From d395e1a2da77d3e44a8894039414f10511ef6f9c Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 21 Aug 2019 13:50:01 +0200
Subject: [CRYP-7930] extend test to use cryptsetup/lsblk or crypttab file
---
include/tests_crypto | 49 +++++++++++++++++++++++++++++++++++++------------
1 file changed, 37 insertions(+), 12 deletions(-)
(limited to 'include/tests_crypto')
diff --git a/include/tests_crypto b/include/tests_crypto
index 979d2aad..b3524599 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -132,22 +132,47 @@ # # Test : CRYP-7930 # Description : Determine if system uses LUKS block device encryption - if [ ! "${LSBLKBINARY}" = "" -a ! "${CRYPTSETUPBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no CRYP-7930 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Determine if system uses LUKS block device encryption" + Register --test-no CRYP-7930 --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses LUKS block device encryption" if [ ${SKIPTEST} -eq 0 ]; then - FOUND=0 - for BLOCK_DEV in $(${LSBLKBINARY} --noheadings -o PATH); do - if ${CRYPTSETUPBINARY} isLuks ${BLOCK_DEV}; then - LogText "Result: Found LUKS encrypted block device: ${BLOCK_DEV}" - Report "encryption[]=luks,block_device,${BLOCK_DEV}" - ((FOUND++)) - fi - done - Display --indent 2 --text "- Found ${FOUND} LUKS encrypted block devices." --result OK --color WHITE - unset BLOCK_DEV FOUND + CRYPTTABFILE="${ROOTDIR}etc/crypttab" + FOUND=0 + + # cryptsetup only works as root + if [ -n "${LSBLKBINARY}" -a -n "${CRYPTSETUPBINARY}" -a ${FORENSICS} -eq 0 ]; then + for BLOCK_DEV in $(${LSBLKBINARY} --noheadings -o PATH); do + if ${CRYPTSETUPBINARY} isLuks ${BLOCK_DEV}; then + LogText "Result: Found LUKS encrypted block device: ${BLOCK_DEV}" + Report "encryption[]=luks,block_device,${BLOCK_DEV}" + FOUND=$((FOUND +1)) + else + LogText "Result: block device ${BLOCK_DEV} is not LUKS encrypted" + fi + done + unset BLOCK_DEV + # This will enable us to do a test for forensics or when crypsetup/lsblk are not available + elif [ -f ${CRYPTTABFILE} ]; then + LogText "Result: crypttab (${CRYPTTABFILE}) exists" + DATA=$(${GREPBINARY} "^[a-z]" ${CRYPTTABFILE} | ${TRBINARY} -cd '[:alnum:]_\-=,\n\t ' | ${SEDBINARY} 's/[[:blank:]]/__space__/g') + for LINE in ${DATA}; do + LINE=$(echo ${LINE} | ${SEDBINARY} 's/__space__/ /g') + if ContainsString "luks," "${LINE}"; then + 
PARTITION=$(echo ${LINE} | ${AWKBINARY} '{print $1}' | ${AWKBINARY} -F_ '{print $1}') + LogText "Result: Found LUKS encryption on partition ${PARTITION}" + Report "encryption[]=luks,partition,${PARTITION}" + FOUND=$((FOUND +1)) + fi + done + unset DATA LINE PARTITION + fi + + if [ ${FOUND} -gt 0 ]; then + Display --indent 2 --text "- Found ${FOUND} LUKS encrypted block devices." --result OK --color WHITE + fi + unset FOUND fi # ################################################################################# + WaitForKeyPress # -- cgit v1.2.3
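Review bot: In the crypttab fallback, `ContainsString "luks," "${LINE}"` only matches when `luks` is followed by another option, so an entry whose option field is exactly `luks` is not counted, and neither is one that omits the option on setups that appear to auto-detect LUKS. An encrypted system then produces no `encryption[]` report line. Testing the fourth field as a comma-delimited list would be tighter, for example `OPTIONS=$(echo "${LINE}" | ${AWKBINARY} '{print $4}')` followed by `case ",${OPTIONS}," in *,luks,*) ... ;; esac`. The same branch reports the first field cut at `_` as `partition`, but that is the mapping name, which only resembles a partition under an `sdXN_crypt` style naming convention, so the label or a comment should say so. Nothing is logged or displayed when `FOUND` stays 0 in this branch, so a `LogText` for the no-match case would let a reader of the log tell "not encrypted" from "not detected".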