-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | db/tests.db | 1 | ||||
-rw-r--r-- | include/tests_crypto | 23 |
3 files changed, 25 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e428ec83..fa3d7cb4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -69,6 +69,7 @@ Using the relevant options, the scan will change base on the intended goal.
 - AUTH-9266 - skip .pam-old files in /etc/pam.d
 - AUTH-9408 - added support for pam_tally2 to log failed logins
 - CONT-8106 - support newer 'docker info' output
+- CRYP-8002 - gather kernel entropy on Linux systems
 - FILE-7524 - optimized file permissions testing
 - FINT-4328 - corrected text in log
 - FINT-4334 - improved process detection for lfd
diff --git a/db/tests.db b/db/tests.db
index dea85fba..77ec7fbb 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -85,6 +85,7 @@ CONT-8108:test:security:containers::Check file permissions for Docker files:
 CORE-1000:test:performance:system_integrity::Check all system binaries:
 CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
 CRYP-7930:test:security:crypto:Linux:Determine if system uses LUKS encryption:
+CRYP-8002:test:security:crypto:Linux:Gather kernel entropy:
 DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked:
 DBS-1804:test:security:databases::Checking active MySQL process:
 DBS-1816:test:security:databases::Checking MySQL root password:
diff --git a/include/tests_crypto b/include/tests_crypto
index c79de525..cf6e0e48 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -149,6 +149,7 @@ fi
 done
 unset BLOCK_DEV
+ # This will enable us to do a test for forensics or when crypsetup/lsblk are not available
 elif [ -f ${CRYPTTABFILE} ]; then
 LogText "Result: crypttab (${CRYPTTABFILE}) exists" 
@@ -172,6 +173,28 @@ fi
 #
 #################################################################################
+#
+ # Test : CRYP-8002
+ # Description : Gather available kernel entropy
+ Register --test-no CRYP-8002 --os Linux --weight L --network NO --root-only NO --category security --description "Gather available kernel entropy"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f ${ROOTDIR}proc/sys/kernel/random/entropy_avail ]; then
+ DATA=$(${AWKBINARY} '$1 ~ /^[0-9]+$/ {print $1}' ${ROOTDIR}proc/sys/kernel/random/entropy_avail)
+ if [ -n "${DATA}" ]; then
+ LogText "Result: found kernel entropy value of ${DATA}"
+ Report "kernel_entropy=${DATA}"
+ if [ ${DATA} -gt 200 ]; then
+ Display --indent 2 --text "- Kernel entropy is sufficient" --result "${STATUS_YES}" --color GREEN
+ else
+ Display --indent 2 --text "- Kernel entropy is sufficient" --result "${STATUS_NO}" --color YELLOW
+ # TODO - enable suggestion when information on website is available
+ fi
+ fi
+ fi
+ fi
+#
+#################################################################################
+# WaitForKeyPress |
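Review bot: The `if [ -f ${ROOTDIR}proc/sys/kernel/random/entropy_avail ]` and `if [ -n "${DATA}" ]` checks in the new CRYP-8002 block have no `else`, so when the file is absent or awk matches nothing the test writes nothing to the log or the report, and someone reading the results cannot tell that the value was never measured. An `else` with a line such as `LogText "Result: could not read kernel entropy value"` on each of the two checks would record that outcome. The low-entropy branch likewise only calls Display, so until the TODO is resolved the negative result is visible in the report only as the raw `kernel_entropy=` number. The limit in `[ ${DATA} -gt 200 ]` is a bare constant; a comment stating where 200 comes from and that the reading is a single point-in-time sample would help whoever tunes it later, and quoting the operand as `[ "${DATA}" -gt 200 ]` keeps the comparison to one argument if awk ever prints more than one line.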