How to test whether a list of configured parameters is a subset of allowed parameters?


#1

In the case of ssh compliance I want to check whether the ciphers that are configured is a subset of allowed secure ciphers.
Let’s say the allowed ciphers are aes256-ctr, aes192-ctr and aes128-ctr then any subset of these ciphers would mean that the
requirement to only use secure ciphers would be fulfilled, i.e. the result should be “passed”.
Is there an easy way to build this check with a command like “is subset of” or how could I realize this?


#2

May be you can try something like this

supported_ciphers = command('ssh -Q cipher').stdout.strip.split("\n")

preferred_ciphers = [
  'chacha20-poly1305@openssh.com',
  'aes256-gcm@openssh.com',
  'aes128-gcm@openssh.com',
  'aes256-ctr',
  'aes192-ctr',
  'aes128-ctr'
]

fallback_ciphers = 'aes128-ctr,aes192-ctr,aes256-ctr'

target_ciphers = []
preferred_ciphers.each do |cipher|
  target_ciphers << cipher if supported_ciphers.include?(cipher)
end
# checking content of the file /etc/ssh/sshd_config for target_ciphers
describe file('/etc/ssh/sshd_config') do
  if target_ciphers.empty?
    its('content') { should match fallback_ciphers.to_s }
  else
    its('content') { should match target_ciphers.join(',').to_s }
  end
end

#3

Thanks a lot, that led me to the right direction.