Updated built-in server and client policies for Amazon Linux 2023.

jtesta · Oct 1, 2024 · 1e060a9 · 1e060a9
1 parent 8563c29
commit 1e060a9
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -233,7 +233,7 @@ For convenience, a web front-end on top of the command-line tool is available at
  - Fixed invalid JSON output when a socket error occurs while performing a client audit.
  - Fixed `--conn-rate-test` feature on Windows.
  - When scanning multiple targets (using `-T`/`--targets`), the `-p`/`--port` option will now be used as the default port (set to 22 if `-p`/`--port` is not given).  Hosts specified in the file can override this default with an explicit port number (i.e.: "host1:1234").  For example, when using `-T targets.txt -p 222`, all hosts in `targets.txt` that do not explicitly include a port number will default to 222; when using `-T targets.txt` (without `-p`), all hosts will use a default of 22.
- - Updated built-in server & client policies for Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key efficiency and cipher resistance to quantum attacks.
+ - Updated built-in server & client policies for Amazon Linux 2023, Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key efficiency and cipher resistance to quantum attacks.
  - Added 1 new cipher: `grasshopper-ctr128`.
  - Added 2 new key exchanges: `mlkem768x25519-sha256`, `sntrup761x25519-sha512`.
 

diff --git a/src/ssh_audit/builtin_policies.py b/src/ssh_audit/builtin_policies.py
@@ -30,6 +30,8 @@
     # Amazon Linux 2023
     'Hardened Amazon Linux 2023 (version 1)': {'version': '1', 'changelog': 'Initial version', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]'], 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "[email protected]": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
 
+    'Hardened Amazon Linux 2023 (version 2)': {'version': '2', 'changelog': 'Re-ordered host keys to prioritize ED25519 due to efficiency.  Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]'], 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', '[email protected]', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "[email protected]": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
 
     # Debian Server 12
     'Hardened Debian 12 (version 1)': {'version': '1', 'changelog': 'Initial version', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]'], 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "[email protected]": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
@@ -109,6 +111,8 @@
 
     'Hardened Amazon Linux Client 2023 (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
 
+    'Hardened Amazon Linux Client 2023 (version 2)': {'version': '2', 'changelog': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', '[email protected]', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
 
     # Debian Client Policies