IS_CHROOTED_BINARY_NOT_UPTODATE: new check
Verify that chrooted processes run up-to-date binaries
This commit is contained in:
parent
95c9f1f99b
commit
40ada4de70
|
@ -5,6 +5,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
|
|||
|
||||
### Added
|
||||
|
||||
* IS_CHROOTED_BINARY_NOT_UPTODATE: verify that chrooted processes run up-to-date binaries
|
||||
|
||||
### Changed
|
||||
|
||||
### Deprecated
|
||||
|
|
24
evocheck.sh
24
evocheck.sh
|
@ -1239,6 +1239,29 @@ check_apt_valid_until() {
|
|||
fi
|
||||
}
|
||||
|
||||
check_chrooted_binary_not_uptodate() {
|
||||
# list of processes to check
|
||||
process_list="sshd"
|
||||
for process_name in ${process_list}; do
|
||||
# what is the binary path?
|
||||
original_bin=$(command -v "${process_name}")
|
||||
for pid in $(pgrep ${process_name}); do
|
||||
process_bin=$(realpath /proc/${pid}/exe)
|
||||
# Is the process chrooted?
|
||||
real_root=$(realpath /proc/${pid}/root)
|
||||
if [ "${real_root}" != "/" ]; then
|
||||
chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
|
||||
original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
|
||||
# compare md5 checksums
|
||||
if [ "$original_md5" != "$chrooted_md5" ]; then
|
||||
failed "IS_CHROOTED_BINARY_NOT_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
|
||||
test "${VERBOSE}" = 1 || break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
main() {
|
||||
# Default return code : 0 = no error
|
||||
RC=0
|
||||
|
@ -1363,6 +1386,7 @@ main() {
|
|||
test "${IS_OSPROBER:=1}" = 1 && check_osprober
|
||||
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
|
||||
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
|
||||
test "${IS_CHROOTED_BINARY_NOT_UPTODATE:=1}" = 1 && check_chrooted_binary_not_uptodate
|
||||
fi
|
||||
|
||||
#-----------------------------------------------------------
|
||||
|
|
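Review bot: In check_chrooted_binary_not_uptodate the chrooted copy is hashed through `realpath /proc/${pid}/exe`, which requires the link target to be reachable at that path from the host; when the binary was replaced on disk while the daemon kept running (the link target then carries a ` (deleted)` suffix) or when the process lives in its own mount namespace, realpath seems likely to fail, md5sum is then run on an empty path and the empty checksum is reported as a mismatch with an empty binary name in the failed message. Hashing the magic link itself avoids path resolution altogether and reads the image the process actually executes: `chrooted_md5=$(md5sum "/proc/${pid}/exe" | cut -f 1 -d ' ')`, with `process_bin=$(readlink "/proc/${pid}/exe")` kept only for the message. `pgrep ${process_name}` matches by substring, so `pgrep -x "${process_name}"` would restrict the inner loop to processes named exactly sshd. The same empty-path failure applies to original_bin when `command -v` finds nothing; a `test -n "${original_bin}" || continue` before the inner loop keeps the check quiet on hosts without the binary. The main() body that starts at the end of this hunk continues outside it.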