#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Report # ################################################################################# # # ################################################################################# # # Hardening Index # Define approximately how strong a machine has been hardened # ################################################################################# # # If no hardening has been found, set value to 1 if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi HPINDEX=`expr $HPPOINTS \* 100 / $HPTOTAL` HPAOBLOCKS=`expr $HPPOINTS \* 20 / $HPTOTAL` # Set color related to rating if [ ${HPINDEX} -lt 50 ]; then HPCOLOR="${RED}" HIDESCRIPTION="System has not or a low amount been hardened" fi if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then HPCOLOR="${YELLOW}" HIDESCRIPTION="System has been hardened, but could use additional hardening" fi if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then HPCOLOR="${GREEN}" HIDESCRIPTION="System seem to be decent hardened" fi if [ ${HPINDEX} -gt 89 ]; then HPCOLOR="${GREEN}" HIDESCRIPTION="System seem to be well hardened" fi case ${HPAOBLOCKS} in 0) HPBLOCKS="#"; HPEMPTY=" " ;; 1) HPBLOCKS="#"; HPEMPTY=" " ;; 2) HPBLOCKS="##"; HPEMPTY=" " ;; 3) HPBLOCKS="###"; HPEMPTY=" " ;; 4) HPBLOCKS="####"; HPEMPTY=" " ;; 5) HPBLOCKS="#####"; HPEMPTY=" " ;; 6) HPBLOCKS="######"; HPEMPTY=" " ;; 7) HPBLOCKS="#######"; HPEMPTY=" " ;; 8) HPBLOCKS="########"; HPEMPTY=" " ;; 9) HPBLOCKS="#########"; HPEMPTY=" " ;; 10) HPBLOCKS="##########"; HPEMPTY=" " ;; 11) HPBLOCKS="###########"; HPEMPTY=" " ;; 12) HPBLOCKS="############"; HPEMPTY=" " ;; 13) HPBLOCKS="#############"; HPEMPTY=" " ;; 14) HPBLOCKS="##############"; HPEMPTY=" " ;; 15) HPBLOCKS="###############"; HPEMPTY=" " ;; 16) HPBLOCKS="################"; HPEMPTY=" " ;; 17) HPBLOCKS="#################"; HPEMPTY=" " ;; 18) HPBLOCKS="##################"; HPEMPTY=" " ;; 19) HPBLOCKS="###################"; HPEMPTY=" " ;; 20) HPBLOCKS="####################"; HPEMPTY="" ;; esac HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" logtext "Hardening strength: ${HIDESCRIPTION}" # Only show overview if not running in quiet mode if [ ${QUIET} -eq 0 ]; then echo ""; echo "================================================================================" echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-" echo ""; if [ ${SHOW_REPORT} -eq 1 ]; then logtextbreak # ################################################################################# # # Show test results overview # ################################################################################# # if [ "${CONTROL_URL_PREPEND}" = "" ]; then CONTROL_URL_PREPEND="https://cisofy.com/controls/"; fi if [ "${CONTROL_URL_APPEND}" = "" ]; then CONTROL_URL_APPEND="/"; fi if [ "${CUSTOM_URL_PREPEND}" = "" ]; then CUSTOM_URL_PREPEND="https://your-domain.example.org/controls/"; fi if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi # Show warnings from logfile SWARNINGS=`grep -i 'warning:' ${LOGFILE} | sed 's/ /!space!/g'` if [ "${SWARNINGS}" = "" ]; then echo " ${OK}No warnings${NORMAL}"; echo "" else echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):" echo " ${WHITE}----------------------------${NORMAL}" for WARNING in ${SWARNINGS}; do SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://'` ADDLINK=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: \(.*\)\[test://' | sed 's/\]\(.*\)]//'` IS_CUSTOM=`echo ${ADDLINK} | grep "^CUST"` echo " ${WHITE}- ${SHOWWARNING}${NORMAL}" if [ "${IS_CUSTOM}" = "" ]; then echo " ${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}" else echo " ${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}" fi echo "" done fi # Show suggestions from logfile SSUGGESTIONS=`grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g'` if [ "${SSUGGESTIONS}" = "" ]; then echo " ${OK}No suggestions${NORMAL}"; echo "" else echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):" echo " ${WHITE}----------------------------${NORMAL}" for SUGGESTION in ${SSUGGESTIONS}; do SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://'` ADDLINK=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//'` DETAILS=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: \(.*\)\[details://' | sed 's/\]\(.*\)]//'` IS_CUSTOM=`echo ${ADDLINK} | grep "^CUST"` echo " - ${SHOWSUGGESTION}" if [ ! "${DETAILS}" = "-" ]; then echo " - Details: ${DETAILS}"; fi if [ "${IS_CUSTOM}" = "" ]; then echo " ${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}" else echo " ${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}" fi done echo "" fi if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then echo " ${CYAN}Follow-up${NORMAL}:" echo " ${WHITE}----------------------------${NORMAL}" echo " ${WHITE}-${NORMAL} Check the logfile for more details (less $LOGFILE)" echo " ${WHITE}-${NORMAL} Read security controls texts (https://cisofy.com)" echo " ${WHITE}-${NORMAL} Use --upload to upload data (Lynis Enterprise users)" echo "" fi echo "================================================================================" echo "" echo " ${WHITE}Lynis security scan details${NORMAL}:" echo "" echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}" echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}" echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}" echo "" echo " ${WHITE}Quick overview${NORMAL}:" if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then MALWARE="${GREEN}V"; else MALWARE="${RED}X"; fi echo " - Firewall [${FIREWALL}${NORMAL}] - Malware scanner [${MALWARE}${NORMAL}]" echo "" echo " ${SECTION}Lynis Modules${NORMAL}:" if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi else COMPLIANCE="${YELLOW}NA"; fi echo " - Compliance Status [${COMPLIANCE}${NORMAL}]" echo " - Security Audit [${GREEN}V${NORMAL}]" echo " - Vulnerability Scan [${GREEN}V${NORMAL}]" echo "" echo " ${SECTION}Files${NORMAL}:" echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}" echo " - Report data : ${WHITE}${REPORTFILE}${NORMAL}" echo "" echo "================================================================================" if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then echo " ${NOTICE}Notice: ${WHITE}${PROGRAM_name} update available${NORMAL}" echo " Current version : ${WHITE}${PROGRAM_AC}${NORMAL} Latest version : ${WHITE}${PROGRAM_LV}${NORMAL}" echo "================================================================================" else ########################################################################################### # # Software quality program # Only provide this hint when the tool is at the latest version # ########################################################################################### if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then # Determine if the quality of the program can be increased by filtering out the exceptions FIND=`${GREPBINARY} "^exception" ${REPORTFILE}` if [ ! "${FIND}" = "" ]; then echo "" echo " ${RED}Exceptions found${NORMAL}" echo " ${WHITE}Some exceptional events or information was found!${NORMAL}" echo "" echo " ${CYAN}What to do:${NORMAL}" echo " You can help improving Lynis by providing your /var/log/lynis.log file." echo " Go to https://cisofy.com/contact/ and send your file to the e-mail address listed" echo "" echo "================================================================================" fi fi fi # Display what tests are skipped in non-privileged scan for awareness if [ ${PENTESTINGMODE} -eq 1 -a ! "${SKIPPED_TESTS_ROOTONLY}" = "" ]; then echo "" echo " ${PURPLE}Skipped tests due to non-privileged scan${NORMAL}" FIND=`echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g'` # Split entries FIND=`echo ${FIND} | sed 's/====/ /g'` # Display found entries for I in ${FIND}; do J=`echo ${I} | sed 's/:space:/ /g'` echo " ${J}" done echo "" echo "================================================================================" fi echo ""; echo "" fi fi # Report data, even if it is not displayed on screen report "hardening_index=${HPINDEX}" if [ ${QUIET} -eq 0 ]; then echo " ${PROGRAM_name} ${PROGRAM_version}" echo " Auditing, hardening and compliance for Linux, Mac OS and Unix systems" echo "" echo " ${PROGRAM_copyright}" echo " ${WHITE}${PROGRAM_extrainfo}${NORMAL}" echo "================================================================================" fi # #================================================================================ # Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com