Hello Marcel,

trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there already a lynis-3.0.6.tar.gz file
on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided
by Lynis upstream (hosted on GitHub):

> pmueller(a)people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz 
> -rw-r--r-- 1 mlorenz people 329K Aug  1 11:45 lynis-3.0.6.tar.gz
> pmueller(a)people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
> 23cc369984d564e4a8232473b1ace137  lynis-3.0.6.tar.gz

Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via
three different Tor circuits, using exit nodes in three different countries, always return a file
having these characteristics:

> $ ls -lah lynis-3.0.6.tar.gz
> -rw-r--r-- 1 pmu users 335K  4. Sep 10:56 lynis-3.0.6.tar.gz
> $ md5sum lynis-3.0.6.tar.gz
> c5429c532653a762a55a994d565372aa  lynis-3.0.6.tar.gz

Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit
(https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0d0a049bcaf64b7ccb4fd272c/detection),
while a search for c5429c532653a762a55a994d565372aa returns nothing.

Looking at the contents of both .tar.gz's, your version is missing these files:

> ~/.github
> ~/.gitignore
> ~/plugins/plugin_pam_phase1
> ~/plugins/plugin_systemd_phase1
> ~/README.md
> ~/.travis.yml

Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method
to verify the integrity of a downloaded source code. Therefore: Where did you fetch the lynis-3.0.6.tar.gz
file currently present on IPFire's source code server from? GitHub?

Thanks, and best regards,
Peter Müller