
Fix #1562 #1589

Open: wants to merge 1 commit into base: master

Conversation

pyllyukko
Contributor

kadmin.local binary might exist, even though Kerberos is not configured and /etc/krb5.conf does not exist.

@jwadodson

OK, so what are the conditions where that might occur?
Would not the best option be to test its existence before throwing such an error?
& then trying to be more specific about why the kadmin.local binary might exist
when other conditions for its safe & usual operation do not exist?

Is the binary ever installed "without control"?
Under what special circumstances?
What are the dangers?
etc.?

Cheers

John

@jwadodson

I have now been running lynis.noarch 3.1.3-1.fc41 for a few days.

It still gives this output (one line)

    kadmin.local: unable to get default realm

if I run lynis using this command line...

    lynis audit system 2>&1 > config/chklynis.$DATE

If that error was able to be redirected to my "log" file, I'd be satisfied, if not happy
But an error that is unable to be redirected for later analysis/processing is a little annoying.

As I said previously I think I have no trace of kerberos on this system.

@pyllyukko
Contributor Author

> OK, so what are the conditions where that might occur? Would not the best option be to test its existence before throwing such an error? & then trying to be more specific about why the kadmin.local binary might exist when other conditions for its safe & usual operation do not exist?

> Is the binary ever installed "without control"? Under what special circumstances? What are the dangers? etc.?

Clearly you have the kadmin.local binary as it throws an error. You can also see it in Lynis' logs (lynis.log), e.g.:

    Found known binary: kadmin.local (krb5) - /usr/sbin/kadmin.local

You can see the actual code that discovers the binary here. You probably have some Kerberos package installed in your system, but this is really something you need to look into on your own.

The fact that you get an error from kadmin.local was an oversight from me when I initially implemented this functionality (see #1456). And this fix would just discard the error in the prerequisites test.

> I have now been running lynis.noarch 3.1.3-1.fc41 for a few days.

It is not fixed yet in that version, as the potential fix resides in this particular pull request (which has not been merged yet) and I would ask you to test this fix and see if it resolves your issue?
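As an added illustration (not Lynis' own code, and not part of this thread) of the prerequisites check described above: a kadmin.local binary may be present while Kerberos is unconfigured, so the check below only calls it when the config file exists and discards its stderr either way; a second function reproduces why the reporter's `2>&1 > file` ordering left the error on the terminal. The KRB5_CONF override and the stub kadmin.local are constructed for offline testing.

```shell
# Added example, not Lynis' own code: a prerequisites check modelled on the
# fix discussed in this PR. kadmin.local may be installed (e.g. via krb5-server)
# with Kerberos unconfigured, and then prints "unable to get default realm" on
# stderr. KRB5_CONF and the stub binary are constructed for offline testing.

KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
export KRB5_CONF

# kerberos_state BINARY -> prints no-binary | binary-no-config | ok | failed
kerberos_state() {
    bin="$1"
    [ -x "$bin" ] || { echo "no-binary"; return 0; }
    # binary present but no krb5.conf: do not call kadmin.local at all
    [ -f "$KRB5_CONF" ] || { echo "binary-no-config"; return 0; }
    # configured: run it with stderr discarded so no realm error reaches the console
    if "$bin" >/dev/null 2>&1; then echo "ok"; else echo "failed"; fi
}

# make_stub DIR: constructed stand-in that mimics the observed behaviour
make_stub() {
    cat > "$1/kadmin.local" <<'EOF'
#!/bin/sh
[ -f "$KRB5_CONF" ] && exit 0
echo "kadmin.local: unable to get default realm" >&2
exit 1
EOF
    chmod +x "$1/kadmin.local"
}

# demo_states: walks the three states; the run's stderr is collected in a
# file and its byte count appended (expected 0: nothing leaks)
demo_states() {
    d=$(mktemp -d); make_stub "$d"
    { s1=$(kerberos_state "$d/missing")
      KRB5_CONF="$d/none"; s2=$(kerberos_state "$d/kadmin.local")
      KRB5_CONF="$d/krb5.conf"; : > "$KRB5_CONF"
      s3=$(kerberos_state "$d/kadmin.local")
    } 2>"$d/stderr.log"
    n=$(wc -c < "$d/stderr.log" | tr -d ' ')
    rm -rf "$d"; echo "$s1 $s2 $s3 $n"
}

# demo_naive: the reporter's redirect order (2>&1 before >) points stderr at
# the original stdout, so the error escapes the file redirect; the command
# substitution captures it here instead of a terminal
demo_naive() {
    d=$(mktemp -d); make_stub "$d"; KRB5_CONF="$d/none"
    out=$("$d/kadmin.local" 2>&1 >/dev/null) || true
    rm -rf "$d"; echo "$out"
}
```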

@jwadodson

OK thanks.
/usr/sbin/kadmin.local was installed as part of krb5-server which was called for by samba-dc
which is not being used.
Hopefully that will fix it for me.
I'll leave it till the lynis run tonight to check...

@pyllyukko
Contributor Author

> Hopefully that will fix it for me.
> I'll leave it till the lynis run tonight to check...

No. The problem will not fix itself. You will need to manually try out the proposed fix in this PR and report back whether it worked.

@jwadodson

I have removed krb5-server & samba-dc so I should not now see that error, as you thought it was coming
from the /usr/sbin/kadmin.local binary? With /usr/sbin/kadmin.local gone is that not the case?

@pyllyukko
Contributor Author

pyllyukko commented Dec 30, 2024

> I have removed krb5-server & samba-dc so I should not now see that error, as you thought it was coming
> from the /usr/sbin/kadmin.local binary? With /usr/sbin/kadmin.local gone is that not the case?

Well it mitigates the problem for you when the kadmin.local binary is gone, but it will happen to someone else later on. So in order to fix it in Lynis, I again ask you to try this fix (PR #1589) in such a way, that the kadmin.local binary is still there.

@jwadodson

It looks like it will work (stderr > /dev/null) & having reinstalled krb5-server on its own (which supplies
the /usr/sbin/kadmin.local binary) it works as expected (i.e. no error from the /usr/sbin/kadmin.local binary)

@pyllyukko
Contributor Author

pyllyukko commented Dec 30, 2024

E.g.:

  1. Git clone Lynis with git clone https://github.com/CISOfy/lynis.git
  2. Fetch this PR with git fetch origin pull/1589/head:fix-1562
  3. Switch to the proper branch git switch fix-1562
  4. Run Lynis from there (and not the one installed on your OS) ./lynis audit system --profile default.prf --tests-from-group kerberos --no-plugins --usecwd

@pyllyukko
Contributor Author

> It looks like it will work (stderr > /dev/null) & having reinstalled krb5-server on its own (which supplies
> the /usr/sbin/kadmin.local binary) it works as expected (i.e. no error from the /usr/sbin/kadmin.local binary)

Looks like, or did you test it? Can you please try with the instructions provided in my previous comment and report back?

@jwadodson

I did it by adding that redirect to that line (17) of /usr/share/lynis/include/tests_kerberos

Then running lynis.
It worked as expected & I did not get that error.

Sorry but I really can't get involved in playing "git". Having got a 2nd new hip almost 2 weeks ago, I just
can't sit at a computer for long enough at the moment.
