Merge pull request #180 from schurzi/crypto_policy

check for CRYPTO_POLICY should also work, when not root

Author: micheelengronne

controls/ssh_spec.rb

@@ -231,13 +231,12 @@
 control 'ssh-22' do
   impact 1.0
   title 'Client: CRYPTO_POLICY'
-  desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from ssh_config are effective'
-  only_if('OS has CRYPTO_POLICY') do
-    file('/etc/sysconfig/sshd').exist? && file('/etc/sysconfig/sshd').content.match?(/CRYPTO_POLICY/)
+  desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from ssh_config are effective (affects el8+ and fedora)'
+  only_if('ssh client supports -G option') do
+    bash('ssh -G localhost').exit_status.equal?(0)
   end
 
   describe bash('ssh -G localhost') do
-    its('exit_status') { should eq 0 }
     its('stdout') { should match('ciphers ' + ssh_crypto.valid_ciphers) }
     its('stdout') { should match('kexalgorithms ' + ssh_crypto.valid_kexs) }
     its('stdout') { should match('macs ' + ssh_crypto.valid_macs) }

controls/sshd_spec.rb

@@ -508,14 +508,14 @@
   impact 1.0
   title 'Server: CRYPTO_POLICY'
   desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from sshd_config are effective'
-  only_if('OS has CRYPTO_POLICY') do
-    file('/etc/sysconfig/sshd').exist? && file('/etc/sysconfig/sshd').content.match?(/CRYPTO_POLICY/)
+  only_if('sshd with options is running') do
+    processes('sshd -D').exists?
   end
 
-  describe bash("pgrep -af 'sshd -D'") do
-    its('exit_status') { should eq 0 }
-    its('stdout') { should_not match('-oCiphers') }
-    its('stdout') { should_not match('-oKexAlgorithms') }
-    its('stdout') { should_not match('-oHostKeyAlgorithms') }
+  describe processes('sshd -D') do
+    its('entries.length') { should eq 1 }
+    its('commands.first') { should_not match(/-oCiphers/) }
+    its('commands.first') { should_not match(/-oKexAlgorithms/) }
+    its('commands.first') { should_not match(/-oHostKeyAlgorithms/) }
   end
 end