def run( d , dname, full ): partitionTestResult = TestResult() if full == True: partitionTestResult.set_total_points(4) else: partitionTestResult.set_total_points(1) partitionScore = 0 print("Validating that {} has a separate partition...".format(d)) try: #Input: #>>> mount | grep `d` #Expected output: #>>> tmpfs on `d` type tmpfs (rw,nosuid,nodev,noexec,relatime) fsTest1 = subprocess.Popen(('mount'), stdout=subprocess.PIPE) try: fstTest1Output = subprocess.check_output(('grep', d), stdin=fsTest1.stdout) partitionScore += 1 print("......Passed!") if full == True: partitionScore += output_verification(fstTest1Output, d, dname) print partitionScore except subprocess.CalledProcessError as e: report.report("(X)...{} does not exist in a separate partition.".format(d)) mit(d, dname) except OSError: report.report("(!)...Tools do not support the use of the mount command.".format(fs)) partitionTestResult.set_points(partitionScore) return partitionTestResult
def partition(d, dname): partitionTestResult = TestResult() partitionTestResult.set_total_points(1) partitionScore = 0 print("Validating that {} has a separate partition...".format(d)) try: fsTest1 = subprocess.Popen(('mount'), stdout=subprocess.PIPE) try: fstTest1Output = subprocess.check_output(('grep', d), stdin=fsTest1.stdout) partitionScore += 1 print("......Passed!") except subprocess.CalledProcessError as e: report.report( "(X)...{} does not exist in a separate partition.".format(d)) report.mitigation( " Mitigation: run systemctl unmask {}.mount".format( dname)) report.mitigation( " systemctl enable {}.mount".format( dname)) print("......Failed!") except OSError: report.report( "(!)...Tools do not support the use of the mount command.".format( fs)) partitionTestResult.set_points(partitionScore) return partitionTestResult
def run( fs ): mountingTestResult = TestResult() mountingTestResult.set_total_points(1) passedTest = True print("Validating that {} support is disabled...".format(fs)) #In order to run the tests, a try catch block is set up to ensure the needed commands #are available on the system. try: #Input: #>>> modprobe -n -v `fs` #Expected output: #>>> install /bin/true fsTest1 = subprocess.check_output(('modprobe', '-n', '-v', fs)) if "install /bin/true" not in fsTest1: report.report("(X)...Support for mounting {} is not disabled.".format(fs)) passedTest = False #Input: #>>> lsmod | grep `fs` #Expected output: #<NONE> fsTest2 = subprocess.Popen(('lsmod'), stdout=subprocess.PIPE) #With grep piping, a try catch block is needed to guarantee that if the grep #returns no results, the process will not fail. try: fsTest2Output = subprocess.check_output(('grep', fs), stdin=fsTest2.stdout) passedTest = False print("(X) ... A module exists in /proc/modules for {}.") except subprocess.CalledProcessError as e: if str(e) != "Command '('grep', '{}')' returned non-zero exit status 1".format(fs): passedTest = False except OSError as e: #Catch if any of our commands fail report.error("(!)...Tools do not support running a scan for {}\n".format(fs)) mountingTestResult.set_error(True) mountingTestResult.set_error_status(" {}".format(e)) return mountingTestResult #If passedTest has been set by any of the checks, the test fails if passedTest == True: report.report("......Passed!") mountingTestResult.set_points(1) else: report.mitigation(" Mitigation: run install {} /bin/true".format(fs)) report.report("......Failed!") #Send up the result return mountingTestResult