Check IMA/EVM status

Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement Architecture) status. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-22 11:18:00 +02:00 · 2020-03-22 11:18:00 +02:00 · 203a4d3480
parent f342669777
commit 203a4d3480
3 changed files with 24 additions and 0 deletions
--- a/db/tests.db
+++ b/db/tests.db
@ -135,6 +135,7 @@ FINT-4330:test:security:file_integrity::mtree availability:
 FINT-4334:test:security:file_integrity::Check lfd daemon status:
 FINT-4336:test:security:file_integrity::Check lfd configuration status:
 FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
+FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
 FINT-4350:test:security:file_integrity::File integrity software installed:
 FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
 FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
--- a/include/binaries
+++ b/include/binaries
@ -157,6 +157,7 @@
                            xbps-query)             XBPSBINARY="${BINARY}";            LogText "  Found known binary: xbps (package management) - ${BINARY}" ;;
                            egrep)                  EGREPBINARY=${BINARY};             LogText "  Found known binary: egrep (text search) - ${BINARY}" ;;
                            equery)                 EQUERYBINARY="${BINARY}";          LogText "  Found known binary: query (package manager) - ${BINARY}" ;;
+                            evmctl)                 EVMCTLBINARY=${BINARY};            LogText "  Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
                            exim)                   EXIMBINARY="${BINARY}";            EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "  Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
                            fail2ban-server)        FAIL2BANBINARY="${BINARY}";        LogText "  Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
                            file)                   FILEBINARY="${BINARY}";            LogText "  Found known binary: file (file type detection) - ${BINARY}" ;;
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@ -297,6 +297,28 @@
    fi
 #
 #################################################################################
+#
+    # Test        : FINT-4339
+    # Description : Check IMA/EVM status
+    if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
+    Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        if [ -e /sys/kernel/security/ima ]; then
+            FOUND=$(${CAT_BINARY} /sys/kernel/security/ima)
+        fi
+        if [ "${FOUND}" -ne 1 ]; then
+            LogText "Result: EVM tools found but IMA/EVM disabled"
+            Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
+        else
+            LogText "Result: EVM tools found, IMA/EVM enabled"
+            FILE_INT_TOOL="evmctl"
+            FILE_INT_TOOL_FOUND=1
+            Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
+        fi
+    fi
+#
+#################################################################################
 #
    # Test        : FINT-4402 (was FINT-4316)
    # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums