
Running processes not found on NixOS

Open: sbrow opened this issue 1 year ago • 1 comment

Describe the bug

Using auditd as an example, when searching for binary paths, lynis finds them in /run/current-system/sw/bin/auditd. However, this is a symlink to something like /nix/store/4c9gvbs2ixh1gfd7liasjpx1kcm74fx4-audit-2.8.5-bin/bin/auditd, and so when lynis tries to find the running process by calling ps /run/current-system/sw/bin/auditd, it can't find it because it's looking for the wrong path.

Version

  • Distribution NixOS Unstable (22.11)
  • Lynis version 3.0.8

Expected behavior

Find running binaries appropriately.

Output

If applicable, add output that you get from the tool or the related section of lynis.log

2022-08-19 22:20:30   Found known binary: auditd (audit framework) - /run/current-system/sw/bin/auditd
...
2022-08-19 22:20:58 ====
2022-08-19 22:20:58 Performing test ID ACCT-9628 (Check for auditd)
2022-08-19 22:20:58 Test: Check auditd status
2022-08-19 22:20:58 Performing pgrep scan without uid
2022-08-19 22:20:58 IsRunning: process 'auditd' not found
2022-08-19 22:20:58 Result: auditd not active
2022-08-19 22:20:58 Suggestion: Enable auditd to collect audit information [test:ACCT-9628] [details:-] [solution:-]
2022-08-19 22:20:58 Hardening: assigned partial number of hardening points (0 of 1). Currently having 110 points (out of 157)
2022-08-19 22:20:58 ====
2022-08-19 22:20:58 Skipped test ACCT-9630 (Check for auditd rules)
2022-08-19 22:20:58 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-08-19 22:20:58 ====
2022-08-19 22:20:58 Skipped test ACCT-9632 (Check for auditd configuration file)
2022-08-19 22:20:58 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-08-19 22:20:58 ====
2022-08-19 22:20:58 Skipped test ACCT-9634 (Check for auditd log file)
2022-08-19 22:20:58 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-08-19 22:20:58 ====
...

Additional context

Calling readlink -f on the binary paths before ps-ing them would solve this issue, however I do not know what kind of issues that may cause for other platforms.

sbrow avatar Aug 19 '22 22:08 sbrow

I had a look, but ps is not used; pgrep is. In this case, no full path is used, so that it is symlinked shouldn't matter.

Can you check manually by running pgrep and see what it returns? (assuming that auditd is really active)

mboelen avatar Sep 17 '22 14:09 mboelen
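To illustrate the point made above (a name-based pgrep check does not care which symlinked path launched the daemon, whereas matching on a full path does), here is an added example that is not Lynis code. It constructs a stand-in for the NixOS layout: a symlink named demo-daemon pointing at sleep, launched through the symlink; the names, the temp directory and the 30-second sleep are all assumptions of the demo.

```shell
#!/bin/sh
# Added example, not part of Lynis: compares a name-based pgrep check with
# full-path matching when the binary is reached through a symlink.

# True if a process whose name is exactly "$1" is running (path-independent,
# the same idea as a pgrep scan by process name).
is_running() {
    pgrep -x "$1" >/dev/null 2>&1
}

# True only if some process command line contains the path "$1".
is_running_by_path() {
    pgrep -f "$1" >/dev/null 2>&1
}

# Resolve a symlinked path to the real binary, as readlink -f would turn
# /run/current-system/sw/bin/auditd into the /nix/store/... target.
resolve_binary() {
    readlink -f "$1"
}

# Constructed scenario: symlink demo-daemon -> sleep, started via the symlink.
# Prints three results: match by name, by symlink path, by resolved real path.
demo() {
    tmp=$(mktemp -d)
    ln -s "$(command -v sleep)" "$tmp/demo-daemon"
    "$tmp/demo-daemon" 30 &
    pid=$!
    sleep 1   # give the background process time to start
    real=$(resolve_binary "$tmp/demo-daemon")
    is_running demo-daemon && r1=yes || r1=no
    is_running_by_path "$tmp/demo-daemon" && r2=yes || r2=no
    is_running_by_path "$real" && r3=yes || r3=no
    kill "$pid" 2>/dev/null
    rm -rf "$tmp"
    printf '%s %s %s\n' "$r1" "$r2" "$r3"   # -> yes yes no
}
```

The process name check succeeds regardless of the path, the symlink path matches only because the process was launched through it, and the resolved store path does not appear in the command line at all, which is why a full-path match is fragile on symlink-heavy systems.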

You were correct. Everything seems to work fine, and now I feel like an idiot. Sorry for wasting your time.

sbrow avatar Sep 30 '22 13:09 sbrow

No worries! Glad to see everything is working as expected :-)

mboelen avatar Oct 05 '22 18:10 mboelen