mirror of https://github.com/CISOfy/lynis.git
Merge pull request #878 from topimiettinen/check-ima-evm
Check IMA/EVM, dm-integrity and dm-verity statuses
This commit is contained in:
commit
32cefdea0a
@ -136,6 +136,9 @@ FINT-4330:test:security:file_integrity::mtree availability:
|
||||||
FINT-4334:test:security:file_integrity::Check lfd daemon status:
|
FINT-4334:test:security:file_integrity::Check lfd daemon status:
|
||||||
FINT-4336:test:security:file_integrity::Check lfd configuration status:
|
FINT-4336:test:security:file_integrity::Check lfd configuration status:
|
||||||
FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
|
FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
|
||||||
|
FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
|
||||||
|
FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
|
||||||
|
FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
|
||||||
FINT-4350:test:security:file_integrity::File integrity software installed:
|
FINT-4350:test:security:file_integrity::File integrity software installed:
|
||||||
FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
|
FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
|
||||||
FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
|
FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
|
||||||
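Review bot: The three new records drop the trailing colon that every neighbouring line carries (`...::osqueryd syscheck daemon running:` versus `...:Linux:Check IMA/EVM Status`), and the first one capitalises `Status` while the other two and the matching `Register --description` strings use lower case. If this database is split on `:` as a field separator, the missing final field changes the record shape for these three entries, so I would write them as `FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM status:` and likewise `FINT-4340:...:Check dm-integrity status:` and `FINT-4341:...:Check dm-verity status:`. Whether the trailing field is actually read is not visible from this hunk, but matching the existing format costs nothing.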
@ -157,6 +157,7 @@
|
||||||
xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
|
xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
|
||||||
egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
|
egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
|
||||||
equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
|
equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
|
||||||
|
evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
|
||||||
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
|
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
|
||||||
fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
|
fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
|
||||||
file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;;
|
file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;;
|
||||||
|
@ -175,6 +176,7 @@
|
||||||
httpd2-prefork) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
|
httpd2-prefork) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
|
||||||
initctl) INITCTLBINARY=${BINARY}; SERVICE_MANAGER="upstart"; LogText " Found known binary: initctl (client to upstart init) - ${BINARY}" ;;
|
initctl) INITCTLBINARY=${BINARY}; SERVICE_MANAGER="upstart"; LogText " Found known binary: initctl (client to upstart init) - ${BINARY}" ;;
|
||||||
ifconfig) IFCONFIGBINARY="${BINARY}"; LogText " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;;
|
ifconfig) IFCONFIGBINARY="${BINARY}"; LogText " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;;
|
||||||
|
integritysetup) INTEGRITYSETUPBINARY="${BINARY}"; LogText " Found known binary: integritysetup (dm-integrity setup tool) - ${BINARY}" ;;
|
||||||
ip) IPBINARY="${BINARY}"; LogText " Found known binary: ip (IP configuration) - ${BINARY}" ;;
|
ip) IPBINARY="${BINARY}"; LogText " Found known binary: ip (IP configuration) - ${BINARY}" ;;
|
||||||
ipf) IPFBINARY="${BINARY}"; LogText " Found known binary: ipf (firewall) - ${BINARY}" ;;
|
ipf) IPFBINARY="${BINARY}"; LogText " Found known binary: ipf (firewall) - ${BINARY}" ;;
|
||||||
iptables) IPTABLESBINARY="${BINARY}"; LogText " Found known binary: iptables (firewall) - ${BINARY}" ;;
|
iptables) IPTABLESBINARY="${BINARY}"; LogText " Found known binary: iptables (firewall) - ${BINARY}" ;;
|
||||||
|
@ -281,6 +283,7 @@
|
||||||
uname) UNAMEBINARY="${BINARY}"; LogText " Found known binary: uname (operating system details) - ${BINARY}" ;;
|
uname) UNAMEBINARY="${BINARY}"; LogText " Found known binary: uname (operating system details) - ${BINARY}" ;;
|
||||||
uniq) UNIQBINARY="${BINARY}"; LogText " Found known binary: uniq (text manipulation utility) - ${BINARY}";;
|
uniq) UNIQBINARY="${BINARY}"; LogText " Found known binary: uniq (text manipulation utility) - ${BINARY}";;
|
||||||
usbguard) USBGUARDBINARY="${BINARY}"; LogText " Found known binary: usbguard (USB security tool) - ${BINARY}" ;;
|
usbguard) USBGUARDBINARY="${BINARY}"; LogText " Found known binary: usbguard (USB security tool) - ${BINARY}" ;;
|
||||||
|
veritysetup) VERITYSETUPBINARY="${BINARY}"; LogText " Found known binary: veritysetup (dm-verity setup tool) - ${BINARY}" ;;
|
||||||
vgdisplay) VGDISPLAYBINARY="${BINARY}"; LogText " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
|
vgdisplay) VGDISPLAYBINARY="${BINARY}"; LogText " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
|
||||||
vmtoolsd) VMWARETOOLSDBINARY="${BINARY}"; LogText " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
|
vmtoolsd) VMWARETOOLSDBINARY="${BINARY}"; LogText " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
|
||||||
wc) WCBINARY="${BINARY}"; LogText " Found known binary: wc (word count) - ${BINARY}" ;;
|
wc) WCBINARY="${BINARY}"; LogText " Found known binary: wc (word count) - ${BINARY}" ;;
|
||||||
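Review bot: The new `evmctl` line assigns `EVMCTLBINARY=${BINARY}` unquoted, whereas the two other binaries this commit adds (`integritysetup`, `veritysetup`) quote the expansion; the file is mixed, but the commit's own additions should agree, so write `evmctl) EVMCTLBINARY="${BINARY}"; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;`. This is a point of style only; the enclosing `case` statement begins and ends outside the hunks shown.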
@ -297,6 +297,107 @@
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
#
|
||||||
|
# Test : FINT-4339
|
||||||
|
# Description : Check IMA/EVM status
|
||||||
|
if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
|
||||||
|
Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
FOUND=0
|
||||||
|
if [ -e /sys/kernel/security/ima ]; then
|
||||||
|
FOUND=$(${CAT_BINARY} /sys/kernel/security/ima)
|
||||||
|
fi
|
||||||
|
if [ "${FOUND}" -ne 1 ]; then
|
||||||
|
LogText "Result: EVM tools found but IMA/EVM disabled"
|
||||||
|
Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
|
||||||
|
else
|
||||||
|
LogText "Result: EVM tools found, IMA/EVM enabled"
|
||||||
|
FILE_INT_TOOL="evmctl"
|
||||||
|
FILE_INT_TOOL_FOUND=1
|
||||||
|
Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
|
#
|
||||||
|
# Test : FINT-4340
|
||||||
|
# Description : Check dm-integrity status
|
||||||
|
if [ ! -z "${INTEGRITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No integritysetup binary found"; fi
|
||||||
|
Register --test-no FINT-4340 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-integrity status"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
FOUND=0
|
||||||
|
ROOTPROTECTED=0
|
||||||
|
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
|
||||||
|
for DEVICE in /dev/mapper/*; do
|
||||||
|
if [ -e "${DEVICE}" ]; then
|
||||||
|
FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
|
||||||
|
if [ ! -z "${FIND}" ]; then
|
||||||
|
FOUND=1
|
||||||
|
LogText "Result: found dm-integrity device ${DEVICE}"
|
||||||
|
if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
|
||||||
|
ROOTPROTECTED=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "${FOUND}" -ne 1 ]; then
|
||||||
|
LogText "Result: dm-integrity tools found but no active devices"
|
||||||
|
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_DISABLED}" --color WHITE
|
||||||
|
else
|
||||||
|
LogText "Result: dm-integrity tools found, active devices"
|
||||||
|
if [ ${ROOTPROTECTED} -eq 1 ]; then
|
||||||
|
LogText "Result: root filesystem is protected by dm-integrity"
|
||||||
|
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
|
else
|
||||||
|
LogText "Result: root filesystem is not protected by dm-integrity but active devices found"
|
||||||
|
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_FOUND}" --color YELLOW
|
||||||
|
fi
|
||||||
|
FILE_INT_TOOL="dm-integrity"
|
||||||
|
FILE_INT_TOOL_FOUND=1
|
||||||
|
Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
|
#
|
||||||
|
# Test : FINT-4341
|
||||||
|
# Description : Check dm-verity status
|
||||||
|
if [ ! -z "${VERITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No veritysetup binary found"; fi
|
||||||
|
Register --test-no FINT-4341 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-verity status"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
FOUND=0
|
||||||
|
ROOTPROTECTED=0
|
||||||
|
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
|
||||||
|
for DEVICE in /dev/mapper/*; do
|
||||||
|
if [ -e "${DEVICE}" ]; then
|
||||||
|
FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
|
||||||
|
if [ ! -z "${FIND}" ]; then
|
||||||
|
FOUND=1
|
||||||
|
LogText "Result: found dm-verity device ${DEVICE}"
|
||||||
|
if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
|
||||||
|
ROOTPROTECTED=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "${FOUND}" -ne 1 ]; then
|
||||||
|
LogText "Result: dm-verity tools found but no active devices"
|
||||||
|
Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_DISABLED}" --color WHITE
|
||||||
|
else
|
||||||
|
LogText "Result: dm-verity tools found, active devices"
|
||||||
|
if [ ${ROOTPROTECTED} -eq 1 ]; then
|
||||||
|
LogText "Result: root filesystem is protected by dm-verity"
|
||||||
|
Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_ENABLED}" --color GREEN
|
||||||
|
else
|
||||||
|
LogText "Result: root filesystem is not protected by dm-verity but active devices found"
|
||||||
|
Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_FOUND}" --color YELLOW
|
||||||
|
fi
|
||||||
|
FILE_INT_TOOL="dm-verity"
|
||||||
|
FILE_INT_TOOL_FOUND=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : FINT-4402 (was FINT-4316)
|
# Test : FINT-4402 (was FINT-4316)
|
||||||
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
|
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
|
||||||
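Review bot: The FINT-4339 status check will misreport: `/sys/kernel/security/ima` is a securityfs directory (the `policy` and measurement entries live underneath it), so `${CAT_BINARY}` fails, FOUND becomes an empty string, and `[ "" -ne 1 ]` exits non-zero with an "integer expression expected" error, which sends execution into the else branch and displays IMA/EVM as ENABLED (and sets `FILE_INT_TOOL_FOUND=1`) on any kernel that merely has IMA compiled in. The integer the check appears to expect lives in `/sys/kernel/security/evm` (EVM's initialisation flags, non-zero once a key has been loaded), which is presumably what was meant for the EVM half; IMA needs a separate indicator such as the `ima/policy` entry or `ima_policy=`/`ima_appraise=` on `/proc/cmdline`, and a failed read must default to "not enabled" rather than fall through. The rewrite below does that with string comparison and `2>/dev/null`; please confirm the chosen indicators against the kernels Lynis targets, since a policy can also be loaded at runtime without a command-line option. Two smaller points in the same hunk: the dm-integrity block prints its status line twice whenever devices are active (the inner if/else already calls `Display`, then the unconditional `Display ... "${STATUS_ENABLED}" --color GREEN` after it runs as well, which the dm-verity block correctly omits), and dm-integrity with its default crc32c tag only detects corruption, not deliberate tampering, unless a keyed HMAC was configured, so reporting it GREEN and as file-integrity software overstates the protection and deserves at least a comment such as `# NOTE: dm-integrity without a keyed HMAC is not tamper-evident; only confirms the device is active`.
```shell
FOUND=0
# IMA exposes a securityfs directory, EVM a status file holding an integer
# (non-zero once EVM is initialised). Default to "not enabled" on any read
# failure and compare as strings so an empty value cannot select the enabled branch.
if [ -d /sys/kernel/security/ima ]; then
    if [ -e /sys/kernel/security/ima/policy ] || ${EGREPBINARY} -q 'ima_(policy|appraise)=' /proc/cmdline 2>/dev/null; then
        FOUND=1
        LogText "Result: IMA policy appears to be configured"
    fi
fi
if [ -f /sys/kernel/security/evm ]; then
    EVM_STATUS=$(${CAT_BINARY} /sys/kernel/security/evm 2>/dev/null)
    case "${EVM_STATUS}" in
        ""|0) LogText "Result: EVM status file present but EVM not initialised" ;;
        *)    FOUND=1; LogText "Result: EVM initialised (status ${EVM_STATUS})" ;;
    esac
fi
if [ "${FOUND}" = "1" ]; then
    # … unchanged: enabled branch (FILE_INT_TOOL="evmctl", green Display) …
else
    # … unchanged: disabled branch (yellow Display) …
fi
```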