#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Data upload
#
#################################################################################
#
    InsertSection "${SECTION_DATA_UPLOAD}"

    # Version of this uploader; it is sent to the license server as collector_version
    PROGRAM_VERSION="105"

    # Upload destination: default to the CISOfy portal when no server is configured.
    # The URL scheme is fixed to https.
    if [ -z "${UPLOAD_SERVER}" ]; then
        UPLOAD_SERVER="portal.cisofy.com"
    fi
    UPLOAD_URL="https://${UPLOAD_SERVER}/upload/"
    LogText "Upload server: ${UPLOAD_SERVER}"
    LogText "URL to upload to: ${UPLOAD_URL}"

    # License server: the upload server doubles as license server unless one is configured
    if [ -z "${LICENSE_SERVER}" ]; then
        LICENSE_SERVER="${UPLOAD_SERVER}"
    fi
    LICENSE_SERVER_URL="https://${LICENSE_SERVER}/license/"
    LogText "License server: ${LICENSE_SERVER}"

    # Extra curl options. UPLOAD_OPTIONS is appended as-is (with a leading space) and is
    # later expanded unquoted on the curl command line, so whoever can set it controls
    # curl's flags, TLS verification included.
    if [ -n "${UPLOAD_OPTIONS}" ]; then
        CURL_OPTIONS=" ${UPLOAD_OPTIONS}"
    else
        CURL_OPTIONS=""
    fi

    SETTINGS_FILE="${PROFILE}"
    #if [ "${UPLOAD_TOOL}" = "" ]; then UPLOAD_TOOL="${CURLBINARY}"; fi
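    # Print a message to stdout only when debug mode is enabled (DEBUG=1).
    # Arguments: $1 - text to print
    # An unset or empty DEBUG counts as 0, so the numeric test cannot fail with
    # "unary operator expected" and write noise to stderr.
    Output() {
        if [ "${DEBUG:-0}" -eq 1 ]; then echo "$1"; fi
    }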

#####################################################################################
#
# SYSTEM CHECKS
#
#####################################################################################

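    Output "Lynis Enterprise data uploader starting"
    Output "Settings file: ${SETTINGS_FILE}"

    # curl performs both the license check and the upload; stop when it was not found.
    # Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
    #             Restrict access to this binary to the user who is running this script.
    if IsEmpty "${CURLBINARY}"; then
        echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
        LogText "Error: Could not find cURL binary"
        exit 1
    fi

    # A license key is required; stop when none is available
    if [ "${LICENSE_KEY}" = "" ]; then
        echo "Fatal: no license key found. Quitting.."
        LogText "Error: no license key was specified in the profile (${PROFILE})"
        ExitFatal
    else
        # NOTE: with DEBUG=1 the key is printed in clear text; treat captured debug output as sensitive
        Output "License key = ${LICENSE_KEY}"
        # Create a temporary file to use during upload (prevent license key being displayed in process table)
        CreateTempFile || ExitFatal
        LICENSE_KEY_FILE="${TEMP_FILE}"
        # Strip everything outside the expected key alphabet before the key reaches curl.
        # With a POSIX tr the brackets are literal, so '[' and ']' also pass the filter;
        # presumably they are kept for tr implementations that need bracketed ranges.
        # The redirect target is quoted so a temp path containing whitespace cannot break the redirect.
        echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > "${LICENSE_KEY_FILE}"
    fi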


#####################################################################################
#
# JOB CONTROL
#
#####################################################################################


    # Check report file
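    # Upload the report: check that it exists and is complete, validate the license,
    # then send the report together with the host identifiers.
    # REPORTFILE is quoted: with an empty value the unquoted test becomes `[ -f ]`, which is true.
    if [ -f "${REPORTFILE}" ]; then

        Output "${WHITE}Report file found.${NORMAL} Starting with content check."

        # A report without the finish=true marker is treated as incomplete and is not uploaded
        FIND=$(${GREPBINARY} "finish=true" "${REPORTFILE}")
        if [ $? -gt 0 ]; then ExitFatal "The report is not complete, skipping upload"; fi

        Output "${WHITE}Report file found.${NORMAL} Starting with connectivity check."

        # Optional proxy. Only http, https and socks5 are accepted; anything else aborts.
        if [ ! "${UPLOAD_PROXY_SERVER}" = "" ]; then
            # Log the proxy itself (the original logged UPLOAD_SERVER here)
            LogText "Upload: Proxy is configured: ${UPLOAD_PROXY_SERVER}"
            # Port is optional
            if [ ! "${UPLOAD_PROXY_PORT}" = "" ]; then
                LogText "Upload: Proxy port number is ${UPLOAD_PROXY_PORT}"
                UPLOAD_PROXY_PORT=":${UPLOAD_PROXY_PORT}"
            fi
            LogText "Upload: Proxy protocol is ${UPLOAD_PROXY_PROTOCOL}"
            # The proxy values end up in CURL_OPTIONS, which is expanded unquoted on the
            # curl command line; whitespace in them would be split into separate arguments.
            case ${UPLOAD_PROXY_PROTOCOL} in
                "http"|"https")
                    UPLOAD_PROXY="${UPLOAD_PROXY_PROTOCOL}://${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
                    CURL_OPTIONS="${CURL_OPTIONS} --proxy ${UPLOAD_PROXY}"
                ;;
                "socks5")
                    UPLOAD_PROXY="${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
                    CURL_OPTIONS="${CURL_OPTIONS} --socks5 ${UPLOAD_PROXY}"
                ;;
                *)
                    echo "Unknown protocol. Please report to lynis-dev@cisofy.com"
                    ExitFatal
                ;;
            esac
        fi

        # Currently compressed uploads are not supported yet on central node. Therefore default value is set to 0.
        #if [ ${COMPRESSED_UPLOADS} -eq 1 ]; then
        #    CURL_OPTIONS="${CURL_OPTIONS} --compressed -H 'Content-Encoding: gzip'"
        #fi


        # License check
        # The key is passed as licensekey@FILE, so only the file name shows up on the
        # command line and in the log. Inner quotes are escaped so they appear in the log.
        LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"collector_version=${PROGRAM_VERSION}\" ${LICENSE_SERVER_URL} 2> /dev/null"
        # CURL_OPTIONS stays unquoted on purpose: it carries several options in one string
        UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" "${LICENSE_SERVER_URL}" 2> /dev/null)

        EXITCODE=$?
        LogText "Exit code: ${EXITCODE}"
        if [ ${EXITCODE} -gt 0 ]; then

            Display --indent 2 --text "- License check" --result "FAILED" --color RED

            echo ""

            # Translate the most common curl exit codes into a hint for the operator
            case ${EXITCODE} in
                2)
                    LogText "Result: could not initialize"
                    LogText "Possible cause: most likely your cURL version is too old and does not support the --data-urlencode option."
                    LogText "Suggestion: copy the data to a different server and use a new cURL version there, or use the Lynis Collector tool."
                    echo "${RED}Error (2)${NORMAL}: could not initialize cURL."
                    ;;
                5)
                    LogText "Result: could not resolve the defined proxy server (${UPLOAD_PROXY_SERVER})."
                    LogText "Suggestion: check if the proxy is properly defined in the profile."
                    echo "${RED}Error (5)${NORMAL}: could not use the defined proxy (${UPLOAD_PROXY_SERVER}). See ${LOGFILE} for details."
                    ;;
                6)
                    echo "${RED}Error (6)${NORMAL}: Could not resolve the hostname of central server."
                    ;;
                7)
                    LogText "Result: could not contact license server."
                    LogText "Details: used URL ${LICENSE_SERVER_URL}"
                    LogText "Suggestion: check if the upload host is correctly configured."
                    echo "${RED}Error (7)${NORMAL}: license server not available."
                    ;;
                59)
                    echo "${RED}Error (59)${NORMAL}: Could not connect because of used SSL cipher."
                    LogText "Result: SSL cipher used is not understood or accepted."
                    ;;
                60)
                    # curl exit 60 means the peer certificate could not be verified against the
                    # known CAs. That covers a self-signed certificate, but also an intercepted
                    # connection. -k switches verification off for the license check and the
                    # report upload alike; adding the node's CA with --cacert in upload-options
                    # keeps verification on.
                    echo "${RED}Error (60)${NORMAL}: Self-signed certificate used on Lynis Enterprise node${NORMAL}"
                    echo "If you want to accept a self-signed certificate, configure your profile and set the -k option in the upload-options."
                    echo "Example: ${WHITE}$0 configure settings upload-options=-k${NORMAL}"
                    LogText "Result: found self-signed certificate, however cURL -k option not used."
                    ;;
                77)
                    echo "${YELLOW}Error (77)${NORMAL}: Could not use CA certificates to check certificate chain. See ${LOGFILE} for details."
                    LogText "Result: could not use CA certificates to check certificate chain"
                    LogText "Possible cause: missing CA certificates, or no permissions to access them"
                    LogText "Suggestion: update your ca-certificates package. Usually updating your packages already solves the issue with missing CA certificates."
                    ;;
                83)
                    echo "${YELLOW}Error (83)${NORMAL}: Could not check used certificate of server. See ${LOGFILE} for details."
                    ;;
                *)
                    echo "${RED}Upload Error: ${NORMAL}cURL exited with code ${EXITCODE}. See ${LOGFILE} for details."
                    LogText "Result: cURL exited with code ${EXITCODE}. See man page of cURL for the meaning of this code."
                    ;;
            esac

            echo ""
            echo "${RED}Upload Error${NORMAL}: License could not be checked. See ${LOGFILE} for details."
            echo "Suggested command: tail -n 20 ${LOGFILE}"
            echo ""

            LogText "Suggestion: run the cURL command manually without the options -s and -S"
            LogText "Result: quitting, can't check license"
            # Quit if license is not valid, to reduce load on both client and server.
            ExitFatal
        fi

        # The server answers "Response <code>"; code 100 means the license was accepted.
        # NOTE(review): ${UPLOAD} is expanded unquoted, which folds a multi-line answer onto one
        # line but also applies pathname expansion to the server response. Left as-is because
        # quoting would change which line is parsed; confirm the response format before changing.
        UPLOAD_CODE=$(echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}')
        if [ "${UPLOAD_CODE}" = "100" ]; then
            Output "${WHITE}License is valid${NORMAL}"
            LogText "Result: license is valid"
            Display --indent 2 --text "- License check" --result "${STATUS_DONE}" --color GREEN
        else
            LogText "Result: error while checking license"
            LogText "Output: ${UPLOAD_CODE}"
            echo "${RED}Fatal error: ${WHITE}Error while checking the license.${NORMAL}"
            echo ""
            echo "Possible causes and steps you can take:"
            echo "- Connection with license server could not be established (try address in your web browser)"
            echo "- Incorrect server has been configured in profile"
            echo "- License is expired (listed in Configuration screen) or No credits left (listed in Configuration screen)"
            echo "- Collector version of Lynis version outdated (upgrade to latest version of Lynis and/or Lynis Collector)"
            echo ""
            echo "If you need support in solving this, please contact support@cisofy.com and include this screen output."
            echo ""
            echo "URL: ${LICENSE_SERVER_URL}"
            # The key is printed in clear text for the support request; this screen output is sensitive
            echo "Key: ${LICENSE_KEY}"
            Output "Debug information: ${UPLOAD}"
            # Quit
            ExitFatal
        fi

        # Check for host IDs; both are needed. Two tests joined with && replace the obsolescent -a.
        if [ -n "${HOSTID}" ] && [ -n "${HOSTID2}" ]; then
            Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
            # Try to connect
            Output "Uploading data.."
            # The logged command now lists hostid2 as well, so it matches what is actually run
            LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" --data-urlencode \"hostid2=${HOSTID2}\" ${UPLOAD_URL}"
            LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" --data-urlencode \"hostid2=${HOSTID2}\" ${UPLOAD_URL}"
            LogText "Tip: to just retry an upload, use: lynis upload-only"
            UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" "${UPLOAD_URL}" 2> /dev/null)
            EXITCODE=$?
            LogText "Exit code: ${EXITCODE}"
            if [ ${EXITCODE} -gt 0 ]; then
                Display --indent 2 --text "- Data upload (${UPLOAD_SERVER})" --result "${STATUS_FAILED}" --color RED

                echo ""
                echo "${RED}Upload Error${NORMAL}: cURL could not upload data. See ${LOGFILE} for details."
                echo "Suggested command: tail -n 20 ${LOGFILE}"
                echo ""
                case ${EXITCODE} in
                    5) echo "${YELLOW}Error (5): ${NORMAL}Could not resolve the hostname of the proxy." ;;
                    6) echo "${YELLOW}Error (6): ${NORMAL}Could not resolve the hostname of central server." ;;
                    7) echo "${YELLOW}Error (7): ${NORMAL}Could not connect to central server or proxy server." ;;
                    59) echo "${YELLOW}Error (59): ${NORMAL}Could not connect because of used SSL cipher." ;;
                    83) echo "${YELLOW}Error (83): ${NORMAL}Could not check used certificate of server." ;;
                    *) echo "Related exit code: ${YELLOW}${EXITCODE}${NORMAL}. See man page of cURL for the meaning of this code." ;;
                esac
                # Quoted so the server response is shown as received and is not glob-expanded
                if [ ! "${UPLOAD}" = "" ]; then echo ""; echo "Debug:"; echo "${UPLOAD}"; fi
                echo ""
                # Quit
                # NOTE(review): a failed upload ends through ExitClean while every other failure
                # here uses ExitFatal - confirm that callers can still detect a failed upload.
                ExitClean
            else
                Display --indent 2 --text "- Data upload (${UPLOAD_SERVER})" --result "${STATUS_DONE}" --color GREEN
            fi
        else
            echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can not upload report file."
            echo "Suggested command: lynis generate hostids --save"
            echo ""
            echo "Note: do not replicate the values to other systems, as it needs to be unique per system"

            # Quit
            ExitFatal
        fi
    else
         Output "${YELLOW}No report file found to upload.${NORMAL}"
         ExitFatal
    fi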

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com