Voici des paquets pour auditer le chiffrement des postes Linux avec LUKS et des postes macOS avec FileVault.
LUKS :
# -*- coding: utf-8 -*-
from setuphelpers import *
def install():
    """Install nothing: this package only carries the audit() check."""
    return None
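def audit():
    """Check that the root filesystem sits on a valid LUKS partition.

    Lists the block devices whose lsblk row matches "LUKS", looks for the one
    whose lsblk subtree contains the "/" mount point, then asks cryptsetup to
    confirm that this device is a LUKS device.

    Returns:
        "OK" when the system partition is a valid LUKS partition, otherwise
        "ERROR".

    Scope of the check: only the device backing "/" is verified. Other
    volumes (a separate /home, swap, secondary or removable disks) are not
    examined, and ``cryptsetup isLuks`` only confirms that the device is a
    LUKS device; it says nothing about cipher or passphrase strength.
    """
    audit_result = "OK"

    # -e7 excludes loop devices; -n/-r give header-less raw "NAME FSTYPE" rows.
    lsblk_output = run(r"lsblk -e7 -n -f -r -o NAME,FSTYPE | grep LUKS | awk '{print $1}'")
    # Drop blank entries so an empty listing never produces a bare "/dev/" path.
    luks_partitions = [name for name in lsblk_output.strip().split("\n") if name]

    if not luks_partitions:
        print(r'Error, cannot find any LUKS partition !')
        return "ERROR"

    # Find the LUKS device that has "/" mounted somewhere beneath it.
    # Device names come from lsblk on the local host, not from user input.
    system_partition = None
    for luks_partition in luks_partitions:
        try:
            # grep exits non-zero when "/" is not mounted under this device;
            # run() raises in that case.
            run(r"lsblk /dev/%s -l -o MOUNTPOINTS | grep '^/$'" % luks_partition)
        except Exception:
            # Exception (not a bare except) so Ctrl-C / SystemExit still abort.
            # NOTE(review): an lsblk that lacks the MOUNTPOINTS column would
            # also end up here and be reported as "not encrypted" -- confirm
            # the util-linux version on the audited hosts.
            continue
        system_partition = luks_partition
        break

    if not system_partition:
        print(r'Error, system partition is not encrypted !')
        return "ERROR"

    # Confirm that the device found above is a LUKS device.
    try:
        run(r'cryptsetup isLuks /dev/%s' % system_partition)
    except Exception:
        print(r'Error, system partition seems encrypted but is not a valid LUKS partition !')
        audit_result = "ERROR"
    else:
        print(r'System partition is encrypted and is a valid LUKS partition')
    return audit_result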
FileVault :
# -*- coding: utf-8 -*-
from setuphelpers import *
def install():
    """Do nothing at install time; the package exists for its audit() check."""
    return None
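def audit():
    """Report whether FileVault is enabled, based on ``fdesetup status``.

    Returns:
        "OK" when the status text contains "FileVault is On" (including while
        encryption is still in progress); "ERROR" when FileVault is off, is
        being decrypted, or the status cannot be obtained.
    """
    try:
        filevault_status = run(r'sudo fdesetup status')
    except Exception:
        # A failing fdesetup call is reported the same way as an unreadable
        # status, so the audit records ERROR instead of aborting.
        print(r'Cannot get FileVault status !')
        return "ERROR"

    if r'FileVault is On' in filevault_status:
        if r'Encryption in progress' in filevault_status:
            # NOTE(review): still "OK" although part of the disk stays in
            # plaintext until encryption completes; consider "WARNING" if the
            # policy requires fully encrypted disks.
            print(r'FileVault is enabled and encryption is in progress.')
        else:
            print(r'FileVault is enabled and disks are fully encrypted.')
        return "OK"

    if r'FileVault is Off' in filevault_status:
        # Off is always an error, including while decryption is still running.
        if r'Decryption in progress' in filevault_status:
            print(r'FileVault is not enabled and decryption is in progress !')
        else:
            print(r'FileVault is not enabled and disks are not encrypted !')
        return "ERROR"

    # Neither marker found: treat an unrecognised status as a failure.
    print(r'Cannot get FileVault status !')
    return "ERROR"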
