lynis: add package

Lynis is a security auditing tool for Unix/Linux systems. It performs
an in-depth security scan to detect software and security issues,
installed packages, and configuration errors.

This commit includes pending PRs which provide basic support for OpenWrt
version 23.05 --> SNAPSHOT thanks to issue 1600[1] which includes five
pending PRs[2-6].

1. CISOfy/lynis#1600
2. CISOfy/lynis#1601
3. CISOfy/lynis#1602
4. CISOfy/lynis#1620
5. CISOfy/lynis#1621
6. CISOfy/lynis#1748

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>

Author: graysky2

admin/lynis/Makefile

@@ -0,0 +1,57 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=lynis
+PKG_VERSION:=3.1.6
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://downloads.cisofy.com/lynis/
+PKG_HASH:=0513f62ba5ab615c4333827b804237d58cf7bd623d09e1b4918d3fc85f08fc70
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+
+PKG_MAINTAINER:=John Audia <therealgraysky@proton.me>
+PKG_LICENSE:=GPL-3.0-only
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/lynis
+  SECTION:=admin
+  CATEGORY:=Administration
+  TITLE:=Security and system auditing tool
+  URL:=https://cisofy.com/lynis/
+  PKGARCH:=all
+  DEPENDS:=+bind-dig +file +net-tools-netstat +net-tools-route
+endef
+
+define Package/lynis/description
+  Lynis is a security auditing tool for Unix/Linux systems. It performs
+  an in-depth security scan to detect software and security issues,
+  installed packages, and possible configuration errors.
+endef
+
+define Package/lynis/conffiles
+/etc/lynis/default.prf
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/lynis/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/lynis $(1)/usr/bin/lynis
+
+	$(INSTALL_DIR) $(1)/etc/lynis
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/default.prf $(1)/etc/lynis/default.prf
+
+	$(INSTALL_DIR) $(1)/usr/share/lynis
+	$(CP) $(PKG_BUILD_DIR)/db $(1)/usr/share/lynis/
+	$(CP) $(PKG_BUILD_DIR)/include $(1)/usr/share/lynis/
+	$(CP) $(PKG_BUILD_DIR)/plugins $(1)/usr/share/lynis/
+endef
+
+$(eval $(call BuildPackage,lynis))

admin/lynis/patches/0001-feat-Detect-OpenWrt-OS.patch

@@ -0,0 +1,27 @@
+From dc26caa98a7c77e9f1b5b2f02bdeba5174d98167 Mon Sep 17 00:00:00 2001
+From: macie <macie@users.noreply.github.com>
+Date: Sat, 8 Feb 2025 12:35:41 +0100
+Subject: [PATCH 1/9] feat: Detect OpenWrt OS
+
+HARDWARE value is a name of compilation target
+(SoC type). This will simplify selection of proper installer
+version for OS upgrade.
+---
+ include/osdetection | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/include/osdetection
++++ b/include/osdetection
+@@ -434,6 +434,12 @@
+                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                             OS_NAME="openSUSE"
+                         ;;
++                        "openwrt")
++                            LINUX_VERSION='OpenWrt'
++                            HARDWARE=$(grep '^OPENWRT_BOARD=' /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++                            OS_NAME=$(grep '^NAME=' /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++                            OS_VERSION=$(grep '^VERSION=' /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++                        ;;
+                         "osmc")
+                             LINUX_VERSION="OSMC"
+                             LINUX_VERSION_LIKE="Debian"

admin/lynis/patches/0002-feat-Add-EOL-dates-for-OpenWrt.patch

@@ -0,0 +1,31 @@
+From 44b1c4da3162e2573e1329feec65b7d3480239a8 Mon Sep 17 00:00:00 2001
+From: macie <macie@users.noreply.github.com>
+Date: Sat, 8 Feb 2025 13:00:17 +0100
+Subject: [PATCH 2/9] feat: Add EOL dates for OpenWrt
+
+Historically, updates were released up to the end of the month, see:
+<https://en.wikipedia.org/wiki/OpenWrt#Releases>.
+---
+ db/software-eol.db | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/db/software-eol.db
++++ b/db/software-eol.db
+@@ -283,6 +283,17 @@ os:OpenBSD 7.4:2024-10-08:1728338400:
+ os:OpenBSD 7.5:2025-05-31:1748642400:
+ os:OpenBSD 7.6:2025-10-31:1761865200:
+ #
++# OpenWrt - https://openwrt.org/docs/guide-developer/security#support_status
++#
++os:OpenWrt 15.05:2016-03-31:1459375200:
++os:OpenWrt 17.01:2018-09-30:1538258400:
++os:OpenWrt 18.06:2020-12-31:1609369200:
++os:OpenWrt 19.07:2022-04-30:1651269600:
++os:OpenWrt 21.02:2023-05-31:1685484000:
++os:OpenWrt 22.03:2024-07-31:1722376800:
++os:OpenWrt 23.05:2025-07-31:1753912800:
++os:OpenWrt 24.10:2026-02-28:1772233200:
++#
+ # Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
+ #
+ os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800:

admin/lynis/patches/0003-refactor-Specify-linux-HOSTNAME-detection.patch

@@ -0,0 +1,51 @@
+From 5ff39b5ffba427c75394b7c7b7f5fcd0b3fb13d2 Mon Sep 17 00:00:00 2001
+From: macie <macie@users.noreply.github.com>
+Date: Sat, 8 Feb 2025 17:16:37 +0100
+Subject: [PATCH 3/9] refactor: Specify linux HOSTNAME detection
+
+This is the first step to fix error on OpenWrt without changing current
+behavior.
+---
+ lynis | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/lynis
++++ b/lynis
+@@ -514,22 +514,27 @@ ${NORMAL}
+     . ${INCLUDEDIR}/osdetection
+     Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN
+ 
+-    # Check hostname and get timestamp
++    # Detect hostname and domain
++    FQDN=$(hostname 2> /dev/null)
+     case ${OS} in
+         HP-UX)
+-                    HOSTNAME=$(hostname) ;;
++            HOSTNAME=$(hostname) ;;
++        Linux)
++            HOSTNAME=$(hostname -s 2> /dev/null)
++            if [ -z "${HOSTNAME}" ]; then
++                HOSTNAME="${FQDN:-no-hostname}"
++            fi
++            if [ "${HOSTNAME}" = "${FQDN}" ]; then
++                FQDN=$(hostname -f 2> /dev/null)
++            fi
++            ;;
+         Solaris)
+-                    HOSTNAME=$(uname -n) ;;
++            HOSTNAME=$(uname -n) ;;
+         *)
+-                    HOSTNAME=$(hostname -s 2> /dev/null) ;;
++            HOSTNAME=$(hostname -s 2> /dev/null) ;;
+     esac
+     if [ -z "${HOSTNAME}" ]; then
+-        HOSTNAME=$(hostname 2> /dev/null)
+-        if [ -z "${HOSTNAME}" ]; then HOSTNAME="no-hostname"; fi
+-    fi
+-    FQDN=$(hostname 2> /dev/null)
+-    if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
+-        FQDN=$(hostname -f 2> /dev/null)
++        HOSTNAME="${FQDN:-no-hostname}"
+     fi
+ #
+ #################################################################################

admin/lynis/patches/0004-fix-Detect-HOSTNAME-on-OpenWrt.patch

@@ -0,0 +1,38 @@
+From dcbd67cb795758bf1c2becbe8281970953b63ec3 Mon Sep 17 00:00:00 2001
+From: macie <macie@users.noreply.github.com>
+Date: Sat, 8 Feb 2025 16:32:38 +0100
+Subject: [PATCH 4/9] fix: Detect HOSTNAME on OpenWrt
+
+OpenWrt can be run on devices with little resource, so it can miss some BusyBox
+commands (eg. hostname). The standard way of gathering info about OpenWrt is by
+the `uci` command, see: <https://openwrt.org/docs/guide-user/base-system/uci>.
+---
+ lynis | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/lynis
++++ b/lynis
+@@ -520,12 +520,17 @@ ${NORMAL}
+         HP-UX)
+             HOSTNAME=$(hostname) ;;
+         Linux)
+-            HOSTNAME=$(hostname -s 2> /dev/null)
+-            if [ -z "${HOSTNAME}" ]; then
+-                HOSTNAME="${FQDN:-no-hostname}"
+-            fi
+-            if [ "${HOSTNAME}" = "${FQDN}" ]; then
+-                FQDN=$(hostname -f 2> /dev/null)
++            if [ "${LINUX_VERSION}" = "OpenWrt" ]; then
++                HOSTNAME=$(uname -n)
++                FQDN="${HOSTNAME:+$HOSTNAME.}$(uci -q get dhcp.@dnsmasq[0].domain)"
++            else
++                HOSTNAME=$(hostname -s 2> /dev/null)
++                if [ -z "${HOSTNAME}" ]; then
++                  HOSTNAME="${FQDN:-no-hostname}"
++                fi
++                if [ "${HOSTNAME}" = "${FQDN}" ]; then
++                    FQDN=$(hostname -f 2> /dev/null)
++                fi
+             fi
+             ;;
+         Solaris)

admin/lynis/patches/0005-fix-False-positive-NETW-2400-on-OpenWrt.patch

@@ -0,0 +1,25 @@
+From 7a410ee5fd4323c6f6db116c3060ff6ffc5a53fd Mon Sep 17 00:00:00 2001
+From: macie <macie@users.noreply.github.com>
+Date: Sat, 8 Feb 2025 16:38:52 +0100
+Subject: [PATCH 5/9] fix: False positive NETW-2400 on OpenWrt
+
+To save resources, BusyBox for OpenWrt is compiled without support for
+character classes in `tr` command (FEATURE_TR_CLASSES). In that case `tr`
+treats `[:alnum:]` like a group of single characters, so it misses all numbers
+and most of letters.
+---
+ include/tests_networking | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/tests_networking
++++ b/include/tests_networking
+@@ -69,7 +69,8 @@
+                 LogText "Result: hostnamed is defined and not longer than 63 characters"
+             fi
+             # Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name)
+-            FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alnum:]\.\-')
++            # (we are NOT using [:alnum:] to support BusyBox's tr on devices with limited resources)
++            FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-zA-Z0-9]\.\-')
+             if [ -z "${FIND}" ]; then
+                 LogText "Result: good, no unexpected characters discovered in hostname"
+                 if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi

admin/lynis/patches/0006-refactor-Indent-with-spaces.patch

@@ -0,0 +1,30 @@
+From 1ac0704e57fd351d3fa6ae75c515af5e93eaa09c Mon Sep 17 00:00:00 2001
+From: macie <macie@users.noreply.github.com>
+Date: Sun, 23 Mar 2025 20:32:52 +0100
+Subject: [PATCH 6/9] refactor: Indent with spaces
+
+Most of the file has spaces for indentation.
+---
+ include/tests_boot_services | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/tests_boot_services
++++ b/include/tests_boot_services
+@@ -111,7 +111,7 @@
+                                 runit)
+                                     SERVICE_MANAGER="runit"
+                                 ;;
+-				openrc-init)
++                                openrc-init)
+                                     SERVICE_MANAGER="openrc"
+                                 ;;
+                                 *)
+@@ -280,7 +280,7 @@
+         BOOT_LOADER_SEARCHED=1
+         CURRENT_BOOT_LOADER=$(${BOOTCTLBINARY} status --no-pager 2>/dev/null | ${AWKBINARY} '/Current Boot Loader/{ getline; print $2 }')
+         if [ "${CURRENT_BOOT_LOADER}" = "systemd-boot" ]; then
+-	    Display --indent 2 --text "- Checking systemd-boot presence" --result "${STATUS_FOUND}" --color GREEN
++        Display --indent 2 --text "- Checking systemd-boot presence" --result "${STATUS_FOUND}" --color GREEN
+             LogText "Result: found systemd-boot"
+             BOOT_LOADER="systemd-boot"
+             BOOT_LOADER_FOUND=1

admin/lynis/patches/0007-fix-Define-service-manager-for-OpenWrt.patch

@@ -0,0 +1,32 @@
+From 2e0f28695e97908d4c7928f7348b812583ef9488 Mon Sep 17 00:00:00 2001
+From: macie <macie@users.noreply.github.com>
+Date: Sun, 23 Mar 2025 20:39:16 +0100
+Subject: [PATCH 7/9] fix: Define service manager for OpenWrt
+
+OpenWrt uses `procd` as a service manager (see: <https://openwrt.org/docs/techref/procd>).
+
+This fixes exception "Unknown service manager" returned by BOOT-5104 test.
+---
+ include/tests_boot_services | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/include/tests_boot_services
++++ b/include/tests_boot_services
+@@ -65,6 +65,7 @@
+     # runit           - Used by Artix, Devuan, Dragora and Void
+     # systemd         - Common option with more Linux distros implementing it
+     # upstart         - Used by Debian/Ubuntu
++    # procd           - Used by OpenWrt
+     Register --test-no BOOT-5104 --weight L --network NO --category security --description "Determine service manager"
+     if [ ${SKIPTEST} -eq 0 ]; then
+         BOOT_LOADER_SEARCHED=1
+@@ -114,6 +115,9 @@
+                                 openrc-init)
+                                     SERVICE_MANAGER="openrc"
+                                 ;;
++                                procd)
++                                    SERVICE_MANAGER="procd"
++                                ;;
+                                 *)
+                                     CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
+                                     if [ -n "${CONTAINS_SYSTEMD}" ]; then

admin/lynis/patches/0008-refactor-Use-IsRunning-instead-of-ps-grep.patch

@@ -0,0 +1,87 @@
+From 9f25b293a639be7b9f92cb41b4a0fa50e2678a58 Mon Sep 17 00:00:00 2001
+From: macie <macie@users.noreply.github.com>
+Date: Sun, 23 Mar 2025 21:38:41 +0100
+Subject: [PATCH 8/9] refactor: Use IsRunning instead of `ps | grep`
+
+Command `ps ax | grep '<WORD1>|<WORD2>' | grep -v 'grep'` can be directly
+transformed to `IsRunning '<WORD1>' || IsRunning '<WORD2>'`.
+
+`IsRunning` supports BusyBox `ps` (without `-ax` option, see: <https://github.com/mirror/busybox/blob/master/procps/ps.c>).
+---
+ include/tests_databases   | 6 ++----
+ include/tests_logging     | 3 +--
+ include/tests_squid       | 3 +--
+ include/tests_storage_nfs | 3 +--
+ include/tests_time        | 3 +--
+ 5 files changed, 6 insertions(+), 12 deletions(-)
+
+--- a/include/tests_databases
++++ b/include/tests_databases
+@@ -44,8 +44,7 @@
+     # Description : Check if MySQL is being used
+     Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
+     if [ ${SKIPTEST} -eq 0 ]; then
+-        FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
+-        if [ -z "${FIND}" ]; then
++        if ! IsRunning 'mariadb' && ! IsRunning 'mysqld' && ! IsRunning 'mysqld_safe'; then
+             if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
+             LogText "Result: MySQL process not active"
+         else
+@@ -248,8 +247,7 @@
+     #               reco: recovery (optional)
+     Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
+     if [ ${SKIPTEST} -eq 0 ]; then
+-        FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
+-        if [ -z "${FIND}" ]; then
++        if ! IsRunning 'ora_pmon' && ! IsRunning 'ora_smon' && ! IsRunning 'tnslsnr'; then
+             if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
+             LogText "Result: Oracle process(es) not active"
+         else
+--- a/include/tests_logging
++++ b/include/tests_logging
+@@ -45,8 +45,7 @@
+     Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
+     if [ ${SKIPTEST} -eq 0 ]; then
+         LogText "Test: Searching for a logging daemon"
+-        FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
+-        if [ -z "${FIND}" ]; then
++        if ! IsRunning 'syslogd' && ! IsRunning 'syslog-ng' && ! IsRunning 'metalog' && ! IsRunning 'systemd-journal'; then
+             Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
+             LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
+             ReportSuggestion "${TEST_NO}" "Check if any syslog daemon is running and correctly configured."
+--- a/include/tests_squid
++++ b/include/tests_squid
+@@ -41,8 +41,7 @@
+         LogText "Test: Searching for a Squid daemon"
+         FOUND=0
+         # Check running processes
+-        FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(squid|squid3) " | ${GREPBINARY} -v "grep")
+-        if [ -n "${FIND}" ]; then
++        if IsRunning 'squid' || IsRunning 'squid3'; then
+             SQUID_DAEMON_RUNNING=1
+             LogText "Result: Squid daemon is running"
+             Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
+--- a/include/tests_storage_nfs
++++ b/include/tests_storage_nfs
+@@ -93,8 +93,7 @@
+     Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon"
+     if [ ${SKIPTEST} -eq 0 ]; then
+         LogText "Test: Checking running NFS daemon"
+-        FIND=$(${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep")
+-        if [ -z "${FIND}" ]; then
++        if ! IsRunning 'nfsd'; then
+             LogText "Output: NFS daemon is not running"
+             Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
+         else
+--- a/include/tests_time
++++ b/include/tests_time
+@@ -122,8 +122,7 @@
+         fi
+ 
+         # Check timedate daemon (systemd)
+-        FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep")
+-        if [  -n "${FIND}" ]; then
++        if IsRunning 'systemd-timesyncd'; then
+             FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
+             Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
+             LogText "Result: Found running systemd-timesyncd in process list"