FILE-6430 Check other files too #1083

Open
moerkey opened this issue Dec 6, 2020 · 8 comments

Comments


moerkey commented Dec 6, 2020

Describe the bug
I disabled dccp from NETW-3200 in /etc/modprobe.d/blacklist-custom.conf but still get an info message about FILE-6430.

Version

  • Ubuntu 18.04
  • Lynis version 3.0.1-100

Expected behavior
When I disable dccp from NETW-3200 in /etc/modprobe.d/blacklist-custom.conf, I don't want to get an info message about FILE-6430.

Output

  * Consider disabling unused kernel modules [FILE-6430]
    - Details  : /etc/modprobe.d/blacklist.conf
    - Solution : Add 'install MODULENAME /bin/true' (without quotes)
      https://cisofy.com/lynis/controls/FILE-6430/

mboelen commented Dec 22, 2020

Both tests have a different target. NETW-3200 is focused on network protocols. FILE-6430 on file systems and related modules.

So looks like normal behavior. Or am I missing something?

@mboelen mboelen self-assigned this Dec 22, 2020

moerkey commented Dec 22, 2020

Kinda no but also yes.

IMHO the check for FILE-6430 is not sufficient.

I guess you only check a pattern against the file /etc/modprobe.d/blacklist.conf.
But I am disabling modules via /etc/modprobe.d/blacklist-custom.conf.

Those are two different files.
Under Ubuntu the first one comes from the OS (packages).
The second one is my custom config.

I try not to touch any files from any package to have an easy way to update the system.


mboelen commented Jan 6, 2021

Had a look, but FILE-6430 looks in /etc/modprobe.d/* and so does NETW-3200.

Can you provide a specific example from your blacklist-custom.conf file? Please include the relevant details from the test that shows up (lynis show details FILE-6430). Include only the relevant lines related to the module.


moerkey commented Jan 6, 2021

Here you go.

cat /etc/modprobe.d/blacklist-custom.conf 
# https://cisofy.com/lynis/controls/FILE-6430/
# https://cisofy.com/lynis/controls/NETW-3200/
install dccp /bin/true
install rds /bin/true
install sctp /bin/true
install tipc /bin/true
root@host:~# lynis show details FILE-6430
root@host:~# 
2021-01-06 15:21:17 Performing test ID FILE-6430 (Disable mounting of some filesystems)
2021-01-06 15:21:17 Result: found cramfs support in the kernel (output = insmod /lib/modules/5.4.0-58-generic/kernel/fs/cramfs/cramfs.ko )
2021-01-06 15:21:17 Test: Checking if cramfs is active
2021-01-06 15:21:17 Result: module cramfs is currently not loaded in the kernel.
2021-01-06 15:21:17 Hardening: assigned partial number of hardening points (2 of 3). Currently having 72 points (out of 85)
2021-01-06 15:21:17 Result: found freevxfs support in the kernel (output = insmod /lib/modules/5.4.0-58-generic/kernel/fs/freevxfs/freevxfs.ko )
2021-01-06 15:21:17 Test: Checking if freevxfs is active
2021-01-06 15:21:17 Result: module freevxfs is currently not loaded in the kernel.
2021-01-06 15:21:17 Hardening: assigned partial number of hardening points (2 of 3). Currently having 74 points (out of 88)
2021-01-06 15:21:17 Hardening: assigned maximum number of hardening points for this item (3). Currently having 77 points (out of 91)
2021-01-06 15:21:17 Hardening: assigned maximum number of hardening points for this item (3). Currently having 80 points (out of 94)
2021-01-06 15:21:17 Result: found jffs2 support in the kernel (output = insmod /lib/modules/5.4.0-58-generic/kernel/fs/jffs2/jffs2.ko )
2021-01-06 15:21:17 Test: Checking if jffs2 is active
2021-01-06 15:21:17 Result: module jffs2 is currently not loaded in the kernel.
2021-01-06 15:21:17 Hardening: assigned partial number of hardening points (2 of 3). Currently having 82 points (out of 97)
2021-01-06 15:21:17 Hardening: assigned maximum number of hardening points for this item (3). Currently having 85 points (out of 100)
2021-01-06 15:21:17 Result: found udf support in the kernel (output = insmod /lib/modules/5.4.0-58-generic/kernel/fs/udf/udf.ko )
2021-01-06 15:21:17 Test: Checking if udf is active
2021-01-06 15:21:17 Result: module udf is currently not loaded in the kernel.
2021-01-06 15:21:17 Hardening: assigned partial number of hardening points (2 of 3). Currently having 87 points (out of 103)
2021-01-06 15:21:17 Suggestion: Consider disabling unused kernel modules [test:FILE-6430] [details:/etc/modprobe.d/blacklist.conf] [solution:Add 'install MODULENAME /bin/true' (without quotes)]
2021-01-06 15:21:17 Security check: file is normal
2021-01-06 15:21:17 Checking permissions of /usr/share/lynis/include/tests_usb
2021-01-06 15:21:17 File permissions are OK


moerkey commented Apr 22, 2021

Hey, please reopen it. The issue is still present.

@mboelen mboelen reopened this Apr 22, 2021

mboelen commented Apr 22, 2021

I don't see any mentioning of dccp in that Lynis output, so that is good (as it is tested within NETW-3200).

I'm a bit confused now. You stated that you disabled dccp for NETW-3200 (and seeing your configuration files, it looks good to me). You also say that FILE-6430 shows up. And that is correct, as it tests for different kernel modules. Both can pop up independently of each other. So the question is what specifically do you think is being tested incorrectly?


moerkey commented Apr 22, 2021

Yeah, after 4 months I am confused too and I will dig into it nearly from the beginning.

So, FILE-6430 says that I should disable some unused modules to be more secure.

Do I have to use the file /etc/modprobe.d/blacklist.conf for that?

Ubuntu is using the file already but only with lines like "blacklist MODULE".

I understand the following like that FILE-6430 just searches for the pattern 'install MODULENAME /bin/true' (without quotes) in the file /etc/modprobe.d/blacklist.conf.

 * Consider disabling unused kernel modules [FILE-6430]
    - Details  : /etc/modprobe.d/blacklist.conf
    - Solution : Add 'install MODULENAME /bin/true' (without quotes)
      https://cisofy.com/lynis/controls/FILE-6430/

Is that correct?

I am just wondering why it is not using grep with the pattern over the directory /etc/modprobe.d/ too.
There you can find more files which are disabling unused modules.

Don't get confused by dccp. It was just an example.

So, why is FILE-6430 complaining about disabling unused modules when I have them already disabled in another file?
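
The thread turns on how a test like FILE-6430 or NETW-3200 decides that a module is "disabled". The `lynis show details` output above probes each filesystem module (cramfs, freevxfs, jffs2, udf) and reports it as found but not disabled, while the posted blacklist-custom.conf only contains `install` lines for the network protocols dccp, rds, sctp and tipc. The following shell script is an added example written for this page, not Lynis's own code: it scans every `*.conf` file in a modprobe.d directory (a path passed in, defaulting to /etc/modprobe.d) for an `install MODULE /bin/true` or `/bin/false` line, and counts `blacklist MODULE` lines as not disabling the module, since `blacklist` only stops alias-based autoloading and an explicit `modprobe MODULE` still succeeds. The fixture directory, its file names and their contents are constructed to mirror the files described in the thread and are not real system files.

```shell
#!/bin/sh
# Added example (not Lynis code): decide whether a kernel module is
# neutralised by an "install MODULE /bin/true|/bin/false" line in ANY
# *.conf file of a modprobe.d directory, regardless of which file holds it.
#
# is_module_disabled MODULE [MODPROBE_DIR]
#   exit 0 when an install line neutralises MODULE, 1 otherwise.
is_module_disabled() {
    mod="$1"
    dir="${2:-/etc/modprobe.d}"
    # modprobe only reads *.conf files in the directory; -h drops file names
    # so the pipeline works with one or many files. Comment lines (leading #)
    # and "blacklist MODULE" lines do not match on purpose.
    # Caveat: modprobe treats '-' and '_' in module names as equivalent; this
    # check matches the name literally.
    grep -hE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(true|false)([[:space:]]|$)" \
        "$dir"/*.conf 2>/dev/null | grep -q .
}

# count_enabled MODPROBE_DIR MODULE...
#   prints how many of the given modules are NOT disabled (what a hardening
#   test would still complain about) and lists each one on stderr.
count_enabled() {
    dir="$1"; shift
    n=0
    for m in "$@"; do
        if is_module_disabled "$m" "$dir"; then
            echo "$m: disabled" >&2
        else
            echo "$m: NOT disabled" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# make_fixture
#   builds a constructed modprobe.d directory in a temp location and prints
#   its path: one OS-style file with only "blacklist" lines and one custom
#   file with the four "install" lines shown in the thread.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed: shipped by the OS package' \
        'blacklist floppy' > "$d/blacklist.conf"
    printf '%s\n' '# constructed: custom hardening file' \
        'install dccp /bin/true' \
        'install rds /bin/true' \
        'install sctp /bin/true' \
        'install tipc /bin/true' > "$d/blacklist-custom.conf"
    echo "$d"
}

# Stand-alone run: network protocols are disabled by the custom file, the
# filesystem modules a FILE-6430-style test looks at are not, and a plain
# "blacklist floppy" line does not count as disabling floppy.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    fixture=$(make_fixture)
    echo "network modules still enabled: $(count_enabled "$fixture" dccp rds sctp tipc)"
    echo "filesystem modules still enabled: $(count_enabled "$fixture" cramfs freevxfs jffs2 udf)"
    echo "floppy (blacklist only) still enabled: $(count_enabled "$fixture" floppy)"
    rm -rf "$fixture"
fi
```

Run against a real system with `count_enabled /etc/modprobe.d cramfs freevxfs jffs2 udf`; every module reported as NOT disabled needs its own `install MODULE /bin/true` line in any `*.conf` file under /etc/modprobe.d, and adding those to a custom file rather than to the distribution's blacklist.conf is fine because the whole directory is read.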


github-actions bot commented May 7, 2021

Stale issue message
