Diffstat (limited to 'include/tests_crypto')
-rw-r--r--include/tests_crypto68
1 files changed, 59 insertions, 9 deletions
diff --git a/include/tests_crypto b/include/tests_crypto
index e449f195..af63d21a 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -22,7 +22,11 @@
#
#################################################################################
#
- InsertSection "Cryptography"
+ RNG_FOUND=0
+#
+#################################################################################
+#
+ InsertSection "${SECTION_CRYPTOGRAPHY}"
#
#################################################################################
#
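Review bot: `RNG_FOUND=0` is introduced between two section banners with no comment saying what the flag records or which tests set it. The later hunks set it to 1 only when a hardware RNG is present and rngd is running, or when a software prng is running, so a hardware RNG without rngd leaves it at 0 and the section ends with `rng_found=0`; that deserves a line such as `# Set to 1 by the RNG tests below when a HW RNG with rngd, or a software prng, is running; reported as rng_found at the end of this section`. If the HW-RNG-without-rngd case is meant to count as found, the `RNG_FOUND=1` in the rngd hunk would need to move above the `if IsRunning "rngd"` check instead.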
@@ -50,7 +54,7 @@
LASTSUBDIR=""
LogText "Result: found directory ${DIR}"
# Search for certificate files
- FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
+ FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
for FILE in ${FILES}; do
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
# See if we need to skip this path
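Review bot: The dots in the rewritten egrep pattern `".cer$|.crt$|.der$|.pem$|^cert"` are unescaped, so `.cer$` also matches names like `foo-cer` or `xcer`; the line should read `${EGREPBINARY} "\.cer$|\.crt$|\.der$|\.pem$|^cert"`. Since find prints every result prefixed with `${DIR}`, the pre-existing `^cert` alternative can only match when the directory name itself starts with `cert`, which may or may not be intended. The loop over `${DIR}` that encloses this search starts before the hunk.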
@@ -76,16 +80,23 @@
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package, unless enabled by profile
if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
+ echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$"
+ CER_DER=$?
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
- if [ $? -eq 0 ]; then
+ if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
LogText "Result: file is a certificate file"
- FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
+ if [ ${CER_DER} -eq 0 ]; then
+ SSL_DER_OPT="-inform der"
+ else
+ SSL_DER_OPT=
+ fi
+ FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ $? -eq 0 ]; then
# Check certificate where 'end date' has been expired
- FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
+ FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
EXIT_CODE=$?
- CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
- CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
+ CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
+ CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ ${EXIT_CODE} -eq 0 ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid"
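Review bot: Choosing `-inform der` from the extension alone (`SSL_DER_OPT` derived from `CER_DER`) breaks `.cer` files that are PEM-encoded, a common export format; for those every openssl call fails with stderr discarded, the `^notAfter` grep returns non-zero and the certificate is silently skipped with no Report line. The PEM probe has already run, so its result should decide the format: add `IS_PEM=$?` directly after the `OUTPUT=` line, use `if [ ${IS_PEM} -eq 0 -o ${CER_DER} -eq 0 ]; then` for the outer test and `if [ ${IS_PEM} -ne 0 ]; then` in place of `if [ ${CER_DER} -eq 0 ]; then`. The extension probe itself would be cheaper and safer as `case "${FILE}" in *.cer|*.der) CER_DER=0 ;; *) CER_DER=1 ;; esac`, which avoids piping an unquoted filename through echo and the unescaped dots in `.cer$|.der$`. The enclosing `if [ ${CANREAD} -eq 1 ]` block and the per-file loop start before this hunk and continue after it.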
@@ -174,6 +185,39 @@
#
#################################################################################
#
+ # Test : CRYP-7931
+ # Description : Determine if system uses encrypted swap
+ if [ -e "${SWAPONBINARY}" -a -e "${CRYPTSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CRYP-7931 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses encrypted swap"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ ENCRYPTED_SWAPS=0
+ UNENCRYPTED_SWAPS=0
+ # Redirect errors, as RHEL 5/6 and others don't have the --show option
+ SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null)
+ if [ $? -eq 0 ]; then
+ for BLOCK_DEV in ${SWAPS}; do
+ if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
+ LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
+ ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
+ Report "encrypted_swap[]=${BLOCK_DEV},LUKS"
+ elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then
+ LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
+ ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
+ Report "encrypted_swap[]=${BLOCK_DEV},other"
+ else
+ LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
+ UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
+ Report "non_encrypted_swap[]=${BLOCK_DEV}"
+ fi
+ done
+ Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
+ else
+ LogText "Result: skipping testing as swapon returned an error."
+ fi
+ fi
+#
+#################################################################################
+#
# Test : CRYP-8002
# Description : Gather available kernel entropy
Register --test-no CRYP-8002 --os Linux --weight L --network NO --root-only NO --category security --description "Gather available kernel entropy"
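Review bot: The `isLuks` branch looks unreachable for an active swap: `swapon --show=NAME` lists the mapped plaintext device (`/dev/mapper/...` or `/dev/dm-N`), which carries no LUKS header, so a LUKS-backed swap falls through to the `cryptsetup status` branch and is reported as `other`. If the LUKS/other distinction matters, `if ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "type: *LUKS"; then` in place of the `isLuks` call would label it from the status output; otherwise the two branches could be merged. A swap file on an otherwise encrypted filesystem is also counted as unencrypted here, which is worth a comment next to the `UNENCRYPTED_SWAPS` increment, whose `+1` spacing differs from the other two. The Display line reports OK in WHITE regardless of the unencrypted count; if that is deliberately neutral rather than a finding, a comment saying so would help.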
@@ -201,12 +245,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current"
if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then
- DATA=$(${HEADBINARY} --lines=1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
+ DATA=$(${HEADBINARY} -n 1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
if [ "${DATA}" != "none" ]; then
LogText "Result: positive match, found RNG: ${DATA}"
if IsRunning "rngd"; then
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN
LogText "Result: rngd is running"
+ RNG_FOUND=1
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when website has listing for this control
@@ -238,8 +283,9 @@
done
if [ -z "${FOUND}" ]; then
Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW
- ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
+ # ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
else
+ RNG_FOUND=1
Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN
LogText "Result: found ${FOUND} running"
fi
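Review bot: The `ReportSuggestion` call is left commented out with no explanation, so the next reader cannot tell whether the suggestion is retired or only temporarily disabled. The rngd block earlier in this file carries `# TODO - enable suggestion when website has listing for this control` for the same kind of change; the same comment should precede the commented line here, or the line should be removed outright. The enclosing test block starts before this hunk.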
@@ -247,6 +293,10 @@
#
#################################################################################
#
+ Report "rng_found=${RNG_FOUND}"
+#
+#################################################################################
+#
WaitForKeyPress