From 266f03e785bbc71a53a9b677dcf25481126adc8d Mon Sep 17 00:00:00 2001
From: Mathieu Tarral
Date: Sun, 7 Jul 2019 14:14:09 +0200
Subject: [PATCH 1/4] tools: add kconfig-hardened-check submodule
---
 .gitmodules | 3 +++
 tools/kconfig-hardened-check | 1 +
 2 files changed, 4 insertions(+)
 create mode 160000 tools/kconfig-hardened-check
diff --git a/.gitmodules b/.gitmodules
index 9fcc92f..a9b4f62 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "tools/checksec.sh"]
 path = tools/checksec
 url = https://github.com/slimm609/checksec.sh.git
+[submodule "tools/kconfig-hardened-check"]
+ path = tools/kconfig-hardened-check
+ url = https://github.com/a13xp0p0v/kconfig-hardened-check.git
diff --git a/tools/kconfig-hardened-check b/tools/kconfig-hardened-check
new file mode 160000
index 0000000..3dc3f6e
--- /dev/null
+++ b/tools/kconfig-hardened-check
@@ -0,0 +1 @@
+Subproject commit 3dc3f6e9e67e5206575acb5009f472cff780328d
From 6fd0ae9c860d9689d93bf8f0e4ace7533d315884 Mon Sep 17 00:00:00 2001
From: Mathieu Tarral
Date: Sun, 7 Jul 2019 14:20:40 +0200
Subject: [PATCH 2/4] security: find kconfig binary
---
 hooks/security.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/hooks/security.py b/hooks/security.py
index 04ab4df..91891c6 100644
--- a/hooks/security.py
+++ b/hooks/security.py
@@ -26,6 +26,7 @@ class ChecksecFile:
 class SecurityHook(Hook):
 CHECKSEC_BIN = Path(__file__).parent.parent/"tools"/"checksec"/"checksec"
+ KCONFIG_BIN = Path(__file__).parent.parent/"tools"/"kconfig-hardened-check"/"kconfig-hardened-check.py"
 def __init__(self, parameters):
 super().__init__(parameters)
@@ -34,6 +35,10 @@ def __init__(self, parameters):
 raise RuntimeError('Cannot find checksec, did you forget to init the submodule ?')
 self.checksec = str(self.CHECKSEC_BIN)
+ if not self.KCONFIG_BIN.exists():
+ raise RuntimeError('Cannot find kconfig-hardened-check, did you forget to init the submodule ?')
+ self.kconfig = str(self.KCONFIG_BIN)
+
 self.context.subscribe('filesystem_new_file_mime', self.check_file)
 def check_file(self, event):
From 46ef6feb35dc850ecb8f4e4285926cef240be90d Mon Sep 17 00:00:00 2001
From: Mathieu Tarral
Date: Sun, 7 Jul 2019 14:59:52 +0200
Subject: [PATCH 3/4] filesystem: include remote file name in filesystem_new_file event
---
 hooks/filesystem.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/hooks/filesystem.py b/hooks/filesystem.py
index 6768264..a4589a8 100644
--- a/hooks/filesystem.py
+++ b/hooks/filesystem.py
@@ -69,7 +69,7 @@ def guestfs_instance(self):
 def guest_local_file(gfs, remote_file):
 with NamedTemporaryFile() as temp:
 gfs.download(remote_file, temp.name)
- yield temp.name
+ yield remote_file, temp.name
 class FilesystemHook(Hook):
@@ -147,8 +147,9 @@ def walk_capture(self, node):
 self.context.trigger('filesystem_new_inode', inode=inode)
 # download and execute trigger on local file
 if InodeType(inode.inode_type) == InodeType.REG:
- with guest_local_file(self.gfs, str(node)) as local_file:
- self.context.trigger('filesystem_new_file', filepath=local_file, inode=inode)
+ with guest_local_file(self.gfs, str(node)) as (remote_file, local_file):
+ self.context.trigger('filesystem_new_file', guest_filepath=remote_file, local_filepath=local_file,
+ inode=inode)
 # walk
 if self.gfs.is_dir(str(node)):
 entries = self.list_entries(node)
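Review bot: The added guard `if not self.KCONFIG_BIN.exists():` only proves that something is at that path, not that it is the tool's script; a partially initialised or stale submodule checkout can leave a directory there, and the error message then never fires while the later invocation fails in a less obvious way. `if not self.KCONFIG_BIN.is_file():` is the check the message actually promises, and the same applies to the pre-existing checksec guard two lines above. `KCONFIG_BIN` (added in the previous hunk of this patch) names a `.py` file, and how `self.kconfig` is executed is not part of this series, so a comment on the constant such as `# entry script of the kconfig-hardened-check submodule; must be run with an interpreter or carry its exec bit` would spare the next reader the guess. `__init__` starts above this hunk.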
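Review bot: `guest_local_file` now yields a `(remote_file, temp.name)` pair instead of a single path, but nothing in the function says so, and any caller still binding the yielded value to one name breaks silently until it is used as a path; `walk_capture` in the next hunk is updated, other callers are not visible from here. A docstring would pin the new contract, e.g. `"""Download *remote_file* from the guest and yield ``(remote_file, local_path)``; the local copy is a NamedTemporaryFile and is removed when the block exits."""`. The decorator that turns this generator into a context manager (presumably `@contextmanager`) sits on the line above the hunk, so the definition starts outside it.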
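Review bot: The trigger's keyword arguments change from `filepath` to `guest_filepath`/`local_filepath`, so any `filesystem_new_file` subscriber that still reads `event.filepath` raises AttributeError on the first regular file; `process_new_file` is updated in the following hunk, but I cannot see whether other subscribers exist. Because `local_file` is the NamedTemporaryFile from `guest_local_file`, it is gone as soon as the `with` block exits, which new subscribers need to know; a comment above the trigger, `# local_filepath is a temporary copy valid only while subscribers run; guest_filepath is the path inside the guest image`, would record both facts. `walk_capture` begins and ends outside this hunk.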
@@ -162,7 +163,7 @@ def walk_capture(self, node):
 return inode
 def process_new_file(self, event):
- filepath = event.filepath
+ filepath = event.local_filepath
 inode = event.inode
 # determine MIME type
 mime_type = subprocess.check_output(['file', '-bi', filepath]).decode().rstrip()
From eb164cc711e0ef60c235e4f4a06dca467cf63470 Mon Sep 17 00:00:00 2001
From: Mathieu Tarral
Date: Sun, 7 Jul 2019 15:00:23 +0200
Subject: [PATCH 4/4] security: run kconfig for each /boot/config- file
---
 hooks/security.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hooks/security.py b/hooks/security.py
index 91891c6..c2be0fd 100644
--- a/hooks/security.py
+++ b/hooks/security.py
@@ -40,6 +40,7 @@ def __init__(self, parameters):
 self.kconfig = str(self.KCONFIG_BIN)
 self.context.subscribe('filesystem_new_file_mime', self.check_file)
+ self.context.subscribe('filesystem_new_file', self.kconfig_check)
 def check_file(self, event):
 filepath = event.filepath
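Review bot: The new line subscribes `self.kconfig_check`, but this patch adds no such method (diffstat: 1 insertion), so unless `kconfig_check` already exists in `SecurityHook`, `__init__` fails with AttributeError on the `subscribe` call itself. If the method does exist, it is now invoked for every regular file in the guest filesystem, so it should filter on `event.guest_filepath` (the field introduced in the previous patch) before doing any work, and it must read the config from `event.local_filepath` before the `filesystem_new_file` trigger returns, since that temporary copy is deleted afterwards. The commit subject names `/boot/config-` as the selector; a comment next to the subscription, `# kconfig_check is expected to act only on /boot/config-* files`, would tie the handler to that intent. `__init__` starts above this hunk.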