Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
sudo lynis --tests-from-group filesystems --verbose --debug|grep hfs
- Module hfs not present in the kernel [ OK ]
[DEBUG] Module hfsplus present in the kernel
- Module hfsplus not loaded (lsmod) [ OK ]
- Module squashfs not present in the kernel [ OK ]
Lynis returns that hfs is not present in the kernel, while the module is loaded, and the test gets 3 points attributed.
The test could be simplified as this:
FIND=$(modprobe -v -n hfs 2>/dev/null | grep -E "/hfs.ko" | tail -1)
if [ -n "${FIND}" ]; then
echo "module loaded";
else
echo "module not loaded";
fi
This returns module not loaded, because modprobe returns nothing when the module is already loaded.
The fact is that the test can't differentiate between a module that exists and is loaded and a module that is not supported by the kernel.
If testing a nonexistent module, we have the same return:
FIND=$(modprobe -v -n hfszzz 2>/dev/null | grep -E "/hfszzz.ko" | tail -1)
if [ -n "${FIND}" ]; then
echo "module loaded";
else
echo "module not loaded";
fi
This returns module not loaded too.
I would suggest rather testing something like the value returned by the command:
modprobe -v -n hfs; echo $?      (returns value 0)
modprobe -v -n hfszz; echo $?    (returns value 1)
In this case, the code could be modified with something like this:
FIND=$(modprobe -v -n hfsplus 2>/dev/null)
if [ $? -eq 0 ]; then
echo "module loaded";
else
echo "module not loaded";
fi
Then the line LogText "Result: found ${FS} support in the kernel (output = ${FIND})" would return (output = ) if the module is loaded, and (output = insmod /lib/modules/6.8.0-48-generic/kernel/fs/hfs/hfs.ko) if the module is not loaded.
In https://github.com/CISOfy/lynis/blob/d76bfdbc1c47c3ffe4faa8cdaae70cc56fad0ad9/include/tests_filesystems#L849 the tests and logic for FILE-6430 seem wrong.
Version
Expected behavior
Lynis should not attribute points to loaded modules
Verify test case load hfs module using
sudo insmod /lib/modules/6.8.0-48-generic/kernel/fs/hfs/hfs.ko
or
sudo modprobe hfs
verify hfs module is loaded
run lynis filesystems tests
sudo lynis --tests-from-group filesystems --verbose --debug|grep hfs
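Added example (not part of the original issue and not Lynis code): one way to separate the three states the report says the FILE-6430 check conflates, by combining the `modprobe -n -v` exit status and output with the contents of `/proc/modules`. The function names `classify_module` and `module_state` and the result strings are hypothetical.

```shell
#!/bin/sh
# classify_module NAME MODPROBE_RC MODPROBE_OUT PROC_MODULES
# Pure classifier. Inputs are the exit status and stdout of
# `modprobe -n -v NAME` and the text of /proc/modules.
# Prints one of: loaded | available | absent | other
classify_module() {
    # /proc/modules lists module names with underscores, never hyphens.
    name=$(printf '%s' "$1" | sed 's/-/_/g')
    rc=$2
    out=$3
    proc_modules=$4

    # Loaded: the name is the first field of a /proc/modules line.
    # This must be checked first, because the dry run prints nothing
    # and exits 0 for a module that is already loaded.
    if printf '%s\n' "$proc_modules" |
        awk -v m="$name" '$1 == m { found = 1 } END { exit !found }'; then
        echo "loaded"
        return 0
    fi
    # Non-zero exit from the dry run: modprobe cannot find the module.
    if [ "$rc" -ne 0 ]; then
        echo "absent"
        return 0
    fi
    # Exit 0 with an insmod line: present on disk, not loaded.
    case $out in
        *insmod*) echo "available" ;;
        # Exit 0, no insmod line, not in /proc/modules: for example
        # built into the kernel or overridden in modprobe
        # configuration. Flag for manual review.
        *) echo "other" ;;
    esac
}

# Collect the inputs from the running system and classify.
module_state() {
    out=$(modprobe -n -v "$1" 2>/dev/null)
    rc=$?
    classify_module "$1" "$rc" "$out" "$(cat /proc/modules 2>/dev/null)"
}

# Usage: sh script.sh hfs
if [ $# -gt 0 ]; then
    module_state "$1"
fi
```

Only the `absent` result corresponds to the hardened state the report expects to earn points; `loaded` and `available` both mean the filesystem driver can be used on the host.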