mirror of
https://github.com/inspec/inspec
synced 2024-11-14 00:47:10 +00:00
cc7ed38d09
* Fix up methods, add command mock, do string matching in ruby instead of command Fixes #1643 Fixes #1673 Signed-off-by: Aaron Lippold <lippold@gmail.com>
110 lines
2.8 KiB
Ruby
110 lines
2.8 KiB
Ruby
# encoding: utf-8
|
|
# author: Christoph Hartmann
|
|
# author: Dominik Richter
|
|
# author: Aaron Lippold
|
|
# author: Adam Leff
|
|
|
|
module Inspec::Resources
|
|
class KernelModule < Inspec.resource(1)
|
|
name 'kernel_module'
|
|
desc 'Use the kernel_module InSpec audit resource to test kernel modules on
|
|
Linux platforms. These parameters are located under /lib/modules. Any submodule
|
|
may be tested using this resource.
|
|
|
|
The `kernel_module` resource can also verify if a kernel module is `blacklisted`
|
|
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
|
|
method.'
|
|
|
|
example "
|
|
|
|
describe kernel_module('video') do
|
|
it { should be_loaded }
|
|
it { should_not be_disabled }
|
|
it { should_not be_blacklisted }
|
|
end
|
|
|
|
describe kernel_module('sstfb') do
|
|
it { should_not be_loaded }
|
|
it { should be_disabled }
|
|
end
|
|
|
|
describe kernel_module('floppy') do
|
|
it { should be_blacklisted }
|
|
end
|
|
|
|
describe kernel_module('dhcp') do
|
|
it { should_not be_loaded }
|
|
end
|
|
"
|
|
|
|
def initialize(modulename = nil)
|
|
@module = modulename
|
|
# this resource is only supported on Linux
|
|
return skip_resource 'The `kernel_parameter` resource is not supported on your OS.' if !inspec.os.linux?
|
|
end
|
|
|
|
def loaded?
|
|
if inspec.os.redhat? || inspec.os.name == 'fedora'
|
|
lsmod_cmd = '/sbin/lsmod'
|
|
else
|
|
lsmod_cmd = 'lsmod'
|
|
end
|
|
|
|
# get list of all modules
|
|
cmd = inspec.command(lsmod_cmd)
|
|
return false if cmd.exit_status != 0
|
|
|
|
# check if module is loaded
|
|
re = Regexp.new('^'+Regexp.quote(@module)+'\s')
|
|
found = cmd.stdout.match(re)
|
|
!found.nil?
|
|
end
|
|
|
|
def disabled?
|
|
!modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/(true|false)}).nil?
|
|
end
|
|
|
|
def blacklisted?
|
|
!modprobe_output.match(/^blacklist\s+#{@module}/).nil? || disabled_via_bin_true? || disabled_via_bin_false?
|
|
end
|
|
|
|
def version
|
|
cmd = inspec.command("#{modinfo_cmd_for_os} -F version #{@module}")
|
|
cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil
|
|
end
|
|
|
|
def to_s
|
|
"Kernel Module #{@module}"
|
|
end
|
|
|
|
private
|
|
|
|
def modprobe_output
|
|
@modprobe_output ||= inspec.command("#{modprobe_cmd_for_os} --showconfig").stdout
|
|
end
|
|
|
|
def modinfo_cmd_for_os
|
|
if inspec.os.redhat? || inspec.os.name == 'fedora'
|
|
'/sbin/modinfo'
|
|
else
|
|
'modinfo'
|
|
end
|
|
end
|
|
|
|
def modprobe_cmd_for_os
|
|
if inspec.os.redhat? || inspec.os.name == 'fedora'
|
|
'/sbin/modprobe'
|
|
else
|
|
'modprobe'
|
|
end
|
|
end
|
|
|
|
def disabled_via_bin_true?
|
|
!modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/true}).nil?
|
|
end
|
|
|
|
def disabled_via_bin_false?
|
|
!modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/false}).nil?
|
|
end
|
|
end
|
|
end
|