
Firewalls [x] but nftables

Open internethering opened this issue 2 years ago • 2 comments

I installed Lynis 3.1.11 and the audit says:

  Components:
  - Firewall               [X]

and:

[+] Software: Firewalls
------------------------------------
libkmod: kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory
Error: could not get list of modules: No such file or directory
  - Checking iptables kernel module                           [ NICHT GEFUNDEN ]
  - Checking iptables in config file                          [ NICHT GEFUNDEN ]
libkmod: kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory
Error: could not get list of modules: No such file or directory
  - Checking host based firewall 

this is wrong:

# nft list ruleset
table inet filter {
        chain services {
[...]

you know nftables? ;) http://nftables.org/projects/nftables/index.html

internethering avatar Apr 01 '24 20:04 internethering

What OS and version are you using? What nftables version?

Also, what is wrong? The output, the used commands within Lynis?

Although I'm sure you meant well (and included a wink), please note that the nftables project is known for changing its syntax without backwards compatibility. So most likely Lynis uses a syntax that used to work (and still does on older systems), but changed. So with the questions above we can hopefully see what goes wrong.

mboelen avatar Apr 01 '24 21:04 mboelen

What OS and version are you using? What nftables version?

Gentoo Linux (23.0 profile)

# nft -v
nftables v1.0.9 (Old Doc Yak #3)

Kernel 6.8.2-gentoo

Also, what is wrong? The output, the used commands within Lynis?

lynis audit system

Although I'm sure you meant well (and included a wink), please note that the nftables project is known for changing its syntax without backwards compatibility. So most likely Lynis uses a syntax that used to work (and still does on older systems), but changed. So with the questions above we can hopefully see what goes wrong.

ok, thanks for this hint, I tried something more:

lynis --debug --verbose --developer audit system

[...]
[+] Software: Firewalls
------------------------------------
[DEBUG] Performing test ID FIRE-4502 (Check iptables kernel module)
libkmod: kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory
Error: could not get list of modules: No such file or directory
  - Checking iptables kernel module                           [ NICHT GEFUNDEN ]
  - Checking iptables in config file                          [ NICHT GEFUNDEN ]
[DEBUG] Performing test ID FIRE-4524 (Check for CSF presence)
[DEBUG] Performing test ID FIRE-4536 (Check nftables status)
libkmod: kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory
Error: could not get list of modules: No such file or directory
[DEBUG] Performing test ID FIRE-4538 (Check nftables basic configuration)
[DEBUG] Performing test ID FIRE-4540 (Check for empty nftables configuration)
[DEBUG] Performing test ID FIRE-4590 (Check firewall status)
  - Checking host based firewall                              [ NOT ACTIVE ]
[DEBUG] Performing test ID FIRE-4594 (Check for APF presence)

Then I had a look at https://github.com/CISOfy/lynis/blob/master/include/tests_firewalls for FIRE-4538 & FIRE-4540:

# AWKBINARY=awk
# TRBINARY=tr
# NFTBINARY=nft
# NFT_VERSION=$(${NFTBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="nftables") { print $2 }}' | ${TRBINARY} -d 'v')
# echo $NFT_VERSION
1.0.9
# NFTBINARY=nft
# GREPBINARY=grep
# WCBINARY=wc
# NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
# echo $NFT_RULES_LENGTH
14

Seems like a bug in Lynis.

internethering avatar Apr 02 '24 14:04 internethering
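The rule-counting pipeline quoted from tests_firewalls above, replayed over a constructed `nft --stateless list ruleset` dump so the FIRE-4540 "empty configuration" decision can be checked offline. This is an added example, not Lynis's own code or the reporter's output; the sample chains are hypothetical.

```shell
#!/bin/sh
# Added example (not part of Lynis): mirrors the NFT_RULES_LENGTH heuristic
# from include/tests_firewalls so its behaviour can be inspected without root.

# Constructed sample ruleset (hypothetical chains, not the reporter's system).
SAMPLE_RULESET='table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                iif "lo" accept
                ct state established,related accept
                tcp dport 22 accept
        }
        chain services {
                tcp dport { 80, 443 } accept
        }
}'

# Constructed ruleset with a table but no rules at all.
EMPTY_RULESET='table inet filter {
}'

# Same filter Lynis applies: drop lines containing "table" or "chain",
# lines ending in ";" or "}", and blank lines, then count what is left.
# Note the side effect of the first two alternatives: any rule whose text
# happens to contain "table" or "chain" (e.g. in a comment) is not counted.
count_nft_rules() {
    printf '%s\n' "$1" | grep -E -v 'table|chain|;$|}$|^$' | wc -l | tr -d ' '
}

# The decision FIRE-4540 derives from that count: zero lines left == "empty".
nft_ruleset_is_empty() {
    [ "$(count_nft_rules "$1")" -eq 0 ]
}

# Live variant against the running host (needs root and the nft binary).
count_live_nft_rules() {
    count_nft_rules "$(nft --stateless list ruleset 2>/dev/null)"
}
```

Run `count_live_nft_rules` on the affected host and compare it with the value the reporter got (14) to confirm the counting stage itself is not where the check goes wrong.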