CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

Lynis 2.3.1 - cronjob output attachment is "noname" and base64 #250

Closed hbokh closed 8 years ago

hbokh commented 8 years ago

Using this cronjob for Lynis on the first of every month:

#!/bin/sh

AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
RECEIVER="user@example.com"
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

cd /usr/local/lynis

# Run Lynis
./lynis audit system --auditor "${AUDITOR}" --cronjob > ${REPORT}

# Optional step: Move report file if it exists
if [ -f /var/log/lynis-report.dat ]; then
    mv /var/log/lynis-report.dat ${DATA}
fi

cat /var/log/lynis/report-${HOST}.${DATE} | mailx -s Lynis-report_$HOST $RECEIVER

The attached report used to be ASCII plain text, but with Lynis 2.3.1 it is a base64 attachment named noname. Some of the SMTP headers:

User-Agent: Heirloom mailx 12.5 6/20/10
MIME-Version: 1.0
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

Difference between the files in directory /var/log/lynis/, with the file command:

Lynis 2.2.0 reports: report-host0123.20160701: ASCII text

Lynis 2.3.1 reports: report-host0123.20160801: ASCII text, with escape sequences

How do I get to see the reports as plain ASCII-text again like in v 2.2.0 or before?

mboelen commented 8 years ago

The format of the report has not changed. There is no toggle to change it in any way.

Looking at the script: Your DATA variable specifies a file ending with ".txt". Your cat command uses a different file (without .txt). So that might be incorrect for the mail command.

Tip: run a diff against both files to see what is different in the files. That might also give a clue why the file command found escape sequences.

hbokh commented 8 years ago

Thanks Michael, it's been a long while since we discussed lynis! :-) Anyway, the output of v2.3.1 still has escape sequences in the "Suggestions"-sections, where v2.2.0 does not. A regular diff won't show these differences, but vim does.

  Suggestions (4):
  ----------------------------
  * Delete accounts which are no longer used [AUTH-9288]
      ^[[0;37mhttps://cisofy.com/controls/AUTH-9288/

  * Check iptables rules to see which rules are currently not used [FIRE-4513]
      ^[[0;37mhttps://cisofy.com/controls/FIRE-4513/

  * Check what deleted files are still in use and why. [LOGG-2190]
      ^[[0;37mhttps://cisofy.com/controls/LOGG-2190/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
      ^[[0;37mhttps://cisofy.com/controls/KRNL-6000/

If I delete these ^[[0;37m and do the cat | mailx-thing on that edited file, I receive what I want in plain ASCII-text. So my impression is v2.3.1 is behaving differently regarding the non-colored --cronjob-option (I did not change the crontab-script).
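The manual workaround described in the comment above (removing the `^[[0;37m` sequences before piping the report to mailx), as an added shell example that is not part of the original thread or of Lynis itself. The function names and the `.clean` suffix are hypothetical, and the sample report is constructed.

```shell
#!/bin/sh
# Added example: detect and strip ANSI colour sequences from a Lynis cron
# report before mailing it. Not Lynis code; function names are hypothetical.

ESC=$(printf '\033')    # the raw ESC byte that vim displays as ^[

# Return 0 if the file contains at least one ESC (0x1b) byte.
has_escape() {
    grep -q "$ESC" "$1"
}

# Filter: remove CSI sequences such as ESC[0;37m or ESC[0m from stdin.
strip_ansi() {
    sed "s/${ESC}\[[0-9;]*[A-Za-z]//g"
}

# If the report contains escape sequences, write a cleaned copy next to it.
# Prints the path of the file that is safe to mail as plain text.
clean_report() {
    report=$1
    if has_escape "$report"; then
        strip_ansi < "$report" > "${report}.clean"
        printf '%s\n' "${report}.clean"
    else
        printf '%s\n' "$report"
    fi
}

# Constructed sample mimicking the "Suggestions" section quoted above.
make_sample() {
    {
        printf '  Suggestions (1):\n'
        printf '  * Delete accounts which are no longer used [AUTH-9288]\n'
        printf '      %s[0;37mhttps://cisofy.com/controls/AUTH-9288/\n' "$ESC"
    } > "$1"
}

# In the cron script from the first post, the last line would become:
#   mailx -s "Lynis-report_$HOST" "$RECEIVER" < "$(clean_report "$REPORT")"
```

Keeping the original report untouched and mailing the cleaned copy leaves the raw output available for comparison between Lynis versions.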

hbokh commented 8 years ago

FYI Running like this makes no difference - still esc. seq. in the report:

./lynis audit system --auditor "${AUDITOR}" --cronjob --no-colors > ${REPORT}

mboelen commented 8 years ago

Ah, that escape sequence also reveals the cause. It has actually already been solved for the upcoming release, so that will also solve this issue.

A new function RemoveColors will handle coloring for non-colored display now: https://github.com/CISOfy/lynis/blob/master/CHANGELOG.md#functions

We will push out a new release soon (expected delivery is this week).

mboelen commented 8 years ago

Closing this issue, as the GitHub version already has the changes.

hbokh commented 8 years ago

Confirmed solved in 2.3.2. Thank you very much!