inspec/docs/resources/kernel_module.md.erb

107 lines
2.8 KiB
Text
Raw Normal View History

2016-09-22 12:43:57 +00:00
---
title: About the kernel_module Resource
---
# kernel_module
Use the `kernel_module` InSpec audit resource to test kernel modules on Linux
platforms. These parameters are located under `/lib/modules`. Any submodule may
be tested using this resource.
The `kernel_module` resource can also verify if a kernel module is `blacklisted`
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
method.
2016-09-22 12:43:57 +00:00
<br>
## Syntax
2016-09-22 12:43:57 +00:00
A `kernel_module` resource block declares a module name, and then tests if that
module is a loadable kernel module, if it is enabled, disabled or if it is
blacklisted:
2016-09-22 12:43:57 +00:00
describe kernel_module('module_name') do
2016-09-22 12:43:57 +00:00
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
2016-09-22 12:43:57 +00:00
where
* `'module_name'` must specify a kernel module, such as `'bridge'`
* `{ should be_loaded }` tests if the module is a loadable kernel module
* `{ should be_blacklisted }` tests if the module is blacklisted or if the module is disabled via a fake install using /bin/false or /bin/true
* `{ should be_disabled }` tests if the module is disabled via a fake install using /bin/false or /bin/true
2016-09-22 12:43:57 +00:00
<br>
2016-09-22 12:43:57 +00:00
## Examples
2016-09-22 12:43:57 +00:00
The following examples show how to use this InSpec audit resource.
2016-09-22 12:43:57 +00:00
### Test a modules 'version'
2016-09-22 12:43:57 +00:00
describe kernel_module('bridge') do
it { should be_loaded }
its(:version) { should cmp >= '2.2.2' }
end
2016-09-22 12:43:57 +00:00
### Test if a module is loaded, not disabled and not blacklisted
2016-09-22 12:43:57 +00:00
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
2016-09-22 12:43:57 +00:00
### Check if a module is blacklisted
2016-09-22 12:43:57 +00:00
describe kernel_module('floppy') do
it { should be_blacklisted }
end
2016-09-22 12:43:57 +00:00
### Ensure a module is *not* blacklisted and it is loaded
2016-09-22 12:43:57 +00:00
describe kernel_module('video') do
it { should_not be_blacklisted }
it { should be_loaded }
end
### Ensure a module is disabled via 'bin_false'
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
end
### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
2016-09-22 12:43:57 +00:00
describe kernel_module('nvidiafb') do
it { should_not be_loaded }
it { should be_blacklisted }
end
2016-09-22 12:43:57 +00:00
### Ensure a module is not loaded
2016-09-22 12:43:57 +00:00
describe kernel_module('dhcp') do
it { should_not be_loaded }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_loaded
The `be_loaded` matcher tests if the module is a loadable kernel module:
it { should be_loaded }
### version
The `version` matcher tests if the named module version is on the system:
its(:version) { should eq '3.2.2' }