Commit Graph

75 Commits

Author SHA1 Message Date
Florian Sonnenschein 79632bfbe5 - Deleted "filevault_status" variable
- Now checks if "fdesetup" exists
- Add some hardening points (AddHP): 3 of 3 when enabled, 0 of 3, when not.
2024-05-14 16:02:51 +02:00
Florian Sonnenschein 0b7e8c3bfe Added CRYP-7932 to determine if the system has enabled macOS FileVault. 2024-03-11 14:37:07 +01:00
xnoguer 6f1797fb59 Using grep -E 2023-04-23 17:38:21 -04:00
Zachary Lee Andrews 886adae4ef
Use posix egrep options, fixing issue #1166 2021-07-23 22:38:31 -04:00
Nicolai Søborg 3d2f57fe1d
Check MemoryOverwriteRequest Control 2021-03-03 22:38:45 +01:00
Michael Boelen da1c1eca10
Preparation for release 3.0.3 2021-01-07 15:22:19 +01:00
Michael Boelen 01c970f73f
Merge pull request #1044 from delscate/master
Fix wc and head cmd when using busybox
2020-10-22 13:24:56 +02:00
Stéphane 67d04f2536
Add translate function for all sections
+ add EN and FR up to date languages files
2020-10-22 00:13:42 +02:00
Fabien Lehoussel ae7be7599e Fix head cmd with busybox 2020-10-19 15:09:43 +02:00
Michael Boelen c6bd185fd7
Resolved merge conflict 2020-10-02 11:05:04 +02:00
Michael Boelen 768d8a62e8
Updated log 2020-10-02 10:55:36 +02:00
Michael Boelen a1f794cc75
Don't provide suggestion to install pseudo rng at this moment 2020-09-03 10:54:21 +02:00
Michael Boelen 792a202934
Merge pull request #913 from topimiettinen/check-der-certs
[CRYP-7902] Check also certificates in DER format
2020-08-07 11:54:39 +02:00
Steve8291 c02ce49ce3
fix stderr output from cryptsetup status
Redirected stderr to /dev/null to silence output of `cryptsetup status /swap.img`
This was causing error output from my cron script.
Otherwise, if the swap file is not encrypted then the following error will be printed:
`Device swap.img not found`
2020-06-21 10:47:28 -04:00
Topi Miettinen fcdc07f8d9
[CRYP-7902] Check also certificates in DER format
Check also certificates in DER (*.cer, *.der) format. Add
/etc/refind.d/keys to list of certificate paths.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-25 00:06:58 +03:00
Michael Boelen ce3c80b44f
Merge pull request #883 from topimiettinen/check-encrypted-swap-devices
Check if system uses encrypted swap devices
2020-04-12 16:22:22 +02:00
Michael Boelen a166691199
Merge pull request #882 from topimiettinen/check-package-certificates
[CRYP-7902] Check also certificates provided by packages
2020-04-09 11:01:39 +02:00
Martin Churchill e4d491d574
[CRYP-7902] Fixes issue #902
[CRYP-7902] Checks for SSL_CERTIFICATE_PATHS_TO_IGNORE fails to ignore sub-directories #902
2020-04-08 10:02:18 +01:00
Topi Miettinen 9642bcffc8
[CRYP-7902] Optionally check also certificates provided by packages
The package maintainers are not immune to mistakes or they might not
always provide timely updates, so let's check (optionally) more
certificates even if they are delivered by packages.

I found three expired certificates in my Debian/unstable system,
thanks to changed Lynis.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-02 12:52:13 +03:00
Topi Miettinen 5c5cc43c6f
Check if system uses encrypted swap devices
Add test CRYP-7931 to check if the system uses any encrypted swap
devices.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-27 13:05:56 +02:00
Michael Boelen 7bba7bd4af
Removed incorrect process name from list, enable --full as it is required for matching jitterentropy-rngd 2020-03-23 16:13:39 +01:00
Michael Boelen 7d1fe1231a
[CRYP-8005] added haveged, match against process name instead of full command line, code cleanup 2020-03-23 14:29:47 +01:00
Topi Miettinen 26a54991ba
Check for software pseudo random number generators
Check for running audio-entropyd, havegd or jitterentropy-rngd.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-21 16:26:30 +02:00
Michael Boelen 38310223a6
Updated date/year 2020-03-20 14:50:25 +01:00
Michael Boelen 3bbe34ea73
[CRYP-8004] enhanced after pulling in initital test 2020-02-15 14:09:56 +01:00
pyllyukko 40acdc111d
Added CRYP-8004 2020-01-06 21:22:00 +02:00
Michael Boelen 09f29a5e64
Code style improvement: quote argument 2019-12-18 12:17:46 +01:00
Kristian Schuster 62419033f5
fix for #781 - run lsblk without --paths 2019-10-19 00:34:25 +02:00
Kristian Schuster 51d3c56842
crypto-test: suppress errors when devs are not accessible for cryptsetup 2019-09-29 17:44:15 +02:00
Michael Boelen 0d58ee77a0
[CRYP-7930] replaced incorrect PATH column with alternative 2019-09-02 19:20:16 +02:00
Michael Boelen a87c2b10f9
Added CRYP-8002 2019-08-29 10:39:43 +02:00
Michael Boelen 605e515c31
Updated forensics variable 2019-08-21 14:00:20 +02:00
Michael Boelen d395e1a2da
[CRYP-7930] extend test to use cryptsetup/lsblk or crypttab file 2019-08-21 13:50:01 +02:00
Michael Boelen a714568842
Merge pull request #731 from chr0mag/cryp-7930
[CRYP-7930] Modify to use 'lsblk' and 'cryptsetup'
2019-08-21 12:31:36 +02:00
Michael Boelen 9605f0fa80
Combined sort and uniq to sort -u 2019-07-26 15:34:02 +02:00
Julian Phillips e293af16aa Add FOUND var to unset list 2019-07-17 18:01:44 -07:00
Julian Phillips 84dd024887 [CRYP-7930] Modify to use 'lsblk' and 'cryptsetup'
There are several challenges with the existing method of using
/etc/crypttab:

1)encrypted rootfs partitions are not typically listed in this
file (users are prompted for password in early boot instead)

2)the 'luks' option is the default option so it is possible for
/etc/crypttab entries to never have this set explicitly and any
block device configured as such will be missed currently

3)any device mounted manually, or using any other mechanism aside
from /etc/crypttab will be missed

This commit executes 'cryptsetup isLuks' on every block device in
the system to determine whether it is a LUKS device. This handles
all 3 cases mentioned above.

Test case wording was also updated to reflect the fact that it
only checks for LUKS entrypted block devices. So, plain dm-crypt
and TrueCrypt/VeraCrypt block device encryption is not detected.
Nor is any file system level encryption such as eCryptfs, EncFs,
gocryptfs.
2019-07-17 16:18:12 -07:00
Michael Boelen fa8bad20db
Use -n instead of ! -z 2019-07-16 13:20:30 +02:00
Michael Boelen 09d8832a0b
[CRYP-7903] enhanced test to properly work 2019-07-09 11:42:04 +02:00
Michael Boelen 6891f64c39
Added CRYP-7930 2019-07-09 10:33:51 +02:00
Michael Boelen f3f6be6630
Fix for incorrect subdirectory retrieval and adding enhancement to reduce number of evaluations needed 2019-07-08 21:20:45 +02:00
Michael Boelen 2c17c14c3b
New profile option to ignore specified certificate directories 2019-07-08 15:08:56 +02:00
Michael Boelen 66066ae226
Changed year and preparing for new release 2019-01-31 14:47:35 +01:00
Michael Boelen 211fb9117c
[CRYP-7902] - Do prevalidation for certificates before testing them 2018-03-05 11:32:23 +01:00
Michael Boelen 66f8cb2441
Changed year 2018-01-11 09:50:26 +01:00
Michael Boelen c248ab6a16
[CRYP-7902] fix for bourne shell and rewrite 2017-09-06 12:56:32 +02:00
Bruno Vernay 4107d8a461 Support spaces in file names (#444)
File names may contain spaces
2017-08-29 14:32:42 +02:00
Michael Boelen 1190efac2b
[CRYP-7902] add a test to filter out non-certificate files 2017-08-18 19:19:15 +02:00
Michael Boelen 4a673aebc7
[CRYP-7902] certificate validation changed 2017-08-18 14:14:28 +02:00
Michael Boelen 60f94fef47
[CRYP-7902] prevent test from showing error on screen related to wrong certificate file 2017-07-18 11:51:45 +02:00