
False positives on NixOS

Open poperigby opened this issue 1 year ago • 3 comments

Describe the bug

I've noticed multiple false positives when running sudo lynis audit system on NixOS:

  • Auditd log file is defined but can not be found on disk: /var/log/audit/audit.log exists
  • https://cisofy.com/lynis/controls/NETW-3200/: I've blacklisted dccp, sctp, rds, and tipc

Version

  • Distribution: NixOS Unstable
  • Lynis version: 3.1.1

Expected behavior

These false positives don't happen.

poperigby, Sep 17 '24 01:09

Can you be more specific, so that we can troubleshoot these issues? Let's start with the first one (the audit log). Please include the test number and the output of lynis.log for that particular test.

Good to know: Lynis 3.1.2 was released yesterday and fixes a lot of items, possibly including the NETW-3200.

mboelen, Sep 27 '24 07:09

@mboelen Sorry about the wait. I just updated to Lynis 3.1.2 and did a new system audit.

The test number for the first false positive is ACCT-9634, and the output of lynis.log for that test is:

2024-10-01 22:14:23 Performing test ID ACCT-9634 (Check for auditd log file)
2024-10-01 22:14:23 Test: Checking auditd log file
2024-10-01 22:14:23 Result: no log file found
2024-10-01 22:14:23 Warning: Auditd log file is defined but can not be found on disk [test:ACCT-9634] [details:-] [solution:-]

The output for NETW-3200 is:

2024-10-01 22:14:13 Performing test ID NETW-3200 (Determine available network protocols)
2024-10-01 22:14:13 Test: checking the status of some network protocols that typically are not used
2024-10-01 22:14:13 Test: now checking module 'dccp'
2024-10-01 22:14:13 Suggestion: Determine if protocol 'dccp' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-10-01 22:14:13 Test: now checking module 'sctp'
2024-10-01 22:14:13 Suggestion: Determine if protocol 'sctp' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-10-01 22:14:13 Test: now checking module 'rds'
2024-10-01 22:14:13 Suggestion: Determine if protocol 'rds' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-10-01 22:14:13 Test: now checking module 'tipc'
2024-10-01 22:14:13 Suggestion: Determine if protocol 'tipc' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-10-01 22:14:13 Security check: file is normal
2024-10-01 22:14:13 Checking permissions of /nix/store/5a8gviinkkklfi206nkxyp7bk7jx451s-lynis-3.1.2/share/lynis/include/tests_printers_spoolers
2024-10-01 22:14:13 File permissions are OK

poperigby, Oct 02 '24 05:10

The issue with the auditd log file is not NixOS specific. I assume your auditd configuration file simply does not set log_file. That is fine for auditd, which will then use the default location /var/log/audit/audit.log.

However, lynis extracts the log file location from the auditd configuration file and claims the log file is missing if log_file is not found there.

I have created PR https://github.com/CISOfy/lynis/pull/1594 to fix this.

pSub, Jan 17 '25 22:01
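To illustrate the cause pSub describes, here is an added shell example (not Lynis's or auditd's code, and not the change in PR #1594): it reads log_file from a constructed auditd.conf, shows a strict check that reports MISSING whenever the key is absent, and a corrected check that falls back to auditd's default path /var/log/audit/audit.log before testing for the file.

```shell
#!/bin/sh
# Added example, not Lynis or auditd code: why ACCT-9634 fires when
# auditd.conf omits log_file, and the default-path fallback that avoids it.
# auditd's built-in default log location (used when log_file is not set).
AUDITD_DEFAULT_LOG="/var/log/audit/audit.log"

# Print the log_file value from an auditd.conf ("key = value" lines,
# comments ignored); prints nothing when the key is absent.
auditd_configured_log_file() {
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Resolve the effective log path: the explicit value, else auditd's default.
auditd_effective_log_file() {
    path=$(auditd_configured_log_file "$1")
    [ -n "$path" ] || path="$AUDITD_DEFAULT_LOG"
    printf '%s\n' "$path"
}

# Behaviour reported in the issue: an absent key is treated as "no log file".
auditd_log_check_strict() {
    path=$(auditd_configured_log_file "$1")
    if [ -n "$path" ] && [ -f "$path" ]; then echo FOUND; else echo MISSING; fi
}

# Corrected behaviour: only report MISSING when the effective path is absent.
auditd_log_check_fixed() {
    if [ -f "$(auditd_effective_log_file "$1")" ]; then echo FOUND; else echo MISSING; fi
}

# Constructed sample inputs, written to a temp dir so the example runs offline.
EX_DIR=$(mktemp -d); trap 'rm -rf "$EX_DIR"' EXIT
: > "$EX_DIR/custom.log"   # a log file that exists
printf 'log_file = %s\nlog_format = ENRICHED\n' "$EX_DIR/custom.log" > "$EX_DIR/explicit.conf"
printf 'log_file = %s\n' "$EX_DIR/absent.log" > "$EX_DIR/broken.conf"
printf '# log_file omitted: auditd falls back to its default\nlog_format = ENRICHED\n' > "$EX_DIR/nokey.conf"

echo "explicit: strict=$(auditd_log_check_strict "$EX_DIR/explicit.conf") fixed=$(auditd_log_check_fixed "$EX_DIR/explicit.conf")"
echo "broken:   strict=$(auditd_log_check_strict "$EX_DIR/broken.conf") fixed=$(auditd_log_check_fixed "$EX_DIR/broken.conf")"
echo "nokey:    strict=$(auditd_log_check_strict "$EX_DIR/nokey.conf") fixed=$(auditd_log_check_fixed "$EX_DIR/nokey.conf") (checked $(auditd_effective_log_file "$EX_DIR/nokey.conf"))"
```

On a host where auditd runs with defaults, the nokey line is where the strict check says MISSING while the fixed one finds the file under /var/log/audit.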