lynis/include/report

#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Report
#
#################################################################################
#
    # Add additional data fields to the report file at the end of the scan
    Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
    Report "arpwatch_running=${ARPWATCH_RUNNING}"

    # Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
    Report "firewall_active=${FIREWALL_ACTIVE}"
    Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}"
    Report "firewall_installed=${FIREWALL_ACTIVE}"

    if [ -n "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi

    Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
    Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
    Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
#
#################################################################################
#
    # Hardening Index
    #
    # Goal:
    # Provide a visual way to show how much the system is hardened
    #
    # Important:
    # The index gives a simplified version of the measures taken on the system.
    # It should be used to get a first impression about the state of the system or to compare similar systems.
    # Getting the maximum score (100 or full bar) does not indicate that the system is fully secured.

    # If no hardening has been found, set value to 1
    if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
    HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
    HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
    # Set color related to rating
    if [ ${HPINDEX} -lt 50 ]; then
        HPCOLOR="${RED}"
        HIDESCRIPTION="System has not or a low amount been hardened"
    elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
        HPCOLOR="${YELLOW}"
        HIDESCRIPTION="System has been hardened, but could use additional hardening"
    elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
        HPCOLOR="${GREEN}"
        HIDESCRIPTION="System seem to be decent hardened"
    elif [ ${HPINDEX} -gt 89 ]; then
        HPCOLOR="${GREEN}"
        HIDESCRIPTION="System seem to be well hardened"
    fi

    case ${HPAOBLOCKS} in
        0)  HPBLOCKS="#"; HPEMPTY="                   " ;;
        1)  HPBLOCKS="#"; HPEMPTY="                   " ;;
        2)  HPBLOCKS="##"; HPEMPTY="                  " ;;
        3)  HPBLOCKS="###"; HPEMPTY="                 " ;;
        4)  HPBLOCKS="####"; HPEMPTY="                " ;;
        5)  HPBLOCKS="#####"; HPEMPTY="               " ;;
        6)  HPBLOCKS="######"; HPEMPTY="              " ;;
        7)  HPBLOCKS="#######"; HPEMPTY="             " ;;
        8)  HPBLOCKS="########"; HPEMPTY="            " ;;
        9)  HPBLOCKS="#########"; HPEMPTY="           " ;;
        10) HPBLOCKS="##########"; HPEMPTY="          " ;;
        11) HPBLOCKS="###########"; HPEMPTY="         " ;;
        12) HPBLOCKS="############"; HPEMPTY="        " ;;
        13) HPBLOCKS="#############"; HPEMPTY="       " ;;
        14) HPBLOCKS="##############"; HPEMPTY="      " ;;
        15) HPBLOCKS="###############"; HPEMPTY="     " ;;
        16) HPBLOCKS="################"; HPEMPTY="    " ;;
        17) HPBLOCKS="#################"; HPEMPTY="   " ;;
        18) HPBLOCKS="##################"; HPEMPTY="  " ;;
        19) HPBLOCKS="###################"; HPEMPTY=" " ;;
        20) HPBLOCKS="####################"; HPEMPTY="" ;;
    esac

    HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
    LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
    LogText "Hardening strength: ${HIDESCRIPTION}"
#
#################################################################################
#
    # Only show overview if not running in quiet mode
    if [ ${QUIET} -eq 0 ]; then
        echo ""; echo "================================================================================"
        echo ""; echo "  -[ ${WHITE}${PROGRAM_NAME} ${PROGRAM_VERSION} Results${NORMAL} ]-"
        echo "";


    if [ ${SHOW_REPORT} -eq 1 ]; then

        LogTextBreak

        # Show test results overview

            if [ -z "${CONTROL_URL_PROTOCOL}" ]; then CONTROL_URL_PROTOCOL="https"; fi
            if [ -z "${CONTROL_URL_PREPEND}" ]; then CONTROL_URL_PREPEND="cisofy.com/lynis/controls/"; fi
            if [ -z "${CONTROL_URL_APPEND}" ]; then CONTROL_URL_APPEND="/"; fi
            if [ -z "${CUSTOM_URL_PROTOCOL}" ]; then CUSTOM_URL_PROTOCOL="https"; fi
            if [ -z "${CUSTOM_URL_PREPEND}" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
            if [ -z "${CUSTOM_URL_APPEND}" ]; then CUSTOM_URL_APPEND="/"; fi

            # Show warnings from logfile
            SWARNINGS=$(${GREPBINARY} 'Warning: ' ${LOGFILE} | sed 's/ /!space!/g')
            if [ -z "${SWARNINGS}" ]; then
                echo "  ${OK}Great, no warnings${NORMAL}"; echo ""
            else
                echo "  ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
                echo "  ${WHITE}----------------------------${NORMAL}"
                for WARNING in ${SWARNINGS}; do
                    SOLUTION=""
                    SHOWWARNING=$(echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^.* Warning: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
                    ADDLINK=$(echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^.* Warning: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')
                    DETAILS=$(echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^.* Warning: \(.*\)\[details://' | sed 's/\]\(.*\)]//')
                    SUGGESTION_PIECES=$(echo ${WARNING} | sed 's/\[/ [/g')
                    for PIECE in ${SUGGESTION_PIECES}; do
                        if [ -z "${SOLUTION}" ]; then
                            SEARCH=$(echo ${PIECE} | grep "^\[solution:")
                            if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi
                        fi
                    done
                    IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
                    echo "  ${RED}!${NORMAL} ${SHOWWARNING}"
                    if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo "    - Details  : ${CYAN}${DETAILS}${NORMAL}"; fi
                    if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo "    - Solution : ${SOLUTION}"; fi
                    if [ -z "${IS_CUSTOM}" ]; then
                        echo "      ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
                    else
                        echo "      ${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}"
                    fi
                    echo ""
                done
            fi

            # Show suggestions from logfile
            SUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g')

            if [ -z "${SUGGESTIONS}" ]; then
                echo "  ${OK}No suggestions${NORMAL}"; echo ""
            else
                echo "  ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
                echo "  ${WHITE}----------------------------${NORMAL}"
                for SUGGESTION in ${SUGGESTIONS}; do
                    SOLUTION=""
                    SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
                    ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')
                    DETAILS=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[details://' | sed 's/\]\(.*\)]//')
                    SUGGESTION_PIECES=$(echo ${SUGGESTION} | sed 's/\[/ [/g')
                    for PIECE in ${SUGGESTION_PIECES}; do
                        if [ -z "${SOLUTION}" ]; then
                            SEARCH=$(echo ${PIECE} | grep "^\[solution:")
                            if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi
                        fi
                    done
                    IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
                    echo "  ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
                    if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo "    - Details  : ${CYAN}${DETAILS}${NORMAL}"; fi
                    if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo "    - Solution : ${SOLUTION}"; fi
                    if [ -z "${IS_CUSTOM}" ]; then
                        echo "      ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
                    else
                        echo "      ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
                    fi
                    echo ""
                done
            fi
            # Show tip on how to continue (next steps)
            if [ ! "${SWARNINGS}" = "" -o ! "${SUGGESTIONS}" = "" ]; then
                echo "  ${CYAN}Follow-up${NORMAL}:"
                echo "  ${WHITE}----------------------------${NORMAL}"
                echo "  ${WHITE}-${NORMAL} Show details of a test (lynis show details TEST-ID)"
                echo "  ${WHITE}-${NORMAL} Check the logfile for all details (less ${LOGFILE})"
                echo "  ${WHITE}-${NORMAL} Read security controls texts (https://cisofy.com)"
                if [ ${UPLOAD_DATA} -eq 0 ]; then echo "  ${WHITE}-${NORMAL} Use --upload to upload data to central system (Lynis Enterprise users)"; fi
                echo ""
            fi
            echo "================================================================================"
            echo ""
            echo "  ${WHITE}Lynis security scan details${NORMAL}:"
            echo ""
            echo "  ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
            echo "  ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
            if [ ${SKIP_PLUGINS} -eq 0 ]; then
                echo "  ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
            else
                echo "  ${CYAN}Plugins enabled${NORMAL} : ${WHITE}Skipped${NORMAL}"
            fi
            echo ""
            echo "  ${WHITE}Components${NORMAL}:"
            if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi
            if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then MALWARE="${GREEN}V"; else MALWARE="${RED}X"; fi
            if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then IDSIPS="${GREEN}V"; else IDSIPS="${RED}X"; fi

            echo "  - Firewall               [${FIREWALL}${NORMAL}]"
            #echo "  - Integrity monitoring   [${IDSIPS}${NORMAL}]"
            #echo "  - Intrusion software     [${IDSIPS}${NORMAL}]"
            echo "  - Malware scanner        [${MALWARE}${NORMAL}]"

            echo ""
            echo "  ${SECTION}Scan mode${NORMAL}:"
            if [ ${DEVOPS_MODE} -eq 1 ]; then
                echo "  Normal [ ]  Forensics [ ]  Integration [V]  Pentest [ ]"
            elif [ ${FORENSICS_MODE} -eq 1 ]; then
                echo "  Normal [ ]  Forensics [V]  Integration [ ]  Pentest [ ]"
            elif [ ${PENTESTINGMODE} -eq 1 ]; then
                if [ ${PRIVILEGED} -eq 0 ]; then
                    echo "  Normal [ ]  Forensics [ ]  Integration [ ]  Pentest [V] (running non-privileged)"
                else
                    echo "  Normal [ ]  Forensics [ ]  Integration [ ]  Pentest [V] (running privileged)"
                fi
            else
                echo "  Normal [V]  Forensics [ ]  Integration [ ]  Pentest [ ]"
            fi
            echo ""

            echo "  ${SECTION}Lynis modules${NORMAL}:"
            if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
                if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
            else
                COMPLIANCE="${YELLOW}?"
            fi
            echo "  - Compliance status      [${COMPLIANCE}${NORMAL}]"
            echo "  - Security audit         [${GREEN}V${NORMAL}]"
            echo "  - Vulnerability scan     [${GREEN}V${NORMAL}]"
            echo ""
            echo "  ${SECTION}Files${NORMAL}:"
            echo "  - Test and debug information      : ${WHITE}${LOGFILE}${NORMAL}"
            echo "  - Report data                     : ${WHITE}${REPORTFILE}${NORMAL}"
            echo ""
            echo "================================================================================"
            if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
                echo "  ${NOTICE}Notice: ${WHITE}${PROGRAM_NAME} ${GEN_UPDATE_AVAILABLE}${NORMAL}"
                echo "  ${GEN_CURRENT_VERSION} : ${WHITE}${PROGRAM_AC}${NORMAL}    ${GEN_LATEST_VERSION} : ${WHITE}${PROGRAM_LV}${NORMAL}"
                echo "================================================================================"
            else
                ###########################################################################################
                #
                # Software quality program
                # Only provide this hint when the tool is at the latest version
                #
                ###########################################################################################

                if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
                    # Determine if the quality of the program can be increased by filtering out the exceptions
                    FIND=$(${GREPBINARY} "^exception" ${REPORTFILE})
                    if [ -n "${FIND}" ]; then
                        echo ""
                        echo "  ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}"
                        echo "  ${WHITE}${NOTE_EXCEPTIONS_FOUND_DETAILED}!${NORMAL}"
                        echo ""
                        echo "  ${CYAN}${GEN_WHAT_TO_DO}:${NORMAL}"
                        echo "  ${TEXT_YOU_CAN_HELP_LOGFILE} (${LOGFILE})."
                        echo "  Go to https://cisofy.com/contact/ and send your file to the e-mail address listed"
                        echo ""
                        echo "================================================================================"
                    fi
                fi
            fi

            # Display what tests are skipped in non-privileged scan for awareness
            if [ ${PENTESTINGMODE} -eq 1 -a ! "${SKIPPED_TESTS_ROOTONLY}" = "" ]; then
                echo ""
                echo "  ${PURPLE}${NOTE_SKIPPED_TESTS_NON_PRIVILEGED}${NORMAL}"

                FIND=$(echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g')
                # Split entries
                FIND=$(echo ${FIND} | sed 's/====/ /g')
                # Display found entries
                for ITEM in ${FIND}; do
                    OUTPUT=$(echo ${ITEM} | sed 's/:space:/ /g')
                    echo "    ${OUTPUT}"
                done
                echo ""
                echo "================================================================================"
            fi

            echo ""
        fi

    fi

    # Report data, even if it is not displayed on screen
    Report "hardening_index=${HPINDEX}"

    if [ ${QUIET} -eq 0 ]; then
        echo "  ${WHITE}${PROGRAM_NAME}${NORMAL} ${PROGRAM_VERSION}"
        echo ""
        echo "  Auditing, system hardening, and compliance for UNIX-based systems"
        echo "  (Linux, macOS, BSD, and others)"
        echo ""
        echo "  ${PROGRAM_COPYRIGHT}"
        echo "  ${WHITE}${PROGRAM_EXTRAINFO}${NORMAL}"
        echo ""
        echo "================================================================================"
    fi

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com