Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positives on NixOS #1542

Open
poperigby opened this issue Sep 17, 2024 · 3 comments
Open

False positives on NixOS #1542

poperigby opened this issue Sep 17, 2024 · 3 comments
Assignees
@mboelen
Labels
information-needed

Comments

@poperigby
Copy link

Describe the bug
I've noticed multiple false positives when running sudo lynis audit system on NixOS:

Version

  • Distribution: NixOS Unstable
  • Lynis version: 3.1.1

Expected behavior
These false positives don't happen.
@mboelen
Copy link
Member

mboelen commented Sep 27, 2024

Can you be more specific, so that we can troubleshoot these issues. Let's start with the first one (the audit log). Please include test number, the output of lynis.log for that particular test.

Good to know: Lynis 3.1.2 was released yesterday and fixes a lot of items, possibly including the NETW-3200.

@mboelen mboelen self-assigned this Sep 27, 2024
@poperigby
Copy link
Author

@mboelen Sorry about the wait. I just updated to Lynis 3.1.2 and did a new system audit.

The test number for the first false positive is ACCT-9634, and the output of lynis.log for that test is:

2024-10-01 22:14:23 Performing test ID ACCT-9634 (Check for auditd log file)
2024-10-01 22:14:23 Test: Checking auditd log file
2024-10-01 22:14:23 Result: no log file found
2024-10-01 22:14:23 Warning: Auditd log file is defined but can not be found on disk [test:ACCT-9634] [details:-] [solution:-]

The output for NETW-3200 is:

2024-10-01 22:14:13 Performing test ID NETW-3200 (Determine available network protocols)
2024-10-01 22:14:13 Test: checking the status of some network protocols that typically are not used
2024-10-01 22:14:13 Test: now checking module 'dccp'
2024-10-01 22:14:13 Suggestion: Determine if protocol 'dccp' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-10-01 22:14:13 Test: now checking module 'sctp'
2024-10-01 22:14:13 Suggestion: Determine if protocol 'sctp' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-10-01 22:14:13 Test: now checking module 'rds'
2024-10-01 22:14:13 Suggestion: Determine if protocol 'rds' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-10-01 22:14:13 Test: now checking module 'tipc'
2024-10-01 22:14:13 Suggestion: Determine if protocol 'tipc' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-10-01 22:14:13 Security check: file is normal
2024-10-01 22:14:13 Checking permissions of /nix/store/5a8gviinkkklfi206nkxyp7bk7jx451s-lynis-3.1.2/share/lynis/include/tests_printers_spoolers
2024-10-01 22:14:13 File permissions are OK

@pSub
Copy link

pSub commented Jan 17, 2025

The issue with the auditd log file is not NixOS specific. I assume your auditd configuration file simply does not set log_file. Which is fine for auditd, which will use the default location /var/log/audit/audit.log.

However, lynis extracts the log file location from the auditd configuration file and claims the log file is missing in case log_file is not found.

I have created PR #1594 to fix this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mboelen mboelen

Labels
information-needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pSub @mboelen @poperigby