Added GRUB2 detection on empty /boot

2014-09-25 17:47:23 +02:00 · 2014-09-25 17:47:23 +02:00 · 08f77d2531
parent f0292d3653
commit 08f77d2531
1 changed files with 41 additions and 23 deletions
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@ -25,6 +25,7 @@
    Display --indent 2 --text "- Checking boot loaders"
    BOOT_LOADER="Unknown"
    BOOT_LOADER_FOUND=0
+    GRUB_VERSION=0
 #
 #################################################################################
 #
@ -38,30 +39,9 @@
            FOUND=1
            BOOT_LOADER="GRUB"
            BOOT_LOADER_FOUND=1
+            GRUB_VERSION=1
            Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN
            if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
-            logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
-            FileIsReadable ${GRUBCONFFILE}
-            if [ ${CANREAD} -eq 1 ]; then
-                FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
-                FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
-                if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
-                    Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
-                    logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
-                    logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
-                    logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
-                    logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
-                    ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
-                    logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
-                    AddHP 0 2
-                  else
-                    Display --indent 6 --text "- Checking for password protection" --result OK --color GREEN
-                    logtext "Result: GRUB has password protection."
-                    AddHP 4 4
-                fi
-              else
-                logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"
-            fi
        fi

        # GRUB2 configuration file
@ -69,11 +49,18 @@
            FOUND=1
            BOOT_LOADER="GRUB2"
            BOOT_LOADER_FOUND=1
+            GRUB_VERSION=2
+            GRUBCONFFILE="/boot/grub/grub.cfg"
            Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
            logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
            # YYY password check, when documentation of GRUB2 project is improved
            # YYY Add check permission check (600)
-            ReportManual "${TEST_NO}:01"
+        if [ -d /boot ]; then
+            if [ `ls /boot/* 2> /dev/null` -a ! "${GRUB2INSTALLBINARY}" = "" ]; then
+                logtext "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
+                Display --indent 4 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
+                ReportManual "${TEST_NO}:01"
+            fi
        fi

        if [ ${FOUND} -eq 0 ]; then
@ -82,6 +69,37 @@
    fi
 #
 #################################################################################
+#
+    # Test        : BOOT-5122
+    # Description : Check for GRUB boot loader configuration
+    if [ ! "${GRUBCONFFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for GRUB boot password"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
+        FileIsReadable ${GRUBCONFFILE}
+        if [ ${CANREAD} -eq 1 ]; then
+            FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
+            FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
+            if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
+                Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
+                logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
+                logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
+                logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
+                logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
+                ReportSuggestion ${TEST_NO} "M" "Set a password on GRUB bootloader to prevent altering configuration"
+                logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
+                AddHP 0 2
+              else
+                Display --indent 6 --text "- Checking for password protection" --result OK --color GREEN
+                logtext "Result: GRUB has password protection."
+                AddHP 4 4
+            fi
+          else
+                logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"
+        fi
+    fi
+#
+#################################################################################
 #
    # Test        : BOOT-5124
    # Description : Check for FreeBSD boot loader