- SSH scanning via ssh-audit (KEX, encryption, MAC, host keys) - BSI TR-02102-4 and IANA compliance validation for SSH - CSV/Markdown/reST reports for SSH results - Unified compliance schema and database views - Code optimization: modular query/writer architecture
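"""Representative scan data fixtures for compliance testing.

``SAMPLE_SCAN_DATA`` mirrors the dict shape the generic database writer and the
per-port extraction functions consume: one SSH result (port 22) and one TLS
result (port 443). Each list deliberately mixes entries the compliance checks
are expected to accept with entries they are expected to reject, so a test can
verify that both outcomes are recorded.
"""

# Sample scan data with realistic values that match the expected structure for
# the database writer.
#
# NOTE(review): the "expected compliant" / "expected non-compliant" labels in
# the comments below describe what this fixture is meant to exercise; they are
# not an authoritative reading of BSI TR-02102-4 (SSH), TR-02102-2 (TLS) or the
# IANA registries. In particular, curve25519-sha256, chacha20-poly1305@openssh.com
# and X25519 are widely considered strong but, to the reviewer's recollection,
# are not among the algorithms BSI TR-02102 lists as recommended, and BSI's
# key-length guidance has moved towards >= 3000-bit finite-field DH (which
# affects diffie-hellman-group14-sha256). Confirm each label against the
# compliance tables the checker actually uses before asserting on a status.

# SSH key-exchange algorithms reported for port 22.
_SSH_KEX_ALGORITHMS = [
    "curve25519-sha256",  # strong; see the BSI note above before labelling it compliant
    "diffie-hellman-group14-sha256",  # 2048-bit MODP, SHA-256; expected compliant (see DH-size note)
    "diffie-hellman-group1-sha1",  # 1024-bit MODP, SHA-1; expected non-compliant
]

# SSH encryption algorithms. The same list is used for both directions; each
# direction gets its own copy so that a consumer mutating one cannot affect the other.
_SSH_ENCRYPTION_ALGORITHMS = [
    "chacha20-poly1305@openssh.com",  # AEAD; expected compliant (see BSI note above)
    "aes256-ctr",  # expected compliant
    "aes128-cbc",  # CBC mode; expected to be flagged as less secure
]

# SSH MAC algorithms, same per-direction handling as the encryption list.
_SSH_MAC_ALGORITHMS = [
    "hmac-sha2-256",  # expected compliant
    "hmac-sha1",  # SHA-1 based; expected weak
    "hmac-sha2-512",  # expected compliant
]

# SSH host keys. Entry keys are "algorithm", "type", "bits" and "fingerprint".
# Host keys use "type" while the TLS certificate entries below use "key_type";
# both spellings are what the respective extraction code reads, so keep them.
# Fingerprints are 16 colon-separated hex bytes (the MD5-style layout). The
# values are placeholders but are valid hex, so a consumer that decodes them
# does not reject the fixture. TODO confirm this layout against the extraction
# function if it expects ssh-audit's "SHA256:<base64>" form instead.
_SSH_HOST_KEYS = [
    {
        "algorithm": "rsa-sha2-512",
        "type": "rsa",
        "bits": 4096,  # expected compliant
        "fingerprint": "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99",
    },
    {
        "algorithm": "ecdsa-sha2-nistp256",
        "type": "ecdsa",
        "bits": 256,  # expected compliant
        "fingerprint": "01:23:45:67:89:ab:cd:ef:fe:dc:ba:98:76:54:32:10",
    },
    {
        "algorithm": "ssh-rsa",  # SHA-1 based signature scheme
        "type": "rsa",
        "bits": 1024,  # too weak; expected non-compliant
        "fingerprint": "de:ad:be:ef:01:02:03:04:05:06:07:08:09:0a:0b:0c",
    },
]

# TLS cipher suites for port 443, keyed by protocol version. The TLS 1.3 list
# uses IANA names and the TLS 1.2 list uses OpenSSL names; a consumer must
# tolerate both spellings or normalise them -- TODO confirm which form the
# extraction code expects.
_TLS_CIPHER_SUITES = {
    "TLS_1_3": [
        "TLS_AES_256_GCM_SHA384",  # expected compliant
        "TLS_CHACHA20_POLY1305_SHA256",  # expected compliant (see BSI note above)
        "TLS_AES_128_GCM_SHA256",  # expected compliant
    ],
    "TLS_1_2": [
        "ECDHE-RSA-AES256-GCM-SHA384",  # expected compliant
        "ECDHE-RSA-AES128-GCM-SHA256",  # expected compliant
        "ECDHE-RSA-AES256-SHA",  # CBC + HMAC-SHA1; expected to be flagged as less secure
    ],
}

# TLS supported groups (named curves) for port 443.
_TLS_SUPPORTED_GROUPS = [
    "X25519",  # expected compliant (see BSI note above)
    "secp256r1",  # expected compliant
    "sect163k1",  # 163-bit binary-field curve; expected non-compliant
]

# Certificate entries: one strong (4096-bit RSA, SHA-256 signature) and one weak
# (1024-bit RSA key, SHA-1 signature).
_TLS_CERTIFICATES = [
    {
        "subject": "CN=test.example.com",
        "issuer": "CN=Test CA",
        "key_type": "RSA",
        "key_bits": 4096,
        "signature_algorithm": "sha256WithRSAEncryption",
    },
    {
        "subject": "CN=test.example.com",
        "issuer": "CN=Weak CA",
        "key_type": "RSA",
        "key_bits": 1024,  # too weak
        "signature_algorithm": "sha1WithRSAEncryption",  # SHA-1; expected non-compliant
    },
]

SAMPLE_SCAN_DATA = {
    "hostname": "test.example.com",
    "ports": [22, 443],
    # Keyed by integer port number, matching the ``ports`` list above.
    "scan_results": {
        22: {
            "kex_algorithms": list(_SSH_KEX_ALGORITHMS),
            # Both directions are expected by the extraction function.
            "encryption_algorithms_client_to_server": list(_SSH_ENCRYPTION_ALGORITHMS),
            "encryption_algorithms_server_to_client": list(_SSH_ENCRYPTION_ALGORITHMS),
            "mac_algorithms_client_to_server": list(_SSH_MAC_ALGORITHMS),
            "mac_algorithms_server_to_client": list(_SSH_MAC_ALGORITHMS),
            "host_keys": _SSH_HOST_KEYS,
        },
        443: {
            "tls_versions": ["TLS_1_2", "TLS_1_3"],
            "cipher_suites": _TLS_CIPHER_SUITES,
            "supported_groups": _TLS_SUPPORTED_GROUPS,
            "certificates": _TLS_CERTIFICATES,
        },
    },
}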