CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

Exception found! [KRNL-5730] _ReportException_ should have _GREPTOOL_ passed in and not _GREPBINARY_ #1484

Open fullofentropy opened 7 months ago

fullofentropy commented 7 months ago

Describe the bug

Function/test: [KRNL-5730] produces an exception. Error message from exception is incorrect: Message: No valid /bin/grep tool found to search kernel settings

A valid /bin/grep tool does exist on the system. When looking at the source searching "KRNL-5730" the following flow is done incorrectly:

#
    # Test        : KRNL-5730
    # Description : Checking default I/O kernel scheduler
    # Notes       : This test could be extended with testing some of the specific devices like disks
    #               cat /sys/block/sda/queue/scheduler
    PREQS_MET="NO"
    if HasData "${LINUXCONFIGFILE}"; then
        if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
    fi
    Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
        if [ -n "${GREPTOOL}" ]; then
            LogText "Test: Checking the default I/O kernel scheduler"
            LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g)
            if [ -n "${LINUX_KERNEL_IOSCHED}" ]; then
                LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
                Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
                Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
            else
                LogText "Result: no default I/O kernel scheduler found"
                Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
            fi
        else
            ReportException "${TEST_NO}" "No valid ${GREPBINARY} tool found to search kernel settings"
        fi
    fi
#

Version

Expected behavior

No exception expected, error should be properly handled.

Output

If applicable, add output that you get from the tool or the related section of lynis.log

    18:26:05 [+] Kernel
    18:26:05 ------------------------------------
    18:26:05 - Checking default run level [ 3 ]
    18:26:05 - Checking kernel version and release [ DONE ]
    18:26:06 - Checking kernel type [ DONE ]
    18:26:06 - Checking loaded kernel modules [ DONE ]
    18:26:06 - Checking Linux kernel configuration file [ FOUND ]
    18:26:06
    18:26:06 =================================================================
    18:26:06
    18:26:06 Exception found!
    18:26:06
    18:26:06 Function/test: [KRNL-5730]
    18:26:06 Message: No valid /bin/grep tool found to search kernel settings
    18:26:06

Additional context

mboelen commented 6 months ago

Thanks for reporting.

So in your case:

Is that correct?

jpasher-lazor commented 2 months ago

Do you have zgrep installed/available in your path? It doesn't make sense for the ReportException message text to use GREPTOOL, because it's blank (that's the only way that check would fall). Even GREPBINARY is technically wrong, since GREPTOOL might not be set to that.

Since you said LINUXCONFIGFILE_ZIPPED is 1, it tries to set GREPTOOL to ZGREPBINARY, which means ZGREPBINARY is blank, and it shows the exception.

Your ultimate issue is zgrep can't be found, which is required to search the compressed Linux config file.
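
The selection logic discussed in this thread, as an added example that is not part of the issue and is not Lynis code: it chooses between grep and zgrep the way the KRNL-5730 snippet does, but the failure message names the tool that was actually wanted. `GREPBINARY`, `ZGREPBINARY` and `LINUXCONFIGFILE_ZIPPED` mirror the snippet above; `select_grep_tool` and `default_iosched` are hypothetical helper names, and the sample values are constructed.

```shell
#!/bin/sh
# Added illustration, not Lynis code. Variable names mirror the issue's snippet;
# both functions are hypothetical helpers.

# select_grep_tool ZIPPED GREPBINARY ZGREPBINARY
# stdout: the chosen tool. On failure: stderr names the missing tool, returns 1.
select_grep_tool() {
    if [ "$1" -eq 1 ]; then
        wanted="zgrep"; tool="$3"
    else
        wanted="grep"; tool="$2"
    fi
    if [ -z "${tool}" ]; then
        echo "No valid ${wanted} tool found to search kernel settings" >&2
        return 1
    fi
    printf '%s\n' "${tool}"
}

# default_iosched TOOL CONFIGFILE
# Same extraction pipeline as KRNL-5730: value of CONFIG_DEFAULT_IOSCHED, quotes stripped.
default_iosched() {
    "$1" "CONFIG_DEFAULT_IOSCHED" "$2" | awk -F= '{ print $2 }' | sed 's/"//g'
}

# Constructed scenario from the thread: compressed kernel config, zgrep not found.
GREPBINARY="/bin/grep"; ZGREPBINARY=""; LINUXCONFIGFILE_ZIPPED=1
if GREPTOOL=$(select_grep_tool "${LINUXCONFIGFILE_ZIPPED}" "${GREPBINARY}" "${ZGREPBINARY}" 2>&1); then
    echo "using ${GREPTOOL}"
else
    # GREPTOOL holds the captured error text here, which points at zgrep, not /bin/grep.
    echo "exception: ${GREPTOOL}"
fi
```
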