CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0
13.16k stars 1.47k forks

lynis hangs when docker socket is exposed to network #643

Closed SuperSandro2000 closed 5 years ago

SuperSandro2000 commented 5 years ago

Describe the bug

When a docker socket is exposed as explained here, Lynis hangs on checking docker containers and never finishes.

Version

Expected behavior

To not hang.

Output

2019-02-17 03:52:34 Checking permissions of /usr/share/lynis/include/tests_virtualization
2019-02-17 03:52:34 File permissions are OK
2019-02-17 03:52:34 ===---------------------------------------------------------------===
2019-02-17 03:52:34 Action: Performing tests from category: Virtualization
2019-02-17 03:52:34 Checking permissions of /usr/share/lynis/include/tests_containers
2019-02-17 03:52:34 File permissions are OK
2019-02-17 03:52:34 ===---------------------------------------------------------------===
2019-02-17 03:52:34 Action: Performing tests from category: Containers
2019-02-17 03:52:34 ===---------------------------------------------------------------===
2019-02-17 03:52:34 Skipped test CONT-8004 (Query running Solaris zones)
2019-02-17 03:52:34 Reason to skip: Incorrect guest OS (Solaris only)
2019-02-17 03:52:34 ===---------------------------------------------------------------===
2019-02-17 03:52:34 Performing test ID CONT-8102 (Checking Docker status and information)
2019-02-17 03:52:34 IsRunning: process 'dockerd' found (1204 )
2019-02-17 03:52:34 Result: found Docker daemon running
2019-02-17 03:52:34 ===---------------------------------------------------------------===
2019-02-17 03:52:34 Performing test ID CONT-8104 (Checking Docker info for any warnings)
2019-02-17 03:52:34 Test: Check for any warnings

Additional context

docker 18.09.2

mboelen commented 5 years ago

Is it also hanging when you manually run docker version?

SuperSandro2000 commented 5 years ago

No, it doesn't hang when I run docker version, but I have aliased the docker command. It actually runs docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=server:2376

mboelen commented 5 years ago

Looks like it hangs on the line below, as the line before is the last part of your log. Is that part of the log complete or is there more? https://github.com/CISOfy/lynis/blob/672677bae1bd2fa2392d2afcb7e204662516679a/include/tests_containers#L105

If you unalias it and run it, does it then hang?

SuperSandro2000 commented 5 years ago

2019-02-26 22:27:14 Checking permissions of /usr/share/lynis/include/tests_virtualization
2019-02-26 22:27:14 File permissions are OK
2019-02-26 22:27:14 ===---------------------------------------------------------------===
2019-02-26 22:27:14 Action: Performing tests from category: Virtualization
2019-02-26 22:27:14 Checking permissions of /usr/share/lynis/include/tests_containers
2019-02-26 22:27:14 File permissions are OK
2019-02-26 22:27:14 ===---------------------------------------------------------------===
2019-02-26 22:27:14 Action: Performing tests from category: Containers
2019-02-26 22:27:14 ===---------------------------------------------------------------===
2019-02-26 22:27:14 Skipped test CONT-8004 (Query running Solaris zones)
2019-02-26 22:27:14 Reason to skip: Incorrect guest OS (Solaris only)
2019-02-26 22:27:14 ===---------------------------------------------------------------===
2019-02-26 22:27:14 Performing test ID CONT-8102 (Checking Docker status and information)
2019-02-26 22:27:14 IsRunning: process 'dockerd' found (1200 )
2019-02-26 22:27:14 Result: found Docker daemon running
2019-02-26 22:27:14 ===---------------------------------------------------------------===
2019-02-26 22:27:14 Performing test ID CONT-8104 (Checking Docker info for any warnings)
2019-02-26 22:27:14 Test: Check for any warnings

basically the same as above

2019-02-26 22:28:09 PID file removed (/var/run/lynis.pid)
2019-02-26 22:28:09 Temporary files:  /tmp/lynis.cVXdeKYOis /tmp/lynis.PN0zNpf5kD /tmp/lynis.ZbO1SiGbzq /tmp/lynis.30pQAWOuSn
2019-02-26 22:28:09 Action: removing temporary file /tmp/lynis.cVXdeKYOis
2019-02-26 22:28:09 Info: temporary file /tmp/lynis.PN0zNpf5kD was already removed
2019-02-26 22:28:09 Info: temporary file /tmp/lynis.ZbO1SiGbzq was already removed
2019-02-26 22:28:09 Action: removing temporary file /tmp/lynis.30pQAWOuSn
2019-02-26 22:28:09 PID file not found (/var/run/lynis.pid)
2019-02-26 22:28:09 Temporary files:  /tmp/lynis.cVXdeKYOis /tmp/lynis.PN0zNpf5kD /tmp/lynis.ZbO1SiGbzq /tmp/lynis.30pQAWOuSn
2019-02-26 22:28:09 Info: temporary file /tmp/lynis.cVXdeKYOis was already removed
2019-02-26 22:28:09 Info: temporary file /tmp/lynis.PN0zNpf5kD was already removed
2019-02-26 22:28:09 Info: temporary file /tmp/lynis.ZbO1SiGbzq was already removed
2019-02-26 22:28:09 Info: temporary file /tmp/lynis.30pQAWOuSn was already removed
2019-02-26 22:28:09 Lynis ended with exit code 1.

And that happened after I Ctrl-C'd out.

Removing the alias and relogging does nothing, because then the docker command does not work at all.

mboelen commented 5 years ago

As you are the first to report this, I think it is related to your specific configuration (Docker, terminal, or otherwise). You could run a strace and see what happens when it hangs. For now, I don't know how we can trigger the same behavior on our test systems, so can't make a change or fix without knowing the underlying cause. Will close this issue for now (to keep the list clean), but feel free to reopen if you have additional insights.

SuperSandro2000 commented 5 years ago

It is almost like you didn't even read the issue. I have a standard Ubuntu 18.10 server install with the docker socket exposed over the network. Read about it here https://docs.docker.com/engine/security/https/ . How to trigger that behavior? Get a VM, install Ubuntu and docker and expose the socket. And commenting out the docker plugin in the config does not work either.

SuperSandro2000 commented 5 years ago

And nice try. I can't reopen the issue.

mboelen commented 5 years ago

@SuperSandro2000 maintaining a positive and friendly attitude is how we all can keep the open source software world pleasant. You are using free software and in return, we truly appreciate bug reports and feedback. Let's keep it friendly.

If disabling that particular plugin does not have any effect, then most likely CONT-8104 is not the culprit. As it was the latest in your initial output, it looked like it was. I suggest having a look in the lynis.log at what the latest one is when it hangs (with CONT-8104 disabled for now), so you can pinpoint it to the right one. Also running strace might be an option to see where it hangs (on what function).
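The diagnosis above comes down to one question: does the docker client itself block when it is invoked the way an audit script invokes it, as the plain binary with no interactive shell alias? The script below is an added example, not Lynis code and not something from this thread; it assumes only a POSIX sh and GNU coreutils `timeout` (present on Ubuntu). It resolves what a script would actually execute for `docker`, then runs `docker version` under a wall-clock bound so a hang is reported as "hung" instead of blocking the caller. Connection settings come from the environment variables the docker CLI honors (DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH), which is the mechanism that works for scripts where a shell alias does not.

```shell
#!/bin/sh
# Added example (not part of Lynis). Bounds a Docker client call so a
# hang surfaces as a timeout. Assumes GNU coreutils `timeout` is present.

# probe_cmd LIMIT_SECONDS CMD [ARGS...]
# Runs CMD under a wall-clock limit and prints one word:
#   ok     - CMD exited 0 within the limit
#   hung   - the limit was hit (GNU timeout exits 124)
#   failed - CMD exited non-zero on its own
probe_cmd() {
    limit="$1"; shift
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 124 ]; then
        echo hung
    else
        echo failed
    fi
}

# resolve_binary NAME
# Prints the path a non-interactive script would execute for NAME, or
# "missing". Aliases from ~/.bashrc are never consulted here, which is why
# an alias that adds --tlsverify/-H options has no effect on what an audit
# script runs; DOCKER_HOST and the DOCKER_TLS_* variables do.
resolve_binary() {
    command -v "$1" 2>/dev/null || echo missing
}

# docker_probe LIMIT_SECONDS
# The single step that blocked in the report: run `docker version` with a
# bound. Prints ok / hung / failed, or "missing" if no docker binary is on PATH.
docker_probe() {
    limit="$1"
    if [ "$(resolve_binary docker)" = missing ]; then
        echo missing
        return 0
    fi
    probe_cmd "$limit" docker version
}

# When run directly as docker_probe.sh, report both facts with a 15 s bound.
if [ "${0##*/}" = "docker_probe.sh" ]; then
    echo "docker binary:  $(resolve_binary docker)"
    echo "docker version: $(docker_probe 15)"
fi
```

If `docker_probe` prints "hung" while the aliased interactive command returns promptly, the difference is the connection target (local socket versus the TLS endpoint in the alias), and exporting DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH before running the audit is the script-visible equivalent of the alias; if it prints "ok", the next place to look is the other Docker calls logged after CONT-8104 in lynis.log.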

SuperSandro2000 commented 5 years ago

SuperSandro2000 commented 5 years ago

And my configuration is not uncommon. This 1M+ pulls image https://hub.docker.com/r/pyouroboros/ouroboros has an example for my setup.

mboelen commented 5 years ago

We took an existing Ubuntu 18.04 LTS system from our lab and installed the latest version of Docker CE (18.09.3) on it.

As a quick test, I started the Docker daemon and told it to listen on the network socket. To save time, without configuring HTTPS, so skipping the TLS verification parameters.

Command: dockerd -H=0.0.0.0:2376.

I then ran Lynis (latest development version) and it works without any issues or hanging. The minor differences are Ubuntu 18.04 versus your 18.10. Then my Docker 18.09.3 versus your 18.09.2. I use a basic configuration, so no TLS configuration.

As you see in your screenshot, Docker is hanging on the 'docker version' command. So it is something related to Docker or in combination with your configuration. We simply call the command and expect it to return something.

So I can't reproduce your issue within the lab configuration that we have. Docker is hanging and Lynis is waiting on it to return. Please note that Lynis is used by many(tm) people, including many(tm) Docker installations. We never got a similar issue that it hangs on retrieving the version. So I am the first one to believe your configuration is not uncommon, but so far it seems no one got a similar issue.

What you can try: