[BOOT-5122] check for defined password in all GRUB configuration files

Michael Boelen 2020-03-19 15:52:03 +01:00
parent 6d9ebe4136
commit ddcf9bc713
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
2 changed files with 35 additions and 22 deletions


@ -79,6 +79,7 @@ Using the relevant options, the scan will change base on the intended goal.
- AUTH-9282 - fix: temporary variable was overwritten - AUTH-9282 - fix: temporary variable was overwritten
- AUTH-9408 - added support for pam_tally2 to log failed logins - AUTH-9408 - added support for pam_tally2 to log failed logins
- BANN-7126 - additional words for login banner are accepted - BANN-7126 - additional words for login banner are accepted
- BOOT-5122 - check for defined password in all GRUB configuration files
- CONT-8106 - support newer 'docker info' output - CONT-8106 - support newer 'docker info' output
- CRYP-8002 - gather kernel entropy on Linux systems - CRYP-8002 - gather kernel entropy on Linux systems
- FILE-6310 - support for HP-UX - FILE-6310 - support for HP-UX


@ -331,34 +331,46 @@
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password" Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE} CONF_FILES=$(${FINDBINARY} /etc/grub.d -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
if [ ${CANREAD} -eq 1 ]; then CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
FIND=$(${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
FIND2=$(${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') for FILE in ${CONF_FILES}; do
FIND3=$(${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') if [ -f "${FILE}" ]; then
FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') LogText "Found file ${FILE}, proceeding with tests."
FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#') if FileIsReadable "${FILE}"; then
# GRUB1: Password should be set (MD5 or SHA1) FIND=$(${GREPBINARY} 'password --md5' ${FILE} | ${GREPBINARY} -v '^#')
if [ -n "${FIND}" -o -n "${FIND2}" ]; then FIND2=$(${GREPBINARY} 'password --encrypted' ${FILE} | ${GREPBINARY} -v '^#')
FOUND=1 FIND3=$(${GREPBINARY} 'set superusers' ${FILE} | ${GREPBINARY} -v '^#')
# GRUB2: Superusers AND password should be defined FIND4=$(${GREPBINARY} 'password_pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
elif [ -n "${FIND3}" ]; then FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi # GRUB1: Password should be set (MD5 or SHA1)
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
# GRUB2: Superusers AND password should be defined
elif [ -n "${FIND3}" ]; then
if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi
else
LogText "Result: did not find hashed password line in this file"
fi
else
LogText "Result: Can not read '${FILE}' (no permission?)"
fi
else
LogText "Result: File '${FILE}' does not exist"
fi fi
if [ ${FOUND} -eq 1 ]; then done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
LogText "Result: GRUB has password protection." LogText "Result: GRUB has password protection."
AddHP 4 4 AddHP 4 4
else
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
LogText "Result: Didn't find hashed password line in GRUB boot file!"
ReportSuggestion "${TEST_NO}" "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
fi
else else
LogText "Result: Can not read ${GRUBCONFFILE} (no permission)" Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
LogText "Result: Didn't find hashed password line in GRUB configuration"
ReportSuggestion "${TEST_NO}" "Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
fi fi
unset CONF_FILES FILE FIND FIND2 FIND3 FIND4 FIND5 FOUND
fi fi
# #
################################################################################# #################################################################################
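Review bot: The new CONF_FILES line hard-codes `/etc/grub.d` while the very next line prefixes `custom.cfg` with `${ROOTDIR}`, so a scan with a non-default root directory reads the running host's GRUB snippets instead of the target's; it should be `CONF_FILES=$(${FINDBINARY} ${ROOTDIR}etc/grub.d -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')`. Note also that `-print0` is immediately undone by translating NUL to a space and the unquoted `for FILE in ${CONF_FILES}` word-splits, so a path containing whitespace is split into non-existent names and logged as missing. The old code called `FileIsReadable ${GRUBCONFFILE}` and then tested `${CANREAD}`; the rewrite relies on `if FileIsReadable "${FILE}"` returning a status, which is not visible in this hunk — confirm the helper returns non-zero for unreadable files, otherwise every file falls through to the grep branch. Finally, the GRUB2 branch still requires `set superusers` and a `password_pbkdf2`/`grub.pbkdf2` line in the same file, so a superusers line in one /etc/grub.d snippet and the password in custom.cfg is reported as unprotected; a comment stating that per-file limitation would help whoever adjusts this next. The enclosing test body starts before this hunk.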