ssl-baseline skipped all checks #44

Open

nbublikov opened this issue Jun 1, 2021 · 4 comments

Comments


nbublikov commented Jun 1, 2021

Describe the bug
ssl-baseline skipped checks; please see the attached code.

Expected behavior
ssl-baseline starts all checks.

Example code
```
Profile: DevSec SSL/TLS Baseline (ssl-baseline)
Version: 1.6.4
Target: ssh://root@xxxx:22

✔ debugging: Inspec::Version=4.37.20
✔ tcpports=
{:port=>22, :socket=>#<struct port=22, address="0.0.0.0", protocol="tcp", process="sshd", pid=494>}
{:port=>22, :socket=>#<struct port=22, address="::", protocol="tcp6", process="sshd", pid=494>}
{:port=>53, :socket=>#<struct port=53, address="127.0.0.1", protocol="tcp", process="connmand", pid=468>}
{:port=>53, :socket=>#<struct port=53, address="::1", protocol="tcp6", process="connmand", pid=468>}
{:port=>2947, :socket=>#<struct port=2947, address="127.0.0.1", protocol="tcp", process="systemd", pid=1>}
{:port=>2947, :socket=>#<struct port=2947, address="::1", protocol="tcp6", process="systemd", pid=1>}
{:port=>3333, :socket=>#<struct port=3333, address="0.0.0.0", protocol="tcp", process="StateReporterAg", pid=824>}
{:port=>4000, :socket=>#<struct port=4000, address="0.0.0.0", protocol="tcp", process="Monitoring", pid=805>}
{:port=>8080, :socket=>#<struct port=8080, address="0.0.0.0", protocol="tcp", process="python3", pid=1018>}
{:port=>8081, :socket=>#<struct port=8081, address="0.0.0.0", protocol="tcp", process="python3", pid=1219>}
{:port=>8082, :socket=>#<struct port=8082, address="0.0.0.0", protocol="tcp", process="python3", pid=1233>}
{:port=>8090, :socket=>#<struct port=8090, address="0.0.0.0", protocol="tcp", process="iomci_main", pid=629>} is expected not to eq nil
✔ sslports=
is expected not to eq nil
↺ ssl2: Disable SSL 2 from all exposed SSL ports.
↺ Skipped control due to only_if condition.
↺ ssl3: Disable SSL 3 from all exposed SSL ports.
↺ Skipped control due to only_if condition.
↺ tls1.0: Disable TLS 1.0 on exposed ports.
↺ Skipped control due to only_if condition.
↺ tls1.1: Disable TLS 1.1 on exposed ports.
↺ Skipped control due to only_if condition.
↺ tls1.2: Enable TLS 1.2 on exposed ports.
↺ Skipped control due to only_if condition.
↺ kx-ecdh: Enable ECDH as KX from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ kx-rsa: Disable RSA as KX from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ kx-dh: Disable DH as KX from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ kx-krb5: Disable KRB5 as KX from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ kx-psk: Disable PSK as KX from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ kx-gostr: Disable GOSTR as KX from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ kx-srp: Disable SRP as KX from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ au-ecdsa-rsa: Enable ECDSA or RSA as AU from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ au-anon: Disable ANON as AU from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ au-dss: Disable DSS as AU from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ au-psk: Disable PSK as AU from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ au-export: Disable EXPORT as AU from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ enc-aes-gcm-chacha20: Enable AES256 or AES128 or AES256-GCM or AES128-GCM or CHACHA20 as Enc
↺ Skipped control due to only_if condition.
↺ enc-cbc: Disable CBC as ENC from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ enc-rc4: Disable RC4 as ENC from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ enc-export: Disable EXPORT as ENC from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ enc-des: Disable DES, 3DES as ENC from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ enc-enull: Disable eNULL as ENC from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ enc-camellia: Disable CAMELLIA as ENC from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ enc-seed: Disable SEED as ENC from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ enc-idea: Disable IDEA as ENC from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ enc-aes-ccm: Disable AES-CCM from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ mac-sha384-sha256-poly1305: Enable SHA384 or SHA256 or POLY1305 as Mac from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ mac-md5: Disable MD5 Mac from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ mac-sha: Disable SHA(1) Mac from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ mac-null: Disable NULL Mac from all exposed SSL/TLS ports and versions.
↺ Skipped control due to only_if condition.
↺ robotattack: Return Of Bleichenbacher's Oracle Threat
↺ Skipped control due to only_if condition.

Profile Summary: 1 successful control, 0 control failures, 32 controls skipped
Test Summary: 2 successful, 0 failures, 32 skipped
```

Inspec Version
4.37.20

Baseline Version
https://github.com/dev-sec/ssl-baseline


xorima commented Jun 1, 2021

Hey,

Not a consumer of this at all, but as per community convo:

It looks like it will be skipped if ssl_ports is not filled out: https://github.com/dev-sec/ssl-baseline/blob/master/controls/ssl_test.rb#L110

https://github.com/dev-sec/ssl-baseline/blob/master/controls/ssl_test.rb#L65-L72 seems to be how it is set

@nbublikov (author)

I wonder how to do this; if SSL/TLS was not even found on the ports, the test crashed and reported that SSL/TLS was not found at all, and did not skip the test, as it does now.

@micheelengronne (member)

Do you use TLS 1.3? If yes, this baseline is sadly not compatible with it yet.

For ref:

nbublikov commented Jun 1, 2021

Now no TLS is used (but our apps should use it, and TLS 1.2, and the test should fail when SSL 1, 2, 3 or TLS 1.0, 1.1 are enabled). I want to be able to check TLS 1.3 as well.

Thanks for the ref; do we need to wait until they are merged?

But I noticed that ssl-baseline just skips the tests but doesn't fail if SSL or TLS is missing?
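The two behaviours discussed in this thread, controls being skipped because the ssl_ports list stays empty (the only_if condition xorima points at) and the fail-instead-of-skip verdict nbublikov asks for, can be shown in a stand-alone Ruby script. This is an added example, not ssl-baseline's own code and not InSpec DSL: it does the protocol-version probing itself with Ruby's OpenSSL bindings and starts a local TLS 1.2+ listener on 127.0.0.1 so that it runs offline. The host, the port list, the throwaway self-signed certificate and every function name here are constructed for the example.

```ruby
require 'openssl'
require 'socket'

# Constructed example: the protocol versions the baseline's tls1.0/tls1.1/tls1.2
# controls reason about, mapped to Ruby OpenSSL's version constants.
TLS_VERSIONS = {
  'tls1.0' => OpenSSL::SSL::TLS1_VERSION,
  'tls1.1' => OpenSSL::SSL::TLS1_1_VERSION,
  'tls1.2' => OpenSSL::SSL::TLS1_2_VERSION
}
TLS_VERSIONS['tls1.3'] = OpenSSL::SSL::TLS1_3_VERSION if defined?(OpenSSL::SSL::TLS1_3_VERSION)

# One handshake pinned to a single protocol version. Any refusal (alert, EOF,
# connection refused, or the local library declining to offer the version)
# counts as "not negotiable", which is what a baseline check cares about.
def tls_version_supported?(host, port, version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = version
  ctx.max_version = version
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # probing protocol support, not trust
  sock = Socket.tcp(host, port, connect_timeout: 3)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.sync_close = true
  ssl.connect
  true
rescue OpenSSL::SSL::SSLError, EOFError, SystemCallError
  false
ensure
  ssl ? ssl.close : sock&.close
end

# Which versions a listener accepts, e.g. {"tls1.0"=>false, "tls1.2"=>true, ...}.
def probe_port(host, port)
  TLS_VERSIONS.transform_values { |v| tls_version_supported?(host, port, v) }
end

# The verdict the thread asks for: a port the operator declares as a TLS port
# (the role ssl_ports plays in the baseline) fails when it offers no TLS at all,
# instead of producing the only_if skip seen in the report above.
def expected_tls_report(host, ports)
  ports.each_with_object({}) do |port, report|
    versions = probe_port(host, port)
    report[port] =
      if versions.values.none?
        { status: :fail, reason: 'no TLS offered on a port declared as a TLS port' }
      elsif versions['tls1.0'] || versions['tls1.1']
        { status: :fail, reason: 'TLS 1.0 or TLS 1.1 still enabled' }
      elsif !versions['tls1.2']
        { status: :fail, reason: 'TLS 1.2 not enabled' }
      else
        { status: :pass, versions: versions }
      end
  end
end

# Throwaway self-signed certificate for the local listener (constructed for the
# example only).
def self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Local TLS listener on 127.0.0.1 accepting min_version and newer; each accepted
# connection is closed right after the handshake. Returns [port, thread].
def start_test_server(min_version: OpenSSL::SSL::TLS1_2_VERSION)
  key, cert = self_signed_cert
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.min_version = min_version
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        server.accept.close # accept performs the handshake
      rescue StandardError
        nil # a rejected handshake is the expected outcome for disallowed versions
      end
    end
  end
  [tcp.addr[1], thread]
end

if $PROGRAM_NAME == __FILE__
  port, thread = start_test_server
  begin
    expected_tls_report('127.0.0.1', [port]).each do |p, verdict|
      puts "port #{p}: #{verdict[:status]} #{verdict[:reason] || verdict[:versions]}"
    end
  ensure
    thread.kill
  end
end
```

Against the local listener the report is pass for its port, and fail with "no TLS offered" for a port nothing listens on, which is the difference from the skip in the original output. One caveat when reading the tls1.0 and tls1.1 columns: on OpenSSL 3 builds the client library itself refuses to offer those versions at the default security level, so a false there means "not negotiable from this host", not proof that the server has disabled them.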

3 participants