Florian Sonnenschein
79632bfbe5
- Deleted "filevault_status" variable
...
- Now checks if "fdesetup" exists
- Add some hardening points (AddHP): 3 of 3 when enabled, 0 of 3, when not.
2024-05-14 16:02:51 +02:00
Florian Sonnenschein
0b7e8c3bfe
Added CRYP-7932 to determine if the system has enabled macOS FileVault.
2024-03-11 14:37:07 +01:00
xnoguer
6f1797fb59
Using grep -E
2023-04-23 17:38:21 -04:00
Zachary Lee Andrews
886adae4ef
Use posix egrep options, fixing issue #1166
2021-07-23 22:38:31 -04:00
Nicolai Søborg
3d2f57fe1d
Check MemoryOverwriteRequest Control
2021-03-03 22:38:45 +01:00
Michael Boelen
da1c1eca10
Preparation for release 3.0.3
2021-01-07 15:22:19 +01:00
Michael Boelen
01c970f73f
Merge pull request #1044 from delscate/master
...
Fix wc and head cmd when using busybox
2020-10-22 13:24:56 +02:00
Stéphane
67d04f2536
Add translate function for all sections
...
+ add EN and FR up to date languages files
2020-10-22 00:13:42 +02:00
Fabien Lehoussel
ae7be7599e
Fix head cmd with busybox
2020-10-19 15:09:43 +02:00
Michael Boelen
c6bd185fd7
Resolved merge conflict
2020-10-02 11:05:04 +02:00
Michael Boelen
768d8a62e8
Updated log
2020-10-02 10:55:36 +02:00
Michael Boelen
a1f794cc75
Don't provide suggestion to install pseudo rng at this moment
2020-09-03 10:54:21 +02:00
Michael Boelen
792a202934
Merge pull request #913 from topimiettinen/check-der-certs
...
[CRYP-7902] Check also certificates in DER format
2020-08-07 11:54:39 +02:00
Steve8291
c02ce49ce3
fix stderr output from cryptsetup status
...
Redirected stderr to /dev/null to silence output of `cryptsetup status /swap.img`
This was causing error output from my cron script.
Otherwise, if the swap file is not encrypted then the following error will be printed:
`Device swap.img not found`
2020-06-21 10:47:28 -04:00
Topi Miettinen
fcdc07f8d9
[CRYP-7902] Check also certificates in DER format
...
Check also certificates in DER (*.cer, *.der) format. Add
/etc/refind.d/keys to list of certificate paths.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-25 00:06:58 +03:00
Michael Boelen
ce3c80b44f
Merge pull request #883 from topimiettinen/check-encrypted-swap-devices
...
Check if system uses encrypted swap devices
2020-04-12 16:22:22 +02:00
Michael Boelen
a166691199
Merge pull request #882 from topimiettinen/check-package-certificates
...
[CRYP-7902] Check also certificates provided by packages
2020-04-09 11:01:39 +02:00
Martin Churchill
e4d491d574
[CRYP-7902] Fixes issue #902
...
[CRYP-7902] Checks for SSL_CERTIFICATE_PATHS_TO_IGNORE fails to ignore sub-directories #902
2020-04-08 10:02:18 +01:00
Topi Miettinen
9642bcffc8
[CRYP-7902] Optionally check also certificates provided by packages
...
The package maintainers are not immune to mistakes or they might not
always provide timely updates, so let's check (optionally) more
certificates even if they are delivered by packages.
I found three expired certificates in my Debian/unstable system,
thanks to changed Lynis.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-02 12:52:13 +03:00
Topi Miettinen
5c5cc43c6f
Check if system uses encrypted swap devices
...
Add test CRYP-7931 to check if the system uses any encrypted swap
devices.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-27 13:05:56 +02:00
Michael Boelen
7bba7bd4af
Removed incorrect process name from list, enable --full as it is required for matching jitterentropy-rngd
2020-03-23 16:13:39 +01:00
Michael Boelen
7d1fe1231a
[CRYP-8005] added haveged, match against process name instead of full command line, code cleanup
2020-03-23 14:29:47 +01:00
Topi Miettinen
26a54991ba
Check for software pseudo random number generators
...
Check for running audio-entropyd, havegd or jitterentropy-rngd.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-21 16:26:30 +02:00
Michael Boelen
38310223a6
Updated date/year
2020-03-20 14:50:25 +01:00
Michael Boelen
3bbe34ea73
[CRYP-8004] enhanced after pulling in initital test
2020-02-15 14:09:56 +01:00
pyllyukko
40acdc111d
Added CRYP-8004
2020-01-06 21:22:00 +02:00
Michael Boelen
09f29a5e64
Code style improvement: quote argument
2019-12-18 12:17:46 +01:00
Kristian Schuster
62419033f5
fix for #781 - run lsblk without --paths
2019-10-19 00:34:25 +02:00
Kristian Schuster
51d3c56842
crypto-test: suppress errors when devs are not accessible for cryptsetup
2019-09-29 17:44:15 +02:00
Michael Boelen
0d58ee77a0
[CRYP-7930] replaced incorrect PATH column with alternative
2019-09-02 19:20:16 +02:00
Michael Boelen
a87c2b10f9
Added CRYP-8002
2019-08-29 10:39:43 +02:00
Michael Boelen
605e515c31
Updated forensics variable
2019-08-21 14:00:20 +02:00
Michael Boelen
d395e1a2da
[CRYP-7930] extend test to use cryptsetup/lsblk or crypttab file
2019-08-21 13:50:01 +02:00
Michael Boelen
a714568842
Merge pull request #731 from chr0mag/cryp-7930
...
[CRYP-7930] Modify to use 'lsblk' and 'cryptsetup'
2019-08-21 12:31:36 +02:00
Michael Boelen
9605f0fa80
Combined sort and uniq to sort -u
2019-07-26 15:34:02 +02:00
Julian Phillips
e293af16aa
Add FOUND var to unset list
2019-07-17 18:01:44 -07:00
Julian Phillips
84dd024887
[CRYP-7930] Modify to use 'lsblk' and 'cryptsetup'
...
There are several challenges with the existing method of using
/etc/crypttab:
1)encrypted rootfs partitions are not typically listed in this
file (users are prompted for password in early boot instead)
2)the 'luks' option is the default option so it is possible for
/etc/crypttab entries to never have this set explicitly and any
block device configured as such will be missed currently
3)any device mounted manually, or using any other mechanism aside
from /etc/crypttab will be missed
This commit executes 'cryptsetup isLuks' on every block device in
the system to determine whether it is a LUKS device. This handles
all 3 cases mentioned above.
Test case wording was also updated to reflect the fact that it
only checks for LUKS entrypted block devices. So, plain dm-crypt
and TrueCrypt/VeraCrypt block device encryption is not detected.
Nor is any file system level encryption such as eCryptfs, EncFs,
gocryptfs.
2019-07-17 16:18:12 -07:00
Michael Boelen
fa8bad20db
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
Michael Boelen
09d8832a0b
[CRYP-7903] enhanced test to properly work
2019-07-09 11:42:04 +02:00
Michael Boelen
6891f64c39
Added CRYP-7930
2019-07-09 10:33:51 +02:00
Michael Boelen
f3f6be6630
Fix for incorrect subdirectory retrieval and adding enhancement to reduce number of evaluations needed
2019-07-08 21:20:45 +02:00
Michael Boelen
2c17c14c3b
New profile option to ignore specified certificate directories
2019-07-08 15:08:56 +02:00
Michael Boelen
66066ae226
Changed year and preparing for new release
2019-01-31 14:47:35 +01:00
Michael Boelen
211fb9117c
[CRYP-7902] - Do prevalidation for certificates before testing them
2018-03-05 11:32:23 +01:00
Michael Boelen
66f8cb2441
Changed year
2018-01-11 09:50:26 +01:00
Michael Boelen
c248ab6a16
[CRYP-7902] fix for bourne shell and rewrite
2017-09-06 12:56:32 +02:00
Bruno Vernay
4107d8a461
Support spaces in file names ( #444 )
...
File names may contain spaces
2017-08-29 14:32:42 +02:00
Michael Boelen
1190efac2b
[CRYP-7902] add a test to filter out non-certificate files
2017-08-18 19:19:15 +02:00
Michael Boelen
4a673aebc7
[CRYP-7902] certificate validation changed
2017-08-18 14:14:28 +02:00
Michael Boelen
60f94fef47
[CRYP-7902] prevent test from showing error on screen related to wrong certificate file
2017-07-18 11:51:45 +02:00