blob: e162a9363cdfa70dbbe97309f7b2b58c32124e84 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
|
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com), CISOfy
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Data upload
#
#################################################################################
#
# LogTextbreak
PROGRAM_VERSION="101"
# Data upload destination
if [ "${UPLOAD_SERVER}" = "" ]; then; UPLOAD_SERVER="portal.cisofy.com"; fi
UPLOAD_URL="https://${UPLOAD_SERVER}/upload/"
LogText "Upload server: ${UPLOAD_SERVER}"
LogText "URL to upload to: ${UPLOAD_URL}"
# License server (set to upload server if not configured)
if [ "${LICENSE_SERVER}" = "" ]; then LICENSE_SERVER="${UPLOAD_SERVER}"; fi
LICENSE_SERVER_URL="https://${LICENSE_SERVER}/license/"
LogText "License server: ${LICENSE_SERVER}"
# Additional options to curl
if [ "${UPLOAD_OPTIONS}" = "" ]; then
CURL_OPTIONS=""
else
CURL_OPTIONS=" ${UPLOAD_OPTIONS}"
fi
SETTINGS_FILE="${PROFILE}"
# Only output text to stdout if DEBUG mode is not used
output()
{
if [ ${DEBUG} -eq 1 ]; then echo "$1"; fi
}
#####################################################################################
#
# SYSTEM CHECKS
#
#####################################################################################
output "Lynis Enterprise data uploader starting"
output "Settings file: ${SETTINGS_FILE}"
# Check if we can find curl
# Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
# Restrict access to this binary to the user who is running this script.
if [ "${CURLBINARY}" = "" ]; then
echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
LogText "Error: Could not find cURL binary"
exit 1
fi
# Extra the license key from the settings file
if [ "${LICENSE_KEY}" = "" ]; then
echo "Fatal: no license key found. Quitting.."
LogText "Error: no license key was specified in the profile (${PROFILE})"
ExitFatal
else
output "License key = ${LICENSE_KEY}"
fi
#####################################################################################
#
# JOB CONTROL
#
#####################################################################################
# Check report file
if [ -f ${REPORTFILE} ]; then
output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.."
if [ ! "${UPLOAD_PROXY_SERVER}" = "" ]; then
LogText "Upload: Proxy is configured: ${UPLOAD_SERVER}"
if [ ! "${UPLOAD_PROXY_PORT}" = "" ]; then
LogText "Upload: Proxy port number is ${UPLOAD_PROXY_PORT}"
UPLOAD_PROXY_PORT=":${UPLOAD_PROXY_PORT}"
fi
LogText "Upload: Proxy protocol is ${UPLOAD_PROXY_PROTOCOL}"
case ${UPLOAD_PROXY_PROTOCOL} in
"http")
UPLOAD_PROXY="http://${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
CURL_OPTIONS="${CURL_OPTIONS} --proxy ${UPLOAD_PROXY}"
;;
"https")
UPLOAD_PROXY="https://${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
CURL_OPTIONS="${CURL_OPTIONS} --proxy ${UPLOAD_PROXY}"
;;
"socks5")
UPLOAD_PROXY="${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
CURL_OPTIONS="${CURL_OPTIONS} --socks5 ${UPLOAD_PROXY}"
;;
*)
echo "Unknown protocol. Please report to lynis-dev@cisofy.com"
ExitFatal
;;
esac
fi
# Quit if license is not valid, to reduce load on both client and server.
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
UPLOAD=`${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null`
EXITCODE=$?
if [ ${EXITCODE} -gt 0 ]; then
LogText "Exit code: ${EXITCODE}"
if [ ${EXITCODE} -eq 7 ]; then
LogText "Result: could not contact license server."
LogText "Details: used URL ${LICENSE_SERVER_URL}"
LogText "Suggestion: check if the upload host is correctly configured."
echo "${RED}Error${NORMAL}: license server not available. See ${LOGFILE} for details."
elif [ ${EXITCODE} -eq 60 ]; then
echo "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}"
echo "If you want to accept a self-signed certificate, use the -k option in the profile."
echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}"
LogText "Result: found self-signed certificate, however cURL -k option not used."
else
echo "${RED}Upload Error: ${NORMAL}cURL exited with code ${EXITCODE}. See ${LOGFILE} for details."
LogText "Result: cURL exited with code ${EXITCODE}."
fi
LogText "Result: quitting, can't check license"
ExitFatal
fi
UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'`
if [ "${UPLOAD_CODE}" = "100" ]; then
output "${WHITE}License is valid${NORMAL}"
LogText "Result: license is valid"
else
LogText "Result: error while checking license"
LogText "Output: ${UPLOAD_CODE}"
echo "${RED}Fatal error: ${WHITE}Error while checking the license.${NORMAL}"
echo ""
echo "Possible causes and steps you can take:"
echo "- Connection with license server could not be established (try address in your web browser)"
echo "- Incorrect server has been configured in profile"
echo "- License is expired (listed in Configuration screen) or No credits left (listed in Configuration screen)"
echo "- Collector version of Lynis version outdated (upgrade to latest version of Lynis and/or Lynis Collector)"
echo ""
echo "If you need support in solving this, please contact support@cisofy.com and include this screen output."
echo ""
echo "URL: ${LICENSE_SERVER_URL}"
echo "Key: ${LICENSE_KEY}"
output "Debug information: ${UPLOAD}"
# Quit
ExitFatal
fi
# Extract the hostid from the parse file
HOSTID=`awk -F= '/^hostid=/ { print $2 }' ${REPORTFILE}`
if [ ! "${HOSTID}" = "" ]; then
output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
# Try to connect
output "Uploading data.."
# Add a space
CURL_OPTIONS=" ${CURL_OPTIONS}"
# Currently compressed uploads are not supported yet on central node. Therefore default value is set to 0.
if [ ${COMPRESSED_UPLOADS} -eq 1 ]; then
CURL_OPTIONS="${CURL_OPTIONS} --compressed -H 'Content-Encoding: gzip'"
fi
if [ ! "${UPLOAD_PROXY_SERVER}" = "" ]; then
LogText "Upload: Proxy is configured: ${UPLOAD_SERVER}"
if [ ! "${UPLOAD_PROXY_PORT}" = "" ]; then
LogText "Upload: Proxy port number is ${UPLOAD_PROXY_PORT}"
UPLOAD_PROXY_PORT=":${UPLOAD_PROXY_PORT}"
fi
LogText "Upload: Proxy protocol is ${UPLOAD_PROXY_PROTOCOL}"
case ${UPLOAD_PROXY_PROTOCOL} in
"http")
UPLOAD_PROXY="http://${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
CURL_OPTIONS="${CURL_OPTIONS} --proxy ${UPLOAD_PROXY}"
;;
"https")
UPLOAD_PROXY="https://${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
CURL_OPTIONS="${CURL_OPTIONS} --proxy ${UPLOAD_PROXY}"
;;
"socks5")
UPLOAD_PROXY="${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
CURL_OPTIONS="${CURL_OPTIONS} --socks5 ${UPLOAD_PROXY}"
;;
*)
echo "Unknown protocol. Please report to lynis-dev@cisofy.com"
ExitFatal
;;
esac
fi
LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
UPLOAD=`${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL} 2> /dev/null`
EXITCODE=$?
if [ ${EXITCODE} -gt 0 ]; then
echo ""
echo "${RED}Upload Error${NORMAL}: cURL could not upload data. See ${LOGFILE} for details."
echo "Suggested command: tail -n 20 ${LOGFILE}"
echo ""
case ${EXITCODE} in
5) echo "${YELLOW}Error (5): ${NORMAL}Could not resolve the hostname of the proxy." ;;
6) echo "${YELLOW}Error (6): ${NORMAL}Could not resolve the hostname of central server." ;;
7) echo "${YELLOW}Error (7): ${NORMAL}Could not connect to central server or proxy server." ;;
59) echo "${YELLOW}Error (59): ${NORMAL}Could not connect because of used SSL cipher." ;;
83) echo "${YELLOW}Error (83): ${NORMAL}Could not check used certificate of server." ;;
*) echo "Related exit code: ${YELLOW}{EXITCODE}${NORMAL}. See man page of cURL for the meaning of this code." ;;
esac
if [ ! "${UPLOAD}" = "" ]; then echo ""; echo "Debug:"; echo ${UPLOAD}; fi
echo ""
# Quit
ExitClean
fi
else
echo "${RED}Error${NORMAL}: No hostid found in report file. Can not upload report file."
# Quit
ExitFatal
fi
else
output "${YELLOW}No report file found to upload.${NORMAL}"
ExitFatal
fi
#
#================================================================================
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
|
