inspec/lib/resources/kernel_module.rb
Aaron Lippold cc7ed38d09 kernel_module resource: added blacklisting, enabled, disabled, docs and unit tests (#1798)
* Fix up methods, add command mock, do string matching in ruby instead of command

Fixes #1643
Fixes #1673

Signed-off-by: Aaron Lippold <lippold@gmail.com>
2017-07-05 11:41:44 +02:00

110 lines
2.8 KiB
Ruby

# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter
# author: Aaron Lippold
# author: Adam Leff
module Inspec::Resources
class KernelModule < Inspec.resource(1)
name 'kernel_module'
desc 'Use the kernel_module InSpec audit resource to test kernel modules on
Linux platforms. These parameters are located under /lib/modules. Any submodule
may be tested using this resource.
The `kernel_module` resource can also verify if a kernel module is `blacklisted`
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
method.'
example "
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
end
describe kernel_module('floppy') do
it { should be_blacklisted }
end
describe kernel_module('dhcp') do
it { should_not be_loaded }
end
"
def initialize(modulename = nil)
@module = modulename
# this resource is only supported on Linux
return skip_resource 'The `kernel_parameter` resource is not supported on your OS.' if !inspec.os.linux?
end
def loaded?
if inspec.os.redhat? || inspec.os.name == 'fedora'
lsmod_cmd = '/sbin/lsmod'
else
lsmod_cmd = 'lsmod'
end
# get list of all modules
cmd = inspec.command(lsmod_cmd)
return false if cmd.exit_status != 0
# check if module is loaded
re = Regexp.new('^'+Regexp.quote(@module)+'\s')
found = cmd.stdout.match(re)
!found.nil?
end
def disabled?
!modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/(true|false)}).nil?
end
def blacklisted?
!modprobe_output.match(/^blacklist\s+#{@module}/).nil? || disabled_via_bin_true? || disabled_via_bin_false?
end
def version
cmd = inspec.command("#{modinfo_cmd_for_os} -F version #{@module}")
cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil
end
def to_s
"Kernel Module #{@module}"
end
private
def modprobe_output
@modprobe_output ||= inspec.command("#{modprobe_cmd_for_os} --showconfig").stdout
end
def modinfo_cmd_for_os
if inspec.os.redhat? || inspec.os.name == 'fedora'
'/sbin/modinfo'
else
'modinfo'
end
end
def modprobe_cmd_for_os
if inspec.os.redhat? || inspec.os.name == 'fedora'
'/sbin/modprobe'
else
'modprobe'
end
end
def disabled_via_bin_true?
!modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/true}).nil?
end
def disabled_via_bin_false?
!modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/false}).nil?
end
end
end