1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
<def-group>
<definition class="compliance"
id="kernel_module_{{{ KERNMODULE }}}_disabled" version="1">
{{{ oval_metadata("The kernel module " + KERNMODULE + " should be disabled.") }}}
<criteria operator="OR">
{{% if product in ["rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in product or 'rhel' in product or 'ubuntu' in product %}}
<criteria operator="AND">
<criterion test_ref="test_kernmod_{{{ KERNMODULE }}}_blacklisted"
comment="kernel module {{{ KERNMODULE }}} blacklisted in modprobe.d" />
<criterion test_ref="test_kernmod_{{{ KERNMODULE }}}_disabled"
comment="kernel module {{{ KERNMODULE }}} disabled in modprobe.d" />
</criteria>
{{% else %}}
<criterion test_ref="test_kernmod_{{{ KERNMODULE }}}_disabled"
comment="kernel module {{{ KERNMODULE }}} disabled in modprobe.d" />
{{% endif %}}
{{% if "ubuntu" not in product and "rhel" not in product and "ol" not in product%}}
<criterion test_ref="test_kernmod_{{{ KERNMODULE }}}_modprobeconf" comment="kernel module {{{ KERNMODULE }}} disabled in /etc/modprobe.conf" />
{{% endif %}}
</criteria>
</definition>
<ind:textfilecontent54_test id="test_kernmod_{{{ KERNMODULE }}}_disabled" version="1" check="all"
comment="kernel module {{{ KERNMODULE }}} disabled">
<ind:object object_ref="obj_kernmod_{{{ KERNMODULE }}}_disabled" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_disabled"
version="1" comment="kernel module {{{ KERNMODULE }}} disabled">
<ind:path var_ref="var_kernel_module_{{{ KERNMODULE }}}_paths" var_check="at least one" />
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
<ind:pattern operation="pattern match">^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<constant_variable datatype="string" comment="Other paths where kernel modules can be configured"
id="var_kernel_module_{{{ KERNMODULE }}}_paths" version="1">
<value>/etc/modprobe.d</value>
<value>/etc/modules-load.d</value>
<value>/run/modprobe.d</value>
<value>/run/modules-load.d</value>
<value>/usr/lib/modprobe.d</value>
<value>/usr/lib/modules-load.d</value>
</constant_variable>
{{% if product in ["rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in product or 'rhel' in product or 'ubuntu' in product %}}
<ind:textfilecontent54_test id="test_kernmod_{{{ KERNMODULE }}}_blacklisted" version="1" check="all"
comment="kernel module {{{ KERNMODULE }}} blacklisted">
<ind:object object_ref="obj_kernmod_{{{ KERNMODULE }}}_blacklisted" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_blacklisted"
version="1" comment="kernel module {{{ KERNMODULE }}} blacklisted">
<ind:path var_ref="var_kernel_module_{{{ KERNMODULE }}}_paths" var_check="at least one" />
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
<ind:pattern operation="pattern match">^blacklist\s+{{{ KERNMODULE }}}$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}
{{% if "ubuntu" not in product and "rhel" not in product and "ol" not in product %}}
<ind:textfilecontent54_test id="test_kernmod_{{{ KERNMODULE }}}_modprobeconf" version="1" check="all"
comment="kernel module {{{ KERNMODULE }}} disabled in /etc/modprobe.conf">
<ind:object object_ref="obj_kernmod_{{{ KERNMODULE }}}_modprobeconf" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_modprobeconf"
version="1" comment="Check deprecated /etc/modprobe.conf for disablement of {{{ KERNMODULE }}}">
<ind:filepath>/etc/modprobe.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}
</def-group>
|
