refactor: is_kernel_option_enabled
The current "is_kernel_option_enabled" function does many things: it checks for a kernel option AND checks a kernel module's state AND checks whether it is disabled. We split it into separate functions: - is_kernel_monolithic - is_kernel_option_enabled -> check for a kernel configuration option in the running kernel - is_kernel_module_loaded -> check whether a module is currently loaded - is_kernel_module_available -> check whether a module is configured across all available kernel configs - is_kernel_module_disabled -> check whether a kernel module is disabled in the modprobe configuration Also: - update its behaviour to the Debian 12 CIS recommendation, which checks whether a module is "available in ANY installed kernel" - fix "disable_usb_storage" to look for the correct module name once loaded: issue #249 - the associated checks now check separately whether the module is loaded and whether it is configured - for checks about kernel module presence, the "apply" function now disables the module in the modprobe configuration (if the kernel is not monolithic) (but still won't unload it)
@ -26,11 +26,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -41,11 +55,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
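Review bot: The loaded-module check in apply(), `is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"`, names a variable that audit() in the same file passes as `"$MODULE_NAME"` (the `is_kernel_module_loaded` call in the preceding audit hunk), and nothing in this hunk assigns LOADED_MODULE_NAME; within this commit only the last file section (the disable_usb_storage script) adds `LOADED_MODULE_NAME="usb_storage"`. Unless it is set earlier in this file outside the hunk, apply() passes an empty module name, the `crit`/`warn` lines on the loaded branch can never fire, and the condition audit() reports as critical is silently skipped during remediation. Either pass `"$MODULE_NAME"` here as audit() does, or define LOADED_MODULE_NAME in every script that uses it. The same audit/apply mismatch appears in the apply() hunk of each following file section except the last one.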
|
||||
|
@ -28,11 +28,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
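Review bot: `if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then` guards the modprobe-configuration check, yet the commit description says that check applies when the kernel is *not* monolithic, so a reader takes the condition as the opposite of what it does; the variable is also never assigned anywhere in this hunk. Please add a comment on that line, e.g. `# IS_MONOLITHIC_KERNEL follows the FNRET convention: 1 means the kernel is NOT monolithic, so the modprobe configuration is meaningful`, after confirming the convention against is_kernel_monolithic. If the variable can be unset when this branch runs, `[ "" -eq 1 ]` prints "integer expression expected" to stderr instead of cleanly evaluating false, so a default such as `: "${IS_MONOLITHIC_KERNEL:=0}"` (or an explicit `is_kernel_monolithic` call) before the test is worth adding. The same test appears in both hunks of every file section of this commit. audit() begins before this hunk.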
|
||||
@ -43,11 +57,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -26,11 +26,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
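Review bot: The new audit() path no longer consults the running kernel's configuration: after the container check it only calls is_kernel_module_loaded and, for the `IS_MONOLITHIC_KERNEL -eq 1` case, the modprobe configuration, while the context comment kept in the last file section ("we check /proc/config.gz to be compliant with both monolithic and modular kernels") documents why the old call existed. If is_kernel_module_loaded only reads the loaded-module list, a kernel with the option built in (=y, including a monolithic kernel) reports `ok "$MODULE_NAME is not loaded"` and nothing else, so the feature the check is meant to deny is present and the audit passes. Consider calling the new `is_kernel_option_enabled "$KERNEL_OPTION"` first and reporting `crit` when it returns 0 for a built-in option — the commit message defines that function for exactly this purpose. This applies to the audit() hunk of every file section. audit() begins before this hunk.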
|
||||
@ -41,11 +55,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -26,11 +26,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -41,11 +55,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -26,11 +26,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -41,11 +55,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -26,11 +26,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -41,11 +55,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -28,11 +28,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -43,11 +57,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -28,11 +28,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -43,11 +57,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -26,11 +26,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -41,11 +55,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -28,11 +28,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -43,11 +57,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -26,11 +26,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -41,11 +55,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -20,7 +20,10 @@ DESCRIPTION="Disable USB storage."
|
||||
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
|
||||
|
||||
KERNEL_OPTION="CONFIG_USB_STORAGE"
|
||||
# name as used for "modprobe"
|
||||
MODULE_NAME="usb-storage"
|
||||
# name as returned by "modinfo -F name <module_file.ko>"
|
||||
LOADED_MODULE_NAME="usb_storage"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
@ -28,11 +31,25 @@ audit() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing or disable this check!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$MODULE_NAME is enabled!"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
ok "$LOADED_MODULE_NAME is not loaded"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
ok "$MODULE_NAME is disabled in the modprobe configuration"
|
||||
else
|
||||
is_kernel_module_available "$KERNEL_OPTION"
|
||||
if [ "$FNRET" -eq 0 ]; then
|
||||
crit "$MODULE_NAME is available in some kernel config, but not disabled"
|
||||
else
|
||||
ok "$MODULE_NAME is not available in any kernel config"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -43,11 +60,18 @@ apply() {
|
||||
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
|
||||
ok "Container detected, consider host enforcing!"
|
||||
else
|
||||
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
|
||||
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
|
||||
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
|
||||
else
|
||||
ok "$MODULE_NAME is disabled"
|
||||
is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
|
||||
if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
|
||||
crit "$LOADED_MODULE_NAME is loaded!"
|
||||
warn "I wont unload the module, unload it manually or recompile the kernel if needed"
|
||||
fi
|
||||
|
||||
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
|
||||
is_kernel_module_disabled "$MODULE_NAME"
|
||||
if [ "$FNRET" -eq 1 ]; then
|
||||
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
|
||||
info "$MODULE_NAME has been disabled in the modprobe configuration"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
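Review bot: The remediation `echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf` is reported as a success unconditionally on the next line; if /etc is read-only or the directory is missing the redirection fails and `info "... has been disabled in the modprobe configuration"` is still printed. Write it as `if echo "install $MODULE_NAME /bin/true" >>"/etc/modprobe.d/$MODULE_NAME.conf"; then info "$MODULE_NAME has been disabled in the modprobe configuration"; else crit "could not write /etc/modprobe.d/$MODULE_NAME.conf"; fi`. Since the description targets the Debian 12 CIS recommendation, note that the benchmark's remediation pairs `install <module> /bin/false` with a `blacklist <module>` line — `/bin/true` makes a later modprobe of the module succeed silently, whereas `/bin/false` fails loudly; worth confirming against the benchmark text and keeping is_kernel_module_disabled in step with whatever form is written. The same write appears in the apply() hunk of every preceding file section.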
|
||||
|