author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-19 23:40:54 +0300 |
committer | Topi Miettinen <toiwoton@gmail.com> | 2020-03-23 18:31:32 +0300 |
commit | 8913374092acf285b492abcffde3d97406ec88f1 (patch) | |
tree | 573baf161e26afa26ff990a62b76bca979ffdcdf /include/tests_boot_services | |
parent | 7bba7bd4af22a959a1a058e76bb4689f748491a6 (diff) |
Run 'systemd-analyze security'
'systemd-analyze security' (available since systemd v240) makes a nice
overall evaluation of hardening levels of services in a system. More
details can be found with 'systemd-analyze security SERVICE' for each
service.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'include/tests_boot_services')
-rw-r--r-- | include/tests_boot_services | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/include/tests_boot_services b/include/tests_boot_services
index f280cb86..8ad83d7c 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -987,6 +987,44 @@
 #
 #################################################################################
 #
+ # Test : BOOT-5264
+ # Description : Run systemd-analyze security
+ if [ -z "${SYSTEMDANALYZEBINARY}" ]; then SKIPREASON="systemd-analyze not available"; PREQS_MET="NO";
+ else
+ SYSTEMD_VERSION=$("${SYSTEMDANALYZEBINARY}" --version | ${AWKBINARY} '/^systemd / {print $2}')
+ if [ "${SYSTEMD_VERSION}" -ge 240 ]; then PREQS_MET="YES"; else SKIPREASON="systemd-analyze too old (v${SYSTEMD_VERSION}), need at least v240"; PREQS_MET="NO"; fi
+ fi
+ Register --test-no BOOT-5264 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --os Linux --weight L --network NO --category security --description "Run systemd-analyze security"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Run systemd-analyze security"
+ Display --indent 2 --text "- Running 'systemd-analyze security'"
+ ${SYSTEMDANALYZEBINARY} security | while read UNIT EXPOSURE PREDICATE HAPPY; do
+ if [ "${UNIT}" = "UNIT" ]; then
+ continue
+ fi
+ COLOR="BLACK"
+ case ${PREDICATE} in
+ PERFECT | SAFE | OK)
+ COLOR=GREEN
+ ;;
+ MEDIUM)
+ COLOR=WHITE
+ ;;
+ EXPOSED)
+ COLOR=YELLOW
+ ;;
+ UNSAFE | DANGEROUS)
+ COLOR=RED
+ ;;
+ esac
+ Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" --color "${COLOR}"
+ LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"
+ done
+ ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
+ fi
+#
+#################################################################################
+#
 Report "boot_loader=${BOOT_LOADER}"
 Report "boot_uefi_booted=${UEFI_BOOTED}" |
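Review bot: The ReportSuggestion call at the end of the BOOT-5264 block fires on every run, even when every unit came back PERFECT/OK, because the per-unit predicate is only used to choose a display colour and the while loop sits in a pipeline subshell where no counter set inside it would survive past `done`. Capturing the analyzer output once and feeding the loop from a here-document keeps the loop in the current shell, lets a count of EXPOSED/UNSAFE/DANGEROUS units gate the suggestion, and also makes room for `read -r` so a backslash in a unit name is not reinterpreted. The version check would additionally benefit from an emptiness guard, since awk prints nothing when `--version` has an unexpected format and `[ "" -ge 240 ]` then emits a shell error before falling into the else branch: `if [ -n "${SYSTEMD_VERSION}" ] && [ "${SYSTEMD_VERSION}" -ge 240 ]; then`. The surrounding test file continues outside the hunk.
```shell
        # Capture once: a loop fed from a here-document runs in the current shell,
        # so the counter below is still visible after `done`.
        ANALYZE_OUTPUT=$("${SYSTEMDANALYZEBINARY}" security)
        EXPOSED_UNITS=0
        while read -r UNIT EXPOSURE PREDICATE HAPPY; do
            if [ -z "${UNIT}" ] || [ "${UNIT}" = "UNIT" ]; then
                continue
            fi
            # … unchanged: COLOR selection per PREDICATE …
            case ${PREDICATE} in
                EXPOSED | UNSAFE | DANGEROUS) EXPOSED_UNITS=$((EXPOSED_UNITS + 1)) ;;
            esac
            Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" --color "${COLOR}"
            LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"
        done <<EOF
${ANALYZE_OUTPUT}
EOF
        if [ ${EXPOSED_UNITS} -gt 0 ]; then
            ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
        fi
```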