lynis/include/helper_system_remote_scan

#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
######################################################################
#
# Helper program to perform a remote scan
#
######################################################################
#
# Options:
# ---------
# 1) lynis update info     - Show version information (external)
# 2) lynis update release  - Check and install new release (internal)
#
# How to use:
# ------------
# Run option 1 to know about current and latest release information.
# Run option 2 to query internal server for possible upgrade of Lynis.
#
# Steps for updating to new release:
# 1) Run Lynis with: lynis update release
# 2) Lynis will use this helper and check the profile
# 3) The configured web server will be queried (lynis-latest-version)
# 4) The contents of this file will be compared with a local file
# 5) If there is a difference, download package
# 6) Check paths and extract files
# 7) Quit program
#
# Suggested documentation if you want to use this functionality:
# https://cisofy.com/documentation/lynis/upgrading/
#
######################################################################

    # Enable screen output again
    QUIET=0

    SCP_BINARY=$(which scp 2> /dev/null | grep -v "no [^ ]* in ")
    SSH_BINARY=$(which ssh 2> /dev/null | grep -v "no [^ ]* in ")
    if [ "${SCP_BINARY}" = "" ]; then echo "Could not find scp binary"; ExitFatal; fi
    if [ "${SSH_BINARY}" = "" ]; then echo "Could not find ssh binary"; ExitFatal; fi

    LYNIS_TARBALL="lynis-remote.tar.gz"
    echo ""
    echo  "  ${BLUE}* ${WHITE}Step 1${NORMAL}: ${CYAN}Create tarball${NORMAL}"
    printf "%s\n\n" "    mkdir -p ./files && cd .. && tar czf ./lynis/files/${LYNIS_TARBALL} --exclude=files/${LYNIS_TARBALL} ./lynis && cd lynis"

    echo "  ${BLUE}* ${WHITE}Step 2${NORMAL}: ${CYAN}Copy tarball to target ${REMOTE_TARGET}${NORMAL}"
    LYNIS_TARBALL="./files/lynis-remote.tar.gz"
    printf "%s\n\n" "    scp -q ${LYNIS_TARBALL} ${REMOTE_TARGET}:~/tmp-lynis-remote.tgz"
    #if [ $? -gt 0 ]; then echo "Could not copy tarball to target"; ExitFatal; fi

    echo "  ${BLUE}* ${WHITE}Step 3${NORMAL}: ${CYAN}Execute audit command${NORMAL}"

    printf "%s\n\n" "    ssh ${REMOTE_TARGET} \"mkdir -p ~/tmp-lynis && cd ~/tmp-lynis && tar xzf ../tmp-lynis-remote.tgz && rm ../tmp-lynis-remote.tgz && cd lynis && ${REMOTE_COMMAND}\""
    #if [ $? -gt 1 ]; then echo "Could not perform remote audit"; ExitFatal; fi

    echo "  ${BLUE}* ${WHITE}Step 4${NORMAL}: ${CYAN}Clean up directory${NORMAL}"
    printf "%s\n\n" "    ssh ${REMOTE_TARGET} \"rm -rf ~/tmp-lynis\""

    echo "  ${BLUE}* ${WHITE}Step 5${NORMAL}: ${CYAN}Retrieve log and report${NORMAL}"
    printf "%s\n" "    scp -q ${REMOTE_TARGET}:/tmp/lynis.log ./files/${REMOTE_TARGET}-lynis.log"
    printf "%s\n\n" "    scp -q ${REMOTE_TARGET}:/tmp/lynis-report.dat ./files/${REMOTE_TARGET}-lynis-report.dat"

    echo "  ${BLUE}* ${WHITE}Step 6${NORMAL}: ${CYAN}Clean up tmp files (when using non-privileged account)${NORMAL}"
    printf "%s\n\n" "    ssh ${REMOTE_TARGET} \"rm /tmp/lynis.log /tmp/lynis-report.dat\""

    # No more Lynis output
    QUIET=1

# The End
Initial import of remote system scanning 2016-05-14 15:43:29 +02:00			`#!/bin/sh`

			`#################################################################################`
			`#`
			`# Lynis`
			`# ------------------`
			`#`
			`# Copyright 2007-2013, Michael Boelen`
Changed date and preparing for release 2017-02-09 13:35:40 +01:00			`# Copyright 2007-2017, CISOfy`
Initial import of remote system scanning 2016-05-14 15:43:29 +02:00			`#`
			`# Website : https://cisofy.com`
			`# Blog : http://linux-audit.com`
			`# GitHub : https://github.com/CISOfy/lynis`
			`#`
			`# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are`
			`# welcome to redistribute it under the terms of the GNU General Public License.`
			`# See LICENSE file for usage of this software.`
			`#`
			`######################################################################`
			`#`
			`# Helper program to perform a remote scan`
			`#`
			`######################################################################`
			`#`
			`# Options:`
			`# ---------`
			`# 1) lynis update info - Show version information (external)`
			`# 2) lynis update release - Check and install new release (internal)`
			`#`
			`# How to use:`
			`# ------------`
			`# Run option 1 to know about current and latest release information.`
			`# Run option 2 to query internal server for possible upgrade of Lynis.`
			`#`
			`# Steps for updating to new release:`
			`# 1) Run Lynis with: lynis update release`
			`# 2) Lynis will use this helper and check the profile`
			`# 3) The configured web server will be queried (lynis-latest-version)`
			`# 4) The contents of this file will be compared with a local file`
			`# 5) If there is a difference, download package`
			`# 6) Check paths and extract files`
			`# 7) Quit program`
			`#`
			`# Suggested documentation if you want to use this functionality:`
			`# https://cisofy.com/documentation/lynis/upgrading/`
			`#`
			`######################################################################`

			`# Enable screen output again`
			`QUIET=0`

A bunch of Solaris compatibility tweaks (#367) * Work around Solaris' /bin/sh not being POSIX. If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or a derivative, and /bin/sh cannot be trusted to support POSIX, but /usr/xpg4/bin/sh can be. Exec it right away. * Work around Solaris 'which' command oddity. Solaris' (at least) 'which' command outputs not-found errors to STDOUT instead of STDERR. This makes "did we get any output from which" checks insufficient; piping to grep -v the "no foo in ..." message should work. Note that this patch set includes all such uses of which that I could find, including ones that should never be reached on Solaris (i.e. only executed on some other OS) just for consistency. * Improved alternate-sh exec to avoid looping. * Solaris' /usr/ucb/echo supports -n. * Check for the best hash type that openssl supports. When using openssl to generate hashes, do not assume it supports sha256; try that, then sha1, then give up and use md5. * Solaris does not support sed -i; use a tempfile. * Use the full path for modinfo. When running as non-root, /usr/sbin/ might not be in PATH. include/tests_accounting already calls modinfo by full path, but include/tests_kernel did not. * Solaris find does not support -maxdepth. This mirrors the logic already in tests_homedirs. * Use PSBINARY instead of ps. * Work around Solaris' date not supporting +%s. Printing nawk's srand value is a bizarre but apparently once popular workaround for there being no normal userland command to print UNIX epoch seconds. A perl one-liner is the other common approach, but nawk may be more reliably present on Solaris than perl. * Revert to using sha1 for HOSTID. * Whitespace cleanup for openssl hash tests. 2017-03-08 17:24:24 +01:00			`SCP_BINARY=$(which scp 2> /dev/null \| grep -v "no [^ ]* in ")`
			`SSH_BINARY=$(which ssh 2> /dev/null \| grep -v "no [^ ]* in ")`
Initial import of remote system scanning 2016-05-14 15:43:29 +02:00			`if [ "${SCP_BINARY}" = "" ]; then echo "Could not find scp binary"; ExitFatal; fi`
			`if [ "${SSH_BINARY}" = "" ]; then echo "Could not find ssh binary"; ExitFatal; fi`

			`LYNIS_TARBALL="lynis-remote.tar.gz"`
			`echo ""`
			`echo " ${BLUE}* ${WHITE}Step 1${NORMAL}: ${CYAN}Create tarball${NORMAL}"`
			`printf "%s\n\n" " mkdir -p ./files && cd .. && tar czf ./lynis/files/${LYNIS_TARBALL} --exclude=files/${LYNIS_TARBALL} ./lynis && cd lynis"`

			`echo " ${BLUE}* ${WHITE}Step 2${NORMAL}: ${CYAN}Copy tarball to target ${REMOTE_TARGET}${NORMAL}"`
			`LYNIS_TARBALL="./files/lynis-remote.tar.gz"`
			`printf "%s\n\n" " scp -q ${LYNIS_TARBALL} ${REMOTE_TARGET}:~/tmp-lynis-remote.tgz"`
			`#if [ $? -gt 0 ]; then echo "Could not copy tarball to target"; ExitFatal; fi`

			`echo " ${BLUE}* ${WHITE}Step 3${NORMAL}: ${CYAN}Execute audit command${NORMAL}"`

			`printf "%s\n\n" " ssh ${REMOTE_TARGET} \"mkdir -p ~/tmp-lynis && cd ~/tmp-lynis && tar xzf ../tmp-lynis-remote.tgz && rm ../tmp-lynis-remote.tgz && cd lynis && ${REMOTE_COMMAND}\""`
			`#if [ $? -gt 1 ]; then echo "Could not perform remote audit"; ExitFatal; fi`

			`echo " ${BLUE}* ${WHITE}Step 4${NORMAL}: ${CYAN}Clean up directory${NORMAL}"`
Added quote marks on SSH commands (#372) Added quote marks for the SSH commands in steps and 6. 2017-03-27 09:19:01 +02:00			`printf "%s\n\n" " ssh ${REMOTE_TARGET} \"rm -rf ~/tmp-lynis\""`
Initial import of remote system scanning 2016-05-14 15:43:29 +02:00
			`echo " ${BLUE}* ${WHITE}Step 5${NORMAL}: ${CYAN}Retrieve log and report${NORMAL}"`
			`printf "%s\n" " scp -q ${REMOTE_TARGET}:/tmp/lynis.log ./files/${REMOTE_TARGET}-lynis.log"`
			`printf "%s\n\n" " scp -q ${REMOTE_TARGET}:/tmp/lynis-report.dat ./files/${REMOTE_TARGET}-lynis-report.dat"`

			`echo " ${BLUE}* ${WHITE}Step 6${NORMAL}: ${CYAN}Clean up tmp files (when using non-privileged account)${NORMAL}"`
Added quote marks on SSH commands (#372) Added quote marks for the SSH commands in steps and 6. 2017-03-27 09:19:01 +02:00			`printf "%s\n\n" " ssh ${REMOTE_TARGET} \"rm /tmp/lynis.log /tmp/lynis-report.dat\""`
Initial import of remote system scanning 2016-05-14 15:43:29 +02:00
			`# No more Lynis output`
			`QUIET=1`

			`# The End`