CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

Incorrect work with the kernel. #1019

Closed Rufics closed 3 years ago

Rufics commented 4 years ago

Describe the bug

Incorrectly detects the kernel on disk and the current one on systems with multiple kernel versions.

Version

Expected behavior

During the check, it offers to reboot the system because it sees a recovery kernel of a different version on the disk; the current system has been updated to a newer kernel, and with the help of grub2-set-default that kernel is set to boot in GRUB. At the same time, as you can see from the logs, what Lynis finds is the recovery kernel. The expected behavior is that it will check for the presence on disk of the kernel that boots by default, and that the system is running from it.

Output

2020-08-30 01:10:50 Test: Checking presence /var/run/reboot-required.pkgs
2020-08-30 01:10:50 Result: file /var/run/reboot-required.pkgs not found
2020-08-30 01:10:50 Result: /boot exists, performing more tests from here
2020-08-30 01:10:50 Result: found /boot/vmlinuz-0-rescue-c1301f4b43894de3b590f3810f83fe1f
2020-08-30 01:10:50 Result: version derived from file name is '0-rescue-c1301f4b43894de3b590f3810f83fe1f'
2020-08-30 01:10:50 Result: found version 0-rescue-c1301f4b43894de3b590f3810f83fe1f
2020-08-30 01:10:50 Result: active kernel version 5.7.12-1.el7.elrepo.x86_64
2020-08-30 01:10:50 Result: reboot needed, as there is a difference between active kernel and the one on disk
2020-08-30 01:10:50 Result: /var/cache/apt/archives/ does not exist
2020-08-30 01:10:50 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2020-08-30 01:10:50 Hardening: assigned partial number of hardening points (0 of 5). Currently having 12 points (out of 21)
2020-08-30 01:10:50 Security check: file is normal
2020-08-30 01:10:50 Checking permissions of /opt/lynis/include/tests_memory_processes
2020-08-30 01:10:50 File permissions are OK

Varbin commented 4 years ago

Is this the same issue as in #999?

Rufics commented 4 years ago

Yes, the problem is similar. But there I see how a person simply removed the kernel for backup recovery, which I do not consider to be the correct solution to the problem, since this does not affect security.

Rufics commented 4 years ago

I don't understand what exactly you wanted to say, but the current version pops up in the command below. But I see a slightly different behavior of the program: it checks the current kernel and the default kernel, as well as the kernel in /boot, and everywhere there should be the kernel from which the system is running. Why even do extra checks and sorts?

echo $(ls -t /boot/vmlinuz-* | sed "s/\/boot\/vmlinuz-//g" | grep -v rescue | sed 's/.x86_64//' | sort -Vr | head -n1).x86_64
5.7.12-1.el7.elrepo.x86_64

daniejstriata commented 4 years ago

I don't think my reply was as relevant to your scenario, that's why I moved it to the other issue. Maybe it will help someone, as I also had issues in my own script to know 100% of the time whether I need to reboot or not.

github-actions[bot] commented 4 years ago

Stale issue message

pyllyukko commented 1 year ago

I have a similar issue with Slackware 15.0 and custom kernels. The vmlinuz images are named in the packaging script as follows:

  cp -a --verbose System.map $PKG/boot/System.map-${KERNEL_NAME}${LOCALVERSION}-${VERSION}${LOCALVERSION}
  cp -a --verbose .config $PKG/boot/config-${KERNEL_NAME}${LOCALVERSION}-${VERSION}${LOCALVERSION}${CONFIG_SUFFIX}
  cp -a --verbose arch/${KERNEL_ARCH}/boot/bzImage $PKG/boot/vmlinuz-${KERNEL_NAME}${LOCALVERSION}-${VERSION}${LOCALVERSION}
  # Make symlinks:
  ln -sf System.map-${KERNEL_NAME}${LOCALVERSION}-${VERSION}${LOCALVERSION} $PKG/boot/System.map
  ln -sf config-${KERNEL_NAME}${LOCALVERSION}-${VERSION}${LOCALVERSION}${CONFIG_SUFFIX} $PKG/boot/config
  ln -sf vmlinuz-${KERNEL_NAME}${LOCALVERSION}-${VERSION}${LOCALVERSION} $PKG/boot/vmlinuz
  ln -sf vmlinuz-${KERNEL_NAME}${LOCALVERSION}-${VERSION}${LOCALVERSION} $PKG/boot/vmlinuz-${KERNEL_NAME}${LOCALVERSION}

So Lynis doesn't understand that:

2023-01-03 04:40:26 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2023-01-03 04:40:26 Test: Checking presence /var/run/reboot-required.pkgs
2023-01-03 04:40:26 Result: file /var/run/reboot-required.pkgs not found
2023-01-03 04:40:26 Test: Checking presence /var/run/needs_restarting
2023-01-03 04:40:26 Result: file /var/run/needs_restarting not found
2023-01-03 04:40:26 Result: /boot exists, performing more tests from here
2023-01-03 04:40:26 Result: found /boot/vmlinuz
2023-01-03 04:40:26 Result: found a symlink, retrieving destination
2023-01-03 04:40:26 Result: destination file is vmlinuz-generic-kspp-5.15.80-kspp
2023-01-03 04:40:26 Result: version derived from file name is 'generic-kspp-5.15.80-kspp'
2023-01-03 04:40:26 Result: found version generic-kspp-5.15.80-kspp
2023-01-03 04:40:26 Result: active kernel version 5.15.80-kspp
2023-01-03 04:40:26 Result: reboot needed, as there is a difference between active kernel and the one on disk
2023-01-03 04:40:26 Result: /var/cache/apt/archives/ does not exist
2023-01-03 04:40:26 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2023-01-03 04:40:26 Hardening: assigned partial number of hardening points (0 of 5). Currently having 7 points (out of 13)
2023-01-03 04:40:26 Security check: file is normal
2023-01-03 04:40:26 Checking permissions of /usr/share/lynis/include/tests_memory_processes
2023-01-03 04:40:26 File permissions are OK
2023-01-03 04:40:26 ====

Another issue is that with ELILO, the kernels residing under /boot/ are not even the ones being used, as it loads them from the EFI partition (which might be mounted at /boot/efi/EFI/Slackware/).
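Both scenarios in this thread (a rescue image on an el7 box, and a Slackware custom kernel whose file name carries a non-numeric prefix and is reached through symlinks) come down to the same question: which installed kernel is the newest, and is it the one that is running? The script below is an added example written for this thread, not Lynis's own KRNL-5830 code. It takes the boot directory as a parameter (so a separately mounted EFI directory such as the /boot/efi/EFI/Slackware/ path mentioned above can be checked instead of /boot), resolves symlinks, skips rescue images, and strips any leading non-numeric prefix from the file name before comparing with `uname -r`. The function names, the prefix-stripping heuristic and the fixture directories are all assumptions made for the example; the fixture file names are constructed from the file names quoted in this thread.

```shell
#!/bin/sh
# Added example for lynis issue #1019 (not Lynis code): decide whether the
# running kernel is the newest one installed under a given boot directory.
# Requires GNU sort (-V) and readlink, as used in the thread's own one-liner.

# latest_installed_kernel BOOTDIR
# Prints the highest kernel version found among BOOTDIR/vmlinuz-*.
# Symlinks are resolved to their target name, rescue images are skipped,
# and any leading non-digit prefix (e.g. "generic-kspp-") is removed.
# Assumption: the version string starts at the first digit of the name.
latest_installed_kernel() {
    bootdir="$1"
    for f in "$bootdir"/vmlinuz-*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ -L "$f" ]; then
            # e.g. vmlinuz-generic-kspp -> vmlinuz-generic-kspp-5.15.80-kspp
            name=$(basename "$(readlink "$f")")
        fi
        case "$name" in
            *rescue*) continue ;;   # rescue images are never "the latest kernel"
        esac
        ver=$(printf '%s\n' "$name" | sed -e 's/^vmlinuz-//' -e 's/^[^0-9]*//')
        [ -n "$ver" ] || continue   # name carried no version at all
        printf '%s\n' "$ver"
    done | sort -Vu | tail -n 1
}

# kernel_status BOOTDIR RUNNING
# Prints "current" when RUNNING equals the newest installed version,
# "reboot" when it differs, and "unknown" when no kernel image was found
# (so a missing or differently mounted boot directory is not reported as
# "reboot needed").
kernel_status() {
    newest=$(latest_installed_kernel "$1")
    running="$2"
    if [ -z "$newest" ]; then
        echo "unknown"
    elif [ "$newest" = "$running" ]; then
        echo "current"
    else
        echo "reboot"
    fi
}

# make_fixture KIND
# Constructed /boot layouts (not real systems) mirroring the two reports:
#   el7       -> rescue image plus two versioned images
#   slackware -> prefixed custom kernel reached through two symlinks
make_fixture() {
    dir=$(mktemp -d)
    case "$1" in
        el7)
            : > "$dir/vmlinuz-0-rescue-00000000000000000000000000000000"
            : > "$dir/vmlinuz-3.10.0-1127.el7.x86_64"
            : > "$dir/vmlinuz-5.7.12-1.el7.elrepo.x86_64"
            ;;
        slackware)
            : > "$dir/vmlinuz-generic-kspp-5.15.80-kspp"
            ln -s vmlinuz-generic-kspp-5.15.80-kspp "$dir/vmlinuz"
            ln -s vmlinuz-generic-kspp-5.15.80-kspp "$dir/vmlinuz-generic-kspp"
            ;;
    esac
    printf '%s\n' "$dir"
}

# Demo on the constructed fixtures; set EXAMPLE_LIVE=1 to check the real
# system instead (boot directory /boot, running kernel from uname -r).
if [ "${EXAMPLE_LIVE:-}" = 1 ]; then
    kernel_status /boot "$(uname -r)"
else
    d=$(make_fixture el7)
    echo "el7 newest: $(latest_installed_kernel "$d")"
    echo "el7 running 5.7.12-1.el7.elrepo.x86_64: $(kernel_status "$d" 5.7.12-1.el7.elrepo.x86_64)"
    s=$(make_fixture slackware)
    echo "slackware newest: $(latest_installed_kernel "$s")"
    echo "slackware running 5.15.80-kspp: $(kernel_status "$s" 5.15.80-kspp)"
    rm -rf "$d" "$s"
fi
```

The fixture check reports "current" for both cases that Lynis flagged, because the comparison is made against the newest non-rescue version rather than against whichever file the directory listing happened to yield first. The prefix-stripping rule is deliberately simple; a naming scheme that puts digits before the version (for example a numbered flavour name) would need the pattern adjusted, which is exactly the kind of distribution-specific variation that makes a file-name-only check fragile.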