Improve HostID generation and logging

This commit is contained in:
Michael Boelen 2021-07-02 14:23:53 +02:00
parent 9070bc4ea6
commit da024079f1
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
3 changed files with 66 additions and 43 deletions


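--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -133,7 +133,9 @@ ETC_PATHS="/etc /usr/local/etc"
 HEADBINARY=""
 HELPER=""
 HOSTID=""
+HOSTID_GEN="unknown"
 HOSTID2=""
+HOSTID2_GEN="unknown"
 HTTPDBINARY=""
 IDS_IPS_TOOL_FOUND=0
 IFCONFIGBINARY=""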


@ -899,20 +899,22 @@
################################################################################ ################################################################################
GetHostID() { GetHostID() {
if [ ${SKIP_GETHOSTID} -eq 1 ]; then if [ ${SKIP_GETHOSTID} -eq 1 ]; then
Debug "Skipping HostID generation due to SKIP_GETHOSTID"
return 2 return 2
fi fi
if [ -n "${HOSTID}" -a -n "${HOSTID2}" ]; then if [ -n "${HOSTID}" -a -n "${HOSTID2}" ]; then
Debug "Skipping creation of host identifiers, as they are already configured (via profile)" Debug "Skipping creation of host identifiers, as they are already configured (via profile)"
HOSTID_GEN="profile"
return 2 return 2
fi fi
if [ -f "${ROOTDIR}etc/lynis/hostids" ]; then if [ -f "${ROOTDIR}etc/lynis/hostids" ]; then
Debug "Used hostids file to fetch values"
HOSTID=$(grep "^hostid=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}') HOSTID=$(grep "^hostid=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}')
HOSTID2=$(grep "^hostid2=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}') HOSTID2=$(grep "^hostid2=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}')
Debug "Used hostids file to fetch values"
HOSTID_GEN="hostids-file"
return 0 return 0
fi fi
@ -940,7 +942,7 @@
fi fi
if [ ! "${SHA1SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then if [ ! "${SHA1SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then
LogText "Info: found hashing tool, start generation of HostID"
case "${OS}" in case "${OS}" in
"AIX") "AIX")
@ -988,15 +990,29 @@
;; ;;
"Linux") "Linux")
# First use ip, then ifconfig as fallback
# Future change if [ -n "${IPBINARY}" ]; then
# Show brief output of ip of links that are UP. Filter out items like 'UNKNOWN' in col 2 # Determine if we have the common available eth0 interface. If so, give that priority.
# Using the {2} syntax does not work on all systems # Note: apply sorting in case there would be multiple MAC addresses linked to increase predictable end result
# ip -br link show up | sort | awk '$2=="UP" && $3 ~ /^[a-f0-9][a-f0-9]:/ {print $3}' FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]' | sort | head -1)
if HasData "${FIND}"; then
# Use ifconfig HOSTID_GEN="linux-ip-interface-eth0"
if [ -n "${IFCONFIGBINARY}" ]; then else
# Determine if we have the eth0 interface (not all Linux distro have this, e.g. Arch) # Trying the most stable route here:
# 1) First fetch all links that are UP and filter out everything not starting with 'en'
# 2) Filter entries that have a MAC address and filter out Docker related MAC addresses starting with '02:42:'
# 3) Convert everything to lowercase
# 4) Sort the entries, so that the output is more predictable between runs when the same interfaces are available
# 5) Select first entry
FIND=$(${IPBINARY} -family link addr show up label 'en*' 2> /dev/null | awk '{if($1=="link/ether" && $2 !~ "^02:42:"){print $2}}' | tr '[:upper:]' '[:lower:]' | sort | head -1)
if HasData "${FIND}"; then
HOSTID_GEN="linux-ip-interface-other"
else
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
fi
fi
elif [ -n "${IFCONFIGBINARY}" ]; then
# Determine if we have the eth0 interface (not all Linux distributions have this, e.g. Arch)
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0") HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
# Check if we can find it with HWaddr on the line # Check if we can find it with HWaddr on the line
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]') FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
@ -1009,38 +1025,32 @@
# If not, then falling back to getting first interface. Better than nothing. # If not, then falling back to getting first interface. Better than nothing.
if HasData "${HASETH0}"; then if HasData "${HASETH0}"; then
FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID_GEN="linux-ifconfig-interface-eth0-ether"
fi
else else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]') FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then if IsEmpty "${FIND}"; then
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)" ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
else else
LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)" HOSTID_GEN="linux-ifconfig-interface-first-ether"
LogText "Result: No eth0 found (but ether found), using first network interface to determine hostid (with ifconfig)"
fi fi
fi fi
else else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]') FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig" HOSTID_GEN="linux-ifconfig-interface-first-hwaddr"
fi
fi
elif [ -n "${IPBINARY}" ]; then
# Determine if we have the common available eth0 interface
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
# Determine the MAC address of first interface with the ip command
FIND=$(${IPBINARY} addr show 2> /dev/null | grep -E "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
fi fi
else
HOSTID_GEN="linux-ifconfig-interface-eth0-hwaddr"
fi fi
else else
ReportException "GetHostID" "Both ip and ifconfig tools are missing" ReportException "GetHostID" "Both ip and ifconfig tools are missing"
fi fi
# Check if we found a HostID # Check if we found a HostID
if HasData "${FIND}"; then if HasData "${FIND}"; then
LogText "Info: using hardware address ${FIND} to create ID" LogText "Info: using hardware address ${FIND} to create HostID"
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }') HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "Result: Found HostID: ${HOSTID}" LogText "Result: Found HostID: ${HOSTID}"
else else
@ -1100,9 +1110,9 @@
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
FIND=$(${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}') FIND=$(${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}')
if [ ! "${SHA1SUMBINARY}" = "" ]; then if [ -n "${SHA1SUMBINARY}" ]; then
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }') HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then elif [ -n "${OPENSSLBINARY}" ]; then
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }') HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
else else
ReportException "GetHostID" "Can not find sha1/sha1sum or openssl" ReportException "GetHostID" "Can not find sha1/sha1sum or openssl"
@ -1116,8 +1126,9 @@
ReportException "GetHostID" "Can't create HOSTID as OS is not supported yet by this function" ReportException "GetHostID" "Can't create HOSTID as OS is not supported yet by this function"
;; ;;
esac esac
# Remove HOSTID if it contains a default MAC address with a related hash value # Remove HOSTID if it contains a default MAC address with a related hash value
if [ ! "${HOSTID}" = "" ]; then if [ -n "${HOSTID}" ]; then
for CHECKHASH in ${BLACKLISTED_HASHES}; do for CHECKHASH in ${BLACKLISTED_HASHES}; do
if [ "${CHECKHASH}" = "${HOSTID}" ]; then if [ "${CHECKHASH}" = "${HOSTID}" ]; then
LogText "Result: hostid is a blacklisted value" LogText "Result: hostid is a blacklisted value"
@ -1125,6 +1136,7 @@
fi fi
done done
fi fi
else else
ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)" ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)"
fi fi
@ -1152,6 +1164,7 @@
if [ -n "${SHA1SUMBINARY}" ]; then if [ -n "${SHA1SUMBINARY}" ]; then
HOSTID=$(${SHA1SUMBINARY} /etc/ssh/${I} | awk '{ print $1 }') HOSTID=$(${SHA1SUMBINARY} /etc/ssh/${I} | awk '{ print $1 }')
LogText "result: Created HostID with SSH key ($I): ${HOSTID}" LogText "result: Created HostID with SSH key ($I): ${HOSTID}"
HOSTID_GEN="fallback-ssh-public-key"
else else
ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing" ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing"
fi fi
@ -1163,9 +1176,9 @@
fi fi
fi fi
# New style host ID # Generation of HostID version 2
if [ "${HOSTID2}" = "" ]; then if [ -z "${HOSTID2}" ]; then
LogText "Info: creating a HostID (version 2)" LogText "Info: start generation of HostID (version 2)"
FOUND=0 FOUND=0
DATA_SSH="" DATA_SSH=""
# Use public keys # Use public keys
@ -1188,19 +1201,21 @@
if [ ${FOUND} -eq 1 -a -n "${DATA_SSH}" ]; then if [ ${FOUND} -eq 1 -a -n "${DATA_SSH}" ]; then
LogText "Using SSH public key to create the second host identifier" LogText "Using SSH public key to create the second host identifier"
STRING_TO_HASH="${DATA_SSH}" STRING_TO_HASH="${DATA_SSH}"
HOSTID2_GEN="ssh-public-key"
else else
if [ -n "${MACHINEID}" ]; then if [ -n "${MACHINEID}" ]; then
LogText "Using the machine ID to create the second host identifier" LogText "Using the machine ID to create the second host identifier"
STRING_TO_HASH="${MACHINEID}" STRING_TO_HASH="${MACHINEID}"
HOSTID2_GEN="machine-id"
fi fi
fi fi
# Check if we have a string to turn into a host identifier # Check if we have a string to turn into a host identifier
if [ -n "${STRING_TO_HASH}" ]; then if [ -n "${STRING_TO_HASH}" ]; then
# Create hashes # Create hashes
if [ ! "${SHA256SUMBINARY}" = "" ]; then if [ -n "${SHA256SUMBINARY}" ]; then
HASH2=$(echo ${STRING_TO_HASH} | ${SHA256SUMBINARY} | awk '{ print $1 }') HASH2=$(echo ${STRING_TO_HASH} | ${SHA256SUMBINARY} | awk '{ print $1 }')
HASH_HOSTNAME=$(echo ${HOSTNAME} | ${SHA256SUMBINARY} | awk '{ print $1 }') HASH_HOSTNAME=$(echo ${HOSTNAME} | ${SHA256SUMBINARY} | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then elif [ -n "${OPENSSLBINARY}" ]; then
HASH2=$(echo ${STRING_TO_HASH} | ${OPENSSLBINARY} dgst -${OPENSSL_HASHTYPE} | awk '{ print $2 }') HASH2=$(echo ${STRING_TO_HASH} | ${OPENSSLBINARY} dgst -${OPENSSL_HASHTYPE} | awk '{ print $2 }')
HASH_HOSTNAME=$(echo ${HOSTNAME} | ${OPENSSLBINARY} dgst -${OPENSSL_HASHTYPE} | awk '{ print $2 }') HASH_HOSTNAME=$(echo ${HOSTNAME} | ${OPENSSLBINARY} dgst -${OPENSSL_HASHTYPE} | awk '{ print $2 }')
fi fi
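Review bot: In the Linux `ip` branch of the hunk at -988,15 +990,29, the non-eth0 fallback only considers interfaces matching `label 'en*'`, whereas the code it replaces took the first `link/ether` address from any interface, so a host whose only interfaces use other names (for example `eth1`, bond, bridge or wireless devices) now skips MAC-based generation and the exception text `Can't create hostid (no MAC addresses found)` is misleading for it. If narrowing to `en*` is deliberate the message should say so; otherwise a final unrestricted attempt after the `en*` one keeps the earlier coverage while still preferring predictable names, as sketched below. Because this HostID is the value the report is keyed on, hosts that have no persisted hostids file yet and previously obtained their ID through the ifconfig path may receive a different value now that `ip` is tried first; that deserves a changelog line. The GetHostID function starts before the first hunk and ends after the last one shown.
```shell
# … unchanged: eth0 attempt and the 'en*' attempt that fills FIND …
if HasData "${FIND}"; then
    HOSTID_GEN="linux-ip-interface-other"
else
    # Last resort: any UP interface with a non-Docker MAC, regardless of naming scheme
    FIND=$(${IPBINARY} -family link addr show up 2> /dev/null | awk '{if($1=="link/ether" && $2 !~ "^02:42:"){print $2}}' | tr '[:upper:]' '[:lower:]' | sort | head -1)
    if HasData "${FIND}"; then
        HOSTID_GEN="linux-ip-interface-any"   # constructed label; pick the name that fits the scheme
    else
        ReportException "GetHostID" "Can't create hostid (no MAC addresses found on any interface)"
    fi
fi
```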

22
lynis

@ -970,17 +970,23 @@ ${NORMAL}
# Get host ID # Get host ID
LogTextBreak LogTextBreak
GetHostID GetHostID
LogText "hostid-generation: method ${HOSTID_GEN}"
LogText "hostid2-generation: method ${HOSTID2_GEN}"
# Check if result is not empty (no blank, or hash of blank value, or minus, or zeros) # Check if result is not empty (no blank, or hash of blank value, or minus, or zeros)
if [ ! "${HOSTID}" = "-" -a ! "${HOSTID}" = "" -a ! "${HOSTID}" = "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" -a ! "${HOSTID}" = "6ef1338f520d075957424741d7ed35ab5966ae97" ]; then case ${HOSTID} in
LogText "Info: found valid HostID ${HOSTID}" "" | "-" | "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" | "6ef1338f520d075957424741d7ed35ab5966ae97")
Report "hostid=${HOSTID}" LogText "Info: no HostID found or invalid one"
else ;;
LogText "Info: no HostID found or invalid one" *)
fi LogText "Info: HostID ${HOSTID} looks to be valid"
if [ ! "${HOSTID2}" = "" ]; then Report "hostid=${HOSTID}"
;;
esac
if [ -n "${HOSTID2}" ]; then
Report "hostid2=${HOSTID2}" Report "hostid2=${HOSTID2}"
fi fi
if [ ! "${MACHINEID}" = "" ]; then if [ -n "${MACHINEID}" ]; then
LogText "Info: found a machine ID ${MACHINEID}" LogText "Info: found a machine ID ${MACHINEID}"
Report "machineid=${MACHINEID}" Report "machineid=${MACHINEID}"
else else