author | Michael Boelen <michael.boelen@cisofy.com> | 2020-03-23 15:19:29 +0300 |
committer | Michael Boelen <michael.boelen@cisofy.com> | 2020-03-23 15:19:29 +0300 |
commit | 1eb92189869c2ef99a07f6c77360c79afaeec6db (patch) | |
tree | b49fd9aa9a8660dfa230ab611aae447510519f28 /include | |
parent | 17bbaa8f7a54b30fdda8cf367593964a31ddcda6 (diff) | |
parent | 32cefdea0ae1c42eeeae1e311678966b874d2d47 (diff) |
Merge branch 'master' of https://github.com/CISOfy/lynis
Diffstat (limited to 'include')
-rw-r--r-- | include/binaries | 3 | ||||
-rw-r--r-- | include/tests_file_integrity | 101 |
2 files changed, 104 insertions, 0 deletions
diff --git a/include/binaries b/include/binaries
index af5882a5..2327368e 100644
--- a/include/binaries
+++ b/include/binaries
@@ -157,6 +157,7 @@
 xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
 egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
 equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
+ evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
 exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
 fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
 file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;;
@@ -175,6 +176,7 @@
 httpd2-prefork) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
 initctl) INITCTLBINARY=${BINARY}; SERVICE_MANAGER="upstart"; LogText " Found known binary: initctl (client to upstart init) - ${BINARY}" ;;
 ifconfig) IFCONFIGBINARY="${BINARY}"; LogText " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;;
+ integritysetup) INTEGRITYSETUPBINARY="${BINARY}"; LogText " Found known binary: integritysetup (dm-integrity setup tool) - ${BINARY}" ;;
 ip) IPBINARY="${BINARY}"; LogText " Found known binary: ip (IP configuration) - ${BINARY}" ;;
 ipf) IPFBINARY="${BINARY}"; LogText " Found known binary: ipf (firewall) - ${BINARY}" ;;
 iptables) IPTABLESBINARY="${BINARY}"; LogText " Found known binary: iptables (firewall) - ${BINARY}" ;;
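Review bot: The new evmctl arm assigns `EVMCTLBINARY=${BINARY}` with the expansion unquoted, while the integritysetup and veritysetup arms added by the same commit (and most existing arms of this case statement) use `"${BINARY}"`; `EVMCTLBINARY="${BINARY}"` keeps the style uniform. It is presumably harmless here because the value comes from the script's own binary discovery, but the inconsistency invites copy-paste drift. The enclosing case statement starts and ends outside the hunk.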
@@ -281,6 +283,7 @@
 uname) UNAMEBINARY="${BINARY}"; LogText " Found known binary: uname (operating system details) - ${BINARY}" ;;
 uniq) UNIQBINARY="${BINARY}"; LogText " Found known binary: uniq (text manipulation utility) - ${BINARY}";;
 usbguard) USBGUARDBINARY="${BINARY}"; LogText " Found known binary: usbguard (USB security tool) - ${BINARY}" ;;
+ veritysetup) VERITYSETUPBINARY="${BINARY}"; LogText " Found known binary: veritysetup (dm-verity setup tool) - ${BINARY}" ;;
 vgdisplay) VGDISPLAYBINARY="${BINARY}"; LogText " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
 vmtoolsd) VMWARETOOLSDBINARY="${BINARY}"; LogText " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
 wc) WCBINARY="${BINARY}"; LogText " Found known binary: wc (word count) - ${BINARY}" ;;
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 7a5658ac..dc32411d 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -298,6 +298,107 @@
 #
 #################################################################################
 #
+ # Test : FINT-4339
+ # Description : Check IMA/EVM status
+ if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
+ Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ if [ -e /sys/kernel/security/ima ]; then
+ FOUND=$(${CAT_BINARY} /sys/kernel/security/ima)
+ fi
+ if [ "${FOUND}" -ne 1 ]; then
+ LogText "Result: EVM tools found but IMA/EVM disabled"
+ Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
+ else
+ LogText "Result: EVM tools found, IMA/EVM enabled"
+ FILE_INT_TOOL="evmctl"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4340
+ # Description : Check dm-integrity status
+ if [ ! -z "${INTEGRITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No integritysetup binary found"; fi
+ Register --test-no FINT-4340 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-integrity status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ ROOTPROTECTED=0
+ ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
+ for DEVICE in /dev/mapper/*; do
+ if [ -e "${DEVICE}" ]; then
+ FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
+ if [ ! -z "${FIND}" ]; then
+ FOUND=1
+ LogText "Result: found dm-integrity device ${DEVICE}"
+ if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
+ ROOTPROTECTED=1
+ fi
+ fi
+ fi
+ done
+ if [ "${FOUND}" -ne 1 ]; then
+ LogText "Result: dm-integrity tools found but no active devices"
+ Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_DISABLED}" --color WHITE
+ else
+ LogText "Result: dm-integrity tools found, active devices"
+ if [ ${ROOTPROTECTED} -eq 1 ]; then
+ LogText "Result: root filesystem is protected by dm-integrity"
+ Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
+ else
+ LogText "Result: root filesystem is not protected by dm-integrity but active devices found"
+ Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_FOUND}" --color YELLOW
+ fi
+ FILE_INT_TOOL="dm-integrity"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4341
+ # Description : Check dm-verity status
+ if [ ! -z "${VERITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No veritysetup binary found"; fi
+ Register --test-no FINT-4341 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-verity status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ ROOTPROTECTED=0
+ ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
+ for DEVICE in /dev/mapper/*; do
+ if [ -e "${DEVICE}" ]; then
+ FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
+ if [ ! -z "${FIND}" ]; then
+ FOUND=1
+ LogText "Result: found dm-verity device ${DEVICE}"
+ if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
+ ROOTPROTECTED=1
+ fi
+ fi
+ fi
+ done
+ if [ "${FOUND}" -ne 1 ]; then
+ LogText "Result: dm-verity tools found but no active devices"
+ Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_DISABLED}" --color WHITE
+ else
+ LogText "Result: dm-verity tools found, active devices"
+ if [ ${ROOTPROTECTED} -eq 1 ]; then
+ LogText "Result: root filesystem is protected by dm-verity"
+ Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_ENABLED}" --color GREEN
+ else
+ LogText "Result: root filesystem is not protected by dm-verity but active devices found"
+ Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_FOUND}" --color YELLOW
+ fi
+ FILE_INT_TOOL="dm-verity"
+ FILE_INT_TOOL_FOUND=1
+ fi
+ fi
+#
+#################################################################################
+#
 # Test : FINT-4402 (was FINT-4316)
 # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
 if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi |
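Review bot: In FINT-4340 the unconditional `Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN` that follows the inner if/else prints a second status line and reports green even when the branch just above reported the root filesystem as unprotected; the FINT-4341 block has no such line, so dropping it makes the two tests consistent. In FINT-4339, `FOUND=$(${CAT_BINARY} /sys/kernel/security/ima)` reads a path that on the kernels I know is a securityfs directory rather than a status file, so cat would fail and leave FOUND empty; `[ "" -ne 1 ]` then exits non-zero with an "integer expression expected" error and the else branch reports IMA/EVM as enabled, a false pass for a security control. Inverting the test to a string comparison, `if [ "${FOUND}" = "1" ]; then` with the enabled branch first and disabled in the else, at least keeps an unreadable value from being reported as enabled until the right status file is read. The root-device check in both FINT-4340 and FINT-4341 compares the raw `mount` output with `/dev/mapper/*` names and will presumably miss a root reported as /dev/dm-N or via a symlink, so ROOTPROTECTED can stay 0 on a protected system; a `# TODO: canonicalise both paths before comparing` comment would mark that limitation.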