cis: Improve UDF kernel module check

The level 2 check 1.1.1.1 verifies mounting UDF filesystems is disabled. The current check for whether it is already loaded was not correct. Luckily there is a second check as part of this control to make sure loading is disabled. If the setting for loading is to not allow it, but the module is already loaded, the check does not return the expected output. So it would still report failure, but it is less than ideal for reporting the actual issue. This changes the check for whether the module is loaded to correctly identify if the module is loaded or not before checking whether the ability has been disabled. Signed-off-by: Sean McGinnis <[email protected]>
bottlerocket-os · Nov 3, 2023 · fa3abec · fa3abec
1 parent 103ec5e
commit fa3abec
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 7 deletions.
diff --git a/sources/bloodhound/src/bin/bottlerocket-checks/checks.rs b/sources/bloodhound/src/bin/bottlerocket-checks/checks.rs
@@ -22,15 +22,22 @@ pub struct BR01010101Checker {}
 
 impl Checker for BR01010101Checker {
     fn execute(&self) -> CheckerResult {
-        let module_result = check_file_contains!(
-            PROC_MODULES_FILE,
-            &[" udf,"],
-            "unable to parse modules to check for udf",
-            "udf is currently loaded"
-        );
-        if module_result.status != CheckStatus::PASS {
+        let mut module_result = CheckerResult::default();
+
+        // Make sure UDF isn't already loaded
+        if let Ok(found) = look_for_word_in_file(PROC_MODULES_FILE, "udf") {
+            if found {
+                module_result.error = "udf is currently loaded".to_string();
+                module_result.status = CheckStatus::FAIL;
+                return module_result;
+            }
+        } else {
+            module_result.error =
+                "unable to parse modprobe output to check if udf is enabled".to_string();
             return module_result;
         }
+
+        // Make sure the ability to load UDF is disabled
         check_output_contains!(
             MODPROBE_CMD,
             ["-n", "-v", "udf"],

diff --git a/sources/bloodhound/src/lib.rs b/sources/bloodhound/src/lib.rs
@@ -9,6 +9,16 @@ pub mod args;
 pub mod output;
 pub mod results;
 
+/// Reads a file and checks if the given `search_word` is present in its contents.
+pub fn look_for_word_in_file(path: &str, search_word: &str) -> Result<bool, io::Error> {
+    let reader = BufReader::new(File::open(path)?);
+    Ok(reader.lines().any(|line| {
+        line.unwrap_or_default()
+            .split_ascii_whitespace()
+            .any(|word| word == search_word)
+    }))
+}
+
 /// Reads a file and checks if the given `search_str` is present in its contents.
 pub fn look_for_string_in_file(path: &str, search_str: &str) -> Result<bool, io::Error> {
     let reader = BufReader::new(File::open(path)?);
@@ -197,6 +207,63 @@ mod test_utils {
         }};
     }
 
+    #[test]
+    fn test_look_for_word_in_file_found() {
+        let mut test_file = NamedTempFile::new().unwrap();
+        writeln!(
+            test_file,
+            concat!(
+                "udf 139264 0 - Live 0xffffffffc05e1000\n",
+                "crc_itu_t 16384 1 udf, Live 0xffffffffc05dc000\n",
+                "configfs 57344 1 - Live 0xffffffffc0320000\n"
+            )
+        )
+        .unwrap();
+
+        let found = look_for_word_in_file(temp_file_path!(test_file), "udf").unwrap();
+        assert!(found);
+    }
+
+    #[test]
+    fn test_look_for_word_in_file_not_found() {
+        let mut test_file = NamedTempFile::new().unwrap();
+        writeln!(
+            test_file,
+            concat!(
+                "crypto_simd 16384 1 aesni_intel, Live 0xffffffffc034f000\n",
+                "cryptd 28672 2 ghash_clmulni_intel,crypto_simd, Live 0xffffffffc0335000\n",
+                "configfs 57344 1 - Live 0xffffffffc0320000\n"
+            )
+        )
+        .unwrap();
+
+        let found = look_for_word_in_file(temp_file_path!(test_file), "udf").unwrap();
+        assert!(!found);
+    }
+
+    #[test]
+    fn test_look_for_word_in_file_partial_not_found() {
+        let mut test_file = NamedTempFile::new().unwrap();
+        writeln!(
+            test_file,
+            concat!(
+                "my-udf 139264 0 - Live 0xffffffffc05e1000\n",
+                "crc_itu_t 16384 1 udf, Live 0xffffffffc05dc000\n",
+                "configfs 57344 1 - Live 0xffffffffc0320000\n"
+            )
+        )
+        .unwrap();
+
+        let found = look_for_word_in_file(temp_file_path!(test_file), "udf").unwrap();
+        assert!(!found);
+    }
+
+    #[test]
+    fn test_look_for_word_in_file_bad_path() {
+        let result = look_for_word_in_file("/not/a/real/path", "search_str");
+        assert!(result.is_err());
+    }
+
     #[test]
     fn test_string_in_file_found() {
         let mut test_file = NamedTempFile::new().unwrap();