elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-21 18:23:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

IMP: add multiple Improvements

Browse Source 
* add new kernel module detection (enable & listing)  with detection of monolithic kernel
* change way to detect if file system type is disabled
* add global IS_CONTAINER variable
* disable test for 3.4.x to be consistent with others
* add cli options to override configuration loglevel
This commit is contained in:
jeremydenoun
2021-02-04 16:21:49 +01:00
committed by GitHub
parent ec9e2addc2
commit 0b6ea0d97e
22 changed files with 362 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
lib/common.sh
View File

@ -113,11 +113,36 @@ sudo_wrapper() {
fi
}
#
# detect if container based on cgroup detection
#
is_running_in_container() {
awk -F/ '$2 == "'"$1"'"' /proc/self/cgroup
}
CONTAINER_TYPE=""
IS_CONTAINER=0
if [ "$(is_running_in_container "docker")" != "" ]; then
CONTAINER_TYPE="docker"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "lxc")" != "" ]; then
CONTAINER_TYPE="lxc"
IS_CONTAINER=1
fi
if [ "$(is_running_in_container "kubepods")" != "" ]; then
# shellcheck disable=SC2034
CONTAINER_TYPE="kubepods"
# shellcheck disable=SC2034
IS_CONTAINER=1
fi
#
# Math functions
#
function div() {
div() {
local _d=${3:-2}
local _n=0000000000
_n=${_n:0:$_d}

107
lib/utils.sh
View File

@ -295,51 +295,90 @@ is_service_enabled() {
is_kernel_option_enabled() {
local KERNEL_OPTION="$1"
local MODULE_NAME=""
local MODPROBE_FILTER=""
local RESULT=""
local IS_MONOLITHIC_KERNEL=1
local DEF_MODULE=""
if [ $# -ge 2 ]; then
MODULE_NAME="$2"
fi
if $SUDO_CMD [ -r "/proc/config.gz" ]; then
RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
else
debug "No information about kernel found, you're probably in a container"
FNRET=127
return
if [ $# -ge 3 ]; then
MODPROBE_FILTER="$3"
fi
ANSWER=$(cut -d = -f 2 <<<"$RESULT")
if [ "x$ANSWER" = "xy" ]; then
debug "Kernel option $KERNEL_OPTION enabled"
FNRET=0
elif [ "x$ANSWER" = "xn" ]; then
debug "Kernel option $KERNEL_OPTION disabled"
FNRET=1
else
debug "Kernel option $KERNEL_OPTION not found"
FNRET=2 # Not found
debug "Detect if lsmod is available and does not return an error code (otherwise consider as a monolithic kernel"
if $SUDO_CMD lsmod >/dev/null 2>&1; then
IS_MONOLITHIC_KERNEL=0
fi
if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then
# also check in modules, because even if not =y, maybe
# the admin compiled it separately later (or out-of-tree)
# as a module (regardless of the fact that we have =m or not)
debug "Checking if we have $MODULE_NAME.ko"
local modulefile
modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
if $SUDO_CMD [ -n "$modulefile" ]; then
debug "We do have $modulefile!"
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/; then
debug "... but it's blacklisted!"
FNRET=1 # Not found (found but blacklisted)
# FIXME: even if blacklisted, it might be present in the initrd and
# be insmod from there... but painful to check :/ maybe lsmod would be enough ?
if [ $IS_MONOLITHIC_KERNEL -eq 1 ]; then
if $SUDO_CMD [ -r "/proc/config.gz" ]; then
RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
else
debug "No information about kernel found, you're probably in a container"
FNRET=127
return
fi
ANSWER=$(cut -d = -f 2 <<<"$RESULT")
if [ "x$ANSWER" = "xy" ]; then
debug "Kernel option $KERNEL_OPTION enabled"
FNRET=0
elif [ "x$ANSWER" = "xn" ]; then
debug "Kernel option $KERNEL_OPTION disabled"
FNRET=1
else
debug "Kernel option $KERNEL_OPTION not found"
FNRET=2 # Not found
fi
if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then
# also check in modules, because even if not =y, maybe
# the admin compiled it separately later (or out-of-tree)
# as a module (regardless of the fact that we have =m or not)
debug "Checking if we have $MODULE_NAME.ko"
local modulefile
modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
if $SUDO_CMD [ -n "$modulefile" ]; then
debug "We do have $modulefile!"
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/*.conf; then
debug "... but it's blacklisted!"
FNRET=1 # Not found (found but blacklisted)
fi
# ... but wait, maybe it's override ? check files in /etc/modprobe.d/ for "install xyz /bin/(true|false)"
if grep -aRE "^\s*install\s+$MODULE_NAME\s+/bin/(true|false)\s*$" /etc/modprobe.d/*.conf; then
debug "... but it's override!"
FNRET=1 # Not found (found but override)
fi
FNRET=0 # Found!
fi
FNRET=0 # Found!
fi
else
if [ "$FILTER" != "" ]; then
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
else
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
fi
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
debug "$MODULE_NAME is disabled (blacklist with override)"
FNRET=1
elif [ "$DEF_MODULE" == "" ]; then
debug "$MODULE_NAME is disabled"
FNRET=1
else
debug "$MODULE_NAME is enabled"
FNRET=0
fi
if [ "$($SUDO_CMD lsmod | grep -E "$MODULE_NAME" 2>/dev/null)" != "" ]; then
debug "$MODULE_NAME is enabled"
FNRET=0
fi
fi
}