Compliance Verification
Compliance Verification
Verifying compliance with organizational policies and regulatory requirements ensures SSH configurations meet necessary standards. This phase maps technical findings to compliance requirements and identifies gaps.
Implement compliance checking:
#!/bin/bash
# ssh-compliance-checker.sh
# Verify SSH compliance with various standards
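# One report directory per day, relative to the working directory.
COMPLIANCE_DIR="./ssh-compliance-$(date +%Y%m%d)"
# The reports enumerate configuration weaknesses of this host, so keep the
# directory owner-only rather than inheriting the caller's umask.
if ! mkdir -p "$COMPLIANCE_DIR" || ! chmod 700 "$COMPLIANCE_DIR"; then
  printf 'Cannot create report directory %s\n' "$COMPLIANCE_DIR" >&2
  exit 1
fi
# Define compliance frameworks.
# Only CIS_BENCHMARKS drives automated checks below: the PCI-DSS checks are
# hard-coded in check_pci_compliance and no NIST checks are implemented, so
# PCI_DSS_REQUIREMENTS and NIST_REQUIREMENTS are reference catalogues only.
declare -rA PCI_DSS_REQUIREMENTS=(
  ["2.2.3"]="Encrypt all non-console administrative access using strong cryptography"
  ["2.3"]="Encrypt all administrative access"
  ["8.2.3"]="Strong cryptography for authentication"
  ["8.5.1"]="Additional controls for service accounts"
)
declare -rA NIST_REQUIREMENTS=(
  ["AC-17"]="Remote Access Controls"
  ["IA-2"]="Authentication Requirements"
  ["SC-8"]="Transmission Confidentiality"
  ["AU-2"]="Audit Events"
)
declare -rA CIS_BENCHMARKS=(
  ["5.2.1"]="Ensure permissions on /etc/ssh/sshd_config are configured"
  ["5.2.2"]="Ensure SSH Protocol is set to 2"
  ["5.2.3"]="Ensure SSH LogLevel is appropriate"
  ["5.2.4"]="Ensure SSH X11 forwarding is disabled"
  ["5.2.5"]="Ensure SSH MaxAuthTries is set to 4 or less"
)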
# PCI-DSS Compliance Check
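#######################################
# PCI-DSS SSH compliance check.
# Globals:   COMPLIANCE_DIR (read)
# Arguments: $1 - optional path to a saved `sshd -T` dump (for offline review
#                 of a collected configuration); when omitted the effective
#                 configuration is read from the local sshd, which needs root
# Outputs:   writes $COMPLIANCE_DIR/pci_dss_compliance.txt
# Returns:   0 on success, 1 if the sshd configuration could not be read
#######################################
check_pci_compliance() {
  local dump_file=${1:-}
  local report="$COMPLIANCE_DIR/pci_dss_compliance.txt"
  local weak_re='3des|arcfour|cbc'
  local config protocol ciphers password_auth log_level
  printf '%s\n' "=== PCI-DSS SSH Compliance Check ===" > "$report"
  # Read the configuration once instead of re-running sshd -T per check, and
  # stop early when it cannot be read so missing values are not reported as
  # findings (or, worse, as passes).
  if [ -n "$dump_file" ]; then
    config=$(cat -- "$dump_file") || {
      printf '%s\n' "✗ Unable to read sshd configuration dump: $dump_file" >> "$report"
      return 1
    }
  else
    # sshd -T prints the effective global configuration and must run as root
    # to read the host keys. Match-block overrides are not reflected unless
    # -C is supplied with connection parameters; review those separately.
    config=$(sshd -T) || {
      printf '%s\n' "✗ Unable to read effective sshd configuration (sshd -T failed; run as root)" >> "$report"
      return 1
    }
  fi
  # Check encryption requirements
  printf '\n[%s]\n' "Requirement 2.2.3 - Strong Cryptography" >> "$report"
  # Check protocol version
  protocol=$(awk '$1 == "protocol" {print $2; exit}' <<<"$config")
  if [ "$protocol" = "2" ]; then
    printf '%s\n' "✓ SSH Protocol 2 enforced" >> "$report"
  elif [ -z "$protocol" ]; then
    # Newer OpenSSH releases removed SSH-1 and may omit the protocol line
    # entirely; absence is therefore not a failure but needs confirmation.
    printf '%s\n' "? Protocol not reported by sshd -T (SSH-1 support likely removed; confirm sshd version)" >> "$report"
  else
    printf '%s\n' "✗ SSH Protocol not set to 2 only" >> "$report"
  fi
  # Check cipher strength
  ciphers=$(awk '$1 == "ciphers" {print $2; exit}' <<<"$config")
  if [ -z "$ciphers" ]; then
    printf '%s\n' "✗ Cipher list not reported; cannot verify cipher strength" >> "$report"
  elif [[ "$ciphers" =~ $weak_re ]]; then
    printf '%s\n' "✗ Weak ciphers enabled ($ciphers)" >> "$report"
  else
    printf '%s\n' "✓ No weak ciphers detected" >> "$report"
  fi
  # Check authentication
  printf '\n[%s]\n' "Requirement 8.2.3 - Authentication" >> "$report"
  password_auth=$(awk '$1 == "passwordauthentication" {print $2; exit}' <<<"$config")
  if [ "$password_auth" = "no" ]; then
    printf '%s\n' "✓ Password authentication disabled" >> "$report"
  else
    printf '%s\n' "✗ Password authentication enabled (use key-based auth)" >> "$report"
  fi
  # Check logging
  printf '\n[%s]\n' "Requirement 10.2 - Audit Logging" >> "$report"
  log_level=$(awk '$1 == "loglevel" {print $2; exit}' <<<"$config")
  # VERBOSE is the usual production setting (it logs key fingerprints);
  # DEBUG levels also satisfy the check but are noisy and meant for diagnosis.
  if [[ "$log_level" =~ ^(VERBOSE|DEBUG) ]]; then
    printf '%s\n' "✓ Detailed logging enabled ($log_level)" >> "$report"
  else
    printf '%s\n' "✗ Insufficient logging level ($log_level)" >> "$report"
  fi
}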
# CIS Benchmark Check
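#######################################
# CIS Benchmark SSH checks (the items listed in CIS_BENCHMARKS).
# Globals:   COMPLIANCE_DIR (read), CIS_BENCHMARKS (read)
# Arguments: $1 - optional path to a saved `sshd -T` dump (for offline review
#                 of a collected configuration); when omitted the effective
#                 configuration is read from the local sshd, which needs root
#            $2 - optional path of the sshd_config file whose permissions are
#                 checked for item 5.2.1 (default: /etc/ssh/sshd_config)
# Outputs:   writes $COMPLIANCE_DIR/cis_compliance.txt
# Returns:   0 on success, 1 if the sshd configuration could not be read
#######################################
check_cis_compliance() {
  local dump_file=${1:-}
  local config_path=${2:-/etc/ssh/sshd_config}
  local report="$COMPLIANCE_DIR/cis_compliance.txt"
  local config keys benchmark stat_out perms owner_uid
  local protocol log_level x11 max_auth
  printf '%s\n' "=== CIS Benchmark Compliance Check ===" > "$report"
  # Read the configuration once instead of re-running sshd -T per item, and
  # stop early when it cannot be read so missing values are not reported as
  # findings.
  if [ -n "$dump_file" ]; then
    config=$(cat -- "$dump_file") || {
      printf '%s\n' "✗ Unable to read sshd configuration dump: $dump_file" >> "$report"
      return 1
    }
  else
    # sshd -T prints the effective global configuration and must run as root
    # to read the host keys. Match-block overrides are not reflected unless
    # -C is supplied with connection parameters; review those separately.
    config=$(sshd -T) || {
      printf '%s\n' "✗ Unable to read effective sshd configuration (sshd -T failed; run as root)" >> "$report"
      return 1
    }
  fi
  # Associative-array key order is unspecified; sort so reports are stable
  # and diffable between runs.
  keys=()
  if (( ${#CIS_BENCHMARKS[@]} > 0 )); then
    mapfile -t keys < <(printf '%s\n' "${!CIS_BENCHMARKS[@]}" | LC_ALL=C sort)
  fi
  for benchmark in "${keys[@]}"; do
    printf '\n[%s - %s]\n' "$benchmark" "${CIS_BENCHMARKS[$benchmark]}" >> "$report"
    case "$benchmark" in
      "5.2.1")
        # Mode must be 0600 or more restrictive (no group/other bits) and the
        # file must be owned by root. GNU stat syntax; BSD/macOS would need
        # `stat -f '%Lp %u'`.
        if ! stat_out=$(stat -c '%a %u' -- "$config_path" 2>/dev/null); then
          printf '%s\n' "✗ Cannot stat $config_path" >> "$report"
        else
          read -r perms owner_uid <<<"$stat_out"
          if (( (8#$perms & 8#077) == 0 )); then
            printf '%s\n' "✓ Correct permissions ($perms)" >> "$report"
          else
            printf '%s\n' "✗ Incorrect permissions ($perms, should be 600 or more restrictive)" >> "$report"
          fi
          if [ "$owner_uid" = "0" ]; then
            printf '%s\n' "✓ Owned by root" >> "$report"
          else
            printf '%s\n' "✗ Not owned by root (uid $owner_uid)" >> "$report"
          fi
        fi
        ;;
      "5.2.2")
        protocol=$(awk '$1 == "protocol" {print $2; exit}' <<<"$config")
        if [ "$protocol" = "2" ]; then
          printf '%s\n' "✓ Protocol 2 only" >> "$report"
        elif [ -z "$protocol" ]; then
          # Newer OpenSSH releases removed SSH-1 and may omit the protocol
          # line entirely; absence is not a failure but needs confirmation.
          printf '%s\n' "? Protocol not reported by sshd -T (SSH-1 support likely removed; confirm sshd version)" >> "$report"
        else
          printf '%s\n' "✗ Protocol not restricted to 2" >> "$report"
        fi
        ;;
      "5.2.3")
        log_level=$(awk '$1 == "loglevel" {print $2; exit}' <<<"$config")
        if [[ "$log_level" =~ ^(INFO|VERBOSE)$ ]]; then
          printf '%s\n' "✓ Appropriate log level ($log_level)" >> "$report"
        else
          printf '%s\n' "✗ Inappropriate log level ($log_level)" >> "$report"
        fi
        ;;
      "5.2.4")
        x11=$(awk '$1 == "x11forwarding" {print $2; exit}' <<<"$config")
        if [ "$x11" = "no" ]; then
          printf '%s\n' "✓ X11 forwarding disabled" >> "$report"
        else
          printf '%s\n' "✗ X11 forwarding enabled" >> "$report"
        fi
        ;;
      "5.2.5")
        max_auth=$(awk '$1 == "maxauthtries" {print $2; exit}' <<<"$config")
        # Guard the numeric comparison: an empty or non-numeric value would
        # otherwise raise a shell error instead of a finding.
        if [[ "$max_auth" =~ ^[0-9]+$ ]] && (( 10#$max_auth <= 4 )); then
          printf '%s\n' "✓ MaxAuthTries set to $max_auth" >> "$report"
        elif [[ "$max_auth" =~ ^[0-9]+$ ]]; then
          printf '%s\n' "✗ MaxAuthTries too high ($max_auth)" >> "$report"
        else
          printf '%s\n' "✗ MaxAuthTries not reported" >> "$report"
        fi
        ;;
    esac
  done
}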
# Generate compliance summary
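#######################################
# Write a human-readable summary of the per-framework reports.
# Globals:   COMPLIANCE_DIR (read)
# Outputs:   writes $COMPLIANCE_DIR/compliance_summary.txt
# Returns:   0
#######################################
generate_compliance_summary() {
  local summary="$COMPLIANCE_DIR/compliance_summary.txt"
  local passed failed findings
  # Only the per-framework reports (*_compliance.txt) are counted, so a
  # summary left over from an earlier run never inflates the totals.
  # `grep -c` over several files prints one "file:count" line per file, so
  # concatenate first to obtain a single total.
  passed=$(cat "$COMPLIANCE_DIR"/*_compliance.txt 2>/dev/null | grep -c '✓' || true)
  failed=$(cat "$COMPLIANCE_DIR"/*_compliance.txt 2>/dev/null | grep -c '✗' || true)
  # -H keeps the report name in front of each finding even with one report.
  findings=$(grep -H '✗' "$COMPLIANCE_DIR"/*_compliance.txt 2>/dev/null | head -10)
  cat > "$summary" << EOF
SSH Compliance Summary Report
============================
Generated: $(date)
Hostname: $(hostname)
Compliance Frameworks Checked:
- PCI-DSS v3.2.1
- CIS Benchmarks
- NIST 800-53 (control catalogue only; no automated checks in this script)
Overall Compliance Status:
$passed Passed
$failed Failed
Critical Findings:
$findings
Recommendations:
1. Address all failed compliance checks
2. Implement additional monitoring
3. Schedule regular compliance reviews
4. Document any approved exceptions
Next Steps:
- Review detailed reports in $COMPLIANCE_DIR/
- Create remediation plan
- Schedule re-audit after fixes
EOF
}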
# Run compliance checks
# Entry point: run every framework check, then build the summary.
main() {
  printf '%s\n' "Running SSH compliance checks..."
  check_pci_compliance
  check_cis_compliance
  generate_compliance_summary
  printf 'Compliance check complete. Results in %s/\n' "$COMPLIANCE_DIR"
}
main "$@"
A comprehensive SSH security audit provides invaluable insights into your security posture, identifying vulnerabilities before they can be exploited. By following this systematic checklist and using automated tools, organizations can maintain strong SSH security while ensuring compliance with relevant standards. Regular audits, combined with prompt remediation of findings, create a cycle of continuous security improvement that adapts to evolving threats and changing requirements.

## SSH Bastion Hosts and Jump Servers
SSH bastion hosts, also known as jump servers or jump boxes, provide a secure gateway for accessing internal network resources. By centralizing SSH access through a hardened intermediary server, organizations can implement strong security controls, comprehensive monitoring, and simplified access management. This chapter explores the design, implementation, and management of SSH bastion hosts that enhance security while maintaining operational efficiency.