[Solved] Error: found one or more errors in profile /etc/lynis/default.prf

[hyperized]

[Solution]: remove old installation from /usr/local/lynis

When using the latest(2.5.5-1) package from the repository and only the default profile on a newly installed server we observe:

# lynis show

Error: found one or more errors in profile /etc/lynis/default.prf
Details: Unknown option 'colors' found (with value: yes)

When adding set -x to /usr/local/lynis/include/profiles, we see the following output:

# lynis show
+ SETTING_LOG_TESTS_INCORRECT_OS=1
+ SETTING_SHOW_REPORT_SOLUTION=0
+ LogText Reading profile/configuration /etc/lynis/default.prf
+ [ ! /var/log/lynis.log =  -a 0 -eq 1 ]
+ egrep ^config:|^[a-z-].*= /etc/lynis/default.prf
+ sed s/ /!space!/g
+ FIND=colors=yes
compressed-uploads=yes
error-on-warnings=no
language=
license-key=
machine-role=server
profile-name=Default!space!Audit!space!Template
pause-between-tests=0
quick=no
refresh-repositories=yes
show-report-solution=yes
show-tool-tips=yes
skip-plugins=no
test-scan-mode=full
upload=no
upload-server=
upload-options=
verbose=no
plugin=authentication
plugin=compliance
plugin=configuration
plugin=control-panels
plugin=crypto
plugin=dns
plugin=docker
plugin=file-integrity
plugin=file-systems
plugin=firewalls
plugin=forensics
plugin=intrusion-detection
plugin=intrusion-prevention
plugin=kernel
plugin=malware
plugin=memory
plugin=nginx
plugin=pam
plugin=processes
plugin=security-modules
plugin=software
plugin=system-integrity
plugin=systemd
plugin=users
system-customer-name=
tags=
config-data=sysctl;security.bsd.see_other_gids;0;1;Groups!space!only!space!see!space!their!space!own!space!processes;sysctl!space!-a;-;category:security;
config-data=sysctl;security.bsd.see_other_uids;0;1;Users!space!only!space!see!space!their!space!own!space!processes;sysctl!space!-a;-;category:security;
config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable!space!stack!space!smashing!space!protection!space!(SSP)/ProPolice!space!to!space!defend!space!against!space!possible!space!buffer!space!overflows;-;category:security;
config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged!space!processes!space!can!space!not!space!use!space!process!space!debugging;sysctl!space!-a;-;category:security;
config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged!space!processes!space!can!space!not!space!read!space!the!space!kernel!space!message!space!buffer;sysctl!space!-a;-;category:security;
config-data=sysctl;fs.suid_dumpable;0;1;Restrict!space!core!space!dumps;sysctl!space!-a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
config-data=sysctl;fs.protected_hardlinks;1;1;Restrict!space!hardlink!space!creation!space!behavior;sysctl!space!-a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
config-data=sysctl;fs.protected_symlinks;1;1;Restrict!space!symlink!space!following!space!behavior;sysctl!space!-a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
config-data=sysctl;kern.sugid_coredump;0;1;No!space!description;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.core_setuid_ok;0;1;No!space!description;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.core_uses_pid;1;1;No!space!description;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.ctrl-alt-del;0;1;No!space!description;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.dmesg_restrict;1;1;Restrict!space!use!space!of!space!dmesg;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.exec-shield-randomize;1;1;No!space!description;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.exec-shield;1;1;No!space!description;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict!space!access!space!to!space!kernel!space!symbols;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.maps_protect;1;1;Restrict!space!access!space!to!space!/proc/[pid]/maps;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.randomize_va_space;2;1;Randomize!space!of!space!memory!space!address!space!locations!space!(ASLR);sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.suid_dumpable;0;1;Restrict!space!core!space!dumps;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.sysrq;0;1;Disable!space!magic!space!SysRQ;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.use-nx;0;1;No!space!description;sysctl!space!-a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0;
config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable!space!TCP!space!keep!space!alive!space!detection!space!for!space!dead!space!peers!space!as!space!the!space!keepalive!space!can!space!be!space!spoofed;-;category:security;
config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove!space!the!space!TIME_WAIT!space!state!space!for!space!loopback!space!interface;-;category:security;
config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable!space!MTU!space!discovery!space!as!space!many!space!hosts!space!drop!space!the!space!ICMP!space!type!space!3!space!packets;-;category:security;
config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore!space!ICMP!space!packets!space!directed!space!to!space!broadcast!space!address;-;category:security;
config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP!space!may!space!not!space!send!space!RST!space!to!space!avoid!space!spoofed!space!ICMP/UDP!space!floods;-;category:security;
config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do!space!not!space!allow!space!redirected!space!ICMP!space!packets;-;category:security;
config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable!space!incoming!space!ICMP!space!redirect!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable!space!timestamps;-;category:security;
config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable!space!IP!space!source!space!routing;-;category:security;
config-data=sysctl;net.inet.ip.check_interface;1;1;Verify!space!that!space!a!space!packet!space!arrived!space!on!space!the!space!right!space!interface;-;category:security;
config-data=sysctl;net.inet.ip.forwarding;0;1;Do!space!not!space!allow!space!forwarding!space!of!space!traffic;-;category:security;
config-data=sysctl;net.inet.ip.process_options;0;1;Ignore!space!any!space!IP!space!options!space!in!space!the!space!incoming!space!packets;-;category:security;
config-data=sysctl;net.inet.ip.random_id;1;1;Use!space!a!space!random!space!IP!space!id!space!to!space!each!space!packet!space!leaving!space!the!space!system;-;category:security;
config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore!space!ICMP!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable!space!IP!space!source!space!routing;-;category:security;
config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore!space!ICMP!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.inet.tcp.blackhole;2;1;Do!space!not!space!sent!space!RST!space!but!space!drop!space!traffic!space!when!space!delivered!space!to!space!closed!space!TCP!space!port;-;category:security;
config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN!space!packets!space!will!space!be!space!dropped!space!on!space!initial!space!connection;-;category:security;
config-data=sysctl;net.inet.udp.blackhole;1;1;Do!space!not!space!sent!space!RST!space!but!space!drop!space!traffic!space!when!space!delivered!space!to!space!closed!space!UDP!space!port;-;category:security;
config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable!space!incoming!space!ICMP!space!redirect!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do!space!not!space!allow!space!forwarding!space!of!space!traffic;-;category:security;
config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable!space!filtering;-;category:security;
config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable!space!sending!space!ICMP!space!redirect!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore!space!ICMP!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable!space!IP!space!source!space!routing;-;category:security;
config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do!space!not!space!relay!space!BOOTP!space!packets;-;category:security;
config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable!space!IP!space!source!space!routing;-;category:security;
config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log!space!all!space!packages!space!for!space!which!space!the!space!host!space!does!space!not!space!have!space!a!space!path!space!back!space!to!space!the!space!source;-;category:security;
config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable!space!IP!space!source!space!routing;-;category:security;
config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do!space!not!space!relay!space!ARP!space!packets;-;category:security;
config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce!space!ingress/egress!space!filtering!space!for!space!packets;-;category:security;
config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore!space!ICMP!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore!space!ICMP!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable!space!IP!space!source!space!routing;-;category:security;
config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log!space!all!space!packages!space!for!space!which!space!the!space!host!space!does!space!not!space!have!space!a!space!path!space!back!space!to!space!the!space!source;-;category:security;
config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore!space!ICMP!space!packets!space!directed!space!to!space!broadcast!space!address;-;category:security;
config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use!space!SYN!space!cookies!space!to!space!prevent!space!SYN!space!attack;-;category:security;
config-data=sysctl;net.ipv4.tcp_timestamps;0;1;Do!space!not!space!use!space!TCP!space!time!space!stamps;-;category:security;
config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore!space!ICMP!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore!space!ICMP!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable!space!IP!space!source!space!routing;-;category:security;
config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore!space!ICMP!space!routing!space!redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable!space!IP!space!source!space!routing;-;category:security;
config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable!space!changing!space!the!space!keymap!space!by!space!non-privileged!space!users;-;category:security;
config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged!space!processes!space!are!space!not!space!allowed!space!to!space!create!space!hard!space!links!space!to!space!files!space!which!space!are!space!owned!space!by!space!other!space!groups;-;category:security;
config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged!space!processes!space!are!space!not!space!allowed!space!to!space!create!space!hard!space!links!space!to!space!files!space!which!space!are!space!owned!space!by!space!other!space!users;-;category:security;
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
config:compliance_standards:cis,hipaa,iso27001,pci-dss:
+ ContainsString config: colors=yes
+ RETVAL=1
+ [ 2 -ne 2 ]
+ echo colors=yes
+ egrep config:
+ FIND=
+ [ !  =  ]
+ return 1
+ echo colors=yes
+ cut -d = -f1
+ OPTION=colors
+ echo colors=yes
+ sed s/!space!/ /g
+ cut -d = -f2
+ VALUE=yes
+ Debug Profile option set: colors (with value yes)
+ [ 0 -eq 1 -a 1 -gt 0 ]
+ LogText Unknown option colors (with value: yes)
+ [ ! /var/log/lynis.log =  -a 0 -eq 1 ]
+ /bin/echo -e

+ /bin/echo -e Error: found one or more errors in profile /etc/lynis/default.prf
Error: found one or more errors in profile /etc/lynis/default.prf
+ /bin/echo -e Details: Unknown option 'colors' found (with value: yes)
Details: Unknown option 'colors' found (with value: yes)
+ /bin/echo -e

+ ExitFatal
+ RemovePIDFile
+ [ ! /var/run/lynis.pid =  ]
+ [ -f /var/run/lynis.pid ]
+ rm -f /var/run/lynis.pid
+ LogText PID file removed (/var/run/lynis.pid)
+ [ ! /var/log/lynis.log =  -a 0 -eq 1 ]
+ RemoveTempFiles
+ [ !  =  ]
+ LogText No temporary files to be deleted
+ [ ! /var/log/lynis.log =  -a 0 -eq 1 ]
+ LogText Lynis ended with exit code 1.
+ [ ! /var/log/lynis.log =  -a 0 -eq 1 ]
+ [ 0 -eq 1 ]
+ exit 1

When the color=yes is omitted from /etc/lynis/default.prf we see:

Details: Unknown option 'upload' found (with value: no)

Is there perhaps a mixup in config versions or are we missing something?

[mboelen]

What is the operating system that you run the packaged version on?

[hyperized]

$ uname -a
Linux my.host.name 4.4.0-96-generic #119~14.04.1-Ubuntu SMP Wed Sep 13 08:40:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ hostnamectl
  Operating System: Ubuntu 14.04.5 LTS
            Kernel: Linux 4.4.0-96-generic
      Architecture: x86_64

$ ll `which sh`
lrwxrwxrwx 1 root root 4 Feb 19  2014 /bin/sh -> dash*

$ apt-cache policy dash
dash:
  Installed: 0.5.7-4ubuntu1
  Candidate: 0.5.7-4ubuntu1
  Version table:
 *** 0.5.7-4ubuntu1 0
        500 http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

$ bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)

[mboelen]

Do you have specific language settings?

[hyperized]

$ cat /etc/default/locale
LANG="en_US.UTF-8"

and

$ env
LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8

[mboelen]

Hmm, so nothing special with the language. Do you have this only on one system or multiple systems?

[hyperized]

@mboelen we have multiple systems with identical OS and environment (quite a homogenous environment) that all have this same issue. Is there anything I can do in terms of debugging to aid in finding the root cause of this issue?

[mboelen]

You could do actually take the following steps:

• Find the section where it throws the error (Error: found one or more errors in profile /etc/lynis/default.prf)
• Before that line, let it hexdump the setting + value

Maybe there is some weird separator in it?

[hyperized]

I replaced the = with an old style : for the following fields:

colors
upload
system-customer-name
tags

And this seemed to have completely solved the issue. I'm not entirely sure why though.

[ITPPA]

same here

$ ./lynis update check

Error: found one or more errors in profile /etc/lynis/default.prf
Details: Unknown option 'colors' found (with value: yes)

Linux 4.10.0-37-generic #41~16.04.1-Ubuntu Operating System: Ubuntu 16.04.3 LTS Kernel: Linux 4.10.0-37-generic Architecture: x86-64

fixed by @hyperized recommendations.

[devhops]

I had the same issue, also resolved by following @hyperized suggestion.

Operating System: Ubuntu 14.04.5 LTS
Kernel: Linux 3.13.0-100-generic
Architecture: x86_64

[mboelen]

Wait a second... Is it possible that there is a very old installation already on the system? That could be a combination of a manual or GitHub installation in /usr/local/lynis, together with a newer packaged version.

[cn-d]

In which file do I change = to :?

Operating System: Ubuntu 16.04.3 LTS
Kernel: 4.4.0-98-generic
Architecture: x86_64

[mboelen]

@CallumND Before doing these changes... do you have an installation in /usr/local/lynis and also installed Lynis from a package?

[cn-d]

@mboelen yes, that is correct

[hyperized]

@mboelen also can confirm we used to have a git version installed (vs package)

[mboelen]

Ok, then this is the cause. A recent and much older version might conflict each other. The remedy is simple: remove the old installation from /usr/local/lynis.