diff options
| author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-23 11:35:38 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2020-03-23 11:35:38 +0300 |
| commit | 8ea39314f2a028bca4ff53842258459c8ca018d3 (patch) | |
| tree | f5b7c1898a6c33fb1d00ae56b2962254f04bc148 /include/tests_file_integrity | |
| parent | 203a4d34801ec37200d2ec190328f6c27ad71b78 (diff) | |
Check for dm-integrity and dm-verity
Detect tools for dm-integrity and dm-verity, check if some devices
in /dev/mapper/* use them and especially the system root device.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'include/tests_file_integrity')
| -rw-r--r-- | include/tests_file_integrity | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/include/tests_file_integrity b/include/tests_file_integrity index a387c248..dc32411d 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -320,6 +320,85 @@ # ################################################################################# # + # Test : FINT-4340 + # Description : Check dm-integrity status + if [ ! -z "${INTEGRITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No integritysetup binary found"; fi + Register --test-no FINT-4340 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-integrity status" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + ROOTPROTECTED=0 + ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') + for DEVICE in /dev/mapper/*; do + if [ -e "${DEVICE}" ]; then + FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY') + if [ ! -z "${FIND}" ]; then + FOUND=1 + LogText "Result: found dm-integrity device ${DEVICE}" + if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then + ROOTPROTECTED=1 + fi + fi + fi + done + if [ "${FOUND}" -ne 1 ]; then + LogText "Result: dm-integrity tools found but no active devices" + Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_DISABLED}" --color WHITE + else + LogText "Result: dm-integrity tools found, active devices" + if [ ${ROOTPROTECTED} -eq 1 ]; then + LogText "Result: root filesystem is protected by dm-integrity" + Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN + else + LogText "Result: root filesystem is not protected by dm-integrity but active devices found" + Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_FOUND}" --color YELLOW + fi + FILE_INT_TOOL="dm-integrity" + FILE_INT_TOOL_FOUND=1 + Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : FINT-4341 + # Description : Check dm-verity status + if [ ! -z "${VERITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No veritysetup binary found"; fi + Register --test-no FINT-4341 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-verity status" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + ROOTPROTECTED=0 + ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') + for DEVICE in /dev/mapper/*; do + if [ -e "${DEVICE}" ]; then + FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY') + if [ ! -z "${FIND}" ]; then + FOUND=1 + LogText "Result: found dm-verity device ${DEVICE}" + if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then + ROOTPROTECTED=1 + fi + fi + fi + done + if [ "${FOUND}" -ne 1 ]; then + LogText "Result: dm-verity tools found but no active devices" + Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_DISABLED}" --color WHITE + else + LogText "Result: dm-verity tools found, active devices" + if [ ${ROOTPROTECTED} -eq 1 ]; then + LogText "Result: root filesystem is protected by dm-verity" + Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_ENABLED}" --color GREEN + else + LogText "Result: root filesystem is not protected by dm-verity but active devices found" + Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_FOUND}" --color YELLOW + fi + FILE_INT_TOOL="dm-verity" + FILE_INT_TOOL_FOUND=1 + fi + fi +# +################################################################################# +# # Test : FINT-4402 (was FINT-4316) # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi |