CloudyScripts 1.6.1 → 1.7.27

data/lib/audit/checks/LOCAL_NMAP.check

@@ -0,0 +1,97 @@
+ID:  LOCAL_NMAP
+Name: Run local nmap for fingerprinting purposes
+Description: >
+   Extract all information from the /etc/passwd file
+   and export it as key/value pairs.
+Depends: [HAS_TAR, HAS_UNAME, HAS_HOSTNAME, HAS_FILE_DOWNLOADER, MAYBE_HAS_SUPERUSER]
+Imports: [SHADOW_FILE, PASSWD_FILE, CAT, CUT, RUN_AS_SUPERUSER]
+Script: |
+   TMP_NMAP_LIGHT_TEXT_OUTPUT="${AUDIT_DIRECTORY}/nmap_light.log"
+   TMP_NMAP_LIGHT_XML_OUTPUT="${AUDIT_DIRECTORY}/nmap_light.xml"
+   TMP_NMAP_LIGHT_NONROOT_PARAMS="-vv -p 0-65535 -Pn -sV --version-light -script=default,ssh2-enum-algos,ssh-hostkey --host-timeout 2m"
+   TMP_NMAP_LIGHT_ROOT_PARAMS="-O --osscan-limit"
+      
+   TMP_NMAP_THOROUGH_TEXT_OUTPUT="${AUDIT_DIRECTORY}/nmap_thorough.log"
+   TMP_NMAP_THOROUGH_XML_OUTPUT="${AUDIT_DIRECTORY}/nmap_thorough.xml"
+   TMP_NMAP_THOROUGH_NONROOT_PARAMS="-vv -p 0-65535 -Pn -sV --version-all -script=default,ssh2-enum-algos,ssh-hostkey --host-timeout 5m"
+   TMP_NMAP_THOROUGH_ROOT_PARAMS="-O --osscan-guess"
+   
+   TMP_NMAP="" # this is the path of the nmap program that will be started
+   TMP_NMAP_DIR="" # nmap directory is used to delete copied nmap
+   TMP_NMAP_LIGHT_EXIT_CODE=1
+   TMP_NMAP_THOROUGH_EXIT_CODE=1
+   TMP_ARCH=$( ${UNAME} -m )
+   
+   # download nmap and unpack it
+   case "${TMP_ARCH}" in
+   i686)
+      TMP_NMAP_ARCHIVE="nmap-5.51-x86-tmp.tar.bz2"
+      ${DOWNLOAD_FILE} "/tmp/${TMP_NMAP_ARCHIVE}" "http://home.in.tum.de/zaddach/var/${TMP_NMAP_ARCHIVE}" 2>/dev/null 1>/dev/null
+      if [ ! -f "/tmp/${TMP_NMAP_ARCHIVE}" ]
+      then
+         script_error_message "Downloading of NMap archive ${TMP_NMAP_ARCHIVE} failed"
+      else
+         ${TAR} xjf "/tmp/${TMP_NMAP_ARCHIVE}" -C /
+         TMP_NMAP_DIR="/tmp/nmap-5.51-x86"
+         TMP_NMAP="/tmp/nmap-5.51-x86/bin/nmap"
+      fi
+      ;;
+   x86_64)
+      TMP_NMAP_ARCHIVE="nmap-5.51-x64-tmp.tar.bz2"
+      ${DOWNLOAD_FILE} "/tmp/${TMP_NMAP_ARCHIVE}" "http://home.in.tum.de/zaddach/var/${TMP_NMAP_ARCHIVE}" 2>/dev/null 1>/dev/null
+      if [ ! -f "/tmp/${TMP_NMAP_ARCHIVE}" ]
+      then
+         script_error_message "Downloading of NMap archive ${TMP_NMAP_ARCHIVE} failed"
+      else
+         ${TAR} xjf "/tmp/${TMP_NMAP_ARCHIVE}" -C /
+         TMP_NMAP_DIR="/tmp/nmap-5.51-x64"
+         TMP_NMAP="/tmp/nmap-5.51-x64/bin/nmap"
+      fi
+      ;;
+   *)
+      script_error_message "Unknown architecture ${TMP_ARCH}"
+      ;;
+   esac
+   
+   # if an nmap was installed
+   if [ ! "${TMP_NMAP}" = "" ]
+   then
+      if [ "${HAS_SUPERUSER}" = "yes" ]
+      then
+         # if superuser possible, execute nmap with superuser rights
+         ${RUN_AS_SUPERUSER} ${TMP_NMAP} -oX "${TMP_NMAP_LIGHT_XML_OUTPUT}" -oN "${TMP_NMAP_LIGHT_TEXT_OUTPUT}" ${TMP_NMAP_LIGHT_NONROOT_PARAMS} ${TMP_NMAP_LIGHT_ROOT_PARAMS} $( ${HOSTNAME} ) 2>/dev/null 1>/dev/null
+         TMP_NMAP_LIGHT_EXIT_CODE=$?
+         ${RUN_AS_SUPERUSER} ${TMP_NMAP} -oX "${TMP_NMAP_THOROUGH_XML_OUTPUT}" -oN "${TMP_NMAP_THOROUGH_TEXT_OUTPUT}" ${TMP_NMAP_THOROUGH_NONROOT_PARAMS} ${TMP_NMAP_THOROUGH_ROOT_PARAMS} $( ${HOSTNAME} ) 2>/dev/null 1>/dev/null
+         TMP_NMAP_THOROUGH_EXIT_CODE=$?
+      else
+         ${TMP_NMAP} -oX "${TMP_NMAP_LIGHT_XML_OUTPUT}" -oN "${TMP_NMAP_LIGHT_TEXT_OUTPUT}" ${TMP_NMAP_LIGHT_NONROOT_PARAMS} $( ${HOSTNAME} ) 2>/dev/null 1>/dev/null
+         TMP_NMAP_LIGHT_EXIT_CODE=$?
+         ${TMP_NMAP} -oX "${TMP_NMAP_THOROUGH_XML_OUTPUT}" -oN "${TMP_NMAP_THOROUGH_TEXT_OUTPUT}" ${TMP_NMAP_THOROUGH_NONROOT_PARAMS} $( ${HOSTNAME} ) 2>/dev/null 1>/dev/null
+         TMP_NMAP_THOROUGH_EXIT_CODE=$?
+      fi
+   
+      script_attach_file "${TMP_NMAP_LIGHT_TEXT_OUTPUT}"
+      script_attach_file "${TMP_NMAP_LIGHT_XML_OUTPUT}"
+      script_attach_file "${TMP_NMAP_THOROUGH_TEXT_OUTPUT}"
+      script_attach_file "${TMP_NMAP_THOROUGH_XML_OUTPUT}"
+   
+      # if nmap directory was set, remove the installed nmap
+      if [ ! "${TMP_NMAP_DIR}" = "" ]
+      then
+         rm -Rf "${TMP_NMAP_DIR}"
+      fi
+
+      # and also delete the archive that we downloaded
+      if [ ! "${TMP_NMAP_ARCHIVE}" = "" ] && [ -f "/tmp/${TMP_NMAP_ARCHIVE}" ]
+      then
+         rm -f "/tmp/${TMP_NMAP_ARCHIVE}"
+      fi
+   fi
+   
+   if [ ${TMP_NMAP_LIGHT_EXIT_CODE} -eq 0 ] && [ ${TMP_NMAP_THOROUGH_EXIT_CODE} -eq 0 ]
+   then
+      #both nmaps finished with exit code 0, script suceeded
+      ! false
+   else
+      false
+   fi

data/lib/audit/checks/LOGGED_USERS.check

@@ -0,0 +1,28 @@
+ID: LOGGED_USERS
+Name: List logged-in users
+Depends: [HAS_AWK, HAS_WHO, HAS_BASE]
+Imports: [AWK, WHO, SED]
+Description: List all users that are currently logged in using who.
+Script: |
+   IFS=$( printf "\n+" ); IFS=${IFS%+}
+   TMP_OUTPUT=$( ${WHO} -u -p )
+
+   for TMP_LINE in ${TMP_OUTPUT}
+   do
+      TMP_USER=$( echo ${TMP_LINE} | ${AWK} '{ print $1 }' )
+      TMP_TERMINAL=$( echo ${TMP_LINE} | ${AWK} '{ print $2 }' )
+      TMP_DATE=$( echo ${TMP_LINE} | ${AWK} '{ print $3 }' )
+      TMP_TIME=$( echo ${TMP_LINE} | ${AWK} '{ print $4 }' )
+      TMP_IDLE=$( echo ${TMP_LINE} | ${AWK} '{ print $5 }' )
+      TMP_PID=$( echo ${TMP_LINE} | ${AWK} '{ print $6 }' )
+      TMP_COMMENT=$( echo ${TMP_LINE} | ${AWK} '{ print $7 }' )
+
+
+      script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.login_date" "${TMP_DATE}"
+      script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.login_time" "${TMP_TIME}"
+      script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.idle" "${TMP_IDLE}"
+      script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.pid" "${TMP_PID}"
+      script_data "logins.who.${TMP_USER}.line.{${TMP_TERMINAL}}.comment" "${TMP_COMMENT}"
+   done
+   ! false
+   

data/lib/audit/checks/LYNIS_AUTH.group

@@ -0,0 +1,9 @@
+ID: LYNIS_AUTH
+Children: 
+   - LYNIS_AUTH_9204
+   - LYNIS_AUTH_9208
+   - LYNIS_AUTH_9216
+   - LYNIS_AUTH_9222
+   - LYNIS_AUTH_9226
+   - LYNIS_AUTH_9228
+   - LYNIS_AUTH_9252

data/lib/audit/checks/LYNIS_AUTH_9204.check

@@ -0,0 +1,43 @@
+ID: LYNIS_AUTH_9204
+Name: Check users with UID zero (0)
+Depends: [FIND_PASSWD_FILE, HAS_GREP]
+Exports: [GROUPS]
+Imports: [HEAD, SED]
+Description: >
+   Check that there is only one user with UID 0. Only the 'root' account
+   should have this UID, as you are able to do everything you want on a
+   system if you have UID 0. If you want to allow multiple accounts to 
+   administrate your machine, consider using sudo.
+Script: |
+   TMP_COUNTER=1
+   for TMP_LINE in $(${GREP} -E "^[^:]*:[^:]*:0:" "${PASSWD_FILE}" )
+   do
+      TMP_USER=$(echo ${TMP_LINE} | ${CUT} -d: -f1)
+      TMP_UID=$(echo ${TMP_LINE} | ${CUT} -d: -f3)
+      TMP_GID=$(echo ${TMP_LINE} | ${CUT} -d: -f4)
+
+      script_info_message "User ${TMP_USER} [${TMP_UID}] has root rights"
+
+      if [ ! "${TMP_USER}" = "root" ]
+      then
+         script_data "errors.users.duplicate_root.${TMP_COUNTER}.name" "${TMP_USER}"
+         script_data "errors.users.duplicate_root.${TMP_COUNTER}.uid" "${TMP_UID}"
+         script_data "errors.users.duplicate_root.${TMP_COUNTER}.gid" "${TMP_GID}"
+      fi
+
+      TMP_COUNTER=$(( ${TMP_COUNTER} + 1 ))
+   done
+
+   if [ ${TMP_COUNTER} = 1 ]
+   then
+      script_error_message "No administrator accounts found"
+      false
+   elif [ ${TMP_COUNTER} = 2 ]
+   then
+      script_info_message "No accounts found with UID 0 other than root"
+      ! false
+   else
+      script_error_message "Multiple users with UID 0 found in passwd file"
+      false
+   fi
+         

data/lib/audit/checks/LYNIS_AUTH_9208.check

@@ -0,0 +1,35 @@
+ID: LYNIS_AUTH_9208
+Name: Check non unique user ids
+Depends: [FIND_PASSWD_FILE, HAS_GREP, HAS_CUT, HAS_CAT]
+Imports: [PASSWD_FILE, GREP, CUT, CAT]
+Description: >
+   Check that each user has a unique UID. Having several
+   accounts with the same UID is not meaningful. as only the
+   UID is ised internally to distinguish between users.
+Script: |
+   TMP_RESULT=""
+
+   TMP_DUPLICATE_UIDS=$( ${GREP} -v "^$" "${PASSWD_FILE}" | ${SED} -e 's/^[^:]*:[^:]*:\([^:]*\):.*$/\1/' | ${SORT} | ${UNIQ} -d )
+   IFS=$( printf ' \t\n+' ); IFS=${IFS%+}
+   for TMP_UID in $( echo ${TMP_DUPLICATE_UIDS} )
+   do
+      TMP_USERNAME_NUM=1
+      IFS=$( printf '\n+' ); IFS=${IFS%+}
+      for TMP_LINE in $(${GREP} -E "^[^:]*:[^:]*:${TMP_UID}:" "${PASSWD_FILE}" )
+      do
+         TMP_USER=$(echo ${TMP_LINE} | ${CUT} -d: -f1)
+         TMP_RESULT="${TMP_RESULT}I"
+
+         script_error_message "User ${TMP_USER} does not have a unique UID"
+
+         #TODO: UID is not a unique key here, as there may also be 3 users with the same UID ...
+         script_data "errors.users.duplicate_uid.${TMP_UID}.names.${TMP_USERNAME_NUM}" "${TMP_USER}"
+
+         TMP_USERNAME_NUM=$(( ${TMP_USERNAME_NUM} + 1 ))
+      done
+      IFS=$( printf ' \t\n+' ); IFS=${IFS%+}
+   done
+
+   # only succeed check if no users with same uid were found
+   [ "${TMP_DUPLICATE_UIDS}" = "" ]
+         

data/lib/audit/checks/LYNIS_AUTH_9216.check

@@ -0,0 +1,24 @@
+ID: LYNIS_AUTH_9216
+Name: Check /etc/group and shadow group files with grpck tool
+Depends: [HAS_SUPERUSER, HAS_GROUPCHECK]
+Imports: [PASSWD_FILE, GREP, CUT, CAT]
+Description: >
+   Run grpck program to verify integrity of group
+   and gshadow files.
+Script: |
+   TMP_GROUPCHECK_RESULT=$(${RUN_AS_SUPERUSER} ${GROUPCHECK})
+    
+   if [ "${TMP_GROUPCHECK_RESULT}" = "" ]
+   then
+      ! false
+   else
+      IFS=$( printf '\n+' ); IFS=${IFS%+}
+      TMP_COUNTER=1
+      for TMP_LINE in $(echo "${TMP_GROUPCHECK_RESULT}")
+      do
+         script_error_message "grpck reported error: ${TMP_LINE}"
+         script_data "errors.users.grpck.${TMP_COUNTER}" "${TMP_LINE}"
+         TMP_COUNTER=$(( ${TMP_COUNTER} + 1 ))
+      done
+      false
+   fi     

data/lib/audit/checks/LYNIS_AUTH_9222.check

@@ -0,0 +1,25 @@
+ID: LYNIS_AUTH_9222
+Name: Check non unique group names
+Depends: [HAS_GREP, HAS_CUT, HAS_SORT, HAS_UNIQ, FIND_GROUP_FILE, HAS_TR]
+Imports: [GREP, CUT, SORT, UNIQ, GROUP_FILE, TR]
+Severity: low
+Description: >
+   Check that each group name is defined only once in /etc/groups.
+   If a group name is defined multiple times this does not necessarily 
+   mean an error, but you should verify that this is intended.
+Script: |
+   TMP_DUPLICATE_GIDS=$(${GREP} -v '^$' ${GROUP_FILE} | ${CUT} -d: -f3 | ${SORT} | ${UNIQ} -d)
+    
+   if [ "${TMP_DUPLICATE_GIDS}" = "" ]
+   then
+      script_info_message "no duplicate group ids"
+      ! false
+   else
+      IFS=$( printf '\n+' ); IFS=${IFS%+}
+      for TMP_GID in $(echo ${TMP_DUPLICATE_GIDS})
+      do
+         TMP_GROUPNAMES=$(${GROUP} -E "^[^:]*:[^:]*:${TMP_GID}:" ${GROUP_FILE} | ${CUT} -d: -f1 | ${SORT} | ${UNIQ} | ${TR} '\n' ' ')
+         script_error_message "The group id ${TMP_GID} is defined multiple times for groups: ${TMP_GROUPNAMES}"
+      done
+      false
+   fi

data/lib/audit/checks/LYNIS_AUTH_9226.check

@@ -0,0 +1,24 @@
+ID: LYNIS_AUTH_9226
+Name: Check non unique group names
+Depends: [HAS_GREP, HAS_CUT, HAS_SORT, HAS_UNIQ, FIND_GROUP_FILE]
+Imports: [GREP, CUT, SORT, UNIQ, GROUP_FILE]
+Severity: low
+Description: >
+   Check that each group name is defined only once in /etc/groups.
+   If a group name is defined multiple times this does not necessarily 
+   mean an error, but you should verify that this is intended.
+Script: |
+   TMP_DUPLICATE_GROUPS=$(${GREP} -v '^$' ${GROUP_FILE} | ${CUT} -d: -f1 | ${SORT} | ${UNIQ} -d)
+    
+   if [ "${TMP_DUPLICATE_GROUPS}" = "" ]
+   then
+      script_info_message "no duplicate groups"
+      ! false
+   else
+      IFS=$( printf '\n+' ); IFS=${IFS%+}
+      for TMP_LINE in $(echo ${TMP_DUPLICATE_GROUPS})
+      do
+         script_error_message "The group ${TMP_LINE} is defined multiple times in ${GROUP_FILE}"
+      done
+      false
+   fi

data/lib/audit/checks/LYNIS_AUTH_9228.check

@@ -0,0 +1,24 @@
+ID: LYNIS_AUTH_9228
+Name: Check Linux password file consistency pwck tool
+Depends: [HAS_SUPERUSER, HAS_PASSWD_CHECK, HAS_GREP]
+Imports: [RUN_AS_SUPERUSER, PASSWD_CHECK, GREP]
+Description: >
+   Run pwck program to verify integrity of passwd and shadow files.
+Script: |
+   TMP_PWCHECK_RESULT=$(${RUN_AS_SUPERUSER} ${PASSWD_CHECK})
+       
+   if [ "${TMP_PWCHECK_RESULT}" = "" ]
+   then
+      script_info_message "Password and shadow file ok"
+      ! false
+   else
+      IFS=$( printf '\n+' ); IFS=${IFS%+}
+      TMP_COUNTER=1
+      for TMP_LINE in $(echo "${TMP_PWCHECK_RESULT}" | ${GREP} -v "pwck:")
+      do
+         script_error_message "pwck reported error: ${TMP_LINE}"
+         script_data "errors.users.pwck.${TMP_COUNTER}" "${TMP_LINE}"
+         TMP_COUNTER=$(( ${TMP_COUNTER} + 1 ))
+      done
+      false
+   fi

data/lib/audit/checks/LYNIS_AUTH_9252.check

@@ -0,0 +1,19 @@
+ID: LYNIS_AUTH_9252
+Name: Check for sudoers file permissions
+Depends: [HAS_STAT, FIND_SUDOERS_FILE]
+Imports: [STAT, SUDOERS_FILE]
+Severity: low
+Description: >
+   Check that each group name is defined only once in /etc/groups.
+   If a group name is defined multiple times this does not necessarily 
+   mean an error, but you should verify that this is intended.
+Script: |
+   TMP_PERMS=$( ${STAT} -c '%a' ${SUDOERS_FILE} )
+
+   if [ "${TMP_PERMS}" = "440" ] || [ "${TMP_PERMS}" = "660" ] || [ "${TMP_PERMS}" = "600" ]
+   then
+      script_info_message "Sudoers file ${SUDOERS_FILE} permissions ok"
+   else
+      script_error_message "Permissions (${TMP_PERMS}) of ${SUDOERS_FILE} may be too loose"
+      false
+   fi

data/lib/audit/checks/MAYBE_HAS_BZIP2.check

@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_BZIP2
+Name: Check for bzip2
+Depends: [HAS_BASE]
+Exports: [BZIP2]
+Imports: [HEAD, SED]
+Description: Find the bzip2 program and export it to BZIP2.
+Script: |
+   if echo "test" | bzip2 --version 2>/dev/null 1>/dev/null
+   then 
+      BZIP2=bzip2
+      TMP_BZIP2_NAME=$(echo "test" | ${BZIP2} --version 2>&1 1>/dev/null | ${HEAD} -1 | ${SED} -e 's/^\(.*\) Version \(.*\)$/\1/')
+      TMP_BZIP2_VERSION=$(echo "test" | ${BZIP2} --version 2>&1 1>/dev/null | ${HEAD} -1 | ${SED} -e 's/^\(.*\) Version \(.*\)$/\2/')
+      script_program_name "${TMP_BZIP2_NAME}" "${TMP_BZIP2_VERSION}"
+   else 
+      script_message "bzip2 not found"
+   fi
+   ! false

data/lib/audit/checks/MAYBE_HAS_CURL.check

@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_CURL
+Name: Check for curl program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the curl program and export it to CURL, but do not fail if it is not installed.
+Script: |
+   if curl --version 2>/dev/null 1>/dev/null
+   then 
+      CURL=curl
+      TMP_CURL_NAME=$(${CURL} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z ]\+\)[[:blank:]]\([0-9.]\+\)[[:blank:]].*$/\1/')
+      TMP_CURL_VERSION=$(${CURL} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)[[:blank:]].*$/\2/')
+      script_program_name "${TMP_CURL_NAME}" "${TMP_CURL_VERSION}"
+   else 
+      CURL=""
+      script_error_message "not found"
+   fi
+   ! false

data/lib/audit/checks/MAYBE_HAS_DU.check

@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_DU
+Name: Check for du program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the du program and export it to DU.
+Script: |
+   if du --version 2>/dev/null 1>/dev/null
+   then 
+      DU=du
+      TMP_DU_NAME=$(${DU} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\1/')
+      TMP_DU_VERSION=$(${DU} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\2/')
+      script_program_name "${TMP_DU_NAME}" "${TMP_DU_VERSION}"
+   else
+      DU="" 
+      script_error_message "du not found"
+   fi
+   ! false

data/lib/audit/checks/MAYBE_HAS_HOSTNAME.check

@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_HOSTNAME
+Name: Check for hostname program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the hostname program and export it to HOSTNAME, but do not fail if it is not installed.
+Script: |
+   if hostname --version 2>/dev/null 1>/dev/null
+   then 
+      HOSTNAME=hostname
+      TMP_HOSTNAME_NAME=$(${HOSTNAME} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\1/')
+      TMP_HOSTNAME_VERSION=$(${HOSTNAME} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\2/')
+      script_program_name "${TMP_HOSTNAME_NAME}" "${TMP_HOSTNAME_VERSION}"
+   else 
+      HOSTNAME=""
+      script_error_message "not found"
+   fi
+   ! false

data/lib/audit/checks/MAYBE_HAS_ID.check

@@ -0,0 +1,17 @@
+ID: MAYBE_HAS_ID
+Name: Check for id program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the id program and export it to ID, but do not fail if it is not installed.
+Script: |
+   if id --version 2>/dev/null 1>/dev/null
+   then 
+      ID=id
+      TMP_ID_NAME=$(${ID} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\1/')
+      TMP_ID_VERSION=$(${ID} --version | ${HEAD} -1 | ${SED} -e 's/\([A-Za-z() ]\+\)[[:blank:]]\([0-9.]\+\)/\2/')
+      script_program_name "${TMP_ID_NAME}" "${TMP_ID_VERSION}"
+   else 
+      ID=""
+      script_error_message "not found"
+   fi
+   ! false

data/lib/audit/checks/MAYBE_HAS_LSB_RELEASE.check

@@ -0,0 +1,15 @@
+ID: MAYBE_HAS_LSB_RELEASE
+Name: Check for lsb_release program
+Depends: [HAS_BASE]
+Imports: [HEAD, SED]
+Description: Find the lsb_release program and export it to LSB_RELEASE.
+Script: |
+   lsb_release 2>/dev/null 1>/dev/null
+   if ! [ "$?" = 127 ]
+   then 
+      LSB_RELEASE="lsb_release -s"
+      script_program_name "lsb_release" "unknown"
+   else 
+      script_warn_message "lsb_release not found"
+   fi
+   ! false