tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-30 09:14:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge and initial changes for new tests FILE-6344 and FILE-6430

Browse Source
This commit is contained in:
Michael Boelen 2016-07-11 19:57:45 +02:00
parent 9a5647f66c
commit 38e6ff18d4
1 changed files with 40 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
include/tests_filesystems
View File

@ -291,17 +291,24 @@
#
#################################################################################
#
# Test : FILE-6337
# Description : Check proc mount options (Linux >=3.3 only)
# Test : FILE-6344
# Description : Check proc mount options (Linux >=3.3 only)
# Examples : proc /proc proc defaults,hidepid=2 0 0
# Goal : Users should not be able to see processes of other users
if [ -f /proc/version ] && [ "$(cat /proc/version | cut -d" " -f3)" \> "3.2" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6337 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking proc mount options"
if [ "${OS}" = "Linux" -a -f /proc/version ]; then
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | awk -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | awk -F. '{print $2}')
if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
else
PREQS_MET="NO";
fi
fi
Register --test-no FILE-6344 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking proc mount options"
if [ ${SKIPTEST} -eq 0 ]; then
# Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
LogText "Test: check proc mount with incorrect mount options"
FIND=`mount | grep proc | egrep -o "hidepid=[0-9]"`
FIND=$(mount | ${EGREPBINARY} "^proc" | ${EGREPBINARY} -o "hidepid=[0-9]")
if [ "${FIND}" = "hidepid=2" ]; then
Display --indent 2 --text "- Testing proc mount" --result "${STATUS_OK}" --color GREEN
LogText "Result: proc mount mounted with hidepid=2"
@ -310,8 +317,8 @@
HIDEPID1_SUGGESTION=" (or at least hidepid=1)"
fi
Display --indent 2 --text "- Testing proc mount" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: proc file system not mounted with option hidepid=2$HIDEPID1_SUGGESTION"
ReportSuggestion ${TEST_NO} "Consider mounting /proc via /etc/fstab with mount option hidepid=2$HIDEPID1_SUGGESTION"
LogText "Result: /proc filesystem is not mounted with option hidepid=2"
#ReportSuggestion ${TEST_NO} "Consider mounting /proc via /etc/fstab with mount option hidepid=2"
fi
fi
#
@ -677,34 +684,39 @@
Register --test-no FILE-6430 --weight L --network NO --description "Disable mounting of some filesystems"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
Display --indent 2 --text "- Disable mounting of some filesystems"
Display --indent 2 --text "- Disable kernel support of some filesystems"
LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
FOUND=0
AVAILABLE_FS=""
for FS in ${LIST_FS_NOT_SUPPORTED}; do
Display --indent 4 --text "- Disable mounting of ${FS} filesystem"
LogText "Test: Checking if ${FS} is not present in loaded modules"
# Check if FS is present in lsmod output
FIND=`${LSMODBINARY} | ${EGREPBINARY} "^${FS}"`
if [ -z "${FIND}" ]; then
LogText "Result: module ${FS} not loaded in the kernel"
Display --indent 6 --text "- Module ${FS} not loaded in the kernel" --result OK --color GREEN
AddHP 2 2
else
LogText "Result: module ${FS} loaded in the kernel"
Display --indent 6 --text "- Module $FS loaded in the kernel" --result "FOUND" --color YELLOW
AddHP 2 5
fi
# Check if FS is present in modprobe output
# Check if filesystem is present in modprobe output
FIND=`${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1`
if [ ! -z "${FIND}" ]; then
LogText "Result: found module support in kernel: ${FIND}"
Display --indent 6 --text "- Module ${FS} present in the kernel" --result "FOUND" --color YELLOW
AddHP 2 3
Debug "Module ${FS} present in the kernel"
LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output
FIND=`${LSMODBINARY} | ${EGREPBINARY} "^${FS}"`
if [ -z "${FIND}" ]; then
LogText "Result: module ${FS} is not loaded in the kernel"
AddHP 2 3
#Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN
# Tip to disable a particular module if it is not loaded
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
FOUND=1
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
else
LogText "Result: module ${FS} is loaded in the kernel"
Display --indent 4 --text "- Module $FS loaded in the kernel (lsmod)" --result "FOUND" --color WHITE
fi
else
AddHP 2 2
Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
AddHP 3 3
#Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
fi
else
LogText "Test skipped lsmod binary not found or /proc/modules can not be opened"
fi