Security Baseline Assessment

Security Baseline Assessment

Establish a security baseline before implementing hardening measures: it gives a clear picture of the current exposure and a reference point against which improvement can be measured. A thorough assessment identifies configuration weaknesses, outdated software, and potential attack vectors that require attention.

Perform a comprehensive SSH security audit:

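#!/bin/bash
# ssh-security-audit.sh
# Comprehensive SSH security assessment tool
#
# Read-only: the script only queries ssh/sshd and stat; it changes nothing.
# The configuration sections rely on `sshd -T`, which must read the host
# private keys, so run the audit as root for meaningful results.

echo "SSH Security Audit Report"
echo "========================="
echo "Generated: $(date)"
echo ""

#######################################
# Decide whether an OpenSSH version banner belongs to a release before 8.x.
# Arguments: $1 - version string as printed by `ssh -V`
# Returns:   0 when the major version is 1 through 7, 1 otherwise
#######################################
is_outdated_openssh() {
    [[ $1 =~ OpenSSH_[1-7]\. ]]
}

# Check SSH version
echo "1. SSH Version Check"
echo "-------------------"
# NOTE: `ssh -V` reports the *client* binary. The daemon normally ships in
# the same package, but confirm via the package manager if they may differ.
SSH_VERSION=$(ssh -V 2>&1)
echo "Current version: $SSH_VERSION"

# sshd -T (used by the later sections) fails silently without root, which
# would make every configuration check report an empty value.
if [[ $EUID -ne 0 ]]; then
    echo "WARNING: not running as root; 'sshd -T' will fail and the configuration sections will be incomplete" >&2
fi

# Check for outdated versions (anything before the OpenSSH 8.x line)
if is_outdated_openssh "$SSH_VERSION"; then
    echo "WARNING: SSH version is outdated. Consider upgrading to OpenSSH 8.x or later"
fi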

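# Analyze current configuration
printf '\n2. Configuration Analysis\n'
echo "------------------------"

# Effective configuration as sshd resolves it (built-in defaults merged with
# sshd_config and any Match blocks). Dumped once instead of once per setting.
# It is empty when sshd is not installed or we are not root, because sshd -T
# must read the host private keys.
SSHD_EFFECTIVE_CONFIG=$(sshd -T 2>/dev/null) || SSHD_EFFECTIVE_CONFIG=""
if [[ -z "$SSHD_EFFECTIVE_CONFIG" ]]; then
    echo "✗ 'sshd -T' produced no output (not root, or sshd not installed); the settings below cannot be verified"
fi

#######################################
# Look up one keyword in an `sshd -T` dump.
# Arguments: $1 - keyword, matched case-insensitively against the whole
#                 first field (no prefix matching)
#            $2 - text of the sshd -T dump
# Outputs:   the keyword's first value on stdout; nothing if absent
#######################################
effective_setting() {
    local key=${1,,}
    awk -v k="$key" 'tolower($1) == k { print $2; exit }' <<<"$2"
}

# Critical security settings as "Keyword:expected value".
# Protocol and UsePrivilegeSeparation were dropped from OpenSSH during the
# 7.x line and are not reported by `sshd -T` on current releases; they are
# kept for auditing older daemons and show as "not reported" elsewhere.
CRITICAL_SETTINGS=(
    "PermitRootLogin:no"
    "PasswordAuthentication:no"
    "PermitEmptyPasswords:no"
    "Protocol:2"
    "X11Forwarding:no"
    "StrictModes:yes"
    "IgnoreRhosts:yes"
    "HostbasedAuthentication:no"
    "UsePrivilegeSeparation:yes"
)

for setting in "${CRITICAL_SETTINGS[@]}"; do
    KEY="${setting%%:*}"
    EXPECTED="${setting##*:}"
    ACTUAL=$(effective_setting "$KEY" "$SSHD_EFFECTIVE_CONFIG")

    if [[ -z "$ACTUAL" ]]; then
        # Distinguish "not reported" from "set to the wrong value"
        echo "- $KEY is not reported by this sshd (option removed in this version, or sshd -T failed)"
    elif [[ "$ACTUAL" == "$EXPECTED" ]]; then
        echo "✓ $KEY is correctly set to $EXPECTED"
    else
        echo "✗ $KEY is set to '$ACTUAL', should be '$EXPECTED'"
    fi
done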

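# Check for weak algorithms
printf '\n3. Cryptographic Algorithm Analysis\n'
echo "-----------------------------------"

# Extract the negotiable algorithm lists from a single `sshd -T` dump.
# The dump needs root; empty lists below mean the dump failed, not that
# the configuration is clean.
SSHD_ALGO_DUMP=$(sshd -T 2>/dev/null) || SSHD_ALGO_DUMP=""
CIPHERS=$(grep "^ciphers " <<<"$SSHD_ALGO_DUMP" | cut -d' ' -f2-)
MACS=$(grep "^macs " <<<"$SSHD_ALGO_DUMP" | cut -d' ' -f2-)
KEX=$(grep "^kexalgorithms " <<<"$SSHD_ALGO_DUMP" | cut -d' ' -f2-)

#######################################
# Report whether a comma-separated algorithm list contains weak entries.
# Arguments: $1 - label for the message (e.g. "ciphers")
#            $2 - comma-separated algorithm list as printed by sshd -T
#            $3 - extended regex of weak algorithm names
# Outputs:   exactly one result line on stdout
#######################################
report_weak_algorithms() {
    local label=$1 configured=$2 weak_pattern=$3
    local matches

    if [[ -z "$configured" ]]; then
        echo "- $label list unavailable (sshd -T produced no output)"
        return
    fi

    # grep -o prints one match per line; join them for a single report line
    matches=$(grep -oE -- "$weak_pattern" <<<"$configured" | tr '\n' ' ')
    if [[ -n "$matches" ]]; then
        echo "✗ Weak $label detected: ${matches% }"
    else
        echo "✓ No weak $label detected"
    fi
}

# Check for weak ciphers
WEAK_CIPHERS="3des-cbc|arcfour|blowfish-cbc|cast128-cbc"
report_weak_algorithms "ciphers" "$CIPHERS" "$WEAK_CIPHERS"

# Check for weak MACs. Plain hmac-sha1 is deliberately not flagged here;
# tighten the pattern if local policy forbids it.
WEAK_MACS="md5|sha1-96|umac-64"
report_weak_algorithms "MACs" "$MACS" "$WEAK_MACS"

# Check for weak key exchange: the SHA-1 based Diffie-Hellman groups
# (group1 is also only 1024-bit)
WEAK_KEX="diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
report_weak_algorithms "KEX algorithms" "$KEX" "$WEAK_KEX"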

# File permission checks (sshd_config and private host keys)
printf '\n4. File Permission Analysis\n'
echo "---------------------------"

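#######################################
# Check a file's mode and owner against expected values.
# Arguments: $1 - path to check
#            $2 - expected octal mode as printed by stat (e.g. 600)
#            $3 - expected owner as user:group (e.g. root:root)
# Outputs:   one ✓/✗ line for the mode and one for the owner, or a single
#            "not found" line, on stdout
# Returns:   0 when the file exists and both values match, 1 otherwise
#######################################
check_file_perms() {
    local file=$1
    local expected_perms=$2
    local expected_owner=$3
    local actual_perms actual_owner
    local rc=0

    if [[ ! -f "$file" ]]; then
        echo "✗ $file not found"
        return 1
    fi

    # GNU stat (-c) first; BSD/macOS stat (-f) as the fallback
    actual_perms=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file" 2>/dev/null)
    actual_owner=$(stat -c %U:%G "$file" 2>/dev/null || stat -f %Su:%Sg "$file" 2>/dev/null)

    if [[ "$actual_perms" == "$expected_perms" ]]; then
        echo "✓ $file permissions: $actual_perms (correct)"
    else
        echo "✗ $file permissions: $actual_perms (should be $expected_perms)"
        rc=1
    fi

    if [[ "$actual_owner" == "$expected_owner" ]]; then
        echo "✓ $file owner: $actual_owner (correct)"
    else
        echo "✗ $file owner: $actual_owner (should be $expected_owner)"
        rc=1
    fi

    return "$rc"
}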

# Expected: sshd_config and every private host key readable by root only.
# Distributions commonly ship sshd_config as 644; it holds no secrets, so a
# 644 result is a policy deviation rather than a key exposure. Host keys that
# were never generated (e.g. ecdsa disabled) are reported as "not found".
for ssh_private_file in \
    /etc/ssh/sshd_config \
    /etc/ssh/ssh_host_rsa_key \
    /etc/ssh/ssh_host_ecdsa_key \
    /etc/ssh/ssh_host_ed25519_key; do
    check_file_perms "$ssh_private_file" "600" "root:root"
done

# Generate security score
printf '\n5. Security Score\n'
echo "-----------------"
# Calculate score based on findings
# TODO: not implemented — no findings are tallied, so the script currently
# reports nothing here and exits 0 regardless of what the sections above found.
# ... scoring logic ...