author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-22 12:18:00 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2020-03-22 12:21:52 +0300 |
commit | 203a4d34801ec37200d2ec190328f6c27ad71b78 (patch) | |
tree | 0057340ac2bf0bfc99cb4fe7d0f12f5fe24e016f /include/tests_file_integrity | |
parent | f3426697777d87de31d6229ebecd875a2fc2f0c4 (diff) |
Check IMA/EVM status
Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement
Architecture) status.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'include/tests_file_integrity')
-rw-r--r-- | include/tests_file_integrity | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 7a5658ac..a387c248 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -298,6 +298,28 @@
 #
 #################################################################################
 #
+ # Test : FINT-4339
+ # Description : Check IMA/EVM status
+ if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
+ Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ if [ -e /sys/kernel/security/ima ]; then
+ FOUND=$(${CAT_BINARY} /sys/kernel/security/ima)
+ fi
+ if [ "${FOUND}" -ne 1 ]; then
+ LogText "Result: EVM tools found but IMA/EVM disabled"
+ Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
+ else
+ LogText "Result: EVM tools found, IMA/EVM enabled"
+ FILE_INT_TOOL="evmctl"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
 # Test : FINT-4402 (was FINT-4316)
 # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
 if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
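Review bot: The line `FOUND=$(${CAT_BINARY} /sys/kernel/security/ima)` reads a path that, on the kernels I am aware of, is a securityfs directory rather than a flag file (confirm on an IMA-enabled host), so `cat` fails, `FOUND` becomes empty, and the following `[ "${FOUND}" -ne 1 ]` raises "integer expression expected" and falls through to the "IMA/EVM enabled" branch — an audit check should never report a control as enabled because a comparison errored out. Make the read produce only a validated value, for example `if [ -d /sys/kernel/security/ima ]; then FOUND=1; fi` (or read the numeric `runtime_measurements_count` file inside that directory, which needs confirming against a live IMA kernel), and compare with `if [ "${FOUND}" != "1" ]; then` so that any non-numeric result lands on the disabled side. `SKIPREASON` is also only assigned on the NO branch, so a value left from an earlier test may be passed to `Register` when the prerequisites are met; clearing it first, `SKIPREASON=""`, avoids that. The enclosing test sequence continues outside the hunk.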