
Debug/developer scan fails on KRB-1000

Open rm-td opened this issue 10 months ago • 1 comments

Describe the bug

Latest pull from git as of today 14FEB25 fails on a debug scan.

I am actually trying to discover why Lynis fails on FINT-4315 saying aide.conf has error when setting Checksums=sha256 instead of Checksums=H but anyhow. Debug notes state to run in developer mode "lynis audit system --profile developer.prf" which stops at KRB-1000 with error as follows:

[+] Kerberos
------------------------------------
[DEBUG] Performing test ID KRB-1000 (Check for Kerberos KDC tools)
./lynis: 12: /root/lynis/include/tests_kerberos: KADMINLOCALBINARY: parameter not set

This does not occur when running a normal scan "lynis audit system" with or without a custom.prf

Version

  • Distribution Debian 12 latest stable patches, no backports or mods
  • Lynis version latest pull from Git dated 14FEB25 showing version 3.1.5

Expected behavior

Debug/developer test to complete successfully.

rm-td, Feb 14 '25 07:02

Just realised I forgot to add output. This is from running "lynis audit system --profile developer.prf" as the debug notes state. Output is normal for the first part, e.g. kernel, memory and processes, users, groups and authentication, then stops on Kerberos with output as follows:

[+] Kerberos
------------------------------------
[DEBUG] Performing test ID KRB-1000 (Check for Kerberos KDC tools)
./lynis: 12: /root/lynis/include/tests_kerberos: KADMINLOCALBINARY: parameter not set

I don't have any Kerberos principals, these aren't AD realm joined, so if I don't have the binaries installed then kadmin will not be available. I don't think the script should bork?

This doesn't happen when doing a "normal" scan, e.g. "lynis audit system", either with or without a custom.prf; it only happens on developer/debug. And the reason for needing a debug scan is linked to another ticket.

rm-td, Feb 20 '25 15:02

This seems to be a more generic problem with Lynis and not specific to KRB-1000. The developer profile sets Lynis into strict mode, which in turn sets set -u (disallow uninitialized variables).

In a Debian system (with the Debian plugin) it stops earlier with a similar failure with another variable:

[+] Debian Tests
------------------------------------
[DEBUG] Performing test ID DEB-0001 (Check for system binaries required by Debian Tests)
  - Checking for system binaries that are required by Debian Tests...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ FOUND ]
  - Authentication:
    - PAM (Pluggable Authentication Modules):
[DEBUG] Performing test ID DEB-0280 (Checking if libpam-tmpdir is installed and enabled.)
      - libpam-tmpdir                                         [ Not Installed ]
  - File System Checks:
    - DM-Crypt, Cryptsetup & Cryptmount:
/usr/sbin/lynis: 132: /usr/share/lynis/plugins/plugin_debian_phase1: LVDISPLAYBINARY: parameter not set

You can work around this issue by commenting out the strict=yes in developer.prf.

pyllyukko, Aug 08 '25 11:08
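The strict-mode failure pyllyukko describes, as an added example that is not code from the Lynis project: a test that references a variable the binary-discovery step never created runs fine by default but aborts with "parameter not set" (dash) or "unbound variable" (bash) once `set -u` is active, while the `${VAR:-}` expansion lets the same check degrade to "tool absent". `TOOLBINARY`, `check_tool_unsafe`, `check_tool_safe` and `strict_run` are hypothetical names standing in for variables like KADMINLOCALBINARY and LVDISPLAYBINARY from the reported errors.

```shell
#!/bin/sh
# Added example, not Lynis code. Demonstrates why referencing a variable that
# was never assigned is fatal under `set -u`, and the idiom that avoids it.
# TOOLBINARY is a hypothetical stand-in for a *BINARY discovery variable.

# Start from the failing state: the tool was not found, so nothing set the variable.
unset TOOLBINARY

# Unsafe pattern: a bare reference. Harmless in the default mode (unset expands
# to empty), fatal under `set -u` whenever TOOLBINARY was never assigned.
check_tool_unsafe() {
    if [ -n "$TOOLBINARY" ]; then
        echo "tool present: $TOOLBINARY"
    else
        echo "tool absent"
    fi
}

# Safe pattern: ${TOOLBINARY:-} expands to an empty string when the variable is
# unset or empty, so strict mode is satisfied and the test reports "tool absent".
check_tool_safe() {
    if [ -n "${TOOLBINARY:-}" ]; then
        echo "tool present: $TOOLBINARY"
    else
        echo "tool absent"
    fi
}

# Run a check under strict mode in a subshell and report whether the shell
# survived it. Prints "survived" or "aborted"; the check's own output is dropped.
strict_run() {
    if ( set -u; "$1" ) >/dev/null 2>&1; then
        echo "survived"
    else
        echo "aborted"
    fi
}

echo "unsafe check under set -u: $(strict_run check_tool_unsafe)"   # aborted
echo "safe check under set -u:   $(strict_run check_tool_safe)"     # survived
echo "safe check, tool found:    $(TOOLBINARY=/usr/sbin/kadmin.local; check_tool_safe)"
```

The developer profile exists precisely to surface the unsafe pattern: with `set -u` the first unguarded reference aborts the run instead of silently treating a missing tool as an empty path, which is why the normal scan passes and only the strict one stops at KRB-1000 or DEB-0001.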

Thanks for reporting. Issue has been fixed with commit https://github.com/CISOfy/lynis/commit/69c638d5735859d00725c9449a5750ca0d3715f7

Regarding the items mentioned by @pyllyukko: those are Debian-specific and not part of the project. For some reason Debian adopted several tests that were provided to the Debian package maintainer and not the upstream (this) project. Those tests are unsupported and preferably should be moved over as official tests in case they are useful for Debian and other distributions.

mboelen, Aug 08 '25 13:08