lynis/include/report
hlein b595cc0fb5 Various cleanups (#363)
* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
2017-03-06 07:41:21 +00:00

285 lines
15 KiB
Bash

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Report
#
#################################################################################
#
#
#################################################################################
#
# Hardening Index
# Define approximately how strong a machine has been hardened
#
#################################################################################
#
# If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
# Set color related to rating
if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}"
HIDESCRIPTION="System has not or a low amount been hardened"
fi
if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
HPCOLOR="${YELLOW}"
HIDESCRIPTION="System has been hardened, but could use additional hardening"
fi
if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be decent hardened"
fi
if [ ${HPINDEX} -gt 89 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be well hardened"
fi
case ${HPAOBLOCKS} in
0) HPBLOCKS="#"; HPEMPTY=" " ;;
1) HPBLOCKS="#"; HPEMPTY=" " ;;
2) HPBLOCKS="##"; HPEMPTY=" " ;;
3) HPBLOCKS="###"; HPEMPTY=" " ;;
4) HPBLOCKS="####"; HPEMPTY=" " ;;
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
6) HPBLOCKS="######"; HPEMPTY=" " ;;
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
8) HPBLOCKS="########"; HPEMPTY=" " ;;
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
12) HPBLOCKS="############"; HPEMPTY=" " ;;
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
16) HPBLOCKS="################"; HPEMPTY=" " ;;
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
20) HPBLOCKS="####################"; HPEMPTY="" ;;
esac
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
LogText "Hardening strength: ${HIDESCRIPTION}"
# Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================"
echo ""; echo " -[ ${WHITE}${PROGRAM_NAME} ${PROGRAM_VERSION} Results${NORMAL} ]-"
echo "";
if [ ${SHOW_REPORT} -eq 1 ]; then
LogTextBreak
#
#################################################################################
#
# Show test results overview
#
#################################################################################
#
if [ "${CONTROL_URL_PROTOCOL}" = "" ]; then CONTROL_URL_PROTOCOL="https"; fi
if [ "${CONTROL_URL_PREPEND}" = "" ]; then CONTROL_URL_PREPEND="cisofy.com/controls/"; fi
if [ "${CONTROL_URL_APPEND}" = "" ]; then CONTROL_URL_APPEND="/"; fi
if [ "${CUSTOM_URL_PROTOCOL}" = "" ]; then CUSTOM_URL_PROTOCOL="https"; fi
if [ "${CUSTOM_URL_PREPEND}" = "" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi
# Show warnings from logfile
SWARNINGS=$(${GREPBINARY} -i 'warning:' ${LOGFILE} | sed 's/ /!space!/g')
if [ -z "${SWARNINGS}" ]; then
echo " ${OK}Great, no warnings${NORMAL}"; echo ""
else
echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for WARNING in ${SWARNINGS}; do
SOLUTION=""
SHOWWARNING=$(echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^.* Warning: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
ADDLINK=$(echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^.* Warning: \(.*\)\[test://' | sed 's/\]\(.*\)]//')
DETAILS=$(echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^.* Warning: \(.*\)\[details://' | sed 's/\]\(.*\)]//')
SUGGESTION_PIECES=$(echo ${WARNING} | sed 's/\[/ [/g')
for PIECE in ${SUGGESTION_PIECES}; do
if [ -z "${SOLUTION}" ]; then
SEARCH=$(echo ${PIECE} | grep "^\[solution:")
if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi
fi
done
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${RED}!${NORMAL} ${SHOWWARNING}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
else
echo " ${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}"
fi
echo ""
done
fi
# Show suggestions from logfile
SSUGGESTIONS=$(grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g')
if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
else
echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do
SOLUTION=""
SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//')
DETAILS=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[details://' | sed 's/\]\(.*\)]//')
SUGGESTION_PIECES=$(echo ${SUGGESTION} | sed 's/\[/ [/g')
for PIECE in ${SUGGESTION_PIECES}; do
if [ -z "${SOLUTION}" ]; then
SEARCH=$(echo ${PIECE} | grep "^\[solution:")
if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi
fi
done
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
else
echo " ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
fi
echo ""
done
fi
# Show tip on how to continue (next steps)
if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then
echo " ${CYAN}Follow-up${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}"
echo " ${WHITE}-${NORMAL} Show details of a test (lynis show details TEST-ID)"
echo " ${WHITE}-${NORMAL} Check the logfile for all details (less ${LOGFILE})"
echo " ${WHITE}-${NORMAL} Read security controls texts (https://cisofy.com)"
if [ ${UPLOAD_DATA} -eq 0 ]; then echo " ${WHITE}-${NORMAL} Use --upload to upload data to central system (Lynis Enterprise users)"; fi
echo ""
fi
echo "================================================================================"
echo ""
echo " ${WHITE}Lynis security scan details${NORMAL}:"
echo ""
echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
if [ ${SKIP_PLUGINS} -eq 0 ]; then echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"; fi
echo ""
echo " ${WHITE}Components${NORMAL}:"
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then MALWARE="${GREEN}V"; else MALWARE="${RED}X"; fi
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then IDSIPS="${GREEN}V"; else IDSIPS="${RED}X"; fi
echo " - Firewall [${FIREWALL}${NORMAL}]"
#echo " - Integrity monitoring [${IDSIPS}${NORMAL}]"
#echo " - Intrusion software [${IDSIPS}${NORMAL}]"
echo " - Malware scanner [${MALWARE}${NORMAL}]"
echo ""
echo " ${SECTION}Lynis Modules${NORMAL}:"
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
else COMPLIANCE="${YELLOW}?";
fi
echo " - Compliance Status [${COMPLIANCE}${NORMAL}]"
echo " - Security Audit [${GREEN}V${NORMAL}]"
echo " - Vulnerability Scan [${GREEN}V${NORMAL}]"
echo ""
echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
echo " - Report data : ${WHITE}${REPORTFILE}${NORMAL}"
echo ""
echo "================================================================================"
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo " ${NOTICE}Notice: ${WHITE}${PROGRAM_NAME} ${GEN_UPDATE_AVAILABLE}${NORMAL}"
echo " ${GEN_CURRENT_VERSION} : ${WHITE}${PROGRAM_AC}${NORMAL} ${GEN_LATEST_VERSION} : ${WHITE}${PROGRAM_LV}${NORMAL}"
echo "================================================================================"
else
###########################################################################################
#
# Software quality program
# Only provide this hint when the tool is at the latest version
#
###########################################################################################
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
# Determine if the quality of the program can be increased by filtering out the exceptions
FIND=$(${GREPBINARY} "^exception" ${REPORTFILE})
if [ ! "${FIND}" = "" ]; then
echo ""
echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}"
echo " ${WHITE}${NOTE_EXCEPTIONS_FOUND_DETAILED}!${NORMAL}"
echo ""
echo " ${CYAN}${GEN_WHAT_TO_DO}:${NORMAL}"
echo " ${TEXT_YOU_CAN_HELP_LOGFILE} (${LOGFILE})."
echo " Go to https://cisofy.com/contact/ and send your file to the e-mail address listed"
echo ""
echo "================================================================================"
fi
fi
fi
# Display what tests are skipped in non-privileged scan for awareness
if [ ${PENTESTINGMODE} -eq 1 -a ! "${SKIPPED_TESTS_ROOTONLY}" = "" ]; then
echo ""
echo " ${PURPLE}${NOTE_SKIPPED_TESTS_NON_PRIVILEGED}${NORMAL}"
FIND=$(echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g')
# Split entries
FIND=$(echo ${FIND} | sed 's/====/ /g')
# Display found entries
for I in ${FIND}; do
J=$(echo ${I} | sed 's/:space:/ /g')
echo " ${J}"
done
echo ""
echo "================================================================================"
fi
echo ""
fi
fi
# Report data, even if it is not displayed on screen
Report "hardening_index=${HPINDEX}"
if [ ${QUIET} -eq 0 ]; then
echo " ${WHITE}${PROGRAM_NAME}${NORMAL} ${PROGRAM_VERSION}"
echo ""
echo " Auditing, system hardening, and compliance for UNIX-based systems"
echo " (Linux, macOS, BSD, and others)"
echo ""
echo " ${PROGRAM_COPYRIGHT}"
echo " ${WHITE}${PROGRAM_EXTRAINFO}${NORMAL}"
echo ""
echo "================================================================================"
fi
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com