CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

HTTP-6660 Fails due to faulty comparison #1537

Closed jpasher-lazor closed 1 month ago

jpasher-lazor commented 2 months ago

Version

Describe the bug

The test for TraceEnable in Apache (HTTP-6660) has a comparison that is invalid in Dash (the default for /bin/sh in Debian-based distros). This is due to the way it does the string comparisons to try to compensate for an empty string (are there still shells around that need to do that?).

Line 325 in include/tests_webservers:

TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' )
if [ x${TRACEENABLED_SETTING} == x'off' ]; then
    ...
else
    ...
fi

It leads to this error:

./lynis: 326: [: xoff: unexpected operator

Since I'm not sure which old/obscure shells out there can't process an empty string as a parameter when in quotes, I kept the extra "x" and just wrapped the quotes properly.

if [ "x${TRACEENABLED_SETTING}" == 'xoff' ]; then

PR is here: #1536

mboelen commented 1 month ago

Thanks for reporting and PR. Closing after merging #1536
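
Added example, not part of the issue or of Lynis's own code: a form of the comparison discussed in this thread that uses the `=` operator POSIX defines for `[` together with quoted operands, plus a probe that reports whether the running shell's `[` accepts `==`. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: TraceEnable comparison that behaves the same in any POSIX sh.
# Function names and sample values are constructed for illustration.

# Return 0 only when the value is "off" in any letter case.
trace_is_off() {
    setting=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # POSIX defines "=" for string equality in "["; the quotes keep an empty
    # or multi-word value as exactly one argument.
    [ "${setting}" = "off" ]
}

# Same decision with "case", which involves no test operator at all.
trace_is_off_case() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        off) return 0 ;;
        *)   return 1 ;;
    esac
}

# Report whether this shell's "[" accepts the non-POSIX "==" operator.
# A rejected operator gives "[" a non-zero status, which "if" treats as
# false, so a check written with "==" falls into its else branch.
probe_double_equals() {
    if [ x == x ] 2>/dev/null; then
        echo "accepted"
    else
        echo "rejected"
    fi
}

# Classify a value the way an audit check might report it.
classify_trace() {
    if trace_is_off "$1"; then
        echo "ok"
    elif [ -z "$1" ]; then
        echo "unset"
    else
        echo "review"
    fi
}

echo "'==' in this shell: $(probe_double_equals)"
# Constructed sample values: normal, upper case, on, empty, other, multi-word.
for value in "Off" "OFF" "on" "" "extended" "off extra"; do
    printf '%-12s -> %s\n' "[${value}]" "$(classify_trace "${value}")"
done
```

Running the script under each shell installed as `/bin/sh` on the audited hosts shows whether `==` is accepted there, while the `=` and `case` forms give the same result in all of them.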