recipe_gentoo/recipes/recipe_check_ssh_config.sh

echo "-------------------------------------------------"
echo -e "-------------- ${BLUE}CHECK SSH CONFIG${NC} -----------------"
echo -e "-------------------------------------------------\n"

# Check /etc/ssh/sshd_config config file
echo -e "Check ${BLUE}SSH${NC} config file /etc/ssh/sshd_config"

# Check if PasswordAuthentication is enable (success if return code = 1)
grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*yes" /etc/ssh/sshd_config

# Return Code
RC=$?

# PasswordAuthentication is enabled
if [ $RC -eq 0 ]
then
	SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is enabled, disable it ;"
	echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
# PasswordAuthentication is disabled
else
	# Check if PasswordAuthentication is enable (success if return code = 0)
	grep -q "^[[:space:]]*PasswordAuthentication[[:space:]]*no" /etc/ssh/sshd_config 

	# Return Code
	RC=$?

	# PasswordAuthentication is not set to 'non'
	if [ $RC -ne 0 ]
	then
			SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"
			echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
	# PasswordAuthentication is set to 'non'
	else
			echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PasswordAuthentication : check OK${NC}\n"
	fi
fi

# Check if PermitRootLogin is enable (success if return code = 1)
grep -q -e "^[[:space:]]*PermitRootLogin[[:space:]]*yes" -e "^[[:space:]]*PermitRootLogin[[:space:]]*prohibit-password" /etc/ssh/sshd_config

# Return Code
RC=$?

# PermitRootLogin is enabled (with password or pubkey)
if [ $RC -eq 0 ]
then
	SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is enabled, disable it ;"
	echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
# Root login is disabled
else

	# Check if PermitRootLogin is set to 'no' (success if return code = 0)
	grep -q "^[[:space:]]*PermitRootLogin[[:space:]]*no" /etc/ssh/sshd_config

	# Return Code
	RC=$?

	# PermitRootLogin is set to 'no' (with password or pubkey)
	if [ $RC -ne 0 ]
	then
			SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"
			echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
	# Root login is disabled
	else
			echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PermitRootLogin : check OK${NC}\n"
	fi
fi

# Check if SSHD only listen on Admin LAN (success if return code = 1)
# WARNING, file need to be well intented
SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(grep "^ListenAddress" /etc/ssh/sshd_config | grep -v -e "^ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" -e "^ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}")

# Return Code
RC=$?

# ListenAddress other than the LAN Admin
if [ $RC -eq 0 ]
then
	SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' ;"
	echo -e "${RED}Service SSH has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' : check KO${NC}\n"
# No ListenAddress other than the LAN Admin
else

	# Check if ListenAddress IPv4 LAN Admin is configured (success if return code = 0)
	grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV4_ADMIN_NETWORK}" /etc/ssh/sshd_config
	
	# Return Code a
	RCa=$?
	
	# Check if ListenAddress IPv6 LAN Admin is configured (success if return code = 0)
	grep -q "^[[:space:]]*ListenAddress[[:space:]]*${IPV6_ADMIN_NETWORK}" /etc/ssh/sshd_config

	# Return Code b
	RCb=$?

	# ListenAddress for Admin LAN are NOT configured
	if [ $RCa -ne 0 ] || [ $RCb -ne 0 ]
	then
			SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN  ;"
			echo -e "${RED}Service SSH has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN : check KO${NC}\n"
	# ListenAddress for Admin LAN are configured
	else
			echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for ListenAddress : check OK${NC}\n"
	fi
fi
Initial commit 2019-03-24 15:56:17 +01:00			`echo "-------------------------------------------------"`
			`echo -e "-------------- ${BLUE}CHECK SSH CONFIG${NC} -----------------"`
			`echo -e "-------------------------------------------------\n"`

			`# Check /etc/ssh/sshd_config config file`
			`echo -e "Check ${BLUE}SSH${NC} config file /etc/ssh/sshd_config"`

			`# Check if PasswordAuthentication is enable (success if return code = 1)`
			`grep -q "^[[:space:]]PasswordAuthentication[[:space:]]yes" /etc/ssh/sshd_config`

			`# Return Code`
			`RC=$?`

			`# PasswordAuthentication is enabled`
			`if [ $RC -eq 0 ]`
			`then`
			`SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is enabled, disable it ;"`
			`echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"`
			`# PasswordAuthentication is disabled`
			`else`
			`# Check if PasswordAuthentication is enable (success if return code = 0)`
			`grep -q "^[[:space:]]PasswordAuthentication[[:space:]]no" /etc/ssh/sshd_config`

			`# Return Code`
			`RC=$?`

			`# PasswordAuthentication is not set to 'non'`
			`if [ $RC -ne 0 ]`
			`then`
			`SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"`
			`echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"`
			`# PasswordAuthentication is set to 'non'`
			`else`
			`echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PasswordAuthentication : check OK${NC}\n"`
			`fi`
			`fi`

			`# Check if PermitRootLogin is enable (success if return code = 1)`
			`grep -q -e "^[[:space:]]PermitRootLogin[[:space:]]yes" -e "^[[:space:]]PermitRootLogin[[:space:]]prohibit-password" /etc/ssh/sshd_config`

			`# Return Code`
			`RC=$?`

			`# PermitRootLogin is enabled (with password or pubkey)`
			`if [ $RC -eq 0 ]`
			`then`
			`SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is enabled, disable it ;"`
			`echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"`
			`# Root login is disabled`
			`else`

			`# Check if PermitRootLogin is set to 'no' (success if return code = 0)`
			`grep -q "^[[:space:]]PermitRootLogin[[:space:]]no" /etc/ssh/sshd_config`

			`# Return Code`
			`RC=$?`

			`# PermitRootLogin is set to 'no' (with password or pubkey)`
			`if [ $RC -ne 0 ]`
			`then`
			`SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"`
			`echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"`
			`# Root login is disabled`
			`else`
			`echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PermitRootLogin : check OK${NC}\n"`
			`fi`
			`fi`

			`# Check if SSHD only listen on Admin LAN (success if return code = 1)`
			`# WARNING, file need to be well intented`
			`SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(grep "^ListenAddress" /etc/ssh/sshd_config \| grep -v -e "^ListenAddress[[:space:]]${IPV4_ADMIN_NETWORK}" -e "^ListenAddress[[:space:]]${IPV6_ADMIN_NETWORK}")`

			`# Return Code`
			`RC=$?`

			`# ListenAddress other than the LAN Admin`
			`if [ $RC -eq 0 ]`
			`then`
			`SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' ;"`
			`echo -e "${RED}Service SSH has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' : check KO${NC}\n"`
			`# No ListenAddress other than the LAN Admin`
			`else`

			`# Check if ListenAddress IPv4 LAN Admin is configured (success if return code = 0)`
			`grep -q "^[[:space:]]ListenAddress[[:space:]]${IPV4_ADMIN_NETWORK}" /etc/ssh/sshd_config`

			`# Return Code a`
			`RCa=$?`

			`# Check if ListenAddress IPv6 LAN Admin is configured (success if return code = 0)`
			`grep -q "^[[:space:]]ListenAddress[[:space:]]${IPV6_ADMIN_NETWORK}" /etc/ssh/sshd_config`

			`# Return Code b`
			`RCb=$?`

			`# ListenAddress for Admin LAN are NOT configured`
			`if [ $RCa -ne 0 ] \|\| [ $RCb -ne 0 ]`
			`then`
			`SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN ;"`
			`echo -e "${RED}Service SSH has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN : check KO${NC}\n"`
			`# ListenAddress for Admin LAN are configured`
			`else`
			`echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for ListenAddress : check OK${NC}\n"`
			`fi`
			`fi`