Package: lynis
Version: 1.4.4-1
Severity: wishlist

Dear Maintainer,
I've created a small function that tests for encrypted partitions via dm-crypt, cryptsetup and rudimentary support for partitions mounted via cryptmount. Unlike my earlier suggestion for the detection of Ecryptfs usage, I did not include these functions in the tests_filesystems and binaries files. As the Ecryptfs tests have not been accepted upstream, I wondered if it wouldn't be more prudent to put the functions into tests_custom. The existence of automated support for this file (if it exists) makes it easier for us to include custom features with Lynis on Debian that can be submitted for consideration as one file, rather than as a few patches. This may make it easier for the maintainers to keep track of what is done locally for Debian. At least that is what I was thinking....

If this is a good idea, should I update this file to include the tests done for Ecryptfs and remove it from the other files? Or if it isn't a good idea, should I rewrite these functions to be patches for the binaries and tests_filesystems files?

I've tested this version of tests_custom on:
- Sid with Lynis version 1.4.4
- Jessie with Lynis version 1.4.0

Appears to work just fine with my limited testing.

Thanks for considering this submission,
Dave V.

-- System Information:
Debian Release: sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

lynis depends on no packages.

Versions of packages lynis recommends:
pn  menu  <none>

Versions of packages lynis suggests:
ii  dnsutils  1:9.9.5.dfsg-2

-- no debconf information

--
Dave Vehrs dve...@gmail.com
#!/bin/sh
#################################################################################
#
#    Lynis
# ------------------
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# This has already been inserted, but you might reuse it to split your tests
# InsertSection "Custom Checks"
#
#################################################################################
# Start by scanning for any tools that will be needed for later custom tests.
# This is predominantly a copy of the function from the binaries file with a
# shorter list of files to look for.
#
# Some of the files we search for here are repeated checks from the default
# tests, but we look for them again due to local function dependencies. It's a
# tiny redundancy that doesn't slow the tests down significantly.
#
    # Test        : CUS-0001
    # Description : Check for system binaries
    # Notes       : Always perform test, other tests depend on it.
    Register --test-no CUS-0001 --weight L --network NO --description "Check for system binaries"
    SCANNEDPATHS=""; N=0
    Display --indent 2 --text "- Checking for system binaries that are needed by custom tests..."
    logtext "Status: Starting binary scan..."
    for SCANDIR in ${BINPATHS}; do
        logtext "Test: Checking binaries in directory ${SCANDIR}"
        if [ -d "${SCANDIR}" ]; then
            Display --indent 4 --text "- Checking ${SCANDIR}... " --result FOUND --color GREEN
            SCANNEDPATHS="${SCANNEDPATHS}, ${SCANDIR}"
            logtext "Directory ${SCANDIR} exists. Starting directory scanning..."
            FIND=`ls ${SCANDIR}`
            for I in ${FIND}; do
                N=`expr ${N} + 1`
                BINARY="${SCANDIR}/${I}"
                logtext "Binary: ${BINARY}"
                # Optimized, much quicker (limited file access needed)
                case ${I} in
                    cryptmount)  CRYPTMOUNTFOUND=1; CRYPTMOUNTBINARY="${BINARY}"; logtext "  Found known binary: cryptmount (Encryption tool) - ${BINARY}" ;;
                    cryptsetup)  CRYPTSETUPFOUND=1; CRYPTSETUPBINARY="${BINARY}"; logtext "  Found known binary: cryptsetup (Encryption tool) - ${BINARY}" ;;
                    lvdisplay)   LVDISPLAYBINARY="${BINARY}";                    logtext "  Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
                    mount)       MOUNTBINARY="${BINARY}";                        logtext "  Found known binary: mount (File system tool) - ${BINARY}" ;;
                esac
            done
        else
            Display --indent 4 --text "- Checking ${SCANDIR}... " --result "NOT FOUND" --color WHITE
            logtext "Directory ${SCANDIR} does NOT exist."
        fi
        logtextbreak
    done
    SCANNEDPATHS=`echo ${SCANNEDPATHS} | sed 's/^, //g'`
    logtext "Discovered directories: ${SCANNEDPATHS}"
    logtext "CUS-0001 Result: found ${N} binaries"
    # report "binaries_count=${N}"
#
#################################################################################
#
    Display --indent 2 --text "- File System Checks:"
    logtext "Status: Starting file system checks..."
#
#################################################################################
#
    Display --indent 4 --text "- DM-Crypt, Cryptsetup & Cryptmount:"
    logtext "Status: Starting file system checks for dm-crypt, cryptsetup & cryptmount..."
    # Should this test only be run on Linux? And should we test for the OS
    # before running these tests? Or is it enough to test for the binaries?
    #
    # Test        : CUS-0100
    # Description : Checking if LVM groups or file systems are stored on encrypted
    #               partitions (dm-crypt, cryptsetup & cryptmount)
    if [ -n "${MOUNTBINARY}" ] && [ -n "${LVDISPLAYBINARY}" ] && [ -n "${CRYPTSETUPBINARY}" ]; then
        PREQS_MET="YES"
    else
        PREQS_MET="NO"
    fi
    Register --test-no CUS-0100 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking if LVM volume groups or file systems are stored on encrypted partitions"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Checking file system mount points"
        # Drop pseudo file systems by name. This needs alternation (grep -E); a
        # bracket expression such as "^[sysfs|proc|...]" would match any line
        # starting with one of those single characters instead.
        FIND=`${MOUNTBINARY} 2> /dev/null | grep -vE "^(sysfs|proc|udev|devpts|tmpfs|binfmt_misc|fusectl|none|systemd)" | grep -v ecryptfs | awk '{ print $1 ":" $3 }'`
        TESTED_LIST=""
        if [ -n "${FIND}" ]; then
            logtext "Result: found one or more file system mount points"
            for I in ${FIND}; do
                # physical device
                PDEV=${I%:*}
                # Mount Point
                MOUNTPOINT=${I#*:}
                # Test if we've already checked this physical device. If we are
                # using bind mounts to mitigate issues with read-only file
                # systems or to expand the size of one partition by bind
                # mounting a directory to space on another drive, then the bind
                # mounts can cause a physical device to appear multiple times in
                # the output of 'mount'. This test makes sure we only test
                # whether or not it is encrypted one time.
                #
                # As far as I know there is no way to have the bind mounts not
                # listed in /etc/mtab, /proc/mounts, or the output of mount,
                # because the kernel does not distinguish between bind and
                # other mounts. To the kernel, it's just another mounted
                # file system.
                #
                # Normal file systems are listed by 'mount' generally before
                # those bind mounted on my systems, so forgoing a '| sort' on
                # the FIND command appears to make sure that the mount points we
                # care about are listed first and the bind second (which can
                # and will be ignored in this test).
                #
                # The list is comma-delimited and matched exactly, so that
                # /dev/sda1 is not mistaken for an already tested /dev/sda10.
                case ",${TESTED_LIST}," in
                    *",${PDEV},"*)
                        # already tested this physical device, moving on to the
                        # next item on the list.
                        logtext "- For ${MOUNTPOINT}: Already tested ${PDEV}, assuming bind mount and skipping."
                        continue
                        ;;
                esac
                logtext "Testing file system mount point: ${PDEV}"
                case "${PDEV}" in
                    /dev/mapper/*)
                        TEST_DEVICE=`${LVDISPLAYBINARY} -m ${PDEV} 2>/dev/null`
                        exitstatus=$?
                        if [ ${exitstatus} -ne 0 ]; then
                            # If lvdisplay has a failing exit status, assign
                            # PDEV as DEVICE. Some partitions will be mounted
                            # through /dev/mapper mappings but not be part of
                            # LVM groups.
                            DEVICE=${PDEV}
                        else
                            # If lvdisplay does not have a failing exit status,
                            # then take the physical volume named in the first
                            # segment of its output as DEVICE.
                            DEVICE=`echo "${TEST_DEVICE}" | awk '/Physical volume/ { print $3; exit }'`
                        fi
                        ;;
                    *)
                        DEVICE=${PDEV}
                        ;;
                esac
                CRYPT=`${CRYPTSETUPBINARY} status ${DEVICE} 2>/dev/null`
                exitstatus=$?
                # It is possible that multiple partitions may be included within
                # the same group (for LVM) and that group container may or may
                # not be encrypted. If that is so, you will gain or
                # lose hardening points for each partition in the group, just
                # as you would if they were individual partitions on the hard
                # drive.
                #
                # Tests only apply to those partitions that are mounted when
                # Lynis is run. You will not gain or lose points for any
                # partitions that are not mounted.
                if [ ${exitstatus} -eq 0 ]; then
                    # The "type:" line of the status output names the dm-crypt
                    # format (for example LUKS1); it is read field by field so
                    # that the surrounding whitespace does not matter.
                    TYPE=`echo "${CRYPT}" | awk '$1 == "type:" { print $2 }'`
                    if [ "a${TYPE}a" = "aa" ]; then
                        # Partitions mounted via cryptmount will pass cryptsetup
                        # with a valid exit status and will show as "active" but
                        # will not show a type, cipher or other descriptions.
                        #
                        # We do not add a hardening point because this result is
                        # not definite but only possible. Display output is
                        # yellow to alert the user so they can manually check
                        # it.
                        AddHP 0 1
                        if [ -n "${CRYPTMOUNTBINARY}" ]; then
                            # if cryptsetup exits with a valid exit status and
                            # cryptmount is installed, then that may explain why
                            # we are unable to determine the type from
                            # cryptsetup's output.
                            Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "Possible Cryptmount Usage" --color YELLOW
                        else
                            # if cryptsetup exits with a valid exit status but
                            # cryptmount is not installed then Display informs
                            # the user that the test is uncertain of the
                            # encryption status of the partition or drive. It
                            # will be up to the user to determine its status.
                            Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "Unknown Encryption Status" --color YELLOW
                        fi
                    else
                        # cryptsetup exited with a valid exit status (0) and we
                        # were able to determine the type of encryption used
                        # from its output.
                        AddHP 1 1
                        Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "ENCRYPTED (Type: ${TYPE})" --color GREEN
                    fi
                else
                    # if cryptsetup exits with a non-zero exit status, then the
                    # drive or partition has not been encrypted in a manner that
                    # cryptsetup can detect. For the purposes of this test, it
                    # is considered to be not encrypted.
                    if [ ! "${MOUNTPOINT}" = "/boot" ]; then
                        AddHP 0 1
                        Display --indent 6 --text "- Checking ${MOUNTPOINT} on ${DEVICE}" --result "NOT ENCRYPTED" --color WHITE
                    else
                        # /boot is generally not encrypted. We should test to see
                        # that it is on its own partition. Also might test if
                        # it is mounted read-only?
                        Display --indent 6 --text "- Checking /boot on ${DEVICE}" --result "NOT ENCRYPTED" --color WHITE
                    fi
                fi
                # add physical device to the tested list.
                TESTED_LIST="${TESTED_LIST},${PDEV}"
            done
        else
            Display --indent 6 --text "- No file system mount points found" --result ERROR --color RED
        fi
    fi
    logtextbreak
#
#################################################################################
#
# wait_for_keypress
#
#================================================================================
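The decision logic of CUS-0100, pulled out into stand-alone POSIX sh functions so the three outcomes (encrypted, possible cryptmount, not encrypted), the pseudo file system filter and the bind-mount de-duplication can be exercised offline without Lynis. This is an added example, not code from the bug report or from Lynis; the mount table and the emulated cryptsetup replies are constructed and the device names are assumed.

```shell
# Constructed sample of `mount` output (not captured from a real host).
SAMPLE_MOUNT='sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
/dev/mapper/sda5_crypt on / type ext4 (rw,relatime)
/dev/sda1 on /boot type ext2 (rw,relatime)
/dev/sda10 on /srv type ext4 (rw,relatime)
/dev/mapper/cm_data on /home type ext4 (rw,relatime)
/dev/sda1 on /mnt/boot-copy type ext2 (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime)'
# Emulated `cryptsetup status DEVICE` (assumed replies): a LUKS mapping reports a
# "type:" line, a cryptmount-managed mapping is active without one, and anything
# else is inactive with a non-zero exit status.
fake_cryptsetup_status() {
    case "$1" in
        /dev/mapper/sda5_crypt)
            printf '%s\n' "$1 is active and is in use." "  type:    LUKS1" "  cipher:  aes-xts-plain64" ;;
        /dev/mapper/cm_data) printf '%s\n' "$1 is active." ;;
        *) printf '%s\n' "$1 is inactive."; return 4 ;;
    esac
}
# device:mountpoint pairs with pseudo file systems dropped. Alternation (-E) is
# required; "^[sysfs|proc|...]" would be a bracket expression matching single characters.
mounted_devices() {
    printf '%s\n' "$SAMPLE_MOUNT" \
        | grep -vE '^(sysfs|proc|udev|devpts|tmpfs|binfmt_misc|fusectl|none|systemd)' \
        | grep -v ecryptfs | awk '{ print $1 ":" $3 }'
}
# Exact comma-delimited membership test, so /dev/sda1 does not match /dev/sda10.
already_tested() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}
# The three outcomes of CUS-0100: cryptsetup fails -> NOT ENCRYPTED; succeeds with a
# "type:" line -> ENCRYPTED; succeeds without one -> possible cryptmount, unknown.
crypt_status() {
    out=$(fake_cryptsetup_status "$1") || { echo "NOT ENCRYPTED"; return; }
    type=$(printf '%s\n' "$out" | awk '$1 == "type:" { print $2 }')
    if [ -z "$type" ]; then echo "UNKNOWN (possible cryptmount)"; else echo "ENCRYPTED ($type)"; fi
}
# Visit each physical device once; a repeated device is treated as a bind mount.
scan() {
    tested=""
    for pair in $(mounted_devices); do
        dev=${pair%:*}; mp=${pair#*:}
        already_tested "$tested" "$dev" && continue
        tested="$tested,$dev"
        echo "$mp $dev $(crypt_status "$dev")"
    done
}
```

Running `scan` prints one line per physical device; the second /dev/sda1 entry (the bind mount) is skipped and the two pseudo file systems never reach cryptsetup.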