fix: excludes

Author: samrose

nix/packages/cis-audit/scanner/internal/config/defaults.go

@@ -25,6 +25,12 @@ var DefaultExclusions = Config{
 		// Package manager caches
 		"/var/lib/apt/lists/*",
 		"/var/cache/apt/*",
+
+		// Kernel version-specific files (change with kernel updates)
+		"/boot/System.map-*",
+		"/boot/config-*",
+		"/boot/initrd.img-*",
+		"/boot/vmlinuz-*",
 	},
 
 	ShallowDirs: []string{
@@ -41,12 +47,19 @@ var DefaultExclusions = Config{
 		"fs.file-nr",                      // File handle statistics (dynamic)
 		"fs.inode-nr",                     // Inode statistics (dynamic)
 		"fs.inode-state",                  // Inode state (dynamic)
+		"fs.aio-nr",                       // Current async I/O operations (dynamic)
 		"kernel.random.uuid",              // Random UUID (changes every read)
 		"kernel.random.boot_id",           // Boot ID (changes per boot but not security-relevant)
+		"kernel.random.entropy_avail",     // Available entropy (changes constantly)
 		"kernel.ns_last_pid",              // Last PID allocated (dynamic)
 		"kernel.pty.nr",                   // Current number of PTYs (dynamic)
 		"net.netfilter.*_conntrack_count", // Connection tracking counts (dynamic)
 		"net.netfilter.*_conntrack_max",   // Connection tracking max (dynamic)
+
+		// RAM-dependent parameters (auto-tuned based on system memory)
+		"fs.epoll.max_user_watches",           // Computed from RAM
+		"net.netfilter.nf_conntrack_buckets",  // Auto-tuned based on RAM
+		"net.netfilter.nf_conntrack_expect_max", // Derived from buckets
 	},
 
 	DisabledScanners: []string{

nix/packages/cis-audit/scanner/internal/config/loader.go

@@ -81,16 +81,25 @@ func Load(configPath string, opts CLIOptions) (*Config, error) {
 
 	// Apply CLI overrides (highest precedence)
 	if opts.IncludeDynamic {
-		// Remove all dynamic kernel params from the default list
+		// Remove all dynamic/RAM-dependent kernel params from the exclusion list
 		dynamicParams := []string{
+			// Dynamic counters/statistics
 			"fs.dentry-state",
 			"fs.file-nr",
 			"fs.inode-nr",
 			"fs.inode-state",
+			"fs.aio-nr",
 			"kernel.random.uuid",
 			"kernel.random.boot_id",
+			"kernel.random.entropy_avail",
 			"kernel.ns_last_pid",
 			"kernel.pty.nr",
+			"net.netfilter.*_conntrack_count",
+			"net.netfilter.*_conntrack_max",
+			// RAM-dependent parameters
+			"fs.epoll.max_user_watches",
+			"net.netfilter.nf_conntrack_buckets",
+			"net.netfilter.nf_conntrack_expect_max",
 		}
 		cfg.KernelParams = removeItems(cfg.KernelParams, dynamicParams)
 	}

nix/packages/cis-audit/scanner/internal/config/loader_test.go

@@ -156,6 +156,67 @@ kernelParams:
 	}
 }
 
+func TestLoad_ShallowDepthZero(t *testing.T) {
+	// Test that ShallowDepthSet allows explicit 0 to be set
+	cfg, err := Load("", CLIOptions{
+		ShallowDepth:    0,
+		ShallowDepthSet: true,
+	})
+	if err != nil {
+		t.Fatalf("Load() error = %v", err)
+	}
+
+	if cfg.ShallowDepth != 0 {
+		t.Errorf("Expected ShallowDepth 0 when explicitly set, got %d", cfg.ShallowDepth)
+	}
+}
+
+func TestLoad_ShallowDepthDefault(t *testing.T) {
+	// Test that ShallowDepth defaults to 1 when not set
+	cfg, err := Load("", CLIOptions{
+		ShallowDepthSet: false,
+	})
+	if err != nil {
+		t.Fatalf("Load() error = %v", err)
+	}
+
+	if cfg.ShallowDepth != 1 {
+		t.Errorf("Expected ShallowDepth 1 as default, got %d", cfg.ShallowDepth)
+	}
+}
+
+func TestLoad_ShallowDepthFromCLI(t *testing.T) {
+	// Test that CLI shallow depth overrides defaults
+	cfg, err := Load("", CLIOptions{
+		ShallowDepth:    3,
+		ShallowDepthSet: true,
+	})
+	if err != nil {
+		t.Fatalf("Load() error = %v", err)
+	}
+
+	if cfg.ShallowDepth != 3 {
+		t.Errorf("Expected ShallowDepth 3 from CLI, got %d", cfg.ShallowDepth)
+	}
+}
+
+func TestLoad_ShallowDirs(t *testing.T) {
+	// Test that CLI shallow dirs are added
+	cfg, err := Load("", CLIOptions{
+		ShallowDirs: []string{"/custom/shallow", "/another/shallow"},
+	})
+	if err != nil {
+		t.Fatalf("Load() error = %v", err)
+	}
+
+	if !contains(cfg.ShallowDirs, "/custom/shallow") {
+		t.Errorf("Expected /custom/shallow in ShallowDirs")
+	}
+	if !contains(cfg.ShallowDirs, "/another/shallow") {
+		t.Errorf("Expected /another/shallow in ShallowDirs")
+	}
+}
+
 // Helper function to check if a slice contains a string
 func contains(slice []string, item string) bool {
 	for _, s := range slice {

nix/packages/cis-audit/scanner/internal/scanners/files_test.go

@@ -83,3 +83,114 @@ func TestFileScanner_Exclusions(t *testing.T) {
 		t.Errorf("Expected 1 file (excluded proc), got %d", len(results))
 	}
 }
+
+func TestFileScanner_ShallowDirsDepthZero(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create a shallow dir with files inside
+	shallowDir := filepath.Join(tmpDir, "nix-store")
+	os.Mkdir(shallowDir, 0755)
+	os.WriteFile(filepath.Join(shallowDir, "file1.txt"), []byte("data"), 0644)
+	os.WriteFile(filepath.Join(shallowDir, "file2.txt"), []byte("data"), 0644)
+
+	// Create a subdir inside shallow dir
+	subdir := filepath.Join(shallowDir, "subdir")
+	os.Mkdir(subdir, 0755)
+	os.WriteFile(filepath.Join(subdir, "nested.txt"), []byte("data"), 0644)
+
+	// Create a normal dir that should be scanned
+	normalDir := filepath.Join(tmpDir, "etc")
+	os.Mkdir(normalDir, 0755)
+	os.WriteFile(filepath.Join(normalDir, "passwd"), []byte("data"), 0644)
+
+	scanner := &FileScanner{rootPath: tmpDir}
+	writer := spec.NewTestWriter()
+
+	opts := ScanOptions{
+		Writer: writer,
+		Config: &config.Config{
+			ShallowDirs:  []string{shallowDir},
+			ShallowDepth: 0, // Don't scan ANY files inside shallow dirs
+		},
+		Logger: testLogger(),
+	}
+
+	scanner.Scan(context.Background(), opts)
+
+	results := writer.GetFileResults()
+
+	// With depth 0, we should only get:
+	// - /etc/passwd (normal dir)
+	// - the shallow dir itself (as directory entry)
+	// Files inside shallow dir should be skipped
+
+	hasPasswd := false
+	hasShallowDirFiles := false
+	for _, r := range results {
+		if filepath.Base(r.Path) == "passwd" {
+			hasPasswd = true
+		}
+		if filepath.Base(r.Path) == "file1.txt" || filepath.Base(r.Path) == "file2.txt" || filepath.Base(r.Path) == "nested.txt" {
+			hasShallowDirFiles = true
+		}
+	}
+
+	if !hasPasswd {
+		t.Errorf("Expected /etc/passwd to be scanned")
+	}
+	if hasShallowDirFiles {
+		t.Errorf("Files inside shallow dir should be skipped with depth 0")
+	}
+}
+
+func TestFileScanner_ShallowDirsDepthOne(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	// Create a shallow dir with files inside
+	shallowDir := filepath.Join(tmpDir, "nix-store")
+	os.Mkdir(shallowDir, 0755)
+	os.WriteFile(filepath.Join(shallowDir, "file1.txt"), []byte("data"), 0644)
+
+	// Create a subdir inside shallow dir
+	subdir := filepath.Join(shallowDir, "subdir")
+	os.Mkdir(subdir, 0755)
+	os.WriteFile(filepath.Join(subdir, "nested.txt"), []byte("data"), 0644)
+
+	scanner := &FileScanner{rootPath: tmpDir}
+	writer := spec.NewTestWriter()
+
+	opts := ScanOptions{
+		Writer: writer,
+		Config: &config.Config{
+			ShallowDirs:  []string{shallowDir},
+			ShallowDepth: 1, // Scan top-level files only
+		},
+		Logger: testLogger(),
+	}
+
+	scanner.Scan(context.Background(), opts)
+
+	results := writer.GetFileResults()
+
+	// With depth 1, we should get:
+	// - file1.txt (direct child of shallow dir)
+	// But NOT nested.txt (inside subdir)
+
+	hasFile1 := false
+	hasNested := false
+	for _, r := range results {
+		if filepath.Base(r.Path) == "file1.txt" {
+			hasFile1 = true
+		}
+		if filepath.Base(r.Path) == "nested.txt" {
+			hasNested = true
+		}
+	}
+
+	if !hasFile1 {
+		t.Errorf("Expected file1.txt (direct child) to be scanned with depth 1")
+	}
+	if hasNested {
+		t.Errorf("nested.txt should be skipped with depth 1")
+	}
+}

nix/packages/cis-audit/scanner/internal/scanners/mounts.go

@@ -95,18 +95,33 @@ func (s *MountScanner) getMounts(opts ScanOptions) (map[string]spec.MountSpec, e
 		fstype := fields[2]
 		optionsStr := fields[3]
 
-		// Parse options (comma-separated)
-		var opts []string
+		// Parse options (comma-separated), filtering out instance-specific values
+		var filteredOpts []string
 		if optionsStr != "" {
-			opts = strings.Split(optionsStr, ",")
+			for _, opt := range strings.Split(optionsStr, ",") {
+				// Skip instance-specific options that vary by RAM/instance type
+				if strings.HasPrefix(opt, "size=") ||
+					strings.HasPrefix(opt, "nr_inodes=") ||
+					strings.HasPrefix(opt, "nr_blocks=") {
+					continue
+				}
+				filteredOpts = append(filteredOpts, opt)
+			}
+		}
+
+		// Determine if source should be included
+		// Skip source for virtual filesystems where device names are meaningless or instance-specific
+		source := device
+		if isVirtualOrInstanceSpecificSource(device, fstype) {
+			source = ""
 		}
 
 		mounts[mountpoint] = spec.MountSpec{
 			Path:       mountpoint,
 			Exists:     true,
 			Filesystem: fstype,
-			Opts:       opts,
-			Source:     device,
+			Opts:       filteredOpts,
+			Source:     source,
 		}
 	}
 
@@ -116,3 +131,42 @@ func (s *MountScanner) getMounts(opts ScanOptions) (map[string]spec.MountSpec, e
 
 	return mounts, nil
 }
+
+// isVirtualOrInstanceSpecificSource returns true if the device/source is virtual
+// or instance-specific (e.g., /dev/nvme* device names that vary by instance)
+func isVirtualOrInstanceSpecificSource(device, fstype string) bool {
+	// Virtual filesystems where source is just a label
+	virtualFsTypes := map[string]bool{
+		"tmpfs":      true,
+		"devtmpfs":   true,
+		"sysfs":      true,
+		"proc":       true,
+		"devpts":     true,
+		"cgroup":     true,
+		"cgroup2":    true,
+		"securityfs": true,
+		"debugfs":    true,
+		"hugetlbfs":  true,
+		"mqueue":     true,
+		"binfmt_misc": true,
+		"configfs":   true,
+		"fusectl":    true,
+		"tracefs":    true,
+		"pstore":     true,
+		"efivarfs":   true,
+		"bpf":        true,
+	}
+
+	if virtualFsTypes[fstype] {
+		return true
+	}
+
+	// Instance-specific block devices (NVMe devices vary by instance)
+	if strings.HasPrefix(device, "/dev/nvme") ||
+		strings.HasPrefix(device, "/dev/xvd") ||
+		strings.HasPrefix(device, "/dev/sd") {
+		return true
+	}
+
+	return false
+}

nix/packages/cis-audit/scanner/internal/scanners/mounts_test.go

@@ -52,8 +52,9 @@ tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
 	if root.Filesystem != "ext4" {
 		t.Errorf("Expected filesystem 'ext4', got '%s'", root.Filesystem)
 	}
-	if root.Source != "/dev/sda1" {
-		t.Errorf("Expected source '/dev/sda1', got '%s'", root.Source)
+	// Source is now filtered out for /dev/* devices (instance-specific)
+	if root.Source != "" {
+		t.Errorf("Expected source to be empty for /dev/* device, got '%s'", root.Source)
 	}
 	if len(root.Opts) == 0 {
 		t.Errorf("Expected mount options to be parsed")
@@ -93,6 +94,58 @@ func TestMountScanner_Properties(t *testing.T) {
 	}
 }
 
+func TestMountScanner_FiltersInstanceSpecificOptions(t *testing.T) {
+	tmpDir := t.TempDir()
+	mountsFile := filepath.Join(tmpDir, "mounts")
+
+	// Create mounts file with instance-specific options that should be filtered
+	mountsContent := `tmpfs /dev/shm tmpfs rw,nosuid,nodev,size=194656k,nr_inodes=48664,inode64 0 0
+/dev/nvme1n1p2 / ext4 rw,relatime,discard 0 0
+`
+	if err := os.WriteFile(mountsFile, []byte(mountsContent), 0644); err != nil {
+		t.Fatalf("Failed to create test mounts file: %v", err)
+	}
+
+	scanner := &MountScanner{mountsPath: mountsFile}
+	writer := spec.NewTestWriter()
+
+	opts := ScanOptions{
+		Writer: writer,
+		Logger: testLogger(),
+	}
+
+	_, err := scanner.Scan(context.Background(), opts)
+	if err != nil {
+		t.Fatalf("Scan failed: %v", err)
+	}
+
+	results := writer.GetMountResults()
+
+	// Check /dev/shm - should have size= and nr_inodes= filtered out
+	shm, ok := results["/dev/shm"]
+	if !ok {
+		t.Fatalf("/dev/shm mount not found")
+	}
+	for _, opt := range shm.Opts {
+		if opt == "size=194656k" || opt == "nr_inodes=48664" {
+			t.Errorf("Instance-specific option '%s' should have been filtered out", opt)
+		}
+	}
+	// Source should be empty for tmpfs (virtual filesystem)
+	if shm.Source != "" {
+		t.Errorf("Expected empty source for tmpfs, got '%s'", shm.Source)
+	}
+
+	// Check root - source should be empty for /dev/nvme* devices
+	root, ok := results["/"]
+	if !ok {
+		t.Fatalf("root mount not found")
+	}
+	if root.Source != "" {
+		t.Errorf("Expected empty source for /dev/nvme* device, got '%s'", root.Source)
+	}
+}
+
 func TestMountScanner_MalformedLines(t *testing.T) {
 	tmpDir := t.TempDir()
 	mountsFile := filepath.Join(tmpDir, "mounts")