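#!/usr/bin/env bash
# Author: Oliver Ladner
# License: LGPL
#
# This tool scans a Debian-based system for threats in programs,
# configurations, permissions etc. and calculates a score to
# compare different systems.
#
# This script runs noninteractive, so you can rely on these return
# codes:
# 0 script run ok, nothing serious found
# 1 OS detection failed/wrong distribution
# 2 script run ok, critical stuff found
#
# Requirements:
# - bash (arrays are used), coreutils (md5sum, mktemp, uname, sort),
#   grep, sed, awk
# - dpkg's checksum lists under /var/lib/dpkg/info/*.md5sums
# - lsb_release is optional; without it /etc/debian_version is used
#
# Caveats worth knowing before trusting the result:
# - The md5 check compares installed files against the checksum lists
#   stored on the SAME host. Anyone able to replace a package's files can
#   also rewrite those lists, so a clean result rules out accidental
#   corruption and careless tampering, not a competent intruder. For a
#   stronger check, compare against checksums obtained from a trusted
#   source (e.g. freshly downloaded packages).
# - Files the current user cannot read are reported as FAILED by md5sum
#   and therefore count as findings; run as root for a meaningful result.
# - The SSH check only detects an explicit "PermitRootLogin yes". An
#   absent directive falls back to sshd's built-in default, which varies
#   by OpenSSH version and is not inspected here; "without-password" /
#   "prohibit-password" (key-only root login) are not reported either.

set -u

H_VERSION="0.0.1"

# Option state, filled in by the argument loop below.
verb=""        # non-empty: print progress messages on stderr
skip_md5=""    # non-empty: skip the md5 check
skip_ssh=""    # non-empty: skip the SSH check
force=""       # "Debian"/"Ubuntu": assumed distribution if detection fails
# Set to 1 by any check that finds something critical; selects exit code 2.
critical=0
# Temporary checksum list used by check_md5; removed on every exit path.
TEMPMD5=""
trap '[[ -n "$TEMPMD5" ]] && rm -f -- "$TEMPMD5"' EXIT

# Print usage information on stdout.
showhelp() {
   cat << EOF
Usage: $(basename "$0") [OPTION]...
   -h|--help          This information
   -m|--no-md5        Don't check MD5 sums of packages
   -s|--no-ssh        No SSH-related checks
   -v|--verbose       Be verbose
   -V|--version       Show version
   --force-debian     If OS detection fails, assume Debian
   --force-ubuntu     If OS detection fails, assume Ubuntu
EOF
}

# Argument handling
while [ $# -gt 0 ]; do
   case "$1" in
      -h|--help) showhelp; exit 0 ;;
      -V|--version) echo "$(basename "$0") $H_VERSION"; exit 0 ;;
      -v|--verbose) verb=true ;;
      -m|--no-md5) skip_md5=true ;;
      -s|--no-ssh) skip_ssh=true ;;
      # Both options are advertised in the help text; without them a
      # detection failure is fatal (exit 1).
      --force-debian) force=Debian ;;
      --force-ubuntu) force=Ubuntu ;;
      # NOTE(review): an unknown option prints the help and exits 0, as
      # the original did; a caller that only looks at the exit code cannot
      # tell a typo from a clean run. Kept to preserve the documented codes.
      *) showhelp; exit 0 ;;
   esac
   shift
done

# Debian major version -> codename, used when lsb_release is absent.
DEBIANCODES=([3]=woody/sarge [4]=etch [5]=lenny [6]=squeeze [7]=wheezy)

# Plain Debian does not ship the lsb_release command, so fall back to the
# files dpkg itself installs.
if command -v lsb_release >/dev/null 2>&1; then
   H_DISTRO=$(lsb_release -s -i)
   H_RELEASE=$(lsb_release -s -r)
   H_CODE=$(lsb_release -s -c)
elif grep -qs '^[[:digit:]]' /etc/debian_version; then
   H_DISTRO=$(awk -F': ' '/Vendor:/ {print $2}' /etc/dpkg/origins/debian 2>/dev/null)
   H_RELEASE=$(cat /etc/debian_version)
   # The major version (text before the first '.') selects the codename;
   # a major that is not in the table leaves the codename empty.
   H_CODE=${DEBIANCODES[${H_RELEASE%%.*}]:-}
elif [[ -n "$force" ]]; then
   # Detection failed but the caller told us what to assume.
   H_DISTRO=$force
   H_RELEASE="unknown"
   H_CODE="unknown"
else
   # Diagnostics go to stderr so stdout only carries check results.
   echo "Not a Debian-based distribution, please install the package lsb-release and send the output of 'lsb_release -a' to info@lugh.ch." >&2
   exit 1
fi

H_KERNEL=$(uname -r)
H_ARCH=$(uname -m)

# Print $1 on stderr when --verbose was given; always returns 0 so it can
# be used freely between other commands.
msg() {
   if [[ -n "$verb" ]]; then
      printf '%s\n' "$1" >&2
   fi
   return 0
}

# Verify every installed file against dpkg's recorded md5sums.
# Prints "not run" when skipped, "ok" when nothing failed, otherwise one
# absolute path per failed file, and marks the run as critical.
# Returns 1 if the checksum lists could not be collected.
check_md5() {
   # http://kemovitra.blogspot.com/2010/07/checking-integrity-of-debianubuntu.html
   if [[ -n "$skip_md5" ]]; then
      echo "not run"
      return 0
   fi
   local failed
   msg "Copying /var/lib/dpkg/info/*.md5sums to temporary file..."
   TEMPMD5=$(mktemp) || { echo "mktemp failed"; return 1; }
   if ! sort -- /var/lib/dpkg/info/*.md5sums > "$TEMPMD5" 2>/dev/null; then
      echo "could not read /var/lib/dpkg/info/*.md5sums"
      rm -f -- "$TEMPMD5"; TEMPMD5=""
      return 1
   fi
   msg "Running md5sum, searching for 'FAILED' files..."
   # The .md5sums paths are relative to /, so verify from there in a
   # subshell instead of changing the script's own working directory.
   # md5sum reports both mismatches ("FAILED") and unreadable/missing files
   # ("FAILED open or read"); strip the status and prefix the leading '/'.
   failed=$(cd / && md5sum -c "$TEMPMD5" 2>&1 | grep ': FAILED' \
      | sed -e 's/: FAILED.*$//' -e 's,^,/,')
   rm -f -- "$TEMPMD5"; TEMPMD5=""
   if [[ -n "$failed" ]]; then
      printf '%s\n' "$failed"
      critical=1
   else
      echo "ok"
   fi
}

# Report whether sshd is explicitly configured with "PermitRootLogin yes".
# Prints "not run" when skipped, "Root login enabled!" (and marks the run
# as critical) on a match, "root login disabled" otherwise.
check_ssh() {
   # PermitRootLogin is an sshd directive, so only the server config (and
   # any sshd_config.d drop-ins, reached via -r) is consulted.
   local ssh_config_glob="/etc/ssh/sshd_config*"
   if [[ -n "$skip_ssh" ]]; then
      echo "not run"
      return 0
   fi
   msg "Searching files $ssh_config_glob for PermitRootLogin yes..."
   # Anchored to the start of the line so that commented-out examples such
   # as "#PermitRootLogin yes" do not count. -q is used instead of counting
   # matches: with several files grep -c prints "file:count" lines, which
   # the original string comparison against "0" never treated as a hit.
   # -s hides errors for missing files. A directive inside a "Match" block
   # still matches; it enables root login for that scope.
   # shellcheck disable=SC2086 -- the glob is meant to expand
   if grep -Eirsq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' $ssh_config_glob; then
      echo "Root login enabled!"
      critical=1
   else
      echo "root login disabled"
   fi
}

echo "Distribution: $H_DISTRO"
echo "Release/Codename: $H_RELEASE ($H_CODE)"
echo "Kernel/Architecture: $H_KERNEL ($H_ARCH)"
printf 'md5 check: '
check_md5
printf 'SSH check: '
check_ssh

# Honour the return code contract from the header: 2 when a check found
# something critical, 0 otherwise.
if (( critical )); then
   exit 2
fi
exit 0

# vim: ts=3:sw=3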