tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tests_filesystems: check for blacklisted modules also under 

/usr/lib/modules.d
This commit is contained in:
Johannes Segitz 2021-10-13 16:31:09 +02:00
parent 798c1054d7
commit 13a8d2a190
1 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
include/tests_filesystems
View File

@ -836,16 +836,19 @@
AddHP 3 3 AddHP 3 3
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
fi fi
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) for SUBDIR in "${ROOTDIR}etc" "/usr/lib"; do
FIND=$(${LSBINARY} ${SUBDIR}/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${SUBDIR}/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${SUBDIR}/modprobe.d/* | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
LogText "Result: module ${FS} is blacklisted" LogText "Result: module ${FS} is blacklisted"
break
fi fi
fi fi
done done
done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}" Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
ReportSuggestion "${TEST_NO}" "Consider disabling unused kernel modules" "/etc/modprobe.d/blacklist.conf" "Add 'install MODULENAME /bin/true' (without quotes)" ReportSuggestion "${TEST_NO}" "Consider disabling unused kernel modules" "/etc/modprobe.d/blacklist.conf" "Add 'install MODULENAME /bin/true' (without quotes)"