Package: lynis
Version: 1.3.9-1
Severity: normal

Dear Maintainer,

I've put together a pair of short patches for your consideration. The patches add tests that check whether Ecryptfs is installed and, if it is, whether ecryptfs-migrate-home (or another method) has been used to configure each user's home directory (UID >= 500 && != 65534) to use it.

I believe the use of Ecryptfs could be valuable for anyone using a laptop or any system with multiple users. This could add to the hardened status of the system that Lynis is testing for many users.

The patch I've worked up is missing a test number (FILE-####) that the other tests have and may need to be submitted upstream to get one.

What do you think, would this be a worthwhile addition to Lynis?

Thanks,

Dave Vehrs

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

lynis depends on no packages.

Versions of packages lynis recommends:
ii  menu  2.1.46

Versions of packages lynis suggests:
ii  dnsutils  1:9.8.4.dfsg.P1-6+nmu3

-- no debconf information

--
Dave Vehrs                           dve...@gmail.com

--- binaries.orig	2014-01-27 17:31:06.193667725 -0700
+++ binaries	2014-01-28 20:24:33.913326347 -0700
@@ -69,6 +69,8 @@
                         dig)                    if [ -f ${BINARY} ]; then DIGFOUND=1;                          DIGBINARY=${BINARY};                   logtext "  Found known binary: dig (network/dns tool) - ${BINARY}";                                    fi ;;
                         dnsdomainname)          DNSDOMAINNAMEFOUND=1;  DNSDOMAINNAMEBINARY="${BINARY}";                                               logtext "  Found known binary: dnsdomainname (DNS domain) - ${BINARY}"                                    ;;
                         domainname)             DOMAINNAMEFOUND=1;     DOMAINNAMEBINARY="${BINARY}";                                                  logtext "  Found known binary: domainname (NIS domain) - ${BINARY}"                                       ;;
+                        ecryptfsd)              ECRYPTFSDFOUND=1;      ECRYPTFSDBINARY="${BINARY}";                                                   logtext "  Found known binary: ecryptfsd (Layered Encryption) - ${BINARY}"                     ;;
+                        ecryptfs-migrate-home)  ECRYPTFSMIGRATEFOUND=1; ECRYPTFSMIGRATEBINARY=${BINARY};                                              logtext "  Found known binary: ecryptfs-migrate-home (Layered Encryption) - ${BINARY}"                     ;;
                         exim)                   EXIMFOUND=1;           EXIMBINARY="${BINARY}";                 EXIMVERSION=`${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; logtext "Found ${BINARY} (version ${EXIMVERSION})"               ;;
                         find)                   FINDFOUND=1;           FINDBINARY="${BINARY}";                                                        logtext "  Found known binary: find (search tool) - ${BINARY}"                                            ;;
                         g++)                    GPLUSPLUSFOUND=1;      GPLUSPLUSBINARY="${BINARY}";            COMPILER_INSTALLED=1;                  logtext "  Found known binary: g++ (compiler) - ${BINARY}"                                                ;;
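Review bot: the ecryptfs-migrate-home entry assigns `ECRYPTFSMIGRATEBINARY=${BINARY}` without the double quotes that the ecryptfsd entry directly above it and the neighbouring dnsdomainname/domainname entries use; make it `ECRYPTFSMIGRATEBINARY="${BINARY}"` so the case table stays consistent. The trailing `;;` on both new lines is also pushed past the column the surrounding entries align on, worth realigning since the file is maintained as a table.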
--- tests_filesystems.orig	2014-01-27 17:20:14.749679392 -0700
+++ tests_filesystems	2014-01-29 16:20:52.128727221 -0700
@@ -558,6 +558,72 @@
 #################################################################################
 #
 
+    # Test        : FILE-####
+    # Description : (LINUX) Check if user home directories are encrypted with ecryptfs
+    # Notes       : Ecryptfs is useful on multi-user systems.  Can be configured
+    #               so that files in the users home directories are only
+    #               decrypted while the user is logged in.
+    #
+    #               This function adds hardening points according to the
+    #               following criteria:
+    #                  +1 Ecryptfs Installed
+    #                  +1 for each user account that can be configured to use it.
+    if [ "${OS}" = "Linux" ]; then
+        if [ ! "${ECRYPTFSDBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+        Register --test-no "FILE-####" --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for Ecryptfs"
+        if [ ${SKIPTEST} -eq 0 -a ! "${ECRYPTFSDBINARY}" = "" ]; then
+            Display --indent 2 --text "- Ecryptfs" --result INSTALLED --color GREEN
+            logtext "Ecryptfs installed."
+            logtext "Test: If user home directories are configured to use Ecryptfs"
+            AddHP 1 1
+            USERLIST=`awk -F: '($3 > 500) && ($3 != 65534) { print $1","$6 }' /etc/passwd`
+            for U in ${USERLIST}; do
+                ECRYPTFSHOME=1
+                USER=`echo ${U} | sed -e 's/,.*//'`
+                HOMEDIR=`echo ${U} | sed -e 's/^[^,]*,//'`
+                logtext "USER: ${USER}"
+                logtext "HOME DIR: ${HOMEDIR}"
+                if [ -d /home/.ecryptfs/${USER} -a -f /home/.ecryptfs/${USER}/.ecryptfs/auto-mount -a -f /home/.ecryptfs/${USER}/.ecryptfs/Private.mnt ]; then
+                    PRIVDIR=`cat /home/.ecryptfs/${USER}/.ecryptfs/Private.mnt`
+                    logtext "PRIVATE DIR: ${PRIVDIR}"
+                    if [ "${HOMEDIR}" = ${PRIVDIR} ]; then
+                        # Ecryptfs installed and configured to encrypt users
+                        # entire ${HOME} directory.
+                        logtext "Result: Home directory for ${USER} configured to use Ecryptfs"
+                        Display --indent 4 --text "- Home for ${USER}" --result YES --color GREEN
+                        AddHP 1 1
+                        ECRYPTFSHOME=0
+                    fi
+                fi
+                if [ ${ECRYPTFSHOME} = 1 ]; then
+                    # Ecryptfs Private directory configured but not for
+                    # users ${HOME} directory -OR- Ecryptfs has not been setup
+                    # for user.
+                    logtext "Result: Ecryptfs installed but not configured for ${USER}'s home directory"
+                    Display --indent 4 --text "- Home for ${USER}" --result NO --color RED
+                    AddHP 0 1
+                    # Unsure if ecryptfs-migrate-home is part of all Ecryptfs installations
+                    # on all Linux distributions.
+                    if [ ! "${ECRYPTFSMIGRATEBINARY}" = "" ]; then
+                        ReportSuggestion ${TEST_NO} "As root run 'ecryptfs-migrate-home --user ${USER}' to configure Ecryptfs for user's home directory"
+                    else
+                        ReportSuggestion ${TEST_NO} "Configure Ecryptfs for ${USER}'s home directory"
+                    fi
+                fi
+            done
+        else
+            Display --indent 2 --text "- Ecryptfs" --result "NOT INSTALLED" --color RED
+            ReportSuggestion ${TEST_NO} "Install 'ecryptfs-utils' and configure for each user."
+            # Increasing Hardening score by 1 for each account that could use
+            # Ecryptfs + 1 for installation.
+            USERCOUNT=`awk -F: '($3 > 500) && ($3 != 65534) { print $1 }' /etc/passwd | wc -l`
+            AddHP 0 $((USERCOUNT+1))
+        fi
+    fi
+
+#
+#################################################################################
+#
 
 wait_for_keypress
 
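Review bot: the `else` branch (red "NOT INSTALLED", ReportSuggestion, `AddHP 0 $((USERCOUNT+1))`) runs whenever `[ ${SKIPTEST} -eq 0 -a ! "${ECRYPTFSDBINARY}" = "" ]` is false, which conflates "test skipped" with "not installed": a test skipped through SKIPTEST while ecryptfsd is present would still print a red result and withhold points. Guard that branch with `elif [ ${SKIPTEST} -eq 0 ]; then` instead of a bare `else`. Smaller points in the same hunk: the awk filter `($3 > 500)` (used twice) excludes UID 500 itself although the report says UID >= 500, so it should read `($3 >= 500)`; `[ "${HOMEDIR}" = ${PRIVDIR} ]` leaves PRIVDIR unquoted, so an empty Private.mnt turns the comparison into a shell syntax error, quote it as `"${PRIVDIR}"`; and assigning `USER=` inside the loop clobbers the login-name environment variable for the rest of the Lynis run, so a test-specific name such as ECRYPTFS_USER is safer.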
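The check the report describes (a home directory counts as encrypted only when the Ecryptfs Private.mnt names the home directory itself) as an added, stand-alone shell example. It is not the submitted patch or Lynis code; the passwd file, the /home/.ecryptfs-style directory tree, the account names and the function names are constructed assumptions. It goes slightly beyond the patch by handling the edge cases a reviewer would ask about: UID 500 inclusive, an empty Private.mnt, and a Private directory that is not the home.

```shell
#!/bin/sh
# Added example, not part of the submitted patch or of Lynis: the per-user
# ecryptfs home check as a stand-alone function, run against a constructed
# fixture instead of /etc/passwd and /home/.ecryptfs. The paths, account
# names and function names used here are assumptions.

TAB=$(printf '\t')

# ecryptfs_home_status PASSWD_FILE ECRYPTFS_ROOT
# Prints one "user:home:STATE" line per regular account (UID >= 500, not the
# nobody UID 65534). STATE is ENCRYPTED when Private.mnt names the home
# directory itself, PRIVATE_ONLY when ecryptfs is set up for some other
# directory, NOT_CONFIGURED otherwise.
ecryptfs_home_status() {
    passwd_file=$1
    ecryptfs_root=$2
    # Tab-separate the fields so a home directory containing spaces survives.
    awk -F: '($3 >= 500) && ($3 != 65534) { print $1 "\t" $6 }' "$passwd_file" |
    while IFS=$TAB read -r user home; do
        cfg="$ecryptfs_root/$user/.ecryptfs"
        state=NOT_CONFIGURED
        if [ -f "$cfg/auto-mount" ] && [ -f "$cfg/Private.mnt" ]; then
            # Private.mnt holds the mount point of the decrypted view. Quote it:
            # an empty file must not turn the comparison into a syntax error.
            privdir=$(cat "$cfg/Private.mnt")
            if [ -n "$privdir" ] && [ "$privdir" = "$home" ]; then
                state=ENCRYPTED
            else
                state=PRIVATE_ONLY
            fi
        fi
        printf '%s:%s:%s\n' "$user" "$home" "$state"
    done
}

# unencrypted_home_count PASSWD_FILE ECRYPTFS_ROOT
# Number of regular accounts whose whole home is not an ecryptfs mount, i.e.
# the per-user hardening points the patch would withhold.
unencrypted_home_count() {
    ecryptfs_home_status "$1" "$2" |
    awk -F: '$3 != "ENCRYPTED" { n++ } END { print n + 0 }'
}

# make_fixture: builds a constructed passwd file and ecryptfs directory tree
# in a temporary directory and prints its path.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/sh' \
        'bob:x:1001:1001::/home/bob:/bin/sh' \
        'carol:x:500:500::/home/carol:/bin/sh' \
        'nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin' \
        > "$dir/passwd"
    # alice: whole home migrated, Private.mnt names the home directory.
    mkdir -p "$dir/ecryptfs/alice/.ecryptfs"
    : > "$dir/ecryptfs/alice/.ecryptfs/auto-mount"
    printf '/home/alice\n' > "$dir/ecryptfs/alice/.ecryptfs/Private.mnt"
    # bob: only ~/Private is encrypted, so the home itself is cleartext.
    mkdir -p "$dir/ecryptfs/bob/.ecryptfs"
    : > "$dir/ecryptfs/bob/.ecryptfs/auto-mount"
    printf '/home/bob/Private\n' > "$dir/ecryptfs/bob/.ecryptfs/Private.mnt"
    # carol: ecryptfs never set up (no directory at all).
    printf '%s\n' "$dir"
}

# Stand-alone run against the constructed fixture.
FIXTURE=$(make_fixture)
ecryptfs_home_status "$FIXTURE/passwd" "$FIXTURE/ecryptfs"
echo "accounts without an encrypted home: $(unencrypted_home_count "$FIXTURE/passwd" "$FIXTURE/ecryptfs")"
rm -rf "$FIXTURE"
```

To run it on a live Debian system, call the two functions with /etc/passwd and /home/.ecryptfs; the count is the number of accounts for which the patch would report NO and add no point.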
