tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-23 22:04:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

[FILE-6430] minor code improvements and show suggestion with more details

Browse Source
This commit is contained in:
Michael Boelen 2019-12-18 19:20:48 +01:00
parent 4381382d7e
commit 35d248b74c
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 5 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
include/tests_filesystems
View File

@ -759,7 +759,7 @@
# Test : FILE-6430 # Test : FILE-6430
# Description : Disable mounting of some filesystems # Description : Disable mounting of some filesystems
# Rationale : Unless there is a specific reason to use a particular file system, disable it. # Rationale : Unless there is a specific reason to use a particular file system, disable it.
# Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf # Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems" Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then if [ -n "${LSMODBINARY}" -a -f /proc/modules ]; then
@ -770,19 +770,17 @@
AVAILABLE_MODPROBE_FS="" AVAILABLE_MODPROBE_FS=""
for FS in ${LIST_FS_NOT_SUPPORTED}; do for FS in ${LIST_FS_NOT_SUPPORTED}; do
# Check if filesystem is present in modprobe output # Check if filesystem is present in modprobe output
FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1) FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1)
if [ -n "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: found module support in kernel: ${FIND}" LogText "Result: found ${FS} support in the kernel (output = ${FIND})"
Debug "Module ${FS} present in the kernel" Debug "Module ${FS} present in the kernel"
LogText "Test: Checking if ${FS} is active" LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output # Check if FS is present in lsmod output
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}") FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
if IsEmpty "${FIND}"; then if IsEmpty "${FIND}"; then
LogText "Result: module ${FS} is not loaded in the kernel" LogText "Result: module ${FS} is currently not loaded in the kernel."
AddHP 2 3 AddHP 2 3
if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
# Tip to disable a particular module if it is not loaded TODO
#ReportSuggestion "${TEST_NO}" "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
FOUND=1 FOUND=1
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} " AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
else else
@ -796,6 +794,7 @@
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}" Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
ReportSuggestion "${TEST_NO}" "Consider disabling unused kernel modules" "/etc/modprobe.d/blacklist.conf" "Add 'install MODULENAME /bin/true' (without quotes)"
fi fi
else else
LogText "Test skipped lsmod binary not found or /proc/modules can not be opened" LogText "Test skipped lsmod binary not found or /proc/modules can not be opened"