✨ support sshd.config.permitRootLogin

which also supports multiple values to be set to the field, adressing the first half of: mondoohq/cnspec-policies#340 Signed-off-by: Dominik Richter <[email protected]>
mondoohq · Feb 2, 2024 · c5db196 · c5db196
1 parent 7699b5b
commit c5db196
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 5 deletions.
diff --git a/providers-sdk/v1/testutils/testdata/arch.json b/providers-sdk/v1/testutils/testdata/arch.json
diff --git a/providers/os/resources/os.lr b/providers/os/resources/os.lr
@@ -680,6 +680,8 @@ sshd.config {
   kexs(params) []string
   // Host keys configured for this SSH server
   hostkeys(params) []string
+  // PermitRootLogin setting in SSH server
+  permitRootLogin(params) []string
 }
 
 // Service on this system

diff --git a/providers/os/resources/os.lr.go b/providers/os/resources/os.lr.go
diff --git a/providers/os/resources/os.lr.manifest.yaml b/providers/os/resources/os.lr.manifest.yaml
@@ -847,6 +847,8 @@ resources:
       kexs: {}
       macs: {}
       params: {}
+      permitRootLogin:
+        min_mondoo_version: latest
     min_mondoo_version: 5.15.0
     snippets:
     - query: sshd.config.params['Banner'] == '/etc/ssh/sshd-banner'

diff --git a/providers/os/resources/sshd.go b/providers/os/resources/sshd.go
@@ -133,13 +133,13 @@ func (s *mqlSshdConfig) params(content string) (map[string]interface{}, error) {
 }
 
 func (s *mqlSshdConfig) parseConfigEntrySlice(raw interface{}) ([]interface{}, error) {
-	strCipher, ok := raw.(string)
+	str, ok := raw.(string)
 	if !ok {
 		return nil, errors.New("value is not a valid string")
 	}
 
 	res := []interface{}{}
-	entries := strings.Split(strCipher, ",")
+	entries := strings.Split(str, ",")
 	for i := range entries {
 		val := strings.TrimSpace(entries[i])
 		res = append(res, val)
@@ -183,3 +183,12 @@ func (s *mqlSshdConfig) hostkeys(params map[string]interface{}) ([]interface{},
 
 	return s.parseConfigEntrySlice(rawHostKeys)
 }
+
+func (s *mqlSshdConfig) permitRootLogin(params map[string]interface{}) ([]interface{}, error) {
+	rawHostKeys, ok := params["PermitRootLogin"]
+	if !ok {
+		return nil, nil
+	}
+
+	return s.parseConfigEntrySlice(rawHostKeys)
+}
diff --git a/providers/os/resources/sshd_test.go b/providers/os/resources/sshd_test.go
@@ -70,4 +70,11 @@ func TestResource_SSHD(t *testing.T) {
 		assert.Empty(t, res[0].Result().Error)
 		assert.Equal(t, []interface{}{"/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ed25519_key"}, res[0].Data.Value)
 	})
+
+	t.Run("parse permitRootLogin", func(t *testing.T) {
+		res := x.TestQuery(t, "sshd.config.permitRootLogin")
+		assert.NotEmpty(t, res)
+		assert.Empty(t, res[0].Result().Error)
+		assert.Equal(t, []interface{}{"no", "no"}, res[0].Data.Value)
+	})
 }