CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0
13.47k stars, 1.49k forks

Kernel values are double-evaluated when using custom.prf #171

Closed rhyven closed 8 years ago

rhyven commented 8 years ago

When a kernel value exists in both default.prf and custom.prf, they're both evaluated:

custom.prf:  sysctl:net.ipv4.tcp_timestamps:1:1:Enable TCP timestamps:
default.prf: sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:

Results in:

[12:27:34] Result: sysctl key net.ipv4.tcp_timestamps has a different value than expected in scan profile. Expected=0, Real=1
[12:27:34] Hardening: assigned partial number of hardening points (0 of 1). Currently having 247 points (out of 275)
...
[12:27:36] Result: sysctl key net.ipv4.tcp_timestamps contains equal expected and current value (1)
[12:27:36] Hardening: assigned maximum number of hardening points for this item (1). Currently having 267 points (out of 295)

mboelen commented 8 years ago

Due to the ongoing work to allow multiple profiles, this behavior is to be expected. We have to come up with a good implementation for this kind of keys. After all, we want to propose default keys to check, but rather avoid people changing the default.prf file from now on. One possibility could be the usage of an external database (db directory), and store these values there.

rhyven commented 8 years ago

Agreed! I expected it, because the functionality is so new -- but I figured I'd log it as an issue, because it's definitely something we need to fix.

A db directory sounds like a lot of work. I'm not familiar enough with how bash does things -- I'll have a think on it, and see if I can come up with a fix.

mboelen commented 8 years ago

There is already a db directory. We could simply make a file with the keys, and the preferred values. The challenge is that it should be flexible enough for people to change (without being overwritten), or the possibility to create their own data set.

rhyven commented 8 years ago

Ha, there it is. I hadn't noticed it before.

mboelen commented 8 years ago

The related test (KRNL-6000) has been rewritten, and so has the format of items in the profile. This way they can be used in multiple profiles. Order of preference: 1) personal profiles, 2) custom.prf, 3) default.prf. So defining them in your personal profile or custom.prf determines which value will be checked.

Can you test if it works for you?
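
As an added illustration of the precedence rule described in the comment above (this is example code, not code from the Lynis project), the following POSIX shell script resolves duplicate sysctl keys across profiles by keeping the first definition found in precedence order, then evaluates each key exactly once against a set of current values. It uses the profile line format shown in the issue report (sysctl:key:expected:points:description:) and assumes that the fourth field is the point weight of the check; the profiles and the current kernel values are constructed inline rather than read from sysctl so that the script runs offline. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Lynis code. Resolve duplicate sysctl keys across
# profiles (personal profile, then custom.prf, then default.prf) so each
# key is evaluated only once, avoiding the double-scoring seen in the issue.
# Profile line format (as shown in the issue): sysctl:<key>:<expected>:<points>:<description>:
# Assumption: the fourth field is the point weight of the check.

# Usage: resolve_sysctl_keys profile1 [profile2 ...]
# Profiles are listed from highest to lowest precedence; the first
# definition of a key wins and later duplicates are dropped.
resolve_sysctl_keys() {
    # awk reads the files in the given order and keeps the first line per key
    awk -F: '$1 == "sysctl" && !seen[$2]++' "$@"
}

# Usage: check_sysctl_keys <resolved-profile> <current-values-file>
# The current-values file holds "<key>=<value>" lines (constructed here;
# on a real host it could be produced from sysctl -a).
# Prints one result line per key and a final "points=<got> max=<max>" line.
check_sysctl_keys() {
    resolved="$1"; current="$2"
    awk -F: -v curfile="$current" '
        BEGIN {
            # load the current kernel values into an associative array
            while ((getline line < curfile) > 0) {
                split(line, kv, "=")
                cur[kv[1]] = kv[2]
            }
        }
        $1 == "sysctl" {
            key = $2; expected = $3; points = $4
            max += points
            if (!(key in cur)) {
                printf "key %s not found on this system\n", key
            } else if (cur[key] == expected) {
                printf "key %s matches expected value (%s)\n", key, expected
                got += points
            } else {
                printf "key %s has a different value than expected. Expected=%s, Real=%s\n", key, expected, cur[key]
            }
        }
        END { printf "points=%d max=%d\n", got, max }
    ' "$resolved"
}

# Usage: write_sample_files <dir>
# Writes constructed sample profiles mirroring the issue report, plus a
# constructed set of current values, into <dir>.
write_sample_files() {
    dir="$1"
    cat > "$dir/default.prf" <<'EOF'
# constructed sample default profile
sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
sysctl:net.ipv4.ip_forward:0:1:Do not forward IP packets:
sysctl:kernel.kptr_restrict:2:1:Restrict kernel pointer exposure:
EOF
    cat > "$dir/custom.prf" <<'EOF'
# constructed sample custom profile, overriding one key
sysctl:net.ipv4.tcp_timestamps:1:1:Enable TCP timestamps:
EOF
    cat > "$dir/current.txt" <<'EOF'
net.ipv4.tcp_timestamps=1
net.ipv4.ip_forward=0
kernel.kptr_restrict=1
EOF
}

# Stand-alone run: custom.prf takes precedence over default.prf, so
# net.ipv4.tcp_timestamps is checked once, against the expected value 1.
workdir=$(mktemp -d)
write_sample_files "$workdir"
resolve_sysctl_keys "$workdir/custom.prf" "$workdir/default.prf" > "$workdir/resolved.prf"
check_sysctl_keys "$workdir/resolved.prf" "$workdir/current.txt"
```

With the sample data, the resolved profile contains three keys, net.ipv4.tcp_timestamps is scored once with the custom.prf expectation, and the run ends with points=2 max=3 because only kernel.kptr_restrict differs from its expected value.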

mboelen commented 8 years ago

Hi @rhyven, do you have a few minutes to test if things work for you with the new method?

rhyven commented 8 years ago

Hey @mboelen, long time no see ;-) Absolutely, I'll aim to test it out in the next 24 hours.

rhyven commented 8 years ago

10/10. Rewritten test seems to work perfectly. Thanks! I'll close the issue :)