Hello Marcel,
trying to update Lynis to 3.0.6 (from 3.0.3), I just noticed there is already a lynis-3.0.6.tar.gz file on https://source.ipfire.org/ with a different MD5 checksum and file size than the .tar.gz provided by Lynis upstream (hosted on GitHub):
pmueller@people01:/pub/sources/source-2.x$ ls -lah lynis-3.0.6.tar.gz
-rw-r--r-- 1 mlorenz people 329K Aug 1 11:45 lynis-3.0.6.tar.gz
pmueller@people01:/pub/sources/source-2.x$ md5sum lynis-3.0.6.tar.gz
23cc369984d564e4a8232473b1ace137 lynis-3.0.6.tar.gz
Fetching the upstream's URL (https://github.com/CISOfy/lynis/archive/refs/tags/3.0.6.tar.gz) via three different Tor circuits, using exit nodes in three different countries, always returns a file having these characteristics:
$ ls -lah lynis-3.0.6.tar.gz
-rw-r--r-- 1 pmu users 335K 4. Sep 10:56 lynis-3.0.6.tar.gz
$ md5sum lynis-3.0.6.tar.gz
c5429c532653a762a55a994d565372aa lynis-3.0.6.tar.gz
Oddly enough, searching VirusTotal for 23cc369984d564e4a8232473b1ace137 gains a hit (https://www.virustotal.com/gui/file/3005346e90339c18a4c626169c6f1d9fb8643bb0...), while a search for c5429c532653a762a55a994d565372aa returns nothing.
Looking at the contents of both .tar.gz's, your version is missing these files:
~/.github
~/.gitignore
~/plugins/plugin_pam_phase1
~/plugins/plugin_systemd_phase1
~/README.md
~/.travis.yml
Unfortunately, the maintainer of Lynis does not seem to provide a GPG signature or any other method to verify the integrity of downloaded source code. Therefore: Where did you fetch the lynis-3.0.6.tar.gz file currently present on IPFire's source code server from? GitHub?
Thanks, and best regards,
Peter Müller
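
Added example, not part of the original e-mail: when two tarballs for the same release differ in checksum and size, a per-file comparison shows whether the difference is only missing files or also altered content. The sketch below hashes every member with SHA-256 (the e-mail uses MD5 on the whole archive) and ignores the top-level directory name; the archive contents, the "lynis" directory prefix and the names of the two unchanged files are constructed assumptions.

```python
import hashlib
import io
import tarfile


def member_digests(blob):
    """Map each regular file in a .tar.gz to its SHA-256, ignoring the top-level directory."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Drop the leading "<project>-<version>/" component so archives
            # packed under different directory names still line up.
            rel = member.name.split("/", 1)[-1]
            digests[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare(a, b):
    """Return files present on one side only and files whose content differs."""
    da, db = member_digests(a), member_digests(b)
    return {
        "only_in_a": sorted(da.keys() - db.keys()),
        "only_in_b": sorted(db.keys() - da.keys()),
        "changed": sorted(n for n in da.keys() & db.keys() if da[n] != db[n]),
    }


def build(files, prefix):
    """Build a constructed sample .tar.gz in memory (stand-in for a real download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed contents; only the EXTRA file names are taken from the e-mail.
COMMON = {"lynis": b"#!/bin/sh\n", "include/functions": b"# functions\n"}
EXTRA = {".gitignore": b"*.log\n", "README.md": b"# lynis\n",
         "plugins/plugin_pam_phase1": b"# plugin\n"}
UPSTREAM = build({**COMMON, **EXTRA}, "lynis-3.0.6")
MIRROR = build(COMMON, "lynis")

if __name__ == "__main__":
    for kind, names in compare(UPSTREAM, MIRROR).items():
        print(kind, names)
```

An empty "changed" list together with a non-empty "only_in_a" list means the smaller archive is a subset of the larger one, which is the case worth distinguishing from modified files.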