CRYP-7931: missing detection of swap volume inside encrypted volume group

[SjoerdV]

Describe the bug Concerning test CRYP-7931. When a swap volume is inside a LUKS encrypted volume group, the test outputs 'Found 0 encrypted and 1 unencrypted swap devices in use.'

Version

• Debian 12 Bookworm
• Lynis version 3.0.8

Expected behavior I would expect the test to output 'Found 1 encrypted and 0 unencrypted swap devices in use.'

Output

Additional context relevant source code: https://github.com/CISOfy/lynis/blob/59a3c4b5368cdbd96ba7cdddf0dce5410b30163c/include/tests_crypto#L188 disk setup:

lsblk /dev/sda -o NAME,KNAME,FSTYPE,TYPE,MOUNTPOINT

NAME                 KNAME FSTYPE      TYPE  MOUNTPOINT
sda                  sda               disk  
├─sda1               sda1  vfat        part  /boot/efi
└─sda2               sda2  crypto_LUKS part  
  └─sda2_crypt       dm-0  LVM2_member crypt 
    ├─vg--1-lv--swap dm-1  swap        lvm   [SWAP]
    ├─vg--1-lv--root dm-2  ext4        lvm   /
    └─vg--1-lv--home dm-3  ext4        lvm   /home

[SjoerdV]

possible solution (just for inspiration):

• first get all encrypted volume group member names (KNAME): lsblk -lo KNAME,TYPE | grep " crypt"
• then get the swap volumes based on the parent (PKNAME) in for loop: lsblk -lo NAME,KNAME,PKNAME,FSTYPE,TYPE,MOUNTPOINT | grep -e " $KNAME " | grep " swap "
  • Count the number of encrypted swap disks processed

extra check:

• total number of swap disks should be matched with the number of encrypted swap disks above: lsblk -lo NAME,KNAME,PKNAME,FSTYPE,TYPE,MOUNTPOINT | grep " swap " | wc -l

[AfroThundr3007730]

Or for each discovered swap device, check to see if it's an LV, then check all PVs of that VG to see if they're LUKS devices.

This would not be completely robust for complex scenarios (nested PVs, etc.) but should cover most cases.