Improve HostID generation and logging

Michael Boelen 2021-07-02 14:23:53 +02:00
parent 9070bc4ea6
commit da024079f1
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
3 changed files with 66 additions and 43 deletions


@ -133,7 +133,9 @@ ETC_PATHS="/etc /usr/local/etc"
HEADBINARY=""
HELPER=""
HOSTID=""
HOSTID_GEN="unknown"
HOSTID2=""
HOSTID2_GEN="unknown"
HTTPDBINARY=""
IDS_IPS_TOOL_FOUND=0
IFCONFIGBINARY=""


@ -899,20 +899,22 @@
################################################################################
GetHostID() {
if [ ${SKIP_GETHOSTID} -eq 1 ]; then
Debug "Skipping HostID generation due to SKIP_GETHOSTID"
return 2
fi
if [ -n "${HOSTID}" -a -n "${HOSTID2}" ]; then
Debug "Skipping creation of host identifiers, as they are already configured (via profile)"
HOSTID_GEN="profile"
return 2
fi
if [ -f "${ROOTDIR}etc/lynis/hostids" ]; then
Debug "Used hostids file to fetch values"
HOSTID=$(grep "^hostid=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}')
HOSTID2=$(grep "^hostid2=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}')
Debug "Used hostids file to fetch values"
HOSTID_GEN="hostids-file"
return 0
fi
@ -940,7 +942,7 @@
fi
if [ ! "${SHA1SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then
LogText "Info: found hashing tool, start generation of HostID"
case "${OS}" in
"AIX")
@ -988,15 +990,29 @@
;;
"Linux")
# Future change
# Show brief output of ip of links that are UP. Filter out items like 'UNKNOWN' in col 2
# Using the {2} syntax does not work on all systems
# ip -br link show up | sort | awk '$2=="UP" && $3 ~ /^[a-f0-9][a-f0-9]:/ {print $3}'
# Use ifconfig
if [ -n "${IFCONFIGBINARY}" ]; then
# Determine if we have the eth0 interface (not all Linux distro have this, e.g. Arch)
# First use ip, then ifconfig as fallback
if [ -n "${IPBINARY}" ]; then
# Determine if we have the common available eth0 interface. If so, give that priority.
# Note: apply sorting in case there would be multiple MAC addresses linked to increase predictable end result
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]' | sort | head -1)
if HasData "${FIND}"; then
HOSTID_GEN="linux-ip-interface-eth0"
else
# Trying the most stable route here:
# 1) First fetch all links that are UP and filter out everything not starting with 'en'
# 2) Filter entries that have a MAC address and filter out Docker related MAC addresses starting with '02:42:'
# 3) Convert everything to lowercase
# 4) Sort the entries, so that the output is more predictable between runs when the same interfaces are available
# 5) Select first entry
FIND=$(${IPBINARY} -family link addr show up label 'en*' 2> /dev/null | awk '{if($1=="link/ether" && $2 !~ "^02:42:"){print $2}}' | tr '[:upper:]' '[:lower:]' | sort | head -1)
if HasData "${FIND}"; then
HOSTID_GEN="linux-ip-interface-other"
else
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
fi
fi
elif [ -n "${IFCONFIGBINARY}" ]; then
# Determine if we have the eth0 interface (not all Linux distributions have this, e.g. Arch)
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
# Check if we can find it with HWaddr on the line
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
@ -1009,38 +1025,32 @@
# If not, then falling back to getting first interface. Better than nothing.
if HasData "${HASETH0}"; then
FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID_GEN="linux-ifconfig-interface-eth0-ether"
fi
else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
else
LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
HOSTID_GEN="linux-ifconfig-interface-first-ether"
LogText "Result: No eth0 found (but ether found), using first network interface to determine hostid (with ifconfig)"
fi
fi
else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig"
fi
fi
elif [ -n "${IPBINARY}" ]; then
# Determine if we have the common available eth0 interface
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
# Determine the MAC address of first interface with the ip command
FIND=$(${IPBINARY} addr show 2> /dev/null | grep -E "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
HOSTID_GEN="linux-ifconfig-interface-first-hwaddr"
fi
else
HOSTID_GEN="linux-ifconfig-interface-eth0-hwaddr"
fi
else
ReportException "GetHostID" "Both ip and ifconfig tools are missing"
fi
# Check if we found a HostID
if HasData "${FIND}"; then
LogText "Info: using hardware address ${FIND} to create ID"
LogText "Info: using hardware address ${FIND} to create HostID"
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "Result: Found HostID: ${HOSTID}"
else
@ -1100,9 +1110,9 @@
done
if [ ${FOUND} -eq 1 ]; then
FIND=$(${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}')
if [ ! "${SHA1SUMBINARY}" = "" ]; then
if [ -n "${SHA1SUMBINARY}" ]; then
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then
elif [ -n "${OPENSSLBINARY}" ]; then
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
else
ReportException "GetHostID" "Can not find sha1/sha1sum or openssl"
@ -1116,8 +1126,9 @@
ReportException "GetHostID" "Can't create HOSTID as OS is not supported yet by this function"
;;
esac
# Remove HOSTID if it contains a default MAC address with a related hash value
if [ ! "${HOSTID}" = "" ]; then
if [ -n "${HOSTID}" ]; then
for CHECKHASH in ${BLACKLISTED_HASHES}; do
if [ "${CHECKHASH}" = "${HOSTID}" ]; then
LogText "Result: hostid is a blacklisted value"
@ -1125,6 +1136,7 @@
fi
done
fi
else
ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)"
fi
@ -1152,6 +1164,7 @@
if [ -n "${SHA1SUMBINARY}" ]; then
HOSTID=$(${SHA1SUMBINARY} /etc/ssh/${I} | awk '{ print $1 }')
LogText "result: Created HostID with SSH key ($I): ${HOSTID}"
HOSTID_GEN="fallback-ssh-public-key"
else
ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing"
fi
@ -1163,9 +1176,9 @@
fi
fi
# New style host ID
if [ "${HOSTID2}" = "" ]; then
LogText "Info: creating a HostID (version 2)"
# Generation of HostID version 2
if [ -z "${HOSTID2}" ]; then
LogText "Info: start generation of HostID (version 2)"
FOUND=0
DATA_SSH=""
# Use public keys
@ -1188,19 +1201,21 @@
if [ ${FOUND} -eq 1 -a -n "${DATA_SSH}" ]; then
LogText "Using SSH public key to create the second host identifier"
STRING_TO_HASH="${DATA_SSH}"
HOSTID2_GEN="ssh-public-key"
else
if [ -n "${MACHINEID}" ]; then
LogText "Using the machine ID to create the second host identifier"
STRING_TO_HASH="${MACHINEID}"
HOSTID2_GEN="machine-id"
fi
fi
# Check if we have a string to turn into a host identifier
if [ -n "${STRING_TO_HASH}" ]; then
# Create hashes
if [ ! "${SHA256SUMBINARY}" = "" ]; then
if [ -n "${SHA256SUMBINARY}" ]; then
HASH2=$(echo ${STRING_TO_HASH} | ${SHA256SUMBINARY} | awk '{ print $1 }')
HASH_HOSTNAME=$(echo ${HOSTNAME} | ${SHA256SUMBINARY} | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then
elif [ -n "${OPENSSLBINARY}" ]; then
HASH2=$(echo ${STRING_TO_HASH} | ${OPENSSLBINARY} dgst -${OPENSSL_HASHTYPE} | awk '{ print $2 }')
HASH_HOSTNAME=$(echo ${HOSTNAME} | ${OPENSSLBINARY} dgst -${OPENSSL_HASHTYPE} | awk '{ print $2 }')
fi
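Review bot: HOSTID2_GEN stays at "unknown" in both early-return paths of GetHostID, although HOSTID2 comes from the same source as HOSTID there: the profile branch sets only `HOSTID_GEN="profile"` and the hostids-file branch sets only `HOSTID_GEN="hostids-file"`. The main script then logs `hostid2-generation: method unknown` for an identifier whose origin is known, which weakens the provenance record this commit introduces. Add `HOSTID2_GEN="profile"` and `HOSTID2_GEN="hostids-file"` next to the existing assignments. Separately, the Linux `ip` path now ends in ReportException when neither eth0 nor an UP `en*` link yields a MAC, and ifconfig is no longer tried in that case, so hosts with other interface names appear to depend on the later SSH-key fallback. GetHostID continues outside these hunks, so confirm that this is intended.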

22
lynis

@ -970,17 +970,23 @@ ${NORMAL}
# Get host ID
LogTextBreak
GetHostID
LogText "hostid-generation: method ${HOSTID_GEN}"
LogText "hostid2-generation: method ${HOSTID2_GEN}"
# Check if result is not empty (no blank, or hash of blank value, or minus, or zeros)
if [ ! "${HOSTID}" = "-" -a ! "${HOSTID}" = "" -a ! "${HOSTID}" = "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" -a ! "${HOSTID}" = "6ef1338f520d075957424741d7ed35ab5966ae97" ]; then
LogText "Info: found valid HostID ${HOSTID}"
Report "hostid=${HOSTID}"
else
LogText "Info: no HostID found or invalid one"
fi
if [ ! "${HOSTID2}" = "" ]; then
case ${HOSTID} in
"" | "-" | "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" | "6ef1338f520d075957424741d7ed35ab5966ae97")
LogText "Info: no HostID found or invalid one"
;;
*)
LogText "Info: HostID ${HOSTID} looks to be valid"
Report "hostid=${HOSTID}"
;;
esac
if [ -n "${HOSTID2}" ]; then
Report "hostid2=${HOSTID2}"
fi
if [ ! "${MACHINEID}" = "" ]; then
if [ -n "${MACHINEID}" ]; then
LogText "Info: found a machine ID ${MACHINEID}"
Report "machineid=${MACHINEID}"
else
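Review bot: The two SHA1 literals in the new `case` pattern are undocumented; the comment above them only hints at their meaning ("hash of blank value ... or zeros"). A short comment naming the input behind each value would make the rejection list auditable, for example `# adc83b19...: SHA1 of a lone newline (empty value piped through echo)`. A matching line is needed for `6ef1338f...`, which is presumably the hash of an all-zero MAC address and should be confirmed. Note also that HOSTID2 is reported after only a `-n` test, so it gets none of the invalid-value screening applied to HOSTID; if that is deliberate, a one-line comment saying so would help.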