Potential false positive on protocol detections #1510

Open
suprovsky opened this issue Jun 12, 2024 · 4 comments
Comments

@suprovsky

Describe the bug
For some reason lynis does not detect modules responsible for protocols being blacklisted.

Version

  • Ubuntu 24.04 LTS amd64
  • Lynis 3.1.2

Expected behavior
Detections marked as OK.

Output

  * Determine if protocol 'dccp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'sctp' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'rds' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'tipc' is really needed on this system [NETW-3200]
      https://cisofy.com/lynis/controls/NETW-3200/

2024-06-12 10:20:56 Performing test ID NETW-3200 (Determine available network protocols)
2024-06-12 10:20:56 Test: checking the status of some network protocols that typically are not used
2024-06-12 10:20:56 Test: now checking module 'dccp'
2024-06-12 10:20:56 Suggestion: Determine if protocol 'dccp' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-06-12 10:20:56 Test: now checking module 'sctp'
2024-06-12 10:20:56 Suggestion: Determine if protocol 'sctp' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-06-12 10:20:56 Test: now checking module 'rds'
2024-06-12 10:20:56 Suggestion: Determine if protocol 'rds' is really needed on this system [test:NETW-3200] [details:-] [solution:-]
2024-06-12 10:20:56 Test: now checking module 'tipc'
2024-06-12 10:20:56 Suggestion: Determine if protocol 'tipc' is really needed on this system [test:NETW-3200] [details:-] [solution:-]

Additional context

Attempting to load dccp module results in this:

 ⚡ root@supra  ~  modprobe dccp
modprobe: ERROR: ../libkmod/libkmod-module.c:1084 command_do() Error running install command '/bin/false' for module dccp: retcode 1
modprobe: ERROR: could not insert 'dccp': Invalid argument

my /etc/modprobe.d/unsafe-modules.conf (tried with /bin/true as an install argument, same result):

## Protocols
install dccp /bin/false
blacklist dccp
install sctp /bin/false
blacklist sctp
install rds /bin/false
blacklist rds
install tipc /bin/false
blacklist tipc
## USB Storage
install usb-storage /bin/false
blacklist usb-storage
# Filesystems
install cramfs /bin/false
blacklist cramfs
install freevxfs /bin/false
blacklist freevxfs
install hfs /bin/false
blacklist hfs
install hfsplus /bin/false
blacklist hfsplus
install jffs2 /bin/false
blacklist jffs2
install udf /bin/false
blacklist udf

I've also blacklisted these 4 modules in GRUB, with the same result. Here is my GRUB_CMDLINE_LINUX_DEFAULT:

GRUB_CMDLINE_LINUX_DEFAULT="module_blacklist=dccp,sctp,rds,tipc,usb-storage,cramfs,freevxfs,hfs,hfsplus,jffs2,udf"
@konstruktoid
Contributor

Verified.

++ '[' -f /etc/modprobe.conf ']'
++ '[' -d /etc/modprobe.d ']'
+++ /usr/bin/grep -l -s '^install \+dccp \+/bin/(true|false)$' /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/dkms.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
++ DATA=

$ /usr/bin/grep -E -l -s '^install dccp /bin/(true|false)$' and similar works:

$ /usr/bin/grep -E -s '^install dccp /bin/(true|false)$' /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/dkms.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
/etc/modprobe.d/blacklist-rare-network.conf:install dccp /bin/false

@suprovsky
Author

For modprobe, /etc/modprobe.conf and /etc/modprobe.d/*.conf are read, so lynis should read the same, not specific filenames in /etc/modprobe.d/.

@konstruktoid
Contributor

Yeah, but I(!) added \+ in 9819ac4 and that doesn't seem to work anymore.

$ /usr/bin/grep -E -l -s '^install \+dccp\s/bin/(true|false)$' /etc/modprobe.d/* | wc -l
0
$ /usr/bin/grep -E -l -s '^install dccp /bin/(true|false)$' /etc/modprobe.d/* | wc -l
1
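The regex mismatch discussed in this thread, reproduced as an added example (not Lynis code and not the commenters' commands) against a constructed modprobe.d directory in a temp dir; the helper names `bre_escaped_matches`, `ere_escaped_matches` and `module_disabled` are made up for the demonstration.

```shell
#!/bin/sh
# Added example: contrasts the three grep forms seen in this issue. The
# config directory and its contents are constructed here, not taken from a host.
set -eu
MODPROBE_D=$(mktemp -d)
trap 'rm -rf "$MODPROBE_D"' EXIT

# Constructed config in the reporter's style. The sctp line deliberately uses
# a tab and a run of spaces, which modprobe accepts, plus /bin/true.
{
  printf '## Protocols\n'
  printf 'install dccp /bin/false\n'
  printf 'blacklist dccp\n'
  printf 'install\tsctp   /bin/true\n'
  printf 'blacklist sctp\n'
  printf 'blacklist rds\n'
} > "$MODPROBE_D/unsafe-modules.conf"
# A second file that must never match.
printf 'options snd-pcsp index=-2\n' > "$MODPROBE_D/alsa-base.conf"

# Form 1 (from the -x trace): BRE with \+. GNU BRE reads \+ as "one or more",
# but "(true|false)" is literal text in BRE, so this never matches.
bre_escaped_matches() {
  grep -l -s '^install \+'"$1"' \+/bin/(true|false)$' "$MODPROBE_D"/*.conf
}
# Form 2 (the -E test above): under -E, \+ is a literal plus sign, so this
# would only match a line reading "install +dccp ...".
ere_escaped_matches() {
  grep -E -l -s '^install \+'"$1"'\s/bin/(true|false)$' "$MODPROBE_D"/*.conf
}
# Working form: ERE with a bare + and [[:blank:]], so tabs and runs of spaces
# are accepted. Prints the matching file(s); exit status 0 means "disabled".
module_disabled() {
  grep -E -l -s '^[[:blank:]]*install[[:blank:]]+'"$1"'[[:blank:]]+/bin/(true|false)[[:blank:]]*$' \
    "$MODPROBE_D"/*.conf
}

# A "blacklist" line alone only stops alias-based autoloading; an explicit
# "modprobe rds" still loads the module. That is why the check looks for the
# install-to-/bin/false line rather than the blacklist line.
for m in dccp sctp rds; do
  if module_disabled "$m" >/dev/null; then
    echo "$m: disabled via install /bin/false|true"
  else
    echo "$m: NOT disabled"
  fi
done
```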

@konstruktoid
Contributor

Will be fixed in #1503
