author | Topi Miettinen <toiwoton@gmail.com> | 2020-04-10 12:54:48 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2020-04-10 12:54:48 +0300 |
commit | de848cb76a1d336bf4b8f46da490fc8b8d14a66e (patch) | |
tree | cce5f9eb926420d6e7447a3383024e1aaa87c793 /include/tests_hardening | |
parent | a16669119979927cda4317889d94bf744ec1cc4f (diff) |
Check for registered non-native binary formats
Examine /proc/sys/fs/binfmt_misc (Linux) for additional registered
binary formats. Those are probably emulated and their emulation could
be less tested, more buggy and more vulnerable than native binary
formats, so they should be disabled when not needed.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'include/tests_hardening')
-rw-r--r-- | include/tests_hardening | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/include/tests_hardening b/include/tests_hardening index 2f88b179..9fe31944 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -107,6 +107,27 @@ # ################################################################################# # + # Test : HRDN-7231 + # Description : Check for registered non-native binary formats + Register --test-no HRDN-7231 --os Linux --weight L --network NO --category security --description "Check for registered non-native binary formats" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Check for registered non-native binary formats" + NFORMATS=0 + if [ -d /proc/sys/fs/binfmt_misc ]; then + NFORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status | ${WCBINARY} --lines) + fi + if [ ${NFORMATS} -eq 0 ]; then + LogText "Result: no non-native binary formats found" + Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_NOT_FOUND}" --color GREEN + else + FORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status -printf '%f ') + LogText "Result: found ${NFORMATS} non-native binary formats registered: ${FORMATS}" + Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_FOUND}" --color RED + fi + fi +# +################################################################################# +# # LogText "--------------------------------------------------------------------" # LogText "| System part | Preferred value | Actual value | Points |" # LogText "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |" |
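Review bot: The `find ... -type f -not -name register -not -name status` used for NFORMATS counts every entry file, whether or not that format is currently enabled, so a system where the formats are registered but switched off still gets the RED "found" result. The commit message asks for unneeded formats to be disabled, so consider reading each entry (its first line is `enabled` or `disabled`) and the global `status` file, and reporting only the formats that are active. Two smaller points in the same hunk: `${WCBINARY} --lines` and `find -printf '%f '` are GNU extensions rather than POSIX, so on Linux systems with a non-GNU userland the count or the name list may fail; `wc -l` and a loop over the directory entries would be portable. The directory is also walked twice with identical filters; building FORMATS once and deriving NFORMATS from it would keep the two values consistent if an entry is registered or removed between the calls.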