#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
######################################################################
#
# Helper program to perform a remote scan
#
######################################################################
#
# Options:
# ---------
# This helper takes no options of its own. It relies on two variables that the
# caller is expected to set before this file is sourced (neither is defined
# here):
#   REMOTE_TARGET  - the scp/ssh destination, in scp syntax (e.g. user@host)
#   REMOTE_COMMAND - the command to run inside the unpacked lynis directory
#
# How to use:
# ------------
# The helper does not execute anything itself. For each step below it prints
# the exact command line to run, so that it can be reviewed first and then
# pasted into a shell. The printed commands are only as trustworthy as the
# values of REMOTE_TARGET and REMOTE_COMMAND: review them before running them.
#
# Steps for a remote scan:
# 1) Create a tarball of the local lynis directory in ./files
# 2) Copy the tarball to the target with scp
# 3) Unpack it on the target and run REMOTE_COMMAND in the unpacked directory
# 4) Remove the unpacked directory on the target
# 5) Retrieve /tmp/lynis.log and /tmp/lynis-report.dat from the target into ./files
# 6) Remove the log and report from /tmp on the target
#
# Note: the 'lynis update info' / 'lynis update release' options and the link
# to the upgrading documentation that used to be listed in this header describe
# the update functionality, not this helper.
#
######################################################################
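# Enable screen output again
QUIET=0

# Locate scp and ssh. The Solaris 'which' prints its "no foo in ..." message on
# stdout instead of stderr, so checking for empty output alone is not enough;
# the grep filter drops that message so a missing binary yields an empty value.
SCP_BINARY=$(which scp 2> /dev/null | grep -v "no [^ ]* in ")
SSH_BINARY=$(which ssh 2> /dev/null | grep -v "no [^ ]* in ")
if [ "${SCP_BINARY}" = "" ]; then echo "Could not find scp binary"; ExitFatal; fi
if [ "${SSH_BINARY}" = "" ]; then echo "Could not find ssh binary"; ExitFatal; fi

# REMOTE_TARGET and REMOTE_COMMAND are provided by the caller; neither is set in
# this file. The target is pasted verbatim into the ssh/scp command lines below
# and into local file names under ./files, so only accept what a destination
# (host, user@host, or a bracketed IPv6 address) needs. Anything else -
# whitespace, quotes, '/', ';', '$' and so on - would otherwise end up inside
# those commands and paths. A leading '-' is rejected separately because ssh
# and scp would parse it as an option (e.g. -oProxyCommand=...) instead of a host.
case "${REMOTE_TARGET}" in
    "")
        echo "No remote target defined"; ExitFatal
        ;;
    -*)
        echo "Remote target may not start with a dash"; ExitFatal
        ;;
    *[!]A-Za-z0-9._@:[-]*)
        echo "Remote target contains characters that are not allowed"; ExitFatal
        ;;
esac
if [ "${REMOTE_COMMAND}" = "" ]; then echo "No remote command defined"; ExitFatal; fi

# Name of the tarball (used inside the step 1 command) and its local path
# (used from step 2 onwards).
LYNIS_TARBALL_NAME="lynis-remote.tar.gz"
LYNIS_TARBALL="./files/${LYNIS_TARBALL_NAME}"

# Nothing below is executed by this helper: every step only prints the command
# line to run, so that it can be reviewed first and then pasted into a shell.
# That is also why no exit codes are checked here.
echo ""
echo " ${BLUE}* ${WHITE}Step 1${NORMAL}: ${CYAN}Create tarball${NORMAL}"
# Assumes the current directory is the lynis checkout and that it is named
# 'lynis'. The whole ./lynis/files directory is excluded rather than only the
# tarball itself: logs and reports retrieved from other targets (step 5) are
# stored there and must not be shipped to this target.
printf "%s\n\n" " mkdir -p ./files && cd .. && tar czf ./lynis/files/${LYNIS_TARBALL_NAME} --exclude=./lynis/files ./lynis && cd lynis"

echo " ${BLUE}* ${WHITE}Step 2${NORMAL}: ${CYAN}Copy tarball to target ${REMOTE_TARGET}${NORMAL}"
printf "%s\n\n" " scp -q ${LYNIS_TARBALL} ${REMOTE_TARGET}:~/tmp-lynis-remote.tgz"

echo " ${BLUE}* ${WHITE}Step 3${NORMAL}: ${CYAN}Execute audit command${NORMAL}"
# REMOTE_COMMAND is embedded verbatim in the quoted command string handed to
# ssh and runs inside the unpacked tree on the target.
printf "%s\n\n" " ssh ${REMOTE_TARGET} \"mkdir -p ~/tmp-lynis && cd ~/tmp-lynis && tar xzf ../tmp-lynis-remote.tgz && rm ../tmp-lynis-remote.tgz && cd lynis && ${REMOTE_COMMAND}\""

echo " ${BLUE}* ${WHITE}Step 4${NORMAL}: ${CYAN}Clean up directory${NORMAL}"
printf "%s\n\n" " ssh ${REMOTE_TARGET} rm -rf ~/tmp-lynis"

echo " ${BLUE}* ${WHITE}Step 5${NORMAL}: ${CYAN}Retrieve log and report${NORMAL}"
# The log and report are expected under fixed names in /tmp on the target
# (step 6 notes this is the non-privileged case). /tmp is shared with every
# local user on that system, so these names are predictable: another user could
# create or replace the files before they are retrieved. Treat the retrieved
# files as untrusted input, and prefer a private location if REMOTE_COMMAND
# allows one.
printf "%s\n" " scp -q ${REMOTE_TARGET}:/tmp/lynis.log ./files/${REMOTE_TARGET}-lynis.log"
printf "%s\n\n" " scp -q ${REMOTE_TARGET}:/tmp/lynis-report.dat ./files/${REMOTE_TARGET}-lynis-report.dat"

echo " ${BLUE}* ${WHITE}Step 6${NORMAL}: ${CYAN}Clean up tmp files (when using non-privileged account)${NORMAL}"
printf "%s\n\n" " ssh ${REMOTE_TARGET} rm /tmp/lynis.log /tmp/lynis-report.dat"

# No more Lynis output
QUIET=1

# The End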