elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-15 13:22:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

refactor: is_kernel_option_enabled

Browse Source 
Current "is_kernel_option_enabled" function is doing many things, like checking for a kernel option AND checking a kernel module state AND checking if it is disabled
We split it in different functions:
        - is_kernel_monolithic
        - is_kernel_option_enabled -> check for a kernel configuration in the running kernel
        - is_kernel_module_loaded -> check if a module is currently loaded
        - is_kernel_module_available -> check if a module is configured in all available kernel configs
        - is_kernel_module_disabled   -> check if a kernel module is disabled in the modprobe configuration

Also:

- update its behaviour to debian 12 CIS recommendation, to check if a module is "available in ANY installed kernel"
- fix "disable_usb_storage" to look for correct module name once loaded : issue #249
- the associated checks now check separately if the module is loaded, and if it is configured
- for checks about kernel module presence, the "apply" function now manages to disable the module in the modprobe configuration (if kernel not monolithic) (but still wont unload it)
This commit is contained in:
Damien Cavagnini
2025-07-07 15:30:22 +02:00
parent ab0dba9f95
commit 3753a72723
13 changed files with 452 additions and 183 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
bin/hardening/disable_cramfs.sh
View File

@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_dccp.sh
View File

@ -28,11 +28,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -43,11 +57,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_freevxfs.sh
View File

@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_hfs.sh
View File

@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_hfsplus.sh
View File

@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_jffs2.sh
View File

@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_rds.sh
View File

@ -28,11 +28,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -43,11 +57,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_sctp.sh
View File

@ -28,11 +28,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -43,11 +57,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_squashfs.sh
View File

@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_tipc.sh
View File

@ -28,11 +28,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -43,11 +57,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

39
bin/hardening/disable_udf.sh
View File

@ -26,11 +26,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -41,11 +55,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

42
bin/hardening/disable_usb_storage.sh
View File

@ -20,7 +20,10 @@ DESCRIPTION="Disable USB storage."
# Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels # Note: we check /proc/config.gz to be compliant with both monolithic and modular kernels
KERNEL_OPTION="CONFIG_USB_STORAGE" KERNEL_OPTION="CONFIG_USB_STORAGE"
# name as used for "modprobe"
MODULE_NAME="usb-storage" MODULE_NAME="usb-storage"
# name as returned by "modinfo -F name <module_file.ko>"
LOADED_MODULE_NAME="usb_storage"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
@ -28,11 +31,25 @@ audit() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing or disable this check!" ok "Container detected, consider host enforcing or disable this check!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
crit "$MODULE_NAME is enabled!" crit "$LOADED_MODULE_NAME is loaded!"
else else
ok "$MODULE_NAME is disabled" ok "$LOADED_MODULE_NAME is not loaded"
fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 0 ]; then
ok "$MODULE_NAME is disabled in the modprobe configuration"
else
is_kernel_module_available "$KERNEL_OPTION"
if [ "$FNRET" -eq 0 ]; then
crit "$MODULE_NAME is available in some kernel config, but not disabled"
else
ok "$MODULE_NAME is not available in any kernel config"
fi
fi
fi fi
fi fi
} }
@ -43,11 +60,18 @@ apply() {
# In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
ok "Container detected, consider host enforcing!" ok "Container detected, consider host enforcing!"
else else
is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" is_kernel_module_loaded "$KERNEL_OPTION" "$LOADED_MODULE_NAME"
if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)" crit "$LOADED_MODULE_NAME is loaded!"
else warn "I wont unload the module, unload it manually or recompile the kernel if needed"
ok "$MODULE_NAME is disabled" fi
if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
is_kernel_module_disabled "$MODULE_NAME"
if [ "$FNRET" -eq 1 ]; then
echo "install $MODULE_NAME /bin/true" >>/etc/modprobe.d/"$MODULE_NAME".conf
info "$MODULE_NAME has been disabled in the modprobe configuration"
fi
fi fi
fi fi
} }

138
lib/utils.sh
View File

@ -319,39 +319,38 @@ is_service_enabled() {
# #
# Kernel Options checks # Kernel Options checks
# #
is_kernel_monolithic() {
is_kernel_option_enabled() { debug "Detect if /proc/modules is available, otherwise consider as a monolithic kernel"
local KERNEL_OPTION="$1" if $SUDO_CMD ls /proc/modules >/dev/null 2>&1; then
local MODULE_NAME="" IS_MONOLITHIC_KERNEL=1
local MODPROBE_FILTER="" else
local RESULT=""
local IS_MONOLITHIC_KERNEL=1
local DEF_MODULE=""
if [ $# -ge 2 ]; then
MODULE_NAME="$2"
fi
if [ $# -ge 3 ]; then
MODPROBE_FILTER="$3"
fi
debug "Detect if lsmod is available and does not return an error code (otherwise consider as a monolithic kernel"
if $SUDO_CMD lsmod >/dev/null 2>&1; then
IS_MONOLITHIC_KERNEL=0 IS_MONOLITHIC_KERNEL=0
fi fi
}
if [ $IS_MONOLITHIC_KERNEL -eq 1 ]; then is_kernel_option_enabled() {
if $SUDO_CMD [ -r "/proc/config.gz" ]; then # check if kernel option is configured for the running kernel
local KERNEL_OPTION="$1"
local RESULT=""
is_kernel_monolithic
if [ "$IS_MONOLITHIC_KERNEL" -eq 0 ] && $SUDO_CMD [ -r "/proc/config.gz" ]; then
RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || : RESULT=$($SUDO_CMD zgrep "^$KERNEL_OPTION=" /proc/config.gz) || :
elif $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then fi
# modular kernel, or no configuration found in /proc
if [[ "$RESULT" == "" ]]; then
if $SUDO_CMD [ -r "/boot/config-$(uname -r)" ]; then
RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || : RESULT=$($SUDO_CMD grep "^$KERNEL_OPTION=" "/boot/config-$(uname -r)") || :
else else
debug "No information about kernel found, you're probably in a container" info "No information about kernel configuration found"
FNRET=127 FNRET=127
return return
fi fi
fi
local ANSWER=""
ANSWER=$(cut -d = -f 2 <<<"$RESULT") ANSWER=$(cut -d = -f 2 <<<"$RESULT")
if [ "$ANSWER" = "y" ]; then if [ "$ANSWER" = "y" ]; then
debug "Kernel option $KERNEL_OPTION enabled" debug "Kernel option $KERNEL_OPTION enabled"
@ -363,51 +362,66 @@ is_kernel_option_enabled() {
debug "Kernel option $KERNEL_OPTION not found" debug "Kernel option $KERNEL_OPTION not found"
FNRET=2 # Not found FNRET=2 # Not found
fi fi
}
if $SUDO_CMD [ "$FNRET" -ne 0 ] && [ -n "$MODULE_NAME" ] && [ -d "/lib/modules/$(uname -r)" ]; then is_kernel_module_disabled() {
# also check in modules, because even if not =y, maybe # check if a kernel module is disabled in the modprobe configuration
# the admin compiled it separately later (or out-of-tree) local MODULE_NAME="$1"
# as a module (regardless of the fact that we have =m or not)
debug "Checking if we have $MODULE_NAME.ko"
local modulefile
modulefile=$($SUDO_CMD find "/lib/modules/$(uname -r)/" -type f -name "$MODULE_NAME.ko")
if $SUDO_CMD [ -n "$modulefile" ]; then
debug "We do have $modulefile!"
# ... but wait, maybe it's blacklisted? check files in /etc/modprobe.d/ for "blacklist xyz"
if grep -qRE "^\s*blacklist\s+$MODULE_NAME\s*$" /etc/modprobe.d/*.conf; then
debug "... but it's blacklisted!"
FNRET=1 # Not found (found but blacklisted)
fi
# ... but wait, maybe it's override ? check files in /etc/modprobe.d/ for "install xyz /bin/(true|false)"
if grep -aRE "^\s*install\s+$MODULE_NAME\s+/bin/(true|false)\s*$" /etc/modprobe.d/*.conf; then
debug "... but it's override!"
FNRET=1 # Not found (found but override)
fi
FNRET=0 # Found!
fi
fi
else
if [ "$MODPROBE_FILTER" != "" ]; then
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | tail -1 | xargs)"
else
DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | tail -1 | xargs)"
fi
if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
debug "$MODULE_NAME is disabled (blacklist with override)"
FNRET=1 FNRET=1
elif [ "$DEF_MODULE" == "" ]; then
local module_is_disabled=0
# is it blacklisted ?
if grep -qE "\s?+[^#]?blacklist\s+$MODULE_NAME\s?$" /etc/modprobe.d/*.conf; then
debug "$MODULE_NAME is blacklisted"
module_is_disabled=1
# maybe it is overriden ? check files in /etc/modprobe.d/ for "install xyz /bin/(true|false)"
elif grep -qE "\s?+[^#]?install\s+$MODULE_NAME\s+/bin/(true|false)\s?$" /etc/modprobe.d/*.conf; then
debug "$MODULE_NAME is disabled" debug "$MODULE_NAME is disabled"
FNRET=1 module_is_disabled=1
else
debug "$MODULE_NAME is enabled"
FNRET=0
fi fi
if [ "$($SUDO_CMD lsmod | grep -E "$MODULE_NAME" 2>/dev/null)" != "" ]; then if [ "$module_is_disabled" -eq 1 ]; then
debug "$MODULE_NAME is enabled" debug "$MODULE_NAME is disabled in modprobe config"
FNRET=0 FNRET=0
fi fi
}
is_kernel_module_available() {
# check if a kernel module is loadable, in a non monolithic kernel
local KERNEL_OPTION="$1"
FNRET=1
is_kernel_monolithic
if [ "$IS_MONOLITHIC_KERNEL" -eq 0 ]; then
info "your kernel is monolithic, no need to check for module availability"
return
fi
# look if a module is present as a loadable module in ANY available kernel, per CIS recommendation
# shellcheck disable=2013
for config_file in $($SUDO_CMD grep -l "^$KERNEL_OPTION=" /boot/config-*); do
module_config=$($SUDO_CMD grep "^$KERNEL_OPTION=" "$config_file" | cut -d= -f 2)
if [ "$module_config" == 'm' ]; then
debug "\"${KERNEL_OPTION}=m\" found in $config_file as module"
FNRET=0
fi
done
}
is_kernel_module_loaded() {
# check if a kernel module is actually loaded
local KERNEL_OPTION="$1"
local LOADED_MODULE_NAME="$2"
FNRET=1
is_kernel_monolithic
if [ "$IS_MONOLITHIC_KERNEL" -eq 0 ]; then
# check if module is compiled
# if yes, then it is loaded
is_kernel_option_enabled "$KERNEL_OPTION"
elif $SUDO_CMD grep -w "$LOADED_MODULE_NAME" /proc/modules >/dev/null 2>&1; then
debug "$LOADED_MODULE_NAME is loaded in the running kernel in /proc/modules"
FNRET=0 # Found!
fi fi
} }