2014-08-26 17:33:55 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Lynis
|
|
|
|
# ------------------
|
|
|
|
#
|
2016-03-13 16:00:39 +01:00
|
|
|
# Copyright 2007-2013, Michael Boelen
|
|
|
|
# Copyright 2013-2016, CISOfy
|
|
|
|
#
|
|
|
|
# Website : https://cisofy.com
|
|
|
|
# Blog : http://linux-audit.com
|
|
|
|
# GitHub : https://github.com/CISOfy/lynis
|
2014-08-26 17:33:55 +02:00
|
|
|
#
|
|
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
|
|
# See LICENSE file for usage of this software.
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Data upload
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
2016-04-05 10:02:32 +02:00
|
|
|
PROGRAM_VERSION="104"
|
2014-12-05 12:06:41 +01:00
|
|
|
|
2015-02-03 18:26:30 +01:00
|
|
|
# Data upload destination
|
2016-03-04 03:06:32 +01:00
|
|
|
if [ "${UPLOAD_SERVER}" = "" ]; then UPLOAD_SERVER="portal.cisofy.com"; fi
|
2015-02-03 18:26:30 +01:00
|
|
|
UPLOAD_URL="https://${UPLOAD_SERVER}/upload/"
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Upload server: ${UPLOAD_SERVER}"
|
|
|
|
LogText "URL to upload to: ${UPLOAD_URL}"
|
2014-12-05 12:06:41 +01:00
|
|
|
|
2015-02-03 18:26:30 +01:00
|
|
|
# License server (set to upload server if not configured)
|
2016-03-03 10:20:23 +01:00
|
|
|
if [ "${LICENSE_SERVER}" = "" ]; then LICENSE_SERVER="${UPLOAD_SERVER}"; fi
|
2015-02-03 18:26:30 +01:00
|
|
|
LICENSE_SERVER_URL="https://${LICENSE_SERVER}/license/"
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "License server: ${LICENSE_SERVER}"
|
2015-02-03 18:26:30 +01:00
|
|
|
|
2016-04-05 10:02:32 +02:00
|
|
|
# Additional options to curl
|
|
|
|
if [ "${UPLOAD_OPTIONS}" = "" ]; then
|
|
|
|
CURL_OPTIONS=""
|
|
|
|
else
|
|
|
|
CURL_OPTIONS=" ${UPLOAD_OPTIONS}"
|
|
|
|
fi
|
|
|
|
|
|
|
|
SETTINGS_FILE="${PROFILE}"
|
2014-08-26 17:33:55 +02:00
|
|
|
|
|
|
|
# Only output text to stdout if DEBUG mode is not used
|
|
|
|
output()
|
|
|
|
{
|
|
|
|
if [ ${DEBUG} -eq 1 ]; then echo "$1"; fi
|
|
|
|
}
|
|
|
|
|
|
|
|
#####################################################################################
|
|
|
|
#
|
|
|
|
# SYSTEM CHECKS
|
|
|
|
#
|
|
|
|
#####################################################################################
|
|
|
|
|
|
|
|
output "Lynis Enterprise data uploader starting"
|
|
|
|
output "Settings file: ${SETTINGS_FILE}"
|
|
|
|
|
|
|
|
# Check if we can find curl
|
|
|
|
# Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
|
|
|
|
# Restrict access to this binary to the user who is running this script.
|
|
|
|
if [ "${CURLBINARY}" = "" ]; then
|
|
|
|
echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Error: Could not find cURL binary"
|
2014-08-26 17:33:55 +02:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Extra the license key from the settings file
|
|
|
|
if [ "${LICENSE_KEY}" = "" ]; then
|
|
|
|
echo "Fatal: no license key found. Quitting.."
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Error: no license key was specified in the profile (${PROFILE})"
|
2015-01-30 19:58:00 +01:00
|
|
|
ExitFatal
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
|
|
|
output "License key = ${LICENSE_KEY}"
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
#####################################################################################
|
|
|
|
#
|
|
|
|
# JOB CONTROL
|
|
|
|
#
|
|
|
|
#####################################################################################
|
|
|
|
|
2016-04-05 10:02:32 +02:00
|
|
|
|
2014-08-26 17:33:55 +02:00
|
|
|
# Check report file
|
|
|
|
if [ -f ${REPORTFILE} ]; then
|
|
|
|
output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.."
|
2016-02-15 13:50:03 +01:00
|
|
|
|
|
|
|
if [ ! "${UPLOAD_PROXY_SERVER}" = "" ]; then
|
|
|
|
LogText "Upload: Proxy is configured: ${UPLOAD_SERVER}"
|
2016-04-05 10:02:32 +02:00
|
|
|
# Port is optional
|
2016-02-15 13:50:03 +01:00
|
|
|
if [ ! "${UPLOAD_PROXY_PORT}" = "" ]; then
|
|
|
|
LogText "Upload: Proxy port number is ${UPLOAD_PROXY_PORT}"
|
|
|
|
UPLOAD_PROXY_PORT=":${UPLOAD_PROXY_PORT}"
|
|
|
|
fi
|
|
|
|
LogText "Upload: Proxy protocol is ${UPLOAD_PROXY_PROTOCOL}"
|
|
|
|
case ${UPLOAD_PROXY_PROTOCOL} in
|
2016-04-05 10:02:32 +02:00
|
|
|
"http"|"https")
|
|
|
|
UPLOAD_PROXY="${UPLOAD_PROXY_PROTOCOL}://${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
|
2016-02-15 13:50:03 +01:00
|
|
|
CURL_OPTIONS="${CURL_OPTIONS} --proxy ${UPLOAD_PROXY}"
|
|
|
|
;;
|
|
|
|
"socks5")
|
|
|
|
UPLOAD_PROXY="${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
|
|
|
|
CURL_OPTIONS="${CURL_OPTIONS} --socks5 ${UPLOAD_PROXY}"
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
echo "Unknown protocol. Please report to lynis-dev@cisofy.com"
|
|
|
|
ExitFatal
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
|
2016-04-05 10:02:32 +02:00
|
|
|
# Currently compressed uploads are not supported yet on central node. Therefore default value is set to 0.
|
|
|
|
if [ ${COMPRESSED_UPLOADS} -eq 1 ]; then
|
|
|
|
CURL_OPTIONS="${CURL_OPTIONS} --compressed -H 'Content-Encoding: gzip'"
|
|
|
|
fi
|
|
|
|
|
2014-08-26 17:33:55 +02:00
|
|
|
# Quit if license is not valid, to reduce load on both client and server.
|
2016-02-15 13:50:03 +01:00
|
|
|
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
|
|
|
|
UPLOAD=`${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null`
|
2015-08-19 15:51:52 +02:00
|
|
|
EXITCODE=$?
|
|
|
|
if [ ${EXITCODE} -gt 0 ]; then
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Exit code: ${EXITCODE}"
|
2016-04-05 10:02:32 +02:00
|
|
|
if [ ${EXITCODE} -eq 5 ]; then
|
|
|
|
LogText "Result: could not resolve the defined proxy server (${UPLOAD_PROXY_SERVER})."
|
|
|
|
LogText "Suggestion: check if the proxy is properly defined in the profile."
|
|
|
|
echo "${RED}Error${NORMAL}: could not use the defined proxy (${UPLOAD_PROXY_SERVER}). See ${LOGFILE} for details."
|
|
|
|
elif [ ${EXITCODE} -eq 7 ]; then
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Result: could not contact license server."
|
|
|
|
LogText "Details: used URL ${LICENSE_SERVER_URL}"
|
|
|
|
LogText "Suggestion: check if the upload host is correctly configured."
|
2015-11-22 20:43:06 +01:00
|
|
|
echo "${RED}Error${NORMAL}: license server not available. See ${LOGFILE} for details."
|
2015-11-22 19:35:34 +01:00
|
|
|
elif [ ${EXITCODE} -eq 60 ]; then
|
2015-08-19 16:19:14 +02:00
|
|
|
echo "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}"
|
|
|
|
echo "If you want to accept a self-signed certificate, use the -k option in the profile."
|
2015-08-19 16:20:21 +02:00
|
|
|
echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}"
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Result: found self-signed certificate, however cURL -k option not used."
|
2015-08-19 15:51:52 +02:00
|
|
|
else
|
2015-11-22 19:35:34 +01:00
|
|
|
echo "${RED}Upload Error: ${NORMAL}cURL exited with code ${EXITCODE}. See ${LOGFILE} for details."
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Result: cURL exited with code ${EXITCODE}."
|
2015-08-19 15:51:52 +02:00
|
|
|
fi
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Result: quitting, can't check license"
|
2015-08-19 15:51:52 +02:00
|
|
|
ExitFatal
|
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'`
|
|
|
|
if [ "${UPLOAD_CODE}" = "100" ]; then
|
2014-12-05 12:06:41 +01:00
|
|
|
output "${WHITE}License is valid${NORMAL}"
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Result: license is valid"
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Result: error while checking license"
|
|
|
|
LogText "Output: ${UPLOAD_CODE}"
|
2015-04-22 11:02:22 +02:00
|
|
|
echo "${RED}Fatal error: ${WHITE}Error while checking the license.${NORMAL}"
|
|
|
|
echo ""
|
|
|
|
echo "Possible causes and steps you can take:"
|
|
|
|
echo "- Connection with license server could not be established (try address in your web browser)"
|
2015-11-22 19:25:32 +01:00
|
|
|
echo "- Incorrect server has been configured in profile"
|
|
|
|
echo "- License is expired (listed in Configuration screen) or No credits left (listed in Configuration screen)"
|
|
|
|
echo "- Collector version of Lynis version outdated (upgrade to latest version of Lynis and/or Lynis Collector)"
|
2015-04-22 11:02:22 +02:00
|
|
|
echo ""
|
|
|
|
echo "If you need support in solving this, please contact support@cisofy.com and include this screen output."
|
|
|
|
echo ""
|
|
|
|
echo "URL: ${LICENSE_SERVER_URL}"
|
|
|
|
echo "Key: ${LICENSE_KEY}"
|
2014-08-26 17:33:55 +02:00
|
|
|
output "Debug information: ${UPLOAD}"
|
|
|
|
# Quit
|
2015-08-19 15:51:52 +02:00
|
|
|
ExitFatal
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
# Extract the hostid from the parse file
|
2015-10-10 13:25:14 +02:00
|
|
|
HOSTID=`awk -F= '/^hostid=/ { print $2 }' ${REPORTFILE}`
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ! "${HOSTID}" = "" ]; then
|
|
|
|
output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
|
|
|
|
# Try to connect
|
|
|
|
output "Uploading data.."
|
2016-02-02 17:08:53 +01:00
|
|
|
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
|
2015-12-21 12:08:47 +01:00
|
|
|
UPLOAD=`${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL} 2> /dev/null`
|
2015-08-19 15:31:24 +02:00
|
|
|
EXITCODE=$?
|
|
|
|
if [ ${EXITCODE} -gt 0 ]; then
|
2016-01-07 12:57:24 +01:00
|
|
|
echo ""
|
2015-11-22 19:25:32 +01:00
|
|
|
echo "${RED}Upload Error${NORMAL}: cURL could not upload data. See ${LOGFILE} for details."
|
2016-01-07 12:57:24 +01:00
|
|
|
echo "Suggested command: tail -n 20 ${LOGFILE}"
|
|
|
|
echo ""
|
|
|
|
case ${EXITCODE} in
|
|
|
|
5) echo "${YELLOW}Error (5): ${NORMAL}Could not resolve the hostname of the proxy." ;;
|
|
|
|
6) echo "${YELLOW}Error (6): ${NORMAL}Could not resolve the hostname of central server." ;;
|
|
|
|
7) echo "${YELLOW}Error (7): ${NORMAL}Could not connect to central server or proxy server." ;;
|
|
|
|
59) echo "${YELLOW}Error (59): ${NORMAL}Could not connect because of used SSL cipher." ;;
|
|
|
|
83) echo "${YELLOW}Error (83): ${NORMAL}Could not check used certificate of server." ;;
|
|
|
|
*) echo "Related exit code: ${YELLOW}{EXITCODE}${NORMAL}. See man page of cURL for the meaning of this code." ;;
|
|
|
|
esac
|
|
|
|
if [ ! "${UPLOAD}" = "" ]; then echo ""; echo "Debug:"; echo ${UPLOAD}; fi
|
|
|
|
echo ""
|
2014-08-26 17:33:55 +02:00
|
|
|
# Quit
|
|
|
|
ExitClean
|
|
|
|
fi
|
|
|
|
else
|
2015-08-19 15:51:52 +02:00
|
|
|
echo "${RED}Error${NORMAL}: No hostid found in report file. Can not upload report file."
|
2014-08-26 17:33:55 +02:00
|
|
|
# Quit
|
2015-08-19 15:51:52 +02:00
|
|
|
ExitFatal
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
else
|
|
|
|
output "${YELLOW}No report file found to upload.${NORMAL}"
|
2015-08-19 15:51:52 +02:00
|
|
|
ExitFatal
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
|
|
|
|
#
|
|
|
|
#================================================================================
|
2016-03-13 16:03:46 +01:00
|
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|