These baseline tests requires [Inspec](https://github.com/inspec/inspec) to be installed. If you don't have it installed, it can be grabbed for RHEL, Ubuntu, and Mac using the following command. `curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec`
##### Required Configuration / Installations To run a baseline test, grab the required repository from the [DevSec GitHub](https://github.com/dev-sec) and run the following command `inspec exec BASELINETEST` For example, to run SSH-Baseline, just run the following ```shell # Don't forget to install Inspec # curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec git clone https://github.com/dev-sec/ssh-baseline inspec exec ssh-baseline ```When running these baselines, they will output the results as test success and failures in green and red, respectively. Some tests may be *intended* to fail in order to meet security needs. The ssh-baseline test [sshd-07](https://dev-sec.io/baselines/ssh/) will output an intended error if you have modified your `/etc/sshd_config` to use a custom port instead of the default 22. For example, if you have changed your SSH port to 999, the following error will be displayed. Note that the similar test, ssh-07, is not the same and refers to the configuration stored at `/etc/ssh/ssh_config`
```shell × sshd-07: Server: Specify the listen ssh Port × SSHD Configuration Port should eq "22" expected: "22" got: "999" ``` If you are unsure if the results of a test should be a concern, check the description on the baseline's overview page. For [ssh-baseline](https://dev-sec.io/baselines/ssh/), test sshd-07 has the following description. ```shell control 'sshd-07' do impact 1.0 title 'Server: Specify the listen ssh Port' desc 'Always specify which port the SSH server should listen to. Prevent unexpected settings.' describe sshd_config do its('Port') { should eq('22') } end end ``` You can see by the description above that this test is intended to alert you to always specify your port within `/etc/sshd_config` ##### Running the SSH-Baseline Test When initially running this test, first be sure to check your file can be read by inspec by checking the permission checks output when running `sudo inspec exec ssh-baseline` ```shell ... ✔ sshd-04: Server: Check SSH folder owner, group and permissions. ✔ File /etc/ssh should exist ✔ File /etc/ssh should be directory ✔ File /etc/ssh should be owned by "root" ✔ File /etc/ssh should be grouped into "root" ✔ File /etc/ssh should be executable ✔ File /etc/ssh should be readable by owner ✔ File /etc/ssh should be readable by group ✔ File /etc/ssh should be readable by other ✔ File /etc/ssh should be writable by owner ✔ File /etc/ssh should not be writable by group ✔ File /etc/ssh should not be writable by other ✔ sshd-05: Server: Check sshd_config owner, group and permissions. ✔ File /etc/ssh/sshd_config should exist ✔ File /etc/ssh/sshd_config should be file ✔ File /etc/ssh/sshd_config should be owned by "root" ✔ File /etc/ssh/sshd_config should be grouped into "root" ✔ File /etc/ssh/sshd_config should not be executable ✔ File /etc/ssh/sshd_config should be readable by owner ✔ File /etc/ssh/sshd_config should not be readable by group ✔ File /etc/ssh/sshd_config should not be readable by other ✔ File /etc/ssh/sshd_config should be writable by owner ✔ File /etc/ssh/sshd_config should not be writable by group ✔ File /etc/ssh/sshd_config should not be writable by other ... ✔ ssh-01: client: Check ssh_config owner, group and permissions. ✔ File /etc/ssh/ssh_config should exist ✔ File /etc/ssh/ssh_config should be file ✔ File /etc/ssh/ssh_config should be owned by "root" ✔ File /etc/ssh/ssh_config should be grouped into "root" ✔ File /etc/ssh/ssh_config should not be executable ✔ File /etc/ssh/ssh_config should be readable by owner ✔ File /etc/ssh/ssh_config should be readable by group ✔ File /etc/ssh/ssh_config should be readable by other ✔ File /etc/ssh/ssh_config should be writable by owner ✔ File /etc/ssh/ssh_config should not be writable by group ✔ File /etc/ssh/ssh_config should not be writable by other ... ```