authorDave Vehrs <dvehrs@users.noreply.github.com>2018-01-26 14:24:33 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2018-01-26 14:24:33 +0300
commita30d429315fcdbf2c6e2a2bad2ec837d5b9d5580 (patch)
tree96db01d0c45f746bbdefa9aaabdc449209c12dbc
parent7b664a7560401494f33c52069c53b61a8de167f4 (diff)
tests_usb updates (#514)
* Added kernel.dmesg_restrict to sysctl checks. * Moved usb-storage and authorization tests to tests_usb * Limit suggestions when USBGuard is installed * Changed usb_devices to usb
-rw-r--r--include/tests_storage76
-rw-r--r--include/tests_usb108
-rwxr-xr-xlynis2
3 files changed, 99 insertions, 87 deletions
diff --git a/include/tests_storage b/include/tests_storage
index f67d70e5..de8984c4 100644
--- a/include/tests_storage
+++ b/include/tests_storage
@@ -28,82 +28,6 @@
#
#################################################################################
#
- # Test : STRG-1840
- # Description : Check for disabled USB storage
- Register --test-no STRG-1840 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
- if [ ${SKIPTEST} -eq 0 ]; then
- FOUND=0
- LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
- if [ -d /etc/modprobe.d ]; then
- FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
- if [ ! -z "${FIND}" ]; then
- FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
- if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
- FOUND=1
- LogText "Result: found usb-storage driver in disabled state (blacklisted)"
- fi
- else
- LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
- fi
- fi
- if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
- FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
- if [ ! -z "${FIND}" ]; then
- FOUND=1
- LogText "Result: found usb-storage driver in disabled state"
- fi
- fi
- if [ ${FOUND} -eq 0 ]; then
- LogText "Result: usb-storage driver is not explicitly disabled"
- Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
- ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
- AddHP 2 3
- else
- LogText "Result: usb-storage driver is disabled"
- Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
- AddHP 3 3
- fi
- fi
-#
-#################################################################################
-#
- # Test : STRG-1842
- # Description : Check USB authorizations
- Register --test-no STRG-1842 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
- if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Checking USB devices authorization to connect to the system"
- FOUND=0
- USBDEVICESPATH="/sys/bus/usb/devices/usb"
- for device in "${USBDEVICESPATH}"*; do
- if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
- if [ $(cat "${device}/authorized_default") -eq 1 ]; then
- FOUND=1
- LogText "Test: ${device} is authorized by default"
- Report "usb_authorized_default_device[]=${device}"
- elif [ $(cat "${device}/authorized") -eq 1 ]; then
- FOUND=1
- LogText "Test: ${device} is authorized currently"
- Report "usb_authorized_device[]=${device}"
- fi
- fi
- done
-
- if [ ${FOUND} -eq 1 ]; then
- LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
- Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
- # To-Be-Added: create documentation and enable the suggestion
- #ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
- AddHP 0 3
- else
- LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
- Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
- AddHP 3 3
- fi
- fi
-#
-#################################################################################
-#
# Test : STRG-1846
# Description : Check for disabled firewire storage
# Explanation : Best option is to use the install function, or else drivers can still be loaded manually
diff --git a/include/tests_usb b/include/tests_usb
index 64e80aaf..d2d5a5ac 100644
--- a/include/tests_usb
+++ b/include/tests_usb
@@ -19,6 +19,10 @@
#
#################################################################################
#
+ InsertSection "USB Devices"
+#
+#################################################################################
+#
USBGUARD_FOUND=0
USBGUARD_CONFIG=""
@@ -35,22 +39,106 @@
#
#################################################################################
#
- InsertSection "USB Devices"
+
+ # Test to determine if USBGuard is installed. If it is, we will limit
+ # suggestions from other tests.
+ if [ ! -z "${USBGUARDBINARY}" ]; then
+ USBGUARD_FOUND=1
+ fi
+
#
#################################################################################
#
- # PLACEHOLDER USB-0000 used until a good test name & number can be assigned.
- # Once that is done, we are one step closer to being able to enable the
- # suggestions below.
+ # Test : USB-0100
+ # Description : Check for disabled USB storage
+ Register --test-no USB-0100 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
+ if [ -d /etc/modprobe.d ]; then
+ FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
+ if [ ! -z "${FIND}" ]; then
+ FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
+ if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
+ FOUND=1
+ LogText "Result: found usb-storage driver in disabled state (blacklisted)"
+ fi
+ else
+ LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
+ fi
+ fi
+ if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
+ FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
+ if [ ! -z "${FIND}" ]; then
+ FOUND=1
+ LogText "Result: found usb-storage driver in disabled state"
+ fi
+ fi
+ if [ ${FOUND} -eq 0 ]; then
+ LogText "Result: usb-storage driver is not explicitly disabled"
+ Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+ if [ "${USBGUARD_FOUND}" -eq "0" ]; then
+ ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
+ fi
+ AddHP 2 3
+ else
+ LogText "Result: usb-storage driver is disabled"
+ Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
+ AddHP 3 3
+ fi
+ fi
+
+#
+#################################################################################
+#
- # Test : USB-0000
- # Description : Perform file permissions check
- Register --test-no USB-0000 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard"
+ # Test : USB-0200
+ # Description : Check USB authorizations
+ Register --test-no USB-0200 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking USB devices authorization to connect to the system"
+ FOUND=0
+ USBDEVICESPATH="/sys/bus/usb/devices/usb"
+ for device in "${USBDEVICESPATH}"*; do
+ if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
+ if [ $(cat "${device}/authorized_default") -eq 1 ]; then
+ FOUND=1
+ LogText "Test: ${device} is authorized by default"
+ Report "usb_authorized_default_device[]=${device}"
+ elif [ $(cat "${device}/authorized") -eq 1 ]; then
+ FOUND=1
+ LogText "Test: ${device} is authorized currently"
+ Report "usb_authorized_device[]=${device}"
+ fi
+ fi
+ done
- if [ ! -z "${USBGUARDBINARY}" ]; then
- USBGUARD_FOUND=1
+ if [ ${FOUND} -eq 1 ]; then
+ LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
+ Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
+ # To-Be-Added: create documentation and enable the suggestion
+ #if [ "${USBGUARD_FOUND}" -eq "0" ]; then
+ # ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
+ #fi
+ AddHP 0 3
+ else
+ LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
+ Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
+ AddHP 3 3
+ fi
+ fi
+
+#
+#################################################################################
+#
+
+ # Test : USB-0300
+ # Description : Perform USBGuard check
+ Register --test-no USB-0300 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ "${USBGUARD_FOUND}" -gt "0" ]; then
LogText "Result: USBGuard is installed (${USBGUARDBINARY})"
Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
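Review bot: At `if [ $(cat "${device}/authorized_default") -eq 1 ]` in USB-0200 the outer test on the line above accepts a device that exposes only one of `authorized` and `authorized_default`, so when `authorized_default` is absent the unguarded `cat` fails and `[` receives an empty operand, producing an "integer expression expected" error instead of a clean skip; the `elif` reading `authorized` has the mirror problem. Testing each attribute before reading it, and quoting the substitution, keeps the test robust: `if [ -e "${device}/authorized_default" ] && [ "$(cat "${device}/authorized_default")" -eq 1 ]; then` and `elif [ -e "${device}/authorized" ] && [ "$(cat "${device}/authorized")" -eq 1 ]; then`. Separately, USB-0100 tests `[ -d /etc/modprobe.d ]` on the host path while every following line reads `${ROOTDIR}etc/modprobe.d`, so with a non-default ROOTDIR the modprobe.d branch can be skipped entirely; `if [ -d ${ROOTDIR}etc/modprobe.d ]; then` makes the two agree. The hunk ends inside USB-0300's `if [ "${USBGUARD_FOUND}" -gt "0" ]` branch, whose body continues outside it.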
@@ -235,7 +323,7 @@
LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"
Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
- ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
+ #ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
AddHP 0 1
fi
diff --git a/lynis b/lynis
index 2b8e9168..4ebddd60 100755
--- a/lynis
+++ b/lynis
@@ -925,7 +925,7 @@ ${NORMAL}
LogText "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
- filesystems usb_devices storage storage_nfs nameservices ports_packages networking printers_spools \
+ filesystems usb storage storage_nfs nameservices ports_packages networking printers_spools \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \
mac_frameworks file_integrity tooling malware file_permissions homedirs \