in src/common/commonutils/SshUtils.c [1332:1505]
// Dispatch one SSH audit or remediation check by object name.
//
// name:   identifier of the check; compared against the g_auditEnsure*Object
//         and g_remediateEnsure*Object identifiers below.
// value:  caller-supplied desired value, passed to InitializeSshAuditCheck
//         on the remediation paths; ignored by the audit paths.
// reason: optional out-parameter receiving a human-readable audit result.
//         Audit checks report only through *reason (their return values are
//         discarded and status stays 0); see the tail of the function for how
//         an empty reason is filled in.
// log:    logging handle.
//
// Returns EINVAL when name is NULL, otherwise the status of the remediation
// helper that ran (0 for every audit path, and 0 for an unsupported name).
int ProcessSshAuditCheck(const char* name, char* value, char** reason, OsConfigLogHandle log)
{
// Lowercased copy of the current setting under test; at most one branch
// allocates it and it is released once, below, before the tail logic.
char* lowercase = NULL;
int status = 0;
if (NULL == name)
{
OsConfigLogError(log, "ProcessSshAuditCheck: invalid check name argument");
return EINVAL;
}
// Clear any previously captured reason before dispatching.
OsConfigResetReason(reason);
// ---- Audit paths: each calls a Check* helper whose outcome is captured in
// *reason. The "desired ? desired : default" pattern uses the configured
// desired value when one has been set and the built-in default otherwise.
if (0 == strcmp(name, g_auditEnsurePermissionsOnEtcSshSshdConfigObject))
{
// NOTE(review): strtol is called with no endptr/errno check, so a malformed
// permissions string silently becomes 0 (or a partial prefix) and the audit
// compares against that mode. Confirm InitializeSshAuditCheck validates the
// value before it reaches g_desiredPermissionsOnEtcSshSshdConfig.
CheckFileAccess(g_sshServerConfiguration, 0, 0, strtol(g_desiredPermissionsOnEtcSshSshdConfig ?
g_desiredPermissionsOnEtcSshSshdConfig : g_sshDefaultSshSshdConfigAccess, NULL, 8), reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshPortIsConfiguredObject))
{
lowercase = DuplicateStringToLowercase(g_sshPort);
// Third argument (NULL) is an unused out-pointer of CheckSshOptionIsSet;
// only the reason text is wanted here. Same for the other option checks.
CheckSshOptionIsSet(lowercase, g_desiredSshPort ? g_desiredSshPort : g_sshDefaultSshPort, NULL, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshBestPracticeProtocolObject))
{
CheckSshProtocol(reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshBestPracticeIgnoreRhostsObject))
{
lowercase = DuplicateStringToLowercase(g_sshIgnoreHosts);
CheckSshOptionIsSet(lowercase, g_desiredSshBestPracticeIgnoreRhosts ? g_desiredSshBestPracticeIgnoreRhosts : g_sshDefaultSshYes, NULL, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshLogLevelIsSetObject))
{
lowercase = DuplicateStringToLowercase(g_sshLogLevel);
CheckSshOptionIsSet(lowercase, g_desiredSshLogLevelIsSet ? g_desiredSshLogLevelIsSet : g_sshDefaultSshLogLevel, NULL, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshMaxAuthTriesIsSetObject))
{
lowercase = DuplicateStringToLowercase(g_sshMaxAuthTries);
CheckSshOptionIsSet(lowercase, g_desiredSshMaxAuthTriesIsSet ? g_desiredSshMaxAuthTriesIsSet : g_sshDefaultSshMaxAuthTries, NULL, reason, log);
}
// Allow/Deny Users/Groups share one helper that takes the expected list
// directly rather than the (option, desired, out) triple used above.
else if (0 == strcmp(name, g_auditEnsureAllowUsersIsConfiguredObject))
{
lowercase = DuplicateStringToLowercase(g_sshAllowUsers);
CheckAllowDenyUsersGroups(lowercase, g_desiredAllowUsersIsConfigured ? g_desiredAllowUsersIsConfigured : g_sshDefaultSshAllowUsers, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureDenyUsersIsConfiguredObject))
{
lowercase = DuplicateStringToLowercase(g_sshDenyUsers);
CheckAllowDenyUsersGroups(lowercase, g_desiredDenyUsersIsConfigured ? g_desiredDenyUsersIsConfigured : g_sshDefaultSshDenyUsers, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureAllowGroupsIsConfiguredObject))
{
lowercase = DuplicateStringToLowercase(g_sshAllowGroups);
CheckAllowDenyUsersGroups(lowercase, g_desiredAllowGroupsIsConfigured ? g_desiredAllowGroupsIsConfigured : g_sshDefaultSshAllowGroups, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureDenyGroupsConfiguredObject))
{
lowercase = DuplicateStringToLowercase(g_sshDenyGroups);
CheckAllowDenyUsersGroups(lowercase, g_desiredDenyGroupsConfigured ? g_desiredDenyGroupsConfigured : g_sshDefaultSshDenyGroups, reason, log);
}
// The "IsDisabled" checks expect the option to be "no" unless overridden.
else if (0 == strcmp(name, g_auditEnsureSshHostbasedAuthenticationIsDisabledObject))
{
lowercase = DuplicateStringToLowercase(g_sshHostBasedAuthentication);
CheckSshOptionIsSet(lowercase, g_desiredSshHostbasedAuthenticationIsDisabled ? g_desiredSshHostbasedAuthenticationIsDisabled : g_sshDefaultSshNo, NULL, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshPermitRootLoginIsDisabledObject))
{
lowercase = DuplicateStringToLowercase(g_sshPermitRootLogin);
CheckSshOptionIsSet(lowercase, g_desiredSshPermitRootLoginIsDisabled ? g_desiredSshPermitRootLoginIsDisabled : g_sshDefaultSshNo, NULL, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshPermitEmptyPasswordsIsDisabledObject))
{
lowercase = DuplicateStringToLowercase(g_sshPermitEmptyPasswords);
CheckSshOptionIsSet(lowercase, g_desiredSshPermitEmptyPasswordsIsDisabled ? g_desiredSshPermitEmptyPasswordsIsDisabled : g_sshDefaultSshNo, NULL, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshClientIntervalCountMaxIsConfiguredObject))
{
lowercase = DuplicateStringToLowercase(g_sshClientAliveCountMax);
CheckSshOptionIsSet(lowercase, g_desiredSshClientIntervalCountMaxIsConfigured ? g_desiredSshClientIntervalCountMaxIsConfigured : g_sshDefaultSshClientIntervalCountMax, NULL, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshClientAliveIntervalIsConfiguredObject))
{
CheckSshClientAliveInterval(reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshLoginGraceTimeIsSetObject))
{
CheckSshLoginGraceTime(g_desiredSshLoginGraceTimeIsSet ? g_desiredSshLoginGraceTimeIsSet : g_sshDefaultSshLoginGraceTime, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureOnlyApprovedMacAlgorithmsAreUsedObject))
{
CheckOnlyApprovedMacAlgorithmsAreUsed(g_desiredOnlyApprovedMacAlgorithmsAreUsed ? g_desiredOnlyApprovedMacAlgorithmsAreUsed : g_sshDefaultSshMacs, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureSshWarningBannerIsEnabledObject))
{
// NOTE(review): the banner file is audited against the sshd_config
// permissions setting (g_desiredPermissionsOnEtcSshSshdConfig), not a
// banner-specific one; confirm that sharing is intended. Same unchecked
// strtol caveat as the permissions check above.
CheckSshWarningBanner(g_sshBannerFile, g_desiredSshWarningBannerIsEnabled ? g_desiredSshWarningBannerIsEnabled : g_sshDefaultSshBannerText,
strtol(g_desiredPermissionsOnEtcSshSshdConfig ? g_desiredPermissionsOnEtcSshSshdConfig : g_sshDefaultSshSshdConfigAccess, NULL, 8), reason, log);
}
else if (0 == strcmp(name, g_auditEnsureUsersCannotSetSshEnvironmentOptionsObject))
{
lowercase = DuplicateStringToLowercase(g_sshPermitUserEnvironment);
CheckSshOptionIsSet(lowercase, g_desiredUsersCannotSetSshEnvironmentOptions ? g_desiredUsersCannotSetSshEnvironmentOptions : g_sshDefaultSshNo, NULL, reason, log);
}
else if (0 == strcmp(name, g_auditEnsureAppropriateCiphersForSshObject))
{
CheckAppropriateCiphersForSsh(g_desiredAppropriateCiphersForSsh ? g_desiredAppropriateCiphersForSsh : g_sshDefaultSshCiphers, reason, log);
}
// ---- Remediation paths: InitializeSshAuditCheck(name, value, log) records
// the desired value first; only the two file-touching remediations below
// then act directly, and only when that initialization returned 0.
else if (0 == strcmp(name, g_remediateEnsurePermissionsOnEtcSshSshdConfigObject))
{
if (0 == (status = InitializeSshAuditCheck(name, value, log)))
{
// NOTE(review): an unparseable permissions string becomes mode 0 here and
// is applied to the sshd configuration file; verify the value is validated
// upstream before relying on this path.
status = SetFileAccess(g_sshServerConfiguration, 0, 0, strtol(g_desiredPermissionsOnEtcSshSshdConfig ?
g_desiredPermissionsOnEtcSshSshdConfig : g_sshDefaultSshSshdConfigAccess, NULL, 8), log);
}
}
// These remediations only record the desired value here; presumably the
// actual sshd_config rewrite happens elsewhere (not visible in this function).
else if ((0 == strcmp(name, g_remediateEnsureSshPortIsConfiguredObject)) ||
(0 == strcmp(name, g_remediateEnsureSshBestPracticeProtocolObject)) ||
(0 == strcmp(name, g_remediateEnsureSshBestPracticeIgnoreRhostsObject)) ||
(0 == strcmp(name, g_remediateEnsureSshLogLevelIsSetObject)) ||
(0 == strcmp(name, g_remediateEnsureSshMaxAuthTriesIsSetObject)) ||
(0 == strcmp(name, g_remediateEnsureAllowUsersIsConfiguredObject)) ||
(0 == strcmp(name, g_remediateEnsureDenyUsersIsConfiguredObject)) ||
(0 == strcmp(name, g_remediateEnsureAllowGroupsIsConfiguredObject)) ||
(0 == strcmp(name, g_remediateEnsureDenyGroupsConfiguredObject)) ||
(0 == strcmp(name, g_remediateEnsureSshHostbasedAuthenticationIsDisabledObject)) ||
(0 == strcmp(name, g_remediateEnsureSshPermitRootLoginIsDisabledObject)) ||
(0 == strcmp(name, g_remediateEnsureSshPermitEmptyPasswordsIsDisabledObject)) ||
(0 == strcmp(name, g_remediateEnsureSshClientIntervalCountMaxIsConfiguredObject)) ||
(0 == strcmp(name, g_remediateEnsureSshClientAliveIntervalIsConfiguredObject)) ||
(0 == strcmp(name, g_remediateEnsureSshLoginGraceTimeIsSetObject)) ||
(0 == strcmp(name, g_remediateEnsureOnlyApprovedMacAlgorithmsAreUsedObject)) ||
(0 == strcmp(name, g_remediateEnsureUsersCannotSetSshEnvironmentOptionsObject)) ||
(0 == strcmp(name, g_remediateEnsureAppropriateCiphersForSshObject)))
{
status = InitializeSshAuditCheck(name, value, log);
}
else if (0 == strcmp(name, g_remediateEnsureSshWarningBannerIsEnabledObject))
{
if (0 == (status = InitializeSshAuditCheck(name, value, log)))
{
// Banner file gets the sshd_config permission value (see audit note above);
// g_desiredSshWarningBannerIsEnabled is passed as-is, with no default here.
status = SetSshWarningBanner(strtol(g_desiredPermissionsOnEtcSshSshdConfig ?
g_desiredPermissionsOnEtcSshSshdConfig : g_sshDefaultSshSshdConfigAccess, NULL, 8), g_desiredSshWarningBannerIsEnabled, log);
}
}
else
{
// NOTE(review): an unsupported name is logged but reported as success
// (status 0), so a caller cannot distinguish a typo'd or unimplemented
// check from a check that ran. Confirm this is the intended contract.
OsConfigLogError(log, "ProcessSshAuditCheck: unsupported check name '%s', nothing done", name);
status = 0;
}
FREE_MEMORY(lowercase);
// Audit tail: when the caller asked for a reason and no Check* helper
// produced one, synthesize it. A nonzero IsSshServerActive result is treated
// as "server not present/active" and reported as a pass; otherwise the
// missing reason is treated as a failure.
if ((NULL != reason) && (NULL == *reason))
{
if (0 != IsSshServerActive(log))
{
OsConfigCaptureSuccessReason(reason, "%s is not present or active, nothing to audit", g_sshServerService);
}
else
{
OsConfigLogInfo(log, "ProcessSshAuditCheck(%s): audit failure without a reason", name);
OsConfigCaptureReason(reason, SECURITY_AUDIT_FAIL);
}
}
// Remediation tail: a value with no reason pointer is the remediation
// calling convention; presumably this flags the session as no longer
// audit-only for later code (not visible here).
else if ((NULL != value) && (NULL == reason))
{
g_auditOnlySession = false;
}
// NOTE(review): the caller-supplied value is logged verbatim; confirm the
// log destination is appropriate for whatever content callers may pass.
OsConfigLogInfo(log, "ProcessSshAuditCheck(%s, '%s'): '%s' and %d", name, value ? value : "", (NULL != reason) ? *reason : "", status);
return status;
}