
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authorTopi Miettinen <toiwoton@gmail.com>2020-03-22 12:18:00 +0300
committerTopi Miettinen <toiwoton@gmail.com>2020-03-22 12:21:52 +0300
commit203a4d34801ec37200d2ec190328f6c27ad71b78 (patch)
tree0057340ac2bf0bfc99cb4fe7d0f12f5fe24e016f /include/tests_file_integrity
parentf3426697777d87de31d6229ebecd875a2fc2f0c4 (diff)
Check IMA/EVM status
Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement Architecture) status. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'include/tests_file_integrity')
-rw-r--r--include/tests_file_integrity22
1 files changed, 22 insertions, 0 deletions
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 7a5658ac..a387c248 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -298,6 +298,28 @@
#
#################################################################################
#
+ # Test : FINT-4339
+ # Description : Check IMA/EVM status
+ if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
+ Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ if [ -e /sys/kernel/security/ima ]; then
+ FOUND=$(${CAT_BINARY} /sys/kernel/security/ima)
+ fi
+ if [ "${FOUND}" -ne 1 ]; then
+ LogText "Result: EVM tools found but IMA/EVM disabled"
+ Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
+ else
+ LogText "Result: EVM tools found, IMA/EVM enabled"
+ FILE_INT_TOOL="evmctl"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
# Test : FINT-4402 (was FINT-4316)
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
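Review bot: The numeric test `[ "${FOUND}" -ne 1 ]` in the new FINT-4339 block fails open. If `FOUND` is empty or not an integer, `[` exits with an error status, the `if` is taken as false, and the `else` branch reports IMA/EVM as enabled in green. That would happen when `cat` on `/sys/kernel/security/ima` fails, for example on kernels where that securityfs entry is a directory rather than a status file, and the read error would then be recorded as a working integrity tool through `FILE_INT_TOOL_FOUND=1`. Make the positive case the one that has to match, with `if [ "${FOUND}" = "1" ]; then` guarding the enabled branch and disabled as the `else`, and test the path with `-f` instead of `-e` so only a regular file is read. It is also worth confirming which securityfs file exposes the status value on the kernels Lynis supports.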