+                    grade: r.dig('compliance', 'grade'),
+                    start_time: r.dig('start_time'),
+                    end_time: r.dig('end_time'),
+                    scan_duration_seconds: r.dig('scan_duration_seconds'),
+                    references: r.dig('compliance', 'references'),
+                    auth_methods: r.dig('auth_methods'),
+                    key_algorithms: r.dig('key_algorithms'),
+                    encryption_algorithms:
+                        r.dig('encryption_algorithms_server_to_client'),
+                    mac_algorithms: r.dig('mac_algorithms_server_to_client'),
+                    compression_algorithms:
+                        r.dig('compression_algorithms_server_to_client')
+                }
+            }
 
-      unless r.dig('compliance', 'recommendations').nil?
-        r.dig('compliance', 'recommendations').each do |f|
-          findings << {
-              id: @uuid_provider.uuid,
-              name: f.split(':')[0],
-              description: f.split(':')[1],
-              category: 'SSH Service',
-              osi_layer: 'NETWORK',
-              severity: decideSeverity(r.dig('compliance', 'grade')),
-              reference: {},
-              hint: '',
-              location: r.dig('ip'),
-              attributes: {}
-          }
+        unless r.dig('compliance', 'recommendations').nil?
+          r.dig('compliance', 'recommendations')
+              .each do |policy_violation_message|
+            findings <<
+                create_policy_violation_finding(
+                    policy_violation_message,
+                    location,
+                    hostname,
+                    r.dig('ip')
+                )
+          end
         end
       end
     end
 
     findings
   end
 
-  def decideSeverity(grade)
-    case grade
-    when 'A', 'B'
-      'LOW'
-    when 'C', 'D'
-      'MEDIUM'
-    when 'E', 'F'
-      'HIGH'
+  # rubocop:disable MethodComplexity
+  def get_policy_violation_type(message)
+    type = message.split(': ')[0]
+
+    case type
+    when /^Add these key exchange algorithms/
+      {
+        description: 'Good / encouraged SSH key algorithms are missing',
+        name: 'Missing SSH Key Algorithms'
+      }
+    when /^Add these MAC algorithms/
+      {
+        description: 'Good / encouraged SSH MAC algorithms are missing',
+        name: 'Missing SSH MAC Algorithms'
+      }
+    when /^Add these encryption ciphers/
+      {
+        description: 'Good / encouraged SSH encryption ciphers are missing',
+        name: 'Missing SSH encryption Ciphers'
+      }
+    when /^Add these compression algorithms/
+      {
+        description: 'Good / encouraged SSH compression algorithms are missing',
+        name: 'Missing SSH compression algorithms'
+      }
+    when /^Add these authentication methods/
+      {
+        description: 'Good / encouraged SSH authentication methods are missing',
+        name: 'Missing SSH authentication methods'
+      }
+    when /^Remove these key exchange algorithms/
+      {
+        description: 'Deprecated / discouraged SSH key algorithms are used',
+        name: 'Insecure SSH Key Algorithms'
+      }
+    when /^Remove these MAC algorithms/
+      {
+        description: 'Deprecated / discouraged SSH MAC algorithms are used',
+        name: 'Insecure SSH MAC Algorithms'
+      }
+    when /^Remove these encryption ciphers/
+      {
+        description: 'Deprecated / discouraged SSH encryption ciphers are used',
+        name: 'Insecure SSH encryption Ciphers'
+      }
+    when /^Remove these compression algorithms/
+      {
+        description:
+          'Deprecated / discouraged SSH compression algorithms are used',
+        name: 'Insecure SSH compression algorithms'
+      }
+    when /^Remove these authentication methods/
+      {
+        description: 'Discouraged SSH authentication methods are used',
+        name: 'Discouraged SSH authentication methods'
+      }
+    when /^Update your ssh version to/
+      {
+        description: 'Outdated SSH protocol version used',
+        name: 'Outdated SSH Protocol Version'
+      }
+    else
+      raise Exception.new "Unexpected Policy Violation Type: '#{message}'"
     end
   end
-end
+  # rubocop:enable MethodComplexity
+
+  def create_policy_violation_finding(
+    message, location, hostname, ip_address
+  )
+    policy_violation_type = get_policy_violation_type(message)
+
+    payload = message.split(': ')[1].split(', ')
+
+    {
+      id: @uuid_provider.uuid,
+      name: policy_violation_type[:name],
+      description: policy_violation_type[:description],
+      category: 'SSH Policy Violation',
+      osi_layer: 'NETWORK',
+      severity: 'MEDIUM',
+      reference: {},
+      hint: message,
+      location: location,
+      attributes: {
+        hostname: hostname, ip_address: ip_address, payload: payload
+      }
+    }
+  end
+end

src/ssh_scan.rb

@@ -2,57 +2,61 @@
 require 'json'
 require 'logger'
 require 'pathname'
+require 'ruby-scanner-scaffolding'
 
 require_relative './ssh_result_transformer'
 
 $logger = Logger.new(STDOUT)
 $logger.level = if ENV.key? 'DEBUG' then Logger::DEBUG else Logger::INFO end
 
 class SshScan
-	attr_reader :raw_results
-	attr_reader :results
-	attr_reader :errored
-
-	def initialize(targetfile, config)
-		@targetfile = targetfile
-		@config = config
-		@errored = false
-		@transformer = SshResultTransformer.new
-	end
-
-	def start
-		$logger.info "Running scan for #{File.basename(@targetfile, File.extname(@targetfile))}"
-			start_scan
-			$logger.info "Retrieving scan results for #{File.basename(@targetfile, File.extname(@targetfile))}"
-			get_scan_report
-	end
-
-	def start_scan
-		begin
-      resultsFile = File.open("/tmp/raw-results.txt", "w+")
-
-			sshCommandLine = "ssh_scan --fingerprint-db /tmp/fingerprint-db.yml -f #{Pathname.new(@targetfile)} -o #{Pathname.new(resultsFile)}"
-
-			if not @config.ssh_policy_file.nil?
-				sshCommandLine += "-P #{@config.filePath} "
-			end
-			if not @config.ssh_timeout_seconds.nil?
-				sshCommandLine += "-T #{@config.ssh_timeout_seconds}"
+  attr_reader :raw_results
+  attr_reader :results
+  attr_reader :errored
+
+  def initialize(target_file_path, config)
+    @target_file_path = target_file_path
+    @config = config
+    @errored = false
+    @transformer = SshResultTransformer.new
+  end
+
+  def start
+    $logger.info "Running scan for #{@target_file_path.basename}"
+    start_scan
+    $logger.info "Retrieving scan results for #{@target_file_path.basename}"
+    get_scan_report
+  end
+
+  def start_scan
+      result_file_path = Pathname.new "/tmp/raw-results.txt"
+      ssh_command_line = "ssh_scan --fingerprint-db /tmp/fingerprint-db.yml -f #{@target_file_path} -o #{result_file_path}"
+
+      unless @config.ssh_policy_file.nil?
+        ssh_command_line += "-P #{@config.filePath} "
       end
-      resultsFile.write(`#{sshCommandLine}`)
-      @raw_results = JSON.parse(resultsFile.read)
-      File.delete(resultsFile)
-    rescue => err
-			$logger.warn err
-			raise CamundaIncident.new("Failed to start SSH scan.", "This is most likely related to a error in the configuration. Check the SSH logs for more details.")
-		end
-	end
-
-	def get_scan_report
-		begin
-			@results = @transformer.transform(@raw_results)
-		rescue => err
-			$logger.warn err
-		end
-	end
+      unless @config.ssh_timeout_seconds.nil?
+        ssh_command_line += "-T #{@config.ssh_timeout_seconds}"
+      end
+
+      # Execute the Scanner via command line
+      `#{ssh_command_line}`
+
+      File.open(result_file_path) do |results_file|
+        @raw_results = JSON.parse(results_file.read)
+        File.delete(results_file)
+      end
+  rescue => err
+    $logger.warn err
+    raise CamundaIncident.new(
+            'Failed to start SSH scan.',
+            'This is most likely related to a error in the configuration. Check the SSH logs for more details.'
+          )
+  end
+
+  def get_scan_report
+    @results = @transformer.transform(@raw_results)
+  rescue => err
+    $logger.warn err
+  end
 end