author | Michael Boelen <michael.boelen@cisofy.com> | 2020-02-15 16:09:23 +0300 |
committer | Michael Boelen <michael.boelen@cisofy.com> | 2020-02-15 16:09:23 +0300 |
commit | 5ca8baf7a8b3a31a4893d8130fa85f085d3b1ef2 (patch) | |
tree | 47e7e7ac7019808279795c3766955f0efbb526e7 /include/tests_usb | |
parent | af70303aeb9566ca1bed564f8e655720e60b4a5e (diff) |
[USB-2000] improved testing for USB devices and filtering out possible incorrect state
Diffstat (limited to 'include/tests_usb')
-rw-r--r-- | include/tests_usb | 59 |
1 files changed, 33 insertions, 26 deletions
diff --git a/include/tests_usb b/include/tests_usb
index 24c74982..1c6cae6d 100644
--- a/include/tests_usb
+++ b/include/tests_usb
@@ -91,39 +91,46 @@ # Description : Check USB authorizations Register --test-no USB-2000 --os Linux --weight L --network NO --category security --description "Check USB authorizations" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking USB devices authorization to connect to the system" FOUND=0 - USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices/usb" - for device in "${USBDEVICESPATH}"*; do - if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then - if [ "$(cat "${device}/authorized_default")" = "1" ]; then - FOUND=1 - LogText "Test: ${device} is authorized by default" + USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices" + LogText "Test: checking presence of USB devices path (${USBDEVICESPATH})" + if [ -d "${USBDEVICESPATH}" ]; then + + LogText "Test: Checking USB devices authorization to connect to the system" + for device in $(find ${USBDEVICESPATH} -name "usb*" -type l -print); do + if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then + if [ "$(cat "${device}/authorized_default")" = "1" ]; then + FOUND=1 + LogText "Test: ${device} is authorized by default (authorized_default=1)" + Report "usb_authorized_default_device[]=${device}" + fi + if [ "$(cat "${device}/authorized")" = "1" ]; then + FOUND=1 + LogText "Test: ${device} is authorized currently (authorized=1)" + Report "usb_authorized_device[]=${device}" + fi + else + LogText "Test: no authorized or authorized_default file, assuming ${device} is authorized by default" Report "usb_authorized_default_device[]=${device}" - elif [ "$(cat "${device}/authorized")" = "1" ]; then FOUND=1 - LogText "Test: ${device} is authorized currently" - Report "usb_authorized_device[]=${device}" fi + done + + if [ ${FOUND} -eq 1 ]; then + LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW + # TODO: create documentation and enable 
the suggestion + #if [ ${USBGUARD_FOUND} -eq 0 ]; then + # ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft" + #fi + AddHP 0 3 else - LogText "Test: ${device} is authorized by default" - Report "usb_authorized_default_device[]=${device}" - FOUND=1 + LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 fi - done - - if [ ${FOUND} -eq 1 ]; then - LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW - # To-Be-Added: create documentation and enable the suggestion - #if [ ${USBGUARD_FOUND} -eq 0 ]; then - # ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft" - #fi - AddHP 0 3 else - LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 + LogText "Result: devices path does not exist" fi fi |
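Review bot: The new `for device in $(find ${USBDEVICESPATH} -name "usb*" -type l -print)` loop word-splits and glob-expands the find output, and `${USBDEVICESPATH}` is unquoted, so a `ROOTDIR` containing whitespace or glob characters yields wrong device paths while the previous glob-based loop did not have that problem; `for device in "${USBDEVICESPATH}"/usb*; do` followed by `[ -L "${device}" ] || continue` keeps the symlink filter without forking `find` or splitting on IFS. The `-e authorized -o -e authorized_default` test is still followed by an unconditional `cat "${device}/authorized_default"`, so a device that only has `authorized` produces a cat error on stderr and an empty comparison; testing each file before reading it, e.g. `if [ -e "${device}/authorized_default" ] && [ "$(cat "${device}/authorized_default")" = "1" ]; then`, avoids that. It is also worth a comment that `= "1"` is a strict match: on kernels whose sysfs `authorized_default` exposes values other than 0/1 (presumably newer ones, verify against the target kernel range), a hub with such a value is silently reported as not authorized by default. The whole USB-2000 test body appears to be inside this hunk.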