lynis/include/osdetection

537 lines
21 KiB
Plaintext
Raw Normal View History

2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
2014-08-26 17:33:55 +02:00
#
2016-03-13 16:00:39 +01:00
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Operating System detection
#
#################################################################################
#
# Check operating system
2016-05-03 12:40:05 +02:00
case $(uname) in
2014-08-26 17:33:55 +02:00
# IBM AIX
AIX)
OS="AIX"
OS_NAME="AIX"
OS_VERSION=$(oslevel)
OS_FULLNAME="AIX ${OS_VERSION}"
CPU=$(uname -p)
HARDWARE=$(uname -M)
FIND_BINARIES="whereis -b"
SYSCTL_READKEY=""
2014-08-26 17:33:55 +02:00
;;
# Mac OS X and macOS
2014-08-26 17:33:55 +02:00
Darwin)
OS="macOS"
if [ -x /usr/bin/sw_vers ]; then
OS_NAME=$(/usr/bin/sw_vers -productName)
OS_VERSION=$(/usr/bin/sw_vers -productVersion)
2016-10-15 11:27:04 +02:00
OS_VERSION_NAME="unknown"
2016-10-26 12:19:01 +02:00
OS_FULLNAME="macOS (unknown version)"
2016-10-15 10:43:45 +02:00
case ${OS_VERSION} in
10.0 | 10.0.[0-9]*) OS_FULLNAME="Mac OS X 10.0 (Cheetah)" ;;
10.1 | 10.1.[0-9]*) OS_FULLNAME="Mac OS X 10.1 (Puma)" ;;
10.2 | 10.2.[0-9]*) OS_FULLNAME="Mac OS X 10.2 (Jaguar)" ;;
10.3 | 10.3.[0-9]*) OS_FULLNAME="Mac OS X 10.3 (Panther)" ;;
10.4 | 10.4.[0-9]*) OS_FULLNAME="Mac OS X 10.4 (Tiger)" ;;
10.5 | 10.5.[0-9]*) OS_FULLNAME="Mac OS X 10.5 (Leopard)" ;;
10.6 | 10.6.[0-9]*) OS_FULLNAME="Mac OS X 10.6 (Snow Leopard)" ;;
10.7 | 10.7.[0-9]*) OS_FULLNAME="Mac OS X 10.7 (Lion)" ;;
10.8 | 10.8.[0-9]*) OS_FULLNAME="Mac OS X 10.8 (Mountain Lion)" ;;
10.9 | 10.9.[0-9]*) OS_FULLNAME="Mac OS X 10.9 (Mavericks)" ;;
2016-10-26 12:19:01 +02:00
10.10 | 10.10.[0-9]*) OS_FULLNAME="Mac OS X 10.10 (Yosemite)" ;;
10.11 | 10.11.[0-9]*) OS_FULLNAME="Mac OS X 10.11 (El Capitan)" ;;
10.12 | 10.12.[0-9]*) OS_FULLNAME="macOS Sierra (${OS_VERSION})" ;;
10.13 | 10.13.[0-9]*) OS_FULLNAME="macOS High Sierra (${OS_VERSION})" ;;
2018-12-13 12:12:26 +01:00
10.14 | 10.14.[0-9]*) OS_FULLNAME="macOS Mojave (${OS_VERSION})" ;;
2016-10-15 11:27:04 +02:00
*) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
2016-10-15 10:43:45 +02:00
esac
2014-08-26 17:33:55 +02:00
else
# Fall back to a fairly safe name
2016-10-15 10:43:45 +02:00
OS_NAME="macOS"
# uname -s -r shows Darwin 16.1.0
OS_FULLNAME=$(uname -s -r)
# shows 16.1.0 for Darwin's version, not macOS's
OS_VERSION=$(uname -r)
fi
HARDWARE=$(uname -m)
HOMEDIRS="/Users"
FIND_BINARIES="whereis"
OS_KERNELVERSION=$(uname -r)
SYSCTL_READKEY=""
2014-08-26 17:33:55 +02:00
;;
# DragonFly BSD
DragonFly)
OS="DragonFly"
OS_NAME="DragonFly BSD"
OS_FULLNAME=$(uname -s -r)
OS_VERSION=$(uname -r)
HARDWARE=$(uname -m)
HOMEDIRS="/home /root"
FIND_BINARIES="whereis -q -a -b"
OS_KERNELVERSION=$(uname -i)
SYSCTL_READKEY="sysctl -n"
2014-08-26 17:33:55 +02:00
;;
# FreeBSD
FreeBSD)
OS="FreeBSD"
OS_NAME="FreeBSD"
OS_FULLNAME=$(uname -s -r)
OS_VERSION=$(uname -r)
HARDWARE=$(uname -m)
HOMEDIRS="/home /root"
FIND_BINARIES="whereis -q -a -b"
OS_KERNELVERSION=$(uname -i)
SYSCTL_READKEY="sysctl -n"
# TrueOS
if [ -f /etc/defaults/trueos ]; then
OS_NAME="TrueOS"
LogText "Result: found TrueOS file, system is completely based on FreeBSD though. Only adjusting OS name."
fi
2014-08-26 17:33:55 +02:00
;;
# HP-UX
HP-UX)
OS="HP-UX"
OS_NAME="HP-UX"
OS_FULLNAME=$(uname -s -r)
OS_VERSION=$(uname -r)
HARDWARE=$(uname -m)
FIND_BINARIES="whereis -b"
SYSCTL_READKEY=""
LOGDIR="/var/adm/syslog"
2014-08-26 17:33:55 +02:00
;;
# Linux
Linux)
OS="Linux"
OS_NAME="Linux"
OS_FULLNAME=""
OS_VERSION=$(uname -r)
LINUX_VERSION=""
HARDWARE=$(uname -m)
HOMEDIRS="/home"
FIND_BINARIES="whereis -b"
OS_KERNELVERSION_FULL=$(uname -r)
OS_KERNELVERSION=$(echo ${OS_KERNELVERSION_FULL} | sed 's/-.*//')
if [ -e /dev/grsec ]; then GRSEC_FOUND=1; fi
2016-10-16 11:50:23 +02:00
# Generic
if [ -e /etc/os-release ]; then
OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
2016-10-16 11:57:19 +02:00
if [ ! -z "${OS_ID}" ]; then
case ${OS_ID} in
"arch")
LINUX_VERSION="Arch Linux"
OS_FULLNAME="Arch Linux"
OS_VERSION="Rolling release"
;;
2016-10-16 11:57:19 +02:00
"coreos")
2016-10-16 11:50:23 +02:00
LINUX_VERSION="CoreOS"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
2016-10-16 11:55:11 +02:00
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
2016-10-16 11:50:23 +02:00
OS_NAME="CoreOS Linux"
;;
2017-03-12 19:27:04 +01:00
"manjaro")
LINUX_VERSION="Manjaro Linux"
OS_FULLNAME="Manjaro Linux"
OS_VERSION="Rolling release"
;;
2016-10-16 11:57:19 +02:00
"ubuntu")
2016-10-16 11:55:11 +02:00
LINUX_VERSION="Ubuntu"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu Linux"
;;
"opensuse-tumbleweed")
LINUX_VERSION="openSUSE Tumbleweed"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
# It's rolling release but has a snapshot version (the date of the snapshot)
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE"
;;
"opensuse-leap")
LINUX_VERSION="openSUSE Leap"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE"
;;
2016-10-16 11:50:23 +02:00
*)
2016-10-16 11:55:11 +02:00
Debug "Unknown OS found in /etc/os-release. Do you know what it is? Create an issue at ${PROGRAM_SOURCE}"
2016-10-16 11:50:23 +02:00
;;
esac
fi
fi
# Amazon
if [ -e "/etc/system-release" ]; then
FIND=$(grep "Amazon" /etc/system-release)
if [ ! "${FIND}" = "" ]; then
OS_REDHAT_OR_CLONE=1
OS_FULLNAME=$(grep "^Amazon" /etc/system-release)
OS_VERSION=$(grep "^Amazon" /etc/system-release | awk '{ if ($4=="release") { print $5 } }')
LINUX_VERSION="Amazon"
fi
fi
# Arch Linux
if [ -z "${OS_FULLNAME}" -a -e "/etc/arch-release" ]; then
OS_FULLNAME="Arch Linux"
OS_VERSION="Unknown"
LINUX_VERSION="Arch Linux"
fi
# Chakra Linux
if [ -e "/etc/chakra-release" ]; then
OS_FULLNAME=$(grep "^Chakra" /etc/chakra-release)
OS_VERSION=$(awk '/^Chakra/ { if ($3=="release") { print $4 }}' /etc/chakra-release)
LINUX_VERSION="Chakra Linux"
fi
# Cobalt
if [ -e "/etc/cobalt-release" ]; then OS_FULLNAME=$(cat /etc/cobalt-release); fi
# CPUBuilders Linux
if [ -e "/etc/cpub-release" ]; then OS_FULLNAME=$(cat /etc/cpub-release); fi
# Debian/Ubuntu (***) - Set first to Debian
if [ -e "/etc/debian_version" ]; then
OS_VERSION=$(cat /etc/debian_version)
OS_FULLNAME="Debian ${OS_VERSION}"
LINUX_VERSION="Debian"
fi
# /etc/lsb-release does not exist on Debian
if [ -e "/etc/debian_version" -a -e /etc/lsb-release ]; then
2016-05-03 12:40:05 +02:00
OS_VERSION=$(cat /etc/debian_version)
FIND=$(grep "^DISTRIB_ID=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g')
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "Ubuntu" ]; then
2016-05-03 12:40:05 +02:00
OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2)
2014-08-26 17:33:55 +02:00
OS_FULLNAME="Ubuntu ${OS_VERSION}"
LINUX_VERSION="Ubuntu"
elif [ "${FIND}" = "elementary OS" ]; then
2014-08-26 17:33:55 +02:00
LINUX_VERSION="elementary OS"
2016-05-03 12:40:05 +02:00
OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2)
OS_FULLNAME=$(grep "^DISTRIB_DESCRIPTION=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g')
else
2014-08-26 17:33:55 +02:00
# Catch all, in case it's unclear what specific release this is.
OS_FULLNAME="Debian ${OS_VERSION}"
LINUX_VERSION="Debian"
fi
2016-05-03 12:40:05 +02:00
# Ubuntu test (optional) $(grep "[Uu]buntu" /proc/version)
fi
2017-08-19 10:50:53 +02:00
# Override for Linux Mint, as that is initially detected as Debian or Ubuntu
if [ -x /usr/bin/lsb_release ]; then
FIND=$(lsb_release --id | awk -F: '{ print $2 }' | awk '{ print $1 }')
2017-08-19 10:50:53 +02:00
if [ "${FIND}" = "LinuxMint" ]; then
LINUX_VERSION="Linux Mint"
OS_VERSION=$(lsb_release --release | awk '{ print $2 }')
OS_FULLNAME="Linux Mint ${OS_VERSION}"
fi
fi
# E-smith
if [ -e "/etc/e-smith-release" ]; then OS_FULLNAME=$(cat /etc/e-smith-release); fi
# Gentoo
if [ -e "/etc/gentoo-release" ]; then LINUX_VERSION="Gentoo"; OS_FULLNAME=$(cat /etc/gentoo-release); fi
# Red Hat and others
if [ -e "/etc/redhat-release" ]; then
2014-08-26 17:33:55 +02:00
OS_REDHAT_OR_CLONE=1
# CentOS
2016-05-03 12:40:05 +02:00
FIND=$(grep "CentOS" /etc/redhat-release)
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
2016-05-03 12:40:05 +02:00
OS_FULLNAME=$(grep "CentOS" /etc/redhat-release)
2014-08-26 17:33:55 +02:00
LINUX_VERSION="CentOS"
OS_VERSION="${OS_FULLNAME}"
fi
# ClearOS
2016-05-03 12:40:05 +02:00
FIND=$(grep "ClearOS" /etc/redhat-release)
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
2016-05-03 12:40:05 +02:00
OS_FULLNAME=$(grep "ClearOS" /etc/redhat-release)
2014-08-26 17:33:55 +02:00
LINUX_VERSION="ClearOS"
OS_VERSION="${OS_FULLNAME}"
fi
# Fedora
2016-05-03 12:40:05 +02:00
FIND=$(grep "Fedora" /etc/redhat-release)
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
2016-05-03 12:40:05 +02:00
OS_FULLNAME=$(grep "Fedora" /etc/redhat-release)
2014-08-26 17:33:55 +02:00
OS_VERSION="${OS_FULLNAME}"
LINUX_VERSION="Fedora"
fi
# Mageia (has also /etc/megaia-release)
2016-05-03 12:40:05 +02:00
FIND=$(grep "Mageia" /etc/redhat-release)
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
2016-05-03 12:40:05 +02:00
OS_FULLNAME=$(grep "^Mageia" /etc/redhat-release)
OS_VERSION=$(grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }')
2014-08-26 17:33:55 +02:00
LINUX_VERSION="Mageia"
fi
# Oracle Enterprise Linux
2016-05-03 12:40:05 +02:00
FIND=$(grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release)
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
2016-07-31 21:04:07 +02:00
LINUX_VERSION="Oracle Enterprise Linux"
OS_FULLNAME=$(grep "Enterprise Linux" /etc/redhat-release)
OS_VERSION="${OS_FULLNAME}"
2014-08-26 17:33:55 +02:00
fi
# Oracle Enterprise Linux
if [ -e /etc/oracle-release ]; then
2016-05-03 12:40:05 +02:00
FIND=$(grep "Oracle Linux Server" /etc/oracle-release)
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
2016-07-31 21:04:07 +02:00
LINUX_VERSION="Oracle Enterprise Linux"
OS_FULLNAME=$(grep "Oracle Linux" /etc/oracle-release)
OS_VERSION="${OS_FULLNAME}"
2014-08-26 17:33:55 +02:00
fi
fi
# Oracle VM Server
if [ -e /etc/ovs-release ]; then
2016-05-03 12:40:05 +02:00
FIND=$(grep "Oracle VM" /etc/ovs-release)
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
2016-07-31 21:04:07 +02:00
LINUX_VERSION="Oracle VM Server"
OS_FULLNAME=$(grep "Oracle VM" /etc/ovs-release)
OS_VERSION="${OS_FULLNAME}"
2014-08-26 17:33:55 +02:00
fi
fi
# Scientific
2016-05-03 12:40:05 +02:00
FIND=$(grep "Scientific" /etc/redhat-release)
2014-08-26 17:33:55 +02:00
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=$(grep "^Scientific" /etc/redhat-release)
2016-05-03 12:40:05 +02:00
OS_VERSION=$(grep "^Scientific" /etc/redhat-release | awk '{ if ($3=="release") { print $4 } }')
2014-08-26 17:33:55 +02:00
LINUX_VERSION="Scientific"
fi
if [ -z "${LINUX_VERSION}" ]; then
# Red Hat
FIND=$(grep "Red Hat" /etc/redhat-release)
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=$(grep "Red Hat" /etc/redhat-release)
OS_VERSION="${OS_FULLNAME}"
LINUX_VERSION="Red Hat"
fi
fi
fi
# PCLinuxOS
if [ -f /etc/pclinuxos-release ]; then
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
FIND=$(grep "^PCLinuxOS" /etc/pclinuxos-release)
if [ ! "${FIND}" = "" ]; then
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
OS_FULLNAME="PCLinuxOS Linux"
LINUX_VERSION="PCLinuxOS"
OS_VERSION=$(grep "^PCLinuxOS" /etc/pclinuxos-release | awk '{ if ($2=="release") { print $3 } }')
fi
fi
# Sabayon Linux
if [ -f /etc/sabayon-edition ]; then
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
FIND=$(grep "Sabayon Linux" /etc/sabayon-edition)
if [ ! "${FIND}" = "" ]; then
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
OS_FULLNAME="Sabayon Linux"
LINUX_VERSION="Sabayon"
OS_VERSION=$(awk '{ print $3 }' /etc/sabayon-edition)
fi
fi
if [ -f /etc/SLOX-release ]; then
OS_FULLNAME=$(grep "SuSE Linux" /etc/SLOX-release)
LINUX_VERSION="SuSE"
fi
# Slackware
if [ -f /etc/slackware-version ]; then
LINUX_VERSION="Slackware"
OS_VERSION=$(grep "^Slackware" /etc/slackware-version | awk '{ if ($1=="Slackware") { print $2 } }')
OS_FULLNAME="Slackware Linux ${OS_VERSION}"
fi
# SuSE
if [ -e "/etc/SuSE-release" ]; then
OS_VERSION=$(head -n 1 /etc/SuSE-release)
LINUX_VERSION="SuSE"
fi
# Turbo Linux
if [ -e "/etc/turbolinux-release" ]; then OS_FULLNAME=$(cat /etc/turbolinux-release); fi
2014-08-26 17:33:55 +02:00
# YellowDog
if [ -e "/etc/yellowdog-release" ]; then OS_FULLNAME=$(cat /etc/yellowdog-release); fi
# VMware
if [ -e "/etc/vmware-release" ]; then
OS_FULLNAME=$(cat /etc/vmware-release)
OS_VERSION=$(uname -r)
IS_VMWARE_ESXI=$(vmware -vl | grep VMware ESXi)
if [ ! "${IS_VMWARE_ESXI}" = "" ]; then
OS_FULLNAME="VMware ESXi ${OS_VERSION}"
fi
fi
# ===================================================================
# Set OS name to the discovered Linux version
if [ ! "${LINUX_VERSION}" = "" -a "${OS_NAME}" = "Linux" ]; then
OS_NAME="${LINUX_VERSION}"
fi
# If Linux version (full name) is unknown, use uname value
if [ "${OS_FULLNAME}" = "" ]; then OS_FULLNAME=$(uname -s -r); fi
SYSCTL_READKEY="sysctl -n"
2014-08-26 17:33:55 +02:00
;;
# NetBSD
NetBSD)
OS="NetBSD"
OS_NAME="NetBSD"
OS_FULLNAME=$(uname -s -r)
OS_KERNELVERSION=$(uname -v)
OS_VERSION=$(uname -r)
HARDWARE=$(uname -m)
FIND_BINARIES="whereis"
SYSCTL_READKEY=""
2014-08-26 17:33:55 +02:00
;;
# OpenBSD
OpenBSD)
OS="OpenBSD"
OS_NAME="OpenBSD"
OS_FULLNAME=$(uname -s -r)
OS_KERNELVERSION=$(uname -v)
OS_VERSION=$(uname -r)
HARDWARE=$(uname -m)
FIND_BINARIES="whereis"
SYSCTL_READKEY=""
2014-08-26 17:33:55 +02:00
;;
# Solaris / OpenSolaris
SunOS)
OS="Solaris"
OS_NAME="Sun Solaris"
OS_FULLNAME=$(uname -s -r)
OS_VERSION=$(uname -r)
HARDWARE=$(uname -m)
if [ -x /usr/bin/isainfo ]; then
# Returns 32, 64
OS_MODE=$(/usr/bin/isainfo -b)
fi
SYSCTL_READKEY=""
2014-08-26 17:33:55 +02:00
;;
2015-12-16 13:40:28 +01:00
# VMware products
VMkernel)
OS="VMware"
OS_FULLNAME=""
OS_VERSION=""
2016-05-03 12:40:05 +02:00
HARDWARE=$(uname -m)
2015-12-16 13:40:28 +01:00
if [ -e "/etc/vmware-release" ]; then
2016-05-03 12:40:05 +02:00
OS_FULLNAME=$(cat /etc/vmware-release)
OS_VERSION=$(uname -r)
2015-12-16 13:40:28 +01:00
fi
A bunch of Solaris compatibility tweaks (#367) * Work around Solaris' /bin/sh not being POSIX. If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or a derivative, and /bin/sh cannot be trusted to support POSIX, but /usr/xpg4/bin/sh can be. Exec it right away. * Work around Solaris 'which' command oddity. Solaris' (at least) 'which' command outputs not-found errors to STDOUT instead of STDERR. This makes "did we get any output from which" checks insufficient; piping to grep -v the "no foo in ..." message should work. Note that this patch set includes all such uses of which that I could find, including ones that should never be reached on Solaris (i.e. only executed on some other OS) just for consistency. * Improved alternate-sh exec to avoid looping. * Solaris' /usr/ucb/echo supports -n. * Check for the best hash type that openssl supports. When using openssl to generate hashes, do not assume it supports sha256; try that, then sha1, then give up and use md5. * Solaris does not support sed -i; use a tempfile. * Use the full path for modinfo. When running as non-root, /usr/sbin/ might not be in PATH. include/tests_accounting already calls modinfo by full path, but include/tests_kernel did not. * Solaris find does not support -maxdepth. This mirrors the logic already in tests_homedirs. * Use PSBINARY instead of ps. * Work around Solaris' date not supporting +%s. Printing nawk's srand value is a bizarre but apparently once popular workaround for there being no normal userland command to print UNIX epoch seconds. A perl one-liner is the other common approach, but nawk may be more reliably present on Solaris than perl. * Revert to using sha1 for HOSTID. * Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
HAS_VMWARE_UTIL=$(which vmware 2> /dev/null | grep -v "no [^ ]* in ")
2015-12-16 13:40:28 +01:00
if [ ! "${HAS_VMWARE_UTIL}" = "" ]; then
2016-05-03 12:40:05 +02:00
IS_VMWARE_ESXI=$(vmware -vl | grep VMware ESXi)
2015-12-16 13:40:28 +01:00
if [ ! "${IS_VMWARE_ESXI}" = "" ]; then
OS_NAME="VMware ESXi"
OS_FULLNAME="VMware ESXi ${OS_VERSION}"
fi
fi
;;
2014-08-26 17:33:55 +02:00
# Unknown or unsupported systems
*)
echo "[ ${WARNING}WARNING${NORMAL} ]"
echo "${WARNING}Error${NORMAL}: ${WHITE}Unknown OS found. No support available yet for this OS or platform...${NORMAL}"
echo "Please consult the README/documentation for more information."
exit 1
2014-08-26 17:33:55 +02:00
;;
esac
# Set correct echo binary and parameters after detecting operating system
ECHONB=""
2014-08-26 17:33:55 +02:00
case ${OS} in
"AIX") ECHOCMD="echo" ;;
"DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;;
"macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;;
A bunch of Solaris compatibility tweaks (#367) * Work around Solaris' /bin/sh not being POSIX. If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or a derivative, and /bin/sh cannot be trusted to support POSIX, but /usr/xpg4/bin/sh can be. Exec it right away. * Work around Solaris 'which' command oddity. Solaris' (at least) 'which' command outputs not-found errors to STDOUT instead of STDERR. This makes "did we get any output from which" checks insufficient; piping to grep -v the "no foo in ..." message should work. Note that this patch set includes all such uses of which that I could find, including ones that should never be reached on Solaris (i.e. only executed on some other OS) just for consistency. * Improved alternate-sh exec to avoid looping. * Solaris' /usr/ucb/echo supports -n. * Check for the best hash type that openssl supports. When using openssl to generate hashes, do not assume it supports sha256; try that, then sha1, then give up and use md5. * Solaris does not support sed -i; use a tempfile. * Use the full path for modinfo. When running as non-root, /usr/sbin/ might not be in PATH. include/tests_accounting already calls modinfo by full path, but include/tests_kernel did not. * Solaris find does not support -maxdepth. This mirrors the logic already in tests_homedirs. * Use PSBINARY instead of ps. * Work around Solaris' date not supporting +%s. Printing nawk's srand value is a bizarre but apparently once popular workaround for there being no normal userland command to print UNIX epoch seconds. A perl one-liner is the other common approach, but nawk may be more reliably present on Solaris than perl. * Revert to using sha1 for HOSTID. * Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
"Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;;
"Linux")
# Check if dash is used (Debian/Ubuntu)
DEFAULT_SHELL=$(ls -l /bin/sh | awk -F'>' '{print $2}')
case ${DEFAULT_SHELL} in
" dash") ECHOCMD="/bin/echo -e" ;;
*) ECHOCMD="echo -e" ;;
esac
;;
*) ECHOCMD="echo -e" ;;
2014-08-26 17:33:55 +02:00
esac
# Check if we have full featured commands, or are using BusyBox as a shell
if [ -x /bin/busybox ]; then
if [ -L /bin/ps ]; then
ShowSymlinkPath /bin/ps
if [ "${SYMLINK}" = "/bin/busybox" ]; then
SHELL_IS_BUSYBOX=1
fi
fi
fi
2018-09-19 13:28:46 +02:00
# Specific checks for hardware
# Detect if we are using a QNAP NAS
if [ -d /share/CACHEDEV1_DATA/.qpkg ]; then
QNAP_DEVICE=1
fi
# Check if this OS is end-of-life
EOL=255
EOL_DATE=""
if [ ! -z "${OS_VERSION}" ]; then
if [ -f "${DBDIR}/software-eol.db" ]; then
FIND="${OS_FULLNAME}"
2019-03-04 12:13:47 +01:00
EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
#EOL_DATE=$(grep "os:${FIND}" ${DBDIR}/software-eol.db | awk -F: '{print $3}' | head -n 1)
if [ ! -z "${EOL_DATE}" ]; then
NOW=$(date "+%s")
FIND=$(date "+%s" --date=${EOL_DATE})
if [ ! -z "${FIND}" ]; then
if [ ${NOW} -gt ${FIND} ]; then
EOL=1
else
EOL=0
fi
fi
fi
fi
fi
2018-09-19 13:28:46 +02:00
2014-08-26 17:33:55 +02:00
#================================================================================
2016-05-03 12:40:05 +02:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com