authormboelen <michael@cisofy.com>2014-09-25 19:47:23 +0400
committermboelen <michael@cisofy.com>2014-09-25 19:47:23 +0400
commit08f77d2531a231111e248754db12d6c92053f462 (patch)
tree7743eb41d9e4245a3200bbcc6dbf22ef1c951044 /include/tests_boot_services
parentf0292d36533f8628a797d220ee1c99738fa4c1b4 (diff)
Added GRUB2 detection on empty /boot
Diffstat (limited to 'include/tests_boot_services')
-rw-r--r--include/tests_boot_services64
1 files changed, 41 insertions, 23 deletions
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 2c14cbe8..78e51485 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -25,6 +25,7 @@
Display --indent 2 --text "- Checking boot loaders"
BOOT_LOADER="Unknown"
BOOT_LOADER_FOUND=0
+ GRUB_VERSION=0
#
#################################################################################
#
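Review bot: `GRUB_VERSION=0` gets an initial value here, but `GRUBCONFFILE`, which the new BOOT-5122 test later uses as its only prerequisite (`[ ! "${GRUBCONFFILE}" = "" ]`), is not reset alongside it and is assigned only inside the detection branches further down. If this include is sourced into a shell where that name is already set (for example exported in the environment), the password test would run on a host where no boot loader was detected at all. Add `GRUBCONFFILE=""` next to `GRUB_VERSION=0` so the prerequisite reflects what this run detected.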
@@ -38,30 +39,9 @@
FOUND=1
BOOT_LOADER="GRUB"
BOOT_LOADER_FOUND=1
+ GRUB_VERSION=1
Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
- logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
- FileIsReadable ${GRUBCONFFILE}
- if [ ${CANREAD} -eq 1 ]; then
- FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
- FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
- if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
- Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
- logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
- logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
- logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
- logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
- ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
- logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
- AddHP 0 2
- else
- Display --indent 6 --text "- Checking for password protection" --result OK --color GREEN
- logtext "Result: GRUB has password protection."
- AddHP 4 4
- fi
- else
- logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"
- fi
fi
# GRUB2 configuration file
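Review bot: `GRUB_VERSION=1` is set here, but the next line still assigns `GRUBCONFFILE="/boot/grub/menu.lst"` whenever grub.conf is absent, without checking that menu.lst exists; now that the password check lives in a separate test whose prerequisite is only that GRUBCONFFILE is non-empty, this branch can hand BOOT-5122 a path that is not there, and the resulting "Can not read" log line would blame permissions rather than absence. Consider `if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; elif [ -f /boot/grub/menu.lst ]; then GRUBCONFFILE="/boot/grub/menu.lst"; fi` so GRUBCONFFILE stays empty and the test is skipped. Whether the enclosing `if` can match without either file depends on its condition, which starts before this hunk.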
@@ -69,11 +49,18 @@
FOUND=1
BOOT_LOADER="GRUB2"
BOOT_LOADER_FOUND=1
+ GRUB_VERSION=2
+ GRUBCONFFILE="/boot/grub/grub.cfg"
Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
# YYY password check, when documentation of GRUB2 project is improved
# YYY Add check permission check (600)
- ReportManual "${TEST_NO}:01"
+ if [ -d /boot ]; then
+ if [ `ls /boot/* 2> /dev/null` -a ! "${GRUB2INSTALLBINARY}" = "" ]; then
+ logtext "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
+ Display --indent 4 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
+ ReportManual "${TEST_NO}:01"
+ fi
fi
if [ ${FOUND} -eq 0 ]; then
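Review bot: The empty-/boot test on the `if [ `ls /boot/* 2> /dev/null` -a ... ]` line does not express what its log message says: the command substitution is unquoted, so a non-empty /boot word-splits into one `[` argument per entry (a "too many arguments" error, branch skipped), and an empty /boot leaves `[ -a ! "${GRUB2INSTALLBINARY}" = "" ]`, which is not an emptiness test either. Compare the listing as a string instead: `if [ "`ls -A /boot 2> /dev/null`" = "" -a ! "${GRUB2INSTALLBINARY}" = "" ]; then`. As rendered here the added lines open two `if`s but add only one `fi`, and the new block sits in the branch entered after grub.cfg was found (see the log line above), where /boot cannot be empty; unless an `else` or a `fi` was lost in this view, the structure needs a second look. The `ReportManual` call is now reached only in this fallback branch, so a normally detected GRUB2 no longer yields a manual-review item, and "Checking presence GRUB2" is displayed twice when the fallback fires; if that is intended, a one-line comment saying so would help. GRUB2INSTALLBINARY is presumably set earlier in the file, and the enclosing GRUB2 `if` starts before this hunk.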
@@ -83,6 +70,37 @@
#
#################################################################################
#
+ # Test : BOOT-5122
+ # Description : Check for GRUB boot loader configuration
+ if [ ! "${GRUBCONFFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for GRUB boot password"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
+ FileIsReadable ${GRUBCONFFILE}
+ if [ ${CANREAD} -eq 1 ]; then
+ FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
+ FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
+ if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
+ Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
+ logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
+ logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
+ logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
+ logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
+ ReportSuggestion ${TEST_NO} "M" "Set a password on GRUB bootloader to prevent altering configuration"
+ logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
+ AddHP 0 2
+ else
+ Display --indent 6 --text "- Checking for password protection" --result OK --color GREEN
+ logtext "Result: GRUB has password protection."
+ AddHP 4 4
+ fi
+ else
+ logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"
+ fi
+ fi
+#
+#################################################################################
+#
# Test : BOOT-5124
# Description : Check for FreeBSD boot loader
Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence"
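Review bot: BOOT-5122's prerequisite `if [ ! "${GRUBCONFFILE}" = "" ]` also passes on GRUB2 hosts, because the GRUB2 branch now assigns `GRUBCONFFILE="/boot/grub/grub.cfg"`, yet the test greps only for the legacy `password --md5` / `password --encrypted` directives; GRUB2 protects its menu with `set superusers=` and `password_pbkdf2` as far as I know, so every GRUB2 system would receive the "Set a password on GRUB bootloader" suggestion regardless of its configuration, contradicting the YYY comment in the GRUB2 branch that its password check is still deferred. Gate the prerequisite on the version flag this commit introduces: `if [ ${GRUB_VERSION} -eq 1 -a ! "${GRUBCONFFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. Two smaller points: `grep -v '^#'` does not drop a directive commented out after leading whitespace, and the `cat ${GRUBCONFFILE} | grep` pairs can be `grep 'password --md5' ${GRUBCONFFILE}` directly. A comment above the grep lines such as `# Legacy GRUB (0.9x) syntax only; grub.cfg uses password_pbkdf2/superusers` would keep the next maintainer from extending these patterns to GRUB2.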