false negative: debsums cron job check reports OK when debsums is installed but CRON_CHECK=never
Describe the bug
PKGS-7370 checks for the existence of the `debsums` binary, and a corresponding cron job in `/etc/cron*`.
If the cron job is not properly configured, it is meant to report a suggestion "Check debsums configuration and enable checking regularly via a cron job."
Installing the `debsums` package on a Debian 11 system clears these suggestions, letting the user think that this item is correctly hardened, but in the default Debian configuration `debsums` actually never runs from cron:

```sh
$ sudo cat /etc/cron.daily/debsums
#!/bin/sh
debsums="/usr/bin/debsums"
ignorefile="/etc/debsums-ignore"
[ -x $debsums ] || exit 0
if ! [ -e "$ignorefile" ]; then
    ignorefile="/dev/null"
fi
# source our config
. /etc/default/debsums
[ "z$CRON_CHECK" = "zdaily" ] || exit 0
# See ionice(1)
if [ -x /usr/bin/ionice ] &&
    /usr/bin/ionice -c3 true 2>/dev/null; then
    IONICE="/usr/bin/ionice -c3"
fi
exec 3>&1
$IONICE $debsums -cs 2>&1 | egrep -vf "$ignorefile" | tee /proc/self/fd/3 | sed 's/^debsums: //' | logger -t debsums
# Exit with a normal status code even if errors (which could be ignored) were found
exit 0
```
Notice it sources `/etc/default/debsums` and only runs if `CRON_CHECK = daily`. The same goes for `/etc/cron.weekly/debsums` and `/etc/cron.monthly/debsums`. But the default value for `CRON_CHECK` is `never`:

```sh
$ cat /etc/default/debsums
# Defaults for debsums cron jobs
# sourced by /etc/cron.d/debsums
#
# This is a POSIX shell fragment
#
# Set this to never to disable the checksum verification or
# one of "daily", "weekly", "monthly" to enable it
CRON_CHECK=never
```
Version
- Debian 11
- 3.0.2-1
Expected behavior
The check should return a suggestion/warning instead of OK when `CRON_CHECK` is not one of daily, weekly, monthly (similar to "Check debsums configuration and enable checking regularly via a cron job.").
Output
```
$ sudo /usr/sbin/lynis audit system --profile /etc/lynis/custom.prf
...
[+] Ports and packages
------------------------------------
  - Searching package managers
    - Searching dpkg package manager                          [ FOUND ]
      - Querying package manager
    - Query unpurged packages                                 [ FOUND ]
  - debsecan utility                                          [ FOUND ]
    - debsecan cron job                                       [ FOUND ]
  - debsums utility                                           [ FOUND ]
    - Cron job for debsums                                    [ FOUND ]
$ grep CRON /etc/default/debsums
CRON_CHECK=never
```
/cc @mboelen
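The stricter logic the report asks for, written out as an added example (this is not lynis code and not the fix in pull request #1406): because Debian's `/etc/cron.{daily,weekly,monthly}/debsums` scripts source `/etc/default/debsums` and exit unless `CRON_CHECK` names their own period, a check has to read that variable and confirm the cron file for the configured period exists before it can report OK. The function and file names, the `CRON_ROOT` argument (standing in for `/etc`) and the demonstration directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not lynis or Debian code: PKGS-7370-style check that also
# honours CRON_CHECK. A cron file by itself proves nothing on Debian; the
# configured period must be daily/weekly/monthly and its job file must exist.

# debsums_cron_period CONFIG
#   Prints the CRON_CHECK value set in CONFIG (assumed to be
#   /etc/default/debsums in production), or "never" if the file is missing
#   or does not set it.
debsums_cron_period() {
    cfg="$1"
    if [ -r "$cfg" ]; then
        # Source the POSIX shell fragment in a subshell so it cannot
        # clobber our own variables; default mirrors Debian's shipped value.
        ( CRON_CHECK=never; . "$cfg"; printf '%s\n' "${CRON_CHECK:-never}" )
    else
        echo never
    fi
}

# debsums_check CRON_ROOT CONFIG
#   CRON_ROOT is the directory holding cron.daily, cron.weekly and
#   cron.monthly (/etc on a real host). Returns 0 only when CRON_CHECK selects
#   a period and the debsums job for that period exists; 1 otherwise.
debsums_check() {
    root="$1"
    cfg="$2"
    period=$(debsums_cron_period "$cfg")
    case "$period" in
        daily|weekly|monthly) [ -f "$root/cron.$period/debsums" ] ;;
        *) return 1 ;;
    esac
}

# debsums_verdict CRON_ROOT CONFIG
#   Prints the status a report line would carry: OK or SUGGESTION.
debsums_verdict() {
    if debsums_check "$1" "$2"; then
        echo OK
    else
        echo SUGGESTION
    fi
}

# Demonstration on a constructed directory tree (not the real /etc): Debian
# ships all three cron job files but CRON_CHECK=never, which must not pass.
demo=$(mktemp -d)
for p in daily weekly monthly; do
    mkdir -p "$demo/cron.$p"
    : > "$demo/cron.$p/debsums"
done
printf 'CRON_CHECK=never\n' > "$demo/default_never"
printf 'CRON_CHECK=daily\n'  > "$demo/default_daily"
echo "default Debian config: $(debsums_verdict "$demo" "$demo/default_never")"   # SUGGESTION
echo "CRON_CHECK=daily:      $(debsums_verdict "$demo" "$demo/default_daily")"   # OK
rm -rf "$demo"
```

Sourcing the file rather than grepping it keeps the check faithful to what the cron scripts themselves do, so quoted values such as `CRON_CHECK="weekly"` are handled the same way Debian handles them.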
@nodiscc Can you test whether pull request #1406 fixes this?
Thank you @xnoguer, your patch seems to fix the problem. Posted a review in https://github.com/CISOfy/lynis/pull/1406