On 12/14/12 6:45 PM, Mike Palmiotto wrote:
> There was some discussion a while back about the proper method for
> doing kernel module checking. (see:
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2012-August/...)
> The OVAL checks for disabling kernel modules are currently checking
> for `install [module] /bin/true`.
>
> I'm sure there is a reason for doing this as opposed to `install
> [module] /bin/false`. Just a shot in the dark: we want the install to
> fail and return as if a failure is expected? Would it make more sense
> to run /bin/false, as the actual install is failing to install?
>
> Additionally, it seems the checks are using a mixture of `install
> [module] /bin/true` and `alias [module] off`. Should these be made
> uniform, or is there a reason for the variation in method?
>
> Any and all insight is greatly appreciated.

Did this get lost in the pre-Christmas shuffle? I can't find any
responses to this =/

I'd wager existing code is mixed simply because there was no
standardized approach and we needed to "just get it done" between
multiple coders. Standardizing on /bin/false seems ideal to me. Anyone
have strong opinions on this?

And Mike, was that you volunteering to submit patches for this?... ;)
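
An added example, not part of the original thread or the project's OVAL content: a short Python audit that records which of the three forms discussed above (`install [module] /bin/true`, `install [module] /bin/false`, `alias [module] off`) each module uses and lists the modules that differ from a chosen standard. The sample configuration, module names and function names are constructed for illustration, and the default standard of `/bin/false` is only the preference voiced in the reply.

```python
import re
from collections import defaultdict

# Constructed sample of /etc/modprobe.d/*.conf content (illustrative modules).
SAMPLE_CONF = """\
# disable uncommon filesystems and protocols
install cramfs /bin/true
install freevxfs /bin/false
alias dccp off
install usb-storage \\
    /bin/true
install sctp /sbin/modprobe --ignore-install sctp
options bonding mode=1
"""

# Only the three disabling forms named in the thread are recognised.
DISABLE_RE = re.compile(
    r"^\s*(?:install\s+(?P<imod>\S+)\s+(?P<cmd>/bin/true|/bin/false)"
    r"|alias\s+(?P<amod>\S+)\s+off)\s*$"
)

def classify(conf_text):
    """Map each disabled module to the set of forms used to disable it."""
    methods = defaultdict(set)
    # modprobe.d allows a trailing backslash to continue a line.
    joined = re.sub(r"\\\n", " ", conf_text)
    for line in joined.splitlines():
        m = DISABLE_RE.match(line)  # comment and unrelated lines do not match
        if not m:
            continue
        name = m.group("imod") or m.group("amod")
        form = "install " + m.group("cmd") if m.group("imod") else "alias off"
        # modprobe treats '-' and '_' in module names as equivalent.
        methods[name.replace("-", "_")].add(form)
    return dict(methods)

def not_standard(conf_text, standard="install /bin/false"):
    """Modules disabled by anything other than the chosen standard form."""
    found = classify(conf_text)
    return sorted(mod for mod, used in found.items() if used != {standard})

if __name__ == "__main__":
    for mod, used in sorted(classify(SAMPLE_CONF).items()):
        print(f"{mod}: {', '.join(sorted(used))}")
    print("needs change:", not_standard(SAMPLE_CONF))
```

A compliance check that matches only one of these forms would report the other two as failures even though the module is disabled, which is why the mix matters for the OVAL content.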