mirror of
https://github.com/inspec/inspec
synced 2024-11-23 21:23:29 +00:00
9cfc86d2ab
Light formatting changes, change order of example and matchers, slight color changes Signed-off-by: hannah-radish <hmaddy@chef.io>
107 lines
2.7 KiB
Text
107 lines
2.7 KiB
Text
---
|
|
title: About the kernel_module Resource
|
|
---
|
|
|
|
# kernel_module
|
|
|
|
Use the `kernel_module` InSpec audit resource to test kernel modules on Linux
|
|
platforms. These parameters are located under `/lib/modules`. Any submodule may
|
|
be tested using this resource.
|
|
|
|
The `kernel_module` resource can also verify if a kernel module is `blacklisted`
|
|
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
|
|
method.
|
|
|
|
<br>
|
|
|
|
## Syntax
|
|
|
|
A `kernel_module` resource block declares a module name, and then tests if that
|
|
module is a loadable kernel module, if it is enabled, disabled or if it is
|
|
blacklisted:
|
|
|
|
describe kernel_module('module_name') do
|
|
it { should be_loaded }
|
|
it { should_not be_disabled }
|
|
it { should_not be_blacklisted }
|
|
end
|
|
end
|
|
|
|
where
|
|
|
|
* `'module_name'` must specify a kernel module, such as `'bridge'`
|
|
* `{ should be_loaded }` tests if the module is a loadable kernel module
|
|
* `{ should be_blacklisted }` tests if the module is blacklisted or if the module is disabled via a fake install using /bin/false or /bin/true
|
|
* `{ should be_disabled }` tests if the module is disabled via a fake install using /bin/false or /bin/true
|
|
|
|
<br>
|
|
|
|
## Examples
|
|
|
|
The following examples show how to use this InSpec audit resource.
|
|
|
|
### Test a modules 'version'
|
|
|
|
describe kernel_module('bridge') do
|
|
it { should be_loaded }
|
|
its(:version) { should cmp >= '2.2.2' }
|
|
end
|
|
|
|
### Test if a module is loaded, not disabled and not blacklisted
|
|
|
|
describe kernel_module('video') do
|
|
it { should be_loaded }
|
|
it { should_not be_disabled }
|
|
it { should_not be_blacklisted }
|
|
end
|
|
|
|
### Check if a module is blacklisted
|
|
|
|
describe kernel_module('floppy') do
|
|
it { should be_blacklisted }
|
|
end
|
|
|
|
### Ensure a module is *not* blacklisted and it is loaded
|
|
|
|
describe kernel_module('video') do
|
|
it { should_not be_blacklisted }
|
|
it { should be_loaded }
|
|
end
|
|
|
|
### Ensure a module is disabled via 'bin_false'
|
|
|
|
describe kernel_module('sstfb') do
|
|
it { should_not be_loaded }
|
|
it { should be_disabled }
|
|
end
|
|
|
|
### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
|
|
|
|
describe kernel_module('nvidiafb') do
|
|
it { should_not be_loaded }
|
|
it { should be_blacklisted }
|
|
end
|
|
|
|
### Ensure a module is not loaded
|
|
|
|
describe kernel_module('dhcp') do
|
|
it { should_not be_loaded }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Matchers
|
|
|
|
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
|
|
|
### be_loaded
|
|
|
|
The `be_loaded` matcher tests if the module is a loadable kernel module:
|
|
|
|
it { should be_loaded }
|
|
|
|
### version
|
|
|
|
The `version` matcher tests if the named module version is on the system:
|
|
|
|
its(:version) { should eq '3.2.2' }
|