Add SSH scan support with BSI TR-02102-4 compliance

- SSH scanning via ssh-audit (KEX, encryption, MAC, host keys)
- BSI TR-02102-4 and IANA compliance validation for SSH
- CSV/Markdown/reST reports for SSH results
- Unified compliance schema and database views
- Code optimization: modular query/writer architecture
Heiko
2026-01-23 11:05:01 +01:00
parent 2b27138b2a
commit f60de7c2da
68 changed files with 7189 additions and 2835 deletions


@@ -1,4 +1,4 @@
<?xml version='1.0' encoding='UTF-8'?>
<?xml version='1.0' encoding='UTF-8' ?>
<registry xmlns="http://www.iana.org/assignments" id="ikev2-parameters">
<title>Internet Key Exchange Version 2 (IKEv2) Parameters</title>
<created>2005-01-18</created>
@@ -11,21 +11,65 @@
<description>ENCR_AES_CBC</description>
<esp>Y</esp>
<ikev2>Y</ikev2>
<xref type="rfc" data="rfc3602"/>
<xref type="rfc" data="rfc3602" />
</record>
<record>
<value>20</value>
<description>ENCR_AES_GCM_16</description>
<esp>Y</esp>
<ikev2>Y</ikev2>
<xref type="rfc" data="rfc4106"/>
<xref type="rfc" data="rfc4106" />
</record>
<record>
<value>28</value>
<description>ENCR_CHACHA20_POLY1305</description>
<esp>Y</esp>
<ikev2>Y</ikev2>
<xref type="rfc" data="rfc7634"/>
<xref type="rfc" data="rfc7634" />
</record>
</registry>
<registry id="ikev2-parameters-6">
<title>Transform Type 2 - Pseudorandom Function Transform IDs</title>
<record>
<value>2</value>
<description>PRF_HMAC_SHA1</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc2104" />
</record>
<record>
<value>5</value>
<description>PRF_HMAC_SHA2_256</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc4868" />
</record>
<record>
<value>6</value>
<description>PRF_HMAC_SHA2_384</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc4868" />
</record>
</registry>
<registry id="ikev2-parameters-7">
<title>Transform Type 3 - Integrity Algorithm Transform IDs</title>
<record>
<value>2</value>
<description>AUTH_HMAC_SHA1_96</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc2104" />
</record>
<record>
<value>12</value>
<description>AUTH_HMAC_SHA2_256_128</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc4868" />
</record>
<record>
<value>13</value>
<description>AUTH_HMAC_SHA2_384_192</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc4868" />
</record>
</registry>
@@ -35,19 +79,19 @@
<value>14</value>
<description>2048-bit MODP Group</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc3526"/>
<xref type="rfc" data="rfc3526" />
</record>
<record>
<value>19</value>
<description>256-bit random ECP group</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc5903"/>
<xref type="rfc" data="rfc5903" />
</record>
<record>
<value>31</value>
<description>Curve25519</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc8031"/>
<xref type="rfc" data="rfc8031" />
</record>
</registry>
@@ -57,13 +101,13 @@
<value>1</value>
<description>RSA Digital Signature</description>
<status>DEPRECATED</status>
<xref type="rfc" data="rfc7427"/>
<xref type="rfc" data="rfc7427" />
</record>
<record>
<value>14</value>
<description>Digital Signature</description>
<status>RECOMMENDED</status>
<xref type="rfc" data="rfc7427"/>
<xref type="rfc" data="rfc7427" />
</record>
</registry>
</registry>
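Review bot: PRF_HMAC_SHA1 (value 2, L52) and AUTH_HMAC_SHA1_96 (value 2, L73) in the two new registries carry `<status>RECOMMENDED</status>`, so any IANA/BSI check that keys off this column will accept SHA-1 based IKEv2 PRFs and integrity transforms. RFC 8247 rates both as MUST- (to be phased out) and, as far as I recall, BSI TR-02102-3 only lists the SHA-2 based PRF_HMAC_SHA2_* and AUTH_HMAC_SHA2_* transforms, so if `<status>` feeds the verdict these two records should read `<status>DEPRECATED</status>`, the value this same file already uses for RSA Digital Signature. The `<status>` column does not exist in the IANA IKEv2 registry for these transform types, so presumably it is project-defined; a one-line comment at the top of the file stating whether it mirrors IETF guidance (RFC 8247) or BSI policy would stop the two from being conflated. Note that only the hunks shown here were reviewed; the file continues outside them.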


@@ -0,0 +1,82 @@
<?xml version='1.0' encoding='UTF-8' ?>
<registry xmlns="http://www.iana.org/assignments" id="ssh-parameters">
<title>Secure Shell (SSH) Protocol Parameters</title>
<created>2005-06-02</created>
<updated>2025-01-21</updated>
<registry id="ssh-parameters-16">
<title>Key Exchange Method Names</title>
<record>
<value>curve25519-sha256</value>
<xref type="rfc" data="rfc8731" />
<implement>SHOULD</implement>
</record>
<record>
<value>diffie-hellman-group14-sha256</value>
<xref type="rfc" data="rfc8268" />
<implement>SHOULD</implement>
</record>
<record>
<value>diffie-hellman-group1-sha1</value>
<xref type="rfc" data="rfc4253" />
<implement>MUST NOT</implement>
</record>
</registry>
<registry id="ssh-parameters-17">
<title>Encryption Algorithm Names</title>
<record>
<value>chacha20-poly1305@openssh.com</value>
<xref type="text">OpenSSH</xref>
<implement>SHOULD</implement>
</record>
<record>
<value>aes128-ctr</value>
<xref type="rfc" data="rfc4344" />
<implement>SHOULD</implement>
</record>
<record>
<value>aes256-ctr</value>
<xref type="rfc" data="rfc4344" />
<implement>SHOULD</implement>
</record>
<record>
<value>3des-cbc</value>
<xref type="rfc" data="rfc4253" />
<implement>MUST NOT</implement>
</record>
</registry>
<registry id="ssh-parameters-18">
<title>MAC Algorithm Names</title>
<record>
<value>hmac-sha2-256</value>
<xref type="rfc" data="rfc6668" />
<implement>SHOULD</implement>
</record>
<record>
<value>hmac-sha2-512</value>
<xref type="rfc" data="rfc6668" />
<implement>SHOULD</implement>
</record>
<record>
<value>hmac-sha1</value>
<xref type="rfc" data="rfc4253" />
<implement>SHOULD NOT</implement>
</record>
</registry>
<registry id="ssh-parameters-20">
<title>Compression Algorithm Names</title>
<record>
<value>none</value>
<xref type="rfc" data="rfc4253" />
<implement>MUST</implement>
</record>
<record>
<value>zlib</value>
<xref type="rfc" data="rfc4253" />
<implement>MAY</implement>
</record>
</registry>
</registry>
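Review bot: There is no Public Key Algorithm Names registry (ssh-parameters-19) in this fixture, so the host-key part of the SSH scan announced in the commit message has nothing to check against — `ssh-rsa` (SHA-1 signatures) and `ssh-dss`, the usual host-key findings, cannot be classified from this file. The KEX `<implement>` values also diverge from RFC 9142, the current reference for these methods: it rates `diffie-hellman-group14-sha256` MUST and `diffie-hellman-group1-sha1` SHOULD NOT, where the file says SHOULD and MUST NOT and still cites RFC 4253 for the latter. Since the IANA SSH registry has no implementation-status column at all, `<implement>` appears to be project-defined; a header comment saying whether it encodes IETF status or BSI TR-02102-4 policy would make the later compliance verdicts auditable. Below is a sketch of the missing registry; the `<implement>` values in it are placeholders to be confirmed against RFC 8332/8709 and the project's own SHOULD/MUST scheme.
```xml
  <!-- … unchanged: Key Exchange, Encryption and MAC registries … -->
  <registry id="ssh-parameters-19">
    <title>Public Key Algorithm Names</title>
    <record>
      <value>ssh-ed25519</value>
      <xref type="rfc" data="rfc8709" />
      <implement>SHOULD</implement>
    </record>
    <record>
      <value>rsa-sha2-256</value>
      <xref type="rfc" data="rfc8332" />
      <implement>SHOULD</implement>
    </record>
    <record>
      <value>rsa-sha2-512</value>
      <xref type="rfc" data="rfc8332" />
      <implement>MAY</implement>
    </record>
    <record>
      <value>ecdsa-sha2-nistp256</value>
      <xref type="rfc" data="rfc5656" />
      <implement>MAY</implement>
    </record>
    <record>
      <value>ssh-rsa</value>
      <xref type="rfc" data="rfc4253" />
      <implement>SHOULD NOT</implement>
    </record>
    <record>
      <value>ssh-dss</value>
      <xref type="rfc" data="rfc4253" />
      <implement>SHOULD NOT</implement>
    </record>
  </registry>
  <!-- … unchanged: Compression Algorithm Names registry … -->
```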


@@ -1,4 +1,4 @@
<?xml version='1.0' encoding='UTF-8'?>
<?xml version='1.0' encoding='UTF-8' ?>
<registry xmlns="http://www.iana.org/assignments" id="tls-parameters">
<title>Transport Layer Security (TLS) Parameters</title>
<category>Transport Layer Security (TLS)</category>
@@ -12,35 +12,35 @@
<description>TLS_AES_128_GCM_SHA256</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446"/>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>0x13,0x02</value>
<description>TLS_AES_256_GCM_SHA384</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446"/>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>0x00,0x9C</value>
<description>TLS_RSA_WITH_AES_128_GCM_SHA256</description>
<dtls>Y</dtls>
<rec>N</rec>
<xref type="rfc" data="rfc5288"/>
<xref type="rfc" data="rfc5288" />
</record>
<record>
<value>0x00,0x2F</value>
<description>TLS_RSA_WITH_AES_128_CBC_SHA</description>
<dtls>Y</dtls>
<rec>N</rec>
<xref type="rfc" data="rfc5246"/>
<xref type="rfc" data="rfc5246" />
</record>
<record>
<value>0x00,0x0A</value>
<description>TLS_RSA_WITH_3DES_EDE_CBC_SHA</description>
<dtls>Y</dtls>
<rec>N</rec>
<xref type="rfc" data="rfc5246"/>
<xref type="rfc" data="rfc5246" />
</record>
</registry>
@@ -51,21 +51,21 @@
<description>secp256r1</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8422"/>
<xref type="rfc" data="rfc8422" />
</record>
<record>
<value>24</value>
<description>secp384r1</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8422"/>
<xref type="rfc" data="rfc8422" />
</record>
<record>
<value>29</value>
<description>x25519</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446"/>
<xref type="rfc" data="rfc8446" />
</record>
</registry>
@@ -76,21 +76,99 @@
<description>ecdsa_secp256r1_sha256</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446"/>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>0x0804</value>
<description>rsa_pss_rsae_sha256</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446"/>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>0x0401</value>
<description>rsa_pkcs1_sha256</description>
<dtls>Y</dtls>
<rec>N</rec>
<xref type="rfc" data="rfc8446"/>
<xref type="rfc" data="rfc8446" />
</record>
</registry>
<registry id="tls-parameters-6">
<title>TLS Alert Messages</title>
<record>
<value>0</value>
<description>close_notify</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>10</value>
<description>unexpected_message</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>20</value>
<description>bad_record_mac</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>40</value>
<description>handshake_failure</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>80</value>
<description>internal_error</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446" />
</record>
</registry>
<registry id="tls-parameters-5">
<title>TLS ContentType</title>
<record>
<value>20</value>
<description>change_cipher_spec</description>
<dtls>Y</dtls>
<rec>N</rec>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>21</value>
<description>alert</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>22</value>
<description>handshake</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>23</value>
<description>application_data</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc8446" />
</record>
<record>
<value>24</value>
<description>heartbeat</description>
<dtls>Y</dtls>
<rec>Y</rec>
<xref type="rfc" data="rfc6520" />
</record>
</registry>
</registry>
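Review bot: `<rec>Y</rec>` on the `heartbeat` content type (value 24, L378) and `<rec>N</rec>` on `change_cipher_spec` (value 20, L350) are policy judgments rather than registry data — the IANA ContentType and Alert registries have no Recommended column, unlike cipher suites, supported groups and signature schemes. If the compliance layer walks `<rec>` generically, a server that negotiates the RFC 6520 heartbeat extension (the Heartbleed surface, normally disabled in hardened deployments) would be reported as using a recommended feature, while the TLS 1.2 change_cipher_spec message, which every TLS 1.2 handshake sends, would be flagged. Either drop `<rec>` from these two registries so the loader treats them as informational, or add a comment such as `<!-- rec on alerts/content types is project policy, not an IANA column -->` and reconsider heartbeat as `<rec>N</rec>`. Only the hunks shown here were reviewed; the file continues outside them.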

tests/fixtures/sample_scan_data.py vendored Normal file

@@ -0,0 +1,95 @@
"""Representative scan data fixtures for compliance testing."""
# Sample scan data with realistic values that match the expected structure for the database writer
SAMPLE_SCAN_DATA = {
"hostname": "test.example.com",
"ports": [22, 443],
"scan_results": {
22: {
# SSH scan results with the structure expected by the generic writer
"kex_algorithms": [
"curve25519-sha256", # Known to be compliant with BSI standards
"diffie-hellman-group14-sha256", # Known to be compliant
"diffie-hellman-group1-sha1", # Known to be non-compliant
],
# Expected by the extraction function
"encryption_algorithms_client_to_server": [
"chacha20-poly1305@openssh.com", # Known to be compliant
"aes256-ctr", # Known to be compliant
"aes128-cbc", # Known to be less secure
],
"encryption_algorithms_server_to_client": [
"chacha20-poly1305@openssh.com", # Known to be compliant
"aes256-ctr", # Known to be compliant
"aes128-cbc", # Known to be less secure
],
# Expected by the extraction function
"mac_algorithms_client_to_server": [
"hmac-sha2-256", # Known to be compliant
"hmac-sha1", # Known to be weak
"hmac-sha2-512", # Known to be compliant
],
"mac_algorithms_server_to_client": [
"hmac-sha2-256", # Known to be compliant
"hmac-sha1", # Known to be weak
"hmac-sha2-512", # Known to be compliant
],
"host_keys": [
{
"algorithm": "rsa-sha2-512",
"type": "rsa", # Changed from 'key_type' to 'type'
"bits": 4096,
"fingerprint": "aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:mm:nn:oo:pp",
},
{
"algorithm": "ecdsa-sha2-nistp256",
"type": "ecdsa", # Changed from 'key_type' to 'type'
"bits": 256,
"fingerprint": "qq:rr:ss:tt:uu:vv:ww:xx:yy:zz:aa:bb:cc:dd:ee:ff",
},
{
"algorithm": "ssh-rsa",
"type": "rsa", # Changed from 'key_type' to 'type'
"bits": 1024, # Too weak
"fingerprint": "gg:hh:ii:jj:kk:ll:mm:nn:oo:pp:qq:rr:ss:tt:uu:vv",
},
],
},
443: {
"tls_versions": ["TLS_1_2", "TLS_1_3"],
"cipher_suites": {
"TLS_1_3": [
"TLS_AES_256_GCM_SHA384", # Known to be compliant
"TLS_CHACHA20_POLY1305_SHA256", # Known to be compliant
"TLS_AES_128_GCM_SHA256", # Known to be compliant
],
"TLS_1_2": [
"ECDHE-RSA-AES256-GCM-SHA384", # Known to be compliant
"ECDHE-RSA-AES128-GCM-SHA256", # Known to be compliant
"ECDHE-RSA-AES256-SHA", # Known to be less secure
],
},
"supported_groups": [
"X25519", # Known to be compliant
"secp256r1", # Known to be compliant
"sect163k1", # Known to be non-compliant
],
"certificates": [
{
"subject": "CN=test.example.com",
"issuer": "CN=Test CA",
"key_type": "RSA",
"key_bits": 4096,
"signature_algorithm": "sha256WithRSAEncryption",
},
{
"subject": "CN=test.example.com",
"issuer": "CN=Weak CA",
"key_type": "RSA",
"key_bits": 1024,
"signature_algorithm": "sha1WithRSAEncryption",
},
],
},
},
}