CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

[Bug] Getting the same report: "Reboot of system is most likely needed" even after reboot. [KRNL-5830] #999

Closed arafatx closed 4 years ago

arafatx commented 4 years ago

Operating System: CentOS 8
Lynis version: Lynis 3.0.1 (up to date)

I have rebooted my server several times to test this issue.

So, when I run the test again, I still get the following false test result:

[root@earth lynis]# ./lynis show details KRNL-5830
2020-07-30 06:42:06 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2020-07-30 06:42:06 Test: Checking presence /var/run/reboot-required.pkgs
2020-07-30 06:42:06 Result: file /var/run/reboot-required.pkgs not found
2020-07-30 06:42:06 Result: /boot exists, performing more tests from here
2020-07-30 06:42:06 Result: found /boot/vmlinuz-0-rescue-58e0c7439b3e41b9914f9f968ebc39b1
2020-07-30 06:42:06 Result: version derived from file name is '0-rescue-58e0c7439b3e41b9914f9f968ebc39b1'
2020-07-30 06:42:06 Result: found version 0-rescue-58e0c7439b3e41b9914f9f968ebc39b1
2020-07-30 06:42:06 Result: active kernel version 4.18.0-193.6.3.el8_2.x86_64
2020-07-30 06:42:06 Result: reboot needed, as there is a difference between active kernel and the one on disk
2020-07-30 06:42:06 Result: /var/cache/apt/archives/ does not exist
2020-07-30 06:42:06 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2020-07-30 06:42:06 Hardening: assigned partial number of hardening points (0 of 5). Currently having 14 points (out of 21)
2020-07-30 06:42:06 Security check: file is normal
2020-07-30 06:42:06 Checking permissions of /usr/local/lynis/include/tests_memory_processes
2020-07-30 06:42:06 File permissions are OK
2020-07-30 06:42:06 ====

It seems like the test is comparing the real kernel with the rescue kernel, and of course they are different. Maybe because the non-rescue kernel count is 1? I made a script that always cleans up the old kernel, so it always becomes 1.

List of installed kernels:

$ dnf list installed kernel

Installed Packages
kernel.x86_64                                                                                            4.18.0-193.6.3.el8_2 

Using the following script returns "There is nothing to do!":

#!/bin/bash

# Newest installed kernel package (rpm -q --last lists the newest first)
LAST_KERNEL=$(rpm -q --last kernel | perl -pe 's/^kernel-(\S+).*/$1/' | head -1)
# Currently running kernel
CURRENT_KERNEL=$(uname -r)

# Quote both operands so the test does not break if either value is empty
if [ "$LAST_KERNEL" != "$CURRENT_KERNEL" ]
then
    echo "It is time to Reboot!"
else
    echo "There is nothing to do!"
fi
arafatx commented 4 years ago

OK, this is getting weirder. I removed the rescue kernel (/boot/vmlinuz-0-rescue-58e0c7439b3e41b9914f9f968ebc39b1):

$ rm -rf /boot/vmlinuz-0-rescue-58e0c7439b3e41b9914f9f968ebc39b1
$ grubby --remove-kernel=/boot/vmlinuz-0-rescue-58e0c7439b3e41b9914f9f968ebc39b1
$ reboot

Then I ran the test again.

lynis still shows the same output, and the weirdest part is that it still finds the rescue kernel in /boot, which doesn't exist at all any more:

[root@earth lynis]# ./lynis show details KRNL-5830
2020-07-30 06:42:06 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2020-07-30 06:42:06 Test: Checking presence /var/run/reboot-required.pkgs
2020-07-30 06:42:06 Result: file /var/run/reboot-required.pkgs not found
2020-07-30 06:42:06 Result: /boot exists, performing more tests from here
2020-07-30 06:42:06 Result: found /boot/vmlinuz-0-rescue-58e0c7439b3e41b9914f9f968ebc39b1
2020-07-30 06:42:06 Result: version derived from file name is '0-rescue-58e0c7439b3e41b9914f9f968ebc39b1'
2020-07-30 06:42:06 Result: found version 0-rescue-58e0c7439b3e41b9914f9f968ebc39b1
2020-07-30 06:42:06 Result: active kernel version 4.18.0-193.6.3.el8_2.x86_64
2020-07-30 06:42:06 Result: reboot needed, as there is a difference between active kernel and the one on disk
2020-07-30 06:42:06 Result: /var/cache/apt/archives/ does not exist
2020-07-30 06:42:06 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2020-07-30 06:42:06 Hardening: assigned partial number of hardening points (0 of 5). Currently having 14 points (out of 21)
2020-07-30 06:42:06 Security check: file is normal
2020-07-30 06:42:06 Checking permissions of /usr/local/lynis/include/tests_memory_processes
2020-07-30 06:42:06 File permissions are OK
2020-07-30 06:42:06 ====
[root@earth lynis]#

Based on the timestamps in the output, it seems like the result was cached from the previous test. How do I clear this up and run a new test?

EDIT: I ran a test like this:

./lynis --test KRNL-5830

The result was "no reboot required".

Then I think the above command cleared the previous cache used by 'show details':

./lynis show details KRNL-5830

and the result is also "no reboot required":

[root@earth lynis]# ./lynis show details KRNL-5830
2020-07-30 08:20:31 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2020-07-30 08:20:31 Test: Checking presence /var/run/reboot-required.pkgs
2020-07-30 08:20:31 Result: file /var/run/reboot-required.pkgs not found
2020-07-30 08:20:31 Result: /boot exists, performing more tests from here
2020-07-30 08:20:31 Result: found /boot/vmlinuz-4.18.0-193.6.3.el8_2.x86_64
2020-07-30 08:20:31 Result: version derived from file name is '4.18.0-193.6.3.el8_2.x86_64'
2020-07-30 08:20:31 Result: found version 4.18.0-193.6.3.el8_2.x86_64
2020-07-30 08:20:31 Result: active kernel version 4.18.0-193.6.3.el8_2.x86_64
2020-07-30 08:20:31 Result: no reboot needed, active kernel is the same version as the one on disk
2020-07-30 08:20:31 Result: /var/cache/apt/archives/ does not exist
2020-07-30 08:20:31 Hardening: assigned maximum number of hardening points for this item (5). Currently having 5 points (out of 5)
2020-07-30 08:20:31 Security check: file is normal
2020-07-30 08:20:31 Checking permissions of /usr/local/lynis/include/tests_memory_processes
2020-07-30 08:20:31 File permissions are OK
2020-07-30 08:20:31 ====

This is OK once I have removed the rescue kernel.

Edit: about the cached result, I found documentation hidden in the program about the usage of lynis show details:

This command needs a test ID (e.g. CORE-1000) to search for. This command is used after a scan (lynis audit system). Run 'lynis show tests' to see all available tests

github-actions[bot] commented 4 years ago

Stale issue message

Varbin commented 4 years ago

I can reproduce this on CentOS 8.

daniejstriata commented 4 years ago

I get the latest installed version with this and check if I need a reboot (RHEL and Debian specific):

#!/bin/bash
# Variables the snippet relies on, defined here so it runs stand-alone
# (assumed: _uname is the kernel name, _unamer the running kernel release)
_uname=$(uname -s)
_unamer=$(uname -r)
_bold=$(tput bold 2>/dev/null)
_normal=$(tput sgr0 2>/dev/null)

if [[ $(find /boot/ -maxdepth 1 -name 'vmlinuz*' -print -quit) ]]; then
    if [[ -e /bin/yum || -e /usr/bin/yum ]]; then
        # RHEL: drop the .x86_64 suffix before version sorting, then add it back
        _installed_kernel=$(ls -t /boot/vmlinuz-* | sed "s/\/boot\/vmlinuz-//g" | grep -v rescue | sed 's/\.x86_64//' | sort -Vr | head -n1).x86_64
    elif [[ -e /usr/bin/apt ]]; then
        _installed_kernel=$(ls -t /boot/vmlinuz-* | sed "s/\/boot\/vmlinuz-//g" | grep -v rescue | sed 's/\.x86_64//' | sort -Vr | head -n1)
    fi
    # Quote the right-hand side so [[ ]] compares strings instead of glob-matching
    if [[ $_installed_kernel == "$_unamer" ]]; then
        echo "${_bold}Reboot is not required${_normal}. There is not a newer Kernel to activate."
        echo "Kernel is $_uname $_unamer"
        echo ""
    else
        echo "${_bold}Reboot is required${_normal} to activate a newer Kernel."
        echo "Active Kernel is ${_bold}$_uname $_unamer${_normal} but the latest installed Kernel is ${_bold}$_installed_kernel${_normal}."
        echo ""
    fi
else
    echo "This is a container. Check the host if the current kernel being used is the latest one."
    echo ""
fi

5.8.5-1.el7.elrepo.x86_64

sort -Vr sorts the versions in reverse and I get the top entry with head -n1. Now I know what the latest installed version is and compare that with the output from uname -r.

If there is no underscore, the .el7.x86_64 suffix is recognized as a file extension and gets in the way of getting the correct latest version. So I cut it off and add it back, but only for RHEL OS.

arafatx commented 4 years ago

So, in brief, I just need to remove the rescue kernel (manually) and then it will work. This is a bug: it shouldn't compare the real kernel with the rescue kernel, as the two kernels are different. I think I will put this test temporarily in the ignore list.

neilsmith commented 4 years ago

Just a +1 on this issue, really - just hit the same thing on a freshly-installed CentOS 8.2 machine:

2020-10-21 11:22:21 Performing test ID KRNL-5830 (Checking if system is running on the latest installed kernel)
2020-10-21 11:22:21 Test: Checking presence /var/run/reboot-required.pkgs
2020-10-21 11:22:21 Result: file /var/run/reboot-required.pkgs not found
2020-10-21 11:22:21 Result: /boot exists, performing more tests from here
2020-10-21 11:22:21 Result: found /boot/vmlinuz-0-rescue-5bdc759c116846e1b76e7e5dd4d472c4
2020-10-21 11:22:21 Result: version derived from file name is '0-rescue-5bdc759c116846e1b76e7e5dd4d472c4'
2020-10-21 11:22:21 Result: found version 0-rescue-5bdc759c116846e1b76e7e5dd4d472c4
2020-10-21 11:22:21 Result: active kernel version 4.18.0-193.19.1.el8_2.x86_64
2020-10-21 11:22:21 Result: reboot needed, as there is a difference between active kernel and the one on disk
2020-10-21 11:22:21 Result: /var/cache/apt/archives/ does not exist
2020-10-21 11:22:21 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
2020-10-21 11:22:21 Hardening: assigned partial number of hardening points (0 of 5). Currently having 12 points (out of 21)
2020-10-21 11:22:21 Security check: file is normal
2020-10-21 11:22:21 Checking permissions of /usr/share/lynis/include/tests_memory_processes
2020-10-21 11:22:21 File permissions are OK
2020-10-21 11:22:21 ====
mboelen commented 4 years ago

Thanks, now it makes sense. The rescue kernel is created after the normal one, which is why it is selected instead of the normal kernel. Commit https://github.com/CISOfy/lynis/commit/71c474f4550667c055691421bf4241d5fbc53ab3 has an improvement that ignores the rescue kernel and will be part of the next release.
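
The kernel-selection logic discussed in this thread (daniejstriata's sort -V approach above and mboelen's explanation that the rescue image wins when the newest file is chosen because it is created last), as an added example written for this page; it is neither Lynis's own code nor any commenter's. The directory is a parameter so the logic can be exercised offline against a constructed /boot-like directory; the version strings and the machine-id in the rescue file name are the ones from the reports above, and the function names (`latest_installed_kernel`, `reboot_needed`, `make_sample_boot`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Lynis code: find the newest installed kernel under a
# /boot-like directory while ignoring rescue images, then compare it with
# the running kernel.

# Print the highest non-rescue kernel version found as vmlinuz-<version>
# in the given directory (default /boot). CentOS/RHEL name rescue images
# vmlinuz-0-rescue-<machine-id>; they are filtered by name and the rest is
# ordered by version (sort -V), never by modification time, so the most
# recently written file does not win the way it did in the reports above.
latest_installed_kernel() {
    dir="${1:-/boot}"
    for f in "$dir"/vmlinuz-*; do
        [ -f "$f" ] || continue          # unmatched glob stays literal: skip it
        v="${f##*/vmlinuz-}"             # strip the path and the vmlinuz- prefix
        case "$v" in
            *rescue*) continue ;;        # same exclusion as "grep -v rescue"
        esac
        printf '%s\n' "$v"
    done | sort -V | tail -n 1
}

# Compare the newest installed kernel with the active one.
# Prints "reboot", "ok", or "unknown" (no kernel image found, e.g. inside
# a container where /boot is empty) and always returns 0.
reboot_needed() {
    dir="${1:-/boot}"
    active="${2:-$(uname -r)}"
    latest="$(latest_installed_kernel "$dir")"
    if [ -z "$latest" ]; then
        echo "unknown"
    elif [ "$latest" = "$active" ]; then
        echo "ok"
    else
        echo "reboot"
    fi
}

# Constructed sample /boot mirroring the thread: two real kernels plus a
# rescue image (machine-id taken from the report) written last.
make_sample_boot() {
    dir="$1"
    mkdir -p "$dir"
    touch "$dir/vmlinuz-4.18.0-193.6.3.el8_2.x86_64"
    touch "$dir/vmlinuz-4.18.0-193.19.1.el8_2.x86_64"
    touch "$dir/vmlinuz-0-rescue-58e0c7439b3e41b9914f9f968ebc39b1"
}

# Usage: sh reboot_check.sh --demo   (constructed directory)
#        sh reboot_check.sh          (prints nothing; source it and call reboot_needed)
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"
    make_sample_boot "$tmp"
    echo "latest installed: $(latest_installed_kernel "$tmp")"
    echo "verdict when running 4.18.0-193.6.3.el8_2.x86_64: $(reboot_needed "$tmp" 4.18.0-193.6.3.el8_2.x86_64)"
    rm -rf "$tmp"
fi
```

Filtering by name rather than by age is the whole fix: with the rescue image present, the newest file in /boot is the rescue one, but the highest version string is still the real kernel, so the verdict only flips to "reboot" when a genuinely newer kernel package has been installed.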

bluegroper commented 4 years ago

Getting same error on freshly installed and updated CentOS 8.2. Looking forward to the lynis update. Meanwhile, I'll ignore the erroneous warning. Thanks for the heads-up.