Add SSH scan support with BSI TR-02102-4 compliance

- SSH scanning via ssh-audit (KEX, encryption, MAC, host keys) - BSI TR-02102-4 and IANA compliance validation for SSH - CSV/Markdown/reST reports for SSH results - Unified compliance schema and database views - Code optimization: modular query/writer architecture
2026-01-23 11:05:01 +01:00
parent 2b27138b2a
commit f60de7c2da
68 changed files with 7189 additions and 2835 deletions
--- a/tests/fixtures/iana_xml/ssh-parameters-minimal.xml
+++ b/tests/fixtures/iana_xml/ssh-parameters-minimal.xml
@@ -0,0 +1,82 @@
+<?xml version='1.0' encoding='UTF-8' ?>
+<registry xmlns="http://www.iana.org/assignments" id="ssh-parameters">
+  <title>Secure Shell (SSH) Protocol Parameters</title>
+  <created>2005-06-02</created>
+  <updated>2025-01-21</updated>
+
+  <registry id="ssh-parameters-16">
+    <title>Key Exchange Method Names</title>
+    <record>
+      <value>curve25519-sha256</value>
+      <xref type="rfc" data="rfc8731" />
+      <implement>SHOULD</implement>
+    </record>
+    <record>
+      <value>diffie-hellman-group14-sha256</value>
+      <xref type="rfc" data="rfc8268" />
+      <implement>SHOULD</implement>
+    </record>
+    <record>
+      <value>diffie-hellman-group1-sha1</value>
+      <xref type="rfc" data="rfc4253" />
+      <implement>MUST NOT</implement>
+    </record>
+  </registry>
+
+  <registry id="ssh-parameters-17">
+    <title>Encryption Algorithm Names</title>
+    <record>
+      <value>chacha20-poly1305@openssh.com</value>
+      <xref type="text">OpenSSH</xref>
+      <implement>SHOULD</implement>
+    </record>
+    <record>
+      <value>aes128-ctr</value>
+      <xref type="rfc" data="rfc4344" />
+      <implement>SHOULD</implement>
+    </record>
+    <record>
+      <value>aes256-ctr</value>
+      <xref type="rfc" data="rfc4344" />
+      <implement>SHOULD</implement>
+    </record>
+    <record>
+      <value>3des-cbc</value>
+      <xref type="rfc" data="rfc4253" />
+      <implement>MUST NOT</implement>
+    </record>
+  </registry>
+
+  <registry id="ssh-parameters-18">
+    <title>MAC Algorithm Names</title>
+    <record>
+      <value>hmac-sha2-256</value>
+      <xref type="rfc" data="rfc6668" />
+      <implement>SHOULD</implement>
+    </record>
+    <record>
+      <value>hmac-sha2-512</value>
+      <xref type="rfc" data="rfc6668" />
+      <implement>SHOULD</implement>
+    </record>
+    <record>
+      <value>hmac-sha1</value>
+      <xref type="rfc" data="rfc4253" />
+      <implement>SHOULD NOT</implement>
+    </record>
+  </registry>
+
+  <registry id="ssh-parameters-20">
+    <title>Compression Algorithm Names</title>
+    <record>
+      <value>none</value>
+      <xref type="rfc" data="rfc4253" />
+      <implement>MUST</implement>
+    </record>
+    <record>
+      <value>zlib</value>
+      <xref type="rfc" data="rfc4253" />
+      <implement>MAY</implement>
+    </record>
+  </registry>
+</registry>