tests_usb updates (#514)

* Added kernel.dmesg_restrict to sysctl checks.

* Moved usb-storage and autthorization tests tests_usb

* Limit Suggestions when USBGuard installed

* Changed usb_devices to usb

include/tests_storage

@@ -27,82 +27,6 @@
     AUTOMOUNTER_DAEMON_TOOL=""
 #
 #################################################################################
-#
-    # Test        : STRG-1840
-    # Description : Check for disabled USB storage
-    Register --test-no STRG-1840 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
-    if [ ${SKIPTEST} -eq 0 ]; then
-        FOUND=0
-        LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
-        if [ -d /etc/modprobe.d ]; then
-            FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
-            if [ ! -z "${FIND}" ]; then
-                FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
-                FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
-                if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
-                    FOUND=1
-                    LogText "Result: found usb-storage driver in disabled state (blacklisted)"
-                fi
-            else
-                LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
-            fi
-        fi
-        if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
-            FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
-            if [ ! -z "${FIND}" ]; then
-                FOUND=1
-                LogText "Result: found usb-storage driver in disabled state"
-            fi
-        fi
-        if [ ${FOUND} -eq 0 ]; then
-            LogText "Result: usb-storage driver is not explicitly disabled"
-            Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
-            ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
-            AddHP 2 3
-        else
-            LogText "Result: usb-storage driver is disabled"
-            Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
-            AddHP 3 3
-        fi
-    fi
-#
-#################################################################################
-#
-    # Test        : STRG-1842
-    # Description : Check USB authorizations
-    Register --test-no STRG-1842 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
-    if [ ${SKIPTEST} -eq 0 ]; then
-        LogText "Test: Checking USB devices authorization to connect to the system"
-        FOUND=0
-        USBDEVICESPATH="/sys/bus/usb/devices/usb"
-        for device in "${USBDEVICESPATH}"*; do
-            if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
-                if [ $(cat "${device}/authorized_default") -eq 1 ]; then
-                    FOUND=1
-                    LogText "Test: ${device} is authorized by default"
-                    Report "usb_authorized_default_device[]=${device}"
-                elif [ $(cat "${device}/authorized") -eq 1 ]; then
-                    FOUND=1
-                    LogText "Test: ${device} is authorized currently"
-                    Report "usb_authorized_device[]=${device}"
-                fi
-            fi
-        done
-
-        if [ ${FOUND} -eq 1 ]; then
-            LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
-            Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
-            # To-Be-Added: create documentation and enable the suggestion
-            #ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
-            AddHP 0 3
-        else
-            LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
-            Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
-            AddHP 3 3
-        fi
-    fi
-#
-#################################################################################
 #
     # Test        : STRG-1846
     # Description : Check for disabled firewire storage

include/tests_usb

@@ -18,6 +18,10 @@
 #  USB Devices
 #
 #################################################################################
+#
+    InsertSection "USB Devices"
+#
+#################################################################################
 #
 
     USBGUARD_FOUND=0
@@ -35,22 +39,106 @@
 #
 #################################################################################
 #
-    InsertSection "USB Devices"
+
+    # Test to determine if USBGuard is installed.  If it is, we will limit
+    # suggestions from other tests.
+    if [ ! -z "${USBGUARDBINARY}" ]; then
+        USBGUARD_FOUND=1
+    fi
+
 #
 #################################################################################
 #
 
-    # PLACEHOLDER USB-0000 used until a good test name & number can be assigned.
-    # Once that is done, we are one step closer to being able to enable the
-    # suggestions below.
-
-    # Test        : USB-0000
-    # Description : Perform file permissions check
-    Register --test-no USB-0000  --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard"
+    # Test        : USB-0100
+    # Description : Check for disabled USB storage
+    Register --test-no USB-0100 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
     if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
+        if [ -d /etc/modprobe.d ]; then
+            FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
+            if [ ! -z "${FIND}" ]; then
+                FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+                FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
+                if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
+                    FOUND=1
+                    LogText "Result: found usb-storage driver in disabled state (blacklisted)"
+                fi
+            else
+                LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
+            fi
+        fi
+        if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
+            FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
+            if [ ! -z "${FIND}" ]; then
+                FOUND=1
+                LogText "Result: found usb-storage driver in disabled state"
+            fi
+        fi
+        if [ ${FOUND} -eq 0 ]; then
+            LogText "Result: usb-storage driver is not explicitly disabled"
+            Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+            if [ "${USBGUARD_FOUND}" -eq "0" ]; then
+                ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
+            fi
+            AddHP 2 3
+        else
+            LogText "Result: usb-storage driver is disabled"
+            Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
+            AddHP 3 3
+        fi
+    fi
 
-        if [ ! -z "${USBGUARDBINARY}" ]; then
-            USBGUARD_FOUND=1
+#
+#################################################################################
+#
+
+    # Test        : USB-0200
+    # Description : Check USB authorizations
+    Register --test-no USB-0200 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Checking USB devices authorization to connect to the system"
+        FOUND=0
+        USBDEVICESPATH="/sys/bus/usb/devices/usb"
+        for device in "${USBDEVICESPATH}"*; do
+            if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
+                if [ $(cat "${device}/authorized_default") -eq 1 ]; then
+                    FOUND=1
+                    LogText "Test: ${device} is authorized by default"
+                    Report "usb_authorized_default_device[]=${device}"
+                elif [ $(cat "${device}/authorized") -eq 1 ]; then
+                    FOUND=1
+                    LogText "Test: ${device} is authorized currently"
+                    Report "usb_authorized_device[]=${device}"
+                fi
+            fi
+        done
+
+        if [ ${FOUND} -eq 1 ]; then
+            LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
+            Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
+            # To-Be-Added: create documentation and enable the suggestion
+            #if [ "${USBGUARD_FOUND}" -eq "0" ]; then
+            #   ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
+            #fi
+            AddHP 0 3
+        else
+            LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
+            Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
+            AddHP 3 3
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+    # Test        : USB-0300
+    # Description : Perform USBGuard check
+    Register --test-no USB-0300  --os Linux --weight L --network NO --category security --description "Check for presence of USBGuard"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        if [ "${USBGUARD_FOUND}" -gt "0" ]; then
             LogText "Result: USBGuard is installed (${USBGUARDBINARY})"
             Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_FOUND}" --color GREEN
             AddHP 1 1
@@ -235,7 +323,7 @@
                     LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"
                     Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED
                     # To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
-                    ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
+                    #ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
                     AddHP 0 1
                 fi
 

lynis

@@ -925,7 +925,7 @@ ${NORMAL}
             LogText "Info: perform tests from all categories"
 
             INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
-                           filesystems usb_devices storage storage_nfs nameservices ports_packages networking printers_spools \
+                           filesystems usb storage storage_nfs nameservices ports_packages networking printers_spools \
                            mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
                            insecure_services banners scheduling accounting time crypto virtualization containers \
                            mac_frameworks file_integrity tooling malware file_permissions homedirs \