From 098813ab9620af6459667e4534a0912b4b1dbcb2 Mon Sep 17 00:00:00 2001 From: kemley76 Date: Thu, 23 May 2024 15:07:17 -0400 Subject: [PATCH 1/4] added checks to ensure some kernel modules are properly configured to be blacklisted Signed-off-by: kemley76 --- controls/SV-257804.rb | 13 +++++++++++++ controls/SV-257805.rb | 13 +++++++++++++ controls/SV-257806.rb | 15 ++++++++++++++- controls/SV-257807.rb | 13 +++++++++++++ controls/SV-257808.rb | 13 +++++++++++++ controls/SV-257880.rb | 13 +++++++++++++ controls/SV-258034.rb | 20 ++++++++++++++++++++ controls/SV-258039.rb | 13 +++++++++++++ 8 files changed, 112 insertions(+), 1 deletion(-) diff --git a/controls/SV-257804.rb b/controls/SV-257804.rb index b49f992..ac89911 100644 --- a/controls/SV-257804.rb +++ b/controls/SV-257804.rb @@ -32,4 +32,17 @@ it { should be_disabled } it { should be_blacklisted } end + + config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params + params.include?('blacklist') and params['blacklist'].include?('atm') + end + + describe 'atm' do + it 'is configured to be blacklisted' do + expect(blacklisted).to eq(true) + end + end end diff --git a/controls/SV-257805.rb b/controls/SV-257805.rb index 0d765f7..1e9f96c 100644 --- a/controls/SV-257805.rb +++ b/controls/SV-257805.rb @@ -32,4 +32,17 @@ it { should be_disabled } it { should be_blacklisted } end + + config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") + describe 'can' do + it 'is configured to be blacklisted' do + expect(config_files.any? do |c| + params = parse_config_file(c, + comment_char: '#', + multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params + params.include?('blacklist') and params['blacklist'].include?('can') + end).to eq(true) + end + end end 
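Review bot: The `find /etc/modprobe.conf /etc/modprobe.d/* -print0` line added in controls/SV-257804.rb collects every path under /etc/modprobe.d, including directories and files that do not end in `.conf`, whereas modprobe.d(5) describes only `*.conf` files in that directory as being read. A `blacklist atm` line left in a stray copy (constructed example: `atm.conf.bak`) would therefore set `blacklisted` to true although modprobe never applies it, which is a false pass for the control. Consider restricting the listing, e.g. `command("find /etc/modprobe.conf /etc/modprobe.d -maxdepth 1 -type f -name '*.conf' -print0")`. The same line is added in SV-257805, SV-257806, SV-257807, SV-257808, SV-257880, SV-258034 and SV-258039. The enclosing control block starts above the hunk.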
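Review bot: The `assignment_regex: /^(\S+)\s+(\S+)$/` passed to `parse_config_file` in controls/SV-257805.rb only matches a line that is exactly two tokens with no leading or trailing whitespace. An indented `blacklist can`, or `blacklist can  # reason` once the comment is cut off, looks like it would be skipped, assuming parse_config_file does not trim the remainder, so a correctly configured host could be reported as failing. A more tolerant pattern would be `assignment_regex: /^\s*(\S+)\s+(\S+)\s*$/`. The same regex is used in the other seven controls touched by this patch.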
diff --git a/controls/SV-257806.rb b/controls/SV-257806.rb index b135490..13efa00 100644 --- a/controls/SV-257806.rb +++ b/controls/SV-257806.rb @@ -32,4 +32,17 @@ it { should be_disabled } it { should be_blacklisted } end -end + + config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params + params.include?('blacklist') and params['blacklist'].include?('firewire-core') + end + + describe 'firewire_core' do + it 'is configured to be blacklisted' do + expect(blacklisted).to eq(true) + end + end +end \ No newline at end of file diff --git a/controls/SV-257807.rb b/controls/SV-257807.rb index a9d2b99..1e80440 100644 --- a/controls/SV-257807.rb +++ b/controls/SV-257807.rb @@ -42,4 +42,17 @@ it { should be_disabled } it { should be_blacklisted } end + + config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params + params.include?('blacklist') and params['blacklist'].include?('sctp') + end + + describe 'sctp' do + it 'is configured to be blacklisted' do + expect(blacklisted).to eq(true) + end + end end diff --git a/controls/SV-257808.rb b/controls/SV-257808.rb index 1063940..b2b8ea2 100644 --- a/controls/SV-257808.rb +++ b/controls/SV-257808.rb 
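Review bot: The new check in controls/SV-257806.rb compares against the literal `'firewire-core'` while the describe block is labelled `'firewire_core'`; modprobe.d(5) treats `-` and `_` in module names as the same, so a host configured with `blacklist firewire_core` is blacklisted in practice but fails here. Normalising before comparing avoids that, e.g. `params['blacklist'].any? { |m| m.tr('-', '_') == 'firewire_core' }` in place of `params['blacklist'].include?('firewire-core')`. The `'usb-storage'` comparison in SV-258034 has the same issue, and there the `usb_storage_required` branch, which expects `blacklisted` to be false, would pass on a host that blacklists `usb_storage`.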
@@ -36,4 +36,17 @@ it { should be_disabled } it { should be_blacklisted } end + + config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params + params.include?('blacklist') and params['blacklist'].include?('tipc') + end + + describe 'tipc' do + it 'is configured to be blacklisted' do + expect(blacklisted).to eq(true) + end + end end diff --git a/controls/SV-257880.rb b/controls/SV-257880.rb index b5a893f..9927038 100644 --- a/controls/SV-257880.rb +++ b/controls/SV-257880.rb @@ -42,4 +42,17 @@ it { should be_disabled } it { should be_blacklisted } end + + config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params + params.include?('blacklist') and params['blacklist'].include?('cramfs') + end + + describe 'cramfs' do + it 'is configured to be blacklisted' do + expect(blacklisted).to eq(true) + end + end end diff --git a/controls/SV-258034.rb b/controls/SV-258034.rb index cece569..7a9cdbe 100644 --- a/controls/SV-258034.rb +++ b/controls/SV-258034.rb 
@@ -29,15 +29,35 @@ only_if('This control is Not Applicable to containers', impact: 0.0) { !virtualization.system.eql?('docker') } + + config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params + params.include?('blacklist') and params['blacklist'].include?('usb-storage') + end + if input('usb_storage_required') == true describe kernel_module('usb_storage') do it { should_not be_disabled } it { should_not be_blacklisted } end + + describe 'usb_storage' do + it 'is configured to be blacklisted' do + expect(blacklisted).to eq(false) + end + end else describe kernel_module('usb_storage') do it { should be_disabled } it { should be_blacklisted } end + + describe 'usb_storage' do + it 'is configured to be blacklisted' do + expect(blacklisted).to eq(true) + end + end end end diff --git a/controls/SV-258039.rb b/controls/SV-258039.rb index 7ea95b2..3e9052d 100644 --- a/controls/SV-258039.rb +++ b/controls/SV-258039.rb @@ -37,6 +37,19 @@ it { should be_disabled } it { should be_blacklisted } end + + config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params + params.include?('blacklist') and params['blacklist'].include?('bluetooth') + end + + describe 'bluetooth' do + it 'is configured to be blacklisted' do + expect(blacklisted).to eq(true) + end + end else impact 0.0 describe 'Device or operating system does not have a Bluetooth adapter installed' do From 9d63dd3be4a3001ec69c9cf652daa9b67779eaad Mon Sep 17 00:00:00 2001 
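Review bot: In the `usb_storage_required` branch of controls/SV-258034.rb the example is still titled `'is configured to be blacklisted'` while it asserts `expect(blacklisted).to eq(false)`, so a passing result reads in the report as if the module were blacklisted. Rename that example to match what it asserts, e.g. `it 'is not configured to be blacklisted' do`. The control body begins above the hunk, so only the two added describe blocks are covered by this note.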
From: kemley76 Date: Thu, 23 May 2024 16:05:09 -0400 Subject: [PATCH 2/4] linting --- controls/SV-257804.rb | 6 +++--- controls/SV-257805.rb | 10 +++++----- controls/SV-257806.rb | 8 ++++---- controls/SV-257807.rb | 6 +++--- controls/SV-257808.rb | 6 +++--- controls/SV-257880.rb | 6 +++--- controls/SV-258034.rb | 6 +++--- controls/SV-258039.rb | 8 ++++---- 8 files changed, 28 insertions(+), 28 deletions(-) diff --git a/controls/SV-257804.rb b/controls/SV-257804.rb index ac89911..039a631 100644 --- a/controls/SV-257804.rb +++ b/controls/SV-257804.rb @@ -34,9 +34,9 @@ end config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") - blacklisted = config_files.any? do |c| - params = parse_config_file(c, comment_char: '#', multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params params.include?('blacklist') and params['blacklist'].include?('atm') end diff --git a/controls/SV-257805.rb b/controls/SV-257805.rb index 1e9f96c..345dddf 100644 --- a/controls/SV-257805.rb +++ b/controls/SV-257805.rb @@ -36,11 +36,11 @@ config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") describe 'can' do it 'is configured to be blacklisted' do - expect(config_files.any? do |c| - params = parse_config_file(c, - comment_char: '#', - multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params + expect(config_files.any? do |c| + params = parse_config_file(c, + comment_char: '#', + multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params params.include?('blacklist') and params['blacklist'].include?('can') end).to eq(true) end diff --git a/controls/SV-257806.rb b/controls/SV-257806.rb index 13efa00..2998d9b 100644 --- a/controls/SV-257806.rb +++ b/controls/SV-257806.rb 
@@ -34,9 +34,9 @@ end config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") - blacklisted = config_files.any? do |c| - params = parse_config_file(c, comment_char: '#', multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params params.include?('blacklist') and params['blacklist'].include?('firewire-core') end @@ -45,4 +45,4 @@ expect(blacklisted).to eq(true) end end -end \ No newline at end of file +end diff --git a/controls/SV-257807.rb b/controls/SV-257807.rb index 1e80440..52c7c47 100644 --- a/controls/SV-257807.rb +++ b/controls/SV-257807.rb @@ -44,9 +44,9 @@ end config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") - blacklisted = config_files.any? do |c| - params = parse_config_file(c, comment_char: '#', multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params params.include?('blacklist') and params['blacklist'].include?('sctp') end diff --git a/controls/SV-257808.rb b/controls/SV-257808.rb index b2b8ea2..82e9dfc 100644 --- a/controls/SV-257808.rb +++ b/controls/SV-257808.rb @@ -38,9 +38,9 @@ end config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") - blacklisted = config_files.any? do |c| - params = parse_config_file(c, comment_char: '#', multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params params.include?('blacklist') and params['blacklist'].include?('tipc') end 
diff --git a/controls/SV-257880.rb b/controls/SV-257880.rb index 9927038..7e3c4a0 100644 --- a/controls/SV-257880.rb +++ b/controls/SV-257880.rb @@ -44,9 +44,9 @@ end config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") - blacklisted = config_files.any? do |c| - params = parse_config_file(c, comment_char: '#', multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params params.include?('blacklist') and params['blacklist'].include?('cramfs') end diff --git a/controls/SV-258034.rb b/controls/SV-258034.rb index 7a9cdbe..1df66a6 100644 --- a/controls/SV-258034.rb +++ b/controls/SV-258034.rb @@ -31,9 +31,9 @@ } config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") - blacklisted = config_files.any? do |c| - params = parse_config_file(c, comment_char: '#', multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params params.include?('blacklist') and params['blacklist'].include?('usb-storage') end diff --git a/controls/SV-258039.rb b/controls/SV-258039.rb index 3e9052d..94dfc0b 100644 --- a/controls/SV-258039.rb +++ b/controls/SV-258039.rb 
@@ -39,12 +39,12 @@ end config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") - blacklisted = config_files.any? do |c| - params = parse_config_file(c, comment_char: '#', multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params params.include?('blacklist') and params['blacklist'].include?('bluetooth') end - + describe 'bluetooth' do it 'is configured to be blacklisted' do expect(blacklisted).to eq(true) From 4ccb789a4e46992f9087ff877883eb9c5c8c935d Mon Sep 17 00:00:00 2001 From: kemley76 Date: Mon, 17 Jun 2024 14:49:55 -0400 Subject: [PATCH 3/4] fix inconsistent formatting Signed-off-by: kemley76 --- controls/SV-257805.rb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/controls/SV-257805.rb b/controls/SV-257805.rb index 345dddf..3136555 100644 --- a/controls/SV-257805.rb +++ b/controls/SV-257805.rb @@ -37,10 +37,8 @@ describe 'can' do it 'is configured to be blacklisted' do expect(config_files.any? do |c| - params = parse_config_file(c, - comment_char: '#', - multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params params.include?('blacklist') and params['blacklist'].include?('can') end).to eq(true) end From f7bf5f38c7ed351592f5802a3edc447608ca0730 Mon Sep 17 00:00:00 2001 From: kemley76 Date: Mon, 17 Jun 2024 14:54:43 -0400 Subject: [PATCH 4/4] actually fix inconsistent formatting Signed-off-by: kemley76 --- controls/SV-257805.rb | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/controls/SV-257805.rb b/controls/SV-257805.rb index 3136555..3337320 100644 --- a/controls/SV-257805.rb +++ b/controls/SV-257805.rb 
@@ -34,13 +34,15 @@ end config_files = command('find /etc/modprobe.conf /etc/modprobe.d/* -print0').stdout.split("\0") + blacklisted = config_files.any? do |c| + params = parse_config_file(c, comment_char: '#', multiple_values: true, + assignment_regex: /^(\S+)\s+(\S+)$/).params + params.include?('blacklist') and params['blacklist'].include?('can') + end + describe 'can' do it 'is configured to be blacklisted' do - expect(config_files.any? do |c| - params = parse_config_file(c, comment_char: '#', multiple_values: true, - assignment_regex: /^(\S+)\s+(\S+)$/).params - params.include?('blacklist') and params['blacklist'].include?('can') - end).to eq(true) + expect(blacklisted).to eq(true) end end end