
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authorMichael Boelen <michael.boelen@cisofy.com>2019-07-14 14:30:16 +0300
committerGitHub <noreply@github.com>2019-07-14 14:30:16 +0300
commit1df9630bcfcf1134cb1f4323cf12d0229181d929 (patch)
tree3eb986a1568e44154183f263a31b6ff2cde4c74d /include
parent4b68c22f306e62d64b1ffc78eac91646c5210c3d (diff)
parent06cdf6c50f7bac61afc6dc383716262e7c7d9838 (diff)
Merge pull request #676 from Capashenn/patch_8
fix issue #659
Diffstat (limited to 'include')
-rw-r--r--include/tests_kernel68
1 files changed, 37 insertions, 31 deletions
diff --git a/include/tests_kernel b/include/tests_kernel
index f89177ce..66a80214 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -31,6 +31,7 @@
CPU_NX=0
LINUXCONFIGFILE=""
LINUXCONFIGFILE_ZIPPED=0
+ LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d"
#
#################################################################################
#
@@ -436,51 +437,56 @@
# Description : Checking core dumps configuration (Linux)
Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
if [ ${SKIPTEST} -eq 0 ]; then
+ # Limits option
LogText "Test: Checking presence /etc/security/limits.conf"
if [ -f /etc/security/limits.conf ]; then
LogText "Result: file /etc/security/limits.conf exists"
- LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
- FIND1=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }')
- FIND2=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }')
- if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
- LogText "Result: core dumps (soft or hard) are enabled"
- Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
- ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
- AddHP 1 2
- else
+ LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf and /etc/security/limits.d/*"
+ FIND1=$(${GREPBINARY} -r -v "^#" /etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }')
+ FIND2=$(${GREPBINARY} -r -v "^#" /etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }')
+ if [ "${FIND2}" = "hard core disabled" ]; then
LogText "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
CORE_DUMPS_DISABLED=1
AddHP 3 3
- fi
-
- # Sysctl option
- LogText "Test: Checking sysctl value of fs.suid_dumpable"
- FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }')
- if [ -z "${FIND}" ]; then
- LogText "Result: sysctl key fs.suid_dumpable not found"
- else
- LogText "Result: value ${FIND} found"
- fi
- if [ "${FIND}" = "2" ]; then
- LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
- Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
- AddHP 1 1
- elif [ "${FIND}" = "1" ]; then
- LogText "Result: all programs can perform core dumps (value 1, for debugging)"
- Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
- ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
- AddHP 0 1
+ elif [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
+ LogText "Result: core dumps (soft or hard) are enabled"
+ Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
+ AddHP 1 3
else
- LogText "Result: found default option, some programs can dump (not processes which need to change credentials)"
- Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE
- AddHP 1 1
+ LogText "Result: core dumps are not explicitly disabled"
+ Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
+ ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
+ AddHP 2 3
fi
else
LogText "Result: file /etc/security/limits.conf does not exist, skipping test"
fi
# TODO: Check ulimit settings in /etc/profile and /etc/profile.d
+ # Sysctl option
+ LogText "Test: Checking sysctl value of fs.suid_dumpable"
+ FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }')
+ if [ -z "${FIND}" ]; then
+ LogText "Result: sysctl key fs.suid_dumpable not found"
+ else
+ LogText "Result: value ${FIND} found"
+ fi
+ if [ "${FIND}" = "2" ]; then
+ LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
+ AddHP 1 1
+ elif [ "${FIND}" = "1" ]; then
+ LogText "Result: all programs can perform core dumps (value 1, for debugging)"
+ Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
+ AddHP 0 1
+ else
+ LogText "Result: found default option, some programs can dump (not processes which need to change credentials)"
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE
+ AddHP 1 1
+ fi
fi
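Review bot: The added `FIND2=$(…)` line feeds its result into `if [ "${FIND2}" = "hard core disabled" ]`, but the awk filter prints one line per matching entry, so as soon as both limits.conf and a limits.d fragment contain a `* hard core` line the variable becomes multi-line, matches neither branch and the host is reported as "not explicitly disabled" even when every entry is `0`; the same applies to FIND1 and the `soft core enabled` comparison. The two grep pipelines also have no stderr redirect, so an absent `${LIMITS_DIRECTORY}` puts a "No such file or directory" message into the scan output, and the path of limits.conf is hard-coded on the `-f` test and in both pipelines while the directory introduced in the first hunk is built from `${ROOTDIR}`. Collecting the lines once, suppressing stderr and letting awk reduce each limit type to its last matching entry (later entries presumably take precedence — confirm against pam_limits before relying on it) addresses all three points; the rest of the branch logic and the sysctl block can stay as written.
```shell
# … unchanged: presence check of /etc/security/limits.conf …
LIMITS_LINES=$(${GREPBINARY} -r -v "^#" /etc/security/limits.conf ${LIMITS_DIRECTORY} 2> /dev/null | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$")
# One result per limit type: the last matching "* <soft|hard> core" entry wins (TODO confirm precedence)
FIND1=$(printf '%s\n' "${LIMITS_LINES}" | ${AWKBINARY} '$1=="*" && $2=="soft" && $3=="core" { r = ($4=="0") ? "soft core disabled" : "soft core enabled" } END { if (r != "") print r }')
FIND2=$(printf '%s\n' "${LIMITS_LINES}" | ${AWKBINARY} '$1=="*" && $2=="hard" && $3=="core" { r = ($4=="0") ? "hard core disabled" : "hard core enabled" } END { if (r != "") print r }')
# … unchanged: FIND1/FIND2 evaluation, Display/AddHP calls and the fs.suid_dumpable sysctl check …
```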
#
#################################################################################