diff options
author | Dave Vehrs <dvehrs@users.noreply.github.com> | 2018-01-26 14:24:33 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2018-01-26 14:24:33 +0300 |
commit | a30d429315fcdbf2c6e2a2bad2ec837d5b9d5580 (patch) | |
tree | 96db01d0c45f746bbdefa9aaabdc449209c12dbc /include/tests_storage | |
parent | 7b664a7560401494f33c52069c53b61a8de167f4 (diff) |
tests_usb updates (#514)
* Added kernel.dmesg_restrict to sysctl checks.
* Moved usb-storage and autthorization tests tests_usb
* Limit Suggestions when USBGuard installed
* Changed usb_devices to usb
Diffstat (limited to 'include/tests_storage')
-rw-r--r-- | include/tests_storage | 76 |
1 files changed, 0 insertions, 76 deletions
diff --git a/include/tests_storage b/include/tests_storage index f67d70e5..de8984c4 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -28,82 +28,6 @@ # ################################################################################# # - # Test : STRG-1840 - # Description : Check for disabled USB storage - Register --test-no STRG-1840 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled" - if [ ${SKIPTEST} -eq 0 ]; then - FOUND=0 - LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" - if [ -d /etc/modprobe.d ]; then - FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) - if [ ! -z "${FIND}" ]; then - FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) - if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then - FOUND=1 - LogText "Result: found usb-storage driver in disabled state (blacklisted)" - fi - else - LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it." - fi - fi - if [ -f ${ROOTDIR}etc/modprobe.conf ]; then - FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") - if [ ! -z "${FIND}" ]; then - FOUND=1 - LogText "Result: found usb-storage driver in disabled state" - fi - fi - if [ ${FOUND} -eq 0 ]; then - LogText "Result: usb-storage driver is not explicitly disabled" - Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE - ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft" - AddHP 2 3 - else - LogText "Result: usb-storage driver is disabled" - Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - fi - fi -# -################################################################################# -# - # Test : STRG-1842 - # Description : Check USB authorizations - Register --test-no STRG-1842 --os Linux --weight L --network NO --category security --description "Check USB authorizations" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking USB devices authorization to connect to the system" - FOUND=0 - USBDEVICESPATH="/sys/bus/usb/devices/usb" - for device in "${USBDEVICESPATH}"*; do - if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then - if [ $(cat "${device}/authorized_default") -eq 1 ]; then - FOUND=1 - LogText "Test: ${device} is authorized by default" - Report "usb_authorized_default_device[]=${device}" - elif [ $(cat "${device}/authorized") -eq 1 ]; then - FOUND=1 - LogText "Test: ${device} is authorized currently" - Report "usb_authorized_device[]=${device}" - fi - fi - done - - if [ ${FOUND} -eq 1 ]; then - LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW - # To-Be-Added: create documentation and enable the suggestion - #ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft" - AddHP 0 3 - else - LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - fi - fi -# -################################################################################# -# # Test : STRG-1846 # Description : Check for disabled firewire storage # Explanation : Best option is to use the install function, or else drivers can still be loaded manually |