Update SSH examples

Heiko Kiesel · Heiko Kiesel · commit 6f9d7dd34d3d · 2023-08-25T16:34:17.000+02:00
Signed-off-by: Heiko Kiesel &lt;heiko.kiesel@iteratec.com&gt;
diff --git a/scanners/ssh-scan/examples/demo-app-ssh/README.md b/scanners/ssh-scan/examples/demo-app-ssh/README.md
@@ -0,0 +1,19 @@
+<!--
+SPDX-FileCopyrightText: the secureCodeBox authors
+SPDX-License-Identifier: Apache-2.0
+-->
+
+In this example we execute an kubeaudit scan against the intentional vulnerable [dummy-ssh](https://github.com/secureCodeBox/secureCodeBox/tree/main/demo-targets/dummy-ssh)
+
+#### Initialize dummy-ssh in cluster
+
+Before executing the scan, make sure to setup dummy-ssh
+
+```bash
+helm upgrade --install dummy-ssh secureCodeBox/dummy-ssh --wait
+```
+
+After that you can execute the scan in this directory:
+```bash
+kubectl apply -f scan.yaml
+```
diff --git a/scanners/ssh-scan/examples/demo-app-ssh/findings.json b/scanners/ssh-scan/examples/demo-app-ssh/findings.json
@@ -0,0 +1 @@
+[{"name":"SSH Service","description":"SSH Service Information","identified_at":"2023-08-23T07:50:40.000Z","category":"SSH Service","osi_layer":"APPLICATION","severity":"INFORMATIONAL","reference":{},"mitigation":null,"location":"dummy-ssh","attributes":{"hostname":"dummy-ssh","ip_addresses":["10.96.2.217"],"server_banner":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8","ssh_version":2,"os_cpe":"o:canonical:ubuntu:16.04","ssh_lib_cpe":"a:openssh:openssh:7.2p2","compliance_policy":"Mozilla Modern","compliant":false,"grade":"D","references":["https://wiki.mozilla.org/Security/Guidelines/OpenSSH"],"auth_methods":["publickey","password"],"key_algorithms":["curve25519-sha256@libssh.org","ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521","diffie-hellman-group-exchange-sha256","diffie-hellman-group14-sha1"],"encryption_algorithms":["chacha20-poly1305@openssh.com","aes128-ctr","aes192-ctr","aes256-ctr","aes128-gcm@openssh.com","aes256-gcm@openssh.com"],"mac_algorithms":["umac-64-etm@openssh.com","umac-128-etm@openssh.com","hmac-sha2-256-etm@openssh.com","hmac-sha2-512-etm@openssh.com","hmac-sha1-etm@openssh.com","umac-64@openssh.com","umac-128@openssh.com","hmac-sha2-256","hmac-sha2-512","hmac-sha1"],"compression_algorithms":["none","zlib@openssh.com"]},"id":"a9534b13-8a2e-4d82-b47b-3481f606caff","parsed_at":"2023-08-23T07:50:52.999Z"},{"name":"Insecure SSH Key Algorithms","description":"Deprecated / discouraged SSH key algorithms are used","category":"SSH Policy Violation","osi_layer":"NETWORK","severity":"MEDIUM","reference":{},"mitigation":"Remove these key exchange algorithms: diffie-hellman-group14-sha1","location":"dummy-ssh","attributes":{"hostname":"dummy-ssh","ip_addresses":["10.96.2.217"],"payload":["diffie-hellman-group14-sha1"]},"id":"4c16901e-2f00-4dd8-a636-5ff490a11327","parsed_at":"2023-08-23T07:50:52.999Z"},{"name":"Insecure SSH MAC Algorithms","description":"Deprecated / discouraged SSH MAC algorithms are used","category":"SSH Policy Violation","osi_layer":"NETWORK","severity":"MEDIUM","reference":{},"mitigation":"Remove these MAC algorithms: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1","location":"dummy-ssh","attributes":{"hostname":"dummy-ssh","ip_addresses":["10.96.2.217"],"payload":["umac-64-etm@openssh.com","hmac-sha1-etm@openssh.com","umac-64@openssh.com","hmac-sha1"]},"id":"19e4cfaf-e94f-4f05-a801-422bd1ad7f3c","parsed_at":"2023-08-23T07:50:52.999Z"},{"name":"Discouraged SSH authentication methods","description":"Discouraged SSH authentication methods are used","category":"SSH Policy Violation","osi_layer":"NETWORK","severity":"MEDIUM","reference":{},"mitigation":"Remove these authentication methods: password","location":"dummy-ssh","attributes":{"hostname":"dummy-ssh","ip_addresses":["10.96.2.217"],"payload":["password"]},"id":"909882f1-e2bc-4137-9ff7-20fee5e9dd2f","parsed_at":"2023-08-23T07:50:52.999Z"}]
diff --git a/scanners/ssh-scan/examples/demo-app-ssh/findings.yaml b/scanners/ssh-scan/examples/demo-app-ssh/findings.yaml
diff --git a/scanners/ssh-scan/examples/demo-app-ssh/scan.yaml b/scanners/ssh-scan/examples/demo-app-ssh/scan.yaml
@@ -10,4 +10,4 @@ spec:
   scanType: "ssh-scan"
   parameters:
     - "-t"
-    - "dummy-ssh.demo-targets.svc"
+    - "dummy-ssh"
diff --git a/scanners/ssh-scan/examples/demo-app-ssh/ssh-scan-results.json b/scanners/ssh-scan/examples/demo-app-ssh/ssh-scan-results.json
@@ -1,8 +1,8 @@
 [
   {
-    "ssh_scan_version": "0.0.43",
-    "ip": "10.102.131.102",
-    "hostname": "dummy-ssh.demo-targets.svc",
+    "ssh_scan_version": "0.0.44",
+    "ip": "10.96.2.217",
+    "hostname": "dummy-ssh",
     "port": 22,
     "server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
     "ssh_version": 2.0,
@@ -124,8 +124,8 @@
       ],
       "grade": "D"
     },
-    "start_time": "2020-06-28 17:55:43 +0000",
-    "end_time": "2020-06-28 17:55:43 +0000",
-    "scan_duration_seconds": 0.2357902
+    "start_time": "2023-08-23 07:50:40 +0000",
+    "end_time": "2023-08-23 07:50:40 +0000",
+    "scan_duration_seconds": 0.151072701
   }
 ]
diff --git a/scanners/ssh-scan/examples/demo-app-ssh/ssh-scan-results.json.license b/scanners/ssh-scan/examples/demo-app-ssh/ssh-scan-results.json.license
diff --git a/scanners/ssh-scan/examples/localhost/findings.json b/scanners/ssh-scan/examples/localhost/findings.json
@@ -1,7 +1,3 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
 [
   {
     "ssh_scan_version": "0.0.42",

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+[{"name":"SSH Service","description":"SSH Service Information","identified_at":"2023-08-23T07:50:40.000Z","category":"SSH Service","osi_layer":"APPLICATION","severity":"INFORMATIONAL","reference":{},"mitigation":null,"location":"dummy-ssh","attributes":{"hostname":"dummy-ssh","ip_addresses":["10.96.2.217"],"server_banner":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8","ssh_version":2,"os_cpe":"o:canonical:ubuntu:16.04","ssh_lib_cpe":"a:openssh:openssh:7.2p2","compliance_policy":"Mozilla Modern","compliant":false,"grade":"D","references":["https://wiki.mozilla.org/Security/Guidelines/OpenSSH"],"auth_methods":["publickey","password"],"key_algorithms":["curve25519-sha256@libssh.org","ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521","diffie-hellman-group-exchange-sha256","diffie-hellman-group14-sha1"],"encryption_algorithms":["chacha20-poly1305@openssh.com","aes128-ctr","aes192-ctr","aes256-ctr","aes128-gcm@openssh.com","aes256-gcm@openssh.com"],"mac_algorithms":["umac-64-etm@openssh.com","umac-128-etm@openssh.com","hmac-sha2-256-etm@openssh.com","hmac-sha2-512-etm@openssh.com","hmac-sha1-etm@openssh.com","umac-64@openssh.com","umac-128@openssh.com","hmac-sha2-256","hmac-sha2-512","hmac-sha1"],"compression_algorithms":["none","zlib@openssh.com"]},"id":"a9534b13-8a2e-4d82-b47b-3481f606caff","parsed_at":"2023-08-23T07:50:52.999Z"},{"name":"Insecure SSH Key Algorithms","description":"Deprecated / discouraged SSH key algorithms are used","category":"SSH Policy Violation","osi_layer":"NETWORK","severity":"MEDIUM","reference":{},"mitigation":"Remove these key exchange algorithms: diffie-hellman-group14-sha1","location":"dummy-ssh","attributes":{"hostname":"dummy-ssh","ip_addresses":["10.96.2.217"],"payload":["diffie-hellman-group14-sha1"]},"id":"4c16901e-2f00-4dd8-a636-5ff490a11327","parsed_at":"2023-08-23T07:50:52.999Z"},{"name":"Insecure SSH MAC Algorithms","description":"Deprecated / discouraged SSH MAC algorithms are used","category":"SSH Policy Violation","osi_layer":"NETWORK","severity":"MEDIUM","reference":{},"mitigation":"Remove these MAC algorithms: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1","location":"dummy-ssh","attributes":{"hostname":"dummy-ssh","ip_addresses":["10.96.2.217"],"payload":["umac-64-etm@openssh.com","hmac-sha1-etm@openssh.com","umac-64@openssh.com","hmac-sha1"]},"id":"19e4cfaf-e94f-4f05-a801-422bd1ad7f3c","parsed_at":"2023-08-23T07:50:52.999Z"},{"name":"Discouraged SSH authentication methods","description":"Discouraged SSH authentication methods are used","category":"SSH Policy Violation","osi_layer":"NETWORK","severity":"MEDIUM","reference":{},"mitigation":"Remove these authentication methods: password","location":"dummy-ssh","attributes":{"hostname":"dummy-ssh","ip_addresses":["10.96.2.217"],"payload":["password"]},"id":"909882f1-e2bc-4137-9ff7-20fee5e9dd2f","parsed_at":"2023-08-23T07:50:52.999Z"}]
Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,8 @@`
`1`	`1`	`[`
`2`	`2`	`{`
`3`		`- "ssh_scan_version": "0.0.43",`
`4`		`- "ip": "10.102.131.102",`
`5`		`- "hostname": "dummy-ssh.demo-targets.svc",`
	`3`	`+ "ssh_scan_version": "0.0.44",`
	`4`	`+ "ip": "10.96.2.217",`
	`5`	`+ "hostname": "dummy-ssh",`
`6`	`6`	`"port": 22,`
`7`	`7`	`"server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",`
`8`	`8`	`"ssh_version": 2.0,`
`@@ -124,8 +124,8 @@`
`124`	`124`	`],`
`125`	`125`	`"grade": "D"`
`126`	`126`	`},`
`127`		`- "start_time": "2020-06-28 17:55:43 +0000",`
`128`		`- "end_time": "2020-06-28 17:55:43 +0000",`
`129`		`- "scan_duration_seconds": 0.2357902`
	`127`	`+ "start_time": "2023-08-23 07:50:40 +0000",`
	`128`	`+ "end_time": "2023-08-23 07:50:40 +0000",`
	`129`	`+ "scan_duration_seconds": 0.151072701`
`130`	`130`	`}`
`131`	`131`	`]`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,3 @@`
`1`		`-# SPDX-FileCopyrightText: the secureCodeBox authors`
`2`		`-#`
`3`		`-# SPDX-License-Identifier: Apache-2.0`
`4`		`-`
`5`	`1`	`[`
`6`	`2`	`{`
`7`	`3`	`"ssh_scan_version": "0.0.42",`