tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tests_usb updates (#514) 

* Added kernel.dmesg_restrict to sysctl checks.

* Moved usb-storage and autthorization tests tests_usb

* Limit Suggestions when USBGuard installed

* Changed usb_devices to usb
This commit is contained in:
Dave Vehrs 2018-01-26 04:24:33 -07:00 committed by Michael Boelen
parent 7b664a7560
commit a30d429315
3 changed files with 100 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
include/tests_storage
View File

@ -27,82 +27,6 @@
AUTOMOUNTER_DAEMON_TOOL=""
#
#################################################################################
#
# Test : STRG-1840
# Description : Check for disabled USB storage
Register --test-no STRG-1840 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
fi
else
LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
fi
fi
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state"
fi
fi
if [ ${FOUND} -eq 0 ]; then
LogText "Result: usb-storage driver is not explicitly disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
AddHP 2 3
else
LogText "Result: usb-storage driver is disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : STRG-1842
# Description : Check USB authorizations
Register --test-no STRG-1842 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking USB devices authorization to connect to the system"
FOUND=0
USBDEVICESPATH="/sys/bus/usb/devices/usb"
for device in "${USBDEVICESPATH}"*; do
if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
if [ $(cat "${device}/authorized_default") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}"
elif [ $(cat "${device}/authorized") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized currently"
Report "usb_authorized_device[]=${device}"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
# To-Be-Added: create documentation and enable the suggestion
#ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
AddHP 0 3
else
LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : STRG-1846
# Description : Check for disabled firewire storage

110
include/tests_usb
View File

@ -18,6 +18,10 @@
# USB Devices
#
#################################################################################
#
InsertSection "USB Devices"
#
#################################################################################
#
USBGUARD_FOUND=0
@ -35,22 +39,106 @@
#
#################################################################################
#
InsertSection "USB Devices"
# Test to determine if USBGuard is installed. If it is, we will limit
# suggestions from other tests.
if [ ! -z "${USBGUARDBINARY}" ]; then
USBGUARD_FOUND=1
fi
#
#################################################################################
#
# PLACEHOLDER USB-0000 used until a good test name & number can be assigned.
# Once that is done, we are one step closer to being able to enable the
# suggestions below.
# Test : USB-0000
# Description : Perform file permissions check
Register --test-no USB-0000 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard"
# Test : USB-0100
# Description : Check for disabled USB storage
Register --test-no USB-0100 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ ! -z "${FIND}" ]; then
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
fi
else
LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
fi
fi
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state"
fi
fi
if [ ${FOUND} -eq 0 ]; then
LogText "Result: usb-storage driver is not explicitly disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
if [ "${USBGUARD_FOUND}" -eq "0" ]; then
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
fi
AddHP 2 3
else
LogText "Result: usb-storage driver is disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi
fi
if [ ! -z "${USBGUARDBINARY}" ]; then
USBGUARD_FOUND=1
#
#################################################################################
#
# Test : USB-0200
# Description : Check USB authorizations
Register --test-no USB-0200 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking USB devices authorization to connect to the system"
FOUND=0
USBDEVICESPATH="/sys/bus/usb/devices/usb"
for device in "${USBDEVICESPATH}"*; do
if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
if [ $(cat "${device}/authorized_default") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized by default"
Report "usb_authorized_default_device[]=${device}"
elif [ $(cat "${device}/authorized") -eq 1 ]; then
FOUND=1
LogText "Test: ${device} is authorized currently"
Report "usb_authorized_device[]=${device}"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
# To-Be-Added: create documentation and enable the suggestion
#if [ "${USBGUARD_FOUND}" -eq "0" ]; then
# ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
#fi
AddHP 0 3
else
LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : USB-0300
# Description : Perform USBGuard check
Register --test-no USB-0300 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${USBGUARD_FOUND}" -gt "0" ]; then
LogText "Result: USBGuard is installed (${USBGUARDBINARY})"
Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
@ -235,7 +323,7 @@
LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"
Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
#ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
AddHP 0 1
fi

2
lynis
View File

@ -925,7 +925,7 @@ ${NORMAL}
LogText "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems usb_devices storage storage_nfs nameservices ports_packages networking printers_spools \
filesystems usb storage storage_nfs nameservices ports_packages networking printers_spools \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \
mac_frameworks file_integrity tooling malware file_permissions homedirs \