cis-dil-benchmark
Kernel checks fail when the kernel module doesn't exist
Description
If a kernel module isn't installed on a machine, the check to confirm it is disabled fails due to the way that the `kernel_module` resource operates. If the module isn't found on the machine, `be_disabled`, `be_loaded` and `be_blacklisted` will all return false (as in, they technically don't meet the criteria because they don't exist).
Reproduction steps
inspec> describe kernel_module('cramfs') do
inspec> it {should be_disabled}
inspec> end
Profile: inspec-shell
Version: (not specified)
Target ID:
Kernel Module cramfs
× is expected to be disabled
expected `Kernel Module cramfs.disabled?` to be truthy, got false
Test Summary: 0 successful, 1 failure, 0 skipped
inspec> describe file('/proc/modules') do
inspec> its('content') { should_not match (/^cramfs\s/) }
inspec> end
Profile: inspec-shell
Version: (not specified)
Target ID:
File /proc/modules
✔ content is expected not to match /^cramfs\s/
Test Summary: 1 successful, 0 failures, 0 skipped
inspec>
Current Behavior
False positives for kernel modules that are expected to be disabled but don't exist on the target system.
Expected Behavior
If a module isn't installed on the target system, these checks should pass.
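The classification the expected behaviour calls for, as an added example that is not code from the cis-dil-benchmark profile or from InSpec: a module that is not installed cannot be loaded, so it counts as compliant, while an installed module needs an `install <mod> /bin/false` (or `/bin/true`) line to count as disabled, matching what `be_disabled` looks for. The `/proc/modules` and modprobe.d contents are constructed samples, and the `installed:` flag stands in for a real probe such as `modinfo <name>` succeeding.

```ruby
# Added example, not code from the cis-dil-benchmark profile or from InSpec.
# Classifies a kernel module so that "not installed" is treated as compliant.

# Constructed sample of /proc/modules on a target host (first column = name).
PROC_MODULES = <<~MODULES
  overlay 151552 0 - Live 0x0000000000000000
  xfs 1626112 1 - Live 0x0000000000000000
MODULES

# Constructed sample of the combined /etc/modprobe.d/*.conf contents.
MODPROBE_CONF = <<~CONF
  # hardening drop-in (constructed)
  install squashfs /bin/false
  blacklist usb_storage
CONF

# A module is loaded if its name appears in the first column of /proc/modules.
def loaded?(name, proc_modules)
  proc_modules.each_line.any? { |l| l.split.first == name }
end

# Mirrors what be_disabled looks for: an "install <mod> /bin/false" or
# "/bin/true" line, which makes modprobe refuse to load the module.
# A bare "blacklist" line only stops alias-based autoloading, so it is not
# enough on its own.
def disabled_via_install?(name, conf)
  conf.each_line.any? do |l|
    l.strip.match?(%r{\Ainstall\s+#{Regexp.escape(name)}\s+/bin/(false|true)\b})
  end
end

# `installed:` is an assumption standing in for a real probe of the target
# (e.g. `modinfo <name>` exiting 0); passing it in keeps the example offline.
def kernel_module_status(name, installed:, proc_modules: PROC_MODULES,
                         modprobe_conf: MODPROBE_CONF)
  return :loaded if loaded?(name, proc_modules)                  # non-compliant
  return :not_installed unless installed                         # compliant
  return :disabled if disabled_via_install?(name, modprobe_conf) # compliant
  :loadable # installed and nothing stops modprobe: non-compliant
end

def compliant?(name, installed:, **opts)
  %i[not_installed disabled].include?(kernel_module_status(name, installed: installed, **opts))
end
```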
OS / Environment
Linux (Tested on Ubuntu 22.04 LTS)
InSpec Version
5.21.29
Baseline Version
0.4.12