lynis modifies file owner and group

Open AWHubGit opened this issue 2 years ago • 8 comments

I have two different installations with Arch Linux x86_64 5.16.10-arch1-1. On both, Homebrew for Linux is installed with the default setup (homebrew-on-linux). I first tested one Arch Linux with lynis 3.0.7, "sudo lynis audit system". After that, brew didn't work anymore: fatal error. I then tested the second Arch with lynis. Brew also threw "fatal error" afterwards.

Lynis modified/altered owners/groups on dirs and files in path /home/linuxbrew/.linuxbrew.

Why this? Is this wanted?

AWHubGit avatar Feb 21 '22 08:02 AWHubGit

Lynis is an audit tool that only reviews the system and does not apply changes. One possibility is that Brew is making those changes when it is being executed.

To see if this is the case, I suggest the following:

  • Restore the permissions
  • Run Brew as root (using sudo) and query the installed packages
  • See if that changes the permissions as well

mboelen avatar Feb 21 '22 08:02 mboelen

Brew can't be, shouldn't be run as root:

    sudo brew
    [sudo] Passwort .....:
    Error: Running Homebrew as root is extremely dangerous and no longer supported.
    As Homebrew does not drop privileges on installation you would be giving all build scripts full access to your system.

Find it out yourself: install Arch Linux and install Brew for Linux as per defaults. Then install lynis and run it.

On both Arch Linux systems I have with brew for Linux, brew didn't run anymore after running lynis with sudo, due to permissions in path /home/linuxbrew/.linuxbrew being changed to root.

AWHubGit avatar Feb 23 '22 07:02 AWHubGit

I have no Arch Linux installed, so can't test that. If you disable the related brew test (most likely that is PKGS-7303) in your custom.prf (skip-test=PKGS-7303), does it then keep working?

mboelen avatar Feb 23 '22 12:02 mboelen

Hi @AWHubGit - Did you get the chance to test?

mboelen avatar Feb 28 '22 18:02 mboelen

I didn't test with skip-test=PKGS-7303 yet. I created an archive with lynis logs inside (lynis_logs). Rapidly parsing the logs, I saw that lynis seems to harden:

    2022-02-26 11:53:47 Hardening strength: System has been hardened, but could use additional hardening

Does this change owners/permissions? SELinux is a hardened fs but not officially supported by Arch Linux.

AWHubGit avatar Feb 28 '22 19:02 AWHubGit

Lynis does not harden anything (on purpose). Please first disable the test and see if that makes any difference when it comes to the file permissions.

mboelen avatar Mar 23 '22 18:03 mboelen

@mboelen @AWHubGit I couldn't replicate the behaviour described using an archlinux:latest Docker container. These are the commands that I executed:

    ls -la /home/linuxbrew/.linuxbrew/
    /home/linuxbrew/.linuxbrew/Homebrew/bin/brew install hello
    cp /etc/lynis/default.prf /etc/lynis/custom.prf
    vim /etc/lynis/custom.prf
    grep skip-test /etc/lynis/custom.prf
    ls -la /home/linuxbrew/.linuxbrew/
    lynis audit system
    ls -la /home/linuxbrew/.linuxbrew/
    lynis audit system --profile /etc/lynis/custom.prf
    ls -la /home/linuxbrew/.linuxbrew/
    /home/linuxbrew/.linuxbrew/Homebrew/bin/brew install bzip2
    lynis audit system
    /home/linuxbrew/.linuxbrew/Homebrew/bin/brew install zlib

brew kept executing without errors.

xnoguer avatar Jun 02 '23 13:06 xnoguer

@mboelen @AWHubGit I've now tried to replicate the behaviour in an archlinux:latest Docker container, but with a user other than root (root is the default user for the container). These are the commands that I executed:

    useradd --create-home xnoguer
    passwd xnoguer
    vim /etc/sudoers
    su - xnoguer

    id
    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
    /home/linuxbrew/.linuxbrew/Homebrew/bin/brew install hello
    ls -la /home/linuxbrew/.linuxbrew/Homebrew
    pwd
    lynis audit system
    sudo ls -la /usr/share/lynis/include/consts
    sudo ls -la /usr/share/lynis/include/
    sudo chmod 644 /usr/share/lynis/include/*
    lynis audit system
    pwd
    /home/linuxbrew/.linuxbrew/Homebrew/bin/brew install bzip2
    ls -la /home/linuxbrew/.linuxbrew/Homebrew

brew kept executing without errors.

A few comments:

  • The first execution of brew install did ask for the user's password (user xnoguer) in order to execute several commands as sudo.
  • I had to execute chmod in order to address the problem reported in issue #1383. Otherwise I can't execute lynis audit system as a non-privileged user.

xnoguer avatar Jun 02 '23 14:06 xnoguer
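
Added example, not part of the thread and not Lynis or Homebrew code: the before/after `ls -la` comparison used in the reproduction attempts above only shows the top level of the tree, so this sketch records owner, group and mode for every path under a directory, runs a command, and reports any line that changed. The function names `snapshot_owners` and `check_drift` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect owner/group/mode drift under a directory tree
# caused by running a command (e.g. `sudo lynis audit system`).

# snapshot_owners DIR
# Print "path owner:group mode" for DIR and everything below it, sorted.
# Symlinks are recorded as links (neither find nor stat follows them here).
snapshot_owners() {
    find "$1" -exec stat -c '%n %U:%G %a' {} + 2>/dev/null | sort
}

# check_drift DIR COMMAND [ARGS...]
# Snapshot DIR, run COMMAND, snapshot again, print the differing lines.
# Returns 0 when nothing changed, non-zero when ownership or mode drifted.
check_drift() {
    dir=$1
    shift
    before=$(mktemp)
    after=$(mktemp)
    snapshot_owners "$dir" > "$before"
    # The exit status of the audited command is not what is being measured.
    "$@" > /dev/null 2>&1 || true
    snapshot_owners "$dir" > "$after"
    rc=0
    diff "$before" "$after" || rc=$?
    rm -f "$before" "$after"
    return "$rc"
}

# Stand-alone use: ./drift.sh /home/linuxbrew/.linuxbrew sudo lynis audit system
if [ "$#" -ge 2 ]; then
    check_drift "$@"
fi
```

Lines prefixed with `<` in the output are the state before the command and lines prefixed with `>` the state after, so a path whose owner went from the login user to root:root shows up as one such pair.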