CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

[DBS-1882] Exception #1511

Open suprovsky opened 3 weeks ago

suprovsky commented 3 weeks ago

Describe the bug: Lynis does not detect the Redis configuration file, as it is not the default one, because all instances of Redis are run as Docker containers.

Version

Expected behavior: A clear and concise description of what you expected to happen.

Output: If applicable, add output that you get from the tool or the related section of lynis.log

  Exception found!

  Function/test:  [DBS-1882]
  Message:        Found Redis, but no configuration file. Report this if you know where it is located on your system.

lynis.log

2024-06-12 10:21:48 Performing test ID DBS-1880 (Check for active Redis server)
2024-06-12 10:21:48 Performing pgrep scan without uid
2024-06-12 10:21:48 IsRunning: process 'redis-server' found (4204 4227 4228 5173 5194 5715 7445 8185 8432 8489 8560 12173 12302 12383 )
2024-06-12 10:21:48 Result: Redis is running
2024-06-12 10:21:48 ====
2024-06-12 10:21:48 Performing test ID DBS-1882 (Redis configuration file)
2024-06-12 10:21:48 Action: scanning directory (/etc/redis) for Redis configuration files
2024-06-12 10:21:49 Result: no configuration files found in this directory
2024-06-12 10:21:49 Action: scanning directory (/usr/local/etc) for Redis configuration files
2024-06-12 10:21:49 Result: no configuration files found in this directory
2024-06-12 10:21:49 Action: scanning directory (/usr/local/etc/redis) for Redis configuration files
2024-06-12 10:21:49 Result: no configuration files found in this directory
2024-06-12 10:21:49 Action: scanning directory (/usr/local/redis/etc) for Redis configuration files
2024-06-12 10:21:49 Result: no configuration files found in this directory
2024-06-12 10:21:49 Exception: test has an exceptional event (DBS-1882) with text Found Redis, but no configuration file. Report this if you know where it is located on your system.

Additional context: You can reproduce this with the following setup on Docker (docker-compose.yml):

services:
  redis:
    image: rapidfort/redis:7.2
    healthcheck:
      test: redis-cli PING | grep PONG
      interval: 10s
      timeout: 2s
      retries: 10
    restart: always
    env_file:
      - ./.env
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD}
      - REDISCLI_AUTH=${REDIS_PASSWORD}
    volumes:
      - redis-data:/bitnami/redis/data:rw
volumes:
  redis-data:

.env

REDIS_PASSWORD=testpw

The volume must have 1001:1001 permissions set, otherwise it won't start. I do it by adding command: sleep infinity to a service and then, after upping the services, running docker exec -i -u 0 containername chown -R 1001:1001 /bitnami/redis/data

konstruktoid commented 3 weeks ago

That means there needs to be some kind of container test as well, similar to

$ for p in $(pgrep redis); do if grep -q docker "/proc/${p}/cgroup"; then echo "${p} is in a container"; fi; done
46716 is in a container

And then this can scale, of course (ignore it, or find the config in the container, etc.).
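One way the container test above could be taken further, as an added example that is neither Lynis code nor part of this thread: classify each redis-server process from its /proc/PID/cgroup, and for containerised ones scan the same directories Lynis checks through the container's root filesystem as seen from the host (/proc/PID/root). It assumes the audit runs as root (so /proc/PID/root is readable) and adds /opt/bitnami/redis/etc as an assumed Bitnami-style location; the cgroup markers and sample paths are illustrative.

```shell
#!/bin/sh
# Added example, not part of Lynis: host-side (agentless) detection of
# containerised Redis processes and lookup of their configuration file.

# Return 0 if the given cgroup file names a container runtime, 1 otherwise.
# Markers are assumptions covering docker, containerd, podman and kubernetes.
cgroup_in_container() {
    grep -Eq '(docker|containerd|libpod|kubepods)' "$1"
}

# Print the first Redis configuration file found beneath a root directory
# (empty root means the host), scanning the directories from lynis.log plus
# an assumed Bitnami path. Returns 1 when nothing is found.
find_redis_conf() {
    base="$1"
    for dir in /etc/redis /usr/local/etc /usr/local/etc/redis \
               /usr/local/redis/etc /opt/bitnami/redis/etc; do
        for f in "$base$dir"/redis.conf "$base$dir"/*.conf; do
            [ -f "$f" ] && { echo "$f"; return 0; }
        done
    done
    return 1
}

# Audit every redis-server process: say whether it runs in a container and
# where its configuration file is (paths under /proc/PID/root are host views
# of the container filesystem and need root to read).
audit_redis() {
    for p in $(pgrep -x redis-server 2>/dev/null); do
        if cgroup_in_container "/proc/$p/cgroup"; then
            scope="container"; root="/proc/$p/root"
        else
            scope="host"; root=""
        fi
        conf=$(find_redis_conf "$root") || conf="(none found)"
        printf '%s pid %s: config %s\n' "$scope" "$p" "$conf"
    done
}

if [ "${1:-}" = "--run" ]; then
    audit_redis
fi
```

Run it as root with --run on the affected host; a containerised instance with no readable redis.conf under its root is then a genuine finding rather than a false exception.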