mirror of
https://github.com/CISOfy/lynis.git
synced 2025-07-31 01:34:23 +02:00
b595cc0fb5
* Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
210 lines
6.5 KiB
Bash
210 lines
6.5 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2017, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
|
|
if [ $# -eq 0 ]; then
|
|
|
|
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
|
|
Display --text " "; Display --text " "
|
|
ExitFatal
|
|
else
|
|
FILE=$(echo $1 | egrep "^http|https")
|
|
if [ ! "${FILE}" = "" ] ; then
|
|
CreateTempFile
|
|
TMP_FILE="${TEMP_FILE}"
|
|
Display --indent 2 --text "Downloading URL ${FILE} with wget"
|
|
wget -o ${TMP_FILE} ${FILE}
|
|
if [ $? -gt 0 ]; then
|
|
AUDIT_FILE="${TMP_FILE}"
|
|
else
|
|
if [ -f ${TMP_FILE} ]; then
|
|
rm -f ${TMP_FILE}
|
|
fi
|
|
Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
|
|
ExitFatal
|
|
fi
|
|
else
|
|
if [ -f $1 ]; then
|
|
AUDIT_FILE="$1"
|
|
else
|
|
Display --indent 2 --text "File $1 does not exist"
|
|
ExitFatal
|
|
fi
|
|
fi
|
|
Display --indent 2 --text "File to audit = ${AUDIT_FILE}"
|
|
fi
|
|
|
|
#####################################################
|
|
|
|
#
|
|
##################################################################################################
|
|
#
|
|
|
|
InsertSection "Image"
|
|
|
|
PKGMGR=""
|
|
FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g')
|
|
for I in ${FIND}; do
|
|
IMAGE=$(echo ${I} | sed 's/:space:/ /g' | awk '{ if ($1=="FROM") { print $2 }}')
|
|
Display --indent 2 --text "Found image:" --result "${IMAGE}"
|
|
|
|
IS_UBUNTU=$(echo ${IMAGE} | grep -i ubuntu)
|
|
if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi
|
|
if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi
|
|
if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi
|
|
|
|
case ${IMAGE} in
|
|
"debian")
|
|
LogText "Image = Debian based"
|
|
PKGMGR="apt"
|
|
;;
|
|
|
|
"fedora*")
|
|
LogText " Image = Fedora based"
|
|
PKGMGR="yum"
|
|
;;
|
|
"ubuntu")
|
|
LogText " Image = Ubuntu based"
|
|
PKGMGR="apt"
|
|
;;
|
|
*)
|
|
Display --indent 2 --text "Unknown image" --result "" --color YELLOW
|
|
;;
|
|
esac
|
|
done
|
|
|
|
#
|
|
##################################################################################################
|
|
#
|
|
|
|
InsertSection "Basics"
|
|
|
|
FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
|
|
if [ "${FIND}" = "" ]; then
|
|
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
|
|
else
|
|
MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
|
|
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
|
|
fi
|
|
|
|
#
|
|
##################################################################################################
|
|
#
|
|
|
|
InsertSection "Software"
|
|
|
|
case $PKGMGR in
|
|
"apt")
|
|
FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE})
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Found installation via apt-get"
|
|
else
|
|
LogText "No installations found via apt-get"
|
|
fi
|
|
;;
|
|
*)
|
|
LogText "Unknown package manager"
|
|
;;
|
|
esac
|
|
|
|
FIND=$(egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#")
|
|
if [ ! "${FIND}" = "" ]; then
|
|
ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
|
|
LogText "Details: ${FIND}"
|
|
fi
|
|
|
|
# SSH
|
|
FIND_OPENSSH=$(grep openssh ${AUDIT_FILE})
|
|
if [ ! "${FIND_OPENSSH}" = "" ]; then
|
|
Display --indent 2 --text "OpenSSH" --result "FOUND" --color RED
|
|
ReportSuggestion "dockerfile" "Don't use OpenSSH in container, use 'docker exec' instead"
|
|
fi
|
|
#
|
|
##################################################################################################
|
|
#
|
|
InsertSection "Downloads"
|
|
|
|
FILE_DOWNLOAD=0
|
|
|
|
LogText "Checking usage of cURL"
|
|
FIND_CURL=$(grep curl ${AUDIT_FILE})
|
|
if [ ! "${FIND_CURL}" = "" ]; then
|
|
Display --indent 4 --text "Download tool" --result "curl"
|
|
FILE_DOWNLOAD=1
|
|
fi
|
|
|
|
LogText "Checking usage of wget"
|
|
FIND_WGET=$(grep wget ${AUDIT_FILE})
|
|
if [ ! "${FIND_WGET}" = "" ]; then
|
|
Display --indent 4 --text "Download tool" --result "wget"
|
|
FILE_DOWNLOAD=1
|
|
fi
|
|
|
|
|
|
FIND=$(grep "^ADD http" ${AUDIT_FILE})
|
|
if [ ! "${FIND}" = "" ]; then
|
|
FILE_DOWNLOAD=1
|
|
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
|
|
LogText "Details: ${FIND}"
|
|
fi
|
|
|
|
if [ ${FILE_DOWNLOAD} -eq 1 ]; then
|
|
|
|
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
|
|
|
|
if [ ! "${SSL_USED_FIND}" = "" ]; then
|
|
SSL_USED="YES"
|
|
COLOR="GREEN"
|
|
else
|
|
SSL_USED="NO"
|
|
COLOR="RED"
|
|
ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
|
|
fi
|
|
Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR}
|
|
HASHING_USED=$(egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE})
|
|
Display --indent 2 --text "Hashing" --result "${HASHING_USED}"
|
|
KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE})
|
|
Display --indent 2 --text "Signing keys used" --result ${SSL_USED}
|
|
Display --indent 2 --text "All downloads properly checked" --result "?"
|
|
else
|
|
Display --indent 2 --text "No files seems to be downloaded in this Dockerfile"
|
|
|
|
fi
|
|
#
|
|
##################################################################################################
|
|
#
|
|
InsertSection "Permissions"
|
|
|
|
FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
|
|
if [ ! "${FIND}" = "" ]; then
|
|
ReportWarning "dockerfile" "Warning: chmod 777 found"
|
|
fi
|
|
#
|
|
##################################################################################################
|
|
#
|
|
|
|
# Removing temp file
|
|
LogText "Action: Removing temporary file ${TMP_FILE}"
|
|
if [ -f ${TMP_FILE} ]; then
|
|
rm -f ${TMP_FILE}
|
|
fi
|
|
|
|
|
|
# The End
|