Conversation
- printconfig script - test_printconfig for tox testing - update globals for GUIDES_UPDATED date value - update ssh_audit for print_config argument and checks
jtesta
left a comment
jtesta
left a comment
There was a problem hiding this comment.
Thanks for submitting this PR! Here's some feedback on this draft.
src/ssh_audit/printconfig.py
Outdated
|
|
||
| from ssh_audit import exitcodes | ||
| from ssh_audit.globals import VERSION | ||
| from ssh_audit.globals import GUIDES_UPDATED |
There was a problem hiding this comment.
I think each platform should track an independent last-updated field. Just like the guides on the website, sometimes one platform needs an update, but the others don't.
Also, it would be a good idea to track a change log per platform (also like the online guides).
Perhaps the guides can be stored as a dictionary with "last_update", "change_log", and "instructions" fields. That would organize it in a cleaner way in the code, I think.
There was a problem hiding this comment.
As an example of what I mean by using a dictionary, see here:
src/ssh_audit/printconfig.py
Outdated
| from ssh_audit.globals import GUIDES_UPDATED | ||
|
|
||
|
|
||
| class PrintConfig: |
There was a problem hiding this comment.
Perhaps this class could be called HardeningGuides.
src/ssh_audit/printconfig.py
Outdated
| sys.exit(retval) | ||
| else: | ||
| print(" ") | ||
| print(f"\033[1mSSH-Audit Version : {VERSION}\033[0m") |
There was a problem hiding this comment.
If the class constructor accepts an OutputBuffer, then we can print using its good() method to handle colors for us.
Also, in the code, ssh-audit always refers to itself as "ssh-audit" (in lowercase).
src/ssh_audit/ssh_audit.py
Outdated
|
|
||
| # The mandatory target option. Or rather, mandatory when -L, -T, or --lookup are not used. | ||
| # Print Suggested Configurations from : https://www.ssh-audit.com/hardening_guides.html | ||
| parser.add_argument("--print-config", nargs="*", action="append", metavar="OS Ver Client/Server", dest="print_configuration", type=str, default=None, help="print suggested server or client configurations. Usage Example : Ubuntu 2404 Server") |
There was a problem hiding this comment.
Perhaps this option could be called --get-hardening-guide?
Also, the user would want to see what hardening guides are available, so perhaps the supported arguments to --get-hardening-guide can be listed with --list-hardening-guides.
There was a problem hiding this comment.
if the argument is called with out any further data ( server / version / edition ) or incorrectly formatted data it will print out the supported configurations.
With that said I have updated the configuration to print an example.
Would this be acceptable ?
python3 ssh-audit.py --get-hardening-guides
ssh-audit Version : v3.4.0-dev
Guides Last modified : 2024-10-01
Error unknown varient : OS Version Edition
For current, community developed and legacy guides
check the website : https://www.ssh-audit.com/hardening_guides.html
Supported Server Configurations :
Amazon 2023 Server
Debian Bookworm Server
Debian Bullseye Server
Rocky 9 Server
Ubuntu 2404 Server
Ubuntu 2204 Server
Ubuntu 2004 Server
Supported Client Configurations :
Amazon 2023 Client
Debian Bookworm Client
Mint 22 Client
Mint 21 Client
Mint 20 Client
Rocky 9 Client
Ubuntu 2404 Client
Ubuntu 2204 Client
Ubuntu 2004 Client
Example Usage :
python3 ssh-audit.py --get-hardening-guides Ubuntu 2404 Server
There was a problem hiding this comment.
if the argument is called with out any further data ( server / version / edition ) or incorrectly formatted data it will print out the supported configurations.
Thinking from a user's perspective, usability would be better if we presented an obvious --list-hardening-guides option.
Would this be acceptable ?
Sure, that would work. My only feedback would be that having one last-modified field for all guides wouldn't be helpful to users; each platform should have its own history (date, integer version number, change log message, and hardening instructions).
Perhaps the current -L and -L -v behavior could serve as a model here. Notice how ssh-audit -L only shows the latest version of policies, but ssh-audit -L -v lists previous versions of the policies as well, including their change log messages. It would be nice if --list-hardening-guides did the same thing.
test/test_printconfig.py
Outdated
|
|
||
|
|
||
| # pylint: disable=attribute-defined-outside-init | ||
| class TestAuditConf: |
There was a problem hiding this comment.
I suppose this class name should be updated to TestHardeningGuides.
|
Hi Joe, As always, thanks for the review and feedback. Again I will try and update and attempt to squash everything, and again if it turns into a mess - I'll close this one of and create a clean PR when the code is a bit closer to a second review. Cheers. |
One way to do it is to make a working branch for your next revision, add as many commits as you'd like to that, then simply make one squash merge commit back into For example: Once you push the one squashed commit in |
|
Hi Joe, As you will have seen I have made a few changes and pushed everything up again. As you will have also seen - I still didn't get the squash merge correct. I can only apologies for that. With that said; happy for another round of feed back when you have time to review after the festive season. If this needs further work I will create a clean branch and try again. |
|
Merged. Thanks for putting the work into this! |
2 participants
@jtesta @daniejstriata
Quotes should no longer be needed.
usage : ssh-audit.py --print-config Ubuntu 2204 Server