#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Report
#
#################################################################################
#
logtextbreak
#if [ ${QUIET} -eq 0 ]; then
# echo ""
# echo " ---------------------------------------------------"
# echo " Program version: ${PROGRAM_version}"
# echo " Operating system: ${OS_NAME}"
# echo " Operating system version: ${OS_VERSION}"
# if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi
# echo " Kernel version: ${OS_KERNELVERSION}"
# echo " Hardware platform: ${HARDWARE}"
# echo " Hostname: ${HOSTNAME}"
# echo " Auditor: ${AUDITORNAME}"
# echo " Profile: ${PROFILE}"
# echo " Log file: ${LOGFILE}"
# echo " Report file: ${REPORTFILE}"
# echo " Report version: ${REPORT_version}"
# echo " ---------------------------------------------------"
# fi
#
#################################################################################
#
# Hardening Index
# Define approximately how strong a machine has been hardened
#
#################################################################################
#
# If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=`expr $HPPOINTS \* 100 / $HPTOTAL`
HPAOBLOCKS=`expr $HPPOINTS \* 20 / $HPTOTAL`
# Set color related to rating
if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}"
HIDESCRIPTION="System has not or a low amount been hardened"
fi
if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
HPCOLOR="${YELLOW}"
HIDESCRIPTION="System has been hardened, but could use additional hardening"
fi
if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be decent hardened"
fi
if [ ${HPINDEX} -gt 89 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be well hardened"
fi
case ${HPAOBLOCKS} in
0) HPBLOCKS="#"; HPEMPTY=" " ;;
1) HPBLOCKS="#"; HPEMPTY=" " ;;
2) HPBLOCKS="##"; HPEMPTY=" " ;;
3) HPBLOCKS="###"; HPEMPTY=" " ;;
4) HPBLOCKS="####"; HPEMPTY=" " ;;
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
6) HPBLOCKS="######"; HPEMPTY=" " ;;
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
8) HPBLOCKS="########"; HPEMPTY=" " ;;
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
12) HPBLOCKS="############"; HPEMPTY=" " ;;
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
16) HPBLOCKS="################"; HPEMPTY=" " ;;
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
20) HPBLOCKS="####################"; HPEMPTY="" ;;
esac
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
logtext "Hardening strength: ${HIDESCRIPTION}"
report "hardening_index=${HPINDEX}"
#
#################################################################################
#
# Show test results overview
#
#################################################################################
#
# Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================"
echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
echo "";
# Show warnings from logfile
SWARNINGS=`cat ${LOGFILE} | grep -i 'warning:' | sed 's/ /!space!/g'`
if [ "${SWARNINGS}" = "" ]; then
echo " ${OK}No warnings${NORMAL}"; echo ""
else
echo " ${WARNING}Warnings${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}"
for WARNING in ${SWARNINGS}; do
SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //'`
ADDLINK=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: \(.*\)\[//' | sed 's/\]//'`
echo " ${WHITE}- ${SHOWWARNING}${NORMAL}"
echo " http://cisofy.com/controls/${ADDLINK}/"
echo ""
done
fi
# Show suggestions from logfile
SSUGGESTIONS=`grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g'`
if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
else
echo " ${YELLOW}Suggestions${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do
SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //'`
ADDLINK=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: \(.*\)\[//' | sed 's/\]//'`
echo " - ${SHOWSUGGESTION}"
echo " http://cisofy.com/controls/${ADDLINK}/"
done
echo ""
fi
if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then
echo " ${CYAN}Follow-up${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}"
echo " ${WHITE}-${NORMAL} Check the logfile (less $LOGFILE)"
echo " ${WHITE}-${NORMAL} Read security controls texts (http://cisofy.com)"
echo " ${WHITE}-${NORMAL} Use --upload to upload data (Lynis Enterprise users)"
echo ""
fi
echo "================================================================================"
echo " ${WHITE}Lynis Scanner (details)${NORMAL}:"
echo ""
echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
echo ""
echo " ${SECTION}Lynis Modules${NORMAL}:"
# Heuristics will be implemented later
echo " - Heuristics Check [${WHITE}NA${NORMAL}] - Security Audit [${GREEN}V${NORMAL}] - Vulnerability Scan [${GREEN}V${NORMAL}]"
echo ""
echo " ${SECTION}Compliance Checks${NORMAL}:"
# Compliance checks and status will be marked in upcoming releases
echo " - HIPAA [${WHITE}NA${NORMAL}] - PCI [${WHITE}NA${NORMAL}] - SOx [${WHITE}NA${NORMAL}] "
echo ""
echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
echo " - Report data : ${WHITE}${REPORTFILE}${NORMAL}"
echo "================================================================================"
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo " ${NOTICE}Notice: ${WHITE}${PROGRAM_name} update available${NORMAL}"
echo " Current version : ${WHITE}${PROGRAM_AC}${NORMAL} Latest version : ${WHITE}${PROGRAM_LV}${NORMAL}"
echo "================================================================================"
else
###########################################################################################
#
# Software quality program
# Only provide this hint when the tool is at the latest version
#
###########################################################################################
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
# Determine if the quality of the program can be increased by filtering out the exceptions
FIND=`${GREPBINARY} "^exception" ${REPORTFILE}`
if [ ! "${FIND}" = "" ]; then
echo ""
echo " ${RED}Exceptions found${NORMAL}"
echo " ${WHITE}Some exceptional events or information was found!${NORMAL}"
echo ""
echo " ${CYAN}What to do:${NORMAL}"
echo " You can help improving Lynis by providing your report file."
echo " Go to http://cisofy.com/contact/ and send your file to the e-mail address listed"
echo ""
echo "================================================================================"
fi
fi
fi
# Display what tests are skipped in non-privileged scan for awareness
if [ ${PENTESTINGMODE} -eq 1 -a ! "${SKIPPED_TESTS_ROOTONLY}" = "" ]; then
echo ""
echo " ${PURPLE}Skipped tests due to non-privileged scan${NORMAL}"
FIND=`echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g'`
# Split entries
FIND=`echo ${FIND} | sed 's/====/ /g'`
# Display found entries
for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'`
echo " ${J}"
done
echo ""
echo "================================================================================"
fi
if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
echo " Tip: Disable all tests which are not relevant or are too strict for the"
echo " purpose of this particular machine. This will remove unwanted suggestions"
echo " and also boost the hardening index. Each test should be properly analyzed"
echo " to see if the related risks can be accepted, before disabling the test."
echo "================================================================================"
fi
echo " ${PROGRAM_name} ${PROGRAM_version}"
echo " ${PROGRAM_copyright}"
echo " ${WHITE}${PROGRAM_extrainfo}${NORMAL}"
echo "================================================================================"
echo ""; echo ""
fi
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - cisofy.com - The Netherlands