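#!/usr/bin/env bash
# Author: Oliver Ladner
# License: GPLv2
#
# This tool scans a Debian-based system for threats in programs,
# configurations, permissions etc. and calculates a score to
# compare different systems.
#
# This script runs noninteractive, so you can rely on these return
# codes:
#   0  script run ok, nothing serious found
#   1  OS detection failed
#   2  script run ok, critical stuff found
#   3  usage error (unknown option)
#
# Requirements:
#   - bash, coreutils (md5sum, uname, mktemp, sort), grep, awk, column
#   - the dpkg database (/var/lib/dpkg/info/*.md5sums) for the MD5 check
#   - lsb-release (optional; /etc/debian_version is used as a fallback)

set -u

readonly H_VERSION="0.0.1"

# Option defaults. Every variable the option parser may set is defined here
# so that `set -u` cannot trip on an option that was not given, and so that
# the checks can test for an explicit value instead of "unset vs. non-empty".
verbose=0   # 1 with -v: progress messages are printed to stderr
md5=true    # false with -m: skip the dpkg MD5 verification
ssh=true    # false with -s: skip the sshd_config check
force=      # "Debian"/"Ubuntu" with --force-*: used only when OS detection fails

# Set to 1 by any check that found something critical -> return code 2.
critical=0

#######################################
# Print usage to stdout.
#######################################
showhelp() {
  cat << EOF
Usage: $(basename -- "$0") [OPTION]...

  -h|--help        This information
  -m|--no-md5      Don't check MD5 sums of packages
  -s|--no-ssh      No SSH-related checks
  -v|--verbose     Be verbose
  -V|--version     Show version
  --force-debian   If OS detection fails, assume Debian
  --force-ubuntu   If OS detection fails, assume Ubuntu
EOF
}

#######################################
# Print a progress message, only when -v was given.
# Goes to stderr so stdout carries nothing but the report.
# Arguments: the message words
#######################################
log_verbose() {
  if (( verbose )); then
    printf '%s\n' "$*" >&2
  fi
}

# Argument handling
while [ $# -gt 0 ]; do
  case "$1" in
    -h|--help)      showhelp; exit 0 ;;
    -V|--version)   printf '%s %s\n' "$(basename -- "$0")" "$H_VERSION"; exit 0 ;;
    -v|--verbose)   verbose=1 ;;
    -m|--no-md5)    md5=false ;;
    -s|--no-ssh)    ssh=false ;;
    --force-debian) force=Debian ;;
    --force-ubuntu) force=Ubuntu ;;
    *)              showhelp >&2; exit 3 ;;
  esac
  shift
done

# Major Debian release number -> codename. Releases not listed here map to
# "unknown" instead of an empty string.
DEBIANCODES=([3]=woody/sarge [4]=etch [5]=lenny [6]=squeeze [7]=wheezy)

# Debian is missing lsb_release command
if command -v lsb_release >/dev/null 2>&1; then
  H_DISTRO=$(lsb_release -s -i)
  H_RELEASE=$(lsb_release -s -r)
  H_CODE=$(lsb_release -s -c)
# FIXME probably a strange check for Debian: a numeric /etc/debian_version
# (e.g. "6.0.5") is taken as Debian; testing/unstable write "<codename>/sid"
# there and fall through to --force-* or the error below.
elif [[ -r /etc/debian_version ]] && grep -q '^[[:digit:]]' /etc/debian_version; then
  H_DISTRO=$(awk -F': ' '/Vendor:/ {print $2}' /etc/dpkg/origins/debian 2>/dev/null)
  # The origins file may be absent; this branch is only reached for a numeric
  # Debian version, so fall back to that name instead of an empty string.
  : "${H_DISTRO:=Debian}"
  H_RELEASE=$(< /etc/debian_version)
  # Index by the whole major number ("10" -> 10), not only the first byte.
  H_CODE=${DEBIANCODES[${H_RELEASE%%.*}]:-unknown}
elif [[ -n $force ]]; then
  H_DISTRO=$force
  H_RELEASE=unknown
  H_CODE=unknown
else
  # A single string: the original used `.` as if it were a concatenation
  # operator, which printed a literal " . " in the middle of the message.
  printf '%s\n' \
    "Not a Debian-based system, please install the package lsb-release and send" \
    "the output of 'lsb_release -a' if available to info@lugh.ch." >&2
  exit 1
fi

H_KERNEL=$(uname -r)
H_ARCH=$(uname -m)

#######################################
# Verify installed package files against the md5sums dpkg recorded at
# install time.
# Globals:  md5, H_DISTRO (read); MD5SUMS, TEMPMD5, critical (written)
# Outputs:  MD5SUMS = one failed path per line, "not run" with -m, or a
#           message when the check is unsupported or could not be prepared
# Returns:  0 when the check ran or was skipped, 1 on a setup failure
# Note: the reference sums live on the same host as the files they describe,
# so this detects accidental or unsophisticated modification only; whoever
# can alter /usr can alter /var/lib/dpkg/info as well.
#######################################
check_md5() {
  # http://kemovitra.blogspot.com/2010/07/checking-integrity-of-debianubuntu.html
  if [[ $md5 == false ]]; then
    MD5SUMS="not run"
    return 0
  fi
  if [[ $H_DISTRO != "Debian" ]]; then
    MD5SUMS="Check not supported on $H_DISTRO"
    return 0
  fi

  log_verbose "Collecting all /var/lib/dpkg/info/*.md5sums..."
  TEMPMD5=$(mktemp) || { MD5SUMS="mktemp failed"; return 1; }
  # Remove the temp file on every exit path; the original only removed it
  # when the whole md5sum pipeline succeeded.
  trap 'rm -f -- "$TEMPMD5"' EXIT
  if ! sort -- /var/lib/dpkg/info/*.md5sums > "$TEMPMD5"; then
    MD5SUMS="could not read /var/lib/dpkg/info/*.md5sums"
    rm -f -- "$TEMPMD5"
    return 1
  fi

  log_verbose "Running md5sum, searching for 'FAILED' files..."
  # md5sums entries are relative to /, hence the cd (in a subshell, so the
  # script's own cwd is untouched). 2>&1 keeps the "FAILED open or read"
  # lines md5sum prints for files that are missing.
  MD5SUMS=$( (cd / && md5sum -c -- "$TEMPMD5" 2>&1) \
    | grep ': FAILED' \
    | awk -F':' '{print "/"$1}')
  rm -f -- "$TEMPMD5"
  if [[ -n $MD5SUMS ]]; then
    critical=1
  fi
  return 0
}

#######################################
# Report whether sshd is configured to allow root logins.
# Globals:  ssh (read); SSHD, critical (written)
# Outputs:  SSHD = "Root login enabled!", "root login disabled" or "not run"
# Only /etc/ssh/sshd_config is inspected: the original glob ss*conf* also
# matched the client's ssh_config, and with several files `grep -c` prints
# "file:count" lines, so the numeric comparison never became true. Commented
# directives are skipped. Include/Match sections are not followed and an
# absent directive is reported as disabled, although the server default then
# applies -- TODO confirm against the installed OpenSSH version.
#######################################
check_ssh() {
  local conf=/etc/ssh/sshd_config
  if [[ $ssh == false ]]; then
    SSHD="not run"
  elif [[ -r $conf ]] \
      && grep -qiE '^[[:space:]]*PermitRootLogin[[:space:]]+yes' -- "$conf"; then
    SSHD="Root login enabled!"
    critical=1
  else
    SSHD="root login disabled"
  fi
}

check_md5
check_ssh

# Output
#-------
column -t -s':' -c 80 << EOF
Distribution:$H_DISTRO
Release/Codename:$H_RELEASE ($H_CODE)
Kernel/Architecture:$H_KERNEL ($H_ARCH)

# MD5 CHECK
Packages with wrong MD5 hashes
$MD5SUMS

# SSH daemon settings
$SSHD
EOF

# /usr/bin/printf "\u00A9 2010 Oliver Ladner\n" # Unicode output

# Return code as documented in the header: 2 when a check flagged something
# critical, otherwise 0 (the original always exited 0).
if (( critical )); then
  exit 2
fi
exit 0
# vim: ts=2:sw=2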