CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0
13.06k stars, 1.46k forks

Potential false positive on protocol detections #1510

Open suprovsky opened 3 months ago

suprovsky commented 3 months ago

Describe the bug

For some reason lynis does not detect modules responsible for protocols being blacklisted.

Version

Expected behavior

Detections marked as OK.

Output

  * Determine if protocol 'dccp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'sctp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'rds' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'tipc' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/
2024-06-12 10:20:56 Performing test ID NETW-3200 (Determine available network protocols)
2024-06-12 10:20:56 Test: checking the status of some network protocols that typically are not used
2024-06-12 10:20:56 Test: now checking module 'dccp'
2024-06-12 10:20:56 Suggestion: Determine if protocol 'dccp' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-06-12 10:20:56 Test: now checking module 'sctp'
2024-06-12 10:20:56 Suggestion: Determine if protocol 'sctp' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-06-12 10:20:56 Test: now checking module 'rds'
2024-06-12 10:20:56 Suggestion: Determine if protocol 'rds' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-06-12 10:20:56 Test: now checking module 'tipc'
2024-06-12 10:20:56 Suggestion: Determine if protocol 'tipc' is really needed on this system [test:NETW-3200] [details:-] [solution:-]

Additional context

Attempting to load dccp module results in this:

 ⚡ root@supra  ~  modprobe dccp
modprobe: ERROR: ../libkmod/libkmod-module.c:1084 command_do() Error running install command '/bin/false' for module dccp: retcode 1
modprobe: ERROR: could not insert 'dccp': Invalid argument

My /etc/modprobe.d/unsafe-modules.conf (tried with /bin/true as an install argument, same result):

## Protocols
install dccp /bin/false
blacklist dccp
install sctp /bin/false
blacklist sctp
install rds /bin/false
blacklist rds
install tipc /bin/false
blacklist tipc
## USB Storage
install usb-storage /bin/false
blacklist usb-storage
# Filesystems
install cramfs /bin/false
blacklist cramfs
install freevxfs /bin/false
blacklist freevxfs
install hfs /bin/false
blacklist hfs
install hfsplus /bin/false
blacklist hfsplus
install jffs2 /bin/false
blacklist jffs2
install udf /bin/false
blacklist udf

I've blacklisted these 4 modules in GRUB - same result, here is my GRUB_CMDLINE_LINUX_DEFAULT:

GRUB_CMDLINE_LINUX_DEFAULT="module_blacklist=dccp,sctp,rds,tipc,usb-storage,cramfs,freevxfs,hfs,hfsplus,jffs2,udf"

konstruktoid commented 3 months ago

Verified.

++ '[' -f /etc/modprobe.conf ']'
++ '[' -d /etc/modprobe.d ']'
+++ /usr/bin/grep -l -s '^install \+dccp \+/bin/(true|false)$' /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/dkms.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
++ DATA=

$ /usr/bin/grep -E -l -s '^install dccp /bin/(true|false)$' and similar works:

$ /usr/bin/grep -E -s '^install dccp /bin/(true|false)$' /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/dkms.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
/etc/modprobe.d/blacklist-rare-network.conf:install dccp /bin/false

suprovsky commented 3 months ago

For modprobe, /etc/modprobe.conf and /etc/modprobe.d/*.conf are read, so lynis should read the same, not specific filenames in /etc/modprobe.d/.

konstruktoid commented 3 months ago

Yeah, but I(!) added \+ in https://github.com/CISOfy/lynis/commit/9819ac4023f2499231f07e93b40ed1cef49f0b19 and that doesn't seem to work anymore.

$ /usr/bin/grep -E -l -s '^install \+dccp\s/bin/(true|false)$' /etc/modprobe.d/* | wc -l
0
$ /usr/bin/grep -E -l -s '^install dccp /bin/(true|false)$' /etc/modprobe.d/* | wc -l
1

konstruktoid commented 3 months ago

Will be fixed in https://github.com/CISOfy/lynis/pull/1503