CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

NETW-3200 and FILE-6430 do no longer detect blacklisted modules #1502

Open sbaumgartner75 opened 1 month ago

sbaumgartner75 commented 1 month ago

Describe the bug

Both tests NETW-3200 and FILE-6430 no longer detect blacklisted modules.

Version

Expected behavior

Both tests NETW-3200 and FILE-6430 detect blacklisted modules.

Output

  * Determine if protocol 'dccp' is really needed on this system [NETW-3200] 
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'sctp' is really needed on this system [NETW-3200] 
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'rds' is really needed on this system [NETW-3200] 
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'tipc' is really needed on this system [NETW-3200] 
      https://cisofy.com/lynis/controls/NETW-3200/

Additional context

Since commit "9819ac4" the REGEX for detecting the blacklist entries is broken.

DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf) and DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*) respectively, because the "\" escapes the "+" and thus the "+" is expected in the output.

I fixed this to read

DATA=$(${GREPBINARY} "^install +${P} +/bin/true$" ${ROOTDIR}etc/modprobe.conf) and DATA=$(${GREPBINARY} -l -s "^install +${P} +/bin/true$" ${ROOTDIR}etc/modprobe.d/*)

which fulfills the original intention of allowing any number of blanks.

SchwarzerA commented 1 month ago

That's due to an error in include/consts, GREPBINARY="grep". It should read GREPBINARY="grep -E" because in NETW-3200 and other tests I assume extended regular expressions are used. And the test should be written as:

grep -E "^install[[:space:]]+dccp[[:space:]]+/bin/(true|false)$" /etc/modprobe.d/*

to actually work (openSUSE Tumbleweed). Please be aware that tabulators and/or blanks might be used.

sbaumgartner75 commented 1 month ago

I have amended my PR to include your very valid remark.

konstruktoid commented 3 weeks ago

To achieve the expected behaviour in https://github.com/CISOfy/lynis/commit/9819ac4023f2499231f07e93b40ed1cef49f0b19:

/usr/bin/grep -E -l -s '^install\s+dccp\s+/bin/(true|false)$' /etc/modprobe.d/*
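The pattern suggested in the two comments above, exercised against constructed modprobe.d files as an added example (this is not Lynis code and not part of the thread). It uses the POSIX class `[[:space:]]+` rather than `\s` so it does not depend on a GNU grep extension, accepts both `/bin/true` and `/bin/false` as the install target, and treats tab-separated and space-separated entries alike. The sample entries, the scratch directory and the function names `setup_sample_dir`, `module_disabled` and `missing_modules` are all constructed for the example.

```shell
#!/bin/sh
# Added example, not Lynis code: check whether a kernel module is disabled
# through an "install <module> /bin/true|/bin/false" line in a modprobe.d
# directory, using the extended-regex form proposed in the issue thread.
set -u

# Create a scratch modprobe.d directory with constructed sample entries and
# print its path.
setup_sample_dir() {
    sample_dir=$(mktemp -d)
    # space-separated fields, /bin/true target
    printf 'install dccp /bin/true\n' > "$sample_dir/dccp.conf"
    # tab-separated fields, /bin/false target
    printf 'install\tsctp\t/bin/false\n' > "$sample_dir/sctp.conf"
    # a "blacklist" line alone does not stop explicit loading, so it must not count
    printf 'blacklist rds\n' > "$sample_dir/rds.conf"
    # a commented-out entry must not count either
    printf '# install tipc /bin/true\n' > "$sample_dir/tipc.conf"
    printf '%s' "$sample_dir"
}

# module_disabled MODULE DIR: exit 0 when some file in DIR carries an active
# "install MODULE /bin/true" or "install MODULE /bin/false" line, with any run
# of blanks or tabs between the fields; exit 1 otherwise.
module_disabled() {
    mod=$1
    mdir=$2
    grep -E -l -s "^install[[:space:]]+${mod}[[:space:]]+/bin/(true|false)$" "$mdir"/* >/dev/null
}

# missing_modules DIR MODULE...: print the space-separated list of the given
# modules that are NOT disabled in DIR (the ones a hardening check would flag).
missing_modules() {
    dir=$1
    shift
    missing=""
    for m in "$@"; do
        if ! module_disabled "$m" "$dir"; then
            missing="${missing:+$missing }$m"
        fi
    done
    printf '%s' "$missing"
}

main() {
    dir=$(setup_sample_dir)
    # prints "rds tipc": the two modules whose files carry no active install line
    missing_modules "$dir" dccp sctp rds tipc
    echo
    rm -rf "$dir"
}

main "$@"
```

Running the script prints `rds tipc`: dccp (spaces) and sctp (tabs, `/bin/false`) are both recognised as disabled, while a bare `blacklist` line and a commented-out entry are not. Pointing `module_disabled` at `/etc/modprobe.d` instead of the scratch directory gives the same check the Lynis test is meant to perform.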