From a30d429315fcdbf2c6e2a2bad2ec837d5b9d5580 Mon Sep 17 00:00:00 2001 From: Dave Vehrs Date: Fri, 26 Jan 2018 04:24:33 -0700 Subject: tests_usb updates (#514) * Added kernel.dmesg_restrict to sysctl checks. * Moved usb-storage and autthorization tests tests_usb * Limit Suggestions when USBGuard installed * Changed usb_devices to usb --- include/tests_usb | 108 +++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 98 insertions(+), 10 deletions(-) (limited to 'include/tests_usb') diff --git a/include/tests_usb b/include/tests_usb index 64e80aaf..d2d5a5ac 100644 --- a/include/tests_usb +++ b/include/tests_usb @@ -18,6 +18,10 @@ # USB Devices # ################################################################################# +# + InsertSection "USB Devices" +# +################################################################################# # USBGUARD_FOUND=0 
@@ -35,22 +39,106 @@ # ################################################################################# # - InsertSection "USB Devices" + + # Test to determine if USBGuard is installed. If it is, we will limit + # suggestions from other tests. + if [ ! -z "${USBGUARDBINARY}" ]; then + USBGUARD_FOUND=1 + fi + # ################################################################################# # - # PLACEHOLDER USB-0000 used until a good test name & number can be assigned. - # Once that is done, we are one step closer to being able to enable the - # suggestions below. + # Test : USB-0100 + # Description : Check for disabled USB storage + Register --test-no USB-0100 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" + if [ -d /etc/modprobe.d ]; then + FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) + if [ ! -z "${FIND}" ]; then + FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) + if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then + FOUND=1 + LogText "Result: found usb-storage driver in disabled state (blacklisted)" + fi + else + LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it." + fi + fi + if [ -f ${ROOTDIR}etc/modprobe.conf ]; then + FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") + if [ ! 
-z "${FIND}" ]; then + FOUND=1 + LogText "Result: found usb-storage driver in disabled state" + fi + fi + if [ ${FOUND} -eq 0 ]; then + LogText "Result: usb-storage driver is not explicitly disabled" + Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE + if [ "${USBGUARD_FOUND}" -eq "0" ]; then + ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft" + fi + AddHP 2 3 + else + LogText "Result: usb-storage driver is disabled" + Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + fi + fi + +# +################################################################################# +# - # Test : USB-0000 - # Description : Perform file permissions check - Register --test-no USB-0000 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard" + # Test : USB-0200 + # Description : Check USB authorizations + Register --test-no USB-0200 --os Linux --weight L --network NO --category security --description "Check USB authorizations" if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking USB devices authorization to connect to the system" + FOUND=0 + USBDEVICESPATH="/sys/bus/usb/devices/usb" + for device in "${USBDEVICESPATH}"*; do + if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then + if [ $(cat "${device}/authorized_default") -eq 1 ]; then + FOUND=1 + LogText "Test: ${device} is authorized by default" + Report "usb_authorized_default_device[]=${device}" + elif [ $(cat "${device}/authorized") -eq 1 ]; then + FOUND=1 + LogText "Test: ${device} is authorized currently" + Report "usb_authorized_device[]=${device}" + fi + fi + done - if [ ! 
-z "${USBGUARDBINARY}" ]; then - USBGUARD_FOUND=1 + if [ ${FOUND} -eq 1 ]; then + LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW + # To-Be-Added: create documentation and enable the suggestion + #if [ "${USBGUARD_FOUND}" -eq "0" ]; then + # ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft" + #fi + AddHP 0 3 + else + LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + fi + fi + +# +################################################################################# +# + + # Test : USB-0300 + # Description : Perform USBGuard check + Register --test-no USB-0300 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard" + if [ ${SKIPTEST} -eq 0 ]; then + if [ "${USBGUARD_FOUND}" -gt "0" ]; then LogText "Result: USBGuard is installed (${USBGUARDBINARY})" Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 @@ -235,7 +323,7 @@ LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)" Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED # To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion - ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies" + #ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies" AddHP 0 1 fi -- cgit v1.2.3
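Review bot: In the USB-0200 loop the outer guard passes when either `authorized` or `authorized_default` exists, but the first inner test always reads `authorized_default` through an unquoted `$(cat …)`. If that file is missing or unreadable the substitution is empty, `[` fails with a syntax error on stderr, and the branch falls through to the `elif` without a log entry explaining why. Test each file before reading it and quote the result, e.g. `if [ -r "${device}/authorized_default" ] && [ "$(cat "${device}/authorized_default")" = "1" ]; then`, with the same shape for the `elif` on `authorized`. Separately, in USB-0100 the modprobe.conf pipeline filters through `${GREPBINARY} "usb-storage"`, which discards the `usb_storage` spelling that the preceding `usb[-_]storage` pattern accepts, so a driver disabled with the underscore form is reported as NOT DISABLED.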