From 203a4d34801ec37200d2ec190328f6c27ad71b78 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sun, 22 Mar 2020 11:18:00 +0200
Subject: [PATCH] Check IMA/EVM status

Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement
Architecture) status.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 db/tests.db                  |  1 +
 include/binaries             |  1 +
 include/tests_file_integrity | 22 ++++++++++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/db/tests.db b/db/tests.db
index 76884a45..44a9a410 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -135,6 +135,7 @@ FINT-4330:test:security:file_integrity::mtree availability:
 FINT-4334:test:security:file_integrity::Check lfd daemon status:
 FINT-4336:test:security:file_integrity::Check lfd configuration status:
 FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
+FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
 FINT-4350:test:security:file_integrity::File integrity software installed:
 FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
 FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
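Review bot: The added entry `FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status` lacks the trailing `:` that every neighbouring record carries, so a consumer that splits on the field separator and expects a fixed field count would see this row as one field short; it also capitalises `Status` where the Register call in include/tests_file_integrity uses `Check IMA/EVM status`. Suggested line: `FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM status:`.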
diff --git a/include/binaries b/include/binaries
index 89e2fddd..b538eb56 100644
--- a/include/binaries
+++ b/include/binaries
@@ -157,6 +157,7 @@
                             xbps-query)             XBPSBINARY="${BINARY}";            LogText "  Found known binary: xbps (package management) - ${BINARY}" ;;
                             egrep)                  EGREPBINARY=${BINARY};             LogText "  Found known binary: egrep (text search) - ${BINARY}" ;;
                             equery)                 EQUERYBINARY="${BINARY}";          LogText "  Found known binary: query (package manager) - ${BINARY}" ;;
+                            evmctl)                 EVMCTLBINARY=${BINARY};            LogText "  Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
                             exim)                   EXIMBINARY="${BINARY}";            EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "  Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
                             fail2ban-server)        FAIL2BANBINARY="${BINARY}";        LogText "  Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
                             file)                   FILEBINARY="${BINARY}";            LogText "  Found known binary: file (file type detection) - ${BINARY}" ;;
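Review bot: The added arm assigns `EVMCTLBINARY=${BINARY}` without quotes while the xbps-query, equery, exim and fail2ban-server arms around it write `"${BINARY}"`; the assignment itself is safe in POSIX sh (no field splitting on an assignment right-hand side), so this is a consistency point only. Suggested: `evmctl)                 EVMCTLBINARY="${BINARY}";          LogText "  Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;`.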
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 7a5658ac..a387c248 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -297,6 +297,28 @@
     fi
 #
 #################################################################################
+#
+    # Test        : FINT-4339
+    # Description : Check IMA/EVM status
+    if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
+    Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        if [ -e /sys/kernel/security/ima ]; then
+            FOUND=$(${CAT_BINARY} /sys/kernel/security/ima)
+        fi
+        if [ "${FOUND}" -ne 1 ]; then
+            LogText "Result: EVM tools found but IMA/EVM disabled"
+            Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
+        else
+            LogText "Result: EVM tools found, IMA/EVM enabled"
+            FILE_INT_TOOL="evmctl"
+            FILE_INT_TOOL_FOUND=1
+            Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : FINT-4402 (was FINT-4316)
     # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
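Review bot: The integer test on the new line `if [ "${FOUND}" -ne 1 ]; then` fails open — when `${CAT_BINARY} /sys/kernel/security/ima` yields anything that is not a single integer (empty output after a cat error, or multi-line content), `[` prints "integer expression expected" and returns non-zero, so control falls into the else branch that logs "IMA/EVM enabled" and sets FILE_INT_TOOL_FOUND=1. On the kernels I have seen, that path is the securityfs `ima` directory (holding `policy`, `runtime_measurements_count`, …) rather than a 0/1 flag file, so cat would fail with "Is a directory" and every IMA-capable host would be reported as enabled; worth confirming on a target before merging. A string comparison keeps the existing branch order and closes the gap: `FOUND=$(${CAT_BINARY} /sys/kernel/security/ima 2>/dev/null)` and `if [ "${FOUND}" != "1" ]; then`. The log lines also say IMA/EVM disabled/enabled while only the IMA node is consulted; either narrow the wording to IMA or add a matching read of the EVM status node.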