"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "include/tests_filesystems" between
lynis-3.0.5.tar.gz and lynis-3.0.6.tar.gz

About: Lynis is a security and system auditing tool.

tests_filesystems  (lynis-3.0.5):tests_filesystems  (lynis-3.0.6)
skipping to change at line 342 skipping to change at line 342
#ReportWarning "${TEST_NO}" "Possible incorrect mount options used f or swap partition (${FIND})" #ReportWarning "${TEST_NO}" "Possible incorrect mount options used f or swap partition (${FIND})"
ReportSuggestion "${TEST_NO}" "Check your /etc/fstab file for swap p artition mount options" ReportSuggestion "${TEST_NO}" "Check your /etc/fstab file for swap p artition mount options"
LogText "Notes: usually swap partition have 'sw' or 'swap' in the op tions field (4th)" LogText "Notes: usually swap partition have 'sw' or 'swap' in the op tions field (4th)"
fi fi
fi fi
# #
################################################################################ # ################################################################################ #
# #
# Test : FILE-6344 # Test : FILE-6344
# Description : Check proc mount options (Linux >=3.3 only) # Description : Check proc mount options (Linux >=3.3 only)
# hidepid textual values available kernel >= 5.8 only)
# Examples : proc /proc proc defaults,hidepid=2 0 0 # Examples : proc /proc proc defaults,hidepid=2 0 0
# Goal : Users should not be able to see processes of other users # Goal : Users should not be able to see processes of other users
if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $ 1}') LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $ 1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $ 2}') LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $ 2}')
if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; t hen PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; t hen PREQS_MET="YES"; else PREQS_MET="NO"; fi
else else
PREQS_MET="NO"; PREQS_MET="NO";
fi fi
fi fi
Register --test-no FILE-6344 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking proc mount options" Register --test-no FILE-6344 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking proc mount options"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least # Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
# https://www.kernel.org/doc/html/latest/filesystems/proc.html#chapter-4 -configuring-procfs
LogText "Test: check proc mount with incorrect mount options" LogText "Test: check proc mount with incorrect mount options"
FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY
} -o "hidepid=[0-9]") } -o "hidepid=([0-9]|[a-z][a-z]*)")
if [ "${FIND}" = "hidepid=2" ]; then if [ "${FIND}" = "hidepid=4" -o "${FIND}" = "hidepid=ptraceable" ]; then
# https://lwn.net/Articles/817137/
Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
LogText "Result: proc mount mounted with hidepid=2" LogText "Result: proc mount mounted with ${FIND}"
AddHP 3 3 AddHP 3 3
elif [ "${FIND}" = "hidepid=1" ]; then elif [ "${FIND}" = "hidepid=2" -o "${FIND}" = "hidepid=invisible" ]; the n
Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
LogText "Result: proc mount mounted with hidepid=1" LogText "Result: proc mount mounted with ${FIND}"
AddHP 3 3
elif [ "${FIND}" = "hidepid=1" -o "${FIND}" = "hidepid=noaccess" ]; then
Display --indent 2 --text "- Testing /proc mount (hidepid)" --result
"${STATUS_OK}" --color GREEN
LogText "Result: proc mount mounted with ${FIND}"
AddHP 2 3 AddHP 2 3
elif [ -z "${FIND}" ]; then elif [ -z "${FIND}" ]; then
# HIDEPID1_SUGGESTION=" (or at least hidepid=1)" # HIDEPID1_SUGGESTION=" (or at least hidepid=1)"
AddHP 0 3 AddHP 0 3
Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: /proc filesystem is not mounted with option hidepid =1 or hidepid=2" LogText "Result: /proc filesystem is not mounted with option hidepid =1 or hidepid=2"
# TODO ReportSuggestion "${TEST_NO}" "Consider mounting /proc via /e tc/fstab with mount option hidepid=2" "/proc" "-" # TODO ReportSuggestion "${TEST_NO}" "Consider mounting /proc via /e tc/fstab with mount option hidepid=2" "/proc" "-"
fi fi
fi fi
# #
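Review bot: A /proc mounted with `hidepid=0` or `hidepid=off` still falls through the if/elif chain with no Display, LogText or AddHP call, because the widened regex `hidepid=([0-9]|[a-z][a-z]*)` now makes FIND non-empty for those values while the last branch only tests `-z "${FIND}"`. The audit then reports nothing for a host that is explicitly not hiding other users' processes. The same silent path is probably taken when `mount` lists more than one proc mount and FIND becomes multi-line. I would turn the final `elif [ -z "${FIND}" ]; then` into a plain `else` and log what was seen, e.g. `LogText "Result: /proc filesystem is not mounted with a restrictive hidepid option (found: ${FIND:-none})"`, so every unlisted value scores `AddHP 0 3` and shows the suggestion.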
 End of changes. 6 change blocks. 
6 lines changed or deleted 14 lines changed or added
