From bcdca90942c4afd3fe4daec271949d84b15fb076 Mon Sep 17 00:00:00 2001
From: Eric Light
Date: Mon, 25 Apr 2016 19:34:14 +1200
Subject: Update KRNL-5788 for grsecurity (#178)

* If grsec installed, build FINDKERNEL from uname -r

When running a grsecurity-patched custom kernel, the /vmlinuz link is often missing. If this link is missing, and grsecurity is installed, then we can calculate the location of FINDKERNEL with the words "linux-image-", plus the output of "uname -r".

* Suggest manually checking kernel if grsec installed

We can't rely on the apt-cache output when running grsecurity. This is because apt-cache can't tell us if we're running an up-to-date kernel, when it's a custom kernel with grsecurity. Instead of confirming that the kernel is OK, we instead should remind the auditor to double-check themselves.
---
 include/tests_kernel | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)

(limited to 'include/tests_kernel')

diff --git a/include/tests_kernel b/include/tests_kernel
index dd3d844b..a2089e69 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -343,11 +343,22 @@
 if [ -x /usr/bin/apt-cache ]; then
 LogText "Result: found /usr/bin/apt-cache"
 LogText "Test: checking readlink location of /vmlinuz"
- FINDKERNFILE=`readlink -f /vmlinuz`
- LogText "Output: readlink reported file ${FINDKERNFILE}"
- LogText "Test: checking package from dpkg -S"
- FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
- LogText "Output: dpkg -S reported package ${FINDKERNEL}"
+ if [ -f /vmlinuz ]; then
+ FINDKERNFILE=`readlink -f /vmlinuz`
+ LogText "Output: readlink reported file ${FINDKERNFILE}"
+ LogText "Test: checking package from dpkg -S"
+ FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
+ LogText "Output: dpkg -S reported package ${FINDKERNEL}"
+ else
+ if [ -e /dev/grsec ]; then
+ FINDKERNEL=linux-image-`uname -r`
+ LogText "/vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
+ else
+ LogText "This system is missing /vmlinuz. Unable to check whether kernel is up-to-date."
+ ReportException "${TEST_NO}:00|Missing /vmlinuz"
+ ReportSuggestion ${TEST_NO} "Discover why /vmlinuz is missing. Consider manually re-linking."
+ fi
+ fi
 LogText "Test: Using apt-cache policy to determine if there is an update available"
 FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '`
 FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '`
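Review bot: When /vmlinuz is missing and /dev/grsec is absent, the new inner else branch logs an exception but execution still falls through to the `apt-cache policy ${FINDKERNEL}` lines with FINDKERNEL empty, so `apt-cache policy` runs with no package argument and the test then reports a second exception (`${TEST_NO}:01`) for the same root cause. Guard the lookup with `if [ -n "${FINDKERNEL}" ]; then` placed before the `LogText "Test: Using apt-cache policy ..."` line, with the matching `fi` after the update report, which ends outside this hunk. Unless the variable is initialized earlier in the file (not visible here), also add `FINDKERNEL=""` ahead of `if [ -f /vmlinuz ]; then` so a value left over from another test cannot be reused. The `linux-image-$(uname -r)` package name in the grsec branch is an assumption that only holds when the kernel was packaged with the running version string as its suffix; the log line already says "assuming", which is the right level of confidence, and the enclosing `if [ -x /usr/bin/apt-cache ]` block continues beyond this hunk.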
@@ -359,11 +370,17 @@
 ReportException "${TEST_NO}:01"
 LogText "Exception: apt-cache policy did not return an installed kernel version"
 ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
- else
+ else
 if [ "${FINDINST}" = "${FINDCAND}" ]; then
- Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
- LogText "Result: no kernel update available"
- else
+ if [ -e /dev/grsec ]; then
+ Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
+ LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
+ ReportSuggestion ${TEST_NO} "Manually check to confirm you're using a recent kernel and grsecurity patch"
+ else
+ Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
+ LogText "Result: no kernel update available"
+ fi
+ else
 Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
 LogText "Result: kernel update available according 'apt-cache policy'."
 ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
-- 
cgit v1.2.3
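Review bot: The grsecurity branch prints `--result GRSEC --color GREEN` while its own LogText says the kernel's currency could not be determined, so the console summary shows a green result for an inconclusive check, which is what an auditor skimming output will act on. Use a neutral status and color that match the log line, e.g. `--result UNKNOWN --color WHITE` (or whichever color the file uses for skipped or undetermined results; that convention is outside this hunk), keeping the grsecurity wording in the LogText and ReportSuggestion. The `[ -e /dev/grsec ]` probe is now duplicated between this hunk and the one above; evaluating it once into a variable would keep the two branches in step if the detection method changes. The enclosing apt-cache block and its closing `fi` lines lie outside this hunk.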