Bootloader not detected for Gentoo VM about lynis HOT 10 CLOSED

Thanks for reporting. Please share some part of the logfile, or related files.

from lynis.

Trying to determine what would be relevant data to post....

Both /boot/grub/grub.conf and /boot/grub/menu.lst exist (menu.lst is a symbolic link to grub.conf).

That said, I think I have this identified. I was skipping the BOOT-5121 test, because bootloader password isn't required for this system (home VM). This also excluded the GRUB existence check.

So, the GRUB existence check needs to be separated from the GRUB password check. This will prevent the exception_event from firing, if the password test is skipped.

from lynis.

I tried this:

--- include/tests_boot_services.old     2014-09-23 14:55:21.000000000 -0700
+++ include/tests_boot_services 2014-09-23 18:36:28.000000000 -0700
@@ -42,6 +42,8 @@
             if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
             logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
             FileIsReadable ${GRUBCONFFILE}
+           Register --test-no BOOT-5121.1 --weight L --network NO --description "Check for GRUB boot loader pasword protection."
+           if [ ${SKIPTEST} -eq 0 ]; then
             if [ ${CANREAD} -eq 1 ]; then
                 FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
                 FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
@@ -63,6 +65,7 @@
                 logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"
             fi
         fi
+        fi

         # GRUB2 configuration file
         if [ -f /boot/grub/grub.cfg ]; then

...which produced some strange behavior.

The warning for no GRUB password went away, but the exception still fires that no boot loader was found. So, it's almost as if the presence check ran, but something wasn't set properly to let the reporting mechanism know.

from lynis.

I get the same issue on Ubuntu when test BOOT-5121 is skipped.

from lynis.

Test BOOT-5121 has been split into BOOT-5121 and BOOT-5122 now.
Can you confirm the patch is working for you?

from lynis.

Checking....

from lynis.

I get the following when running lynis, while /boot/ is not mounted:

  - Checking boot loaders
    - Checking presence GRUB2                                 [ FOUND ]
    - Checking presence GRUB2                                 [ POSSIBLE MATCH ]

Then, mounting /boot/, I get the following:

  - Checking boot loaders
    - Checking presence GRUB                                  [ OK ]
    - Checking presence GRUB2                                 [ FOUND ]

So, I'd say the detection is there.

from lynis.

Noticed an error in output, so change improved with another round. Since the "possible match" shows up, the detection seems to be accurate. Thanks for checking. Closing this issue.

from lynis.

@mboelen I'm seeing a similar issue on a different Gentoo VM. Similar build, just a (slightly) different package set.

Test BOOT-5122 is skipped via /etc/lynis/custom.prf, but BOOT-5121 is not. Do you want to reopen this issue or should I file a new one?

from lynis.

A new one please. Thanks :)

from lynis.