pub/compliance-scan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add SSH scan support with BSI TR-02102-4 compliance

Browse Source 
- SSH scanning via ssh-audit (KEX, encryption, MAC, host keys)
- BSI TR-02102-4 and IANA compliance validation for SSH
- CSV/Markdown/reST reports for SSH results
- Unified compliance schema and database views
- Code optimization: modular query/writer architecture
This commit is contained in:
Heiko
2026-01-23 11:05:01 +01:00
parent 2b27138b2a
commit f60de7c2da
68 changed files with 7189 additions and 2835 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
tests/fixtures/sample_scan_data.py vendored Normal file
View File

@@ -0,0 +1,95 @@
"""Representative scan data fixtures for compliance testing."""
# Sample scan data with realistic values that match the expected structure for the database writer
SAMPLE_SCAN_DATA = {
"hostname": "test.example.com",
"ports": [22, 443],
"scan_results": {
22: {
# SSH scan results with the structure expected by the generic writer
"kex_algorithms": [
"curve25519-sha256", # Known to be compliant with BSI standards
"diffie-hellman-group14-sha256", # Known to be compliant
"diffie-hellman-group1-sha1", # Known to be non-compliant
],
# Expected by the extraction function
"encryption_algorithms_client_to_server": [
"chacha20-poly1305@openssh.com", # Known to be compliant
"aes256-ctr", # Known to be compliant
"aes128-cbc", # Known to be less secure
],
"encryption_algorithms_server_to_client": [
"chacha20-poly1305@openssh.com", # Known to be compliant
"aes256-ctr", # Known to be compliant
"aes128-cbc", # Known to be less secure
],
# Expected by the extraction function
"mac_algorithms_client_to_server": [
"hmac-sha2-256", # Known to be compliant
"hmac-sha1", # Known to be weak
"hmac-sha2-512", # Known to be compliant
],
"mac_algorithms_server_to_client": [
"hmac-sha2-256", # Known to be compliant
"hmac-sha1", # Known to be weak
"hmac-sha2-512", # Known to be compliant
],
"host_keys": [
{
"algorithm": "rsa-sha2-512",
"type": "rsa", # Changed from 'key_type' to 'type'
"bits": 4096,
"fingerprint": "aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:mm:nn:oo:pp",
},
{
"algorithm": "ecdsa-sha2-nistp256",
"type": "ecdsa", # Changed from 'key_type' to 'type'
"bits": 256,
"fingerprint": "qq:rr:ss:tt:uu:vv:ww:xx:yy:zz:aa:bb:cc:dd:ee:ff",
},
{
"algorithm": "ssh-rsa",
"type": "rsa", # Changed from 'key_type' to 'type'
"bits": 1024, # Too weak
"fingerprint": "gg:hh:ii:jj:kk:ll:mm:nn:oo:pp:qq:rr:ss:tt:uu:vv",
},
],
},
443: {
"tls_versions": ["TLS_1_2", "TLS_1_3"],
"cipher_suites": {
"TLS_1_3": [
"TLS_AES_256_GCM_SHA384", # Known to be compliant
"TLS_CHACHA20_POLY1305_SHA256", # Known to be compliant
"TLS_AES_128_GCM_SHA256", # Known to be compliant
],
"TLS_1_2": [
"ECDHE-RSA-AES256-GCM-SHA384", # Known to be compliant
"ECDHE-RSA-AES128-GCM-SHA256", # Known to be compliant
"ECDHE-RSA-AES256-SHA", # Known to be less secure
],
},
"supported_groups": [
"X25519", # Known to be compliant
"secp256r1", # Known to be compliant
"sect163k1", # Known to be non-compliant
],
"certificates": [
{
"subject": "CN=test.example.com",
"issuer": "CN=Test CA",
"key_type": "RSA",
"key_bits": 4096,
"signature_algorithm": "sha256WithRSAEncryption",
},
{
"subject": "CN=test.example.com",
"issuer": "CN=Weak CA",
"key_type": "RSA",
"key_bits": 1024,
"signature_algorithm": "sha1WithRSAEncryption",
},
],
},
},
}