mirror of https://github.com/CISOfy/lynis.git
1182 lines
51 KiB
Bash
Executable File
1182 lines
51 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# 2013-now, CISOfy
|
|
#
|
|
# Web site: https://cisofy.com
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
# Lynis is licensed under GPLv3, Plugins are licensed differently (see plugins)
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Lynis is an automated auditing tool for Unix based operating systems.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is.
|
|
# Switch to /usr/xpg4/bin/sh if it exists and we are not already running it.
|
|
if [ "$(uname)" = "SunOS" ]; then
|
|
test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Code quality: don't allow using undefined variables
|
|
# Notes: $_ may be empty on FreeBSD
|
|
set -o nounset
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Program information
|
|
PROGRAM_NAME="Lynis"
|
|
PROGRAM_AUTHOR="CISOfy"
|
|
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
|
|
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
|
|
|
|
# Version details
|
|
PROGRAM_RELEASE_DATE="2021-07-08"
|
|
PROGRAM_RELEASE_TIMESTAMP=1625744373
|
|
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
|
|
PROGRAM_VERSION="3.0.6"
|
|
|
|
# Source, documentation and license
|
|
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
|
|
PROGRAM_PACKAGE="https://packages.cisofy.com/"
|
|
PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
|
|
PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
|
|
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
welcome to redistribute it under the terms of the GNU General Public License.
|
|
See the LICENSE file for details about using this software."
|
|
PROGRAM_EXTRAINFO="Enterprise support available (compliance, plugins, interface and tools)"
|
|
|
|
# Version number of report files (when format changes in future)
|
|
REPORT_version_major="1"; REPORT_version_minor="0"
|
|
REPORT_version="${REPORT_version_major}.${REPORT_version_minor}"
|
|
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Configure Include path and files
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Check setuid bit
|
|
if [ -u "$0" ]; then echo "The called binary has the set-user-id bit - As this is unusual, execution will be stopped."; exit 1; fi
|
|
|
|
# Work directory
|
|
WORKDIR=$(pwd)
|
|
|
|
# Test from which directories we can use all functions and tests
|
|
USE_CWD=0
|
|
if case "$@" in *--usecwd*) true;; *) false;; esac; then
|
|
USE_CWD=1
|
|
INCLUDEDIR="./include"
|
|
else
|
|
INCLUDEDIR=""
|
|
tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone)
|
|
for I in ${tINCLUDE_TARGETS}; do
|
|
if [ "${I}" = "./include" ]; then
|
|
if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi
|
|
elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then
|
|
INCLUDEDIR=${I}
|
|
break
|
|
fi
|
|
done
|
|
fi
|
|
|
|
# Drop out if our include directory can't be found
|
|
if [ -z "${INCLUDEDIR}" ]; then
|
|
printf "%s" "\nFatal error: can't find include directory\nMake sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
|
|
exit 1
|
|
fi
|
|
|
|
# Test for database directory
|
|
if [ ${USE_CWD} -eq 1 ]; then
|
|
DBDIR="./db"
|
|
else
|
|
DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db"
|
|
for I in ${tDB_TARGETS}; do
|
|
if [ "${I}" = "./db" ]; then
|
|
if [ -d "${WORKDIR}/db" ]; then DBDIR="${WORKDIR}/db"; fi
|
|
elif [ -d ${I} -a -z "${DBDIR}" ]; then
|
|
DBDIR="${I}"
|
|
fi
|
|
done
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
MYID=""
|
|
# Check user to determine file permissions later on. If we encounter Solaris, use related id binary instead
|
|
if [ -x /usr/xpg4/bin/id ]; then
|
|
MYID=$(/usr/xpg4/bin/id -u 2> /dev/null)
|
|
elif [ "$(uname)" = "SunOS" ]; then
|
|
MYID=$(id | tr '=' ' ' | tr '(' ' ' | awk '{ print $2 }' 2> /dev/null)
|
|
else
|
|
MYID=$(id -u 2> /dev/null)
|
|
fi
|
|
if [ -z "${MYID}" ]; then Display "Could not find user ID with id command. Want to help improve Lynis? Raise a ticket at ${PROGRAM_SOURCE}"; ExitFatal; fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Set basic values and test permissions of the files to include, such as:
|
|
# - consts: bin paths, text strings, colors
|
|
# - functions: function library
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Determine if we are root (UID = 0)
|
|
if [ ${MYID} -eq 0 ]; then
|
|
PRIVILEGED=1
|
|
PENTESTINGMODE=0
|
|
else
|
|
PRIVILEGED=0
|
|
# Set to pentesting mode if scan is without root privileges
|
|
PENTESTINGMODE=1
|
|
fi
|
|
|
|
# Perform a basic check for permissions. After including functions, using SafePerms()
|
|
IGNORE_FILE_PERMISSION_ISSUES=0
|
|
|
|
FILES_TO_CHECK="consts functions"
|
|
|
|
ISSUE=0
|
|
ISSUE_TYPE=""
|
|
SHOWPERMERROR=0
|
|
|
|
for FILE in ${FILES_TO_CHECK}; do
|
|
PERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 2-10)
|
|
GROUPPERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 5-7)
|
|
GROUPOWNERID=$(ls -n ${INCLUDEDIR}/${FILE} | awk '{ print $4 }')
|
|
OWNER=$(ls -l ${INCLUDEDIR}/${FILE} | awk -F" " '{ print $3 }')
|
|
OWNERID=$(ls -n ${INCLUDEDIR}/${FILE} | awk -F" " '{ print $3 }')
|
|
|
|
# Check permissions of include/X file (400, 600, 640, 644)
|
|
if [ "${PERMS}" = "rwxrwxrwx" ]; then
|
|
ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
|
|
elif [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then
|
|
# If group ID equals user ID, we consider permissions to be fine (probably default umask)
|
|
if [ ! "${GROUPOWNERID}" = "${OWNERID}" ]; then
|
|
ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
|
|
fi
|
|
fi
|
|
|
|
# Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode)
|
|
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
|
|
if [ ! "${MYID}" = "${OWNERID}" ]; then
|
|
ISSUE=1; ISSUE_TYPE="owner"; SHOWPERMERROR=1; ISSUE_FILE="${FILE}"; ISSUE_OWNER="${OWNER}"; ISSUE_OWNERID="${OWNERID}"
|
|
fi
|
|
fi
|
|
done
|
|
|
|
if [ ${SHOWPERMERROR} -eq 1 ]; then
|
|
printf "%s" "
|
|
|
|
[!] Change ownership of ${INCLUDEDIR}/${ISSUE_FILE} to 'root' or similar (found: ${ISSUE_OWNER} with UID ${ISSUE_OWNERID}).
|
|
|
|
Command:
|
|
# chown 0:0 ${INCLUDEDIR}/${ISSUE_FILE}
|
|
"
|
|
fi
|
|
|
|
# Now if there is an issue with permissions, show it to the user and let them decide how to continue.
|
|
if [ ${ISSUE} -eq 1 ]; then
|
|
printf "\n[X] Security check failed\n\n Why do I see this error?\n -------------------------------\n This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.\n\n What can I do?\n ---------------------\n Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar).\n If you trust these files, you can decide to continue this run by pressing ENTER.\n"
|
|
if [ "${ISSUE_TYPE}" = "perms" ]; then
|
|
printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod 640 include/*\n # ./lynis audit system"
|
|
elif [ "${ISSUE_TYPE}" = "owner" ]; then
|
|
printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system"
|
|
fi
|
|
printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]"
|
|
IGNORE_FILE_PERMISSION_ISSUES=1
|
|
read -r void
|
|
fi
|
|
|
|
# Now include files if permissions are correct, or user decided to continue
|
|
. ${INCLUDEDIR}/consts
|
|
. ${INCLUDEDIR}/functions
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Language settings
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Auto detection of language based on shell LANG variable. This is required by the Display() function to deal with multi-bytes characters.
|
|
DISPLAY_LANG="${LANG:-}"
|
|
|
|
# Extract the short notation of the language (first two characters).
|
|
if [ -x "$(command -v locale 2> /dev/null)" ]; then
|
|
LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
|
|
# Try locale command if shell variable had no value
|
|
if [ -z "${DISPLAY_LANG}" ]; then
|
|
DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
|
|
fi
|
|
else
|
|
LANGUAGE="en"
|
|
fi
|
|
|
|
# Set default language: 'en' (English) if no value is set
|
|
if [ -z "${LANGUAGE}" ]; then
|
|
LANGUAGE="en"
|
|
fi
|
|
|
|
# Import translations. First import English to prefill all texts
|
|
if [ -f ${DBDIR}/languages/en ]; then
|
|
if SafeFile "${DBDIR}/languages/en"; then
|
|
. ${DBDIR}/languages/en
|
|
else
|
|
ExitFatal "Incorrect ownership or permissions of language file (${DBDIR}/languages/en)"
|
|
fi
|
|
else
|
|
echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
|
|
exit 1
|
|
fi
|
|
|
|
# Now that we have determined the language, we unset it from shell
|
|
# Some tools with translated strings are very hard to parse
|
|
unset LANG
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Traps
|
|
#
|
|
#################################################################################
|
|
#
|
|
trap CleanUp INT TERM
|
|
trap Status USR1
|
|
|
|
# Use safe umask for the files we create
|
|
umask 027
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Parameter checks
|
|
#
|
|
#################################################################################
|
|
#
|
|
SafePerms ${INCLUDEDIR}/parameters
|
|
. ${INCLUDEDIR}/parameters
|
|
|
|
|
|
# Disable logging if no alternative was provided
|
|
if [ ${PRIVILEGED} -eq 0 ]; then
|
|
if [ -z "${LOGFILE}" ]; then
|
|
# Try creating a log file in home directory
|
|
if [ ! -f "$HOME/lynis.log" ]; then
|
|
if [ -L "$HOME/lynis.log" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
|
|
touch "$HOME/lynis.log"
|
|
if [ $? -eq 0 ]; then LOGFILE="$HOME/lynis.log"; else LOGFILE="/dev/null"; fi
|
|
else
|
|
LOGFILE="$HOME/lynis.log"
|
|
fi
|
|
else
|
|
if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
|
|
fi
|
|
if [ -z "${REPORTFILE}" ]; then
|
|
touch "$HOME/lynis-report.dat"
|
|
if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
|
|
if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
|
|
else
|
|
if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Program information
|
|
#
|
|
#################################################################################
|
|
#
|
|
# CV - Current Version
|
|
PROGRAM_AC=$(echo ${PROGRAM_VERSION} | awk '{ print $1 }' | sed 's/[.]//g')
|
|
PROGRAM_LV=0
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Initialize and default settings
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
if [ ${QUIET} -eq 0 ]; then
|
|
printf "\n${WHITE}[ ${PROGRAM_NAME} ${PROGRAM_VERSION} ]${NORMAL}\n\n################################################################################\n ${PROGRAM_LICENSE}\n\n ${PROGRAM_COPYRIGHT}\n ${PROGRAM_EXTRAINFO}\n################################################################################\n\n"
|
|
fi
|
|
|
|
if [ "${PROGRAM_RELEASE_TYPE}" = "beta" ]; then
|
|
printf "%s" "
|
|
${WHITE}
|
|
#########################################################
|
|
# ${YELLOW}BETA VERSION${WHITE} #
|
|
#########################################################
|
|
|
|
Thank you for testing a beta release. Make sure to read
|
|
all available documentation before proceeding and/or
|
|
requesting support. Due the nature of beta releases, it
|
|
is possible new features give unexpected warnings.
|
|
|
|
|
|
#########################################################
|
|
${NORMAL}
|
|
"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "${GEN_INITIALIZE_PROGRAM}"
|
|
|
|
# Discover any profiles
|
|
DiscoverProfiles
|
|
|
|
# Initialize and check profile file, auditor name, log file and report file
|
|
if [ -z "${LOGDIR}" ]; then LOGDIR="/var/log"; fi
|
|
if [ -z "${AUDITORNAME}" ]; then AUDITORNAME="[Not Specified]"; fi
|
|
if [ -z "${LOGFILE}" ]; then LOGFILE="${LOGDIR}/lynis.log"; fi
|
|
if [ -z "${REPORTFILE}" ]; then REPORTFILE="${LOGDIR}/lynis-report.dat"; fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# PID :: Check PID file, to avoid multiple instances running at the same time.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
|
|
# home directory isn't set. For root it will be /var/run, or the current working directory if /var/run doesn't exist.
|
|
MYHOMEDIR=$(echo ~ 2> /dev/null)
|
|
if [ -z "${MYHOMEDIR}" ]; then MYHOMEDIR="/tmp"; fi
|
|
|
|
if [ ${PRIVILEGED} -eq 0 ]; then
|
|
PIDFILE="${MYHOMEDIR}/lynis.pid"
|
|
elif [ -d /var/run ]; then
|
|
PIDFILE="/var/run/lynis.pid"
|
|
else
|
|
PIDFILE="./lynis.pid"
|
|
fi
|
|
|
|
# Check if there is already a PID file in any of the locations (incorrect termination of previous instance)
|
|
if [ -f "${MYHOMEDIR}/lynis.pid" -o -f "./lynis.pid" -o -f "/var/run/lynis.pid" ]; then
|
|
printf "%s" "
|
|
|
|
${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis process is running.${NORMAL}
|
|
------------------------------------------------------------------------------
|
|
If you are unsure if another Lynis process is running currently, you are advised
|
|
to stop the current process and check the process list first. If you cancelled
|
|
a previous instance (by using CTRL+C), you can ignore this message.
|
|
|
|
You are advised to check for temporary files after program completion.
|
|
------------------------------------------------------------------------------
|
|
|
|
${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}
|
|
"
|
|
|
|
# Quit directly for cron jobs.
|
|
if [ ${CRONJOB} -eq 1 ]; then
|
|
echo "Quitting, to prevent multiple cron jobs running at the same time"
|
|
exit 1 # Manually exit, no cleanups to prevent deleting an active PID file
|
|
else
|
|
WaitForKeyPress
|
|
fi
|
|
|
|
# Deleting any stale PID files that might exist. Note: Display function does not work yet at this point
|
|
if [ -f "${MYHOMEDIR}/lynis.pid" ]; then rm -f "${MYHOMEDIR}/lynis.pid"; fi
|
|
if [ -f "./lynis.pid" ]; then rm -f "./lynis.pid"; fi
|
|
if [ -f "/var/run/lynis.pid" ]; then rm -f "/var/run/lynis.pid"; fi
|
|
fi
|
|
|
|
# Ensure symlink attack is not possible, by confirming there is no symlink of the file already
|
|
OURPID=$(echo $$)
|
|
if [ -L ${PIDFILE} ]; then
|
|
echo "Found symlinked PID file (${PIDFILE}), quitting"
|
|
ExitFatal
|
|
else
|
|
# Create new PID file writable only by owner
|
|
echo "${OURPID}" > ${PIDFILE}
|
|
chmod 600 ${PIDFILE}
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Check program parameters
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Bail out if we didn't get any parameter, or incorrect ones
|
|
if [ ${PARAMCOUNT} -eq 0 -o ${WRONGOPTION} -eq 1 -o ${VIEWHELP} -eq 1 ]; then
|
|
printf "%s" "
|
|
|
|
${GREEN}Usage:${NORMAL} lynis ${CYAN}command ${GRAY}[options]${NORMAL}
|
|
|
|
|
|
${WHITE}Command:${NORMAL}
|
|
|
|
${CYAN}audit${NORMAL}
|
|
audit system : Perform local security scan
|
|
audit system remote <host> : Remote security scan
|
|
audit dockerfile <file> : Analyze Dockerfile
|
|
|
|
${CYAN}show${NORMAL}
|
|
show : Show all commands
|
|
show version : Show ${PROGRAM_NAME} version
|
|
show help : Show help
|
|
|
|
${CYAN}update${NORMAL}
|
|
update info : Show update details
|
|
|
|
|
|
${WHITE}Options:${NORMAL}
|
|
|
|
${WHITE}Alternative system audit modes${NORMAL}
|
|
${GRAY}--forensics${NORMAL} : Perform forensics on a running or mounted system
|
|
${GRAY}--pentest${NORMAL} : Non-privileged, show points of interest for pentesting
|
|
|
|
${WHITE}Layout options${NORMAL}
|
|
${GRAY}--no-colors${NORMAL} : Don't use colors in output
|
|
${GRAY}--quiet (-q)${NORMAL} : No output
|
|
${GRAY}--reverse-colors${NORMAL} : Optimize color display for light backgrounds
|
|
${GRAY}--reverse-colours${NORMAL} : Optimize colour display for light backgrounds
|
|
|
|
${WHITE}Misc options${NORMAL}
|
|
${GRAY}--debug${NORMAL} : Debug logging to screen
|
|
${GRAY}--no-log${NORMAL} : Don't create a log file
|
|
${GRAY}--profile ${BROWN}<profile>${NORMAL} : Scan the system with the given profile file
|
|
${GRAY}--view-manpage (--man)${NORMAL} : View man page
|
|
${GRAY}--verbose${NORMAL} : Show more details on screen
|
|
${GRAY}--version (-V)${NORMAL} : Display version number and quit
|
|
${GRAY}--wait${NORMAL} : Wait between a set of tests
|
|
${GRAY}--slow-warning ${BROWN}<seconds>${NORMAL} : Threshold for slow test warning in seconds (default 10)
|
|
|
|
${WHITE}Enterprise options${NORMAL}
|
|
${GRAY}--plugindir ${BROWN}<path>${NORMAL} : Define path of available plugins
|
|
${GRAY}--upload${NORMAL} : Upload data to central node
|
|
|
|
More options available. Run '$0 show options', or use the man page.
|
|
|
|
|
|
"
|
|
|
|
if [ ${WRONGOPTION} -eq 1 ]; then
|
|
echo " ${RED}Error${NORMAL}: ${WHITE}Invalid option '${WRONGOPTION_value}'${NORMAL}"
|
|
else
|
|
if [ ${VIEWHELP} -eq 0 ]; then
|
|
echo " ${RED}No command provided.${WHITE} Exiting..${NORMAL}"
|
|
echo ""
|
|
fi
|
|
fi
|
|
echo ""
|
|
# Cleanup PID file if we drop out earlier
|
|
RemovePIDFile
|
|
# Exit with exit code 1
|
|
exit 64
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
if [ ${PRIVILEGED} -eq 0 -a ${CHECK} -eq 1 -a ${QUIET} -eq 0 ]; then
|
|
printf "%s" "${WHITE}
|
|
###################################################################
|
|
# #
|
|
# ${PURPLE}NON-PRIVILEGED SCAN MODE${WHITE} #
|
|
# #
|
|
###################################################################
|
|
${NORMAL}
|
|
${YELLOW}NOTES:${NORMAL}
|
|
--------------
|
|
${WHITE}*${NORMAL} Some tests will be skipped (as they require root permissions)
|
|
${WHITE}*${NORMAL} Some tests might fail silently or give different results
|
|
|
|
"
|
|
sleep 3
|
|
if [ -z "${LOGFILE}" -o "${LOGFILE}" = "/dev/null" ]; then
|
|
printf "%s" "
|
|
${RED}WARNING:${NORMAL}
|
|
${WHITE}*${NORMAL} No suggestions or warnings will be displayed in report (due to missing log file)"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# OS Detection
|
|
#
|
|
#################################################################################
|
|
#
|
|
SafePerms ${INCLUDEDIR}/osdetection
|
|
. ${INCLUDEDIR}/osdetection
|
|
Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN
|
|
|
|
# Check hostname
|
|
case ${OS} in
|
|
HP-UX)
|
|
HOSTNAME=$(hostname) ;;
|
|
Solaris)
|
|
HOSTNAME=$(uname -n) ;;
|
|
*)
|
|
HOSTNAME=$(hostname -s 2> /dev/null) ;;
|
|
esac
|
|
if [ -z "${HOSTNAME}" ]; then
|
|
HOSTNAME=$(hostname 2> /dev/null)
|
|
if [ -z "${HOSTNAME}" ]; then HOSTNAME="no-hostname"; fi
|
|
fi
|
|
FQDN=$(hostname 2> /dev/null)
|
|
if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
|
|
FQDN=$(hostname -f 2> /dev/null)
|
|
fi
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Clear log and report files
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Clear log file and test if it's writable
|
|
CDATE=$(date "+%Y-%m-%d %H:%M:%S")
|
|
if [ ${LOGTEXT} -eq 1 ]; then echo "${CDATE} Starting ${PROGRAM_NAME} ${PROGRAM_VERSION} with PID ${OURPID}, build date ${PROGRAM_RELEASE_DATE}" > ${LOGFILE}; fi
|
|
if [ $? -gt 0 ]; then
|
|
Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result "${STATUS_WARNING}" --color RED
|
|
echo "${WARNING}Fatal error${NORMAL}: problem while writing to log file. Check location and permissions."
|
|
RemovePIDFile
|
|
exit 1
|
|
fi
|
|
LogTextBreak
|
|
LogText "### ${PROGRAM_COPYRIGHT} ###"
|
|
|
|
# Clear report file (to avoid appending to an existing file)
|
|
if [ ${CREATE_REPORT_FILE} -eq 1 ]; then echo "# ${PROGRAM_NAME} Report" > ${REPORTFILE}; fi
|
|
Report "report_version_major=${REPORT_version_major}"
|
|
Report "report_version_minor=${REPORT_version_minor}"
|
|
CDATE=$(date "+%F %H:%M:%S")
|
|
Report "report_datetime_start=${CDATE}"
|
|
Report "auditor=${AUDITORNAME}"
|
|
Report "lynis_version=${PROGRAM_VERSION}"
|
|
Report "os=${OS}"
|
|
Report "os_name=${OS_NAME}"
|
|
Report "os_fullname=${OS_FULLNAME}"
|
|
Report "os_version=${OS_VERSION}"
|
|
if [ "${OS}" = "Linux" ]; then Report "linux_version=${LINUX_VERSION}"; fi
|
|
if [ -n "${OS_KERNELVERSION}" ]; then Report "os_kernel_version=${OS_KERNELVERSION}"; fi
|
|
if [ -n "${OS_KERNELVERSION_FULL}" ]; then Report "os_kernel_version_full=${OS_KERNELVERSION_FULL}"; fi
|
|
|
|
Report "hostname=${HOSTNAME}"
|
|
|
|
if [ -z "${HOSTNAME}" ]; then
|
|
HOSTNAME="no-hostname"
|
|
LogText "Info: could not find a hostname, using 'no-hostname' instead"
|
|
ReportSuggestion "LYNIS" "Check your hostname configuration" "hostname -s"
|
|
fi
|
|
Report "test_category=${TEST_CATEGORY_TO_CHECK}"
|
|
Report "test_group=${TEST_GROUP_TO_CHECK}"
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Read profile, set code checks, define language
|
|
#
|
|
#################################################################################
|
|
#
|
|
ParseProfiles
|
|
|
|
# Define if we keep working in strict mode (development)
|
|
if [ ${SET_STRICT} -eq 0 ]; then
|
|
set +u # Allow uninitialized variables
|
|
else
|
|
set -u # Do not allow uninitialized variables
|
|
fi
|
|
|
|
# Import a different language when configured
|
|
if [ ! "${LANGUAGE}" = "en" ]; then
|
|
LogText "Language is set to ${LANGUAGE}"
|
|
Display --indent 2 --text "- Detecting language and localization" --result "${LANGUAGE}" --color WHITE
|
|
if [ ! -f ${DBDIR}/languages/${LANGUAGE} ]; then
|
|
Display --indent 4 --text "${YELLOW}Notice:${NORMAL} no language file found for '${LANGUAGE}' (tried: ${DBDIR}/languages/${LANGUAGE})"
|
|
if IsDeveloperVersion; then Display --indent 4 --text "See https://github.com/CISOfy/lynis-sdk/blob/master/documentation/10-translations.md for more details to help translate Lynis"; fi
|
|
sleep 5
|
|
else
|
|
if SafeFile "${DBDIR}/languages/${LANGUAGE}"; then
|
|
LogText "Importing language file (${DBDIR}/languages/${LANGUAGE})"
|
|
. ${DBDIR}/languages/${LANGUAGE}
|
|
# Check for missing translations if we are a pre-release or less than a week old
|
|
if grep -E -q -s "^#" ${DBDIR}/languages/${LANGUAGE}; then
|
|
TIME_DIFFERENCE_CHECK=604800 # 1 week
|
|
RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
|
|
if IsDeveloperVersion || [ ${NOW} -lt ${RELEASE_PLUS_TIMEDIFF} ]; then
|
|
Display --indent 4 --text "Translation file (db/languages/${LANGUAGE}) needs an update" --result "OUTDATED" --color RED
|
|
Display --indent 4 --text "======================================================================="
|
|
Display --indent 4 --text "Help other users and translate the missing lines:"
|
|
Display --indent 4 --text "1) Go to: https://github.com/CISOfy/lynis/edit/master/db/languages/${LANGUAGE}"
|
|
Display --indent 4 --text "2) Translate (some of) the lines starting with a hash (#) and remove the leading hash"
|
|
Display --indent 4 --text "3) Commit the changes"
|
|
Display --indent 4 --text "Thank you!"
|
|
Display --indent 4 --text "Note: no lines with a hash? Look if the file recently has been changed by another translator."
|
|
Display --indent 4 --text "======================================================================="
|
|
sleep 30
|
|
fi
|
|
fi
|
|
else
|
|
LogText "Could not import language file due to incorrect permissions"
|
|
fi
|
|
|
|
fi
|
|
fi
|
|
LogTextBreak
|
|
|
|
# Pre-execution tests
|
|
if [ ${UPLOAD_DATA} -eq 1 -a -z "${LICENSE_KEY}" ]; then DisplayError "${ERROR_NO_LICENSE}" 64; fi
|
|
if [ ${UPLOAD_DATA} -eq 1 -a -z "${UPLOAD_SERVER}" ]; then DisplayError "${ERROR_NO_UPLOAD_SERVER}" 64; fi
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Plugins
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Plugin directory test
|
|
if [ -z "${PLUGINDIR}" ]; then
|
|
#LogText "Result: Searching for plugindir"
|
|
tPLUGIN_TARGETS="/usr/local/lynis/plugins /usr/local/share/lynis/plugins /usr/share/lynis/plugins /etc/lynis/plugins ./plugins"
|
|
for DIR in ${tPLUGIN_TARGETS}; do
|
|
if [ -d ${DIR} -a -z "${PLUGINDIR}" ]; then
|
|
PLUGINDIR=${DIR}
|
|
Debug "Result: found plugindir ${PLUGINDIR}"
|
|
fi
|
|
done
|
|
else
|
|
Debug "Plugin was already set before to ${PLUGINDIR} (most likely via program argument or profile)"
|
|
fi
|
|
|
|
# Drop out if our plugin directory can't be found
|
|
if [ -z "${PLUGINDIR}" -o ! -d ${PLUGINDIR} ]; then
|
|
echo "Fatal error: can't find plugin directory ${PLUGINDIR}"
|
|
echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
|
|
exit 1
|
|
fi
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Show program information to display
|
|
#
|
|
#################################################################################
|
|
#
|
|
if [ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]; then
|
|
echo ""
|
|
echo " ---------------------------------------------------"
|
|
echo " Program version: ${PROGRAM_VERSION}"
|
|
echo " Operating system: ${OS}"
|
|
echo " Operating system name: ${OS_NAME}"
|
|
echo " Operating system version: ${OS_VERSION}"
|
|
LogText "EOL check: ${EOL}"
|
|
if [ ${EOL} -eq 1 ]; then
|
|
echo " End-of-life: ${WARNING}YES${NORMAL}"
|
|
ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked end-of-life as of ${EOL_DATE}"
|
|
elif [ ${EOL} -eq 255 ]; then
|
|
# TODO - mark as item where community can provide help
|
|
LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?"
|
|
fi
|
|
|
|
if [ -n "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
|
|
echo " Kernel version: ${OS_KERNELVERSION}"
|
|
echo " Hardware platform: ${HARDWARE}"
|
|
echo " Hostname: ${HOSTNAME}"
|
|
echo " ---------------------------------------------------"
|
|
echo " Profiles: ${PROFILES}"
|
|
echo " Log file: ${LOGFILE}"
|
|
echo " Report file: ${REPORTFILE}"
|
|
echo " Report version: ${REPORT_version}"
|
|
echo " Plugin directory: ${PLUGINDIR}"
|
|
echo " ---------------------------------------------------"
|
|
echo " Auditor: ${AUDITORNAME}"
|
|
echo " Language: ${LANGUAGE}"
|
|
echo " Test category: ${TEST_CATEGORY_TO_CHECK}"
|
|
echo " Test group: ${TEST_GROUP_TO_CHECK}"
|
|
if [ ! "${ROOTDIR}" = "/" ]; then echo " Root directory (custom): ${ROOTDIR}"; fi
|
|
echo " ---------------------------------------------------"
|
|
fi
|
|
|
|
LogText "Program version: ${PROGRAM_VERSION}"
|
|
LogText "Operating system: ${OS}"
|
|
LogText "Operating system name: ${OS_NAME}"
|
|
LogText "Operating system version: ${OS_VERSION}"
|
|
if [ -n "${OS_MODE}" ]; then LogText "Operating system mode: ${OS_MODE}"; fi
|
|
LogText "Kernel version: ${OS_KERNELVERSION}"
|
|
if [ -n "${OS_KERNELVERSION_FULL}" ]; then
|
|
LogText "Kernel version (full): ${OS_KERNELVERSION_FULL}"
|
|
fi
|
|
LogText "Hardware platform: ${HARDWARE}"
|
|
LogText "-----------------------------------------------------"
|
|
LogText "Hostname: ${HOSTNAME}"
|
|
LogText "Auditor: ${AUDITORNAME}"
|
|
LogText "Profiles: ${PROFILES}"
|
|
LogText "Work directory: ${WORKDIR}"
|
|
LogText "Include directory: ${INCLUDEDIR}"
|
|
LogText "Plugin directory: ${PLUGINDIR}"
|
|
LogText "-----------------------------------------------------"
|
|
LogText "Log file: ${LOGFILE}"
|
|
LogText "Report file: ${REPORTFILE}"
|
|
LogText "Report version: ${REPORT_version}"
|
|
LogText "-----------------------------------------------------"
|
|
LogText "Test category: ${TEST_CATEGORY_TO_CHECK}"
|
|
LogText "Test group: ${TEST_GROUP_TO_CHECK}"
|
|
LogText "BusyBox used: ${SHELL_IS_BUSYBOX}"
|
|
|
|
Report "plugin_directory=${PLUGINDIR}"
|
|
|
|
LogTextBreak
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Check for program update (and friendly force people to upgrade)
|
|
#
|
|
#################################################################################
|
|
#
|
|
LogText "Test: Checking for program update..."
|
|
UPDATE_AVAILABLE=0
|
|
|
|
if [ ${SKIP_UPGRADE_TEST} -eq 1 ]; then
|
|
LogText "Upgrade test skipped due profile option set (skip_upgrade_test)"
|
|
PROGRAM_LV="${PROGRAM_AC}"
|
|
else
|
|
CheckUpdates
|
|
fi
|
|
|
|
if [ -z "${PROGRAM_AC}" -o -z "${PROGRAM_LV}" ]; then
|
|
Display --indent 2 --text "- Program update status... " --result "${STATUS_UNKNOWN}" --color YELLOW
|
|
LogText "Result: Update check failed. No network connection?"
|
|
LogText "Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record)."
|
|
# Set both to safe values
|
|
PROGRAM_AC=0; PROGRAM_LV=0
|
|
else
|
|
LogText "Current installed version : ${PROGRAM_AC}"
|
|
LogText "Latest stable version : ${PROGRAM_LV}"
|
|
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
|
|
# Check if current version is REALLY outdated (10 versions ago)
|
|
PROGRAM_MINVERSION=$((PROGRAM_LV - 10))
|
|
LogText "Minimum required version : ${PROGRAM_MINVERSION}"
|
|
if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
|
|
Display --indent 2 --text "- Program update status... " --result "${STATUS_WARNING}" --color RED
|
|
LogText "Result: This version is VERY outdated. Newer ${PROGRAM_NAME} release available!"
|
|
ReportWarning "LYNIS" "Version of Lynis is very old and should be updated"
|
|
Report "lynis_update_available=1"
|
|
UPDATE_AVAILABLE=1
|
|
else
|
|
Display --indent 2 --text "- Program update status... " --result "${STATUS_UPDATE_AVAILABLE}" --color YELLOW
|
|
LogText "Result: newer ${PROGRAM_NAME} release available!"
|
|
ReportSuggestion "LYNIS" "Version of Lynis outdated, consider upgrading to the latest version"
|
|
Report "lynis_update_available=1"
|
|
UPDATE_AVAILABLE=1
|
|
fi
|
|
else
|
|
if [ ${UPDATE_CHECK_SKIPPED} -eq 0 ]; then
|
|
Display --indent 2 --text "- Program update status... " --result "${STATUS_NO_UPDATE}" --color GREEN
|
|
LogText "No ${PROGRAM_NAME} update available."
|
|
Report "lynis_update_available=0"
|
|
else
|
|
Display --indent 2 --text "- Program update status... " --result "${STATUS_SKIPPED}" --color YELLOW
|
|
LogText "Update check skipped due to constraints (e.g. missing dig binary)"
|
|
Report "lynis_update_available=-1"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# Test for older releases, without testing via update mechanism
|
|
if [ "${OS}" = "Solaris" ]; then
|
|
NOW=$(nawk 'BEGIN{print srand()}')
|
|
else
|
|
NOW=$(date "+%s")
|
|
fi
|
|
|
|
OLD_RELEASE=0
|
|
TIME_DIFFERENCE_CHECK=10368000 # 4 months
|
|
RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
|
|
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
|
|
# Show if release is old, only if we didn't show it with normal update check
|
|
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
|
|
ReportSuggestion "LYNIS" "This release is more than 4 months old. Check the website or GitHub to see if there is an update available."
|
|
fi
|
|
OLD_RELEASE=1
|
|
fi
|
|
|
|
# Show on screen message if release is very outdated (unless --quiet/--silent is used)
|
|
if [ ${UPDATE_AVAILABLE} -eq 1 -a ${QUIET} -eq 0 ]; then
|
|
echo ""
|
|
echo " ==============================================================================="
|
|
echo " ${CYAN}${PROGRAM_NAME} ${TEXT_UPDATE_AVAILABLE}${NORMAL}"
|
|
echo " ==============================================================================="
|
|
echo ""
|
|
if [ ${OLD_RELEASE} -eq 1 ]; then
|
|
echo " ${YELLOW}Current version is more than 4 months old${NORMAL}"
|
|
echo ""
|
|
fi
|
|
if [ ${PROGRAM_LV} -gt 0 ]; then
|
|
echo " Current version : ${YELLOW}${PROGRAM_AC}${NORMAL} Latest version : ${GREEN}${PROGRAM_LV}${NORMAL}"
|
|
echo ""
|
|
fi
|
|
echo " ${WHITE}Please update to the latest version.${NORMAL}"
|
|
echo " New releases include additional features, bug fixes, tests, and baselines.${NORMAL}"
|
|
echo ""
|
|
echo " Download the latest version:"
|
|
echo ""
|
|
echo " Packages (DEB/RPM) - https://packages.cisofy.com"
|
|
echo " Website (TAR) - https://cisofy.com/downloads/"
|
|
echo " GitHub (source) - https://github.com/CISOfy/lynis"
|
|
echo ""
|
|
echo " ==============================================================================="
|
|
echo ""
|
|
sleep 5
|
|
fi
|
|
|
|
LogTextBreak
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Check which binaries are available to the scanning process
|
|
if [ -f ${INCLUDEDIR}/binaries ]; then
|
|
SafePerms ${INCLUDEDIR}/binaries
|
|
. ${INCLUDEDIR}/binaries
|
|
fi
|
|
LogTextBreak
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test if we have a package manager available by testing for a dummy package (should not exist)
|
|
if PackageIsInstalled "__dummy__"; then
|
|
HAS_PACKAGE_MANAGER=1
|
|
LogText "Informational: package manager is used"
|
|
else
|
|
LogText "Informational: no known package manager for this system"
|
|
fi
|
|
|
|
# Use hardware detection capabilities
|
|
IsVirtualMachine
|
|
if IsContainer; then
|
|
LogText "Result: ${PROGRAM_NAME} is running in container (${CONTAINER_TYPE})"
|
|
Report "container=1"
|
|
Report "container_type=${CONTAINER_TYPE}"
|
|
else
|
|
LogText "Result: ${PROGRAM_NAME} is not running in container"
|
|
Report "container=0"
|
|
fi
|
|
IsNotebook
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Check for systemd active
|
|
if [ -d /run/systemd/system ]; then
|
|
LogText "Result: system is using systemd"
|
|
HAS_SYSTEMD=1
|
|
Report "systemd=1"
|
|
else
|
|
LogText "Result: systemd not found"
|
|
HAS_SYSTEMD=0
|
|
Report "systemd=0"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
if IsVerbose; then
|
|
InsertSection "${SECTION_PROGRAM_DETAILS}"
|
|
Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "${STATUS_YES}" --color GREEN
|
|
if IsDebug; then
|
|
Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_YES}" --color GREEN
|
|
else
|
|
Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_NO}" --color RED
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Plugins
|
|
if [ ${SKIP_PLUGINS} -eq 0 ]; then
|
|
|
|
N_PLUGIN=0
|
|
N_PLUGIN_ENABLED=0
|
|
|
|
# Plugins function
|
|
RunPlugins() {
|
|
if [ $# -eq 0 ]; then echo "RunPlugins should be started with phase number"; ExitFatal; fi
|
|
PLUGIN_PHASE=$1
|
|
if [ ${PLUGIN_PHASE} -eq 0 -o ${PLUGIN_PHASE} -gt 2 ]; then echo "Incorrect phase number when calling RunPlugins"; ExitFatal; fi
|
|
LogTextBreak
|
|
InsertPluginSection "Plugins (${GEN_PHASE} ${PLUGIN_PHASE})"
|
|
if [ ${PLUGIN_PHASE} -eq 1 ]; then
|
|
Display --text "${NOTE_PLUGINS_TAKE_TIME}"
|
|
Display --text " "
|
|
LogText "Searching plugins..."
|
|
fi
|
|
|
|
# Search plugins
|
|
FIND_PLUGINS=$(find ${PLUGINDIR} -type f -name "plugin_[a-z]*_phase${PLUGIN_PHASE}" | sort)
|
|
for PLUGIN_FILE in ${FIND_PLUGINS}; do
|
|
LogText "Found plugin file: ${PLUGIN_FILE}"
|
|
# Double check if output is a valid file name
|
|
if [ -f ${PLUGIN_FILE} ]; then
|
|
FIND2=$(grep "^# PLUGIN_NAME=" ${PLUGIN_FILE} | awk -F= '{ print $2 }')
|
|
if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then
|
|
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN=$((N_PLUGIN + 1)); fi
|
|
# Check if the plugin is enabled in any of the profiles
|
|
PLUGIN_ENABLED_STATE=0
|
|
for PROFILE in ${PROFILES}; do
|
|
LogText "Action: checking plugin status in profile: ${PROFILE}"
|
|
FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
|
|
if [ -n "${FIND3}" ]; then
|
|
FOUND=0
|
|
for I in ${DISABLED_PLUGINS}; do
|
|
if [ "${I}" = "${FIND2}" ]; then
|
|
FOUND=1
|
|
LogText "Result: plugin ${FIND2} is specifically disabled"
|
|
fi
|
|
done
|
|
if [ ${FOUND} -eq 0 ]; then
|
|
LogText "Result: plugin enabled in profile (${PROFILE})"
|
|
PLUGIN_ENABLED_STATE=1
|
|
fi
|
|
fi
|
|
done
|
|
if [ ${PLUGIN_ENABLED_STATE} -eq 1 ]; then
|
|
LogText "Result: plugin ${FIND2} is enabled"
|
|
PLUGINFILE="${PLUGINDIR}/plugin_${FIND2}_phase${PLUGIN_PHASE}"
|
|
if [ -f ${PLUGINFILE} ]; then
|
|
PLUGIN_VERSION=$(grep "^# PLUGIN_VERSION=" ${PLUGIN_FILE} | awk -F= '{ print $2 }')
|
|
PLUGIN_VERSION_NODOTS=$(echo ${PLUGIN_VERSION} | sed 's/.//g')
|
|
if SafePerms ${PLUGINFILE}; then
|
|
LogText "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})"
|
|
Report "plugin_enabled_phase${PLUGIN_PHASE}[]=${FIND2}|${PLUGIN_VERSION}|"
|
|
if [ ${PLUGIN_PHASE} -eq 1 ]; then N_PLUGIN_ENABLED=$((N_PLUGIN_ENABLED + 1)); fi
|
|
Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}"
|
|
if [ ${PLUGIN_PHASE} -eq 1 ]; then Progress " ["; fi
|
|
. ${PLUGINFILE}
|
|
if [ ${PLUGIN_PHASE} -eq 1 ]; then Progress "]"; Progress --finish; fi
|
|
LogTextBreak
|
|
LogText "Result: ${FIND2} plugin (phase ${PLUGIN_PHASE}) finished"
|
|
else
|
|
LogText "Plugin ${FIND2}: Skipped (bad file permissions, should be 644, 640, 600 or 400)"
|
|
fi
|
|
else
|
|
LogText "Plugin ${FIND2}: Skipped for phase ${PLUGIN_PHASE} (no file found: ${PLUGINFILE})"
|
|
fi
|
|
else
|
|
LogText "Plugin ${FIND2}: Skipped (not enabled)"
|
|
fi
|
|
else
|
|
LogText "Skipping plugin file ${PLUGIN_FILE} (no valid plugin name found)"
|
|
fi
|
|
fi
|
|
LogText "--"
|
|
done
|
|
LogText "Result: Found ${N_PLUGIN} plugins of which ${N_PLUGIN_ENABLED} are enabled"
|
|
LogText "Result: Plugins phase ${PLUGIN_PHASE} finished"
|
|
}
|
|
RunPlugins 1
|
|
|
|
if [ ${N_PLUGIN_ENABLED} -eq 0 ]; then
|
|
Display --indent 2 --text "- ${GEN_PLUGINS_ENABLED}" --result "${STATUS_NONE}" --color WHITE
|
|
Report "plugins_enabled=0"
|
|
else
|
|
Report "plugins_enabled=1"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Get host ID
|
|
LogTextBreak
|
|
GetHostID
|
|
LogText "hostid-generation: method ${HOSTID_GEN}"
|
|
LogText "hostid2-generation: method ${HOSTID2_GEN}"
|
|
# Check if result is not empty (no blank, or hash of blank value, or minus, or zeros)
|
|
case ${HOSTID} in
|
|
"" | "-" | "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" | "6ef1338f520d075957424741d7ed35ab5966ae97")
|
|
LogText "Info: no HostID found or invalid one"
|
|
;;
|
|
*)
|
|
LogText "Info: HostID ${HOSTID} looks to be valid"
|
|
Report "hostid=${HOSTID}"
|
|
;;
|
|
esac
|
|
|
|
if [ -n "${HOSTID2}" ]; then
|
|
Report "hostid2=${HOSTID2}"
|
|
fi
|
|
if [ -n "${MACHINEID}" ]; then
|
|
LogText "Info: found a machine ID ${MACHINEID}"
|
|
Report "machineid=${MACHINEID}"
|
|
else
|
|
LogText "Info: no machine ID found"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
if [ ${RUN_TESTS} -eq 1 ]; then
|
|
|
|
LogTextBreak
|
|
# Test sections
|
|
if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
|
|
LogText "Info: perform tests from all categories"
|
|
|
|
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
|
|
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
|
|
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
|
|
insecure_services banners scheduling accounting time crypto virtualization containers \
|
|
mac_frameworks file_integrity tooling malware file_permissions homedirs \
|
|
kernel_hardening hardening"
|
|
else
|
|
INCLUDE_TESTS="${TEST_GROUP_TO_CHECK}"
|
|
LogText "Info: only performing tests from groups: ${TEST_GROUP_TO_CHECK}"
|
|
fi
|
|
|
|
# Include available tests
|
|
for INCLUDE_TEST in ${INCLUDE_TESTS}; do
|
|
INCLUDE_FILE="${INCLUDEDIR}/tests_${INCLUDE_TEST}"
|
|
if [ -f ${INCLUDE_FILE} ]; then
|
|
if SafeFile ${INCLUDE_FILE}; then
|
|
. ${INCLUDE_FILE}
|
|
else
|
|
LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
|
|
ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
|
|
# Insert a section and warn user also on screen
|
|
InsertSection "${SECTION_GENERAL}"
|
|
Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "${STATUS_SKIPPED}" --color RED
|
|
fi
|
|
else
|
|
echo "Error: Can't find file (category: ${INCLUDE_TEST})"
|
|
fi
|
|
done
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
if [ ${RUN_TESTS} -eq 1 ]; then
|
|
|
|
InsertSection "${SECTION_CUSTOM_TESTS}"
|
|
LogText "Test: Checking for tests_custom file"
|
|
# Custom tests
|
|
if [ -f ${INCLUDEDIR}/tests_custom ]; then
|
|
LogText "Result: tests_custom file found in include directory"
|
|
if SafePerms ${INCLUDEDIR}/tests_custom; then
|
|
Display --indent 2 --text "- Start custom tests... "
|
|
LogText "Result: file permissions fine, running custom tests"
|
|
. ${INCLUDEDIR}/tests_custom
|
|
else
|
|
LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
|
|
ReportWarning "NONE" "Invalid permissions on custom tests file"
|
|
Display --indent 2 --text "- Running custom tests... " --result "${STATUS_WARNING}" --color RED
|
|
fi
|
|
else
|
|
Display --indent 2 --text "- Running custom tests... " --result "${STATUS_NONE}" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Run helpers
|
|
#
|
|
#################################################################################
|
|
#
|
|
if [ ${RUN_HELPERS} -eq 1 ]; then
|
|
if [ ! "${HELPER}" = "" ]; then
|
|
LogText "Helper tool is $HELPER"
|
|
if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then
|
|
SafePerms ${INCLUDEDIR}/helper_${HELPER}
|
|
LogText "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}"
|
|
InsertPluginSection "Helper: ${HELPER}"
|
|
. ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS}
|
|
else
|
|
echo "Error, could not find helper"
|
|
fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Run phase 2 of plugins
|
|
#
|
|
#################################################################################
|
|
#
|
|
if [ ${SKIP_PLUGINS} -eq 0 ]; then
|
|
RunPlugins 2
|
|
if [ ${N_PLUGIN_ENABLED} -gt 1 ]; then
|
|
Display --indent 2 --text "- Plugins (phase 2)" --result "${STATUS_DONE}" --color GREEN
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Show test results overview
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Store total performed tests
|
|
Report "lynis_tests_done=${CTESTS_PERFORMED}"
|
|
CDATE=$(date "+%F %H:%M:%S")
|
|
Report "report_datetime_end=${CDATE}"
|
|
|
|
# Show report
|
|
if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi
|
|
|
|
# Show tool tips
|
|
if [ -f ${INCLUDEDIR}/tool_tips ]; then SafePerms ${INCLUDEDIR}/tool_tips; . ${INCLUDEDIR}/tool_tips; fi
|
|
|
|
LogText "================================================================================"
|
|
LogText "Tests performed: ${CTESTS_PERFORMED}"
|
|
LogText "Total tests: ${TOTAL_TESTS}"
|
|
LogText "Active plugins: ${N_PLUGIN_ENABLED}"
|
|
LogText "Total plugins: ${N_PLUGIN}"
|
|
LogText "================================================================================"
|
|
Report "tests_executed=${TESTS_EXECUTED}"
|
|
Report "tests_skipped=${TESTS_SKIPPED}"
|
|
Report "finish=true"
|
|
|
|
# Upload data
|
|
if [ ${UPLOAD_DATA} -eq 1 ]; then
|
|
if [ -f ${INCLUDEDIR}/data_upload ]; then
|
|
SafePerms ${INCLUDEDIR}/data_upload
|
|
. ${INCLUDEDIR}/data_upload
|
|
else
|
|
echo "Fatal error: can't find upload_data script"
|
|
fi
|
|
fi
|
|
|
|
LogText "${PROGRAM_NAME} ${PROGRAM_VERSION}"
|
|
LogText "${PROGRAM_COPYRIGHT}"
|
|
LogText "${PROGRAM_EXTRAINFO}"
|
|
LogText "Program ended successfully"
|
|
LogText "================================================================================"
|
|
|
|
# Tool tips
|
|
|
|
if [ ${QUIET} -eq 0 ]; then
|
|
|
|
if [ -z "${CUSTOM_PROFILE}" ]; then DisplayToolTip "Enhance ${PROGRAM_NAME} audits by adding your settings to custom.prf (see ${DEFAULT_PROFILE} for all settings)"; fi
|
|
fi
|
|
|
|
# Clean exit (Delete PID file)
|
|
if [ ${TOTAL_WARNINGS} -gt 0 ]; then
|
|
# Use exit code 78 if we found any warnings (and enabled)
|
|
if [ ${ERROR_ON_WARNINGS} -eq 1 ]; then
|
|
ExitCustom 78
|
|
else
|
|
ExitClean
|
|
fi
|
|
else
|
|
ExitClean
|
|
fi
|
|
|
|
# The End
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com
|