Bug#741876: Lynis: Testing for Encrypted Partitions (via dm-crypt, cryptsetup)

2014-03-27 Thread Francisco Manuel Garcia Claramonte
Hello Dave,
First of all thank you for your contribution.

I am reviewing your proposal with the upstream developer and testing for
Debian inclusion.
And I am thinking about the possibility of including these kinds of tests by
creating plugin files. I'll tell you soon.

I hope to have finished in a few days.

Regards,
Francisco.



On Sun, 16-03-2014 at 13:43 -0600, Dave Vehrs wrote:
 Package: lynis
 Version: 1.4.4-1
 Severity: wishlist
 
 Dear Maintainer,
 
 I've created a small function that tests for encrypted partitions via
 dm-crypt, cryptsetup and rudimentary support for partitions mounted via
 cryptmount.
 
 Unlike my earlier suggestion for the detection of Ecryptfs usage, I did not
 include these functions in the tests_filesystems and binaries files.  As
 the Ecryptfs tests have not been accepted upstream, I wondered if it
 wouldn't be more prudent to put the functions into tests_custom.  The
 existence of automated support for this file (if it exists) makes it
 easier for us to include custom features with Lynis on Debian that can
 be submitted for consideration as one file.  Rather than as a few
 patches.  This may make it easier for the maintainers to keep track of
 what is done locally for Debian.  At least that is what I was thinking.
 
 If this is a good idea, should I update this file to include the tests
 done for Ecryptfs and remove it from the other files?
 
 Or if it isn't a good idea, should I rewrite these functions to be
 patches for the binaries and tests_filesystems files?
 
 I've tested this version of tests_custom on:
   - Sid with Lynis version 1.4.4
   - Jessie with Lynis version 1.4.0
 
 Appears to work just fine with my limited testing.
 
 Thanks for considering this submission,
 
 Dave V.
 
 
 -- System Information:
 Debian Release: sid
   APT prefers unstable
   APT policy: (500, 'unstable'), (1, 'experimental')
 Architecture: amd64 (x86_64)
 Foreign Architectures: i386
 
 Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 lynis depends on no packages.
 
 Versions of packages lynis recommends:
 pn  menu  none
 
 Versions of packages lynis suggests:
 ii  dnsutils  1:9.9.5.dfsg-2
 
 -- no debconf information
 

-- 
Francisco M. García Claramonte 
Debian GNU/Linux Developer franci...@debian.org
GPG: public key ID 556ABA51
http://people.debian.org/~francisco/





Bug#741876: Lynis: Testing for Encrypted Partitions (via dm-crypt, cryptsetup)

2014-03-16 Thread Dave Vehrs
Package: lynis
Version: 1.4.4-1
Severity: wishlist

Dear Maintainer,

I've created a small function that tests for encrypted partitions via
dm-crypt, cryptsetup and rudimentary support for partitions mounted via
cryptmount.

Unlike my earlier suggestion for the detection of Ecryptfs usage, I did not
include these functions in the tests_filesystems and binaries files.  As
the Ecryptfs tests have not been accepted upstream, I wondered if it
wouldn't be more prudent to put the functions into tests_custom.  The
existence of automated support for this file (if it exists) makes it
easier for us to include custom features with Lynis on Debian that can
be submitted for consideration as one file.  Rather than as a few
patches.  This may make it easier for the maintainers to keep track of
what is done locally for Debian.  At least that is what I was thinking.

If this is a good idea, should I update this file to include the tests
done for Ecryptfs and remove it from the other files?

Or if it isn't a good idea, should I rewrite these functions to be
patches for the binaries and tests_filesystems files?

I've tested this version of tests_custom on:
- Sid with Lynis version 1.4.4
- Jessie with Lynis version 1.4.0

Appears to work just fine with my limited testing.

Thanks for considering this submission,

Dave V.


-- System Information:
Debian Release: sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

lynis depends on no packages.

Versions of packages lynis recommends:
pn  menu  none

Versions of packages lynis suggests:
ii  dnsutils  1:9.9.5.dfsg-2

-- no debconf information

-- 
Dave Vehrs  dve...@gmail.com

#!/bin/sh

#
#
#   Lynis
# --
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#
#
#This has already been inserted, but you might reuse it to split your tests
#InsertSection Custom Checks
#
#
# Start by scanning for any tools that will be needed for later custom tests.
# This is predominately a copy of the function from the binaries file with a
# shorter list of files to look for.
#
# Some of the files we search for here are repeated checks from the default
# tests, but we look for them again due to local function dependencies.  It's a
# tiny redundancy that doesn't slow the tests up significantly.

# Test: CUS-0001
# Description : Check for system binaries
# Notes   : Always perform test, other tests depend on it.
Register --test-no CUS-0001 --weight L --network NO --description "Check for system binaries"
SCANNEDPATHS=""; N=0
Display --indent 2 --text "- Checking for system binaries that are needed by custom tests..."
logtext "Status: Starting binary scan..."
# Walk every directory in BINPATHS and record the tools the custom tests rely on.
for SCANDIR in ${BINPATHS}; do
    logtext "Test: Checking binaries in directory ${SCANDIR}"
    if [ -d ${SCANDIR} ]; then
        Display --indent 4 --text "- Checking ${SCANDIR}... " --result FOUND --color GREEN
        SCANNEDPATHS="${SCANNEDPATHS}, ${SCANDIR}"
        logtext "Directory ${SCANDIR} exists. Starting directory scanning..."
        FIND=`ls ${SCANDIR}`
        for I in ${FIND}; do
            N=`expr ${N} + 1`
            BINARY="${SCANDIR}/${I}"
            logtext "Binary: ${BINARY}"
            # Optimized, much quicker (limited file access needed)
            case ${I} in
                cryptmount) CRYPTMOUNTFOUND=1; CRYPTMOUNTBINARY="${BINARY}"; logtext "  Found known binary: cryptmount (Encryption tool) - ${BINARY}" ;;
                cryptsetup) CRYPTSETUPFOUND=1; CRYPTSETUPBINARY="${BINARY}"; logtext "  Found known binary: cryptsetup (Encryption tool) - ${BINARY}" ;;
                lvdisplay)  LVDISPLAYBINARY="${BINARY}";                     logtext "  Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
                mount)      MOUNTBINARY="${BINARY}";                         logtext "  Found known binary: mount (File system tool) - ${BINARY}" ;;