#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Check which tools are installed
#
#################################################################################
#
    COMPILER_INSTALLED=0
    IDLE_SESSION_KILLER_INSTALLED=0
    MALWARE_SCANNER_INSTALLED=0
#
#################################################################################
#
    InsertSection "System Tools"
#
#################################################################################
#
    Display --indent 2 --text "- Scanning available tools..."
    logtext "Start scanning for available audit binaries and tools..."

    # Test        : FILE-7502
    # Description : Check all system binaries
    # Notes       : Always perform test, dependency for many other tests
    Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
    #if [ ${SKIPTEST} -eq 0 ]; then
        SCANNEDPATHS=""
        Display --indent 2 --text "- Checking system binaries..."
        logtext "Status: Starting binary scan..."
        for SCANDIR in ${BINPATHS}; do
            logtext "Test: Checking binaries in directory ${SCANDIR}"
	    if [ -d ${SCANDIR} ]; then
	        Display --indent 4 --text "- Checking ${SCANDIR}... " --result FOUND --color GREEN
	        SCANNEDPATHS="${SCANNEDPATHS}, ${SCANDIR}"
    	        logtext "Directory ${SCANDIR} exists. Starting directory scanning..."
    		FIND=`ls ${SCANDIR}`
	        for I in ${FIND}; do
		    BINARY="${SCANDIR}/${I}"
	            logtext "Binary: ${BINARY}"
	            # Optimized, much quicker (no file access needed)
		    case ${I} in
                        aa-status)              APPARMORFOUND=1;       AASTATUSBINARY=${BINARY};                                        logtext "  Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
                        afick.pl)               AFICKFOUND=1;          AFICKBINARY=${BINARY};                                           logtext "  Found known binary: afick (file integrity checker) - ${BINARY}" ;;
                        aide)                   AIDEFOUND=1;           AIDEBINARY=${BINARY};                                            logtext "  Found known binary: aide (file integrity checker) - ${BINARY}" ;;
                        apache2)                HTTPDFOUND=1;          HTTPDBINARY=${BINARY};                                           logtext "  Found known binary: apache2 (web server) - ${BINARY}" ;;
                        auditd)                 AUDITDFOUND=1;         AUDITDBINARY=${BINARY};                                          logtext "  Found known binary: auditd (audit framework) - ${BINARY}" ;;
                        awk)                    if [ -f ${BINARY} ]; then AWKFOUND=1;            AWKBINARY=${BINARY};                                             logtext "  Found known binary: awk (string tool) - ${BINARY}";        fi ;;
                        chkconfig)              CHKCONFIGFOUND=1;      CHKCONFIGBINARY=${BINARY};                                       logtext "  Found known binary: chkconfig (administration tool) - ${BINARY}"			;;
                        clamscan)               CLAMSCANFOUND=1;       CLAMSCANBINARY=${BINARY};                                        logtext "  Found known binary: clamscan (AV scanner) - ${BINARY}"				;;
                        dig)                    DIGFOUND=1;            DIGBINARY=${BINARY};                                             logtext "  Found known binary: dig (nameservice tool) - ${BINARY}"				;;
                        as)                     ASFOUND=1;             ASBINARY="${BINARY}";          COMPILER_INSTALLED=1;             logtext "  Found known binary: as (compiler) - ${BINARY}"					;;
                        auditctl)               AUDITCTLFOUND=1;       AUDITCTLBINARY="${BINARY}";                                      logtext "  Found known binary: auditctl (control utility for audit daemon) - ${BINARY}"	;;
                        autolog)                AUTOLOGFOUND=1;        AUTOLOGBINARY="${BINARY}";     IDLE_SESSION_KILLER_INSTALLED=1;  logtext "  Found known binary: autolog (idle session killer) - ${BINARY}"			;;
                        cfagent)                CFAGENTFOUND=1;        CFAGENTBINARY="${BINARY}";     FILE_INT_TOOL_FOUND=1;            logtext "  Found known binary: cfengine agent (configuration tool) - ${BINARY}"		;;
                        chkrootkit)             CHKROOTKITFOUND=1;     CHKROOTKITBINARY="${BINARY}";                     MALWARE_SCANNER_INSTALLED=1;      logtext "  Found known binary: chkrootkit (malware scanner) - ${BINARY}"			;;
                        dig)                    if [ -f ${BINARY} ]; then DIGFOUND=1;            DIGBINARY=${BINARY};                                             logtext "  Found known binary: dig (network/dns tool) - ${BINARY}";        fi ;;
                        dnsdomainname)          DNSDOMAINNAMEFOUND=1;  DNSDOMAINNAMEBINARY="${BINARY}";						logtext "  Found known binary: dnsdomainname (DNS domain) - ${BINARY}"			;;
                        domainname)             DOMAINNAMEFOUND=1;     DOMAINNAMEBINARY="${BINARY}";							logtext "  Found known binary: domainname (NIS domain) - ${BINARY}"				;;
                        find)                   FINDFOUND=1;           FINDBINARY="${BINARY}";								logtext "  Found known binary: find (search tool) - ${BINARY}"				;;
                        g++)	      		GPLUSPLUSFOUND=1;      GPLUSPLUSBINARY="${BINARY}";   COMPILER_INSTALLED=1;		    	logtext "Found known binary: g++ (compiler) - ${BINARY}"					;;
                        # additional file check due to existance /usr/libexec/gcc (directory)
                        gcc)                    if [ -f ${BINARY} ]; then GCCBINARY="${BINARY}";      COMPILER_INSTALLED=1;             logtext "Found known binary: gcc (compiler) - ${BINARY}";                       fi ;;
                        httpd2-prefork)         HTTPDFOUND=1;          HTTPDBINARY=${BINARY};                                           logtext "  Found known binary: apache2 (web server) - ${BINARY}" ;;
                        lvdisplay)              LVDISPLAYBINARY="${BINARY}";							logtext "Found known binary: lvdisplay (LVM tool) - ${BINARY}"				;;
                        named-checkconf)	NAMEDCHECKCONFIGFOUND=1;  NAMEDCHECKCONFBINARY="${BINARY}";						logtext "Found known binary: named-checkconf (BIND configuration analyzer) - ${BINARY}"	;;
                        rkhunter) 		RKHUNTERFOUND=1;       RKHUNTERBINARY="${BINARY}";             MALWARE_SCANNER_INSTALLED=1;	    	logtext "Found known binary: rkhunter (malware scanner) - ${BINARY}"			;;
                        vgdisplay)              VGDISPLAYFOUND=1;      VGDISPLAYBINARY="${BINARY}";							logtext "Found known binary: vgdisplay (LVM tool) - ${BINARY}"				;;
		    esac
		done
	      else
		Display --indent 4 --text "- Checking ${SCANDIR}... " --result "NOT FOUND" --color WHITE
    	        logtext "Directory ${SCANDIR} does NOT exist."
	    fi
	    logtextbreak        
	done
	SCANNEDPATHS=`echo ${SCANNEDPATHS} | sed 's/^, //g'`
        logtext "Scanned directories: ${SCANNEDPATHS}"
    #fi

    for I in ${BINPATHS}; do
      J=${I}"/exim";      	if [ -f ${J} ]; then EXIMFOUND=1;	 EXIMBINARY=${J};	EXIMVERSION=`${J} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; 	logtext "Found ${J} (version ${EXIMVERSION})";		fi
      J=${I}"/grpck";      	if [ -f ${J} ]; then GRPCKFOUND=1;       GRPCKBINARY=${J};      logtext "Found ${J}"; 	fi
      J=${I}"/httpd";      	if [ -f ${J} ]; then HTTPDFOUND=1;       HTTPDBINARY=${J};      logtext "Found ${J}";   fi
      J=${I}"/ip";      	if [ -f ${J} ]; then IPFOUND=1;          IPBINARY=${J};         logtext "Found ${J}"; 	fi
      J=${I}"/ipf";      	if [ -f ${J} ]; then IPFFOUND=1;         IPFBINARY=${J};        logtext "Found ${J}"; 	fi
      J=${I}"/ifconfig";	if [ -f ${J} ]; then IFCONFIGFOUND=1;    IFCONFIGBINARY=${J};   logtext "Found ${J}";   fi
      J=${I}"/iptables";    	if [ -f ${J} ]; then IPTABLESFOUND=1;	 IPTABLESBINARY=${J}; 	logtext "Found ${J}";	fi
      J=${I}"/kldstat";		if [ -f ${J} ]; then KLDSTATFOUND=1;     KLDSTATBINARY=${J};    logtext "Found ${J}";   fi
      J=${I}"/locate";    	if [ -f ${J} ]; then LOCATEFOUND=1;	 LOCATEBINARY=${J};     logtext "Found ${J}";   fi
      J=${I}"/logrotate";	if [ -f ${J} ]; then LOGROTATEFOUND=1;   LOGROTATEBINARY=${J};  logtext "Found ${J}";   fi
      J=${I}"/ls";      	if [ -f ${J} ]; then logtext "Found ${J}"; LSFOUND=1;   	LSBINARY=${J};         fi
      J=${I}"/lsattr";     	if [ -f ${J} ]; then logtext "Found ${J}"; LSATTRFOUND=1;  	LSATTRBINARY=${J};     fi
      J=${I}"/lsmod";      	if [ -f ${J} ]; then logtext "Found ${J}"; LSMODFOUND=1;    	LSMODBINARY=${J};      fi
      J=${I}"/lsof";    	if [ -f ${J} ]; then logtext "Found ${J}"; LSOFFOUND=1;    	LSOFBINARY=${J};       fi
      J=${I}"/lynx";    	if [ -f ${J} ]; then LYNXFOUND=1;	 LYNXBINARY=${J}; 	LYNXVERSION=`${J} -version | grep "^Lynx Version" | cut -d ' ' -f3`;		 logtext "Found ${J} (version ${LYNXVERSION})";		fi
      J=${I}"/md5";     	if [ -f ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	MD5BINARY=${J};        fi
      J=${I}"/md5sum";  	if [ -f ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	MD5BINARY=${J};        fi
      J=${I}"/mysql";    	if [ -f ${J} ]; then MYSQLCLIENTFOUND=1; MYSQLCLIENTBINARY=${J}; MYSQLCLIENTVERSION=`${J} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g'` ;       logtext "Found ${J} (version: ${MYSQLCLIENTVERSION})"; fi
      J=${I}"/netstat";  	if [ -f ${J} ]; then logtext "Found ${J}"; NETSTATFOUND=1;     	NETSTATBINARY=${J};    fi
      J=${I}"/nmap";    	if [ -f ${J} ]; then NMAPFOUND=1; 	 NMAPBINARY=${J};   	NMAPVERSION=`${J} -V | grep "^Nmap version" | awk '{ print $3 }'`;	  	 logtext "Found ${J} (version ${NMAPVERSION})";         fi
      J=${I}"/ntpq";    	if [ -f ${J} ]; then NTPQFOUND=1; 	 NTPQBINARY=${J};   		 logtext "Found ${J}";         fi      
      #NTPQVERSION=`${J} --version | awk '{ if ($8=="Ver.") { print $9 } }'`;	  
      J=${I}"/openssl";    	if [ -f ${J} ]; then OPENSSLFOUND=1;  	 OPENSSLBINARY=${J};	OPENSSLVERSION=`${J} version | head -n 1 | awk '{ print $2 }' | xargs`;		 logtext "Found ${J} (version ${OPENSSLVERSION})";	fi
      J=${I}"/osiris";    	if [ -f ${J} ]; then OSIRISFOUND=1;	 OSIRISBINARY=${J}; 	logtext "Found ${J}";	fi
      J=${I}"/perl";        	if [ -f ${J} ]; then PERLFOUND=1;	 PERLBINARY=${J};	PERLVERSION=`${J} -V:version | ${J} -pi -e "s/^version='(.*)';$/\1/" | xargs`;   logtext "Found ${J} (version ${PERLVERSION})";		fi
      J=${I}"/postconf";   	if [ -f ${J} ]; then logtext "Found ${J}"; POSTCONFFOUND=1; 	POSTCONFBINARY=${J};   fi
      J=${I}"/postfix";   	if [ -f ${J} ]; then logtext "Found ${J}"; POSTFIXFOUND=1; 	POSTFIXBINARY=${J};    fi
      J=${I}"/prelink";   	if [ -f ${J} ]; then logtext "Found ${J}"; PRELINKFOUND=1; 	PRELINKBINARY=${J};    fi
      J=${I}"/ps";      	if [ -f ${J} ]; then logtext "Found ${J}"; PSFOUND=1;      	PSBINARY=${J};         fi
      J=${I}"/readlink";      	if [ -f ${J} ]; then READLINKFOUND=1;	 READLINKBINARY=${J};	logtext "Found ${J}";              fi

      J=${I}"/rpm";    		if [ -f ${J} ]; then logtext "Found ${J}"; RPMFOUND=1;	 	 RPMBINARY=${J};        fi  
      J=${I}"/samhain";    	if [ -f ${J} ]; then SAMHAINFOUND=1;   	 SAMHAINBINARY=${J}; 	logtext "Found ${J}";	fi
      J=${I}"/sestatus";    	if [ -f ${J} ]; then SESTATUSFOUND=1;    SESTATUSBINARY=${J}; 	logtext "Found ${J}";	fi
      J=${I}"/slocate";    	if [ -f ${J} ]; then logtext "Found ${J}"; LOCATEFOUND=1;	 LOCATEBINARY=${J};     fi
      J=${I}"/smbd";    	if [ -f ${J} ]; then SMBDFOUND=1;    	 SMBDBINARY=${J}; 	SMBDVERSION=`${J} -V | grep "^Version" | awk '{ print $2 }'`;  		logtext "Found ${J} (version ${SMBDVERSION})";			fi      
      J=${I}"/sockstat";   	if [ -f ${J} ]; then logtext "Found ${J}"; SOCKSTATFOUND=1;	 SOCKSTATBINARY=${J};   fi
      J=${I}"/squid";   	if [ -f ${J} ]; then logtext "Found ${J}"; SQUIDFOUND=1;	 SQUIDBINARY=${J};   fi
      J=${I}"/stat"; 		if [ -f ${J} ]; then logtext "Found ${J}"; STATFOUND=1;	   	 STATBINARY=${J};       fi
      J=${I}"/sshd"; 		if [ -f ${J} ]; then SSHDFOUND=1;	 SSHDBINARY=${J};	SSHDVERSION=`${J} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | xargs`; logtext "Found ${J} (version ${SSHDVERSION})";		fi
      J=${I}"/strings"; 	if [ -f ${J} ]; then logtext "Found ${J}"; STRINGSFOUND=1; 	 STRINGSBINARY=${J};    fi
      J=${I}"/syslog-ng";	if [ -x ${J} ]; then SYSLOGNGFOUND=1;	 SYSLOGNGBINARY=${J};	SYSLOGNGVERSION=`${J} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'`		logtext "Found ${J} (version ${SYSLOGNGVERSION})";		fi
      J=${I}"/tripwire";    	if [ -f ${J} ]; then TRIPWIREFOUND=1;    TRIPWIREBINARY=${J}; 	logtext "Found ${J}";	fi
      J=${I}"/vmtoolsd";    	if [ -f ${J} ]; then VMWARETOOLSFOUND=1; VMWARETOOLSDBINARY=${J};	fi
      J=${I}"/wget";    	if [ -f ${J} ]; then WGETFOUND=1;    	 WGETBINARY=${J}; 	WGETVERSION=`${J} -V | grep "^GNU Wget" | awk '{ print $3 }'`;  		logtext "Found ${J} (version ${WGETVERSION})";			fi
    done

#
#################################################################################
#
# Other binaries to test for:
# sysctl
# tune2fs
#
#################################################################################
#

wait_for_keypress

#
#================================================================================
# Lynis - Copyright 2007-2013, Michael Boelen - www.rootkit.nl - The Netherlands
