Commit graph

138 commits

Author SHA1 Message Date
Michael Boelen
ce3c80b44f
Merge pull request #883 from topimiettinen/check-encrypted-swap-devices
Check if system uses encrypted swap devices
2020-04-12 16:22:22 +02:00
Michael Boelen
c5914c4e0f
Split count values so they are reported as individual items 2020-04-01 11:48:39 +02:00
Topi Miettinen
179f7d3442
Enhance binaries report
Report also number of set-uid and set-gid binaries found.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-31 19:09:57 +03:00
Brian Ginsbach
2b1d5fa46f Add NetBSD pkgsrc pkg_info to known binaries
The NetBSD pkgsrc package management system uses pkg_info for
determining information about packages. This is also the command
used in PKGS-7302.
2020-03-30 14:09:28 -05:00
Topi Miettinen
5c5cc43c6f
Check if system uses encrypted swap devices
Add test CRYP-7931 to check if the system uses any encrypted swap
devices.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-27 13:05:56 +02:00
Michael Boelen
3c3feecbfb
Merge pull request #824 from Varbin/master
Add detection of OpenNTPD
2020-03-24 13:29:02 +01:00
Michael Boelen
dbfadc5446
Merge pull request #879 from topimiettinen/enhance-tomoyo-check
Enhance TOMOYO Linux check
2020-03-24 13:26:33 +01:00
Topi Miettinen
e09fe98b89 Enhance TOMOYO Linux check
Count and log unconfined processes, which are not using policy
profile 3.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-23 18:44:21 +02:00
Topi Miettinen
8913374092 Run 'systemd-analyze security'
'systemd-analyze security' (available since systemd v240) makes a nice
overall evaluation of hardening levels of services in a system. More
details can be found with 'systemd-analyze security SERVICE' for each
service.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-23 17:31:32 +02:00
Michael Boelen
32cefdea0a
Merge pull request #878 from topimiettinen/check-ima-evm
Check IMA/EVM, dm-integrity and dm-verity statuses
2020-03-23 13:18:16 +01:00
Topi Miettinen
8ea39314f2
Check for dm-integrity and dm-verity
Detect tools for dm-integrity and dm-verity, check if some devices
in /dev/mapper/* use them and especially the system root device.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-23 10:35:38 +02:00
Topi Miettinen
203a4d3480
Check IMA/EVM status
Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement
Architecture) status.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-22 11:21:52 +02:00
Topi Miettinen
4a51ad031b
Check password hashing methods
Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-21 12:50:38 +02:00
Michael Boelen
38310223a6
Updated date/year 2020-03-20 14:50:25 +01:00
Michael Boelen
8c0b42cdae
Merge pull request #861 from topimiettinen/enhance-selinux-check
Enhance SELinux checks
2020-03-20 14:00:57 +01:00
Topi Miettinen
820d2ec607
Check DNSSEC status with resolvectl when available
'resolvectl statistics' shows if DNSSEC is supported by
systemd-resolved and upstream DNS servers.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-19 23:56:24 +02:00
Topi Miettinen
fb9cdb5c43
Enhance SELinux checks
Display and log: permissive types (rules are not enforced), unconfined
processes (not confined by rules) and processes with initrc_t
type (generic type with weak rules).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-19 19:45:37 +02:00
Michael Boelen
d1db448c51
Skip pacman when it is the game instead of package manager 2020-03-17 13:02:59 +01:00
Kevin
42b2831f75 add basic xbps/void support 2020-02-21 08:06:24 +01:00
Simon Biewald
c58e296bd3
add openntpd detection and a few tests for it 2020-01-08 18:53:15 +01:00
Michael Boelen
f00447fd1b
Style change, add curly brackets 2019-12-06 15:55:59 +01:00
Kristian Schuster
4898e48e16
don't fail relative paths check with spaces in PATH 2019-10-22 21:43:37 +02:00
Kristian Schuster
7b52ff52c7
add check for disabled coredumps in etc/profile and systemd 2019-10-13 22:06:50 +02:00
Michael Boelen
a1b6d463b2
Fixed a typo 2019-09-21 16:31:06 +02:00
Michael Boelen
36627a4eb7
Style improvements 2019-09-19 14:05:15 +02:00
Michael Boelen
5c38a0bdb4
Tests using lsof may ignore threads (if supported) 2019-09-13 11:47:39 +02:00
Michael Boelen
a714568842
Merge pull request #731 from chr0mag/cryp-7930
[CRYP-7930] Modify to use 'lsblk' and 'cryptsetup'
2019-08-21 12:31:36 +02:00
Michael Boelen
48ba463376
Added support for swupd (Clear Linux OS) 2019-08-04 19:37:55 +02:00
Julian Phillips
84dd024887 [CRYP-7930] Modify to use 'lsblk' and 'cryptsetup'
There are several challenges with the existing method of using
/etc/crypttab:

1)encrypted rootfs partitions are not typically listed in this
file (users are prompted for password in early boot instead)

2)the 'luks' option is the default option so it is possible for
/etc/crypttab entries to never have this set explicitly and any
block device configured as such will be missed currently

3)any device mounted manually, or using any other mechanism aside
from /etc/crypttab will be missed

This commit executes 'cryptsetup isLuks' on every block device in
the system to determine whether it is a LUKS device. This handles
all 3 cases mentioned above.

Test case wording was also updated to reflect the fact that it
only checks for LUKS entrypted block devices. So, plain dm-crypt
and TrueCrypt/VeraCrypt block device encryption is not detected.
Nor is any file system level encryption such as eCryptfs, EncFs,
gocryptfs.
2019-07-17 16:18:12 -07:00
Michael Boelen
fa8bad20db
Use -n instead of ! -z 2019-07-16 13:20:30 +02:00
Michael Boelen
96434508d4
Disable testing for other tools, as xxd is not present on all systems by default 2019-07-14 12:18:22 +02:00
Michael Boelen
c639cb4f6e
Only check empty binaries when we did a full scan, as for some commands the binary scanning is not performed 2019-07-05 18:37:10 +02:00
Michael Boelen
bc88775d0e
When PATH is defined, only locations from variable 2019-07-01 07:39:32 +02:00
Michael Boelen
fdacc00b45
Security: test PATH and warn or exit on discovery of dangerous location 2019-06-30 19:21:07 +02:00
Michael Boelen
5e4e44bdf3
Added check to ensure that common system tools are defined as extra safety measure 2019-06-30 18:27:31 +02:00
Michael Boelen
94e0a4e40d
Added Suricata (IDS) 2019-06-24 15:38:34 +02:00
Michael Boelen
8d16a62bbd
Added Bro (IDS) 2019-06-24 15:37:40 +02:00
Michael Boelen
e195e7c8e0
Corrected lsvg binary detection 2019-04-09 08:26:16 +02:00
Michael Boelen
2750e9b7b8
Detect equery binary 2019-04-07 15:50:46 +02:00
Michael Boelen
de2ef2c3e7
Add apt and dpkg binaries 2019-03-29 12:23:45 +01:00
Michael Boelen
703a856e82
Corrected blkid detection 2019-03-14 13:15:07 +01:00
chr0mag
341612418f BOOT-5117 adds systemd-boot bootloader detection (#634)
Adds a test to detect systemd-boot. The 'bootctl' binary is also
added as this is the utility used to inspect the systemd-boot
configuration.

This test is only executed if systemd is installed, the bootctl
utility exists and the system is booted in UEFI mode.
2019-03-07 10:07:52 +01:00
jirib
0dafe4a02b better OpenBSD support (#641) 2019-03-05 19:03:44 +01:00
Michael Boelen
66066ae226
Changed year and preparing for new release 2019-01-31 14:47:35 +01:00
theycallhimpat
0f32d2725c Fix printed error when wget comes from busybox (#602)
Busybox's wget does't provide the -V parameter to get the version, so
redirect stderr to /dev/null to hide the printed error message
2018-12-17 09:53:27 +01:00
Deon Spengler
72796f5757 Added support for TOMOYO Linux Mandatory Access Control (#589)
* Added binary for TOMOYO Linux

* Added support for TOMOYO Linux Mandatory Access Control
2018-10-17 14:20:52 +02:00
Michael Boelen
c53072e31e
Ensure a parent directory with binaries is scanned - issue #517 on GitHub 2018-02-06 10:45:41 +01:00
Michael Boelen
7b664a7560
Reverse PATH search 2018-01-25 19:43:51 +01:00
Michael Boelen
3a4bc4db9c
Use binary paths from both PATH and predefined list to improve detection on all platforms 2018-01-25 19:14:58 +01:00
Dave Vehrs
8f689d4723 Adding USBGuard to checks for USB Devices. (#499)
* Added kernel.dmesg_restrict to sysctl checks.

* Initial addition of tests_usb_devices

* More updates for tests_usb_devices

* More updates

* Updated logging and other output.
2018-01-24 19:29:50 +01:00