#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Report
#
#################################################################################
#

    #
    #################################################################################
    #
    # Hardening Index
    # Define approximately how strong a machine has been hardened
    #
    #################################################################################
    #
            # If no hardening has been found, set value to 1
            if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
            HPINDEX=`expr $HPPOINTS \* 100 / $HPTOTAL`
            HPAOBLOCKS=`expr $HPPOINTS \* 20 / $HPTOTAL`
            # Set color related to rating
            if [ ${HPINDEX} -lt 50 ]; then
                HPCOLOR="${RED}"
                HIDESCRIPTION="System has not or a low amount been hardened"
            fi
            if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
                HPCOLOR="${YELLOW}"
                HIDESCRIPTION="System has been hardened, but could use additional hardening"
            fi
            if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
                HPCOLOR="${GREEN}"
                HIDESCRIPTION="System seem to be decent hardened"
            fi
            if [ ${HPINDEX} -gt 89 ]; then
                HPCOLOR="${GREEN}"
                HIDESCRIPTION="System seem to be well hardened"
            fi

            case ${HPAOBLOCKS} in
                0)  HPBLOCKS="#"; HPEMPTY="                   " ;;
                1)  HPBLOCKS="#"; HPEMPTY="                   " ;;
                2)  HPBLOCKS="##"; HPEMPTY="                  " ;;
                3)  HPBLOCKS="###"; HPEMPTY="                 " ;;
                4)  HPBLOCKS="####"; HPEMPTY="                " ;;
                5)  HPBLOCKS="#####"; HPEMPTY="               " ;;
                6)  HPBLOCKS="######"; HPEMPTY="              " ;;
                7)  HPBLOCKS="#######"; HPEMPTY="             " ;;
                8)  HPBLOCKS="########"; HPEMPTY="            " ;;
                9)  HPBLOCKS="#########"; HPEMPTY="           " ;;
                10) HPBLOCKS="##########"; HPEMPTY="          " ;;
                11) HPBLOCKS="###########"; HPEMPTY="         " ;;
                12) HPBLOCKS="############"; HPEMPTY="        " ;;
                13) HPBLOCKS="#############"; HPEMPTY="       " ;;
                14) HPBLOCKS="##############"; HPEMPTY="      " ;;
                15) HPBLOCKS="###############"; HPEMPTY="     " ;;
                16) HPBLOCKS="################"; HPEMPTY="    " ;;
                17) HPBLOCKS="#################"; HPEMPTY="   " ;;
                18) HPBLOCKS="##################"; HPEMPTY="  " ;;
                19) HPBLOCKS="###################"; HPEMPTY=" " ;;
                20) HPBLOCKS="####################"; HPEMPTY="" ;;
            esac

            HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
            LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
            LogText "Hardening strength: ${HIDESCRIPTION}"


    # Only show overview if not running in quiet mode
    if [ ${QUIET} -eq 0 ]; then
        echo ""; echo "================================================================================"
        echo ""; echo "  -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
        echo "";


    if [ ${SHOW_REPORT} -eq 1 ]; then

        logtextbreak

        #
        #################################################################################
        #
        # Show test results overview
        #
        #################################################################################
        #
            if [ "${CONTROL_URL_PROTOCOL}" = "" ]; then CONTROL_URL_PROTOCOL="https"; fi
            if [ "${CONTROL_URL_PREPEND}" = "" ]; then CONTROL_URL_PREPEND="cisofy.com/controls/"; fi
            if [ "${CONTROL_URL_APPEND}" = "" ]; then CONTROL_URL_APPEND="/"; fi
            if [ "${CUSTOM_URL_PROTOCOL}" = "" ]; then CUSTOM_URL_PROTOCOL="https"; fi
            if [ "${CUSTOM_URL_PREPEND}" = "" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi
            if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi

            # Show warnings from logfile
            SWARNINGS=`grep -i 'warning:' ${LOGFILE} | sed 's/ /!space!/g'`

            if [ "${SWARNINGS}" = "" ]; then
                echo "  ${OK}No warnings${NORMAL}"; echo ""
              else
                echo "  ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
                echo "  ${WHITE}----------------------------${NORMAL}"
                for WARNING in ${SWARNINGS}; do
                    SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://'`
                    ADDLINK=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: \(.*\)\[test://' | sed 's/\]\(.*\)]//'`
                    IS_CUSTOM=`echo ${ADDLINK} | grep "^CUST"`
                    echo "  ${WHITE}- ${SHOWWARNING}${NORMAL}"
                    if [ "${IS_CUSTOM}" = "" ]; then
                        echo "      ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
                      else
                        echo "      ${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}"
                    fi
                    echo ""
                done
            fi

            # Show suggestions from logfile
            SSUGGESTIONS=`grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g'`

            if [ "${SSUGGESTIONS}" = "" ]; then
                echo "  ${OK}No suggestions${NORMAL}"; echo ""
              else
                echo "  ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
                echo "  ${WHITE}----------------------------${NORMAL}"
                for SUGGESTION in ${SSUGGESTIONS}; do
                    SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://'`
                    ADDLINK=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//'`
                    DETAILS=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: \(.*\)\[details://' | sed 's/\]\(.*\)]//'`
                    IS_CUSTOM=`echo ${ADDLINK} | grep "^CUST"`
                    echo "  - ${SHOWSUGGESTION}"
                    if [ ! "${DETAILS}" = "-" ]; then echo "    - Details: ${DETAILS}"; fi
                    if [ "${IS_CUSTOM}" = "" ]; then
                        echo "      ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
                      else
                        echo "      ${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}"
                    fi
                done
                echo ""
            fi

            if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then
                echo "  ${CYAN}Follow-up${NORMAL}:"
                echo "  ${WHITE}----------------------------${NORMAL}"
                echo "  ${WHITE}-${NORMAL} Check the logfile for more details (less $LOGFILE)"
                echo "  ${WHITE}-${NORMAL} Read security controls texts (https://cisofy.com)"
                echo "  ${WHITE}-${NORMAL} Use --upload to upload data (Lynis Enterprise users)"
                echo ""
            fi
            echo "================================================================================"
            echo ""
            echo "  ${WHITE}Lynis security scan details${NORMAL}:"
            echo ""
            echo "  ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
            echo "  ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
            echo "  ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
            echo ""
            echo "  ${WHITE}Quick overview${NORMAL}:"
            if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi
            if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then MALWARE="${GREEN}V"; else MALWARE="${RED}X"; fi

            echo "  - Firewall [${FIREWALL}${NORMAL}] - Malware scanner [${MALWARE}${NORMAL}]"

            echo ""
            echo "  ${SECTION}Lynis Modules${NORMAL}:"
            if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
                if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
              else COMPLIANCE="${YELLOW}NA";
            fi
            echo "  - Compliance Status   [${COMPLIANCE}${NORMAL}]"
            echo "  - Security Audit      [${GREEN}V${NORMAL}]"
            echo "  - Vulnerability Scan  [${GREEN}V${NORMAL}]"
            echo ""
            echo "  ${SECTION}Files${NORMAL}:"
            echo "  - Test and debug information      : ${WHITE}${LOGFILE}${NORMAL}"
            echo "  - Report data                     : ${WHITE}${REPORTFILE}${NORMAL}"
            echo ""
            echo "================================================================================"
            if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
                echo "  ${NOTICE}Notice: ${WHITE}${PROGRAM_name} update available${NORMAL}"
                echo "  Current version : ${WHITE}${PROGRAM_AC}${NORMAL}    Latest version : ${WHITE}${PROGRAM_LV}${NORMAL}"
                echo "================================================================================"
              else
                ###########################################################################################
                #
                # Software quality program
                # Only provide this hint when the tool is at the latest version
                #
                ###########################################################################################

                if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
                    # Determine if the quality of the program can be increased by filtering out the exceptions
                    FIND=`${GREPBINARY} "^exception" ${REPORTFILE}`
                    if [ ! "${FIND}" = "" ]; then
                        echo ""
                        echo "  ${RED}Exceptions found${NORMAL}"
                        echo "  ${WHITE}Some exceptional events or information was found!${NORMAL}"
                        echo ""
                        echo "  ${CYAN}What to do:${NORMAL}"
                        echo "  You can help improving Lynis by providing your /var/log/lynis.log file."
                        echo "  Go to https://cisofy.com/contact/ and send your file to the e-mail address listed"
                        echo ""
                        echo "================================================================================"
                    fi
                fi
            fi

            # Display what tests are skipped in non-privileged scan for awareness
            if [ ${PENTESTINGMODE} -eq 1 -a ! "${SKIPPED_TESTS_ROOTONLY}" = "" ]; then
                echo ""
                echo "  ${PURPLE}Skipped tests due to non-privileged scan${NORMAL}"

                FIND=`echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g'`
                # Split entries
                FIND=`echo ${FIND} | sed 's/====/ /g'`
                # Display found entries
                for I in ${FIND}; do
                    J=`echo ${I} | sed 's/:space:/ /g'`
                    echo "    ${J}"
                done
                echo ""
                echo "================================================================================"
            fi

            echo ""; echo ""
        fi

    fi

    # Report data, even if it is not displayed on screen
    Report "hardening_index=${HPINDEX}"

    if [ ${QUIET} -eq 0 ]; then
        echo "  ${PROGRAM_name} ${PROGRAM_version}"
        echo "  Auditing, hardening and compliance for Linux, Mac OS and Unix systems"
        echo ""
        echo "  ${PROGRAM_copyright}"
        echo "  ${WHITE}${PROGRAM_extrainfo}${NORMAL}"
        echo ""
        echo "================================================================================"
    fi

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
