32 lines
1.3 KiB
Bash
32 lines
1.3 KiB
Bash
#!/usr/bin/env bash
|
|
{
|
|
l_output="" l_output2=""
|
|
l_mname="squashfs" # set module name
|
|
# Check how module will be loaded
|
|
l_loadable="$(modprobe -n -v "$l_mname")"
|
|
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
|
|
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
|
|
else
|
|
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
|
|
fi
|
|
# Check is the module currently loaded
|
|
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
|
|
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
|
|
else
|
|
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
|
|
fi
|
|
# Check if the module is deny listed
|
|
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
|
|
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
|
|
else
|
|
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
|
|
fi
|
|
# Report results. If no failures output in l_output2, we pass
|
|
if [ -z "$l_output2" ]; then
|
|
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
|
|
else
|
|
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
|
|
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
|
|
fi
|
|
}
|