
The current "is_kernel_option_enabled" function does many things at once: it checks for a kernel option AND checks a kernel module's state AND checks whether the module is disabled. We split it into separate functions: - is_kernel_monolithic - is_kernel_option_enabled -> check for a kernel configuration option in the running kernel - is_kernel_module_loaded -> check whether a module is currently loaded - is_kernel_module_available -> check whether a module is configured in any of the available kernel configs - is_kernel_module_disabled -> check whether a kernel module is disabled in the modprobe configuration. Also: - update its behaviour to the Debian 12 CIS recommendation, i.e. check whether a module is "available in ANY installed kernel" - fix "disable_usb_storage" to look for the correct module name once loaded: issue #249 - the associated checks now verify separately whether the module is loaded and whether it is configured - for checks about kernel module presence, the "apply" function now disables the module in the modprobe configuration (if the kernel is not monolithic), but still will not unload it
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Ensure mounting of jffs2 filesystems is disabled (Scored)
#
# Abort on the first failing command and on any reference to an unset variable:
# a hardening check must never half-apply.
set -o errexit # One error, it's over
set -o nounset # One variable unset, it's over

# Both variables below are consumed by the shared lib (sourced at the bottom of
# this file), hence the "unused" shellcheck waivers.
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Disable mounting of jffs2 filesystems."

# Kernel build-time option that compiles the filesystem driver ...
KERNEL_OPTION="CONFIG_JFFS2_FS"
# ... and the name of the resulting loadable module.
MODULE_NAME="jffs2"
#######################################
# Audit entry point, called when the script status is enabled or audit mode.
# Reports whether the jffs2 module is loaded, and on a modular kernel whether
# it is blacklisted in modprobe or at least absent from every kernel config.
# Globals:   IS_CONTAINER, IS_MONOLITHIC_KERNEL, KERNEL_OPTION, MODULE_NAME (read)
#            FNRET (set by the is_kernel_module_* lib helpers, 0 = true)
# Outputs:   ok/crit status lines through the lib helpers
#######################################
audit() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing or disable this check!"
        return
    fi

    # Is the module loaded right now? FNRET follows the shell convention: 0 means yes.
    is_kernel_module_loaded "$KERNEL_OPTION" "$MODULE_NAME"
    if [ "$FNRET" -eq 0 ]; then
        crit "$MODULE_NAME is loaded!"
    else
        ok "$MODULE_NAME is not loaded"
    fi

    # The modprobe/config checks only make sense on a modular kernel. The lib's helpers
    # report "true" as 0, so `-eq 1` presumably means "not monolithic" — confirm in lib/.
    [ "$IS_MONOLITHIC_KERNEL" -eq 1 ] || return 0

    is_kernel_module_disabled "$MODULE_NAME"
    if [ "$FNRET" -eq 0 ]; then
        ok "$MODULE_NAME is disabled in the modprobe configuration"
        return
    fi

    # Not blacklisted: it is only a finding if some installed kernel can actually provide it.
    is_kernel_module_available "$KERNEL_OPTION"
    if [ "$FNRET" -eq 0 ]; then
        crit "$MODULE_NAME is available in some kernel config, but not disabled"
    else
        ok "$MODULE_NAME is not available in any kernel config"
    fi
}
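#######################################
# Remediation entry point, called when the script status is enabled mode.
# Reports a loaded jffs2 module (without unloading it) and, on a modular kernel,
# blacklists the module in /etc/modprobe.d if it is not already disabled there.
# Globals:   IS_CONTAINER, IS_MONOLITHIC_KERNEL, KERNEL_OPTION, MODULE_NAME (read)
#            LOADED_MODULE_NAME (read if set, falls back to MODULE_NAME)
#            FNRET (set by the is_kernel_module_* lib helpers, 0 = true)
# Outputs:   ok/crit/warn/info status lines through the lib helpers;
#            appends to /etc/modprobe.d/<MODULE_NAME>.conf when remediating
#######################################
apply() {
    if [ "$IS_CONTAINER" -eq 1 ]; then
        # In an unprivileged container, the kernel modules are host dependent, so you should consider enforcing it
        ok "Container detected, consider host enforcing!"
        return
    fi

    # This script never sets LOADED_MODULE_NAME, and with `set -u` an unset variable
    # would abort apply() before any remediation runs. For jffs2 the module keeps its
    # name once loaded, so MODULE_NAME is the right default; an explicit
    # LOADED_MODULE_NAME (if the lib or a sibling check defines one) still wins.
    local loaded_module_name="${LOADED_MODULE_NAME:-$MODULE_NAME}"

    is_kernel_module_loaded "$KERNEL_OPTION" "$loaded_module_name"
    if [ "$FNRET" -eq 0 ]; then # 0 means true in bash, so it IS activated
        crit "$loaded_module_name is loaded!"
        warn "I wont unload the module, unload it manually or recompile the kernel if needed"
    fi

    # Blacklisting only makes sense on a modular kernel. The lib's helpers report
    # "true" as 0, so `-eq 1` presumably means "not monolithic" — confirm in lib/.
    if [ "$IS_MONOLITHIC_KERNEL" -eq 1 ]; then
        is_kernel_module_disabled "$MODULE_NAME"
        # Only FNRET == 1 ("not disabled") triggers remediation; any other non-zero value
        # the helper may return is deliberately left alone — verify against the lib.
        if [ "$FNRET" -eq 1 ]; then
            # Mapping the module to /bin/true makes modprobe a no-op for it.
            printf 'install %s /bin/true\n' "$MODULE_NAME" >>/etc/modprobe.d/"$MODULE_NAME".conf
            info "$MODULE_NAME has been disabled in the modprobe configuration"
        fi
    fi
}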
#######################################
# Validate the configuration parameters this check requires.
# Nothing is needed for this check, so this is a deliberate no-op that succeeds.
# Returns:   0 always
#######################################
check_config() {
    return 0
}
# Source Root Dir Parameter
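if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
fi
# `set -u` is active above: without the `:-` default, an unset CIS_LIB_DIR aborts the
# script with a bare "unbound variable" error instead of reaching the explanatory
# message below. Diagnostics go to stderr so they are not mistaken for check output.
if [ -z "${CIS_LIB_DIR:-}" ]; then
    printf '%s\n' "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." >&2
    printf '%s\n' "Cannot source CIS_LIB_DIR variable, aborting." >&2
    exit 128
fi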
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
# Bail out early when the shared library cannot be read; otherwise hand control
# to main.sh, which dispatches to audit/apply/check_config above.
if [ ! -r "${CIS_LIB_DIR}"/main.sh ]; then
    printf '%s\n' "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
    exit 128
fi
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh