ADD: VM detection for disk encryption (VM means we assume encryption …

…takes place at the host)

src/test/metric.py

@@ -44,7 +44,7 @@ def log(self, log_type, message, result=None):
     def is_target_cli(self, target_type):
         '''Check if the given target type has a cli target'''
         if self.info[target_type]['class'] != 'cli':
-            self.log("warning", f"{target_type} target  is not a `cli` or not "
+            self.log("warning", f"{self.metric_name}/{target_type} is not a `cli` or not "
                      "implemented yet. "
                      f"Class: `{self.info[target_type]['class']}`")
             raise TargetIsNotACLI
@@ -64,7 +64,7 @@ def common_target_tests(self, target_type):
             # Execute the target
             self.execute_target(target_type)
         except (subprocess.TimeoutExpired, TargetExecutionError) as e:
-            self.log("error", f"{target_type}: {e}")
+            self.log("error", f"{self.metric_name}/{target_type}: {e}")
             return False
 
         return True
@@ -81,7 +81,7 @@ def implementation_tests(self):
         # stdout with data means that a remediation is needed
         need_remediation, _ = self.fetch_need_remediation()
 
-        self.log("ok", f"{target_type} target passed tests. "
+        self.log("ok", f"{self.metric_name}/{target_type} target passed tests. "
                  f"Need remediation: {need_remediation}")
 
         return True
@@ -99,10 +99,10 @@ def remediation_tests(self, enable_log=True):
         need_remediation, result = self.fetch_need_remediation()
 
         if need_remediation:
-            self.log("error", f"{target_type} target ran flawlessly but did not "
+            self.log("error", f"{self.metric_name}/{target_type} ran flawlessly but did not "
                      "resolve the metric", result=result)
         else:
-            self.log("ok", f"{target_type} target successfuly resolved the "
+            self.log("ok", f"{self.metric_name}/{target_type} successfuly resolved the "
                      "metric")
 
         return not need_remediation
@@ -120,10 +120,10 @@ def rollback_test(self):
         need_remediation, result = self.fetch_need_remediation()
 
         if not need_remediation:
-            self.log("error", f"{target_type} dit not revert the changes",
+            self.log("error", f"{self.metric_name}/{target_type} dit not revert the changes",
                      result=result)
         else:
-            self.log("ok", f"{target_type} successfuly reverted the changes")
+            self.log("ok", f"{self.metric_name}/{target_type} successfuly reverted the changes")
 
         return need_remediation
 
@@ -185,9 +185,9 @@ def elevation_test(self, target_type):
             self.execute_target(target_type, permissions=False)
             need_permissions = False
         except subprocess.TimeoutExpired or TargetExecutionError as e:
-            self.log("error", f"{target_type} target failed during "
+            self.log("error", f"{self.metric_name}/{target_type} failed during "
                      f"elevation test: {e}")
-            self.log("info", f"{target_type} retrying with permissions")
+            self.log("info", f"{self.metric_name}/{target_type} retrying with permissions")
 
             # This call will be able to raise exceptions
             self.execute_target(target_type, permissions=True)
@@ -197,21 +197,21 @@ def elevation_test(self, target_type):
             # If execution required permissions and the elevation is set to
             # user, the elevation is too low
             if self.info[target_type]["elevation"] == "user":
-                self.log("warning", f"{target_type} target elevation too low. "
+                self.log("warning", f"{self.metric_name}/{target_type} target elevation too low. "
                          "Needed: `Admin`, current: `user`")
             else:
                 self.log("ok",
-                         f"{target_type} elevation is at a correct level")
+                         f"{self.metric_name}/{target_type} elevation is at a correct level")
         else:
             # If execution did not require permissions and the elevation is set
             # to something else than user, the elevation is too high
             if self.info[target_type]["elevation"] != "user":
-                self.log("warning", f"{target_type} target elevation too high."
+                self.log("warning", f"{self.metric_name}/{target_type} target elevation too high."
                          " Needed: `user`, current: "
                          f"`{self.info[target_type]['elevation']}`")
             else:
                 self.log("ok",
-                         f"{target_type} elevation is at a correct level")
+                         f"{self.metric_name}/{target_type} elevation is at a correct level")
 
         self.report[target_type]["need_permissions"] = need_permissions
 

threatmodel-Linux.json

@@ -205,8 +205,8 @@
         "minversion": 20,
         "maxversion": 0,
         "class": "cli",
-        "elevation": "user",
-        "target": "grep -qE '(hypervisor|vmware|virtualbox|qemu|kvm|xen)' /proc/cpuinfo || { lsblk -o MOUNTPOINT,FSTYPE | grep '/$' | grep -q 'crypt' || echo encryption_disabled; lsblk -o MOUNTPOINT,FSTYPE | grep '/swap' | grep -q 'crypt' || echo encryption_disabled; }",
+        "elevation": "admin",
+        "target": "sudo apt install virt-what > /dev/null 2>&1 && sudo virt-what | read -t 0 -N 0 && { lsblk -o MOUNTPOINT,FSTYPE | grep '/ ' | grep -q 'crypt' || echo encryption_disabled; lsblk -o MOUNTPOINT,FSTYPE | grep '/swap' | grep -q 'crypt' || echo encryption_disabled; }",
         "education": []
       },
       "remediation": {
@@ -718,7 +718,7 @@
         "maxversion": 0,
         "class": "cli",
         "elevation": "system",
-        "target": "apt list --upgradeable 2>/dev/null | grep \"upgradable\"",
+        "target": "apt list --upgradeable 2>/dev/null | grep 'upgradable'",
         "education": []
       },
       "remediation": {

threatmodel-macOS.json

@@ -960,7 +960,7 @@
         "maxversion": 0,
         "class": "cli",
         "elevation": "admin",
-        "target": "system_profiler SPHardwareDataType | grep -q \"Virtualization\" || fdesetup isactive | grep false",
+        "target": "system_profiler SPHardwareDataType | grep -q 'Virtual' || fdesetup isactive | grep false",
         "education": []
       },
       "remediation": {
@@ -1316,12 +1316,12 @@
         {
           "locale": "EN",
           "title": "System Integrity Protection disabled",
-          "summary": "System Integrity Protection is a great ability of macOS that prevents any software to change system files and components. To some extent it's a \"good enough\" antivirus for your Mac. Having it disabled is... unusual and dangerous. It should be enabled by default on your Mac. This content will explain a way to enable it again. Bear with me .. it's somewhat hard to achieve!"
+          "summary": "System Integrity Protection is a great ability of macOS that prevents any software to change system files and components. To some extent it's a 'good enough' antivirus for your Mac. Having it disabled is... unusual and dangerous. It should be enabled by default on your Mac. This content will explain a way to enable it again. Bear with me .. it's somewhat hard to achieve!"
         },
         {
           "locale": "FR",
           "title": "Protection d'intégrité système désactivée",
-          "summary": "La Protection de l'Intégrité du Système est une capacité clé de macOS qui empêche tous logiciels de modifier les fichiers et les composants du système. Dans une certaine mesure, c'est un antivirus \"assez bon\" pour votre Mac. Le désactiver est... inhabituel et dangereux. Il devrait être activé par défaut sur votre Mac. Ce contenu vous expliquera comment l'activer à nouveau. Soyez courageux... c'est un peu difficile à réaliser !"
+          "summary": "La Protection de l'Intégrité du Système est une capacité clé de macOS qui empêche tous logiciels de modifier les fichiers et les composants du système. Dans une certaine mesure, c'est un antivirus 'assez bon' pour votre Mac. Le désactiver est... inhabituel et dangereux. Il devrait être activé par défaut sur votre Mac. Ce contenu vous expliquera comment l'activer à nouveau. Soyez courageux... c'est un peu difficile à réaliser !"
         }
       ],
       "implementation": {
@@ -1472,7 +1472,7 @@
         "maxversion": 0,
         "class": "cli",
         "elevation": "user",
-        "target": "dscl . -read /Users/root Password | grep \"\\*\\*\"",
+        "target": "dscl . -read /Users/root Password | grep '\\*\\*'",
         "education": []
       },
       "remediation": {
@@ -1555,7 +1555,7 @@
         "maxversion": 0,
         "class": "cli",
         "elevation": "system",
-        "target": "security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist",
+        "target": "security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c 'Set :shared false' /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist",
         "education": [
           {
             "locale": "EN",
@@ -1575,7 +1575,7 @@
         "maxversion": 0,
         "class": "cli",
         "elevation": "system",
-        "target": "security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c \"Set :shared true\" /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist",
+        "target": "security authorizationdb read system.preferences > /tmp/system.preferences.plist; /usr/libexec/PlistBuddy -c 'Set :shared true' /tmp/system.preferences.plist; security authorizationdb write system.preferences < /tmp/system.preferences.plist",
         "education": [
           {
             "locale": "EN",
@@ -1840,7 +1840,7 @@
         "maxversion": 0,
         "class": "cli",
         "elevation": "user",
-        "target": "if defaults read /Applications/Google\\ Chrome.app/Contents/Info.plist CFBundleShortVersionString &>/dev/null; then latest_version=$(curl -s \"https://formulae.brew.sh/api/cask/google-chrome.json\" | awk -F'[\"]' '{for(i=1;i<=NF;i++) if ($i==\"version\") {print $(i+2); exit}}'); local_version=$(defaults read /Applications/Google\\ Chrome.app/Contents/Info.plist CFBundleShortVersionString); if [ \"$latest_version\" = \"$local_version\" ]; then echo \"\"; else echo \"Chrome is not up to date (Installed: $local_version, Latest: $latest_version)\"; fi; else echo \"\"; fi",
+        "target": "if defaults read /Applications/Google\\ Chrome.app/Contents/Info.plist CFBundleShortVersionString &>/dev/null; then latest_version=$(curl -s 'https://formulae.brew.sh/api/cask/google-chrome.json' | awk -F'[\"]' '{for(i=1;i<=NF;i++) if ($i=='version') {print $(i+2); exit}}'); local_version=$(defaults read /Applications/Google\\ Chrome.app/Contents/Info.plist CFBundleShortVersionString); if [ \"$latest_version\" = \"$local_version\" ]; then echo ''; else echo \"Chrome is not up to date (Installed: $local_version, Latest: $latest_version)\"; fi; else echo ''; fi",
         "education": []
       },
       "remediation": {