Merge and initial changes for new tests FILE-6344 and FILE-6430
parent
9a5647f66c
commit
38e6ff18d4
@ -291,17 +291,24 @@
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6337
|
||||
# Description : Check proc mount options (Linux >=3.3 only)
|
||||
# Test : FILE-6344
|
||||
# Description : Check proc mount options (Linux >=3.3 only)
|
||||
# Examples : proc /proc proc defaults,hidepid=2 0 0
|
||||
# Goal : Users should not be able to see processes of other users
|
||||
|
||||
if [ -f /proc/version ] && [ "$(cat /proc/version | cut -d" " -f3)" \> "3.2" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FILE-6337 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking proc mount options"
|
||||
if [ "${OS}" = "Linux" -a -f /proc/version ]; then
|
||||
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | awk -F. '{print $1}')
|
||||
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | awk -F. '{print $2}')
|
||||
if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then
|
||||
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
else
|
||||
PREQS_MET="NO";
|
||||
fi
|
||||
fi
|
||||
Register --test-no FILE-6344 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking proc mount options"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
|
||||
LogText "Test: check proc mount with incorrect mount options"
|
||||
FIND=`mount | grep proc | egrep -o "hidepid=[0-9]"`
|
||||
FIND=$(mount | ${EGREPBINARY} "^proc" | ${EGREPBINARY} -o "hidepid=[0-9]")
|
||||
if [ "${FIND}" = "hidepid=2" ]; then
|
||||
Display --indent 2 --text "- Testing proc mount" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: proc mount mounted with hidepid=2"
|
||||
@ -310,8 +317,8 @@
|
||||
HIDEPID1_SUGGESTION=" (or at least hidepid=1)"
|
||||
fi
|
||||
Display --indent 2 --text "- Testing proc mount" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
LogText "Result: proc file system not mounted with option hidepid=2$HIDEPID1_SUGGESTION"
|
||||
ReportSuggestion ${TEST_NO} "Consider mounting /proc via /etc/fstab with mount option hidepid=2$HIDEPID1_SUGGESTION"
|
||||
LogText "Result: /proc filesystem is not mounted with option hidepid=2"
|
||||
#ReportSuggestion ${TEST_NO} "Consider mounting /proc via /etc/fstab with mount option hidepid=2"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
@ -677,34 +684,39 @@
|
||||
Register --test-no FILE-6430 --weight L --network NO --description "Disable mounting of some filesystems"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
|
||||
Display --indent 2 --text "- Disable mounting of some filesystems"
|
||||
Display --indent 2 --text "- Disable kernel support of some filesystems"
|
||||
LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
|
||||
FOUND=0
|
||||
AVAILABLE_FS=""
|
||||
for FS in ${LIST_FS_NOT_SUPPORTED}; do
|
||||
Display --indent 4 --text "- Disable mounting of ${FS} filesystem"
|
||||
LogText "Test: Checking if ${FS} is not present in loaded modules"
|
||||
# Check if FS is present in lsmod output
|
||||
FIND=`${LSMODBINARY} | ${EGREPBINARY} "^${FS}"`
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: module ${FS} not loaded in the kernel"
|
||||
Display --indent 6 --text "- Module ${FS} not loaded in the kernel" --result OK --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
LogText "Result: module ${FS} loaded in the kernel"
|
||||
Display --indent 6 --text "- Module $FS loaded in the kernel" --result "FOUND" --color YELLOW
|
||||
AddHP 2 5
|
||||
fi
|
||||
# Check if FS is present in modprobe output
|
||||
# Check if filesystem is present in modprobe output
|
||||
FIND=`${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1`
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found module support in kernel: ${FIND}"
|
||||
Display --indent 6 --text "- Module ${FS} present in the kernel" --result "FOUND" --color YELLOW
|
||||
AddHP 2 3
|
||||
Debug "Module ${FS} present in the kernel"
|
||||
LogText "Test: Checking if ${FS} is active"
|
||||
# Check if FS is present in lsmod output
|
||||
FIND=`${LSMODBINARY} | ${EGREPBINARY} "^${FS}"`
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: module ${FS} is not loaded in the kernel"
|
||||
AddHP 2 3
|
||||
#Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN
|
||||
# Tip to disable a particular module if it is not loaded
|
||||
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
|
||||
FOUND=1
|
||||
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
|
||||
else
|
||||
LogText "Result: module ${FS} is loaded in the kernel"
|
||||
Display --indent 4 --text "- Module $FS loaded in the kernel (lsmod)" --result "FOUND" --color WHITE
|
||||
fi
|
||||
else
|
||||
AddHP 2 2
|
||||
Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
|
||||
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
|
||||
AddHP 3 3
|
||||
#Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
|
||||
fi
|
||||
else
|
||||
LogText "Test skipped lsmod binary not found or /proc/modules can not be opened"
|
||||
fi
|
||||
|
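Review bot: The kernel prerequisite in the first hunk, `[ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]`, requires both numbers to be at least 3, so any kernel whose minor version is 0–2 (4.0, 5.1, 6.2, …) gets PREQS_MET="NO" and FILE-6344 is skipped without ever looking at hidepid. Comparing the major version first fixes it: `if [ ${LINUX_KERNEL_MAJOR} -gt 3 ] || [ ${LINUX_KERNEL_MAJOR} -eq 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. The outer `if [ "${OS}" = "Linux" -a -f /proc/version ]` also has no else branch, so when it is false PREQS_MET keeps whatever an earlier test left in it; setting `PREQS_MET="NO"` just before that block would make the Register call deterministic. The +/- markers are lost on this page, so I am assuming these lines are the new side, which the FILE-6344 Register line they feed suggests.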