github.com/CISOfy/lynis.git
author Eric Light <eric@ericlight.com> 2016-04-25 10:34:14 +0300
committer Michael Boelen <michael@cisofy.com> 2016-04-25 10:34:14 +0300
commit bcdca90942c4afd3fe4daec271949d84b15fb076
tree 15834336441bed08b946d7d0b5a12f98d40525fe /include/tests_kernel
parent c0f86fef09353cc3ddc070fe2a98f147d8cffcf6
Update KRNL-5788 for grsecurity (#178)
* If grsec installed, build FINDKERNEL from uname -r

When running a grsecurity-patched custom kernel, the /vmlinuz link is often missing. If this link is missing, and grsecurity is installed, then we can calculate the location of FINDKERNEL with the words "linux-image-", plus the output of "uname -r".

* Suggest manually checking kernel if grsec installed

We can't rely on the apt-cache output when running grsecurity. This is because apt-cache can't tell us if we're running an up-to-date kernel, when it's a custom kernel with grsecurity. Instead of confirming that the kernel is OK, we instead should remind the auditor to double-check themselves.
Diffstat (limited to 'include/tests_kernel')
-rw-r--r-- include/tests_kernel 35
1 files changed, 26 insertions, 9 deletions
diff --git a/include/tests_kernel b/include/tests_kernel
index dd3d844b..a2089e69 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -343,11 +343,22 @@
if [ -x /usr/bin/apt-cache ]; then
LogText "Result: found /usr/bin/apt-cache"
LogText "Test: checking readlink location of /vmlinuz"
- FINDKERNFILE=`readlink -f /vmlinuz`
- LogText "Output: readlink reported file ${FINDKERNFILE}"
- LogText "Test: checking package from dpkg -S"
- FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
- LogText "Output: dpkg -S reported package ${FINDKERNEL}"
+ if [ -f /vmlinuz ]; then
+ FINDKERNFILE=`readlink -f /vmlinuz`
+ LogText "Output: readlink reported file ${FINDKERNFILE}"
+ LogText "Test: checking package from dpkg -S"
+ FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
+ LogText "Output: dpkg -S reported package ${FINDKERNEL}"
+ else
+ if [ -e /dev/grsec ]; then
+ FINDKERNEL=linux-image-`uname -r`
+ LogText "/vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
+ else
+ LogText "This system is missing /vmlinuz. Unable to check whether kernel is up-to-date."
+ ReportException "${TEST_NO}:00|Missing /vmlinuz"
+ ReportSuggestion ${TEST_NO} "Discover why /vmlinuz is missing. Consider manually re-linking."
+ fi
+ fi
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '`
FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '`
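Review bot: In the new inner else branch (no /vmlinuz and no /dev/grsec), FINDKERNEL is never set, but control still falls through to the unchanged `apt-cache policy ${FINDKERNEL}` lines, so apt-cache is called with an empty package argument right after ReportException "${TEST_NO}:00" has been raised. Skip the apt-cache comparison in that case, for example by guarding it with `if [ -n "${FINDKERNEL}" ]; then`, so that a missing link produces one exception and no result derived from an empty name. In the grsecurity branch the linux-image- name built from uname -r is assumed and not confirmed against dpkg before use; a log line stating that the package name is unverified would help whoever reads the report. `${FINDKERNFILE}` is also passed to dpkg -S unquoted, which is worth quoting while these lines are being re-indented.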
@@ -359,11 +370,17 @@
ReportException "${TEST_NO}:01"
LogText "Exception: apt-cache policy did not return an installed kernel version"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
- else
+ else
if [ "${FINDINST}" = "${FINDCAND}" ]; then
- Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
- LogText "Result: no kernel update available"
- else
+ if [ -e /dev/grsec ]; then
+ Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
+ LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
+ ReportSuggestion ${TEST_NO} "Manually check to confirm you're using a recent kernel and grsecurity patch"
+ else
+ Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
+ LogText "Result: no kernel update available"
+ fi
+ else
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
LogText "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
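Review bot: The grsecurity branch added inside `[ "${FINDINST}" = "${FINDCAND}" ]` displays `--result GRSEC --color GREEN` while its own LogText says the test was unable to determine whether a newer kernel is available; GREEN reads as a pass, so use the YELLOW already used for UPDATE AVAILABLE or another non-pass colour for an undetermined result. The /dev/grsec test also covers only the equal case: when the two versions differ, a grsecurity system still gets UPDATE AVAILABLE from the same apt-cache output that the commit message describes as unreliable. Consider testing /dev/grsec once before the comparison and storing the result in a variable that both hunks use.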