tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-23 13:54:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

[USB-2000] improved testing for USB devices and filtering out possible incorrect state

Browse Source
This commit is contained in:
Michael Boelen 2020-02-15 14:09:23 +01:00
parent af70303aeb
commit 5ca8baf7a8
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 37 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
include/tests_usb
View File

@ -91,22 +91,26 @@
# Description : Check USB authorizations # Description : Check USB authorizations
Register --test-no USB-2000 --os Linux --weight L --network NO --category security --description "Check USB authorizations" Register --test-no USB-2000 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking USB devices authorization to connect to the system"
FOUND=0 FOUND=0
USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices/usb" USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices"
for device in "${USBDEVICESPATH}"*; do LogText "Test: checking presence of USB devices path (${USBDEVICESPATH})"
if [ -d "${USBDEVICESPATH}" ]; then
LogText "Test: Checking USB devices authorization to connect to the system"
for device in $(find ${USBDEVICESPATH} -name "usb*" -type l -print); do
if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then
if [ "$(cat "${device}/authorized_default")" = "1" ]; then if [ "$(cat "${device}/authorized_default")" = "1" ]; then
FOUND=1 FOUND=1
LogText "Test: ${device} is authorized by default" LogText "Test: ${device} is authorized by default (authorized_default=1)"
Report "usb_authorized_default_device[]=${device}" Report "usb_authorized_default_device[]=${device}"
elif [ "$(cat "${device}/authorized")" = "1" ]; then fi
if [ "$(cat "${device}/authorized")" = "1" ]; then
FOUND=1 FOUND=1
LogText "Test: ${device} is authorized currently" LogText "Test: ${device} is authorized currently (authorized=1)"
Report "usb_authorized_device[]=${device}" Report "usb_authorized_device[]=${device}"
fi fi
else else
LogText "Test: ${device} is authorized by default" LogText "Test: no authorized or authorized_default file, assuming ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}" Report "usb_authorized_default_device[]=${device}"
FOUND=1 FOUND=1
fi fi
@ -115,7 +119,7 @@
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
# To-Be-Added: create documentation and enable the suggestion # TODO: create documentation and enable the suggestion
#if [ ${USBGUARD_FOUND} -eq 0 ]; then #if [ ${USBGUARD_FOUND} -eq 0 ]; then
# ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft" # ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft"
#fi #fi
@ -125,6 +129,9 @@
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
fi fi
else
LogText "Result: devices path does not exist"
fi
fi fi
# #