author | mboelen <michael@cisofy.com> | 2014-09-09 16:49:37 +0400 |
---|---|---|
committer | mboelen <michael@cisofy.com> | 2014-09-09 16:49:37 +0400 |
commit | dd2ea3efaf5a91b97840383b578ad8ddffbd76a8 (patch) | |
tree | 705fee4e70ef4920598f76ab238332e791f33372 /include/tests_boot_services | |
parent | 3beae44e9268920f73f742365bfb26be5e5f63be (diff) |
Made adjustments to run in non-privileged scans
Diffstat (limited to 'include/tests_boot_services')
-rw-r--r-- | include/tests_boot_services | 73 |
1 files changed, 42 insertions, 31 deletions
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 2755460d..3d8ce7c1 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -39,21 +39,26 @@
 Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN
 if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
 logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
- FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
- FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
- if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
- Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
- logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
- logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
- logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
- logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
- ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
- logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
- AddHP 0 2
+ FileIsReadable ${GRUBCONFFILE}
+ if [ ${CANREAD} -eq 1 ]; then
+ FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
+ FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
+ if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
+ Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
+ logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
+ logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
+ logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
+ logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
+ ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
+ logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
+ AddHP 0 2
+ else
+ Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
+ logtext "Result: GRUB has password protection."
+ AddHP 4 4
+ fi
 else
- Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
- logtext "Result: GRUB has password protection."
- AddHP 4 4
+ logtext "Warning: can not read ${GRUBCONFFILE}"
 fi
 fi
 
@@ -86,7 +91,7 @@
 BOOT_LOADER="FreeBSD"
 else
 logtext "Result: Not all expected files found in /boot"
- Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color WHITE
+ Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color WHITE
 fi
 fi
 #
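Review bot: The unreadable branch added at the end of the hunk (`+ logtext "Warning: can not read ${GRUBCONFFILE}"`) only writes to the log file: there is no `Display` line, no `AddHP` call and no suggestion, so a non-privileged scan finishes this test with nothing on screen and the hardening score neither counts the bootloader-password check as passed nor as failed. I would pair that logtext with `Display --indent 6 --text "- Checking for password protection..." --result SKIPPED --color WHITE` (or whatever result label the Display helper accepts) so the report shows the check was skipped for lack of privileges rather than silently dropped. Separately, both `grep -v '^#'` filters in the moved lines only discard comments that start at column 0; an indented `  # password --md5 ...` line still passes and counts as protection, so `grep -v '^[[:space:]]*#'` is the safer filter. The enclosing `if` for the GRUB presence check starts above the hunk.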
@@ -114,25 +119,31 @@
 # Notes : password= or password =
 Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
 if [ ${SKIPTEST} -eq 0 ]; then
+ LILOCONFFILE="/etc/lilo.conf"
 logtext "Test: checking for presence LILO configuration file..."
- if [ -f /etc/lilo.conf ]; then
- BOOT_LOADER="LILO"
- Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
- logtext "Checking password option LILO..."
- FIND=`cat /etc/lilo.conf | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
- if [ "${FIND}" = "" ]; then
- Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
- logtext "Result: no password set for LILO. Bootloader is unprotected to"
- logtext "dropping to single user mode or unauthorized access to devices/data."
- ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
- ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
- AddHP 0 2
+ if [ -f ${LILOCONFFILE} ]; then
+ FileIsReadable ${LILOCONFFILE}
+ if [ ${CANREAD} -eq 1 ]; then
+ BOOT_LOADER="LILO"
+ Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
+ logtext "Checking password option LILO..."
+ FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
+ logtext "Result: no password set for LILO. Bootloader is unprotected to"
+ logtext "dropping to single user mode or unauthorized access to devices/data."
+ ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
+ ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
+ AddHP 0 2
+ else
+ Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN
+ logtext "Result: LILO password option set"
+ AddHP 4 4
+ fi
+ #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
 else
- Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN
- logtext "Result: LILO password option set"
- AddHP 4 4
+ logtext "Warning: can not access ${LILOCONFFILE}"
 fi
- #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
 else
 Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE
 logtext "Result: LILO configuration file not found" |
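Review bot: `BOOT_LOADER="LILO"` and the `Display --indent 4 --text "- Checking presence LILO... " --result "OK"` line now sit inside the `${CANREAD} -eq 1` branch, although presence was already established by the `-f ${LILOCONFFILE}` test directly above. On a non-privileged scan of a LILO host the file exists but is unreadable, so the test neither records the boot loader nor prints the presence line and only `logtext "Warning: can not access ${LILOCONFFILE}"` is emitted, with no `Display`, `AddHP` or suggestion. I would move the two lines `BOOT_LOADER="LILO"` and the presence `Display` up to immediately after `if [ -f ${LILOCONFFILE} ]; then`, ahead of `FileIsReadable`, and give the unreadable branch its own `Display --indent 6 --text "- Password option presence " --result "SKIPPED" --color WHITE` so the password check visibly reports that it could not run. Whether later tests read `BOOT_LOADER` is not visible in this hunk, and the `if [ ${SKIPTEST} -eq 0 ]` block closes below it.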