class SSHScan::PolicyManager

Policy management methods, compliance checking and recommendations.

Public Class Methods

new(result, policy) click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 6
def initialize(result, policy)
  @policy = policy
  @result = result
end

Public Instance Methods

compliance_results() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 213
def compliance_results
  {
    "policy" => @policy.name,
    "compliant" => compliant?,
    "recommendations" => recommendations,
    "references" => @policy.references,
  }
end
compliant?() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 142
def compliant?
  out_of_policy_encryption.empty? &&
  out_of_policy_macs.empty? &&
  out_of_policy_kex.empty? &&
  out_of_policy_compression.empty? &&
  missing_policy_encryption.empty? &&
  missing_policy_macs.empty? &&
  missing_policy_kex.empty? &&
  missing_policy_compression.empty? &&
  out_of_policy_auth_methods.empty? &&
  !out_of_policy_ssh_version
end
missing_policy_compression() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 100
def missing_policy_compression
  return [] if @policy.compression.empty?
  target_compressions =
    @result.compression_algorithms_server_to_client |
    @result.compression_algorithms_client_to_server
  outliers = []

  @policy.compression.each do |compression|
    if SSHScan.make_attributes(target_compressions).include?(SSHScan::Attribute.new(compression)) == false
      outliers << compression
    end
  end
  return outliers
end
missing_policy_encryption() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 23
def missing_policy_encryption
  return [] if @policy.encryption.empty?
  target_encryption =
    @result.encryption_algorithms_client_to_server |
    @result.encryption_algorithms_server_to_client
  outliers = []
  @policy.encryption.each do |encryption|
    if SSHScan.make_attributes(target_encryption).include?(SSHScan::Attribute.new(encryption)) == false
      outliers << encryption
    end
  end
  return outliers
end
missing_policy_kex() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 74
def missing_policy_kex
  return [] if @policy.kex.empty?
  target_kex = @result.key_algorithms
  outliers = []

  @policy.kex.each do |kex|
    if SSHScan.make_attributes(target_kex).include?(SSHScan::Attribute.new(kex)) == false
      outliers << kex
    end
  end
  return outliers
end
missing_policy_macs() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 49
def missing_policy_macs
  return [] if @policy.macs.empty?
  target_macs =
    @result.mac_algorithms_server_to_client |
    @result.mac_algorithms_client_to_server
  outliers = []

  @policy.macs.each do |mac|
    if SSHScan.make_attributes(target_macs).include?(SSHScan::Attribute.new(mac)) == false
      outliers << mac
    end
  end
  return outliers
end
out_of_policy_auth_methods() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 115
def out_of_policy_auth_methods
  return [] if @policy.auth_methods.empty?
  return [] if @result.auth_methods.empty?
  target_auth_methods = @result.auth_methods
  outliers = []

  if not @policy.auth_methods.empty?
    target_auth_methods.each do |auth_method|
      if not @policy.auth_methods.include?(auth_method)
        outliers << auth_method
      end
    end
  end
  return outliers
end
out_of_policy_compression() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 87
def out_of_policy_compression
  return [] if @policy.compression.empty?
  target_compressions =
    @result.compression_algorithms_server_to_client |
    @result.compression_algorithms_client_to_server
  outliers = []
  target_compressions.each do |target_compression|
    outliers << target_compression unless
      @policy.compression_attributes.include?(SSHScan::Attribute.new(target_compression))
  end
  return outliers
end
out_of_policy_encryption() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 11
def out_of_policy_encryption
  return [] if @policy.encryption.empty?
  target_encryption =
    @result.encryption_algorithms_client_to_server |
    @result.encryption_algorithms_server_to_client
  outliers = []
  target_encryption.each do |target_enc|
    outliers << target_enc unless @policy.encryption_attributes.include?(SSHScan::Attribute.new(target_enc))
  end
  return outliers
end
out_of_policy_kex() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 64
def out_of_policy_kex
  return [] if @policy.kex.empty?
  target_kexs = @result.key_algorithms
  outliers = []
  target_kexs.each do |target_kex|
    outliers << target_kex unless @policy.kex_attributes.include?(SSHScan::Attribute.new(target_kex))
  end
  return outliers
end
out_of_policy_macs() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 37
def out_of_policy_macs
  return [] if @policy.macs.empty?
  target_macs =
    @result.mac_algorithms_server_to_client |
    @result.mac_algorithms_client_to_server
  outliers = []
  target_macs.each do |target_mac|
    outliers << target_mac unless @policy.mac_attributes.include?(SSHScan::Attribute.new(target_mac))
  end
  return outliers
end
out_of_policy_ssh_version() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 131
def out_of_policy_ssh_version
  return false if @policy.ssh_version.nil?
  target_ssh_version = @result.ssh_version
  if @policy.ssh_version
    if target_ssh_version < @policy.ssh_version
      return true
    end
  end
  return false
end
recommendations() click to toggle source
# File lib/ssh_scan/policy_manager.rb, line 155
    def recommendations
      recommendations = []

      # Add these items to be compliant
      if missing_policy_kex.any?
        recommendations << "Add these key exchange algorithms: \
#{missing_policy_kex.join(",")}"
      end

      if missing_policy_macs.any?
        recommendations << "Add these MAC algorithms: \
#{missing_policy_macs.join(",")}"
      end

      if missing_policy_encryption.any?
        recommendations << "Add these encryption ciphers: \
#{missing_policy_encryption.join(",")}"
      end

      if missing_policy_compression.any?
        recommendations << "Add these compression algorithms: \
#{missing_policy_compression.join(",")}"
      end

      # Remove these items to be compliant
      if out_of_policy_kex.any?
        recommendations << "Remove these key exchange algorithms: \
#{out_of_policy_kex.join(", ")}"
      end

      if out_of_policy_macs.any?
        recommendations << "Remove these MAC algorithms: \
#{out_of_policy_macs.join(", ")}"
      end

      if out_of_policy_encryption.any?
        recommendations << "Remove these encryption ciphers: \
#{out_of_policy_encryption.join(", ")}"
      end

      if out_of_policy_compression.any?
        recommendations << "Remove these compression algorithms: \
#{out_of_policy_compression.join(", ")}"
      end

      if out_of_policy_auth_methods.any?
        recommendations << "Remove these authentication methods: \
#{out_of_policy_auth_methods.join(", ")}"
      end

      # Update these items to be compliant
      if out_of_policy_ssh_version
        recommendations << "Update your ssh version to: #{@policy.ssh_version}"
      end

      return recommendations
    end