* Check that admin principals have disallow_tgt_based attribute
* Check that regular user principals have requires_pre_auth and
disallow_svr attributes
* Check for weak crypto
* Use kdb5_util for this
The Solaris IPS service manager (svcs) is now detected, and services
managed with it are enumerated.
Test BOOT-5184 now runs on Solaris, too, as SysV init scripts are
supported as well, even with IPS. SysV Init has been the traditional
init system on Solaris.
'systemd-analyze security' (available since systemd v240) makes a nice
overall evaluation of hardening levels of services in a system. More
details can be found with 'systemd-analyze security SERVICE' for each
service.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Detect tools for dm-integrity and dm-verity, check if some devices
in /dev/mapper/* use them and especially the system root device.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement
Architecture) status.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Display and log: permissive types (rules are not enforced), unconfined
processes (not confined by rules) and processes with initrc_t
type (generic type with weak rules).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
There are several challenges with the existing method of using
/etc/crypttab:
1)encrypted rootfs partitions are not typically listed in this
file (users are prompted for password in early boot instead)
2)the 'luks' option is the default option so it is possible for
/etc/crypttab entries to never have this set explicitly and any
block device configured as such will be missed currently
3)any device mounted manually, or using any other mechanism aside
from /etc/crypttab will be missed
This commit executes 'cryptsetup isLuks' on every block device in
the system to determine whether it is a LUKS device. This handles
all 3 cases mentioned above.
Test case wording was also updated to reflect the fact that it
only checks for LUKS entrypted block devices. So, plain dm-crypt
and TrueCrypt/VeraCrypt block device encryption is not detected.
Nor is any file system level encryption such as eCryptfs, EncFs,
gocryptfs.
pyllyukko
gonzalo
Michael Boelen
rpmbuild
xnoguer
Steve Kolenich
Christian Bourque
Simon Biewald
Thomas Sjögren
Stéphane
Topi Miettinen
Brian Ginsbach
Kevin
Kristian Schuster
Julian Phillips