Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-11-22 20:53:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

kernel_module resource: added blacklisting, enabled, disabled, docs and unit tests (#1798)

Browse source 
* Fix up methods, add command mock, do string matching in ruby instead of command

Fixes #1643
Fixes #1673

Signed-off-by: Aaron Lippold <lippold@gmail.com>
This commit is contained in:
Aaron Lippold 2017-07-05 05:41:44 -04:00 committed by Christoph Hartmann
parent 224935e9cf
commit cc7ed38d09
7 changed files with 275 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
docs/resources/kernel_module.md.erb
View file

@ -4,20 +4,45 @@ title: About the kernel_module Resource
# kernel_module
Use the `kernel_module` InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under `/lib/modules`. Any submodule may be tested using this resource.
Use the `kernel_module` InSpec audit resource to test kernel modules on Linux
platforms. These parameters are located under `/lib/modules`. Any submodule may
be tested using this resource.
The `kernel_module` resource can also verify if a kernel module is `blacklisted`
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
method.
## Syntax
A `kernel_module` resource block declares a module name, and then tests if that module is a loadable kernel module:
A `kernel_module` resource block declares a module name, and then tests if that
module is a loadable kernel module, if it is enabled, disabled or if it is
blacklisted:
describe kernel_module('module_name') do
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
end
describe kernel_module('floppy') do
it { should be_blacklisted }
end
describe kernel_module('dhcp') do
it { should_not be_loaded }
end
where
* `'module_name'` must specify a kernel module, such as `'bridge'`
* `{ should be_loaded }` tests if the module is a loadable kernel module
* `{ should be_blacklisted }` tests if the module is blacklisted or if the module is disabled via a fake install using /bin/false or /bin/true
* `{ should be_disabled }` tests if the module is disabled via a fake install using /bin/false or /bin/true
## Matchers
@ -59,9 +84,50 @@ The `version` matcher tests if the named module version is on the system:
The following examples show how to use this InSpec audit resource.
### Test if a module is loaded
### Test a modules 'version'
describe kernel_module('bridge') do
it { should be_loaded }
its(:version) { should cmp >= '2.2.2' }
end
### Test if a module is loaded, not disabled and not blacklisted
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
### Check if a module is blacklisted
describe kernel_module('floppy') do
it { should be_blacklisted }
end
### Ensure a module is *not* blacklisted and it is loaded
describe kernel_module('video') do
it { should_not be_blacklisted }
it { should be_loaded }
end
### Ensure a module is disabled via 'bin_false'
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
end
### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
describe kernel_module('nvidiafb') do
it { should_not be_loaded }
it { should be_blacklisted }
end
### Ensure a module is not loaded
describe kernel_module('dhcp') do
it { should_not be_loaded }
end

80
lib/resources/kernel_module.rb
View file

@ -1,20 +1,44 @@
# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter
# author: Aaron Lippold
# author: Adam Leff
module Inspec::Resources
class KernelModule < Inspec.resource(1)
name 'kernel_module'
desc 'Use the kernel_module InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under /lib/modules. Any submodule may be tested using this resource.'
desc 'Use the kernel_module InSpec audit resource to test kernel modules on
Linux platforms. These parameters are located under /lib/modules. Any submodule
may be tested using this resource.
The `kernel_module` resource can also verify if a kernel module is `blacklisted`
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
method.'
example "
describe kernel_module('bridge') do
it { should be_loaded }
end
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
end
describe kernel_module('floppy') do
it { should be_blacklisted }
end
describe kernel_module('dhcp') do
it { should_not be_loaded }
end
"
def initialize(modulename = nil)
@module = modulename
# this resource is only supported on Linux
return skip_resource 'The `kernel_parameter` resource is not supported on your OS.' if !inspec.os.linux?
end
@ -36,19 +60,51 @@ module Inspec::Resources
!found.nil?
end
def version
if inspec.os.redhat? || inspec.os.name == 'fedora'
modinfo_cmd = "/sbin/modinfo -F version #{@module}"
else
modinfo_cmd = "modinfo -F version #{@module}"
end
def disabled?
!modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/(true|false)}).nil?
end
cmd = inspec.command(modinfo_cmd)
def blacklisted?
!modprobe_output.match(/^blacklist\s+#{@module}/).nil? || disabled_via_bin_true? || disabled_via_bin_false?
end
def version
cmd = inspec.command("#{modinfo_cmd_for_os} -F version #{@module}")
cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil
end
def to_s
"Kernel Module #{@module}"
end
private
def modprobe_output
@modprobe_output ||= inspec.command("#{modprobe_cmd_for_os} --showconfig").stdout
end
def modinfo_cmd_for_os
if inspec.os.redhat? || inspec.os.name == 'fedora'
'/sbin/modinfo'
else
'modinfo'
end
end
def modprobe_cmd_for_os
if inspec.os.redhat? || inspec.os.name == 'fedora'
'/sbin/modprobe'
else
'modprobe'
end
end
def disabled_via_bin_true?
!modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/true}).nil?
end
def disabled_via_bin_false?
!modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/false}).nil?
end
end
end

2
test/helper.rb
View file

@ -335,6 +335,8 @@ class MockLoader
"docker inspect 71b5df59442b" => cmd.call('docker-inspec'),
# docker images
"83c36bfade9375ae1feb91023cd1f7409b786fd992ad4013bf0f2259d33d6406" => cmd.call('docker-images'),
# modprobe for kernel_module
"modprobe --showconfig" => cmd.call('modprobe-config'),
# get-process cmdlet for processes resource
'$Proc = Get-Process -IncludeUserName | Where-Object {$_.Path -ne $null } | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")' => cmd.call('get-process_processes'),
# host resource: check to see if netcat is installed

27
test/integration/default/kernel_module_spec.rb
View file

@ -9,13 +9,40 @@ if !os.linux?
return
end
# @todo add a disabled kernel module with /bin/true and /bin/false
# Test kernel modules on all linux systems
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
describe kernel_module('video') do
it { should_not be_blacklisted }
it { should be_enabled }
end
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
it { should be_disabled_via_bin_false }
end
describe kernel_module('nvidiafb') do
it { should_not be_loaded }
it { should be_disabled }
it { should be_disabled_via_bin_true }
end
describe kernel_module('floppy') do
it { should be_blacklisted }
it { should_not be_enabled }
end
describe kernel_module('bridge') do
it { should_not be_loaded }
it { should_not be_enabled }
end
describe kernel_module('dhcp') do

1
test/unit/mock/cmd/lsmod
View file

@ -1,2 +1,3 @@
Module Size Used by
bridge 73728 1 br_netfilter
video 24400 0

3
test/unit/mock/cmd/modprobe-config Normal file
View file

@ -0,0 +1,3 @@
blacklist floppy
install nvidiafb /bin/true
install sstfb /sbin/false

111
test/unit/resources/kernel_module_test.rb
View file

@ -6,23 +6,120 @@ require 'helper'
require 'inspec/resource'
describe 'Inspec::Resources::KernelModule' do
it 'verify kernel_module parsing' do
#kernel version
# 1
it 'Verify kernel_module version' do
resource = load_resource('kernel_module', 'dhcp')
_(resource.version).must_equal '3.2.2'
end
# loaded
# 2
it 'Verify kernel_module parsing `loaded` - true' do
resource = load_resource('kernel_module', 'bridge')
_(resource.loaded?).must_equal true
end
it 'verify kernel_module parsing' do
# 3
it 'Verify kernel_module parsing `loaded` - false' do
resource = load_resource('kernel_module', 'bridges')
_(resource.loaded?).must_equal false
end
it 'verify kernel_module parsing' do
resource = load_resource('kernel_module', 'dhcp')
#disabled
# 4
it 'Verify kernel_module parsing `disabled` - true ' do
resource = load_resource('kernel_module', 'nvidiafb')
_(resource.disabled?).must_equal true
end
# 5
it 'Verify kernel_module parsing `disabled` - false' do
resource = load_resource('kernel_module', 'bridge')
_(resource.disabled?).must_equal false
end
#/bin/true
# 6
it 'Verify a kernel_module is disabled via /bin/true - true' do
resource = load_resource('kernel_module', 'nvidiafb')
_(resource.blacklisted?).must_equal true
end
# 7
it 'Verify a kernel_module is not disabled via /bin/true - false' do
resource = load_resource('kernel_module', 'ssftb')
_(resource.blacklisted?).must_equal false
end
# 8
#/bin/false
it 'Verify a kernel_module is disabled via /bin/false - true' do
resource = load_resource('kernel_module', 'sstfb')
_(resource.blacklisted?).must_equal true
end
# 9
it 'Verify a kernel_module is not disabled via /bin/false - true ' do
resource = load_resource('kernel_module', 'bridge')
_(resource.blacklisted?).must_equal false
end
# 10
# unlisted bin/true,/bin/false
it 'Verify an unlisted kernel_module is not disabled via /bin/true - false' do
resource = load_resource('kernel_module', 'fakemod')
_(resource.blacklisted?).must_equal false
end
# 11
it 'Verify an unlisted kernel_module is not disabled via /bin/false - false' do
resource = load_resource('kernel_module', 'fakemod')
_(resource.blacklisted?).must_equal false
end
# 12
#blacklisting
it 'Verify a kernel_module is blacklisted - true' do
resource = load_resource('kernel_module', 'floppy')
_(resource.blacklisted?).must_equal true
end
# 13
it 'Verify a kernel_module is not blacklisted - false' do
resource = load_resource('kernel_module', 'ssftb')
_(resource.blacklisted?).must_equal false
end
# 14
#unlisted moduled
it 'Verify an unlisted kernel_module is not `loaded` - false' do
resource = load_resource('kernel_module', 'not_a_module')
_(resource.loaded?).must_equal false
end
it 'verify kernel_module version' do
resource = load_resource('kernel_module', 'dhcp')
_(resource.version).must_equal '3.2.2'
# 15
it 'Verify an unlisted kernel_module is not `disabled` - false' do
resource = load_resource('kernel_module', 'not_a_module')
_(resource.disabled?).must_equal false
end
# 16
it 'Verify an unlisted kernel_module is not blacklisted - false' do
resource = load_resource('kernel_module', 'not_a_module')
_(resource.blacklisted?).must_equal false
end
# 17
it 'Verify an unlisted kernel_module is not disabled_via_bin_true - false' do
resource = load_resource('kernel_module', 'not_a_module')
_(resource.blacklisted?).must_equal false
end
# 18
it 'Verify an unlisted kernel_module is not disabled_via_bin_false - false' do
resource = load_resource('kernel_module', 'not_a_module')
_(resource.blacklisted?).must_equal false
end
end