PublicMirrors/vps-audit
1
0
Fork 0
mirror of https://github.com/vernu/vps-audit.git synced 2025-01-23 13:35:06 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

handle cases where sshd_config.d override is missing

Browse Source
This commit is contained in:
Israel Abebe 2024-12-14 23:00:34 +03:00 committed by GitHub
parent 1a7cfaf42f
commit e52459b719
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
vps-audit.sh
View File

@ -111,10 +111,14 @@ else
fi fi
# Check SSH config overrides # Check SSH config overrides
SSH_OVERRIDES=$(grep "^Include" /etc/ssh/sshd_config | awk '{print $2}') SSH_CONFIG_OVERRIDES=$(grep "^Include" /etc/ssh/sshd_config 2>/dev/null | awk '{print $2}')
# Check SSH root login # Check SSH root login (handle both main config and overrides if they exist)
SSH_ROOT=$(grep "^PermitRootLogin" $SSH_OVERRIDES /etc/ssh/sshd_config | head -1 | awk '{print $2}') if [ -n "$SSH_CONFIG_OVERRIDES" ] && [ -d "$(dirname "$SSH_CONFIG_OVERRIDES")" ]; then
SSH_ROOT=$(grep "^PermitRootLogin" $SSH_CONFIG_OVERRIDES /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
else
SSH_ROOT=$(grep "^PermitRootLogin" /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
fi
if [ -z "$SSH_ROOT" ]; then if [ -z "$SSH_ROOT" ]; then
SSH_ROOT="prohibit-password" SSH_ROOT="prohibit-password"
fi fi
@ -124,8 +128,12 @@ else
check_security "SSH Root Login" "FAIL" "Root login is currently allowed - this is a security risk. Disable it in /etc/ssh/sshd_config" check_security "SSH Root Login" "FAIL" "Root login is currently allowed - this is a security risk. Disable it in /etc/ssh/sshd_config"
fi fi
# Check SSH password authentication # Check SSH password authentication (handle both main config and overrides if they exist)
SSH_PASSWORD=$(grep "^PasswordAuthentication" $SSH_OVERRIDES /etc/ssh/sshd_config | head -1 | awk '{print $2}') if [ -n "$SSH_CONFIG_OVERRIDES" ] && [ -d "$(dirname "$SSH_CONFIG_OVERRIDES")" ]; then
SSH_PASSWORD=$(grep "^PasswordAuthentication" $SSH_CONFIG_OVERRIDES /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
else
SSH_PASSWORD=$(grep "^PasswordAuthentication" /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
fi
if [ -z "$SSH_PASSWORD" ]; then if [ -z "$SSH_PASSWORD" ]; then
SSH_PASSWORD="yes" SSH_PASSWORD="yes"
fi fi
@ -136,7 +144,11 @@ else
fi fi
# Check SSH default port # Check SSH default port
SSH_PORT=$(grep "^Port" $SSH_OVERRIDES /etc/ssh/sshd_config | head -1 | awk '{print $2}') if [ -n "$SSH_CONFIG_OVERRIDES" ] && [ -d "$(dirname "$SSH_CONFIG_OVERRIDES")" ]; then
SSH_PORT=$(grep "^Port" $SSH_CONFIG_OVERRIDES /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
else
SSH_PORT=$(grep "^Port" /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
fi
if [ -z "$SSH_PORT" ]; then if [ -z "$SSH_PORT" ]; then
SSH_PORT="22" SSH_PORT="22"
fi fi