Merge pull request #905 from topimiettinen/check-non-native-binary-formats

Check for registered non-native binary formats
2021-01-07 15:16:34 +01:00 · 2021-01-07 15:16:34 +01:00 · ab1111c0ed
parent 74fbc870b3 de848cb76a
commit ab1111c0ed
3 changed files with 23 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -150,6 +150,7 @@ Using the relevant options, the scan will change base on the intended goal.
 - New test: FINT-4316 - presence of AIDE database and size test
 - New test: FINT-4340 - check dm-integrity status (Linux)
 - New test: FINT-4341 - verify status of dm-verity (Linux)
+- New test: HRDN-7231 - check for registered non-native binary formats
 - New test: INSE-8314 - test for NIS client
 - New test: INSE-8316 - test for NIS server
 - New test: NETW-2400 - test hostname for valid characters and length
--- a/db/tests.db
+++ b/db/tests.db
@ -171,6 +171,7 @@ HOME-9350:test:security:homedirs::Collecting information from home directories:
 HRDN-7220:test:security:hardening::Check if one or more compilers are installed:
 HRDN-7222:test:security:hardening::Check compiler permissions:
 HRDN-7230:test:security:hardening::Check for malware scanner:
+HRDN-7231:test:security:hardening:Linux:Check for registered non-native binary formats:
 HTTP-6622:test:security:webservers::Checking Apache presence:
 HTTP-6624:test:security:webservers::Testing main Apache configuration file:
 HTTP-6626:test:security:webservers::Testing other Apache configuration file:
--- a/include/tests_hardening
+++ b/include/tests_hardening
@ -106,6 +106,27 @@
    fi
 #
 #################################################################################
+#
+    # Test        : HRDN-7231
+    # Description : Check for registered non-native binary formats
+    Register --test-no HRDN-7231  --os Linux --weight L --network NO --category security --description "Check for registered non-native binary formats"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Check for registered non-native binary formats"
+        NFORMATS=0
+        if [ -d /proc/sys/fs/binfmt_misc ]; then
+            NFORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status | ${WCBINARY} --lines)
+        fi
+        if [ ${NFORMATS} -eq 0 ]; then
+            LogText "Result: no non-native binary formats found"
+            Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_NOT_FOUND}" --color GREEN
+        else
+            FORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status -printf '%f ')
+            LogText "Result: found ${NFORMATS} non-native binary formats registered: ${FORMATS}"
+            Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_FOUND}" --color RED
+        fi
+    fi
+#
+#################################################################################
 #
 #    LogText "--------------------------------------------------------------------"
 #    LogText "| System part                        | Preferred value | Actual value | Points |"