kernel_module

Use the kernel_module InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under /lib/modules. Any submodule may be tested using this resource.

The kernel_module resource can also verify if a kernel module is blacklisted or if a module is disabled via a fake install using the bin_true or bin_false method.


Syntax

A kernel_module resource block declares a module name, and then tests if that module is a loadable kernel module, if it is enabled, disabled or if it is blacklisted:

describe kernel_module('module_name') do
  it { should be_loaded }
  it { should_not be_disabled }
  it { should_not be_blacklisted }
end

where

  • 'module_name' must specify a kernel module, such as 'bridge'
  • { should be_loaded } tests if the module is a loadable kernel module
  • { should be_blacklisted } tests if the module is blacklisted or if the module is disabled via a fake install using /bin/false or /bin/true
  • { should be_disabled } tests if the module is disabled via a fake install using /bin/false or /bin/true


Examples

The following examples show how to use this InSpec audit resource.

Test a modules ‘version’

  describe kernel_module('bridge') do
    it { should be_loaded }
    its(:version) { should cmp >= '2.2.2' }
  end

Test if a module is loaded, not disabled and not blacklisted

  describe kernel_module('video') do
    it { should be_loaded }
    it { should_not be_disabled }
    it { should_not be_blacklisted }
  end

Check if a module is blacklisted

  describe kernel_module('floppy') do
    it { should be_blacklisted }
  end

Ensure a module is not blacklisted and it is loaded

  describe kernel_module('video') do
    it { should_not be_blacklisted }
    it { should be_loaded }
  end

Ensure a module is disabled via ‘bin_false’

  describe kernel_module('sstfb') do
    it { should_not be_loaded }
    it { should be_disabled }
  end

Ensure a module is ‘blacklisted’/‘disabled’ via ‘bin_true’

  describe kernel_module('nvidiafb') do
    it { should_not be_loaded }
    it { should be_blacklisted }
  end

Ensure a module is not loaded

  describe kernel_module('dhcp') do
    it { should_not be_loaded }
  end


Matchers

For a full list of available matchers, please visit our matchers page.

be_loaded

The be_loaded matcher tests if the module is a loadable kernel module:

it { should be_loaded }

version

The version matcher tests if the named module version is on the system:

its(:version) { should eq '3.2.2' }