mirror of https://github.com/CISOfy/lynis.git
406 lines
12 KiB
Bash
Executable File
406 lines
12 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
#########################################################################
|
|
#
|
|
# Builds Lynis distribution
|
|
#
|
|
# Usage: this script creates Lynis builds
|
|
#
|
|
# *** NOTE ***
|
|
# This script is not fully functional yet, several options like digital
|
|
# signing, RPM/DEB package creation are missing.
|
|
#
|
|
#########################################################################
|
|
#
|
|
# Options:
|
|
|
|
echo "[*] Activity [V] Successful [X] Error [=] Result"
|
|
echo ""
|
|
|
|
# Umask used when creating files/directories
|
|
OPTION_UMASK="027"
|
|
|
|
# Directory name used to create package related directories (like /usr/local/include/lynis)
|
|
OPTION_PACKAGE_DIRNAME="lynis"
|
|
|
|
# Binary to test
|
|
OPTION_BINARY_FILE="../lynis"
|
|
|
|
# Check number of parameters
|
|
if [ $# -eq 0 ]; then
|
|
echo "[X] This build tool needs at least a version number (--version). Use --help for all parameters."
|
|
exit 1
|
|
fi
|
|
|
|
# Check parameters
|
|
case $1 in
|
|
--help)
|
|
echo "Define version:"
|
|
echo "--version 1.2.3"
|
|
exit 1
|
|
;;
|
|
--version)
|
|
shift
|
|
LYNIS_VERSION=$1
|
|
;;
|
|
*)
|
|
echo "[X] Incorrect parameter"
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
#
|
|
#########################################################################
|
|
#
|
|
# Functions:
|
|
|
|
# Clean temporary files up
|
|
CleanUp()
|
|
{
|
|
if [ ! "${TMPDIR}" = "" -a -d "${TMPDIR}" ]; then
|
|
rm -rf ${TMPDIR}
|
|
fi
|
|
}
|
|
|
|
Exit()
|
|
{
|
|
CleanUp
|
|
exit 0
|
|
}
|
|
ExitFatal()
|
|
{
|
|
CleanUp
|
|
exit 1
|
|
}
|
|
#
|
|
#########################################################################
|
|
#
|
|
|
|
# Clean files up if we get interrupted
|
|
trap CleanUp INT
|
|
|
|
#
|
|
#########################################################################
|
|
#
|
|
MYUSER=$(whoami)
|
|
if [ "${MYUSER}" = "" ]; then
|
|
echo "[X] Could not determine user"
|
|
fi
|
|
if [ "${MYUSER}" = "root" ]; then
|
|
echo "[X] This script should not be executed as root"
|
|
fi
|
|
|
|
|
|
MYWORKDIR=$(pwd | awk -F / '{ for (i=1;i<=NF-2;i++){ printf $i"/" }; printf "\n"}' | sed 's./$..')
|
|
if [ ! -d ${MYWORKDIR} ]; then
|
|
echo "[X] Could not determine workdir (result: ${MYWORKDIR} seems invalid)"
|
|
ExitFatal
|
|
else
|
|
echo "[=] workdir: ${MYWORKDIR}"
|
|
fi
|
|
|
|
|
|
MYBUILDDIR="/home/${MYUSER}/lynis-build"
|
|
if [ ! -d ${MYBUILDDIR} ]; then
|
|
echo "[X] ${MYBUILDDIR} not found"
|
|
echo " Hint: create it with mkdir ${MYBUILDDIR}"
|
|
ExitFatal
|
|
else
|
|
echo "[=] builddir: ${MYBUILDDIR}"
|
|
fi
|
|
|
|
NEEDED_DIRS="debbuild rpmbuild rpmbuild/BUILD rpmbuild/BUILDROOT rpmbuild/RPMS rpmbuild/SOURCES rpmbuild/SRPMS"
|
|
for I in ${NEEDED_DIRS}; do
|
|
if [ ! -d "${MYBUILDDIR}/${I}" ]; then
|
|
echo "[X] Missing directory: ${MYBUILDDIR}/${I}"
|
|
echo " Hint: create subdirs with cd ${MYBUILDDIR} && mkdir -p ${NEEDED_DIRS}"
|
|
ExitFatal
|
|
fi
|
|
done
|
|
|
|
DEBWORKDIR="${MYBUILDDIR}/debbuild"
|
|
RPMWORKDIR="${MYBUILDDIR}/rpmbuild"
|
|
echo "[=] RPM workdir: ${RPMWORKDIR}"
|
|
#echo "Use: cd ${MYBUILDDIR} && mkdir rpm"
|
|
|
|
|
|
# Check binaries
|
|
|
|
GITBUILDPACKAGEBINARY=$(which git-buildpackage)
|
|
if [ ! "${GITBUILDPACKAGEBINARY}" = "" ]; then
|
|
echo "[=] git-buildpackage = ${GITBUILDPACKAGEBINARY}"
|
|
else
|
|
echo "[X] Can not find git-buildpackage binary"
|
|
echo " Hint: install git-buildpackage"
|
|
ExitFatal
|
|
fi
|
|
|
|
RPMBUILDBINARY=$(which rpmbuild)
|
|
if [ ! "${RPMBUILDBINARY}" = "" ]; then
|
|
echo "[=] rpmbuild = ${RPMBUILDBINARY}"
|
|
else
|
|
echo "[X] Can not find rpmbuild binary"
|
|
echo " Hint: install rpmbuild"
|
|
ExitFatal
|
|
fi
|
|
|
|
|
|
# Set umask
|
|
umask ${OPTION_UMASK}
|
|
if [ $? -eq 0 ]; then
|
|
echo "[V] Setting umask to ${OPTION_UMASK}"
|
|
else
|
|
echo "[X] Could not set umask"
|
|
ExitFatal
|
|
fi
|
|
|
|
# Check if we are in dev directory
|
|
if [ -f ../lynis -a -f ./build-lynis.sh ]; then
|
|
echo "[V] Active in proper directory"
|
|
else
|
|
echo "[X] This script should be executed from dev directory itself"
|
|
ExitFatal
|
|
fi
|
|
|
|
|
|
|
|
|
|
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
# Create temporary build directory
|
|
TMPDIR=$(mktemp -d /tmp/lynis-BUILDROOT.XXXXXX)
|
|
if [ $? -eq 0 ]; then
|
|
echo "[V] Creating temporary build directory"
|
|
#echo " BUILDROOT: ${TMPDIR}"
|
|
else
|
|
echo "[X] Could not create temporary build directory"
|
|
ExitFatal
|
|
fi
|
|
|
|
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
echo "[*] Starting with building tarball"
|
|
|
|
TARBALL="${MYBUILDDIR}/lynis_${LYNIS_VERSION}.orig.tar.gz"
|
|
#if [ -f ${TARBALL} ]; then
|
|
# echo "[X] Tarball already exists "
|
|
# echo " Hint: remove ${TARBALL}"
|
|
# ExitFatal
|
|
#fi
|
|
|
|
# Create tarball
|
|
|
|
if [ -f ${TARBALL} ]; then
|
|
echo "Tarball already exists for this version, not overwriting it"
|
|
else
|
|
tar -C ${MYWORKDIR} --exclude=debian --exclude=README.md --exclude=.bzr* --exclude=.git* -c -z -f ${TARBALL} lynis 2> /dev/null
|
|
if [ -f ${TARBALL} ]; then
|
|
echo "[V] Tarball created"
|
|
else
|
|
echo "[X] Tarball ${TARBALL} could not be created"
|
|
ExitFatal
|
|
fi
|
|
fi
|
|
|
|
TARBALL_MD5=$(md5sum ${TARBALL})
|
|
TARBALL_SHA1=$(sha1sum ${TARBALL})
|
|
|
|
echo "[*] Starting with RPM building process"
|
|
|
|
# RPM creation
|
|
SOURCEFILE_RPM="${RPMWORKDIR}/SOURCES/lynis-${LYNIS_VERSION}.tar.gz"
|
|
if [ -f ${SOURCEFILE_RPM} ]; then
|
|
if [ -f lynis.spec ]; then
|
|
# adjust version in spec file
|
|
VERSION_IN_SPECFILE=$(awk '/^Version:/ { print $2 }' lynis.spec)
|
|
echo "[=] Found version ${VERSION_IN_SPECFILE}"
|
|
if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
|
|
echo "[X] Version in specfile is outdated"
|
|
ExitFatal
|
|
fi
|
|
echo "[*] Start RPM building"
|
|
#${RPMBUILDBINARY} --quiet -ba -bl lynis.spec 2> /dev/null
|
|
else
|
|
echo "[X] lynis.spec not found"
|
|
ExitFatal
|
|
fi
|
|
|
|
RPMFILE="${RPMWORKDIR}/RPMS/noarch/lynis-${LYNIS_VERSION}-1.noarch.rpm"
|
|
if [ -f ${RPMFILE} ]; then
|
|
echo "[V] Building RPM successful!"
|
|
else
|
|
echo "[X] Could not find RPM file, most likely failed"
|
|
echo " Expected: ${RPMFILE}"
|
|
ExitFatal
|
|
fi
|
|
else
|
|
echo "[X] Could not find source file (${SOURCEFILE_RPM})"
|
|
echo " Hint: cp <lynis.tar.gz> ${SOURCEFILE_RPM}"
|
|
#ExitFatal
|
|
fi
|
|
|
|
echo "[*] Starting with DEB building process"
|
|
|
|
DEBCHANGELOGFULLVERSION=$(head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
|
|
DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
|
|
DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
|
|
if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
|
|
echo "[V] Debian/changelog up-to-date"
|
|
else
|
|
echo "[X] Debian/changelog outdated"
|
|
ExitFatal
|
|
fi
|
|
|
|
# BZRSTATUS=$(${BZRBINARY} status . 2>&1 > /dev/null; echo $?)
|
|
# if [ "${BZRSTATUS}" = "0" ]; then
|
|
# echo "[V] bzr has proper directory tree"
|
|
# DEBCHANGELOGFULLVERSION=$(head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
|
|
# DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
|
|
# DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
|
|
# echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})"
|
|
# if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
|
|
# echo "[V] Debian/changelog up-to-date"
|
|
# else
|
|
# echo "[X] Debian/changelog outdated"
|
|
## ExitFatal
|
|
# fi
|
|
# # execute command
|
|
# # bzr builddeb . --build-dir ${DEBWORKDIR}/build-area/ --result-dir ${DEBWORKDIR}
|
|
# elif [ "${BZRSTATUS}" = "3" ]; then
|
|
# echo "[X] Tree is not initialized for BZR"
|
|
# echo " Hint: run bzr init while being in lynis directory (or bzr init ..)"
|
|
# ExitFatal
|
|
# else
|
|
# echo "[X] Unknown error"
|
|
# echo "Output: ${BZRSTATUS}"
|
|
# fi
|
|
|
|
if [ ! -d ${MYBUILDDIR}/git ]; then
|
|
mkdir ${MYBUILDDIR}/git
|
|
fi
|
|
|
|
if [ -d ${MYBUILDDIR}/git/Lynis ]; then
|
|
echo "git clone already exists"
|
|
rm -rf ${MYBUILDDIR}/git/Lynis
|
|
#git checkout tags/${LYNIS_VERSION}
|
|
fi
|
|
git clone https://github.com/CISOfy/Lynis.git ${MYBUILDDIR}/git/Lynis
|
|
|
|
if [ -d ${MYBUILDDIR}/git/Lynis/debian/ ]; then
|
|
echo "Copying build files into new tree"
|
|
cp -R ../debian/* ${MYBUILDDIR}/git/Lynis/debian/
|
|
cd ${MYBUILDDIR}/git/Lynis/debian/
|
|
git add .
|
|
git commit -m "Building process for Lynis release version ${LYNIS_VERSION}"
|
|
else
|
|
echo "[X] Could not copy debian directory and commit changes"
|
|
fi
|
|
#git tag -l ${MYBUILDDIR}/git/Lynis
|
|
|
|
cd ..
|
|
echo "Executing: ${GITBUILDPACKAGEBINARY} --git-tarball-dir=${MYBUILDDIR} --git-export-dir=${DEBWORKDIR} --git-ignore-new"
|
|
${GITBUILDPACKAGEBINARY} -S --git-tarball-dir=${MYBUILDDIR} --git-export-dir=${DEBWORKDIR} --git-ignore-new
|
|
cd ${MYWORKDIR}
|
|
|
|
echo "[V] Done"
|
|
echo ""
|
|
echo "---------------------------------------------"
|
|
echo "RPM file: ${RPMFILE}"
|
|
echo "DEB file: ${DEBWORKDIR}/lynis_${LYNIS_VERSION}_amd64.deb"
|
|
echo "Tarball: ${TARBALL}"
|
|
echo "Tarball (SHA1): ${TARBALL_SHA1}"
|
|
echo ""
|
|
echo "Actions:"
|
|
echo " - Upload Debian package with dput (-f) my-ppa <source.changes>"
|
|
|
|
|
|
|
|
#=====================================================================
|
|
|
|
# Stop the script at this stage, rest is under development
|
|
Exit
|
|
|
|
#=====================================================================
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
# Test script for errors
|
|
echo -n "- Test Lynis script "
|
|
|
|
# Is file there?
|
|
if [ ! -f ${OPTION_BINARY_FILE} ]; then echo "BAD (can't find ${OPTION_BINARY_FILE})"; exit 1; fi
|
|
|
|
# Check script
|
|
FIND=$(sh -n ${OPTION_BINARY_FILE} ; echo $?)
|
|
if [ $FIND -eq 0 ]; then
|
|
echo "OK"
|
|
else
|
|
echo "BAD"
|
|
fi
|
|
|
|
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
# Create SHA1 hashes
|
|
echo -n "- Create SHA1 hashes "
|
|
SHA1HASH_LYNIS=$(grep -v '^#' ${OPTION_BINARY_FILE} | sha1)
|
|
echo "DONE"
|
|
echo " Lynis (SHA1): ${SHA1HASH_LYNIS}"
|
|
|
|
# Add hashes to script
|
|
echo -n "- Injecting SHA1 hash into Lynis script "
|
|
echo "-NOT DONE-"
|
|
|
|
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
echo -n "- Cleaning up OpenBSD package build... "
|
|
if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi
|
|
echo "DONE"
|
|
OPENBSD_CONTENTS="openbsd/+CONTENTS"
|
|
|
|
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
echo -n "- Creating MD5 hashes..."
|
|
PACKAGE_LIST_FILES=$(grep "^file:" files.dat | cut -d ':' -f3)
|
|
|
|
for I in ${PACKAGE_LIST_FILES}; do
|
|
|
|
echo -n "${I} "
|
|
#FULLNAME=$(grep ":file:include:" files.dat)
|
|
#echo "${FULLNAME}" >> ${OPENBSD_CONTENTS}
|
|
echo "${I}" >> ${OPENBSD_CONTENTS}
|
|
FILE="../${I}"
|
|
MD5HASH=$(md5 -q ${FILE})
|
|
echo "@md5 ${MD5HASH}" >> ${OPENBSD_CONTENTS}
|
|
echo "@size 0000" >> ${OPENBSD_CONTENTS}
|
|
done
|
|
echo ""
|
|
|
|
|
|
|
|
|
|
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
echo -n "- Cleaning up... "
|
|
|
|
# Exit cleanly
|
|
Exit
|
|
|
|
echo "DONE"
|
|
|
|
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
# The End!
|
|
|