MQL Examples for authorizedkeys and authorizedkeys.entry

[kmf]

Is there MQL examples of using Authorized Keys and Authorized Keys Entries?

[imilchev]

I suppose you are encountering an error when you try to access this resource. You need to initialize it when invoking it. You can do that as follows:

cnspec> authorizedkeys(path: '/root/.ssh/authorized_keys')
authorizedkeys.list: [
  0: authorizedkeys.entry key="***"
  1: authorizedkeys.entry key="***"
]

Essentially, you need to provide the path to a file that contains your authorized keys.

[kmf]

trying to match output to a list of known keys, how would that look?

[imilchev]

Here is an example policy that can do this:

policies:
  - uid: sshd-server-policy
    name: SSH Server Policy
    groups:
      - filters: platform.family.contains('linux') # will apply only to assets that run linux
        checks:
          - uid: ssh-authorized-keys
queries:
  - uid: ssh-authorized-keys
    title: Verify SSH authorized keys
    props:
      - uid: allowedKeys # a property that defines the allowed keys. It can be referenced in the query later
        title: Define allowed SSH keys
        mql: |
          return [ 
             "key1", 
             "key2"
          ]
    # The query loads the authorized keys file at /root/.ssh/authorized_keys and then creates a flat list of the keys
    # in that file. Then we verify that this list contains only entries that are present in allowedKeys
    mql: |
      authorizedkeys(path: '/root/.ssh/authorized_keys').map(_.key).containsOnly(props.allowedKeys)

This is one way of doing that check. You can play with the MQL a bit if you want to do it differently but this will check what you asked for.

Let me know if there is something that's not clear!

[kmf]

Failed.

Authorized Keys:
[failed] [].containsOnly()
  expected: == []
  actual:   [
    0: "AAAAB3NzaC1yc2EAAAABIwAAAQEAnY/glWyYr37wg9EesHIuRvGj4cT97DLuRrW0KJiqoCTW1xKxTw4roBnXTcHJunOGjIIwENZeoLnZGOaZ2R4PMsoa7k7VbKYOxb6Q8AzZjvtK5dhpG1/uq3PQRIkWpST2gJEexMctDVfr7V28eb7ncUOz7/eBVDydLwwQHdlTWlww99N9IpzqNr7v4JESm6Ea70osg6QSo/NQDTboKKH+jWMYXRe8mrACzCqZ6ZeFivcv2BCUFEE+T0OCHcHyXwkxUcv+wvtgUGoC8MhChX7YpzpNiVoGMDy7bzAcLx+Ym6b2L0PpcdjkXzi8HzX+Xbzh9HROiVmvpSkGHEnJNfUstQ=="
    1: "AAAAB3NzaC1yc2EAAAADAQABAAACAQCDW1klXpDGfCJPHLxnl2JPe1BvfDJbjxZmXS/INLobawQ+KdUO+DHNCWKir7bWJMUPGd9/RbjPOoG0nQnIc1Bz2V28dr8mk0qR7LG/HucijTXkB4Uxt4UxzbIovoHHAqYl9opjRwf/t8Ecl3N46jOTq971xvQOBINAPCAYv9+5EJK167MrTgEiNgGETpf7qEQzakG2fXWkawyGxRNIYKoSHVn9ArHF9DkDlYdjIbrkC+GLpznACwHZP7vKo2tIP7ITqu1jzUYCkH5rII0nI6ctPBq79/HXVBrU4Zh6rCk3YAZDy0yO4MW/oIFkl4WUa1mVQ7FcxN4apw+o6L87mkdyqs+GtVf6Z76+T89/WHXx0/1+GKSNapgB1V/tPa6zXYs7WAaqEjchAqRZlGD4v8Iq4cp0MCjZFnaGbcR0FpmIdN+VHHCzQYmiDsQdL1RX1dXOrTPGWVj4ucx1AwbVzNLKys8qPDVpz/87YhM3j0UcS3LNXmaHoU4xoEOhf/CuTGcCGs79hj7qP/jhthvhaZb84pcJ+rFEZIgQ9JF+QBhAbcDR9EolSVZxuoXzK9hQaweOZmpmifzZOiLchAeV185KvQJ6djgKGmHrgDIL49vGWVEuNN8mRGBGNa/KE7O+3tFYGNeF/7TDNr7fq3hW46YcmdQolxrDRjFq3yDVNc7Qxw=="

[kmf]

Working, my Mistake.

Authorized Keys:
[ok] value: []

[imilchev]

As a follow-up we will work on fixing the output for containsOnly and better documenting the usage of authorizedkeys and other resources that require init parameters.