mirror of
https://github.com/CISOfy/lynis.git
synced 2026-03-11 08:55:28 +00:00
* Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
285 lines
15 KiB
Bash
285 lines
15 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2017, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Report
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Hardening Index
|
|
# Define approximately how strong a machine has been hardened
|
|
#
|
|
#################################################################################
|
|
#
|
|
# If no hardening has been found, set value to 1
|
|
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
|
|
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
|
|
HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
|
|
# Set color related to rating
|
|
if [ ${HPINDEX} -lt 50 ]; then
|
|
HPCOLOR="${RED}"
|
|
HIDESCRIPTION="System has not or a low amount been hardened"
|
|
fi
|
|
if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
|
|
HPCOLOR="${YELLOW}"
|
|
HIDESCRIPTION="System has been hardened, but could use additional hardening"
|
|
fi
|
|
if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
|
|
HPCOLOR="${GREEN}"
|
|
HIDESCRIPTION="System seem to be decent hardened"
|
|
fi
|
|
if [ ${HPINDEX} -gt 89 ]; then
|
|
HPCOLOR="${GREEN}"
|
|
HIDESCRIPTION="System seem to be well hardened"
|
|
fi
|
|
|
|
case ${HPAOBLOCKS} in
|
|
0) HPBLOCKS="#"; HPEMPTY=" " ;;
|
|
1) HPBLOCKS="#"; HPEMPTY=" " ;;
|
|
2) HPBLOCKS="##"; HPEMPTY=" " ;;
|
|
3) HPBLOCKS="###"; HPEMPTY=" " ;;
|
|
4) HPBLOCKS="####"; HPEMPTY=" " ;;
|
|
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
|
|
6) HPBLOCKS="######"; HPEMPTY=" " ;;
|
|
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
|
|
8) HPBLOCKS="########"; HPEMPTY=" " ;;
|
|
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
|
|
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
|
|
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
|
|
12) HPBLOCKS="############"; HPEMPTY=" " ;;
|
|
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
|
|
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
|
|
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
|
|
16) HPBLOCKS="################"; HPEMPTY=" " ;;
|
|
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
|
|
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
|
|
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
|
|
20) HPBLOCKS="####################"; HPEMPTY="" ;;
|
|
esac
|
|
|
|
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
|
|
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
|
|
LogText "Hardening strength: ${HIDESCRIPTION}"
|
|
|
|
|
|
# Only show overview if not running in quiet mode
|
|
if [ ${QUIET} -eq 0 ]; then
|
|
echo ""; echo "================================================================================"
|
|
echo ""; echo " -[ ${WHITE}${PROGRAM_NAME} ${PROGRAM_VERSION} Results${NORMAL} ]-"
|
|
echo "";
|
|
|
|
|
|
if [ ${SHOW_REPORT} -eq 1 ]; then
|
|
|
|
LogTextBreak
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Show test results overview
|
|
#
|
|
#################################################################################
|
|
#
|
|
if [ "${CONTROL_URL_PROTOCOL}" = "" ]; then CONTROL_URL_PROTOCOL="https"; fi
|
|
if [ "${CONTROL_URL_PREPEND}" = "" ]; then CONTROL_URL_PREPEND="cisofy.com/controls/"; fi
|
|
if [ "${CONTROL_URL_APPEND}" = "" ]; then CONTROL_URL_APPEND="/"; fi
|
|
if [ "${CUSTOM_URL_PROTOCOL}" = "" ]; then CUSTOM_URL_PROTOCOL="https"; fi
|
|
if [ "${CUSTOM_URL_PREPEND}" = "" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
|
|
if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi
|
|
|
|
# Show warnings from logfile
|
|
SWARNINGS=$(${GREPBINARY} -i 'warning:' ${LOGFILE} | sed 's/ /!space!/g')
|
|
if [ -z "${SWARNINGS}" ]; then
|
|
echo " ${OK}Great, no warnings${NORMAL}"; echo ""
|
|
else
|
|
echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
|
|
echo " ${WHITE}----------------------------${NORMAL}"
|
|
for WARNING in ${SWARNINGS}; do
|
|
SOLUTION=""
|
|
SHOWWARNING=$(echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^.* Warning: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
|
|
ADDLINK=$(echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^.* Warning: \(.*\)\[test://' | sed 's/\]\(.*\)]//')
|
|
DETAILS=$(echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^.* Warning: \(.*\)\[details://' | sed 's/\]\(.*\)]//')
|
|
SUGGESTION_PIECES=$(echo ${WARNING} | sed 's/\[/ [/g')
|
|
for PIECE in ${SUGGESTION_PIECES}; do
|
|
if [ -z "${SOLUTION}" ]; then
|
|
SEARCH=$(echo ${PIECE} | grep "^\[solution:")
|
|
if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi
|
|
fi
|
|
done
|
|
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
|
|
echo " ${RED}!${NORMAL} ${SHOWWARNING}"
|
|
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
|
|
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
|
|
if [ -z "${IS_CUSTOM}" ]; then
|
|
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
|
|
else
|
|
echo " ${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}"
|
|
fi
|
|
echo ""
|
|
done
|
|
fi
|
|
|
|
# Show suggestions from logfile
|
|
SSUGGESTIONS=$(grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g')
|
|
|
|
if [ "${SSUGGESTIONS}" = "" ]; then
|
|
echo " ${OK}No suggestions${NORMAL}"; echo ""
|
|
else
|
|
echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
|
|
echo " ${WHITE}----------------------------${NORMAL}"
|
|
for SUGGESTION in ${SSUGGESTIONS}; do
|
|
SOLUTION=""
|
|
SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
|
|
ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//')
|
|
DETAILS=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[details://' | sed 's/\]\(.*\)]//')
|
|
SUGGESTION_PIECES=$(echo ${SUGGESTION} | sed 's/\[/ [/g')
|
|
for PIECE in ${SUGGESTION_PIECES}; do
|
|
if [ -z "${SOLUTION}" ]; then
|
|
SEARCH=$(echo ${PIECE} | grep "^\[solution:")
|
|
if [ $? -eq 0 ]; then SOLUTION=$(echo ${SEARCH} | sed 's/!space!/ /g' | sed 's/solution://' | sed 's/text://' | tr -d '[]'); fi
|
|
fi
|
|
done
|
|
IS_CUSTOM=$(echo ${ADDLINK} | grep "^CUST")
|
|
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
|
|
if [ ! "${DETAILS}" = "-" -a ! -z "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
|
|
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
|
|
if [ -z "${IS_CUSTOM}" ]; then
|
|
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
|
|
else
|
|
echo " ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
|
|
fi
|
|
echo ""
|
|
done
|
|
fi
|
|
# Show tip on how to continue (next steps)
|
|
if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then
|
|
echo " ${CYAN}Follow-up${NORMAL}:"
|
|
echo " ${WHITE}----------------------------${NORMAL}"
|
|
echo " ${WHITE}-${NORMAL} Show details of a test (lynis show details TEST-ID)"
|
|
echo " ${WHITE}-${NORMAL} Check the logfile for all details (less ${LOGFILE})"
|
|
echo " ${WHITE}-${NORMAL} Read security controls texts (https://cisofy.com)"
|
|
if [ ${UPLOAD_DATA} -eq 0 ]; then echo " ${WHITE}-${NORMAL} Use --upload to upload data to central system (Lynis Enterprise users)"; fi
|
|
echo ""
|
|
fi
|
|
echo "================================================================================"
|
|
echo ""
|
|
echo " ${WHITE}Lynis security scan details${NORMAL}:"
|
|
echo ""
|
|
echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
|
|
echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
|
|
if [ ${SKIP_PLUGINS} -eq 0 ]; then echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"; fi
|
|
echo ""
|
|
echo " ${WHITE}Components${NORMAL}:"
|
|
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi
|
|
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then MALWARE="${GREEN}V"; else MALWARE="${RED}X"; fi
|
|
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then IDSIPS="${GREEN}V"; else IDSIPS="${RED}X"; fi
|
|
|
|
echo " - Firewall [${FIREWALL}${NORMAL}]"
|
|
#echo " - Integrity monitoring [${IDSIPS}${NORMAL}]"
|
|
#echo " - Intrusion software [${IDSIPS}${NORMAL}]"
|
|
echo " - Malware scanner [${MALWARE}${NORMAL}]"
|
|
|
|
echo ""
|
|
echo " ${SECTION}Lynis Modules${NORMAL}:"
|
|
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
|
|
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
|
|
else COMPLIANCE="${YELLOW}?";
|
|
fi
|
|
echo " - Compliance Status [${COMPLIANCE}${NORMAL}]"
|
|
echo " - Security Audit [${GREEN}V${NORMAL}]"
|
|
echo " - Vulnerability Scan [${GREEN}V${NORMAL}]"
|
|
echo ""
|
|
echo " ${SECTION}Files${NORMAL}:"
|
|
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
|
|
echo " - Report data : ${WHITE}${REPORTFILE}${NORMAL}"
|
|
echo ""
|
|
echo "================================================================================"
|
|
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
|
|
echo " ${NOTICE}Notice: ${WHITE}${PROGRAM_NAME} ${GEN_UPDATE_AVAILABLE}${NORMAL}"
|
|
echo " ${GEN_CURRENT_VERSION} : ${WHITE}${PROGRAM_AC}${NORMAL} ${GEN_LATEST_VERSION} : ${WHITE}${PROGRAM_LV}${NORMAL}"
|
|
echo "================================================================================"
|
|
else
|
|
###########################################################################################
|
|
#
|
|
# Software quality program
|
|
# Only provide this hint when the tool is at the latest version
|
|
#
|
|
###########################################################################################
|
|
|
|
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
|
|
# Determine if the quality of the program can be increased by filtering out the exceptions
|
|
FIND=$(${GREPBINARY} "^exception" ${REPORTFILE})
|
|
if [ ! "${FIND}" = "" ]; then
|
|
echo ""
|
|
echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}"
|
|
echo " ${WHITE}${NOTE_EXCEPTIONS_FOUND_DETAILED}!${NORMAL}"
|
|
echo ""
|
|
echo " ${CYAN}${GEN_WHAT_TO_DO}:${NORMAL}"
|
|
echo " ${TEXT_YOU_CAN_HELP_LOGFILE} (${LOGFILE})."
|
|
echo " Go to https://cisofy.com/contact/ and send your file to the e-mail address listed"
|
|
echo ""
|
|
echo "================================================================================"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# Display what tests are skipped in non-privileged scan for awareness
|
|
if [ ${PENTESTINGMODE} -eq 1 -a ! "${SKIPPED_TESTS_ROOTONLY}" = "" ]; then
|
|
echo ""
|
|
echo " ${PURPLE}${NOTE_SKIPPED_TESTS_NON_PRIVILEGED}${NORMAL}"
|
|
|
|
FIND=$(echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g')
|
|
# Split entries
|
|
FIND=$(echo ${FIND} | sed 's/====/ /g')
|
|
# Display found entries
|
|
for I in ${FIND}; do
|
|
J=$(echo ${I} | sed 's/:space:/ /g')
|
|
echo " ${J}"
|
|
done
|
|
echo ""
|
|
echo "================================================================================"
|
|
fi
|
|
|
|
echo ""
|
|
fi
|
|
|
|
fi
|
|
|
|
# Report data, even if it is not displayed on screen
|
|
Report "hardening_index=${HPINDEX}"
|
|
|
|
if [ ${QUIET} -eq 0 ]; then
|
|
echo " ${WHITE}${PROGRAM_NAME}${NORMAL} ${PROGRAM_VERSION}"
|
|
echo ""
|
|
echo " Auditing, system hardening, and compliance for UNIX-based systems"
|
|
echo " (Linux, macOS, BSD, and others)"
|
|
echo ""
|
|
echo " ${PROGRAM_COPYRIGHT}"
|
|
echo " ${WHITE}${PROGRAM_EXTRAINFO}${NORMAL}"
|
|
echo ""
|
|
echo "================================================================================"
|
|
fi
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|