Kernel config search and check

helpers/helpers_emba_dependency_check.sh

@@ -357,7 +357,7 @@ dependency_check()
     check_dep_file "pixd visualizer" "$EXT_DIR""/pixde"
 
     # php iniscan
-    check_dep_file "PHP iniscan" "$EXT_DIR""/iniscan/bin/iniscan"
+    check_dep_file "PHP iniscan" "$EXT_DIR""/iniscan/vendor/bin/iniscan"
 
     # pixd image
     check_dep_file "pixd image renderer" "$EXT_DIR""/pixd_png.py"

installer/I24_25_kernel_tools.sh

@@ -22,6 +22,7 @@ I24_25_kernel_tools() {
     print_pip_info "lz4"
     print_pip_info "zstandard"
     print_tool_info "python3-pip" 1
+    print_git_info "kconfig-hardened-check" "a13xp0p0v/kconfig-hardened-check" "There are plenty of security hardening options for the Linux kernel. This tool checks them."
 
     if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then
       ANSWER=("n")
@@ -41,6 +42,10 @@ I24_25_kernel_tools() {
         pip3 install --upgrade lz4 zstandard git+https://github.com/clubby789/python-lzo@b4e39df
         pip3 install --upgrade git+https://github.com/marin-m/vmlinux-to-elf
         cd "$HOME_PATH" || ( echo "Could not install EMBA component vmlinux-to-elf" && exit 1 )
+
+        if ! [[ -d external/kconfig-hardened-check ]]; then
+          git clone https://github.com/a13xp0p0v/kconfig-hardened-check.git external/kconfig-hardened-check
+        fi
       ;;
     esac
   fi

modules/F50_base_aggregator.sh

@@ -33,6 +33,7 @@ F50_base_aggregator() {
   S20_LOG="s20_shell_check.txt"
   S21_LOG="s21_python_check.txt"
   S22_LOG="s22_php_check.txt"
+  S24_LOG="s24_kernel_bin_identifier.txt"
   S25_LOG="s25_kernel_check.txt"
   S30_LOG="s30_version_vulnerability_check.txt"
   S40_LOG="s40_weak_perm_check.txt"
@@ -247,7 +248,7 @@ output_details() {
 output_config_issues() {
   local DATA=0
 
-  if [[ "${PW_COUNTER:-0}" -gt 0 || "${S85_SSH_VUL_CNT:-0}" -gt 0 || "${STACS_HASHES:-0}" -gt 0 || "${INT_COUNT:-0}" -gt 0 || "${POST_COUNT:-0}" -gt 0 || "${MOD_DATA_COUNTER:-0}" -gt 0 || "${S40_WEAK_PERM_COUNTER:-0}" -gt 0 || "${S55_HISTORY_COUNTER:-0}" -gt 0 || "${S50_AUTH_ISSUES:-0}" -gt 0 || "${PASS_FILES_FOUND:-0}" -gt 0 || "${CERT_CNT:-0}" -gt 0 ]]; then
+  if [[ "${PW_COUNTER:-0}" -gt 0 || "${S85_SSH_VUL_CNT:-0}" -gt 0 || "${STACS_HASHES:-0}" -gt 0 || "${INT_COUNT:-0}" -gt 0 || "${POST_COUNT:-0}" -gt 0 || "${MOD_DATA_COUNTER:-0}" -gt 0 || "${S40_WEAK_PERM_COUNTER:-0}" -gt 0 || "${S55_HISTORY_COUNTER:-0}" -gt 0 || "${S50_AUTH_ISSUES:-0}" -gt 0 || "${PASS_FILES_FOUND:-0}" -gt 0 || "${CERT_CNT:-0}" -gt 0 || "${S24_FAILED_KSETTINGS:-0}" -gt 0 ]]; then
     print_output "[+] Found the following configuration issues:"
     if [[ "${S40_WEAK_PERM_COUNTER:-0}" -gt 0 ]]; then
       print_output "$(indent "$(green "Found $ORANGE$S40_WEAK_PERM_COUNTER$GREEN areas with weak permissions.")")"
@@ -305,6 +306,11 @@ output_config_issues() {
       write_csv_log "kernel_modules_lic" "$KMOD_BAD" "NA"
       DATA=1
     fi
+    if [[ "${S24_FAILED_KSETTINGS:-0}" -gt 0 ]]; then
+      print_output "$(indent "$(green "Found $ORANGE${S24_FAILED_KSETTINGS}$GREEN security related kernel settings for review.")")"
+      write_link "s24"
+      write_csv_log "kernel_settings" "${S24_FAILED_KSETTINGS:-0}" "NA"
+    fi
     if [[ "${INT_COUNT:-0}" -gt 0 || "${POST_COUNT:-0}" -gt 0 ]]; then
       print_output "$(indent "$(green "Found $ORANGE${INT_COUNT}$GREEN interesting files and $ORANGE${POST_COUNT:-0}$GREEN files that could be useful for post-exploitation.")")"
       write_link "s95"
@@ -685,6 +691,7 @@ get_data() {
   export S22_PHP_SCRIPTS=0
   export S22_PHP_INI_ISSUES=0
   export S22_PHP_INI_CONFIGS=0
+  export S24_FAILED_KSETTINGS=0
   export MOD_DATA_COUNTER=0
   export KMOD_BAD=0
   export S40_WEAK_PERM_COUNTER=0
@@ -761,6 +768,9 @@ get_data() {
     S22_PHP_INI_ISSUES=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S22_LOG" | cut -d: -f4 || true)
     S22_PHP_INI_CONFIGS=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S22_LOG" | cut -d: -f5 || true)
   fi
+  if [[ -f "$LOG_DIR"/"$S24_LOG" ]]; then
+    S24_FAILED_KSETTINGS=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S24_LOG" | cut -d: -f2 || true)
+  fi
   if [[ -f "$LOG_DIR"/"$S25_LOG" ]]; then
     MOD_DATA_COUNTER=$(grep -a "\[\*\]\ Statistics1:" "$LOG_DIR"/"$S25_LOG" | cut -d: -f2 || true)
     KMOD_BAD=$(grep -a "\[\*\]\ Statistics1:" "$LOG_DIR"/"$S25_LOG" | cut -d: -f3 || true)

modules/S22_php_check.sh

@@ -156,7 +156,7 @@ s22_check_php_ini(){
   local PHP_FILE=""
   local INISCAN_RESULT=()
   local LINE=""
-  local PHP_INISCAN_PATH="$EXT_DIR""/iniscan/bin/iniscan"
+  local PHP_INISCAN_PATH="$EXT_DIR""/iniscan/vendor/bin/iniscan"
   PHP_INI_FAILURE=0
   PHP_INI_LIMIT_EXCEEDED=0
   PHP_INI_WARNINGS=0

modules/S24_kernel_bin_identifier.sh

@@ -18,14 +18,19 @@
 S24_kernel_bin_identifier()
 {
   module_log_init "${FUNCNAME[0]}"
-  module_title "Kernel Binary Identifier"
+  module_title "Kernel Binary and Configuration Identifier"
   pre_module_reporter "${FUNCNAME[0]}"
 
   local NEG_LOG=0
   local FILE_ARR_TMP=()
   local FILE=""
   local K_VER=""
   local K_INIT=""
+  if [[ -e "$EXT_DIR"/kconfig-hardened-check/bin/kconfig-hardened-check ]]; then
+    KCONF_HARD_CHECKER="$EXT_DIR/kconfig-hardened-check/bin/kconfig-hardened-check"
+  else
+    KCONF_HARD_CHECKER="NA"
+  fi
 
   readarray -t FILE_ARR_TMP < <(find "$FIRMWARE_PATH_CP" -xdev "${EXCL_FIND[@]}" -type f ! \( -iname "*.udeb" -o -iname "*.deb" \
     -o -iname "*.ipk" -o -iname "*.pdf" -o -iname "*.php" -o -iname "*.txt" -o -iname "*.doc" -o -iname "*.rtf" -o -iname "*.docx" \
@@ -36,6 +41,7 @@ S24_kernel_bin_identifier()
 
   for FILE in "${FILE_ARR_TMP[@]}" ; do
     K_VER=$(strings "$FILE" 2>/dev/null | grep -E "^Linux version [0-9]+\.[0-9]+" || true)
+
     if [[ "$K_VER" =~ Linux\ version\ .* ]]; then
       print_output "[+] Possible Linux Kernel found: $ORANGE$FILE$NC"
       print_ln
@@ -68,8 +74,28 @@ S24_kernel_bin_identifier()
       fi
 
       write_csv_log "$K_VER" "$FILE" "$K_INIT"
-
       NEG_LOG=1
+
+    # ASCII kernel config files:
+    elif file "$FILE" | grep -q "ASCII"; then
+      K_CON_DET=$(strings "$FILE" 2>/dev/null | grep -E "^# Linux.*[0-9]{1}\.[0-9]{1,2}\.[0-9]{1,2}.* Kernel Configuration" || true)
+      if [[ "$K_CON_DET" =~ \ Kernel\ Configuration ]]; then
+        print_output "[+] Found kernel configuration file: $ORANGE$FILE$NC"
+        if [[ "$KCONF_HARD_CHECKER" != "NA" ]]; then
+          print_output "[*] Testing kernel configuration file $ORANGE$FILE$NC with kconfig-hardened-check"
+          local KCONF_LOG=""
+          KCONF_LOG="$LOG_PATH_MODULE/kconfig_hardening_check_$(basename "$FILE").log"
+          "$KCONF_HARD_CHECKER" -c "$FILE" | tee -a "$KCONF_LOG"
+          if [[ -f "$KCONF_LOG" ]]; then
+            FAILED_KSETTINGS=$(grep -c "FAIL: " "$KCONF_LOG")
+            if [[ "$FAILED_KSETTINGS" -gt 0 ]]; then
+              print_output "[+] Found $ORANGE$FAILED_KSETTINGS$GREEN security related kernel settings which should be reviewed - $ORANGE$(print_path "$FILE")$NC"
+              write_log "[*] Statistics:$FAILED_KSETTINGS"
+            fi
+          fi
+        fi
+        NEG_LOG=1
+      fi
     fi
   done