Update to reflect renamed functions logtext and report

mboelen 2015-12-22 16:02:32 +01:00
parent ae6ca56581
commit 95832c61d1
9 changed files with 217 additions and 158 deletions


@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -216,4 +216,4 @@
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com


@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com # Web site: https://cisofy.com
# #
# This software is licensed under GPL, version 3. See LICENSE file for # This software is licensed under GPL, version 3. See LICENSE file for
@ -225,4 +225,4 @@ unset LANG
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com


@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), CISOfy # Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com), CISOfy
# Web site: https://cisofy.com # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -168,4 +168,4 @@ output "Settings file: ${SETTINGS_FILE}"
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com


@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen - CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2016, Michael Boelen - CISOfy (michael.boelen@cisofy.com)
# Website: https://cisofy.com # Website: https://cisofy.com
# #
# This software is licensed under GPL, version 3. See LICENSE file for # This software is licensed under GPL, version 3. See LICENSE file for
@ -43,8 +43,11 @@
# IsWorldExecutable Check if a file is world executable # IsWorldExecutable Check if a file is world executable
# IsWorldReadable Check if a file is world readable # IsWorldReadable Check if a file is world readable
# IsWorldWritable Check if a file is world writable # IsWorldWritable Check if a file is world writable
# LogText Log text strings to logfile, prefixed with date/time
# ParseNginx Parse nginx configuration lines # ParseNginx Parse nginx configuration lines
# Progress Show progress on screen # Progress Show progress on screen
# RandomString Show a random string
# Report Add string of data to report file
# ReportException Add an exception to the report file (for debugging purposes) # ReportException Add an exception to the report file (for debugging purposes)
# ReportSuggestion Add a suggestion to report file # ReportSuggestion Add a suggestion to report file
# ReportWarning Add a warning and priority to report file # ReportWarning Add a warning and priority to report file
@ -54,8 +57,7 @@
# ShowComplianceFinding Display a particular finding regarding compliance or a security standard # ShowComplianceFinding Display a particular finding regarding compliance or a security standard
# ShowSymlinkPath Show a path behind a symlink # ShowSymlinkPath Show a path behind a symlink
# ViewCategories Display tests categories # ViewCategories Display tests categories
# logtext Log text strings to logfile, prefixed with date/time # WaitForKeypress Wait for user to press a key to continue
# report Add string of data to report file
# #
################################################################################# #################################################################################
@ -65,7 +67,7 @@
HPADD=$1; HPADDMAX=$2 HPADD=$1; HPADDMAX=$2
HPPOINTS=`expr ${HPPOINTS} + ${HPADD}` HPPOINTS=`expr ${HPPOINTS} + ${HPADD}`
HPTOTAL=`expr ${HPTOTAL} + ${HPADDMAX}` HPTOTAL=`expr ${HPTOTAL} + ${HPADDMAX}`
logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}" LogText "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}"
} }
@ -77,7 +79,7 @@
AddSystemGroup() AddSystemGroup()
{ {
report "system_group[]=$1" Report "system_group[]=$1"
} }
@ -116,16 +118,16 @@
# Don't search in /dev/null, it's too empty there # Don't search in /dev/null, it's too empty there
if [ ! "${REPORTFILE}" = "/dev/null" ]; then if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets) # Check if we can find the main type (with or without brackets)
logtext "Test: search string $2 in earlier discovered results" LogText "Test: search string $2 in earlier discovered results"
FIND=`egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2"` FIND=`egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1 ITEM_FOUND=1
logtext "Result: found search string (result: $FIND)" LogText "Result: found search string (result: $FIND)"
else else
logtext "Result: search string NOT found" LogText "Result: search string NOT found"
fi fi
else else
logtext "Skipping search, as /dev/null is being used" LogText "Skipping search, as /dev/null is being used"
fi fi
else else
ReportException ${TEST_NO} "Error in function call to CheckItem" ReportException ${TEST_NO} "Error in function call to CheckItem"
@ -151,7 +153,7 @@
PROGRAM_LV=`drill txt ${LYNIS_LV_RECORD} | awk '{ if ($1=="lynis-latest-version.cisofy.com." && $4=="TXT") { print $5 }}' | tr -d '"' | grep "^[1-9][0-9][0-9]$"` PROGRAM_LV=`drill txt ${LYNIS_LV_RECORD} | awk '{ if ($1=="lynis-latest-version.cisofy.com." && $4=="TXT") { print $5 }}' | tr -d '"' | grep "^[1-9][0-9][0-9]$"`
if [ "${PROGRAM_LV}" = "" ]; then PROGRAM_LV=0; fi if [ "${PROGRAM_LV}" = "" ]; then PROGRAM_LV=0; fi
else else
logtext "Result: dig, drill or host not installed, update check skipped" LogText "Result: dig, drill or host not installed, update check skipped"
UPDATE_CHECK_SKIPPED=1 UPDATE_CHECK_SKIPPED=1
fi fi
fi fi
@ -168,12 +170,12 @@
DirectoryExists() DirectoryExists()
{ {
DIRECTORY_FOUND=0 DIRECTORY_FOUND=0
logtext "Test: checking if directory $1 exists" LogText "Test: checking if directory $1 exists"
if [ -d $1 ]; then if [ -d $1 ]; then
logtext "Result: directory $1 exists" LogText "Result: directory $1 exists"
DIRECTORY_FOUND=1 DIRECTORY_FOUND=1
else else
logtext "Result: directory $1 NOT found" LogText "Result: directory $1 NOT found"
fi fi
} }
@ -198,11 +200,11 @@
DigitsOnly() DigitsOnly()
{ {
VALUE=$1 VALUE=$1
logtext "Value is now: ${VALUE}" LogText "Value is now: ${VALUE}"
if [ ! "${AWKBINARY}" = "" ]; then if [ ! "${AWKBINARY}" = "" ]; then
VALUE=`echo ${VALUE} | grep -Eo '[0-9]{1,}'` VALUE=`echo ${VALUE} | grep -Eo '[0-9]{1,}'`
fi fi
logtext "Returning value: ${VALUE}" LogText "Returning value: ${VALUE}"
} }
@ -319,12 +321,12 @@
FileExists() FileExists()
{ {
FILE_FOUND=0 FILE_FOUND=0
logtext "Test: checking if file $1 exists" LogText "Test: checking if file $1 exists"
if [ -f $1 ]; then if [ -f $1 ]; then
logtext "Result: file $1 exists" LogText "Result: file $1 exists"
FILE_FOUND=1 FILE_FOUND=1
else else
logtext "Result: file $1 NOT found" LogText "Result: file $1 NOT found"
fi fi
} }
@ -337,36 +339,38 @@
FileIsEmpty() FileIsEmpty()
{ {
EMPTY=0 EMPTY=0
logtext "Test: checking if file $1 is empty" LogText "Test: checking if file $1 is empty"
if [ -z $1 ]; then if [ -z $1 ]; then
logtext "Result: file $1 is empty" LogText "Result: file $1 is empty"
EMPTY=1 EMPTY=1
else else
logtext "Result: file $1 is NOT empty" LogText "Result: file $1 is NOT empty"
fi fi
} }
################################################################################ ################################################################################
# Name : FileIsReadable # Name : FileIsReadable
# Description : Check if a file readable or directory is accessible # Description : Check if a file readable or directory is accessible
# Returns : CANREAD (0 or 1) # Returns : Return code (0 = readable, 1 = not readable)
# Usage : if FileIsReadable /etc/shadow; then echo "File is readable"; fi
################################################################################ ################################################################################
FileIsReadable() FileIsReadable()
{ {
sFILE=$1 sFILE=$1
CANREAD=0 CANREAD=0
logtext "Test: testing if we can access ${sFILE}" LogText "Test: testing if we can access ${sFILE}"
# Check for symlink # Check for symlink
if [ -L ${sFILE} ]; then if [ -L ${sFILE} ]; then
ShowSymlinkPath ${sFILE} ShowSymlinkPath ${sFILE}
if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi
fi fi
# Only check the file if it isn't a symlink (after previous check) # Only check the file if it isn't a symlink (after previous check)
if [ -L ${sFILE} ]; then if [ -L ${sFILE} ]; then
OTHERPERMS="-" OTHERPERMS="-"
logtext "Result: unclear if we can read this file, as this is a symlink" LogText "Result: unclear if we can read this file, as this is a symlink"
ReportException "FileIsReadable" "Can not determine symlink ${sFILE}" ReportException "FileIsReadable" "Can not determine symlink ${sFILE}"
elif [ -d ${sFILE} ]; then elif [ -d ${sFILE} ]; then
OTHERPERMS=`ls -d -l ${sFILE} | cut -c 8` OTHERPERMS=`ls -d -l ${sFILE} | cut -c 8`
@ -379,22 +383,24 @@
# Also check if we are the actual owner of the file # Also check if we are the actual owner of the file
FILEOWNER=`ls -ln ${sFILE} | awk -F" " '{ print $3 }'` FILEOWNER=`ls -ln ${sFILE} | awk -F" " '{ print $3 }'`
if [ "${FILEOWNER}" = "${MYID}" ]; then if [ "${FILEOWNER}" = "${MYID}" ]; then
logtext "Result: file is owned by our current user ID (${MYID}), checking if it is readable" LogText "Result: file is owned by our current user ID (${MYID}), checking if it is readable"
if [ -d ${sFILE} ]; then if [ -d ${sFILE} ]; then
OTHERPERMS=`ls -d -l ${sFILE} | cut -c 2` OTHERPERMS=`ls -d -l ${sFILE} | cut -c 2`
elif [ -f ${sFILE} ]; then elif [ -f ${sFILE} ]; then
OTHERPERMS=`ls -d -l ${sFILE} | cut -c 2` OTHERPERMS=`ls -d -l ${sFILE} | cut -c 2`
fi fi
else else
logtext "Result: file is not owned by current user ID (${MYID}), but UID ${FILEOWNER}" LogText "Result: file is not owned by current user ID (${MYID}), but UID ${FILEOWNER}"
fi fi
# Check if we have the read bit # Check if we have the read bit
if [ "${OTHERPERMS}" = "r" ]; then if [ "${OTHERPERMS}" = "r" ]; then
CANREAD=1 CANREAD=1
logtext "Result: file ${sFILE} is readable (or directory accessible)." return 0
LogText "Result: file ${sFILE} is readable (or directory accessible)."
else else
logtext "Result: file ${sFILE} is NOT readable (or directory accessible), symlink, or does not exist. (OTHERPERMS: ${OTHERPERMS})" LogText "Result: file ${sFILE} is NOT readable (or directory accessible), symlink, or does not exist. (OTHERPERMS: ${OTHERPERMS})"
return 1
fi fi
} }
@ -465,7 +471,7 @@
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)" ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
else else
logtext "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)" LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
fi fi
fi fi
else else
@ -493,7 +499,7 @@
# Check if we found a HostID # Check if we found a HostID
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'` HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
logtext "Result: Found HostID: ${HOSTID}" LogText "Result: Found HostID: ${HOSTID}"
else else
ReportException "GetHostID" "Can't create HOSTID, command ip not found" ReportException "GetHostID" "Can't create HOSTID, command ip not found"
fi fi
@ -532,7 +538,7 @@
for I in ${INTERFACES_TO_TEST}; do for I in ${INTERFACES_TO_TEST}; do
FIND=`${IFCONFIGBINARY} -a | grep "^${I}"` FIND=`${IFCONFIGBINARY} -a | grep "^${I}"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1; logtext "Found interface ${I} on Solaris" FOUND=1; LogText "Found interface ${I} on Solaris"
fi fi
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
@ -560,7 +566,7 @@
if [ ! "${HOSTID}" = "" ]; then if [ ! "${HOSTID}" = "" ]; then
for CHECKHASH in ${BLACKLISTED_HASHES}; do for CHECKHASH in ${BLACKLISTED_HASHES}; do
if [ "${CHECKHASH}" = "${HOSTID}" ]; then if [ "${CHECKHASH}" = "${HOSTID}" ]; then
logtext "Result: hostid is a blacklisted value" LogText "Result: hostid is a blacklisted value"
HOSTID="" HOSTID=""
fi fi
done done
@ -581,17 +587,17 @@
fi fi
if [ "${HOSTID}" = "" ]; then if [ "${HOSTID}" = "" ]; then
logtext "Result: no HOSTID available, trying to use SSH key as unique source" LogText "Result: no HOSTID available, trying to use SSH key as unique source"
# Create host ID when a MAC address was not found # Create host ID when a MAC address was not found
SSH_KEY_FILES="ssh_host_ed25519_key ssh_host_ed25519_key.pub ssh_host_ecdsa_key ssh_host_ecdsa_key.pub ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub" SSH_KEY_FILES="ssh_host_ed25519_key ssh_host_ed25519_key.pub ssh_host_ecdsa_key ssh_host_ecdsa_key.pub ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub"
if [ -d /etc/ssh ]; then if [ -d /etc/ssh ]; then
for I in ${SSH_KEY_FILES}; do for I in ${SSH_KEY_FILES}; do
if [ "${HOSTID}" = "" ]; then if [ "${HOSTID}" = "" ]; then
if [ -f /etc/ssh/${I} ]; then if [ -f /etc/ssh/${I} ]; then
logtext "Result: found ${I} in /etc/ssh" LogText "Result: found ${I} in /etc/ssh"
if [ ! "${SHA1SUMBINARY}" = "" ]; then if [ ! "${SHA1SUMBINARY}" = "" ]; then
HOSTID=`cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }'` HOSTID=`cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
logtext "result: Created HostID with SSH key ($I): ${HOSTID}" LogText "result: Created HostID with SSH key ($I): ${HOSTID}"
else else
ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing" ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing"
fi fi
@ -599,7 +605,7 @@
fi fi
done done
else else
logtext "Result: no /etc/ssh directory found, skipping" LogText "Result: no /etc/ssh directory found, skipping"
fi fi
fi fi
@ -618,7 +624,7 @@
echo "------------------------------------" echo "------------------------------------"
fi fi
logtextbreak logtextbreak
logtext "Action: Performing tests from category: $1" LogText "Action: Performing tests from category: $1"
} }
# Insert section block for plugins # Insert section block for plugins
@ -629,7 +635,7 @@
echo "[+] ${MAGENTA}$1${NORMAL}" echo "[+] ${MAGENTA}$1${NORMAL}"
echo "------------------------------------" echo "------------------------------------"
fi fi
logtext "Action: Performing plugin tests" LogText "Action: Performing plugin tests"
} }
# Is a process running? # Is a process running?
@ -642,9 +648,9 @@
FIND=`${PSBINARY} ${PSOPTIONS} | egrep "( |/)$1" | grep -v "grep"` FIND=`${PSBINARY} ${PSOPTIONS} | egrep "( |/)$1" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
RUNNING=1 RUNNING=1
logtext "IsRunning: process '$1' found (${FIND})" LogText "IsRunning: process '$1' found (${FIND})"
else else
logtext "IsRunning: process '$1' not found" LogText "IsRunning: process '$1' not found"
fi fi
} }
@ -658,7 +664,7 @@
IsVirtualMachine() IsVirtualMachine()
{ {
logtext "Test: Determine if this system is a virtual machine" LogText "Test: Determine if this system is a virtual machine"
# 0 = no, 1 = yes, 2 = unknown # 0 = no, 1 = yes, 2 = unknown
ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown" ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown"
SHORT="" SHORT=""
@ -669,87 +675,87 @@
case "`facter is_virtual`" in case "`facter is_virtual`" in
"true") "true")
SHORT=`facter virtual` SHORT=`facter virtual`
logtext "Result: found ${SHORT}" LogText "Result: found ${SHORT}"
;; ;;
"false") "false")
logtext "Result: facter says this machine is not a virtual" LogText "Result: facter says this machine is not a virtual"
;; ;;
esac esac
else else
logtext "Result: facter utility not found" LogText "Result: facter utility not found"
fi fi
else else
logtext "Result: skipped facter test, as we already found machine type" LogText "Result: skipped facter test, as we already found machine type"
fi fi
# systemd # systemd
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/systemd-detect-virt ]; then if [ -x /usr/bin/systemd-detect-virt ]; then
logtext "Test: trying to guess virtualization technology with systemd-detect-virt" LogText "Test: trying to guess virtualization technology with systemd-detect-virt"
FIND=`/usr/bin/systemd-detect-virt` FIND=`/usr/bin/systemd-detect-virt`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}" LogText "Result: found ${FIND}"
SHORT="${FIND}" SHORT="${FIND}"
fi fi
else else
logtext "Result: systemd-detect-virt not found" LogText "Result: systemd-detect-virt not found"
fi fi
else else
logtext "Result: skipped systemd test, as we already found machine type" LogText "Result: skipped systemd test, as we already found machine type"
fi fi
# lscpu # lscpu
# Values: VMware # Values: VMware
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/lscpu ]; then if [ -x /usr/bin/lscpu ]; then
logtext "Test: trying to guess virtualization with lscpu" LogText "Test: trying to guess virtualization with lscpu"
FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'` FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}" LogText "Result: found ${FIND}"
SHORT="${FIND}" SHORT="${FIND}"
else else
logtext "Result: can't find hypervisor vendor with lscpu" LogText "Result: can't find hypervisor vendor with lscpu"
fi fi
else else
logtext "Result: lscpu not found" LogText "Result: lscpu not found"
fi fi
else else
logtext "Result: skipped lscpu test, as we already found machine type" LogText "Result: skipped lscpu test, as we already found machine type"
fi fi
# dmidecode # dmidecode
# Values: VMware Virtual Platform / VirtualBox # Values: VMware Virtual Platform / VirtualBox
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
if [ -x /usr/sbin/dmidecode ]; then if [ -x /usr/sbin/dmidecode ]; then
logtext "Test: trying to guess virtualization with dmidecode" LogText "Test: trying to guess virtualization with dmidecode"
FIND=`dmidecode -s system-product-name | awk '{ print $1 }'` FIND=`dmidecode -s system-product-name | awk '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}" LogText "Result: found ${FIND}"
SHORT="${FIND}" SHORT="${FIND}"
else else
logtext "Result: can't find product name with dmidecode" LogText "Result: can't find product name with dmidecode"
fi fi
else else
logtext "Result: dmidecode not found" LogText "Result: dmidecode not found"
fi fi
else else
logtext "Result: skipped dmidecode test, as we already found machine type" LogText "Result: skipped dmidecode test, as we already found machine type"
fi fi
# lshw # lshw
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/lshw ]; then if [ -x /usr/bin/lshw ]; then
logtext "Test: trying to guess virtualization with lshw" LogText "Test: trying to guess virtualization with lshw"
FIND=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'` FIND=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}" LogText "Result: found ${FIND}"
SHORT="${FIND}" SHORT="${FIND}"
fi fi
else else
logtext "Result: lshw not found" LogText "Result: lshw not found"
fi fi
else else
logtext "Result: skipped lshw test, as we already found machine type" LogText "Result: skipped lshw test, as we already found machine type"
fi fi
# Other options # Other options
@ -758,7 +764,7 @@
# Try common guest processes # Try common guest processes
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
logtext "Test: trying to guess virtual machine type by running processes" LogText "Test: trying to guess virtual machine type by running processes"
# VMware # VMware
IsRunning vmware-guestd IsRunning vmware-guestd
@ -772,24 +778,24 @@
IsRunning VBoxClient IsRunning VBoxClient
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
else else
logtext "Result: skipped processes test, as we already found platform" LogText "Result: skipped processes test, as we already found platform"
fi fi
# Amazon EC2 # Amazon EC2
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
logtext "Test: checking specific files for Amazon" LogText "Test: checking specific files for Amazon"
if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then
SHORT="amazon-ec2" SHORT="amazon-ec2"
else else
logtext "Result: system not hosted on Amazon" LogText "Result: system not hosted on Amazon"
fi fi
else else
logtext "Result: skipped Amazon EC2 test, as we already found platform" LogText "Result: skipped Amazon EC2 test, as we already found platform"
fi fi
# sysctl values # sysctl values
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
logtext "Test: trying to guess virtual machine type by sysctl keys" LogText "Test: trying to guess virtual machine type by sysctl keys"
# FreeBSD: hw.hv_vendor (remains empty for VirtualBox) # FreeBSD: hw.hv_vendor (remains empty for VirtualBox)
# NetBSD: machdep.dmi.system-product # NetBSD: machdep.dmi.system-product
@ -799,7 +805,7 @@
SHORT="${FIND}" SHORT="${FIND}"
fi fi
else else
logtext "Result: skipped sysctl test, as we already found platform" LogText "Result: skipped sysctl test, as we already found platform"
fi fi
# Check if we catched some string along all tests # Check if we catched some string along all tests
@ -823,20 +829,20 @@
vmware) ISVIRTUALMACHINE=1; VMTYPE="vmware"; VMFULLTYPE="VMware product" ;; vmware) ISVIRTUALMACHINE=1; VMTYPE="vmware"; VMFULLTYPE="VMware product" ;;
xen) ISVIRTUALMACHINE=1; VMTYPE="xen"; VMFULLTYPE="XEN" ;; xen) ISVIRTUALMACHINE=1; VMTYPE="xen"; VMFULLTYPE="XEN" ;;
zvm) ISVIRTUALMACHINE=1; VMTYPE="zvm"; VMFULLTYPE="IBM z/VM" ;; zvm) ISVIRTUALMACHINE=1; VMTYPE="zvm"; VMFULLTYPE="IBM z/VM" ;;
*) logtext "Result: Unknown virtualization type, so most likely system is physical" ;; *) LogText "Result: Unknown virtualization type, so most likely system is physical" ;;
esac esac
fi fi
# Check final status # Check final status
if [ ${ISVIRTUALMACHINE} -eq 1 ]; then if [ ${ISVIRTUALMACHINE} -eq 1 ]; then
logtext "Result: found virtual machine (type: ${VMTYPE}, ${VMFULLTYPE})" LogText "Result: found virtual machine (type: ${VMTYPE}, ${VMFULLTYPE})"
report "vm=1" Report "vm=1"
report "vmtype=${VMTYPE}" Report "vmtype=${VMTYPE}"
elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then
logtext "Result: unknown if this system is a virtual machine" LogText "Result: unknown if this system is a virtual machine"
report "vm=2" Report "vm=2"
else else
logtext "Result: system seems to be non-virtual" LogText "Result: system seems to be non-virtual"
fi fi
} }
@ -854,7 +860,7 @@
# Only check the file if it isn't a symlink (after previous check) # Only check the file if it isn't a symlink (after previous check)
if [ -f ${sFILE} -a ! -L ${sFILE} ]; then if [ -f ${sFILE} -a ! -L ${sFILE} ]; then
FINDVAL=`ls -l ${sFILE} | cut -c 8` FINDVAL=`ls -l ${sFILE} | cut -c 8`
if [ "${FINDVAL}" = "r" ]; then return 1; else return 0; fi if [ "${FINDVAL}" = "r" ]; then return 0; else return 1; fi
else else
return 255 return 255
fi fi
@ -876,13 +882,19 @@
# Only check the file if it isn't a symlink (after previous check) # Only check the file if it isn't a symlink (after previous check)
if [ -f ${sFILE} -a ! -L ${sFILE} ]; then if [ -f ${sFILE} -a ! -L ${sFILE} ]; then
FINDVAL=`ls -l ${sFILE} | cut -c 10` FINDVAL=`ls -l ${sFILE} | cut -c 10`
if [ "${FINDVAL}" = "x" ]; then return 1; else return 0; fi if [ "${FINDVAL}" = "x" ]; then return 0; else return 1; fi
else else
return 255 return 255
fi fi
} }
# Function IsWorldWritable ################################################################################
# Name : IsWorldWritable()
# Description : Determines if a file is writable for all users
# Returns : exit code (0 = writable, 1 = not writable, 255 = error)
# Usage : if IsWorldWritable /etc/motd; then echo "File is writable"; fi
################################################################################
IsWorldWritable() IsWorldWritable()
{ {
sFILE=$1 sFILE=$1
@ -891,14 +903,20 @@
# Only check the file if it isn't a symlink (after previous check) # Only check the file if it isn't a symlink (after previous check)
if [ -f ${sFILE} -a ! -L ${sFILE} ]; then if [ -f ${sFILE} -a ! -L ${sFILE} ]; then
FINDVAL=`ls -l ${sFILE} | cut -c 9` FINDVAL=`ls -l ${sFILE} | cut -c 9`
if [ "${FINDVAL}" = "w" ]; then return 1; else return 0; fi if [ "${FINDVAL}" = "w" ]; then return 0; else return 1; fi
else else
return 255 return 255
fi fi
} }
# Function logtext (redirect data ($1) to log file) ################################################################################
logtext() # Name : LogText()
# Description : Function logtext (redirect data ($1) to log file)
# Returns : Nothing
# Usage : LogText "This goes into the log file"
################################################################################
LogText()
{ {
if [ ! "${LOGFILE}" = "" ]; then if [ ! "${LOGFILE}" = "" ]; then
CDATE=`date "+[%H:%M:%S]"` CDATE=`date "+[%H:%M:%S]"`
@ -906,6 +924,11 @@
fi fi
} }
# Alias for older tests (do no longer use this as it will be deprecated)
logtext()
{
LogText "$1"
}
################################################################################ ################################################################################
# Name : logtextbreak() # Name : logtextbreak()
@ -948,18 +971,18 @@
I=`echo ${I} | sed 's/:space:/ /g' | sed 's/;$//'` I=`echo ${I} | sed 's/:space:/ /g' | sed 's/;$//'`
OPTION=`echo ${I} | awk '{ print $1 }'` OPTION=`echo ${I} | awk '{ print $1 }'`
VALUE=`echo ${I}| cut -d' ' -f2-` VALUE=`echo ${I}| cut -d' ' -f2-`
logtext "Result: found option ${OPTION} with parameters ${VALUE}" LogText "Result: found option ${OPTION} with parameters ${VALUE}"
case ${OPTION} in case ${OPTION} in
access_log) access_log)
if [ "${VALUE}" = "off" ]; then if [ "${VALUE}" = "off" ]; then
logtext "Result: found logging disabled for one virtual host" LogText "Result: found logging disabled for one virtual host"
NGINX_ACCESS_LOG_DISABLED=1 NGINX_ACCESS_LOG_DISABLED=1
else else
if [ ! "${VALUE}" = "" ]; then if [ ! "${VALUE}" = "" ]; then
# If multiple values follow, select first one # If multiple values follow, select first one
VALUE=`echo ${VALUE} | awk '{ print $1 }'` VALUE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! -f ${VALUE} ]; then if [ ! -f ${VALUE} ]; then
logtext "Result: could not find referenced log file ${VALUE} in nginx configuration" LogText "Result: could not find referenced log file ${VALUE} in nginx configuration"
NGINX_ACCESS_LOG_MISSING=1 NGINX_ACCESS_LOG_MISSING=1
fi fi
fi fi
@ -969,8 +992,8 @@
add_header) add_header)
HEADER=`echo ${VALUE} | awk '{ print $1 }'` HEADER=`echo ${VALUE} | awk '{ print $1 }'`
HEADER_VALUE=`echo ${VALUE} | cut -d' ' -f2-` HEADER_VALUE=`echo ${VALUE} | cut -d' ' -f2-`
logtext "Result: found header ${HEADER} with value ${HEADER_VALUE}" LogText "Result: found header ${HEADER} with value ${HEADER_VALUE}"
#report "nginx_header[]=${HEADER}|${HEADER_VALUE}|" #Report "nginx_header[]=${HEADER}|${HEADER_VALUE}|"
;; ;;
alias) alias)
NGINX_ALIAS_FOUND=1 NGINX_ALIAS_FOUND=1
@ -999,7 +1022,7 @@
NGINX_ERROR_LOG_MISSING=1 NGINX_ERROR_LOG_MISSING=1
fi fi
else else
logtext "Warning: did not find a filename after error_log in nginx configuration" LogText "Warning: did not find a filename after error_log in nginx configuration"
fi fi
;; ;;
error_page) error_page)
@ -1041,7 +1064,7 @@
if [ "${VALUE}" = "on" ]; then NGINX_SSL_ON=1; fi if [ "${VALUE}" = "on" ]; then NGINX_SSL_ON=1; fi
;; ;;
ssl_certificate) ssl_certificate)
logtext "Found SSL certificate in nginx configuration" LogText "Found SSL certificate in nginx configuration"
;; ;;
ssl_certificate_key) ssl_certificate_key)
;; ;;
@ -1053,7 +1076,7 @@
;; ;;
ssl_protocols) ssl_protocols)
NGINX_SSL_PROTOCOLS=1 NGINX_SSL_PROTOCOLS=1
#report "nginx_ssl_protocols=${VALUE}" #Report "nginx_ssl_protocols=${VALUE}"
;; ;;
ssl_session_cache) ssl_session_cache)
;; ;;
@ -1062,7 +1085,7 @@
types) types)
;; ;;
*) *)
logtext "Found unknown option ${OPTION} in nginx configuration" LogText "Found unknown option ${OPTION} in nginx configuration"
;; ;;
esac esac
done done
@ -1074,6 +1097,8 @@
# Input : finish or text # Input : finish or text
# Returns : nothing # Returns : nothing
# Tip : Use this function from Register with the --progress parameter # Tip : Use this function from Register with the --progress parameter
################################################################################
Progress() Progress()
{ {
if [ ${CRONJOB} -eq 0 ]; then if [ ${CRONJOB} -eq 0 ]; then
@ -1090,6 +1115,26 @@
fi fi
} }
################################################################################
# Name : Progress()
# Description : Displays progress on screen with dots
# Input : Amount of characters (optional)
# Returns : RANDOMSTRING
# Usage : RandomString 32
################################################################################
RandomString() {
# Check a (pseudo) random character device
if [ -c /dev/urandom ]; then local FILE="/dev/urandom"
elif [ -c /dev/random ]; then local FILE="/dev/random"
else
Display "Can not use RandomString function, as there is no random device to be used"
fi
if [ $# -eq 0 ]; then local SIZE=16; else local SIZE=$1; fi
local CSIZE=`expr ${SIZE} / 2`
RANDOMSTRING=`head -c ${CSIZE} /dev/urandom | od -An -x | tr -d ' ' | cut -c 1-${SIZE}`
}
################################################################################ ################################################################################
# Name : RealFilename() # Name : RealFilename()
# Description : Return file behind a symlink # Description : Return file behind a symlink
@ -1108,7 +1153,7 @@
# # Check if we can find the file now # # Check if we can find the file now
# if [ -f ${tFILE} ]; then # if [ -f ${tFILE} ]; then
# rFILE="${tFILE}" # rFILE="${tFILE}"
# logtext "Result: symlink found, pointing to ${sFILE}" # LogText "Result: symlink found, pointing to ${sFILE}"
# SYMLINK=1 # SYMLINK=1
# else # else
# # Check the full path of the symlink, strip the filename, copy the path and linked filename together # # Check the full path of the symlink, strip the filename, copy the path and linked filename together
@ -1116,7 +1161,7 @@
# tFILE="${tDIR}/${tFILE}" # tFILE="${tDIR}/${tFILE}"
# if [ -f ${tFILE} ]; then # if [ -f ${tFILE} ]; then
# rFILE="${tFILE}" # rFILE="${tFILE}"
# logtext "Result: symlink found, seems to be ${rFILE}" # LogText "Result: symlink found, seems to be ${rFILE}"
# fi # fi
# fi # fi
# fi # fi
@ -1235,11 +1280,11 @@
# Increase counter for every registered test which is performed # Increase counter for every registered test which is performed
counttests counttests
if [ ${SKIPLOGTEST} -eq 0 ]; then logtext "Performing test ID ${TEST_NO} ($TEST_DESCRIPTION)"; fi if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Performing test ID ${TEST_NO} ($TEST_DESCRIPTION)"; fi
TESTS_EXECUTED="${TEST_NO}|${TESTS_EXECUTED}" TESTS_EXECUTED="${TEST_NO}|${TESTS_EXECUTED}"
else else
if [ ${SKIPLOGTEST} -eq 0 ]; then logtext "Skipped test ${TEST_NO} ($TEST_DESCRIPTION)"; fi if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Skipped test ${TEST_NO} ($TEST_DESCRIPTION)"; fi
if [ ${SKIPLOGTEST} -eq 0 ]; then logtext "Reason to skip: ${SKIPREASON}"; fi if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}" TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
fi fi
@ -1252,27 +1297,32 @@
if [ ! "${PIDFILE}" = "" ]; then if [ ! "${PIDFILE}" = "" ]; then
if [ -f ${PIDFILE} ]; then if [ -f ${PIDFILE} ]; then
rm -f $PIDFILE; rm -f $PIDFILE;
logtext "PID file removed (${PIDFILE})" LogText "PID file removed (${PIDFILE})"
else else
logtext "PID file not found (${PIDFILE})" LogText "PID file not found (${PIDFILE})"
fi fi
fi fi
} }
# Dump to report file # Dump to report file
report() Report()
{ {
echo "$1" >> ${REPORTFILE} echo "$1" >> ${REPORTFILE}
} }
# Old alias for Report function (will be deprecated)
report()
{
Report "$1"
}
# Log exceptions # Log exceptions
ReportException() ReportException()
{ {
# 1 parameters # 1 parameters
# <ID>:<2 char numeric>|text| # <ID>:<2 char numeric>|text|
report "exception_event[]=$1|$2|" Report "exception_event[]=$1|$2|"
logtext "Exception: test has an exceptional event ($1) with text $2" LogText "Exception: test has an exceptional event ($1) with text $2"
} }
@ -1281,8 +1331,8 @@
{ {
# 1 parameters # 1 parameters
# <ID>:<2 char numeric> # <ID>:<2 char numeric>
report "manual_event[]=$1" Report "manual_event[]=$1"
logtext "Manual: one or more manual actions are required for further testing of this control/plugin" LogText "Manual: one or more manual actions are required for further testing of this control/plugin"
} }
# Report data (TESTID STATUS IMPACT MESSAGE) # Report data (TESTID STATUS IMPACT MESSAGE)
@ -1291,7 +1341,7 @@
if [ $1 = "" ]; then TESTID="UNKNOWN"; fi if [ $1 = "" ]; then TESTID="UNKNOWN"; fi
# Status: OK, WARNING, NEUTRAL, SUGGESTION # Status: OK, WARNING, NEUTRAL, SUGGESTION
# Impact: HIGH, SEVERE, LOW, # Impact: HIGH, SEVERE, LOW,
#report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-" #Report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-"
# Reset ID before next test # Reset ID before next test
TESTID="" TESTID=""
} }
@ -1313,8 +1363,8 @@
if [ "$2" = "" ]; then MESSAGE="UNKNOWN"; else MESSAGE="$2"; fi if [ "$2" = "" ]; then MESSAGE="UNKNOWN"; else MESSAGE="$2"; fi
if [ "$3" = "" ]; then DETAILS="-"; else DETAILS="$3"; fi if [ "$3" = "" ]; then DETAILS="-"; else DETAILS="$3"; fi
if [ "$4" = "" ]; then SOLUTION="-"; else SOLUTION="$4"; fi if [ "$4" = "" ]; then SOLUTION="-"; else SOLUTION="$4"; fi
report "suggestion[]=${TEST}|${MESSAGE}|${DETAILS}|${SOLUTION}|" Report "suggestion[]=${TEST}|${MESSAGE}|${DETAILS}|${SOLUTION}|"
logtext "Suggestion: ${MESSAGE} [test:$1] [details:${DETAILS}] [solution:${SOLUTION}]" LogText "Suggestion: ${MESSAGE} [test:$1] [details:${DETAILS}] [solution:${SOLUTION}]"
} }
# Log warning to report file # Log warning to report file
@ -1344,20 +1394,20 @@
if [ "$3" = "" ]; then DETAILS="-"; else DETAILS="$3"; fi if [ "$3" = "" ]; then DETAILS="-"; else DETAILS="$3"; fi
if [ "$4" = "" ]; then SOLUTION="-"; else SOLUTION="$4"; fi if [ "$4" = "" ]; then SOLUTION="-"; else SOLUTION="$4"; fi
fi fi
report "warning[]=${TEST}|${MESSAGE}|${DETAILS}|${SOLUTION}|" Report "warning[]=${TEST}|${MESSAGE}|${DETAILS}|${SOLUTION}|"
logtext "Warning: ${MESSAGE} [test:${TEST}] [details:${DETAILS}] [solution:${SOLUTION}]" LogText "Warning: ${MESSAGE} [test:${TEST}] [details:${DETAILS}] [solution:${SOLUTION}]"
} }
SafePerms() SafePerms()
{ {
PERMS_OK=0 PERMS_OK=0
logtext "Checking permissions of $1" LogText "Checking permissions of $1"
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"` IS_PARAMETERS_FILE=`echo $1 | grep "/parameters"`
# Check file permissions # Check file permissions
if [ ! -f "$1" ]; then if [ ! -f "$1" ]; then
logtext "Fatal error: file $1 does not exist. Quitting." LogText "Fatal error: file $1 does not exist. Quitting."
echo "Fatal error: file $1 does not exist" echo "Fatal error: file $1 does not exist"
ExitFatal ExitFatal
else else
@ -1371,7 +1421,7 @@
ExitFatal ExitFatal
fi fi
else else
logtext "Note: Owner permissions of file $1 to be expected similar as the UID executing the process" LogText "Note: Owner permissions of file $1 to be expected similar as the UID executing the process"
fi fi
# Group permissions # Group permissions
GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'` GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'`
@ -1383,7 +1433,7 @@
ExitFatal ExitFatal
fi fi
else else
logtext "Note: Group permissions of file $1 to be expected similar as the UID executing the process" LogText "Note: Group permissions of file $1 to be expected similar as the UID executing the process"
fi fi
# Other permissions # Other permissions
OTHER_PERMS=`echo ${PERMS} | cut -c8-10` OTHER_PERMS=`echo ${PERMS} | cut -c8-10`
@ -1393,10 +1443,10 @@
fi fi
# Set PERMS_OK to 1 if no fatal errors occurred # Set PERMS_OK to 1 if no fatal errors occurred
PERMS_OK=1 PERMS_OK=1
logtext "File permissions are OK" LogText "File permissions are OK"
fi fi
else else
logtext "Fatal error: invalid amount of parameters when calling function SafePerms()" LogText "Fatal error: invalid amount of parameters when calling function SafePerms()"
echo "Invalid amount of parameters for function SafePerms()" echo "Invalid amount of parameters for function SafePerms()"
ExitFatal ExitFatal
fi fi
@ -1417,17 +1467,17 @@
# Don't search in /dev/null, it's too empty there # Don't search in /dev/null, it's too empty there
if [ -f $2 ]; then if [ -f $2 ]; then
# Check if we can find the main type (with or without brackets) # Check if we can find the main type (with or without brackets)
logtext "Test: search string $1 in file $2" LogText "Test: search string $1 in file $2"
FIND=`egrep "$1" $2` FIND=`egrep "$1" $2`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1 ITEM_FOUND=1
logtext "Result: found string" LogText "Result: found string"
logtext "Full string: ${FILE}" LogText "Full string: ${FIND}"
else else
logtext "Result: search string NOT found" LogText "Result: search string NOT found"
fi fi
else else
logtext "Skipping search, file does not exist" LogText "Skipping search, file does not exist"
ReportException ${TEST_NO} "Test is trying to search for a string in nonexistent file" ReportException ${TEST_NO} "Test is trying to search for a string in nonexistent file"
fi fi
else else
@ -1446,9 +1496,9 @@
WARNING) WARNING)
echo "[ ${WARNING}WARNING${NORMAL} ]" echo "[ ${WARNING}WARNING${NORMAL} ]"
# log the warning to our log file # log the warning to our log file
#logtext "Warning: $2" #LogText "Warning: $2"
# add the warning to our report file # add the warning to our report file
#report "warning=$2" #Report "warning=$2"
;; ;;
esac esac
} }
@ -1561,51 +1611,51 @@
# If a Python binary is found, use the one in path # If a Python binary is found, use the one in path
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${PYTHONBINARY}" = "" ]; then
FIND=`which python 2> /dev/null` FIND=`which python 2> /dev/null`
if [ ! "${FIND}" = "" ]; then logtext "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi if [ ! "${FIND}" = "" ]; then LogText "Setting temporary pythonbinary variable"; PYTHONBINARY="${FIND}"; fi
fi fi
if [ ! "${PYTHONBINARY}" = "" ]; then if [ ! "${PYTHONBINARY}" = "" ]; then
SYMLINK_USE_PYTHON=1 SYMLINK_USE_PYTHON=1
logtext "Note: using Python to determine symlinks" LogText "Note: using Python to determine symlinks"
tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1` tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" $1`
fi fi
else else
if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then if [ ${BINARY_SCAN_FINISHED} -eq 0 -a "${READLINKBINARY}" = "" ]; then
FIND=`which readlink 2> /dev/null` FIND=`which readlink 2> /dev/null`
if [ ! "${FIND}" = "" ]; then logtext "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi if [ ! "${FIND}" = "" ]; then LogText "Setting temporary readlinkbinary variable"; READLINKBINARY="${FIND}"; fi
fi fi
if [ ! "${READLINKBINARY}" = "" ]; then if [ ! "${READLINKBINARY}" = "" ]; then
SYMLINK_USE_READLINK=1 SYMLINK_USE_READLINK=1
logtext "Note: Using real readlink binary to determine symlinks" LogText "Note: Using real readlink binary to determine symlinks"
tFILE=`${READLINKBINARY} -f ${sFILE}` tFILE=`${READLINKBINARY} -f ${sFILE}`
logtext "Result: readlink shows ${tFILE} as output" LogText "Result: readlink shows ${tFILE} as output"
fi fi
fi fi
# Check if we can find the file now # Check if we can find the file now
if [ "${tFILE}" = "" ]; then if [ "${tFILE}" = "" ]; then
logtext "Result: command did not return any value" LogText "Result: command did not return any value"
elif [ -f ${tFILE} ]; then elif [ -f ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, pointing to file ${sFILE}" LogText "Result: symlink found, pointing to file ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
elif [ -b ${tFILE} ]; then elif [ -b ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, pointing to block device ${sFILE}" LogText "Result: symlink found, pointing to block device ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
elif [ -c ${tFILE} ]; then elif [ -c ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, pointing to character device ${sFILE}" LogText "Result: symlink found, pointing to character device ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
elif [ -d ${tFILE} ]; then elif [ -d ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, pointing to directory ${sFILE}" LogText "Result: symlink found, pointing to directory ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
else else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together # Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'` tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'`
tFILE="${tDIR}/${tFILE}" tFILE="${tDIR}/${tFILE}"
if [ -L ${tFILE} ]; then if [ -L ${tFILE} ]; then
logtext "Result: this symlink links to another symlink" LogText "Result: this symlink links to another symlink"
# Ensure that we use a second try with the right tool as well # Ensure that we use a second try with the right tool as well
if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then if [ ${SYMLINK_USE_PYTHON} -eq 1 ]; then
tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE}` tFILE=`python -c "import os,sys; print(os.path.realpath(os.path.expanduser(sys.argv[1])))" ${tFILE}`
@ -1615,33 +1665,33 @@
# Check if we now have a normal file # Check if we now have a normal file
if [ -f ${tFILE} ]; then if [ -f ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink finally found, seems to be file ${sFILE}" LogText "Result: symlink finally found, seems to be file ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
elif [ -d ${tFILE} ]; then elif [ -d ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink finally found, seems to be directory ${sFILE}" LogText "Result: symlink finally found, seems to be directory ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
else else
logtext "Result: could not find file ${tFILE}, most likely too complicated symlink or too often linked" LogText "Result: could not find file ${tFILE}, most likely too complicated symlink or too often linked"
fi fi
elif [ -f ${tFILE} ]; then elif [ -f ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, seems to be file ${sFILE}" LogText "Result: symlink found, seems to be file ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
elif [ -d ${tFILE} ]; then elif [ -d ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, seems to be directory ${sFILE}" LogText "Result: symlink found, seems to be directory ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
else else
logtext "Result: file ${tFILE} in ${tDIR} not found" LogText "Result: file ${tFILE} in ${tDIR} not found"
fi fi
fi fi
else else
logtext "Result: file not a symlink" LogText "Result: file not a symlink"
fi fi
# Now check if our new location is actually a file or directory destination # Now check if our new location is actually a file or directory destination
if [ -L ${sFILE} ]; then if [ -L ${sFILE} ]; then
logtext "Result: unable to determine symlink, or location ${sFILE} is just another symlink" LogText "Result: unable to determine symlink, or location ${sFILE} is just another symlink"
FOUNDPATH=0 FOUNDPATH=0
fi fi
if [ ${FOUNDPATH} -eq 1 ]; then if [ ${FOUNDPATH} -eq 1 ]; then
@ -1662,6 +1712,7 @@
echo "" echo ""
exit 0 exit 0
} }
# Wait for [ENTER] or manually break # Wait for [ENTER] or manually break
wait_for_keypress() wait_for_keypress()
{ {
@ -1671,8 +1722,16 @@
fi fi
} }
# Wait for [ENTER] or manually break
WaitForKeypress()
{
if [ ! ${QUICKMODE} -eq 1 ]; then
echo ""; echo "[ ${WHITE}Press [ENTER] to continue, or [CTRL]+C to stop${NORMAL} ]"
read void
fi
}
#================================================================================ #================================================================================
# Lynis is part of Lynis Enterprise and released under GPLv3 license # Lynis is part of Lynis Enterprise and released under GPLv3 license
# Copyright 2007-2015 - Michael Boelen, CISOfy - https://cisofy.com # Copyright 2007-2016 - Michael Boelen, CISOfy - https://cisofy.com


@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com # Web site: https://cisofy.com
# #
# This software is licensed under GPL, version 3. See LICENSE file for # This software is licensed under GPL, version 3. See LICENSE file for
@ -416,4 +416,4 @@
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2016 Michael Boelen, CISOfy - https://cisofy.com


@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) # Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -263,4 +263,4 @@
done done
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com


@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -228,4 +228,4 @@
logtextbreak logtextbreak
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - CISOfy, https://cisofy.com # Lynis - Copyright 2007-2016, Michael Boelen - CISOfy, https://cisofy.com


@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -251,4 +251,4 @@
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com


@ -5,7 +5,7 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -37,4 +37,4 @@
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com