lynis - security auditing tool for Unix based systems

madaidan · June 29, 2019, 10:21am

Lynis is a good tool for automating audits. It’s in the debian repos. We’ve applied most of the changes already but there may be some more useful stuff there.

Patrick · June 29, 2019, 10:23am

sudo apt update
sudo apt install lynis
sudo lynis audit system

madaidan · June 29, 2019, 12:44pm

It would be best to test this with the testing Whonix versions so it detects all of the recent changes.

Patrick · June 29, 2019, 7:42pm

Install libpam-tmpdir to set $TMP and $TMPDIR for PAM sessions [CUST-0280]
https://your-domain.example.org/controls/CUST-0280/

So let’s install https://packages.debian.org/buster/libpam-tmpdir by default?

Install debsecan to generate lists of vulnerabilities which affect this installation. [CUST-0870]
https://your-domain.example.org/controls/CUST-0870/

https://packages.debian.org/buster/debsecan

I did not manage to gather any actionable / useful advice. If annyone has more luck on how to use this, please share.

madaidan · June 29, 2019, 9:14pm

I’m not entirely sure how that works or how it would help. Don’t most programs just use /tmp?

Doesn’t seem to install properly for me.

Patrick · June 30, 2019, 10:29am

Most programs use mktemp, I think, I hope? Or some sort of API around it? The are not supposed to have their own logic of creating a temp folder. That is supposed to be abstracted and secure.

As far as I understand libpam-tmpdir attempts to make this process more secure by adding per-user temp folder separation.

It sets environment variables TMP and TEMP to /tmp/user/<userid>. These will then be private temp folders.

Not sure that is really needed but might be since systemd also has an instance PrivateTmp=true?

Examples:

user:

mktemp

/tmp/user/1000/tmp.16V0NDw304

root:

mktemp

/tmp/user/0/tmp.SWfIATj8AU

Unfortunately it seems to be incompatible with some Debian packaging tools? Perhaps since this package is rather unpopular? Examples:

dpkg-deb: building package 'pbuilder-satisfydepends-dummy' in '/tmp/satisfydepends-aptitude/pbuilder-satisfydepends-dummy.deb'.
dpkg-deb: error: failed to make temporary file (control member): No such file or directory
E: pbuilder-satisfydepends failed.

Happening during 1100_prepare-build-machine cowbuilder --create. Perhaps since environment variables user vs root do not match in chroot. Unsetting the TMP / TEMP environment variables and/or installing libpam-tmpdir in chroot does not solve this issue either.

+ /usr/lib/security-misc/apt-get-wrapper -o Acquire::http::Proxy=http://127.0.0.1:3142 -o Acquire::https::Proxy=http://127.0.0.1:3142 -o Acquire::tor::Proxy=http://127.0.0.1:3142 -o Acquire::Languages=none -o Acquire::IndexTargets::deb::Contents-deb::DefaultEnabled=false -o Acquire::Retries=3 -o Acquire::BlockDotOnion=false update
+ set -e
+ set -o pipefail
+ set -o errtrace
++ mktemp --directory
mktemp: failed to create directory via template '/tmp/user/0/tmp.XXXXXXXXXX': No such file or directory

madaidan · June 30, 2019, 1:32pm

Ohh. That makes sense. It would be good to install that by default then.

We should contact upstream about the errors.