From 8f855ac15931eb17fdb2e370e01d61cc42c49ab9 Mon Sep 17 00:00:00 2001
From: Jan Schmidle
Date: Wed, 20 Oct 2021 14:51:29 +0200
Subject: [PATCH] fix: kernel module detection (#129)

* fix: add filter to hfs

* fix is_kernel_option_enabled check as the module in question could have dependencies which have been blacklisted as well we need to make sure that the comparison only checks for the module in question - the last line in the output.

Co-authored-by: GoldenKiwi
---
 bin/hardening/1.1.1.3_disable_hfs.sh | 4 ++--
 bin/hardening/1.1.1.4_disable_hfsplus.sh | 4 ++--
 lib/utils.sh | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/bin/hardening/1.1.1.3_disable_hfs.sh b/bin/hardening/1.1.1.3_disable_hfs.sh
index 30f7b80..6607d26 100755
--- a/bin/hardening/1.1.1.3_disable_hfs.sh
+++ b/bin/hardening/1.1.1.3_disable_hfs.sh
@@ -26,7 +26,7 @@ audit() {
 # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
 ok "Container detected, consider host enforcing or disable this check!"
 else
- is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+ is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 crit "$MODULE_NAME is enabled!"
 else
@@ -41,7 +41,7 @@ apply() {
 # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
 ok "Container detected, consider host enforcing!"
 else
- is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+ is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
 else
diff --git a/bin/hardening/1.1.1.4_disable_hfsplus.sh b/bin/hardening/1.1.1.4_disable_hfsplus.sh
index 3184e5b..824d456 100755
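Review bot: The new third argument `"($MODULE_NAME|install)"` in audit() is an extended regex consumed by `grep -E` in the helper, and the identical literal is repeated again in apply() below, so the two call sites can silently drift apart the next time the filter is tuned; define it once next to `MODULE_NAME` at the top of the script (outside this hunk), e.g. `MODPROBE_FILTER="(${MODULE_NAME}|install)"`, and pass `"$MODPROBE_FILTER"` from both functions. The pattern is also unanchored: the `hfs` alternative matches any path containing "hfs" (an `hfsplus` line included) and the `install` alternative matches the `install /bin/true` line of a blacklisted dependency, so the check presumably only gives the right answer because the helper in lib/utils.sh now keeps just the last matching line — worth a comment on the call so that coupling is visible here. audit()'s body starts and ends outside this hunk.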
--- a/bin/hardening/1.1.1.4_disable_hfsplus.sh
+++ b/bin/hardening/1.1.1.4_disable_hfsplus.sh
@@ -26,7 +26,7 @@ audit() {
 # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
 ok "Container detected, consider host enforcing or disable this check!"
 else
- is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+ is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 crit "$MODULE_NAME is enabled!"
 else
@@ -41,7 +41,7 @@ apply() {
 # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
 ok "Container detected, consider host enforcing!"
 else
- is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME"
+ is_kernel_option_enabled "$KERNEL_OPTION" "$MODULE_NAME" "($MODULE_NAME|install)"
 if [ "$FNRET" = 0 ]; then # 0 means true in bash, so it IS activated
 warn "I cannot fix $MODULE_NAME, recompile your kernel or blacklist module $MODULE_NAME (/etc/modprobe.d/blacklist.conf : +install $MODULE_NAME /bin/true)"
 else
diff --git a/lib/utils.sh b/lib/utils.sh
index d73fbcf..63f2afa 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -384,9 +384,9 @@ is_kernel_option_enabled() {
 fi
 else
 if [ "$MODPROBE_FILTER" != "" ]; then
- DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | xargs)"
+ DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | grep -E "$MODPROBE_FILTER" | tail -1 | xargs)"
 else
- DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | xargs)"
+ DEF_MODULE="$($SUDO_CMD modprobe -n -v "$MODULE_NAME" 2>/dev/null | tail -1 | xargs)"
 fi
 if [ "$DEF_MODULE" == "install /bin/true" ] || [ "$DEF_MODULE" == "install /bin/false" ]; then
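Review bot: The regex added to the audit() call is undocumented in this script, and nothing here says why a module check suddenly needs a grep filter; add a comment above the new line, e.g. `# restrict modprobe's dry-run output to the hfsplus line itself: a blacklisted dependency also prints "install /bin/true" and must not be taken for this module`. Because the filter is built from `$MODULE_NAME`, anyone copying this line to another 1.1.1.x script should also be warned that the name is used as a regex fragment and that, as far as I recall, modprobe reports module files with underscores where the name has hyphens, so a hyphenated `MODULE_NAME` would presumably fail to match its own insmod line — confirm before reusing the pattern. audit()'s body starts and ends outside this hunk.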