# encoding: utf-8
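require 'shellwords'

module Inspec::Resources
  # Audit resource that reports whether a Linux kernel module is loaded,
  # blacklisted, or disabled through a fake `install` line, and what version
  # `modinfo` reports for it.
  #
  # All answers come from commands run on the target (`lsmod`,
  # `modprobe --showconfig`, `modinfo`). The module name is escaped before it
  # is placed in a regular expression or on a command line, so a name
  # containing regex or shell metacharacters is treated as literal text.
  #
  # NOTE(review): the name is compared literally. The kmod tools appear to
  # report module names with underscores, so a name written with '-' may not
  # match their output -- confirm against the targets you audit.
  class KernelModule < Inspec.resource(1)
    name 'kernel_module'
    supports platform: 'unix'
    desc 'Use the kernel_module InSpec audit resource to test kernel modules on
    Linux platforms. These parameters are located under /lib/modules. Any submodule
    may be tested using this resource.

    The `kernel_module` resource can also verify if a kernel module is `blacklisted`
    or if a module is disabled via a fake install using the `bin_true` or `bin_false`
    method.'

    example "
      describe kernel_module('video') do
        it { should be_loaded }
        it { should_not be_disabled }
        it { should_not be_blacklisted }
      end

      describe kernel_module('sstfb') do
        it { should_not be_loaded }
        it { should be_disabled }
      end

      describe kernel_module('floppy') do
        it { should be_blacklisted }
      end

      describe kernel_module('dhcp') do
        it { should_not be_loaded }
      end
    "

    # @param modulename [String, nil] name of the kernel module to inspect
    def initialize(modulename = nil)
      @module = modulename
      # this resource is only supported on Linux
      return if inspec.os.linux?

      skip_resource 'The `kernel_module` resource is not supported on your OS.'
    end

    # @return [Boolean] true when a line of the `lsmod` output starts with the
    #   module name followed by whitespace; false when `lsmod` exits non-zero
    def loaded?
      # get list of all modules
      cmd = inspec.command(lsmod_cmd_for_os)
      return false unless cmd.exit_status.zero?

      # check if module is loaded; the trailing \s keeps `video` from matching
      # a longer name such as `videodev`
      !cmd.stdout.match(/^#{Regexp.escape(@module)}\s/).nil?
    end

    # @return [Boolean] true when the modprobe configuration replaces the
    #   module's install command with /bin/true, /bin/false or the /sbin forms
    def disabled?
      disabled_via_bin_true? || disabled_via_bin_false?
    end

    # @return [Boolean] true when the modprobe configuration has a `blacklist`
    #   line for the module, or the module is disabled via a fake install
    def blacklisted?
      blacklist_entry? || disabled?
    end

    # @return [String, nil] version printed by `modinfo -F version`, with
    #   newlines removed, or nil when modinfo exits non-zero
    def version
      # The name becomes part of a command line executed on the target, so it
      # is shell-escaped to keep it a single literal argument.
      cmd = inspec.command("#{modinfo_cmd_for_os} -F version #{Shellwords.escape(@module.to_s)}")
      cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil
    end

    def to_s
      "Kernel Module #{@module}"
    end

    private

    # Memoized stdout of `modprobe --showconfig`.
    #
    # The exit status is not checked: if modprobe fails and prints nothing,
    # `blacklisted?` and `disabled?` both return false, so a control written
    # as `should_not be_blacklisted` still passes in that case.
    def modprobe_output
      @modprobe_output ||= inspec.command("#{modprobe_cmd_for_os} --showconfig").stdout
    end

    # Module name prepared for interpolation into a regular expression.
    def module_pattern
      Regexp.escape(@module.to_s)
    end

    # True when the configuration has `blacklist <module>` as a whole word.
    # The name must be followed by whitespace or end of line, so an entry for
    # `floppy_extra` does not make `floppy` report as blacklisted.
    def blacklist_entry?
      !modprobe_output.match(/^blacklist\s+#{module_pattern}(?:\s|$)/).nil?
    end

    # True when the configuration has `install <module> /bin/<binary>` or the
    # /sbin equivalent.
    def install_replaced_by?(binary)
      !modprobe_output.match(%r{^install\s+#{module_pattern}\s+/(s?)bin/#{binary}}).nil?
    end

    # Returns the absolute /sbin path of +tool+ on Red Hat family and Fedora
    # targets, and the bare name (resolved through PATH) everywhere else.
    def sbin_command_for_os(tool)
      if inspec.os.redhat? || inspec.os.name == 'fedora'
        "/sbin/#{tool}"
      else
        tool
      end
    end

    def lsmod_cmd_for_os
      sbin_command_for_os('lsmod')
    end

    def modinfo_cmd_for_os
      sbin_command_for_os('modinfo')
    end

    def modprobe_cmd_for_os
      sbin_command_for_os('modprobe')
    end

    def disabled_via_bin_true?
      install_replaced_by?('true')
    end

    def disabled_via_bin_false?
      install_replaced_by?('false')
    end
  end
end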