[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

lynis - security auditing tool for Unix based systems

Lynis is a good tool for automating audits. It’s in the debian repos. We’ve applied most of the changes already but there may be some more useful stuff there.

1 Like
sudo apt update
sudo apt install lynis
sudo lynis audit system
1 Like

It would be best to test this with the testing Whonix versions so it detects all of the recent changes.

1 Like

So let’s install https://packages.debian.org/buster/libpam-tmpdir by default?

https://packages.debian.org/buster/debsecan

I did not manage to gather any actionable / useful advice. If annyone has more luck on how to use this, please share.

1 Like

I’m not entirely sure how that works or how it would help. Don’t most programs just use /tmp?

Doesn’t seem to install properly for me.

1 Like

Most programs use mktemp, I think, I hope? Or some sort of API around it? The are not supposed to have their own logic of creating a temp folder. That is supposed to be abstracted and secure.

As far as I understand libpam-tmpdir attempts to make this process more secure by adding per-user temp folder separation.

It sets environment variables TMP and TEMP to /tmp/user/<userid>. These will then be private temp folders.

Not sure that is really needed but might be since systemd also has an instance PrivateTmp=true?

Examples:


user:

mktemp

/tmp/user/1000/tmp.16V0NDw304


root:

mktemp

/tmp/user/0/tmp.SWfIATj8AU


Unfortunately it seems to be incompatible with some Debian packaging tools? Perhaps since this package is rather unpopular? Examples:


dpkg-deb: building package 'pbuilder-satisfydepends-dummy' in '/tmp/satisfydepends-aptitude/pbuilder-satisfydepends-dummy.deb'.
dpkg-deb: error: failed to make temporary file (control member): No such file or directory
E: pbuilder-satisfydepends failed.

Happening during 1100_prepare-build-machine cowbuilder --create. Perhaps since environment variables user vs root do not match in chroot. Unsetting the TMP / TEMP environment variables and/or installing libpam-tmpdir in chroot does not solve this issue either.

+ /usr/lib/security-misc/apt-get-wrapper -o Acquire::http::Proxy=http://127.0.0.1:3142 -o Acquire::https::Proxy=http://127.0.0.1:3142 -o Acquire::tor::Proxy=http://127.0.0.1:3142 -o Acquire::Languages=none -o Acquire::IndexTargets::deb::Contents-deb::DefaultEnabled=false -o Acquire::Retries=3 -o Acquire::BlockDotOnion=false update
+ set -e
+ set -o pipefail
+ set -o errtrace
++ mktemp --directory
mktemp: failed to create directory via template '/tmp/user/0/tmp.XXXXXXXXXX': No such file or directory
1 Like

Ohh. That makes sense. It would be good to install that by default then.

We should contact upstream about the errors.

1 Like