diff --git a/controls/1_1_filesystem_configuration.rb b/controls/1_1_filesystem_configuration.rb
index 1dfd490..dbb9281 100644
--- a/controls/1_1_filesystem_configuration.rb
+++ b/controls/1_1_filesystem_configuration.rb
@@ -20,7 +20,7 @@
 cis_level = input('cis_level')
 
 title '1.1 Filesystem Configuration'
-
+kernel_module
 control 'cis-dil-benchmark-1.1.1.1' do
   title 'Ensure mounting of cramfs filesystems is disabled'
   desc "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.\n\nRationale: Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
@@ -29,9 +29,14 @@
   tag cis: 'distribution-independent-linux:1.1.1.1'
   tag level: 1
 
-  describe kernel_module('cramfs') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^cramfs\s/) }
+    end
+    describe kernel_module('cramfs') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
@@ -43,9 +48,14 @@
   tag cis: 'distribution-independent-linux:1.1.1.2'
   tag level: 1
 
-  describe kernel_module('freevxfs') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^freevxfs\s/) }
+    end
+    describe kernel_module('freevxfs') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
@@ -57,9 +67,14 @@
   tag cis: 'distribution-independent-linux:1.1.1.3'
   tag level: 1
 
-  describe kernel_module('jffs2') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^jffs2\s/) }
+    end
+    describe kernel_module('jffs2') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
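Review bot: The added line `kernel_module` at file scope, between `title '1.1 Filesystem Configuration'` and the first `control`, looks like a stray edit rather than an intended change: it invokes the `kernel_module` resource with no module name outside any control block, which as far as I can tell will raise while the profile is loaded and take every control in this file with it. Nothing else in the commit references it. I would revert this hunk, restoring the blank line the commit removed.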
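Review bot: Wrapping both expectations in `describe.one` weakens the control: `describe.one` passes when any nested `describe` passes, so a module that is merely absent from `/proc/modules` now satisfies 1.1.1.1 even when no modprobe rule disables it, whereas the old code required both `should_not be_loaded` and `should be_disabled`. A module that is not loaded right now but can still be loaded on demand is exactly what the `be_disabled` expectation is meant to catch. If `/proc/modules` is missing or unreadable, `content` is nil (I believe) and the negative `match` then passes vacuously, so the whole `describe.one` passes without consulting `kernel_module` at all. If the goal is to tolerate hosts where `kernel_module` cannot determine load state, keep the alternative only for the loaded check and make `be_disabled` an unconditional expectation outside `describe.one`; the same applies to the 1.1.1.2–1.1.1.8 and usb_storage hunks and to the dccp/sctp/rds/tipc hunks in 3_4_uncommon_network_protocols.rb.
```ruby
  # Load state may come from /proc/modules or the kernel_module resource
  # (either is enough), but the modprobe disable rule is always required.
  describe.one do
    describe file('/proc/modules') do
      its('content') { should_not match(/^cramfs\s/) }
    end
    describe kernel_module('cramfs') do
      it { should_not be_loaded }
    end
  end
  describe kernel_module('cramfs') do
    it { should be_disabled }
  end
  # … unchanged: closing end of the control …
```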
@@ -71,9 +86,14 @@
   tag cis: 'distribution-independent-linux:1.1.1.4'
   tag level: 1
 
-  describe kernel_module('hfs') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^hfs\s/) }
+    end
+    describe kernel_module('hfs') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
@@ -85,9 +105,14 @@
   tag cis: 'distribution-independent-linux:1.1.1.5'
   tag level: 1
 
-  describe kernel_module('hfsplus') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^hfsplus\s/) }
+    end
+    describe kernel_module('hfsplus') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
@@ -99,9 +124,14 @@
   tag cis: 'distribution-independent-linux:1.1.1.6'
   tag level: 1
 
-  describe kernel_module('squashfs') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^squashfs\s/) }
+    end
+    describe kernel_module('squashfs') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
@@ -113,9 +143,14 @@
   tag cis: 'distribution-independent-linux:1.1.1.7'
   tag level: 1
 
-  describe kernel_module('udf') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^udf\s/) }
+    end
+    describe kernel_module('udf') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
@@ -127,9 +162,14 @@
   tag cis: 'distribution-independent-linux:1.1.1.8'
   tag level: 2
 
-  describe kernel_module('vfat') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^vfat\s/) }
+    end
+    describe kernel_module('vfat') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
   only_if { cis_level == 2 }
@@ -465,8 +505,13 @@
 
   # kernel modules need to use underscores
   # ref: https://github.com/inspec/inspec/issues/5190
-  describe kernel_module('usb_storage') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^usb_storage\s/) }
+    end
+    describe kernel_module('usb_storage') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 end
diff --git a/controls/3_4_uncommon_network_protocols.rb b/controls/3_4_uncommon_network_protocols.rb
index 45011d8..5c80c18 100644
--- a/controls/3_4_uncommon_network_protocols.rb
+++ b/controls/3_4_uncommon_network_protocols.rb
@@ -31,9 +31,14 @@
 
   only_if { cis_level == 2 }
 
-  describe kernel_module('dccp') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^dccp\s/) }
+    end
+    describe kernel_module('dccp') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
@@ -47,9 +52,14 @@
 
   only_if { cis_level == 2 }
 
-  describe kernel_module('sctp') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^sctp\s/) }
+    end
+    describe kernel_module('sctp') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
@@ -63,9 +73,14 @@
 
   only_if { cis_level == 2 }
 
-  describe kernel_module('rds') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^rds\s/) }
+    end
+    describe kernel_module('rds') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
 end
@@ -79,8 +94,13 @@
 
   only_if { cis_level == 2 }
 
-  describe kernel_module('tipc') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe file('/proc/modules') do
+      its('content') { should_not match(/^tipc\s/) }
+    end
+    describe kernel_module('tipc') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 end