2016-09-22 12:43:57 +00:00
|
|
|
---
|
|
|
|
|
title: About the ssh_config Resource
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# ssh_config
|
|
|
|
|
|
|
|
|
|
Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms.
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
## Syntax
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
An `ssh_config` resource block declares the client OpenSSH configuration data to be tested:
|
|
|
|
|
|
|
|
|
|
describe ssh_config('path') do
|
|
|
|
|
its('name') { should include('foo') }
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
where
|
|
|
|
|
|
|
|
|
|
* `name` is a configuration setting in `ssh_config`
|
|
|
|
|
* `('path')` is the non-default `/path/to/ssh_config`
|
|
|
|
|
* `{ should include('foo') }` tests the value of `name` as read from `ssh_config` versus the value declared in the test
|
|
|
|
|
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
## Matchers
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
This InSpec audit resource has the following matchers:
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### be
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
<%= partial "/shared/matcher_be" %>
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### cmp
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
<%= partial "/shared/matcher_cmp" %>
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### eq
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
<%= partial "/shared/matcher_eq" %>
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### include
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
<%= partial "/shared/matcher_include" %>
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### match
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
<%= partial "/shared/matcher_match" %>
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### name
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
The `name` matcher tests the value of `name` as read from `ssh_config` versus the value declared in the test:
|
|
|
|
|
|
|
|
|
|
its('name') { should eq 'foo' }
|
|
|
|
|
|
|
|
|
|
or:
|
|
|
|
|
|
|
|
|
|
its('name') { should include('bar') }
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
## Examples
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
The following examples show how to use this InSpec audit resource.
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### Test SSH configuration settings
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
describe ssh_config do
|
|
|
|
|
its('cipher') { should contain '3des' }
|
|
|
|
|
its('port') { should eq '22' }
|
|
|
|
|
its('hostname') { should include('example.com') }
|
|
|
|
|
end
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### Test which variables from the local environment are sent to the server
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
only_if do
|
|
|
|
|
command('sshd').exist? or command('ssh').exists?
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
describe ssh_config do
|
|
|
|
|
its('SendEnv') { should include('GORDON_CLIENT') }
|
|
|
|
|
end
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### Test owner and group permissions
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
describe ssh_config do
|
|
|
|
|
its('owner') { should eq 'root' }
|
|
|
|
|
its('mode') { should cmp '0644' }
|
|
|
|
|
end
|
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### Test SSH configuration
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
|
describe ssh_config do
|
|
|
|
|
its('Host') { should eq '*' }
|
|
|
|
|
its('Tunnel') { should eq nil }
|
|
|
|
|
its('SendEnv') { should eq 'LANG LC_*' }
|
|
|
|
|
its('HashKnownHosts') { should eq 'yes' }
|
|
|
|
|
end
|
