CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

false negative: debsums cron job check reports OK when debsums is installed but CRON_CHECK=never #1275

Closed nodiscc closed 5 months ago

nodiscc commented 2 years ago

Describe the bug

PKGS-7370 checks for the existence of the debsums binary, and a corresponding cron job in /etc/cron*.

If the cron job is not properly configured, it is meant to report the suggestion "Check debsums configuration and enable checking regularly via a cron job."

Installing the debsums package on a Debian 11 system clears these suggestions, letting the user think that this item is correctly hardened, but in the default Debian configuration debsums actually never runs from cron:

$ sudo cat /etc/cron.daily/debsums
#!/bin/sh

debsums="/usr/bin/debsums"
ignorefile="/etc/debsums-ignore"

[ -x $debsums ] || exit 0

if ! [ -e "$ignorefile" ]; then
    ignorefile="/dev/null"
fi

# source our config
. /etc/default/debsums
[ "z$CRON_CHECK" = "zdaily" ] || exit 0

# See ionice(1)
if [ -x /usr/bin/ionice ] &&
    /usr/bin/ionice -c3 true 2>/dev/null; then
    IONICE="/usr/bin/ionice -c3"
fi

exec 3>&1

$IONICE $debsums -cs 2>&1 | egrep -vf "$ignorefile" | tee /proc/self/fd/3 | sed 's/^debsums: //' | logger -t debsums

# Exit with a normal status code even if errors (which could be ignored) were found
exit 0

Notice it sources /etc/default/debsums and only runs if CRON_CHECK = daily. The same goes for /etc/cron.weekly/debsums and /etc/cron.monthly/debsums. But the default value for CRON_CHECK is never:

$ cat /etc/default/debsums 
# Defaults for debsums cron jobs
# sourced by /etc/cron.d/debsums

#
# This is a POSIX shell fragment
#

# Set this to never to disable the checksum verification or
# one of "daily", "weekly", "monthly" to enable it
CRON_CHECK=never

Version

Expected behavior

The check should return a suggestion/warning instead of OK when CRON_CHECK is not one of daily, weekly, monthly (similar to "Check debsums configuration and enable checking regularly via a cron job.").

Output

$ sudo /usr/sbin/lynis audit system --profile /etc/lynis/custom.prf
...
[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager                          [ FOUND ]
      - Querying package manager
    - Query unpurged packages                                 [ FOUND ]
    - debsecan utility                                        [ FOUND ]
      - debsecan cron job                                     [ FOUND ]
    - debsums utility                                         [ FOUND ]
      - Cron job for debsums                                  [ FOUND ]

$ grep CRON /etc/default/debsums 
CRON_CHECK=never
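The two-stage check the report above argues for, as an added example that is not Lynis code and not the patch from the linked pull request: a cron job file for debsums counts as FOUND only if it exists, and the item is only considered enabled when CRON_CHECK in the defaults file is one of daily, weekly or monthly. The function names (debsums_cron_status, make_fixture, demo) are hypothetical, the check takes a root directory argument so it can run against constructed fixtures instead of the real /etc, and the fixture contents are constructed to mimic the Debian 11 layout shown in the report.

```shell
#!/bin/sh
# Added example, not code from the Lynis project. Re-implements the check
# that PKGS-7370 should perform for debsums, against a ROOT directory laid
# out like / (ROOT/etc/cron.*/debsums, ROOT/etc/default/debsums).

# debsums_cron_status ROOT
#   Prints one of:
#     NOT_FOUND   no cron job file for debsums under ROOT/etc/cron.*
#     DISABLED    a cron job exists, but CRON_CHECK is not daily|weekly|monthly
#                 (e.g. the Debian default "never", unset, or no defaults file
#                 at all, in which case the stock cron job's ". /etc/default/debsums"
#                 fails and debsums never runs either)
#     ENABLED:<p> a cron job exists and CRON_CHECK selects period <p>
#   Returns 0 only for ENABLED, so it can be used directly in a conditional.
debsums_cron_status() {
    root="$1"
    found=0
    for d in cron.d cron.daily cron.weekly cron.monthly; do
        [ -f "$root/etc/$d/debsums" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo NOT_FOUND
        return 1
    fi

    defaults="$root/etc/default/debsums"
    period=""
    if [ -r "$defaults" ]; then
        # Parse rather than source: an auditor should not execute the target's
        # shell fragments. Take the last uncommented assignment (the one that
        # wins when the cron job sources the file), strip quotes, whitespace
        # and a trailing comment.
        period=$(sed -n 's/^[[:space:]]*CRON_CHECK=//p' "$defaults" \
                 | tail -n 1 | tr -d "\"'[:space:]" | sed 's/#.*$//')
    fi
    case "$period" in
        daily|weekly|monthly) echo "ENABLED:$period"; return 0 ;;
        *)                    echo DISABLED;          return 1 ;;
    esac
}

# make_fixture ROOT CRON_CHECK_LINE
#   Constructed fixture: a stub of the stock /etc/cron.daily/debsums job (only
#   its presence and the sourcing logic matter here) plus a defaults file
#   containing CRON_CHECK_LINE. An empty CRON_CHECK_LINE writes no defaults file.
make_fixture() {
    root="$1"; line="$2"
    mkdir -p "$root/etc/cron.daily" "$root/etc/default"
    printf '#!/bin/sh\n. /etc/default/debsums\n[ "z$CRON_CHECK" = "zdaily" ] || exit 0\nexec /usr/bin/debsums -cs\n' \
        > "$root/etc/cron.daily/debsums"
    if [ -n "$line" ]; then
        printf '# Defaults for debsums cron jobs\n%s\n' "$line" > "$root/etc/default/debsums"
    fi
}

# demo: the Debian 11 default (job present, CRON_CHECK=never) next to a
# correctly enabled system and a system without debsums at all.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/debian-default" 'CRON_CHECK=never'
    make_fixture "$tmp/enabled" 'CRON_CHECK="weekly"   # set by the admin'
    mkdir -p "$tmp/no-debsums/etc"
    for c in debian-default enabled no-debsums; do
        printf '%-15s %s\n' "$c" "$(debsums_cron_status "$tmp/$c")"
    done
    rm -rf "$tmp"
}

demo
```

The important design choice is that the status is derived from the defaults file, not from the mere presence of a file in /etc/cron.daily: on a stock Debian system the file is always there, so its presence carries no information about whether the checksum verification ever runs. Parsing with sed rather than sourcing the file keeps the audit read-only; the cost is that an unusual shell construct in /etc/default/debsums (a value computed from another variable, for example) would be reported as DISABLED, which for an auditor is the safer direction to fail in.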

nodiscc commented 2 years ago

/cc @mboelen

xnoguer commented 1 year ago

@nodiscc Can you test whether pull request #1406 fixes this ?

nodiscc commented 1 year ago

Thank you @xnoguer, your patch seems to fix the problem. Posted a review in https://github.com/CISOfy/lynis/pull/1406

mboelen commented 5 months ago

Closing after testing by @nodiscc and pull request is merged.