Merge pull request #158 from SemioticLabs/check-if-filesystem-is-used

Extend checks for the filesystem configuration
dev-sec · Nov 16, 2023 · ac049ac · ac049ac
2 parents a859a2a + 5dd178f
commit ac049ac
Showing 1 changed file with 72 additions and 24 deletions.
diff --git a/controls/1_1_filesystem_configuration.rb b/controls/1_1_filesystem_configuration.rb
@@ -29,9 +29,15 @@
   tag cis: 'distribution-independent-linux:1.1.1.1'
   tag level: 1
 
-  describe kernel_module('cramfs') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe etc_fstab.where { file_system_type == 'cramfs' } do
+      it { should be_configured }
+    end
+
+    describe kernel_module('cramfs') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 end
 
@@ -43,9 +49,15 @@
   tag cis: 'distribution-independent-linux:1.1.1.2'
   tag level: 1
 
-  describe kernel_module('freevxfs') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe etc_fstab.where { file_system_type == 'freevxfs' } do
+      it { should be_configured }
+    end
+
+    describe kernel_module('freevxfs') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 end
 
@@ -57,9 +69,15 @@
   tag cis: 'distribution-independent-linux:1.1.1.3'
   tag level: 1
 
-  describe kernel_module('jffs2') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe etc_fstab.where { file_system_type == 'jffs2' } do
+      it { should be_configured }
+    end
+
+    describe kernel_module('jffs2') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 end
 
@@ -71,9 +89,15 @@
   tag cis: 'distribution-independent-linux:1.1.1.4'
   tag level: 1
 
-  describe kernel_module('hfs') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe etc_fstab.where { file_system_type == 'hfs' } do
+      it { should be_configured }
+    end
+
+    describe kernel_module('hfs') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 end
 
@@ -85,9 +109,15 @@
   tag cis: 'distribution-independent-linux:1.1.1.5'
   tag level: 1
 
-  describe kernel_module('hfsplus') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe etc_fstab.where { file_system_type == 'hfsplus' } do
+      it { should be_configured }
+    end
+
+    describe kernel_module('hfsplus') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 end
 
@@ -99,9 +129,15 @@
   tag cis: 'distribution-independent-linux:1.1.1.6'
   tag level: 1
 
-  describe kernel_module('squashfs') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe etc_fstab.where { file_system_type == 'squashfs' } do
+      it { should be_configured }
+    end
+
+    describe kernel_module('squashfs') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 end
 
@@ -113,9 +149,15 @@
   tag cis: 'distribution-independent-linux:1.1.1.7'
   tag level: 1
 
-  describe kernel_module('udf') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe etc_fstab.where { file_system_type == 'udf' } do
+      it { should be_configured }
+    end
+
+    describe kernel_module('udf') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 end
 
@@ -127,9 +169,15 @@
   tag cis: 'distribution-independent-linux:1.1.1.8'
   tag level: 2
 
-  describe kernel_module('vfat') do
-    it { should_not be_loaded }
-    it { should be_disabled }
+  describe.one do
+    describe etc_fstab.where { file_system_type == 'vfat' } do
+      it { should be_configured }
+    end
+
+    describe kernel_module('vfat') do
+      it { should_not be_loaded }
+      it { should be_disabled }
+    end
   end
 
   only_if { cis_level == 2 }