[FILE-6430] - Wrong tests and logic on ubuntu #1578

Open
SixK opened this issue Nov 18, 2024 · 0 comments
SixK commented Nov 18, 2024

In

# Test : FILE-6430
tests and logic for FILE-6430 seem wrong.

Version

  • Distribution [Ubuntu 22.04]
  • Lynis version [master]

Expected behavior
Lynis should not attribute points to loaded modules

Verify test case
load hfs module using sudo insmod /lib/modules/6.8.0-48-generic/kernel/fs/hfs/hfs.ko or sudo modprobe hfs
verify hfs module is loaded

lsmod | grep hfs
> hfs                    77824  0

run lynis filesystems tests sudo lynis --tests-from-group filesystems --verbose --debug|grep hfs

sudo lynis --tests-from-group filesystems --verbose --debug|grep hfs
      - Module hfs not present in the kernel                  [ OK ]
[DEBUG] Module hfsplus present in the kernel
      - Module hfsplus not loaded (lsmod)                     [ OK ]
      - Module squashfs not present in the kernel             [ OK ]

Lynis returns that hfs is not present in the kernel, while the module is loaded, and the test gets 3 points attributed.

The test could be simplified to this:

FIND=$(modprobe -v -n hfs 2>/dev/null | grep -E "/hfs.ko" | tail -1)
if [ -n "${FIND}" ]; then
    echo "module loaded";
else
    echo "module not loaded";
fi

This returns "module not loaded", because modprobe returns nothing when the module is already loaded.

The fact is that the test can't differentiate between a module that exists and is loaded and a module that is not supported by the kernel.
When testing a nonexistent module, we get the same result:

FIND=$(modprobe -v -n hfszzz 2>/dev/null | grep -E "/hfszzz.ko" | tail -1)
if [ -n "${FIND}" ]; then
    echo "module loaded";
else
    echo "module not loaded";
fi

This returns "module not loaded" too.

I would suggest rather testing something like the command's return value:

  • modprobe -v -n hfs; echo $? returns the value 0
  • modprobe -v -n hfszz; echo $? returns the value 1

In this case, code could be modified with something like this:

FIND=$(modprobe -v -n hfsplus 2>/dev/null)
if [ $? -eq 0 ]; then    
    echo "module loaded";
else
    echo "module not loaded";
fi

Then the line LogText "Result: found ${FS} support in the kernel (output = ${FIND})" would return (output = ) if the module is loaded, and (output = insmod /lib/modules/6.8.0-48-generic/kernel/fs/hfs/hfs.ko) if the module is not loaded.

Neixen911 pushed a commit to Neixen911/lynis that referenced this issue Dec 13, 2024
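
The distinction the issue asks for, as an added example that is not part of the issue or of Lynis: combine the `modprobe -n -v` exit status, its dry-run output and `lsmod`, so that a loaded module is not reported the same way as a missing one. The function names, state labels and sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Lynis code. Function names and state labels are hypothetical.

# classify_module NAME MODPROBE_RC MODPROBE_OUT LSMOD_TEXT
# Pure function: decides the state from observations passed in as arguments.
classify_module() {
    name=$(printf '%s' "$1" | tr '-' '_')   # lsmod lists names with underscores
    rc=$2
    out=$3
    lsmod_text=$4

    # Check lsmod first: "modprobe -n -v" prints nothing for a loaded module,
    # so its output alone cannot show that the module is in use.
    # Exact match on column 1, so "hfsplus" is never mistaken for "hfs".
    if printf '%s\n' "$lsmod_text" |
        awk -v m="$name" '$1 == m { hit = 1 } END { exit !hit }'; then
        echo "loaded"
    elif [ "$rc" -ne 0 ]; then
        # Non-zero exit status: modprobe could not resolve the module name.
        echo "absent"
    else
        case "$out" in
            *"insmod "*) echo "available" ;;  # on disk, loadable, not loaded
            *)           echo "other" ;;      # exit 0, no insmod line, not loaded
        esac
    fi
}

# module_state NAME: gather the three observations on the live system.
module_state() {
    probe_out=$(modprobe -n -v "$1" 2>/dev/null)
    probe_rc=$?
    classify_module "$1" "$probe_rc" "$probe_out" "$(lsmod 2>/dev/null)"
}

# Constructed sample data mirroring the outputs quoted in the issue.
SAMPLE_LSMOD='Module                  Size  Used by
hfs                    77824  0'
SAMPLE_INSMOD='insmod /lib/modules/6.8.0-48-generic/kernel/fs/hfs/hfs.ko'

classify_module hfs    0 ""               "$SAMPLE_LSMOD"        # loaded
classify_module hfs    0 "$SAMPLE_INSMOD" "Module Size Used by"  # available
classify_module hfszzz 1 ""               "$SAMPLE_LSMOD"        # absent
```

Only the "absent" state corresponds to a module the kernel cannot load; "loaded" and "available" are both cases where a hardening check should not award points.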