From a30d429315fcdbf2c6e2a2bad2ec837d5b9d5580 Mon Sep 17 00:00:00 2001 From: Dave Vehrs Date: Fri, 26 Jan 2018 04:24:33 -0700 Subject: [PATCH] tests_usb updates (#514) * Added kernel.dmesg_restrict to sysctl checks. * Moved usb-storage and autthorization tests tests_usb * Limit Suggestions when USBGuard installed * Changed usb_devices to usb --- include/tests_storage | 76 ----------------------------- include/tests_usb | 110 +++++++++++++++++++++++++++++++++++++----- lynis | 2 +- 3 files changed, 100 insertions(+), 88 deletions(-) diff --git a/include/tests_storage b/include/tests_storage index f67d70e5..de8984c4 100644 --- a/include/tests_storage +++ b/include/tests_storage 
@@ -27,82 +27,6 @@ AUTOMOUNTER_DAEMON_TOOL="" # ################################################################################# -# - # Test : STRG-1840 - # Description : Check for disabled USB storage - Register --test-no STRG-1840 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled" - if [ ${SKIPTEST} -eq 0 ]; then - FOUND=0 - LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" - if [ -d /etc/modprobe.d ]; then - FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) - if [ ! -z "${FIND}" ]; then - FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) - if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then - FOUND=1 - LogText "Result: found usb-storage driver in disabled state (blacklisted)" - fi - else - LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it." - fi - fi - if [ -f ${ROOTDIR}etc/modprobe.conf ]; then - FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") - if [ ! 
-z "${FIND}" ]; then - FOUND=1 - LogText "Result: found usb-storage driver in disabled state" - fi - fi - if [ ${FOUND} -eq 0 ]; then - LogText "Result: usb-storage driver is not explicitly disabled" - Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE - ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft" - AddHP 2 3 - else - LogText "Result: usb-storage driver is disabled" - Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - fi - fi -# -################################################################################# -# - # Test : STRG-1842 - # Description : Check USB authorizations - Register --test-no STRG-1842 --os Linux --weight L --network NO --category security --description "Check USB authorizations" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking USB devices authorization to connect to the system" - FOUND=0 - USBDEVICESPATH="/sys/bus/usb/devices/usb" - for device in "${USBDEVICESPATH}"*; do - if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then - if [ $(cat "${device}/authorized_default") -eq 1 ]; then - FOUND=1 - LogText "Test: ${device} is authorized by default" - Report "usb_authorized_default_device[]=${device}" - elif [ $(cat "${device}/authorized") -eq 1 ]; then - FOUND=1 - LogText "Test: ${device} is authorized currently" - Report "usb_authorized_device[]=${device}" - fi - fi - done - - if [ ${FOUND} -eq 1 ]; then - LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW - # To-Be-Added: create documentation and enable the suggestion - #ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft" 
- AddHP 0 3 - else - LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - fi - fi -# -################################################################################# # # Test : STRG-1846 # Description : Check for disabled firewire storage diff --git a/include/tests_usb b/include/tests_usb index 64e80aaf..d2d5a5ac 100644 --- a/include/tests_usb +++ b/include/tests_usb @@ -18,6 +18,10 @@ # USB Devices # ################################################################################# +# + InsertSection "USB Devices" +# +################################################################################# # USBGUARD_FOUND=0 
@@ -35,22 +39,106 @@ # ################################################################################# # - InsertSection "USB Devices" + + # Test to determine if USBGuard is installed. If it is, we will limit + # suggestions from other tests. + if [ ! -z "${USBGUARDBINARY}" ]; then + USBGUARD_FOUND=1 + fi + # ################################################################################# # - # PLACEHOLDER USB-0000 used until a good test name & number can be assigned. - # Once that is done, we are one step closer to being able to enable the - # suggestions below. - - # Test : USB-0000 - # Description : Perform file permissions check - Register --test-no USB-0000 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard" + # Test : USB-0100 + # Description : Check for disabled USB storage + Register --test-no USB-0100 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled" if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf" + if [ -d /etc/modprobe.d ]; then + FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) + if [ ! -z "${FIND}" ]; then + FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) + if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then + FOUND=1 + LogText "Result: found usb-storage driver in disabled state (blacklisted)" + fi + else + LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it." + fi + fi + if [ -f ${ROOTDIR}etc/modprobe.conf ]; then + FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") + if [ ! 
-z "${FIND}" ]; then + FOUND=1 + LogText "Result: found usb-storage driver in disabled state" + fi + fi + if [ ${FOUND} -eq 0 ]; then + LogText "Result: usb-storage driver is not explicitly disabled" + Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE + if [ "${USBGUARD_FOUND}" -eq "0" ]; then + ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft" + fi + AddHP 2 3 + else + LogText "Result: usb-storage driver is disabled" + Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + fi + fi - if [ ! -z "${USBGUARDBINARY}" ]; then - USBGUARD_FOUND=1 +# +################################################################################# +# + + # Test : USB-0200 + # Description : Check USB authorizations + Register --test-no USB-0200 --os Linux --weight L --network NO --category security --description "Check USB authorizations" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking USB devices authorization to connect to the system" + FOUND=0 + USBDEVICESPATH="/sys/bus/usb/devices/usb" + for device in "${USBDEVICESPATH}"*; do + if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then + if [ $(cat "${device}/authorized_default") -eq 1 ]; then + FOUND=1 + LogText "Test: ${device} is authorized by default" + Report "usb_authorized_default_device[]=${device}" + elif [ $(cat "${device}/authorized") -eq 1 ]; then + FOUND=1 + LogText "Test: ${device} is authorized currently" + Report "usb_authorized_device[]=${device}" + fi + fi + done + + if [ ${FOUND} -eq 1 ]; then + LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW + # To-Be-Added: create documentation and enable the suggestion + #if 
[ "${USBGUARD_FOUND}" -eq "0" ]; then + # ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft" + #fi + AddHP 0 3 + else + LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + fi + fi + +# +################################################################################# +# + + # Test : USB-0300 + # Description : Perform USBGuard check + Register --test-no USB-0300 --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard" + if [ ${SKIPTEST} -eq 0 ]; then + if [ "${USBGUARD_FOUND}" -gt "0" ]; then LogText "Result: USBGuard is installed (${USBGUARDBINARY})" Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 @@ -235,7 +323,7 @@ LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)" Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED # To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion - ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies" + #ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies" AddHP 0 1 fi diff --git a/lynis b/lynis index 2b8e9168..4ebddd60 100755 --- a/lynis +++ b/lynis 
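Review bot: USBGUARD_FOUND, which now suppresses the usb-storage suggestion in USB-0100, is set purely from `[ ! -z "${USBGUARDBINARY}" ]`, i.e. the binary being present on disk; that says nothing about whether the daemon is enabled or has a policy, and the later hunk in this same file comments out the RuleFile suggestion, so a host with usbguard installed but never configured ends up with neither finding reported. The gate should require an active daemon (or a found RuleFile) rather than an installed binary, or at minimum the comment above the assignment should say `# USBGUARD_FOUND=1 only means the binary exists; it does not prove the daemon is running or a policy is loaded`. Separately, in USB-0200 the guard `[ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]` accepts a device that has only `authorized`, yet the next line unconditionally evaluates `$(cat "${device}/authorized_default") -eq 1`, which in that case leaves `[` with an empty operand and a test error; checking each file before reading it, e.g. `if [ -e "${device}/authorized_default" ] && [ "$(cat "${device}/authorized_default")" -eq 1 ]; then`, avoids that. The USB-0300 block continues past the end of this hunk.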
@@ -925,7 +925,7 @@ ${NORMAL}
 LogText "Info: perform tests from all categories"
 INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
- filesystems usb_devices storage storage_nfs nameservices ports_packages networking printers_spools \
+ filesystems usb storage storage_nfs nameservices ports_packages networking printers_spools \
 mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
 insecure_services banners scheduling accounting time crypto virtualization containers \
 mac_frameworks file_integrity tooling malware file_permissions homedirs \