From: Marius Bakke <mbakke@fastmail.com>
To: Arun Isaac <arunisaac@systemreboot.net>, 33464@debbugs.gnu.org
Subject: [bug#33464] [PATCH] gnu: Add lynis.
Date: Fri, 23 Nov 2018 20:14:07 +0100
Message-ID: <87y39jmwsg.fsf@fastmail.com>
In-Reply-To: <20181122133429.16838-1-arunisaac@systemreboot.net>

Arun Isaac <arunisaac@systemreboot.net> writes:

> * gnu/packages/admin.scm (lynis): New variable.

[...]

> +(define-public lynis
> +  (package
> +    (name "lynis")
> +    (version "2.7.0")
> +    (source
> +     (origin
> +       (method url-fetch)
> +       (uri (string-append "https://github.com/CISOfy/lynis/archive/"
> +                           version ".tar.gz"))
> +       (file-name (string-append name "-" version ".tar.gz"))

Can you use "git-fetch" here instead?  The autogenerated GitHub
"archive" tarballs are not stable: their hash may change in the future.

> +       (sha256
> +        (base32
> +         "13np0bbkcz7k8336wdcq69b93wmc2vm1ryz988cr0kan11mxsr3k"))
> +       (modules '((guix build utils)))
> +       (snippet
> +        '(begin
> +           ;; Remove proprietary plugins
> +           (with-directory-excursion "plugins"
> +             (for-each delete-file (list "plugin_pam_phase1"
> +                                         "plugin_systemd_phase1")))
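
Review bot: the (for-each delete-file ...) list in the snippet names
exactly two files, so anything else under plugins/ is kept.
delete-file raises an error if either name disappears upstream, but a
plugin added in a later release would pass through the snippet and be
installed by the copy-recursively over "plugins" in the install phase.
Listing the files to keep and deleting the rest makes a version bump
fail safe, and the ";; Remove proprietary plugins" comment could say
where the license restriction is stated so it can be re-checked.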

Only one of these files has an explicit proprietary license, but given
the wording in the README it is safe to assume the other might not be
free.

In fact, since the README states "community plugins are available under
a restricted license", I would prefer to delete everything except a
whitelist here.  WDYT?

> +           #t))))
> +    (build-system gnu-build-system)
> +    (arguments
> +     `(#:tests? #f ; no tests

The .travis.yml runs "cd ./lynis-sdk && sh lynis-devkit run
unit-tests".  Is that an option for us?

> +       #:phases
> +       (modify-phases %standard-phases
> +         (replace 'configure
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (substitute* "lynis"
> +               (("/usr/share/lynis")
> +                (string-append (assoc-ref outputs "out") "/share/lynis")))
> +             (substitute* "include/functions"
> +               (("/usr/local/etc/lynis")
> +                (string-append (assoc-ref outputs "out") "/etc/lynis")))
> +             #t))
> +         (delete 'build)
> +         (replace 'install
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (let ((out (assoc-ref outputs "out")))
> +               (install-file "lynis" (string-append out "/bin/"))
> +               (install-file "default.prf" (string-append out "/etc/lynis"))
> +               (for-each
> +                (lambda (dir)
> +                  (copy-recursively dir (string-append out "/share/lynis/" dir)))
> +                (list "db" "include" "plugins"))
> +               (install-file "lynis.8" (string-append out "/share/man/man8"))
> +               #t))))))
> +    (home-page "https://cisofy.com/lynis/")
> +    (synopsis "Security auditing tool")
> +    (description "Lynis is a security auditing tool.  It performs an in-depth
> +security scan and runs on the system itself.  The primary goal is to test
> +security defenses and provide tips for further system hardening.  It will also
> +scan for general system information, vulnerable software packages, and
> +possible configuration issues.")
> +    (license license:gpl3)))
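
Review bot: in the replaced 'configure phase, the two substitute*
calls are the only thing pointing lynis at the store, and substitute*
does not signal an error when a pattern matches nothing.  If upstream
moves or rewords "/usr/share/lynis" or "/usr/local/etc/lynis", the
package still builds but the installed script looks for those
directories outside the output.  A check after the substitutions that
the old paths no longer appear in "lynis" and "include/functions"
would catch that on update.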

The file headers only say "This is free software, and you are welcome to
redistribute it under the terms of the GNU General Public License. See
LICENSE file for usage of this software.".

The GPL3 copy in LICENSE states that:

  If the Program does not specify a version number of the GNU General
  Public License, you may choose any version ever published by the Free
  Software Foundation.

So I think this should be "gpl3+".

The rest LGTM, thanks!
