GNU bug report logs - #33464
[PATCH] gnu: Add lynis.


Package: guix-patches;

Reported by: Arun Isaac <arunisaac <at> systemreboot.net>

Date: Thu, 22 Nov 2018 13:36:01 UTC

Severity: normal

Tags: patch

Done: Arun Isaac <arunisaac <at> systemreboot.net>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#33464; Package guix-patches. (Thu, 22 Nov 2018 13:36:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arun Isaac <arunisaac <at> systemreboot.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 22 Nov 2018 13:36:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: guix-patches <at> gnu.org
Cc: Arun Isaac <arunisaac <at> systemreboot.net>
Subject: [PATCH] gnu: Add lynis.
Date: Thu, 22 Nov 2018 19:04:28 +0530
* gnu/packages/admin.scm (lynis): New variable.
---
 gnu/packages/admin.scm | 56 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 28961ecf8..513d7a26b 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -2837,3 +2837,59 @@ support forum.  It runs with the @code{/exec} command in most IRC clients.")
     (description "This package provides tools to manage clients of the
 Logitech Unifying Receiver.")
     (license license:gpl2)))
+
+(define-public lynis
+  (package
+    (name "lynis")
+    (version "2.7.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/CISOfy/lynis/archive/"
+                           version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "13np0bbkcz7k8336wdcq69b93wmc2vm1ryz988cr0kan11mxsr3k"))
+       (modules '((guix build utils)))
+       (snippet
+        '(begin
+           ;; Remove proprietary plugins
+           (with-directory-excursion "plugins"
+             (for-each delete-file (list "plugin_pam_phase1"
+                                         "plugin_systemd_phase1")))
+           #t))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:tests? #f ; no tests
+       #:phases
+       (modify-phases %standard-phases
+         (replace 'configure
+           (lambda* (#:key outputs #:allow-other-keys)
+             (substitute* "lynis"
+               (("/usr/share/lynis")
+                (string-append (assoc-ref outputs "out") "/share/lynis")))
+             (substitute* "include/functions"
+               (("/usr/local/etc/lynis")
+                (string-append (assoc-ref outputs "out") "/etc/lynis")))
+             #t))
+         (delete 'build)
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               (install-file "lynis" (string-append out "/bin/"))
+               (install-file "default.prf" (string-append out "/etc/lynis"))
+               (for-each
+                (lambda (dir)
+                  (copy-recursively dir (string-append out "/share/lynis/" dir)))
+                (list "db" "include" "plugins"))
+               (install-file "lynis.8" (string-append out "/share/man/man8"))
+               #t))))))
+    (home-page "https://cisofy.com/lynis/")
+    (synopsis "Security auditing tool")
+    (description "Lynis is a security auditing tool.  It performs an in-depth
+security scan and runs on the system itself.  The primary goal is to test
+security defenses and provide tips for further system hardening.  It will also
+scan for general system information, vulnerable software packages, and
+possible configuration issues.")
+    (license license:gpl3)))
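Review bot: the source is an autogenerated GitHub archive, `(uri (string-append "https://github.com/CISOfy/lynis/archive/" version ".tar.gz"))`; those tarballs are regenerated on GitHub's side and are not byte-stable, so the pinned `sha256` can stop matching later. Fetch the tag with `git-fetch` and a `git-reference` instead, with `(file-name (git-file-name name version))`. Two smaller points in the same hunk: `#:tests? #f ; no tests` disables checking without a `check` phase ever being tried, and the snippet removes only `plugin_pam_phase1` and `plugin_systemd_phase1` by name, so any other non-free file in `plugins/` is still shipped by the `copy-recursively` over `(list "db" "include" "plugins")` in the install phase; an allowlist of known-free plugins is the safer shape. `license:gpl3` should be `gpl3+` unless the sources pin a GPL version.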
-- 
2.19.1

Information forwarded to guix-patches <at> gnu.org:
bug#33464; Package guix-patches. (Fri, 23 Nov 2018 19:15:02 GMT) Full text and rfc822 format available.

Message #8 received at 33464 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Arun Isaac <arunisaac <at> systemreboot.net>, 33464 <at> debbugs.gnu.org
Subject: Re: [bug#33464] [PATCH] gnu: Add lynis.
Date: Fri, 23 Nov 2018 20:14:07 +0100
Arun Isaac <arunisaac <at> systemreboot.net> writes:

> * gnu/packages/admin.scm (lynis): New variable.

[...]

> +(define-public lynis
> +  (package
> +    (name "lynis")
> +    (version "2.7.0")
> +    (source
> +     (origin
> +       (method url-fetch)
> +       (uri (string-append "https://github.com/CISOfy/lynis/archive/"
> +                           version ".tar.gz"))
> +       (file-name (string-append name "-" version ".tar.gz"))

Can you use "git-fetch" here instead?  The autogenerated GitHub
"archive" tarballs are not stable: their hash may change in the future.

> +       (sha256
> +        (base32
> +         "13np0bbkcz7k8336wdcq69b93wmc2vm1ryz988cr0kan11mxsr3k"))
> +       (modules '((guix build utils)))
> +       (snippet
> +        '(begin
> +           ;; Remove proprietary plugins
> +           (with-directory-excursion "plugins"
> +             (for-each delete-file (list "plugin_pam_phase1"
> +                                         "plugin_systemd_phase1")))

Only one of these files has an explicit proprietary license, but given
the wording in the README it is safe to assume the other might not be
free.

In fact, since the README states "community plugins are available under
a restricted license", I would prefer to delete everything except a
whitelist here.  WDYT?

> +           #t))))
> +    (build-system gnu-build-system)
> +    (arguments
> +     `(#:tests? #f ; no tests

The .travis.yml runs "cd ./lynis-sdk && sh lynis-devkit run
unit-tests".  Is that an option for us?

> +       #:phases
> +       (modify-phases %standard-phases
> +         (replace 'configure
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (substitute* "lynis"
> +               (("/usr/share/lynis")
> +                (string-append (assoc-ref outputs "out") "/share/lynis")))
> +             (substitute* "include/functions"
> +               (("/usr/local/etc/lynis")
> +                (string-append (assoc-ref outputs "out") "/etc/lynis")))
> +             #t))
> +         (delete 'build)
> +         (replace 'install
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (let ((out (assoc-ref outputs "out")))
> +               (install-file "lynis" (string-append out "/bin/"))
> +               (install-file "default.prf" (string-append out "/etc/lynis"))
> +               (for-each
> +                (lambda (dir)
> +                  (copy-recursively dir (string-append out "/share/lynis/" dir)))
> +                (list "db" "include" "plugins"))
> +               (install-file "lynis.8" (string-append out "/share/man/man8"))
> +               #t))))))
> +    (home-page "https://cisofy.com/lynis/")
> +    (synopsis "Security auditing tool")
> +    (description "Lynis is a security auditing tool.  It performs an in-depth
> +security scan and runs on the system itself.  The primary goal is to test
> +security defenses and provide tips for further system hardening.  It will also
> +scan for general system information, vulnerable software packages, and
> +possible configuration issues.")
> +    (license license:gpl3)))

The file headers only say "This is free software, and you are welcome to
redistribute it under the terms of the GNU General Public License. See
LICENSE file for usage of this software.".

The GPL3 copy in LICENSE states that:

  If the Program does not specify a version number of the GNU General
  Public License, you may choose any version ever published by the Free
  Software Foundation.

So I think this should be "gpl3+".

The rest LGTM, thanks!

Information forwarded to guix-patches <at> gnu.org:
bug#33464; Package guix-patches. (Sat, 24 Nov 2018 19:53:01 GMT) Full text and rfc822 format available.

Message #11 received at 33464 <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Marius Bakke <mbakke <at> fastmail.com>, 33464 <at> debbugs.gnu.org
Subject: Re: [bug#33464] [PATCH] gnu: Add lynis.
Date: Sun, 25 Nov 2018 01:21:46 +0530
I have made all the suggested changes. Please find attached a new patch.

[v2-0001-gnu-Add-lynis.patch (text/x-patch, inline)]
From 6a39021cd2ee2ad2c74dddc7c1649e79fad97e41 Mon Sep 17 00:00:00 2001
From: Arun Isaac <arunisaac <at> systemreboot.net>
Date: Thu, 22 Nov 2018 19:00:48 +0530
Subject: [PATCH v2] gnu: Add lynis.

* gnu/packages/admin.scm (lynis): New variable.
---
 gnu/packages/admin.scm | 79 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 28961ecf8..02fe3f0c5 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -2837,3 +2837,82 @@ support forum.  It runs with the @code{/exec} command in most IRC clients.")
     (description "This package provides tools to manage clients of the
 Logitech Unifying Receiver.")
     (license license:gpl2)))
+
+(define-public lynis
+  (package
+    (name "lynis")
+    (version "2.7.0")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/CISOfy/lynis")
+             (commit version)))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "0rzc0y8lk22bymf56249jzmllki2lh0rz5in4lkrc5fkmp29c2wv"))
+       (modules '((guix build utils)))
+       (snippet
+        '(begin
+           ;; Remove proprietary plugins. As of now, all plugins supplied with
+           ;; lynis are proprietary. In the future, if free plugins are
+           ;; provided, whitelist them from deletion.
+           (for-each delete-file (find-files "plugins"))
+           #t))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(;; For tests
+       ("lynis-sdk"
+        ,(origin
+           (method git-fetch)
+           (uri (git-reference
+                 (url "https://github.com/CISOfy/lynis-sdk")
+                 (commit "3310aef4f2b3dd97d166c96ad0253c89c4ad390d")))
+           (file-name (git-file-name "lynis-sdk" version))
+           (sha256
+            (base32
+             "0sqsrm5wal742yrwps8bqb8a8lxd93n4b93n3kkm1b30nbs25g7y"))))))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'configure
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (substitute* "lynis"
+               (("/usr/share/lynis")
+                (string-append (assoc-ref outputs "out") "/share/lynis")))
+             (substitute* "include/functions"
+               (("/usr/local/etc/lynis")
+                (string-append (assoc-ref outputs "out") "/etc/lynis")))
+             #t))
+         (delete 'build)
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               (install-file "lynis" (string-append out "/bin/"))
+               (install-file "default.prf" (string-append out "/etc/lynis"))
+               (for-each
+                (lambda (dir)
+                  (copy-recursively dir (string-append out "/share/lynis/" dir)))
+                (list "db" "include" "plugins"))
+               (install-file "lynis.8" (string-append out "/share/man/man8"))
+               #t)))
+         (replace 'check
+           (lambda* (#:key inputs #:allow-other-keys)
+             (copy-recursively (assoc-ref inputs "lynis-sdk") "../lynis-sdk")
+             (setenv "LANG" "en_US.UTF-8")
+             (let ((lynis-dir (getcwd)))
+               (with-directory-excursion "../lynis-sdk"
+                 (substitute* "config"
+                   (("\\.\\./lynis") lynis-dir))
+                 (substitute* "unit-tests/tests-language-translations.sh"
+                   (("\\.\\./lynis") lynis-dir))
+                 (invoke "sh" "lynis-devkit" "run" "unit-tests"))))))))
+    (home-page "https://cisofy.com/lynis/")
+    (synopsis "Security auditing tool")
+    (description "Lynis is a security auditing tool.  It performs an in-depth
+security scan and runs on the system itself.  The primary goal is to test
+security defenses and provide tips for further system hardening.  It will also
+scan for general system information, vulnerable software packages, and
+possible configuration issues.")
+    (license license:gpl3+)))
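Review bot: the replaced `check` phase ignores the `tests?` keyword, so a `#:tests? #f` in the arguments (or a package inheriting from this one) can no longer skip the suite; take it in `(lambda* (#:key tests? inputs #:allow-other-keys)` and wrap the body in `(when tests? ...)`. Minor points in the same hunk: `'configure` now declares `inputs` in its keyword list but never uses it, and `(setenv "LANG" "en_US.UTF-8")` has no effect inside the build container unless a locale package is among the native inputs and `GUIX_LOCPATH` points at it, so either add one or drop the line. Also, the snippet empties the directory with `(for-each delete-file (find-files "plugins"))` but the install phase still copies `"plugins"`; that is harmless, but the entry could go or the comment could say the empty directory is kept on purpose.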
-- 
2.19.1


Information forwarded to guix-patches <at> gnu.org:
bug#33464; Package guix-patches. (Thu, 29 Nov 2018 20:34:01 GMT) Full text and rfc822 format available.

Message #14 received at 33464 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Arun Isaac <arunisaac <at> systemreboot.net>, 33464 <at> debbugs.gnu.org
Subject: Re: [bug#33464] [PATCH] gnu: Add lynis.
Date: Thu, 29 Nov 2018 21:33:11 +0100
Arun Isaac <arunisaac <at> systemreboot.net> writes:

> I have made all the suggested changes. Please find attached a new patch.

LGTM, thank you!

Reply sent to Arun Isaac <arunisaac <at> systemreboot.net>:
You have taken responsibility. (Fri, 30 Nov 2018 07:06:02 GMT) Full text and rfc822 format available.

Notification sent to Arun Isaac <arunisaac <at> systemreboot.net>:
bug acknowledged by developer. (Fri, 30 Nov 2018 07:06:02 GMT) Full text and rfc822 format available.

Message #19 received at 33464-done <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Marius Bakke <mbakke <at> fastmail.com>, 33464-done <at> debbugs.gnu.org
Subject: Re: [bug#33464] [PATCH] gnu: Add lynis.
Date: Fri, 30 Nov 2018 12:35:33 +0530
Pushed to master! Thanks for the review! :-)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 28 Dec 2018 12:24:05 GMT) Full text and rfc822 format available.
