CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

Kernel module checks fail when module not present #1445

Open nroach44 opened 11 months ago

nroach44 commented 11 months ago

Describe the bug Kernel module checks (e.g. STRG-1846 and NETW-3200) still fail despite the modules not being built / installed.

Version

Expected behavior I did not expect to see warnings about firewire, sctp etc. when the kernel has been compiled without these options.

Additional context It might be worth checking an authoritative source if the module is even available on the host before alerting:

mboelen commented 4 months ago

Please include some details with the specifics. What warning/suggestion do you see and what is the related logging?

nroach44 commented 4 months ago

> Please include some details with the specifics. What warning/suggestion do you see and what is the related logging?

Lynis generates the following line item:

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
      https://cisofy.com/lynis/controls/STRG-1846/

This is what's logged:

2024-05-16 20:16:03 Performing test ID STRG-1846 (Check if firewire storage is disabled)
2024-05-16 20:16:03 Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf
2024-05-16 20:16:03 Result: firewire ohci driver is not explicitly disabled
2024-05-16 20:16:03 Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846] [details:-] [solution:-]

The machine it's generating a log entry for does not have any available firewire modules:

nroach44@x13al:~$ sudo modprobe firewire-core
modprobe: FATAL: Module firewire-core not found in directory /lib/modules/6.8.9-nr44-x13al-r1714707545
nroach44@x13al:~$ tree -afi /lib/modules/$(uname -r)/ | grep -i firewire | wc -l
0

Compared to a "default" debian kernel:

nroach44@other:~$ tree -afi /lib/modules/$(uname -r)/ | grep -i firewire
/lib/modules/5.10.0-29-amd64/kernel/drivers/firewire
/lib/modules/5.10.0-29-amd64/kernel/drivers/firewire/firewire-core.ko
/lib/modules/5.10.0-29-amd64/kernel/drivers/firewire/firewire-net.ko
/lib/modules/5.10.0-29-amd64/kernel/drivers/firewire/firewire-ohci.ko
/lib/modules/5.10.0-29-amd64/kernel/drivers/firewire/firewire-sbp2.ko
/lib/modules/5.10.0-29-amd64/kernel/drivers/firewire/nosy.ko
/lib/modules/5.10.0-29-amd64/kernel/drivers/media/firewire
/lib/modules/5.10.0-29-amd64/kernel/drivers/media/firewire/firedtv.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/bebob
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/bebob/snd-bebob.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/dice
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/dice/snd-dice.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/digi00x
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/digi00x/snd-firewire-digi00x.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/fireface
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/fireface/snd-fireface.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/fireworks
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/fireworks/snd-fireworks.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/motu
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/motu/snd-firewire-motu.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/oxfw
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/oxfw/snd-oxfw.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/snd-firewire-lib.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/snd-isight.ko
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/tascam
/lib/modules/5.10.0-29-amd64/kernel/sound/firewire/tascam/snd-firewire-tascam.ko

I would suggest checking if the module is available before alerting that there's nothing stopping it from being loaded.
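A shell sketch of the gating suggested above, added here as an example and not Lynis's own code: a driver becomes a candidate for a STRG-1846/NETW-3200 style finding only if it actually exists on the host. It assumes the standard Linux layout (loadable .ko files under /lib/modules/$(uname -r), built-ins listed in modules.builtin, blacklist/install lines in /etc/modprobe.d) and goes one step beyond the comment by separating built-in drivers, which modprobe.d cannot block.

```shell
#!/bin/sh
# Added example (not Lynis code): only raise a "driver not disabled" finding
# when the driver actually exists on the host. Assumed Linux layout:
# loadable modules are *.ko files under MODDIR (normally /lib/modules/$(uname -r)),
# built-in ones are listed in MODDIR/modules.builtin, and modprobe.d fragments
# disable a module with "blacklist NAME" or "install NAME /bin/false".

# Module names may be written with '-' or '_'; give the other spelling
alt_name() { printf '%s' "$1" | sed 'y/_-/-_/'; }

# module_builtin NAME MODDIR: 0 if NAME is compiled into the kernel
module_builtin() {
    [ -f "$2/modules.builtin" ] &&
        grep -Eq "/($1|$(alt_name "$1"))\.ko$" "$2/modules.builtin"
}

# module_loadable NAME MODDIR: 0 if a (possibly compressed) .ko file exists
module_loadable() {
    find "$2" -type f \( -name "$1.ko*" -o -name "$(alt_name "$1").ko*" \) \
        2>/dev/null | grep -q .
}

# module_disabled NAME CONFDIR: 0 if a modprobe.d fragment blacklists NAME
# or overrides its install command; comments are stripped first
module_disabled() {
    names="$1|$(alt_name "$1")"
    cat "$2"/*.conf 2>/dev/null | sed 's/#.*//' | grep -Eq \
        "^[[:space:]]*(blacklist[[:space:]]+($names)|install[[:space:]]+($names)[[:space:]]+/bin/(false|true))[[:space:]]*$"
}

# check_module NAME MODDIR CONFDIR prints exactly one verdict:
#   NOT_AVAILABLE  driver is neither loadable nor built in: nothing to alert on
#   BUILTIN        compiled into the kernel: modprobe.d cannot disable it
#   DISABLED       loadable but blocked by modprobe configuration
#   WARNING        loadable and nothing stops it from being loaded
check_module() {
    if module_builtin "$1" "$2"; then echo BUILTIN
    elif ! module_loadable "$1" "$2"; then echo NOT_AVAILABLE
    elif module_disabled "$1" "$3"; then echo DISABLED
    else echo WARNING
    fi
}

# Stand-alone use: sh check_module.sh firewire-ohci
if [ -n "${1:-}" ]; then
    check_module "$1" "/lib/modules/$(uname -r)" /etc/modprobe.d
fi
```

On the reporter's custom kernel every firewire name would come back NOT_AVAILABLE, so no suggestion would be emitted; on the stock Debian kernel the same names would still produce the WARNING unless blacklisted.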