#!/usr/bin/env bash # Scantide Linux Local Device Check # Version: 0.18-draft-version-feed-check set -u OUTDIR="${OUTDIR:-./scantide-linux-report}" SCRIPT_VERSION="0.18" VERSION_FEED_URL="${VERSION_FEED_URL:-https://www.scantide.com/helpfiles/ScantideLAN-version.json}" SCANTIDE_CVE_API="${SCANTIDE_CVE_API:-https://www.scantide.com/cve_api.php}" SCANTIDE_LIFECYCLE_API="${SCANTIDE_LIFECYCLE_API:-https://www.scantide.com/lifecycle_api.php}" SCANTIDE_API_KEY="${SCANTIDE_API_KEY:-}" SCANTIDE_EMAIL="${SCANTIDE_EMAIL:-}" USE_SCANTIDE_API=true USE_SCANTIDE_LIFECYCLE=true DEEP_SCAN=false CVE_TIMEOUT=90 LIFECYCLE_TIMEOUT=60 VERSION_TIMEOUT=10 CHECK_VERSION=true TS="$(date '+%Y%m%d_%H%M%S')" HOST="$(hostname -f 2>/dev/null || hostname)" REPORT="$OUTDIR/ScantideLinuxLocalCheck_$TS.html" PKGFILE="$OUTDIR/packages_$TS.txt" SERVICEFILE="$OUTDIR/service_inventory_for_cve_$TS.txt" CVE_PAYLOAD="$OUTDIR/cve_payload_$TS.json" CVE_RESPONSE="$OUTDIR/cve_response_$TS.json" CVE_RAW="$OUTDIR/scantide_cve_api_raw_$TS.txt" LIFECYCLE_PAYLOAD="$OUTDIR/lifecycle_payload_$TS.json" LIFECYCLE_RESPONSE="$OUTDIR/lifecycle_response_$TS.json" LIFECYCLE_RAW="$OUTDIR/scantide_lifecycle_api_raw_$TS.txt" FINDINGS="$OUTDIR/findings_$TS.tsv" CONTAINERFILE="$OUTDIR/container_inventory_$TS.txt" CONTAINER_TSV="$OUTDIR/container_inventory_$TS.tsv" PORTFILE="$OUTDIR/listening_ports_$TS.tsv" ROLEFILE="$OUTDIR/server_roles_$TS.txt" HARDENING_RAW="$OUTDIR/hardening_evidence_$TS.txt" PLATFORMFILE="$OUTDIR/platform_inventory_$TS.txt" QUICKACTIONS="$OUTDIR/quick_actions_$TS.tsv" VERSIONFILE="$OUTDIR/version_check_$TS.txt" VERSIONJSON="$OUTDIR/version_feed_$TS.json" while [ "$#" -gt 0 ]; do case "$1" in --deep) DEEP_SCAN=true shift ;; --no-api) USE_SCANTIDE_API=false USE_SCANTIDE_LIFECYCLE=false shift ;; --no-cve) USE_SCANTIDE_API=false shift ;; --no-lifecycle) USE_SCANTIDE_LIFECYCLE=false shift ;; --no-version-check) CHECK_VERSION=false shift ;; --api-key=*) SCANTIDE_API_KEY="${1#*=}" shift ;; --api-key) if [ "${2:-}" = "" ]; then echo "Missing value after --api-key" >&2 exit 2 fi SCANTIDE_API_KEY="$2" shift 2 ;; --email=*) SCANTIDE_EMAIL="${1#*=}" shift ;; --email) if [ "${2:-}" = "" ]; then echo "Missing value after --email" >&2 exit 2 fi SCANTIDE_EMAIL="$2" shift 2 ;; -h|--help) echo "Usage: sudo ./scantide-linux-localcheck.sh [--deep] [--no-api] [--no-cve] [--no-lifecycle] [--no-version-check] [--api-key KEY|--api-key=KEY] [--email EMAIL|--email=EMAIL]" exit 0 ;; *) echo "Unknown argument: $1" >&2 echo "Use --help for usage." >&2 exit 2 ;; esac done mkdir -p "$OUTDIR" log(){ echo "[$(date '+%H:%M:%S')] $1"; } cmd_exists(){ command -v "$1" >/dev/null 2>&1; } check_linux_version_feed() { VERSION_FEED_STATUS="Not checked" VERSION_FEED_REMOTE="" VERSION_FEED_MINIMUM="" VERSION_FEED_RELEASED="" VERSION_FEED_WARNING="" if command -v curl >/dev/null 2>&1; then VERSION_FETCH_TOOL="curl" elif command -v wget >/dev/null 2>&1; then VERSION_FETCH_TOOL="wget" else VERSION_FEED_STATUS="Skipped: curl/wget unavailable" VERSION_FEED_WARNING="Could not check Linux script version because neither curl nor wget is available." return fi tmp_feed="$OUTDIR/scantide_version_feed_$TS.json" if [ "${VERSION_FETCH_TOOL:-}" = "curl" ]; then curl -fsSL --max-time 12 "$VERSION_FEED_URL" -o "$tmp_feed" 2>/dev/null || true elif [ "${VERSION_FETCH_TOOL:-}" = "wget" ]; then wget -q --timeout=12 "$VERSION_FEED_URL" -O "$tmp_feed" 2>/dev/null || true fi if [ ! -s "$tmp_feed" ]; then VERSION_FEED_STATUS="Unavailable" VERSION_FEED_WARNING="Could not fetch Scantide version feed. Scan continues, but update status is unknown." return fi if cmd_exists python3; then parsed="$(python3 - "$tmp_feed" <<'PY' import json, sys p=sys.argv[1] try: d=json.load(open(p, "r", encoding="utf-8")) except Exception: print("|||") raise SystemExit remote = str(d.get("linuxLocalCheckVersion") or d.get("linux",{}).get("version") or "") minimum = str(d.get("minimumRecommendedLinuxLocalCheckVersion") or d.get("linux",{}).get("minimumRecommendedVersion") or remote) released = str(d.get("linuxLocalCheckReleased") or d.get("linux",{}).get("released") or d.get("released") or "") url = str(d.get("linuxLocalCheckUrl") or d.get("linux",{}).get("downloadUrl") or "") print(remote + "|" + minimum + "|" + released + "|" + url) PY )" VERSION_FEED_REMOTE="$(printf '%s' "$parsed" | cut -d'|' -f1)" VERSION_FEED_MINIMUM="$(printf '%s' "$parsed" | cut -d'|' -f2)" VERSION_FEED_RELEASED="$(printf '%s' "$parsed" | cut -d'|' -f3)" VERSION_FEED_DOWNLOAD="$(printf '%s' "$parsed" | cut -d'|' -f4)" else VERSION_FEED_REMOTE="$(grep -E '"linuxLocalCheckVersion"\s*:' "$tmp_feed" | head -1 | sed -E 's/.*"linuxLocalCheckVersion"\s*:\s*"([^"]+)".*/\1/')" VERSION_FEED_MINIMUM="$(grep -E '"minimumRecommendedLinuxLocalCheckVersion"\s*:' "$tmp_feed" | head -1 | sed -E 's/.*"minimumRecommendedLinuxLocalCheckVersion"\s*:\s*"([^"]+)".*/\1/')" VERSION_FEED_RELEASED="$(grep -E '"linuxLocalCheckReleased"|"released"\s*:' "$tmp_feed" | head -1 | sed -E 's/.*:\s*"([^"]+)".*/\1/')" VERSION_FEED_DOWNLOAD="$(grep -E '"linuxLocalCheckUrl"\s*:' "$tmp_feed" | head -1 | sed -E 's/.*"linuxLocalCheckUrl"\s*:\s*"([^"]+)".*/\1/')" fi [ -z "${VERSION_FEED_MINIMUM:-}" ] && VERSION_FEED_MINIMUM="$VERSION_FEED_REMOTE" if [ -z "${VERSION_FEED_REMOTE:-}" ]; then VERSION_FEED_STATUS="Feed missing Linux version" VERSION_FEED_WARNING="The online version feed was fetched, but it does not contain linuxLocalCheckVersion. Scan continues, but update status is unknown." return fi compare_versions() { # returns -1 if $1 < $2, 0 if equal, 1 if $1 > $2 python3 - "$1" "$2" <<'PY' 2>/dev/null || echo 0 import sys, re def parts(v): return [int(x) for x in re.findall(r'\d+', v)[:6]] a=parts(sys.argv[1]); b=parts(sys.argv[2]) n=max(len(a),len(b)); a+= [0]*(n-len(a)); b += [0]*(n-len(b)) print(-1 if ab else 0) PY } cmp_remote="$(compare_versions "$SCRIPT_VERSION" "$VERSION_FEED_REMOTE")" cmp_min="$(compare_versions "$SCRIPT_VERSION" "$VERSION_FEED_MINIMUM")" if [ "$cmp_remote" = "0" ]; then VERSION_FEED_STATUS="Current" elif [ "$cmp_remote" = "-1" ]; then VERSION_FEED_STATUS="Update available" VERSION_FEED_WARNING="This Linux local check script is older than the online Linux version feed. Local: $SCRIPT_VERSION, online: $VERSION_FEED_REMOTE." else VERSION_FEED_STATUS="Newer than feed" VERSION_FEED_WARNING="This Linux local check script is newer than the online Linux version feed. Local: $SCRIPT_VERSION, online: $VERSION_FEED_REMOTE. Verify that the published version feed is updated." fi if [ "$cmp_min" = "-1" ]; then VERSION_FEED_WARNING="This Linux local check script is below the minimum recommended Linux version. Local: $SCRIPT_VERSION, minimum recommended: $VERSION_FEED_MINIMUM." fi } html_escape(){ sed 's/&/\&/g; s//\>/g'; } json_escape(){ printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g; s/ / /g'; } run_timeout() { local seconds="$1" shift if cmd_exists timeout; then timeout "$seconds" "$@" 2>&1; else "$@" 2>&1; fi } version_base() { printf '%s' "$1" | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1 } version_compare_state() { local local_v remote_v local_v="$(version_base "$1")" remote_v="$(version_base "$2")" if [ -z "$local_v" ] || [ -z "$remote_v" ]; then echo "unknown" return fi if [ "$local_v" = "$remote_v" ]; then echo "current" return fi if printf '%s %s ' "$local_v" "$remote_v" | sort -V | head -1 | grep -qx "$local_v"; then echo "older" else echo "newer" fi } json_get_field() { local file="$1" local key="$2" if [ ! -s "$file" ]; then return; fi if cmd_exists python3; then python3 - "$file" "$key" <<'PY_JSON_GET' import json, sys try: data=json.load(open(sys.argv[1], encoding='utf-8')) value=data for part in sys.argv[2].split('.'): if isinstance(value, dict): value=value.get(part, '') else: value='' break if isinstance(value, (dict, list)): print(json.dumps(value, ensure_ascii=False)) elif value is None: print('') else: print(str(value)) except Exception: print('') PY_JSON_GET else grep -E '"'"$key"'"[[:space:]]*:' "$file" | head -1 | sed -E 's/^.*:[[:space:]]*"?([^",}]*)"?.*$/\1/' fi } check_scantide_version_feed() { : > "$VERSIONFILE" { echo "local_script_version $SCRIPT_VERSION" echo "version_feed_url $VERSION_FEED_URL" } >> "$VERSIONFILE" if [ "$CHECK_VERSION" != "true" ]; then echo "status skipped" >> "$VERSIONFILE" echo "message Version check skipped by --no-version-check." >> "$VERSIONFILE" return fi if ! cmd_exists curl && ! cmd_exists wget; then echo "status unavailable" >> "$VERSIONFILE" echo "message Version check could not run because neither curl nor wget is available." >> "$VERSIONFILE" return fi local fetch_ok="false" if cmd_exists curl; then if curl --max-time "$VERSION_TIMEOUT" -fsSL "$VERSION_FEED_URL" -o "$VERSIONJSON" 2>/dev/null; then fetch_ok="true" fi elif cmd_exists wget; then if wget -q -T "$VERSION_TIMEOUT" "$VERSION_FEED_URL" -O "$VERSIONJSON" 2>/dev/null; then fetch_ok="true" fi fi if [ "$fetch_ok" != "true" ] || [ ! -s "$VERSIONJSON" ]; then echo "status failed" >> "$VERSIONFILE" echo "message Could not fetch Scantide version feed. Scan will continue." >> "$VERSIONFILE" return fi local remote_version released product family localcheck_url lifecycle_api_version lifecycle_api_url linux_url linux_sha state message critical breaking remote_version="$(json_get_field "$VERSIONJSON" version)" released="$(json_get_field "$VERSIONJSON" released)" product="$(json_get_field "$VERSIONJSON" product)" family="$(json_get_field "$VERSIONJSON" family)" localcheck_url="$(json_get_field "$VERSIONJSON" localCheckUrl)" lifecycle_api_version="$(json_get_field "$VERSIONJSON" serverLifecycleApiVersion)" lifecycle_api_url="$(json_get_field "$VERSIONJSON" lifecycleApiUrl)" critical="$(json_get_field "$VERSIONJSON" critical)" breaking="$(json_get_field "$VERSIONJSON" breaking)" # Future-proof optional Linux-specific fields. The current shared PowerShell feed may not contain these yet. linux_url="$(json_get_field "$VERSIONJSON" linuxLocalCheckUrl)" linux_sha="$(json_get_field "$VERSIONJSON" sha256.linuxLocalCheck)" state="$(version_compare_state "$SCRIPT_VERSION" "$remote_version")" case "$state" in current) message="Local Linux script is aligned with the Scantide family feed version." ;; older) message="A newer Scantide family version is available. Use --update support when the feed exposes linuxLocalCheckUrl, or download the latest published Linux script manually." ;; newer) message="Local Linux script is newer than the public feed. This is normal for preview/test builds." ;; *) message="Could not compare local and remote versions." ;; esac { echo "status $state" echo "message $message" echo "remote_version $remote_version" echo "released $released" echo "product $product" echo "family $family" echo "critical $critical" echo "breaking $breaking" echo "localCheckUrl $localcheck_url" echo "linuxLocalCheckUrl $linux_url" echo "linuxLocalCheckSha256 $linux_sha" echo "serverLifecycleApiVersion $lifecycle_api_version" echo "lifecycleApiUrl $lifecycle_api_url" } >> "$VERSIONFILE" } version_value() { local key="$1" [ -s "$VERSIONFILE" ] || return awk -F '\t' -v k="$key" '$1==k{print $2; exit}' "$VERSIONFILE" } render_version_check_html() { local status cls msg status="${VERSION_FEED_STATUS:-Not checked}" msg="${VERSION_FEED_WARNING:-The installed Scantide Auditor Linux script matches the online Linux version feed.}" cls="source-warn" case "$status" in Current|"Newer than feed") cls="source-ok" ;; "Update available"|"Feed missing Linux version"|"Unavailable"|"Skipped:"*) cls="source-warn" ;; *) cls="source-warn" ;; esac echo "" echo "" echo "" echo "" echo "" echo "" echo "" echo "" echo "" echo "
ItemValue
status$(printf '%s' "$status" | html_escape)
message$(printf '%s' "$msg" | html_escape)
localLinuxScriptVersion$(printf '%s' "$SCRIPT_VERSION" | html_escape)
onlineLinuxScriptVersion$(printf '%s' "${VERSION_FEED_REMOTE:-Unknown}" | html_escape)
minimumRecommendedLinuxScriptVersion$(printf '%s' "${VERSION_FEED_MINIMUM:-Unknown}" | html_escape)
released$(printf '%s' "${VERSION_FEED_RELEASED:-Unknown}" | html_escape)
linuxLocalCheckUrl$(printf '%s' "${VERSION_FEED_DOWNLOAD:-}" | html_escape)
versionFeedUrl$(printf '%s' "$VERSION_FEED_URL" | html_escape)
" } clean_version() { local text="$1" text="${text#*:}" text="${text%%-*}" text="${text%%+*}" text="${text%%~*}" if echo "$text" | grep -Eq '[0-9]+(\.[0-9]+){1,3}'; then echo "$text" | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1 else echo "$text" fi } add_finding() { local severity="$1" local area="$2" local title="$3" local evidence="$4" local recommendation="$5" printf "%s\t%s\t%s\t%s\t%s\n" "$severity" "$area" "$title" "$evidence" "$recommendation" >> "$FINDINGS" } add_service() { local product="$1" local version="$2" local source="$3" version="$(clean_version "$version")" [ -z "$product" ] && return [ -z "$version" ] && return [ "$version" = "unknown" ] && return printf "%s\t%s\t%s\n" "$product" "$version" "$source" >> "$SERVICEFILE" } add_hardening_evidence() { local title="$1" local command_text="$2" local output_text="$3" { echo "### $title" echo "Command: $command_text" echo "$output_text" echo "" } >> "$HARDENING_RAW" } collect_container_inventory() { : > "$CONTAINERFILE" : > "$CONTAINER_TSV" printf "engine\tname\timage\tstatus\tports\n" >> "$CONTAINER_TSV" if cmd_exists docker; then echo "### Docker containers" >> "$CONTAINERFILE" docker ps -a --format 'table {{.Names}}\t{{.Image}}\t{{.Status}}\t{{.Ports}}' 2>&1 >> "$CONTAINERFILE" || true docker ps -a --format '{{.Names}}\t{{.Image}}\t{{.Status}}\t{{.Ports}}' 2>/dev/null | while IFS="$(printf '\t')" read -r name image status ports rest; do [ -z "${name:-}" ] && continue printf "Docker\t%s\t%s\t%s\t%s\n" "$name" "$image" "$status" "$ports" >> "$CONTAINER_TSV" done echo "" >> "$CONTAINERFILE" echo "### Docker images" >> "$CONTAINERFILE" docker images --format 'table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.CreatedSince}}\t{{.Size}}' 2>&1 >> "$CONTAINERFILE" || true echo "" >> "$CONTAINERFILE" fi if cmd_exists podman; then echo "### Podman containers" >> "$CONTAINERFILE" podman ps -a --format 'table {{.Names}}\t{{.Image}}\t{{.Status}}\t{{.Ports}}' 2>&1 >> "$CONTAINERFILE" || true podman ps -a --format '{{.Names}}\t{{.Image}}\t{{.Status}}\t{{.Ports}}' 2>/dev/null | while IFS="$(printf '\t')" read -r name image status ports rest; do [ -z "${name:-}" ] && continue printf "Podman\t%s\t%s\t%s\t%s\n" "$name" "$image" "$status" "$ports" >> "$CONTAINER_TSV" done echo "" >> "$CONTAINERFILE" echo "### Podman images" >> "$CONTAINERFILE" podman images --format 'table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.Created}}\t{{.Size}}' 2>&1 >> "$CONTAINERFILE" || true echo "" >> "$CONTAINERFILE" fi if [ ! -s "$CONTAINERFILE" ]; then echo "No Docker or Podman container inventory captured." > "$CONTAINERFILE" fi } collect_listening_ports() { : > "$PORTFILE" printf "proto\tlocal_address\tport\tprocess\tpid\tuser\trisk_note\n" >> "$PORTFILE" if ! cmd_exists ss; then return fi ss -H -tulpen 2>/dev/null | while IFS= read -r line; do proto="$(printf '%s' "$line" | awk '{print $1}')" local_field="$(printf '%s' "$line" | awk '{print $5}')" users_field="$(printf '%s' "$line" | grep -Eo 'users:\(.*' || true)" # Split address and port. Handles 0.0.0.0:22, [::]:22 and *:80. port="$(printf '%s' "$local_field" | sed -E 's/^.*:([0-9]+)$/\1/')" addr="$(printf '%s' "$local_field" | sed -E 's/:([0-9]+)$//' | sed 's/^\[//;s/\]$//')" process="$(printf '%s' "$users_field" | grep -Eo '"[^"]+"' | head -1 | tr -d '"')" pid="$(printf '%s' "$users_field" | grep -Eo 'pid=[0-9]+' | head -1 | cut -d= -f2)" user="$(printf '%s' "$line" | grep -Eo 'uid:[0-9]+' | head -1 | cut -d: -f2)" [ -z "$port" ] && continue [ "$addr" = "*" ] && addr="0.0.0.0" [ -z "$process" ] && process="unknown" [ -z "$pid" ] && pid="" [ -z "$user" ] && user="" risk="" case "$port" in 21|23|25|110|143|389|6379|9200|9300|11211|27017|3306|5432|5900|5901|10000) risk="Review exposure: service is commonly sensitive or abused if Internet-facing." ;; 22) risk="SSH: expected on many servers, but should be restricted and hardened." ;; 80|443|8080|8443) risk="Web service: verify TLS, headers, exposure and patching." ;; esac printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n" "$proto" "$addr" "$port" "$process" "$pid" "$user" "$risk" >> "$PORTFILE" done } collect_platform_inventory() { : > "$PLATFORMFILE" virt="unknown" virt_detail="" platform_label="Unknown / Bare Metal" if [ -f /.dockerenv ]; then virt="container" platform_label="Docker/LXC-style Container" virt_detail="/.dockerenv present" elif cmd_exists systemd-detect-virt; then virt="$(systemd-detect-virt 2>/dev/null || true)" virt_detail="systemd-detect-virt=$virt" case "$virt" in vmware) platform_label="VMware Virtual Machine" ;; oracle) platform_label="VirtualBox Virtual Machine" ;; microsoft|hyperv) platform_label="Hyper-V / Microsoft Virtual Machine" ;; kvm|qemu) platform_label="KVM/QEMU Virtual Machine" ;; xen) platform_label="Xen Virtual Machine" ;; lxc|lxc-libvirt|systemd-nspawn|docker|podman) platform_label="Linux Container" ;; none|"") platform_label="Physical or undetected virtualization" ;; *) platform_label="$virt virtualized platform" ;; esac fi if [ "$platform_label" = "Physical or undetected virtualization" ] || [ "$platform_label" = "Unknown / Bare Metal" ]; then if cmd_exists lscpu && lscpu 2>/dev/null | grep -qi 'Hypervisor vendor'; then hv="$(lscpu 2>/dev/null | awk -F: '/Hypervisor vendor/{gsub(/^ +/,"",$2); print $2; exit}')" [ -n "$hv" ] && platform_label="$hv Virtual Machine" && virt_detail="lscpu Hypervisor vendor=$hv" fi fi if cmd_exists vmware-toolbox-cmd || cmd_exists vmtoolsd || pkg_version open-vm-tools >/dev/null 2>&1; then vt="$( (vmware-toolbox-cmd -v 2>/dev/null || vmtoolsd -v 2>&1 || pkg_version open-vm-tools) | head -1 )" [ -n "$vt" ] && virt_detail="$virt_detail; VMware Tools/open-vm-tools detected: $vt" fi printf "platform_label\t%s\n" "$platform_label" >> "$PLATFORMFILE" printf "virtualization\t%s\n" "$virt" >> "$PLATFORMFILE" printf "evidence\t%s\n" "$virt_detail" >> "$PLATFORMFILE" } platform_value() { local key="$1" [ -s "$PLATFORMFILE" ] && awk -F '\t' -v k="$key" '$1==k{print $2; exit}' "$PLATFORMFILE" } port_listens() { local port="$1" [ -s "$PORTFILE" ] && awk -F '\t' -v p="$port" 'NR>1 && $3==p {found=1} END{exit found?0:1}' "$PORTFILE" } port_evidence() { local ports="$1" local out="" for p in $ports; do if port_listens "$p"; then out="$out TCP/$p listening;" fi done printf '%s' "$out" } service_summary_counts() { [ ! -s "$SERVICEFILE" ] && return web=0; mail=0; data=0; proxy=0; net=0; vpn=0; security=0; containers=0; admin=0; virt=0 while IFS="$(printf '\t')" read -r product version source; do case "$product" in "Apache HTTP Server"|nginx|PHP|Caddy|Lighttpd|phpMyAdmin) web=$((web+1)) ;; Postfix|Exim|OpenSMTPD|Dovecot) mail=$((mail+1)) ;; Redis|MySQL|MariaDB|PostgreSQL|MongoDB|Memcached|Elasticsearch|RabbitMQ) data=$((data+1)) ;; Squid|HAProxy|Varnish|Traefik) proxy=$((proxy+1)) ;; BIND|dnsmasq|"ISC DHCP Server") net=$((net+1)) ;; OpenVPN|WireGuard|strongSwan) vpn=$((vpn+1)) ;; Fail2ban|ClamAV) security=$((security+1)) ;; Docker|Podman|containerd|runc|"Kubernetes kubelet"|kubectl) containers=$((containers+1)) ;; Webmin|Cockpit|Grafana|"Zabbix Agent"|"Prometheus Node Exporter") admin=$((admin+1)) ;; QEMU|libvirt|"VMware Tools") virt=$((virt+1)) ;; esac done < "$SERVICEFILE" echo "$web $mail $data $proxy $net $vpn $security $containers $admin $virt" } render_services_summary_html() { vals="$(service_summary_counts)" if [ -z "$vals" ]; then echo "
No service summary available.
" return fi IFS="$(printf '\t')" read -r web mail data proxy net vpn security containers admin virt <CategoryCountMeaning" echo "Web/Application$webWeb servers, PHP/runtime or web admin apps." echo "Mail$mailSMTP/IMAP/POP components." echo "Database/Cache$dataDatabases, caches and message/search services." echo "Proxy/Load Balancer$proxyProxy, cache or load-balancing components." echo "DNS/DHCP$netNetwork name/addressing services." echo "VPN$vpnVPN/tunnel components." echo "Security/Monitoring$securitySecurity agents and local monitoring components." echo "Containers$containersContainer runtime/orchestration components." echo "Admin/Monitoring UI$adminWeb or agent-based admin/monitoring tools." echo "Virtualization/Guest Tools$virtHypervisor, virtualization or guest-agent tooling." echo "" } detect_server_roles() { : > "$ROLEFILE" has_service() { [ -s "$SERVICEFILE" ] && awk -F '\t' -v s="$1" 'tolower($1)==tolower(s){found=1} END{exit found?0:1}' "$SERVICEFILE" } add_role() { local role="$1" local confidence="$2" local evidence="$3" local score="$4" printf "%s\t%s\t%s\t%s\n" "$role" "$confidence" "$evidence" "$score" >> "$ROLEFILE" } # Role confidence is based on detected software plus listening ports. if has_service "Apache HTTP Server" || has_service "nginx" || has_service "PHP" || has_service "Caddy" || has_service "Lighttpd"; then ev="Detected web/runtime components:" score=0 for svc in "Apache HTTP Server" nginx PHP Caddy Lighttpd; do has_service "$svc" && ev="$ev $svc;" && score=$((score+2)); done pe="$(port_evidence '80 443 8080 8443 8000 9000')" [ -n "$pe" ] && ev="$ev Ports: $pe" && score=$((score+3)) conf="Medium"; [ "$score" -ge 5 ] && conf="High" add_role "Web / Application Server" "$conf" "$ev" "$score" fi if has_service "Postfix" || has_service "Exim" || has_service "OpenSMTPD" || has_service "Dovecot"; then ev="Detected mail components:" score=0 for svc in Postfix Exim OpenSMTPD Dovecot; do has_service "$svc" && ev="$ev $svc;" && score=$((score+2)); done pe="$(port_evidence '25 465 587 110 143 993 995')" [ -n "$pe" ] && ev="$ev Ports: $pe" && score=$((score+3)) conf="Medium"; [ "$score" -ge 5 ] && conf="High" add_role "Mail Server" "$conf" "$ev" "$score" fi if has_service "Squid" || has_service "HAProxy" || has_service "Varnish" || has_service "Traefik"; then ev="Detected proxy/load-balancer components:" score=0 for svc in Squid HAProxy Varnish Traefik; do has_service "$svc" && ev="$ev $svc;" && score=$((score+2)); done pe="$(port_evidence '80 443 3128 8080 8443 6081')" [ -n "$pe" ] && ev="$ev Ports: $pe" && score=$((score+3)) conf="Medium"; [ "$score" -ge 5 ] && conf="High" add_role "Proxy / Cache / Load Balancer" "$conf" "$ev" "$score" fi if has_service "Redis" || has_service "MySQL" || has_service "MariaDB" || has_service "PostgreSQL" || has_service "MongoDB" || has_service "Memcached" || has_service "Elasticsearch"; then ev="Detected data services:" score=0 for svc in Redis MySQL MariaDB PostgreSQL MongoDB Memcached Elasticsearch; do has_service "$svc" && ev="$ev $svc;" && score=$((score+2)); done pe="$(port_evidence '6379 3306 5432 27017 11211 9200 9300')" [ -n "$pe" ] && ev="$ev Ports: $pe" && score=$((score+3)) conf="Medium"; [ "$score" -ge 5 ] && conf="High" add_role "Database / Cache Server" "$conf" "$ev" "$score" fi if has_service "Docker" || has_service "Podman" || has_service "containerd" || has_service "Kubernetes kubelet"; then ev="Detected container components:" score=0 for svc in Docker Podman containerd "Kubernetes kubelet"; do has_service "$svc" && ev="$ev $svc;" && score=$((score+2)); done pe="$(port_evidence '2375 2376 6443 10250')" [ -n "$pe" ] && ev="$ev Ports: $pe" && score=$((score+3)) conf="Medium"; [ "$score" -ge 5 ] && conf="High" add_role "Container Host" "$conf" "$ev" "$score" fi if has_service "BIND" || has_service "dnsmasq" || has_service "ISC DHCP Server"; then ev="Detected DNS/DHCP components:" score=0 for svc in BIND dnsmasq "ISC DHCP Server"; do has_service "$svc" && ev="$ev $svc;" && score=$((score+2)); done pe="$(port_evidence '53 67 68')" [ -n "$pe" ] && ev="$ev Ports: $pe" && score=$((score+3)) conf="Medium"; [ "$score" -ge 5 ] && conf="High" add_role "DNS / DHCP Server" "$conf" "$ev" "$score" fi if has_service "OpenVPN" || has_service "WireGuard" || has_service "strongSwan"; then ev="Detected VPN components:" score=0 for svc in OpenVPN WireGuard strongSwan; do has_service "$svc" && ev="$ev $svc;" && score=$((score+2)); done pe="$(port_evidence '1194 51820 500 4500')" [ -n "$pe" ] && ev="$ev Ports: $pe" && score=$((score+3)) conf="Medium"; [ "$score" -ge 5 ] && conf="High" add_role "VPN Server" "$conf" "$ev" "$score" fi if has_service "Samba" || has_service "NFS" || has_service "CUPS"; then ev="Detected file/print services:" score=0 for svc in Samba NFS CUPS; do has_service "$svc" && ev="$ev $svc;" && score=$((score+2)); done pe="$(port_evidence '139 445 2049 631')" [ -n "$pe" ] && ev="$ev Ports: $pe" && score=$((score+3)) conf="Medium"; [ "$score" -ge 5 ] && conf="High" add_role "File / Print Server" "$conf" "$ev" "$score" fi if has_service "Webmin" || has_service "Cockpit" || has_service "Grafana" || has_service "Zabbix Agent" || has_service "Prometheus Node Exporter"; then ev="Detected admin/monitoring components:" score=0 for svc in Webmin Cockpit Grafana "Zabbix Agent" "Prometheus Node Exporter"; do has_service "$svc" && ev="$ev $svc;" && score=$((score+2)); done pe="$(port_evidence '10000 9090 3000 9100 10050')" [ -n "$pe" ] && ev="$ev Ports: $pe" && score=$((score+3)) conf="Medium"; [ "$score" -ge 5 ] && conf="High" add_role "Admin / Monitoring Node" "$conf" "$ev" "$score" fi # VMware/open-vm-tools is platform context, not a business/server role. # It is shown under Platform / Virtualization and Software Inventory instead. # Scantide-like SaaS/application platform role when several components combine. if (has_service "Apache HTTP Server" || has_service nginx) && has_service PHP && (has_service Redis || has_service HAProxy || has_service Postfix); then add_role "Likely SaaS / Web Platform" "High" "Combined application stack detected: web server + PHP + supporting service such as Redis/HAProxy/Postfix." "10" fi if [ ! -s "$ROLEFILE" ]; then echo "General Linux Server\tLow\tNo strong role-specific service combination was detected.\t1" > "$ROLEFILE" fi } render_listening_ports_html() { if [ ! -s "$PORTFILE" ]; then echo "
No parsed listening-port inventory was available. Raw ss output is shown below if available.
" cmd_exists ss && echo "
$(ss -tulpen 2>&1 | html_escape)
" return fi echo "" tail -n +2 "$PORTFILE" | while IFS="$(printf '\t')" read -r proto addr port process pid user risk; do [ -z "${port:-}" ] && continue badge="source-ok" [ -n "${risk:-}" ] && badge="source-warn" echo "" done echo "
ProtoAddressPortProcessPIDUser/UIDComment
$(printf '%s' "$proto" | html_escape)$(printf '%s' "$addr" | html_escape)$(printf '%s' "$port" | html_escape)$(printf '%s' "$process" | html_escape)$(printf '%s' "$pid" | html_escape)$(printf '%s' "$user" | html_escape)$(printf '%s' "${risk:-Expected/unknown}" | html_escape)
" } render_container_inventory_html() { if [ ! -s "$CONTAINER_TSV" ] || [ "$(wc -l < "$CONTAINER_TSV" | tr -d ' ')" -le 1 ]; then echo "
No Docker or Podman containers were detected.
" return fi echo "" tail -n +2 "$CONTAINER_TSV" | while IFS="$(printf '\t')" read -r engine name image status ports; do [ -z "${name:-}" ] && continue badge="source-ok" printf '%s' "$ports" | grep -Eq '0\.0\.0\.0|::|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' && badge="source-warn" echo "" done echo "
EngineNameImageStatusPorts
$(printf '%s' "$engine" | html_escape)$(printf '%s' "$name" | html_escape)$(printf '%s' "$image" | html_escape)$(printf '%s' "$status" | html_escape)$(printf '%s' "${ports:-none}" | html_escape)
" } primary_role() { if [ -s "$ROLEFILE" ]; then awk -F '\t' '$1 !~ /^(VMware Guest|Virtual Machine|Container Host|Physical Server|Platform Context)$/ {print}' "$ROLEFILE" | sort -t "$(printf '\t')" -k4,4nr | head -1 | awk -F '\t' '{print $1}' else echo "Unknown" fi } primary_role_confidence() { if [ -s "$ROLEFILE" ]; then awk -F '\t' '$1 !~ /^(VMware Guest|Virtual Machine|Container Host|Physical Server|Platform Context)$/ {print}' "$ROLEFILE" | sort -t "$(printf '\t')" -k4,4nr | head -1 | awk -F '\t' '{print $2}' else echo "Unknown" fi } render_server_roles_html() { if [ ! -s "$ROLEFILE" ]; then echo "
No role detection was performed.
" return fi echo "" sort -t "$(printf '\t')" -k4,4nr "$ROLEFILE" | while IFS="$(printf '\t')" read -r role confidence evidence score; do [ -z "${role:-}" ] && continue cls="source-warn" [ "$confidence" = "High" ] && cls="source-ok" [ "$confidence" = "Low" ] && cls="source-warn" echo "" done echo "
Likely roleConfidenceEvidence
$(printf '%s' "$role" | html_escape)$(printf '%s' "$confidence" | html_escape)$(printf '%s' "$evidence" | html_escape)
" } render_quick_actions_html() { if [ ! -s "$QUICKACTIONS" ]; then echo "
No quick actions generated by the current rule set.
" return fi echo "" sort -t "$(printf '\t')" -k1,1n "$QUICKACTIONS" | while IFS="$(printf '\t')" read -r prio action reason; do [ -z "${action:-}" ] && continue echo "" done echo "
PriorityActionReason
$(printf '%s' "$prio" | html_escape)$(printf '%s' "$action" | html_escape)$(printf '%s' "$reason" | html_escape)
" } detect_distro() { DISTRO_NAME="Unknown Linux" DISTRO_ID="unknown" DISTRO_FAMILY="unknown" DISTRO_VERSION_ID="" DISTRO_VERSION_CODENAME="" if [ -f /etc/os-release ]; then . /etc/os-release DISTRO_NAME="${PRETTY_NAME:-${NAME:-Unknown Linux}}" DISTRO_ID="${ID:-unknown}" DISTRO_FAMILY="${ID_LIKE:-$DISTRO_ID}" DISTRO_VERSION_ID="${VERSION_ID:-}" DISTRO_VERSION_CODENAME="${VERSION_CODENAME:-}" fi } collect_packages() { case "$DISTRO_ID" in ubuntu|debian|linuxmint) cmd_exists dpkg-query && run_timeout 60 dpkg-query -W -f='${binary:Package}\t${Version}\n' > "$PKGFILE" 2>/dev/null || true ;; fedora|rhel|centos|rocky|almalinux|ol) cmd_exists rpm && run_timeout 60 rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\n' > "$PKGFILE" 2>/dev/null || true ;; alpine) cmd_exists apk && run_timeout 60 apk info -vv | awk '{print $1 "\t" $2}' > "$PKGFILE" 2>/dev/null || true ;; esac } pkg_version() { local pkg="$1" [ -s "$PKGFILE" ] && awk -F '\t' -v p="$pkg" '$1 == p {print $2; exit}' "$PKGFILE" } build_service_inventory() { : > "$SERVICEFILE" add_service "Linux kernel" "$(uname -r)" "uname -r" detect_cmd_version() { local product="$1" local cmd="$2" local source="$3" local pattern="${4:-[0-9]+(\.[0-9]+){1,3}}" if cmd_exists "$cmd"; then v="$("$cmd" --version 2>&1 | grep -Eo "$pattern" | head -1)" add_service "$product" "$v" "$source" fi } # Web servers / web admin if cmd_exists apache2; then v="$(apache2 -v 2>/dev/null | grep -Eo 'Apache/[0-9.]+' | head -1 | cut -d/ -f2)" add_service "Apache HTTP Server" "$v" "apache2 -v" elif cmd_exists httpd; then v="$(httpd -v 2>/dev/null | grep -Eo 'Apache/[0-9.]+' | head -1 | cut -d/ -f2)" add_service "Apache HTTP Server" "$v" "httpd -v" fi if cmd_exists nginx; then v="$(nginx -v 2>&1 | grep -Eo 'nginx/[0-9.]+' | cut -d/ -f2)" add_service "nginx" "$v" "nginx -v" fi detect_cmd_version "Lighttpd" "lighttpd" "lighttpd -v" detect_cmd_version "Caddy" "caddy" "caddy version" detect_cmd_version "Webmin" "webmin" "webmin --version" detect_cmd_version "Cockpit" "cockpit-bridge" "cockpit-bridge --version" # PHP / web apps if cmd_exists php; then v="$(php -v 2>/dev/null | head -1 | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "PHP" "$v" "php -v" fi if [ -d /usr/share/phpmyadmin ] || [ -d /var/www/html/phpmyadmin ]; then v="$(pkg_version phpmyadmin)" add_service "phpMyAdmin" "$v" "phpmyadmin package/path" fi # TLS / SSH if cmd_exists openssl; then v="$(openssl version 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "OpenSSL" "$v" "openssl version" fi if cmd_exists ssh; then v="$(ssh -V 2>&1 | grep -Eo 'OpenSSH_[0-9]+(\.[0-9]+){1,3}' | sed 's/OpenSSH_//' | head -1)" add_service "OpenSSH" "$v" "ssh -V" fi # Mail: SMTP / IMAP / POP if cmd_exists postconf; then v="$(postconf -h mail_version 2>/dev/null | head -1)" add_service "Postfix" "$v" "postconf mail_version" fi if cmd_exists exim || cmd_exists exim4; then eximcmd="$(command -v exim 2>/dev/null || command -v exim4 2>/dev/null)" v="$("$eximcmd" -bV 2>/dev/null | head -1 | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "Exim" "$v" "exim -bV" fi if cmd_exists smtpd; then v="$(smtpd -h 2>&1 | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "OpenSMTPD" "$v" "smtpd" fi if cmd_exists dovecot; then v="$(dovecot --version 2>/dev/null | head -1)" add_service "Dovecot" "$v" "dovecot --version" fi # FTP detect_cmd_version "vsftpd" "vsftpd" "vsftpd --version" detect_cmd_version "ProFTPD" "proftpd" "proftpd --version" detect_cmd_version "Pure-FTPd" "pure-ftpd" "pure-ftpd --version" # Databases / caches if cmd_exists redis-server; then v="$(redis-server --version 2>/dev/null | grep -Eo 'v=[0-9]+(\.[0-9]+){1,3}' | cut -d= -f2 | head -1)" add_service "Redis" "$v" "redis-server --version" fi if cmd_exists mysqld; then v="$(mysqld --version 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "MySQL" "$v" "mysqld --version" fi if cmd_exists mariadbd; then v="$(mariadbd --version 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "MariaDB" "$v" "mariadbd --version" elif cmd_exists mysql && mysql --version 2>/dev/null | grep -qi mariadb; then v="$(mysql --version 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "MariaDB" "$v" "mysql --version" fi if cmd_exists postgres; then v="$(postgres --version 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "PostgreSQL" "$v" "postgres --version" elif cmd_exists psql; then v="$(psql --version 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "PostgreSQL" "$v" "psql --version" fi detect_cmd_version "MongoDB" "mongod" "mongod --version" detect_cmd_version "Memcached" "memcached" "memcached -h" detect_cmd_version "Elasticsearch" "elasticsearch" "elasticsearch --version" detect_cmd_version "RabbitMQ" "rabbitmqctl" "rabbitmqctl version" # DNS / DHCP if cmd_exists named; then v="$(named -v 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "BIND" "$v" "named -v" elif cmd_exists dig; then v="$(dig -v 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "BIND" "$v" "dig -v" fi detect_cmd_version "dnsmasq" "dnsmasq" "dnsmasq --version" detect_cmd_version "ISC DHCP Server" "dhcpd" "dhcpd --version" # Proxy / load balancer if cmd_exists haproxy; then v="$(haproxy -v 2>/dev/null | head -1 | grep -Eo 'version [0-9]+(\.[0-9]+){1,3}' | awk '{print $2}')" add_service "HAProxy" "$v" "haproxy -v" fi if cmd_exists squid; then v="$(squid -v 2>/dev/null | head -1 | grep -Eo 'Version [0-9]+(\.[0-9]+){1,3}' | awk '{print $2}')" add_service "Squid" "$v" "squid -v" fi detect_cmd_version "Varnish" "varnishd" "varnishd -V" detect_cmd_version "Traefik" "traefik" "traefik version" # Containers / virtualization detect_cmd_version "Docker" "docker" "docker --version" detect_cmd_version "Podman" "podman" "podman --version" detect_cmd_version "containerd" "containerd" "containerd --version" detect_cmd_version "runc" "runc" "runc --version" detect_cmd_version "Kubernetes kubelet" "kubelet" "kubelet --version" detect_cmd_version "kubectl" "kubectl" "kubectl version" detect_cmd_version "QEMU" "qemu-system-x86_64" "qemu-system-x86_64 --version" detect_cmd_version "libvirt" "libvirtd" "libvirtd --version" # VMware Tools / open-vm-tools if cmd_exists vmware-toolbox-cmd; then v="$(vmware-toolbox-cmd -v 2>/dev/null | grep -Eo '[0-9]+(\.[0-9]+){1,4}' | head -1)" add_service "VMware Tools" "$v" "vmware-toolbox-cmd -v" elif cmd_exists vmtoolsd; then v="$(vmtoolsd -v 2>&1 | grep -Eo '[0-9]+(\.[0-9]+){1,4}' | head -1)" [ -z "$v" ] && v="$(pkg_version open-vm-tools)" add_service "VMware Tools" "$v" "vmtoolsd -v / open-vm-tools package" else v="$(pkg_version open-vm-tools)" [ -n "$v" ] && add_service "VMware Tools" "$v" "open-vm-tools package" fi # Runtimes / languages detect_cmd_version "Node.js" "node" "node --version" detect_cmd_version "npm" "npm" "npm --version" detect_cmd_version "Python" "python3" "python3 --version" detect_cmd_version "Ruby" "ruby" "ruby --version" detect_cmd_version "Go" "go" "go version" detect_cmd_version "Rust" "rustc" "rustc --version" if cmd_exists perl; then v="$(perl -e 'printf "%vd\n",$^V' 2>/dev/null)" add_service "Perl" "$v" "perl version" fi if cmd_exists java; then v="$(java -version 2>&1 | head -1 | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -1)" add_service "Java" "$v" "java -version" fi # VPN / security / monitoring detect_cmd_version "OpenVPN" "openvpn" "openvpn --version" detect_cmd_version "WireGuard" "wg" "wg" detect_cmd_version "strongSwan" "ipsec" "ipsec version" detect_cmd_version "Fail2ban" "fail2ban-client" "fail2ban-client version" detect_cmd_version "ClamAV" "clamscan" "clamscan --version" detect_cmd_version "Zabbix Agent" "zabbix_agentd" "zabbix_agentd --version" detect_cmd_version "Prometheus Node Exporter" "node_exporter" "node_exporter --version" detect_cmd_version "Grafana" "grafana-server" "grafana-server -v" # Print / file services detect_cmd_version "CUPS" "cupsd" "cupsd -v" detect_cmd_version "Samba" "smbd" "smbd --version" detect_cmd_version "NFS" "rpc.nfsd" "rpc.nfsd --version" if [ -s "$SERVICEFILE" ]; then awk -F '\t' '!seen[$1]++ {print}' "$SERVICEFILE" > "$SERVICEFILE.tmp" mv "$SERVICEFILE.tmp" "$SERVICEFILE" fi } build_cve_payload() { { printf '{' printf '"api_key":"%s",' "$(json_escape "$SCANTIDE_API_KEY")" printf '"email":"%s",' "$(json_escape "$SCANTIDE_EMAIL")" printf '"allow_remote_nvd":true,' printf '"mode":"local_batch",' printf '"client_mode":"local_batch",' printf '"source":"linux-local-service-inventory",' printf '"os":"%s",' "$(json_escape "$DISTRO_NAME")" printf '"host":"%s",' "$(json_escape "$HOST")" printf '"queries":[' first=1 while IFS="$(printf '\t')" read -r product version source; do [ -z "${product:-}" ] && continue [ -z "${version:-}" ] && continue [ "$first" -eq 0 ] && printf ',' first=0 printf '{"product":"%s","version":"%s"}' "$(json_escape "$product")" "$(json_escape "$version")" done < "$SERVICEFILE" printf ']}' } > "$CVE_PAYLOAD" } run_scantide_cve_api() { if [ "$USE_SCANTIDE_API" != "true" ]; then return fi if [ ! -s "$SERVICEFILE" ] || ! cmd_exists curl; then return fi build_cve_payload HTTP_STATUS="$(curl --http1.1 --max-time "$CVE_TIMEOUT" -sS \ -o "$CVE_RESPONSE" \ -w "%{http_code}" \ -X POST "$SCANTIDE_CVE_API" \ -H "Content-Type: application/json; charset=utf-8" \ -H "X-API-Key: $SCANTIDE_API_KEY" \ -H "User-Agent: ScantideLinuxLocalCheck/0.9-Bash" \ --data-binary @"$CVE_PAYLOAD" \ 2>"$OUTDIR/cve_curl_error_$TS.txt")" { echo "HTTP Status: $HTTP_STATUS" echo "" echo "Payload:" cat "$CVE_PAYLOAD" echo "" echo "" echo "Response:" if [ -s "$CVE_RESPONSE" ]; then cat "$CVE_RESPONSE" else echo "No response body." cat "$OUTDIR/cve_curl_error_$TS.txt" 2>/dev/null fi } > "$CVE_RAW" } build_lifecycle_payload() { { printf '{' printf '"api_key":"%s",' "$(json_escape "$SCANTIDE_API_KEY")" printf '"email":"%s",' "$(json_escape "$SCANTIDE_EMAIL")" printf '"platform":"linux",' printf '"os_family":"linux",' printf '"source":"linux-local-service-inventory",' printf '"os":"%s",' "$(json_escape "$DISTRO_NAME")" printf '"distro_id":"%s",' "$(json_escape "$DISTRO_ID")" printf '"host":"%s",' "$(json_escape "$HOST")" printf '"items":[' first=1 # OS lifecycle item. Use short distro product names that match the Linux lifecycle catalog. os_product="" case "$DISTRO_ID" in ubuntu) os_product="Ubuntu" ;; debian) os_product="Debian" ;; rhel) os_product="Red Hat Enterprise Linux" ;; rocky) os_product="Rocky Linux" ;; almalinux) os_product="AlmaLinux" ;; centos) os_product="CentOS Stream" ;; ol) os_product="Oracle Linux" ;; fedora) os_product="Fedora" ;; sles|suse|opensuse*) os_product="SUSE Linux Enterprise Server" ;; amzn|amazon) os_product="Amazon Linux" ;; alpine) os_product="Alpine Linux" ;; esac if [ -n "$os_product" ] && [ -n "$DISTRO_VERSION_ID" ]; then printf '{"product":"%s","version":"%s","platform":"linux","os":"%s","source":"/etc/os-release"}' \ "$(json_escape "$os_product")" \ "$(json_escape "$DISTRO_VERSION_ID")" \ "$(json_escape "$DISTRO_NAME")" first=0 fi while IFS="$(printf '\t')" read -r product version source; do [ -z "${product:-}" ] && continue [ -z "${version:-}" ] && continue [ "$first" -eq 0 ] && printf ',' first=0 printf '{"product":"%s","version":"%s","platform":"linux","os":"%s","source":"%s"}' \ "$(json_escape "$product")" \ "$(json_escape "$version")" \ "$(json_escape "$DISTRO_NAME")" \ "$(json_escape "$source")" done < "$SERVICEFILE" printf ']}' } > "$LIFECYCLE_PAYLOAD" } run_scantide_lifecycle_api() { if [ "$USE_SCANTIDE_LIFECYCLE" != "true" ]; then return fi if ! cmd_exists curl; then return fi build_lifecycle_payload LIFECYCLE_HTTP_STATUS="$(curl --http1.1 --max-time "$LIFECYCLE_TIMEOUT" -sS \ -o "$LIFECYCLE_RESPONSE" \ -w "%{http_code}" \ -X POST "$SCANTIDE_LIFECYCLE_API" \ -H "Content-Type: application/json; charset=utf-8" \ -H "X-API-Key: $SCANTIDE_API_KEY" \ -H "X-Scantide-Email: $SCANTIDE_EMAIL" \ -H "User-Agent: ScantideLinuxLocalCheck/0.10-Bash" \ --data-binary @"$LIFECYCLE_PAYLOAD" \ 2>"$OUTDIR/lifecycle_curl_error_$TS.txt")" { echo "HTTP Status: $LIFECYCLE_HTTP_STATUS" echo "" echo "Payload:" cat "$LIFECYCLE_PAYLOAD" echo "" echo "" echo "Response:" if [ -s "$LIFECYCLE_RESPONSE" ]; then cat "$LIFECYCLE_RESPONSE" else echo "No response body." cat "$OUTDIR/lifecycle_curl_error_$TS.txt" 2>/dev/null fi } > "$LIFECYCLE_RAW" } render_lifecycle_table_html() { if [ ! -s "$LIFECYCLE_RESPONSE" ] || ! cmd_exists python3; then echo "
Lifecycle result table could not be rendered. Raw evidence is available under Raw / Evidence.
" return fi python3 - "$LIFECYCLE_RESPONSE" <<'PY_RENDER_LIFECYCLE' import json, sys, html path = sys.argv[1] try: data = json.load(open(path, "r", encoding="utf-8")) except Exception as e: print("
Could not parse lifecycle JSON: %s
" % html.escape(str(e))) sys.exit(0) items = data.get("results") or data.get("items") or data.get("data") or [] summary = data.get("summary") or {} platform = data.get("platform_selected") or "" files = data.get("catalog_files") or [] def esc(x): return html.escape("" if x is None else str(x)) def sev_class(sev): sev = (sev or "Info").lower() if sev == "critical": return "sev-critical" if sev == "high": return "sev-high" if sev == "medium": return "sev-medium" if sev == "low": return "sev-low" return "sev-info" def status_class(status): s = (status or "").lower() if s in ("end_of_support", "unsupported", "unsupported_major_version", "eol"): return "cve-high" if s in ("update_available", "outdated", "legacy_review", "extended_support"): return "cve-review" if s in ("current", "supported"): return "cve-suppressed" return "cve-review" print("
Lifecycle API: platform_selected=%s | catalog_files=%s | summary=%s
" % ( esc(platform), esc(", ".join(map(str, files))), esc(summary) )) print("") print("") for r in items: product = r.get("product", "") version = r.get("installed_version") or r.get("version") or r.get("normalized_version") or "" matched = r.get("matched_product") or "" category = r.get("category") or "" status = r.get("status_label") or r.get("status") or "Unknown" raw_status = r.get("status") or "" severity = r.get("severity") or "Info" latest = r.get("latest_version") or "" eol = r.get("eol_date") or "" latest_eol = [] if latest: latest_eol.append("Latest: " + str(latest)) if eol: latest_eol.append("EOL: " + str(eol)) evidence = r.get("evidence") or "" rec = r.get("recommended_action") or "" source = r.get("source_label") or r.get("source_strategy") or "" confidence = r.get("source_confidence") or "" conf_class = "source-warn" if str(confidence).lower() == "high": conf_class = "source-ok" elif str(confidence).lower() in ("low", "unknown", ""): conf_class = "source-warn" source_html = esc(source) if confidence: source_html += "
%s confidence" % (conf_class, esc(confidence)) print("") print("" % esc(product)) print("" % esc(version)) print("" % esc(matched)) print("" % esc(category)) print("" % (status_class(raw_status), esc(status), esc(raw_status))) print("" % (sev_class(severity), esc(severity))) print("" % esc(" | ".join(latest_eol) if latest_eol else "")) print("" % esc(evidence)) print("" % esc(rec)) print("" % source_html) print("") print("
ProductInstalledMatched productCategoryStatusSeverityLatest / EOLEvidenceRecommendationSource
%s%s%s%s%s
%s		%s%s%s%s%s
") PY_RENDER_LIFECYCLE } render_cve_table_html() { if [ ! -s "$CVE_RESPONSE" ] || ! cmd_exists python3; then echo "
CVE result table could not be rendered. Raw evidence is available under Raw / Evidence.
" return fi python3 - "$CVE_RESPONSE" <<'PY_RENDER_CVE' import json, sys, html path = sys.argv[1] try: data = json.load(open(path, "r", encoding="utf-8")) except Exception as e: print("
Could not parse CVE JSON: %s
" % html.escape(str(e))) sys.exit(0) items = data.get("results") or data.get("items") or data.get("data") or [] def esc(x): return html.escape("" if x is None else str(x)) def sev_class(sev): sev = (sev or "Info").lower() if sev == "critical": return "sev-critical" if sev == "high": return "sev-high" if sev == "medium": return "sev-medium" if sev == "low": return "sev-low" return "sev-info" print("") print("") for r in items: product = r.get("product", "") version = r.get("version", "") total = int(r.get("total_cves") or 0) highest = r.get("highest_severity") or "Info" score = r.get("highest_score") or 0 match_status = r.get("match_status") or "" sw = r.get("software_status") or {} msg = sw.get("message") or "" if total > 0: label = "Review-only candidate (%d)" % total flag_class = "cve-review" evidence = "Review only: service/version match needs distro advisory confirmation" elif sw: label = sw.get("warning_level") or "Review" flag_class = "cve-review" if label != "LOW" else "cve-suppressed" evidence = msg else: label = "No CVE match" flag_class = "cve-suppressed" evidence = "No confirmed version match returned" top = [] for c in (r.get("top_cves") or [])[:5]: cid = c.get("cve_id", "") sev = c.get("severity", "") cvss = c.get("cvss_score") or c.get("score") or "" top.append("%s (%s %s)" % (cid, sev, cvss)) top_text = "
".join(esc(x) for x in top) if top else "None" status = "OK" source_class = "source-ok" if total > 0: status = "Review" source_class = "source-warn" elif sw and (sw.get("warning_level") or "").upper() in ("HIGH", "REVIEW", "UNKNOWN"): status = "Review" source_class = "source-warn" print("") print("" % esc(product)) print("" % esc(version)) print("" % (flag_class, esc(label))) print("" % (esc(evidence), esc(match_status))) print("" % (sev_class(highest), esc(highest), esc(score))) print("" % top_text) print("" % (source_class, esc(status))) print("") print("
ProductVersionCVE ReviewEvidence statusHighest riskTop CVEs / candidatesScantide CVE
%s%s%s%s
match_status=%s		%s %s%s%s
") PY_RENDER_CVE } evaluate_findings() { : > "$FINDINGS" : > "$HARDENING_RAW" if [ "$(id -u)" -ne 0 ]; then add_finding "Medium" "Scan Scope" "Linux check was not run as root" "Some local checks may be incomplete." "Re-run with sudo for complete visibility." fi if cmd_exists ufw; then UFW_OUT="$(ufw status verbose 2>&1 || true)" add_hardening_evidence "UFW status" "ufw status verbose" "$UFW_OUT" if printf '%s' "$UFW_OUT" | grep -qi "inactive"; then add_finding "Medium" "Firewall" "UFW is inactive" "Host firewall is not active according to ufw." "Enable UFW or verify that an upstream firewall intentionally provides filtering." fi fi if cmd_exists iptables; then IPT_OUT="$(iptables -L -n 2>&1 || true)" add_hardening_evidence "iptables policy" "iptables -L -n" "$IPT_OUT" if printf '%s' "$IPT_OUT" | grep -q "Chain INPUT (policy ACCEPT"; then add_finding "Medium" "Firewall" "iptables INPUT policy is ACCEPT" "Default INPUT policy accepts traffic." "Use explicit firewall policy or document external firewall dependency." fi fi if [ -f /etc/ssh/sshd_config ]; then SSH_HIGHLIGHTS="$(grep -Ei 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|PermitEmptyPasswords|X11Forwarding|AllowUsers|AllowGroups|Port' /etc/ssh/sshd_config 2>/dev/null || true)" add_hardening_evidence "SSH hardening highlights" "grep sshd_config" "$SSH_HIGHLIGHTS" if grep -Eiq '^\s*PermitRootLogin\s+yes' /etc/ssh/sshd_config; then add_finding "High" "SSH Hardening" "SSH root login is enabled" "PermitRootLogin yes" "Set PermitRootLogin no and use named admin accounts with sudo." fi if grep -Eiq '^\s*PasswordAuthentication\s+yes' /etc/ssh/sshd_config; then add_finding "Medium" "SSH Hardening" "SSH password authentication is enabled" "PasswordAuthentication yes" "Prefer SSH keys and set PasswordAuthentication no where practical." fi if grep -Eiq '^\s*PermitEmptyPasswords\s+yes' /etc/ssh/sshd_config; then add_finding "High" "SSH Hardening" "SSH empty passwords are allowed" "PermitEmptyPasswords yes" "Set PermitEmptyPasswords no." fi fi if cmd_exists apache2ctl || cmd_exists apachectl; then APACHE_CMD="$(command -v apache2ctl 2>/dev/null || command -v apachectl 2>/dev/null || true)" APACHE_OUT="$($APACHE_CMD -t -D DUMP_RUN_CFG 2>&1 || true)" add_hardening_evidence "Apache runtime config" "$APACHE_CMD -t -D DUMP_RUN_CFG" "$APACHE_OUT" APACHE_TOKENS="$(grep -RihE '^\s*ServerTokens\s+' /etc/apache2 /etc/httpd 2>/dev/null | tail -1 | awk '{print tolower($2)}' || true)" APACHE_SIG="$(grep -RihE '^\s*ServerSignature\s+' /etc/apache2 /etc/httpd 2>/dev/null | tail -1 | awk '{print tolower($2)}' || true)" [ -z "$APACHE_TOKENS" ] && APACHE_TOKENS="default" [ -z "$APACHE_SIG" ] && APACHE_SIG="default" if [ "$APACHE_TOKENS" != "prod" ]; then add_finding "Low" "Apache Hardening" "Apache ServerTokens is not set to Prod" "ServerTokens=$APACHE_TOKENS" "Set ServerTokens Prod to reduce banner detail." fi if [ "$APACHE_SIG" != "off" ]; then add_finding "Low" "Apache Hardening" "Apache ServerSignature is not Off" "ServerSignature=$APACHE_SIG" "Set ServerSignature Off to avoid verbose error-page signatures." fi fi if cmd_exists nginx; then NGINX_CONF="$(nginx -T 2>&1 || true)" add_hardening_evidence "Nginx config dump" "nginx -T" "$(printf '%s' "$NGINX_CONF" | head -300)" if ! printf '%s' "$NGINX_CONF" | grep -Eiq 'server_tokens\s+off\s*;'; then add_finding "Low" "Nginx Hardening" "Nginx server_tokens is not clearly disabled" "server_tokens off was not found in nginx -T output." "Set server_tokens off; in the http/server context." fi fi if cmd_exists redis-server || cmd_exists redis-cli; then REDIS_CONF="" for f in /etc/redis/redis.conf /etc/redis.conf; do [ -f "$f" ] && REDIS_CONF="$f" && break done if [ -n "$REDIS_CONF" ]; then REDIS_RELEVANT="$(grep -Ei '^\s*(bind|protected-mode|requirepass|aclfile|port)\b' "$REDIS_CONF" 2>/dev/null || true)" add_hardening_evidence "Redis config highlights" "grep redis.conf" "$REDIS_RELEVANT" if ! printf '%s' "$REDIS_RELEVANT" | grep -Eiq '^\s*protected-mode\s+yes'; then add_finding "High" "Redis Hardening" "Redis protected-mode is not clearly enabled" "protected-mode yes was not found." "Enable protected-mode and restrict bind/listen addresses." fi if ! printf '%s' "$REDIS_RELEVANT" | grep -Eiq '^\s*(requirepass|aclfile)\b'; then add_finding "Medium" "Redis Hardening" "Redis authentication is not clearly configured" "No requirepass or aclfile setting found in redis.conf highlights." "Configure Redis ACLs/authentication and limit network exposure." fi fi fi if cmd_exists ss && ss -tulpen 2>/dev/null | grep -E 'redis-server.*(0\.0\.0\.0|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):6379' >/dev/null; then add_finding "High" "Exposed Services" "Redis appears reachable on a non-loopback address" "Redis is listening on TCP 6379 outside localhost." "Restrict Redis to localhost/private trusted hosts, require authentication, and firewall the port." fi if [ -S /var/run/docker.sock ]; then DOCKER_SOCK_LS="$(ls -l /var/run/docker.sock 2>/dev/null || true)" add_hardening_evidence "Docker socket" "ls -l /var/run/docker.sock" "$DOCKER_SOCK_LS" if printf '%s' "$DOCKER_SOCK_LS" | grep -Eq 'srw.rw.rw.'; then add_finding "Critical" "Docker Hardening" "Docker socket appears world-writable" "$DOCKER_SOCK_LS" "Restrict docker.sock permissions immediately. Access to docker.sock is effectively root-equivalent." elif printf '%s' "$DOCKER_SOCK_LS" | grep -q ' docker '; then add_finding "Medium" "Docker Hardening" "Docker socket grants root-equivalent access to docker group" "$DOCKER_SOCK_LS" "Review docker group membership and treat it as privileged/root-equivalent access." fi fi } build_quick_actions() { : > "$QUICKACTIONS" prio=1 if [ -s "$FINDINGS" ]; then awk -F '\t' '$1=="Critical" || $1=="High" || $1=="Medium" {print $1 "\t" $3 "\t" $5}' "$FINDINGS" | head -8 | while IFS="$(printf '\t')" read -r sev title rec; do [ -z "$title" ] && continue case "$sev" in Critical) weight=1 ;; High) weight=2 ;; Medium) weight=3 ;; *) weight=4 ;; esac printf "%s\t%s\t%s\n" "$weight" "$title" "$rec" >> "$QUICKACTIONS" done fi if [ -s "$LIFECYCLE_RESPONSE" ] && cmd_exists python3; then python3 - "$LIFECYCLE_RESPONSE" >> "$QUICKACTIONS" <<'PY_QUICK_ACTIONS' import json, sys try: data=json.load(open(sys.argv[1], encoding='utf-8')) except Exception: sys.exit(0) items=data.get('results') or data.get('items') or data.get('data') or [] for r in items: st=(r.get('status') or '').lower() sev=(r.get('severity') or '').lower() if st in ('end_of_support','unsupported_major_version','update_available','extended_support','legacy_review') or sev in ('critical','high'): product=r.get('product') or r.get('matched_product') or 'software' version=r.get('installed_version') or r.get('normalized_version') or '' rec=r.get('recommended_action') or r.get('evidence') or 'Review lifecycle status.' weight='2' if st in ('end_of_support','unsupported_major_version') else '4' print(f"{weight}\tReview lifecycle for {product} {version}\t{rec}") PY_QUICK_ACTIONS fi if [ ! -s "$QUICKACTIONS" ]; then printf "9\tReview report evidence\tNo urgent quick actions were generated, but review exposed services, lifecycle and CVE sections.\n" > "$QUICKACTIONS" fi } sev_badge() { local sev="$1" case "$sev" in Critical) echo "sev-critical" ;; High) echo "sev-high" ;; Medium) echo "sev-medium" ;; Low) echo "sev-low" ;; *) echo "sev-info" ;; esac } render_findings_table() { if [ ! -s "$FINDINGS" ]; then echo "
No local findings generated by the current rule set.
" >> "$REPORT" return fi echo "" >> "$REPORT" while IFS="$(printf '\t')" read -r sev area title evidence rec; do cls="$(sev_badge "$sev")" echo "" >> "$REPORT" done < "$FINDINGS" echo "
SeverityAreaFinding / EvidenceRecommendation
$(printf '%s' "$sev" | html_escape)$(printf '%s' "$area" | html_escape)$(printf '%s' "$title" | html_escape)
$(printf '%s' "$evidence" | html_escape)		$(printf '%s' "$rec" | html_escape)
" >> "$REPORT" } detect_distro check_linux_version_feed log "Starting Scantide Linux local check on $HOST" log "Checking Scantide version feed" check_scantide_version_feed log "Collecting packages" collect_packages log "Building service inventory" build_service_inventory log "Collecting container inventory" collect_container_inventory log "Collecting listening ports" collect_listening_ports log "Collecting platform inventory" collect_platform_inventory log "Detecting likely server roles" detect_server_roles log "Running CVE API" run_scantide_cve_api log "Running lifecycle API" run_scantide_lifecycle_api log "Evaluating local findings" evaluate_findings log "Building quick actions" build_quick_actions PKGCOUNT=0 SERVICECOUNT=0 FINDINGCOUNT=0 HTTP_STATUS_DISPLAY="Not run" LIFECYCLE_STATUS_DISPLAY="Not run" LIFECYCLE_FINDINGS=0 VERSION_STATUS_DISPLAY="${VERSION_FEED_STATUS:-Not checked}" VERSION_STATUS_CLASS="warn" [ -s "$PKGFILE" ] && PKGCOUNT="$(wc -l < "$PKGFILE" | tr -d ' ')" [ -s "$SERVICEFILE" ] && SERVICECOUNT="$(wc -l < "$SERVICEFILE" | tr -d ' ')" [ -s "$FINDINGS" ] && FINDINGCOUNT="$(wc -l < "$FINDINGS" | tr -d ' ')" [ -s "$CVE_RAW" ] && HTTP_STATUS_DISPLAY="$(grep -m1 '^HTTP Status:' "$CVE_RAW" | cut -d: -f2- | xargs)" [ -s "$LIFECYCLE_RAW" ] && LIFECYCLE_STATUS_DISPLAY="$(grep -m1 '^HTTP Status:' "$LIFECYCLE_RAW" | cut -d: -f2- | xargs)" case "$VERSION_STATUS_DISPLAY" in Current|"Newer than feed") VERSION_STATUS_CLASS="ok" ;; Unavailable|"Feed missing Linux version"|"Update available") VERSION_STATUS_CLASS="warn" ;; *) VERSION_STATUS_CLASS="warn" ;; esac HTTP_STATUS_CLASS="warn" LIFECYCLE_STATUS_CLASS="warn" case "$HTTP_STATUS_DISPLAY" in 200) HTTP_STATUS_CLASS="ok" ;; "Not run") HTTP_STATUS_CLASS="warn" ;; *) HTTP_STATUS_CLASS="risk" ;; esac case "$LIFECYCLE_STATUS_DISPLAY" in 200) LIFECYCLE_STATUS_CLASS="ok" ;; "Not run") LIFECYCLE_STATUS_CLASS="warn" ;; *) LIFECYCLE_STATUS_CLASS="risk" ;; esac if [ -s "$LIFECYCLE_RESPONSE" ] && cmd_exists python3; then LIFECYCLE_FINDINGS="$(python3 - "$LIFECYCLE_RESPONSE" <<'PY_COUNT_LIFE' import json, sys try: d=json.load(open(sys.argv[1], encoding='utf-8')) s=d.get('summary') or {} print(s.get('findings', 0)) except Exception: print(0) PY_COUNT_LIFE )" fi CRITICAL_FINDINGS=0 HIGH_FINDINGS=0 MEDIUM_FINDINGS=0 LOW_FINDINGS=0 if [ -s "$FINDINGS" ]; then CRITICAL_FINDINGS="$(awk -F ' ' '$1=="Critical"{c++} END{print c+0}' "$FINDINGS")" HIGH_FINDINGS="$(awk -F ' ' '$1=="High"{c++} END{print c+0}' "$FINDINGS")" MEDIUM_FINDINGS="$(awk -F ' ' '$1=="Medium"{c++} END{print c+0}' "$FINDINGS")" LOW_FINDINGS="$(awk -F ' ' '$1=="Low"{c++} END{print c+0}' "$FINDINGS")" fi SCORE_PENALTY=$((CRITICAL_FINDINGS*25 + HIGH_FINDINGS*15 + MEDIUM_FINDINGS*8 + LOW_FINDINGS*3 + LIFECYCLE_FINDINGS*3)) SECURITY_SCORE=$((100 - SCORE_PENALTY)) [ "$SECURITY_SCORE" -lt 0 ] && SECURITY_SCORE=0 SCORE_CLASS="ok" [ "$SECURITY_SCORE" -lt 80 ] && SCORE_CLASS="warn" [ "$SECURITY_SCORE" -lt 60 ] && SCORE_CLASS="risk" CONTAINERCOUNT=0 PORTCOUNT=0 ROLECOUNT=0 [ -s "$PORTFILE" ] && PORTCOUNT="$(( $(wc -l < "$PORTFILE" | tr -d ' ') - 1 ))" && [ "$PORTCOUNT" -lt 0 ] && PORTCOUNT=0 [ -s "$ROLEFILE" ] && ROLECOUNT="$(wc -l < "$ROLEFILE" | tr -d ' ')" if [ -s "$CONTAINER_TSV" ]; then CONTAINERCOUNT="$(( $(wc -l < "$CONTAINER_TSV" | tr -d ' ') - 1 ))" [ "$CONTAINERCOUNT" -lt 0 ] && CONTAINERCOUNT=0 fi PLATFORM_LABEL="$(platform_value platform_label)" [ -z "$PLATFORM_LABEL" ] && PLATFORM_LABEL="Unknown" PRIMARY_ROLE="$(primary_role)" PRIMARY_ROLE_CONFIDENCE="$(primary_role_confidence)" [ -z "$PRIMARY_ROLE" ] && PRIMARY_ROLE="General Linux Server" [ -z "$PRIMARY_ROLE_CONFIDENCE" ] && PRIMARY_ROLE_CONFIDENCE="Low" cat > "$REPORT" < Scantide Linux Local Check

Scantide Linux Local Security Check

Host: $HOST | Distro: $DISTRO_NAME | Generated: $(date '+%Y-%m-%d %H:%M:%S') | v$SCRIPT_VERSION
Scanner Version
$VERSION_STATUS_DISPLAY
Local $SCRIPT_VERSION
Security Score
$SECURITY_SCORE
0-100 local posture
Primary Role
$PRIMARY_ROLE
$PRIMARY_ROLE_CONFIDENCE confidence
Platform
$PLATFORM_LABEL
Virtualization / host context
Local Findings
$FINDINGCOUNT
Service CVE Checks
$SERVICECOUNT
Service/runtime inventory
Lifecycle Findings
$LIFECYCLE_FINDINGS
Linux lifecycle catalog
Packages
$PKGCOUNT
Evidence only
Containers
$CONTAINERCOUNT
Docker/Podman inventory
Listening Ports
$PORTCOUNT
ss parsed inventory
Likely Roles
$ROLECOUNT
Detected server roles
CVE API
$HTTP_STATUS_DISPLAY
HTTP status
Lifecycle API
$LIFECYCLE_STATUS_DISPLAY
HTTP status
Root Context
$([ "$(id -u)" -eq 0 ] && echo "Yes" || echo "No")
Kernel
$(uname -r | cut -d- -f1)
$(uname -r)

Important Disclaimer

Read this first: Scantide Linux Local Check is an assessment and awareness tool. It is not an EDR, antivirus, patch manager, or compliance certification. CVE matches are review leads based on detected service/runtime versions. Linux distributions often backport security fixes, so apparent CVEs must be confirmed against distro advisory data before being treated as confirmed.
EOF echo "

Linux Script Version Check

" >> "$REPORT" if [ -n "${VERSION_FEED_WARNING:-}" ]; then echo "
Version warning: $(printf '%s' "$VERSION_FEED_WARNING" | html_escape)
" >> "$REPORT" else echo "
Version status: $(printf '%s' "$VERSION_FEED_STATUS" | html_escape)
" >> "$REPORT" fi echo "
Local Linux script$(printf '%s' "$SCRIPT_VERSION" | html_escape)Online Linux script$(printf '%s' "${VERSION_FEED_REMOTE:-Unknown}" | html_escape)
Minimum recommended Linux script$(printf '%s' "${VERSION_FEED_MINIMUM:-Unknown}" | html_escape)Released$(printf '%s' "${VERSION_FEED_RELEASED:-Unknown}" | html_escape)
Feed URL$(printf '%s' "$VERSION_FEED_URL" | html_escape)
" >> "$REPORT" echo "
" >> "$REPORT" echo "
" >> "$REPORT" echo "

System Overview

" >> "$REPORT" echo "" >> "$REPORT" echo "" >> "$REPORT" echo "" >> "$REPORT" echo "" >> "$REPORT" echo "" >> "$REPORT" echo "
Host$HOSTDistro$DISTRO_NAME
Kernel$(uname -r)Architecture$(uname -m)
Root$([ "$(id -u)" -eq 0 ] && echo Yes || echo No)Deep scan$DEEP_SCAN
Platform$PLATFORM_LABELPrimary role$PRIMARY_ROLE ($PRIMARY_ROLE_CONFIDENCE)
Script version$SCRIPT_VERSIONVersion feed status$VERSION_STATUS_DISPLAY
" >> "$REPORT" echo "

Scantide Version Check

The Linux local check reuses the Scantide Auditor version feed. If the shared feed later exposes linuxLocalCheckUrl and a SHA256 value, the Linux runner can use those fields for safe update/download workflows.
" >> "$REPORT" render_version_check_html >> "$REPORT" echo "
" >> "$REPORT" echo "

Quick Actions

Top actions are generated from high/medium local findings and lifecycle review items. This gives the admin a short fix list before digging into evidence.
" >> "$REPORT" render_quick_actions_html >> "$REPORT" echo "
" >> "$REPORT" echo "

Likely Server Role Detection

Roles are inferred from detected application/network services and boosted by listening-port evidence. Virtualization/guest tools are shown as platform context, not as the server's primary business role.
" >> "$REPORT" render_server_roles_html >> "$REPORT" echo "
" >> "$REPORT" echo "

Platform / Virtualization

Shows whether this appears to be a physical server, VM, container or guest system. VMware Tools/open-vm-tools is also included in software inventory when detected.
" >> "$REPORT" [ -s "$PLATFORMFILE" ] && while IFS="$(printf ' ')" read -r k v; do echo "" >> "$REPORT"; done < "$PLATFORMFILE" echo "
$(printf '%s' "$k" | html_escape)$(printf '%s' "$v" | html_escape)
" >> "$REPORT" echo "

Services Summary

Summarizes detected service categories so the report quickly explains what the server appears to do.
" >> "$REPORT" render_services_summary_html >> "$REPORT" echo "
" >> "$REPORT" echo "

Scantide Linux Security Score

Score starts at 100 and subtracts weighted points for local findings and lifecycle review items. It is a quick triage signal, not a compliance grade.
Score$SECURITY_SCOREPenalty$SCORE_PENALTY
Critical$CRITICAL_FINDINGSHigh$HIGH_FINDINGS
Medium$MEDIUM_FINDINGSLow$LOW_FINDINGS
Lifecycle review items$LIFECYCLE_FINDINGSContainers$CONTAINERCOUNT
" >> "$REPORT" echo "

System Information

" >> "$REPORT" cmd_exists lscpu && echo "
CPU information
$(lscpu 2>&1 | html_escape)
" >> "$REPORT" cmd_exists free && echo "
Memory information
$(free -h 2>&1 | html_escape)
" >> "$REPORT" cmd_exists df && echo "
Disk usage
$(df -h 2>&1 | html_escape)
" >> "$REPORT" echo "
" >> "$REPORT" echo "

Executive Findings

" >> "$REPORT" render_findings_table echo "
" >> "$REPORT" echo "
" >> "$REPORT" echo "

Service Inventory Used For CVE Checks

This is preferred over raw package inventory. It uses actual service/runtime binaries such as apache2 -v, php -v, openssl version and ssh -V.
" >> "$REPORT" if [ -s "$SERVICEFILE" ]; then while IFS="$(printf '\t')" read -r product version source; do echo "" >> "$REPORT" done < "$SERVICEFILE" else echo "" >> "$REPORT" fi echo "
ProductVersionSource
$(printf '%s' "$product" | html_escape)$(printf '%s' "$version" | html_escape)$(printf '%s' "$source" | html_escape)
No service inventory captured.
" >> "$REPORT" echo "

Installed Software CVE Review

What this means: Linux CVE checks are conservative. Backend CVE matches are shown as review evidence unless confirmed by distro advisory data. Ancient or broad product-name CVEs should not be treated as confirmed without exact affected-version validation.
" >> "$REPORT" render_cve_table_html >> "$REPORT" echo "
" >> "$REPORT" echo "
" >> "$REPORT" echo "

Linux Lifecycle Review

What this means: Lifecycle checks are separate from CVE checks. The Linux scanner sends OS, kernel and detected service/runtime versions with platform=linux, so the API loads the Linux lifecycle catalog instead of the Windows/user-app catalog.
" >> "$REPORT" render_lifecycle_table_html >> "$REPORT" echo "
" >> "$REPORT" echo "
" >> "$REPORT" echo "

Listening Ports

A listening port is not automatically bad, but it should be expected, patched and scoped by firewall policy. Sensitive ports are marked for exposure review.
" >> "$REPORT" render_listening_ports_html >> "$REPORT" echo "
" >> "$REPORT" echo "

Container Inventory

Shows Docker/Podman containers when available. Container images can carry their own lifecycle/CVE risk and should be reviewed separately from the host OS.
" >> "$REPORT" render_container_inventory_html >> "$REPORT" echo "
Raw container evidence
" >> "$REPORT"
[ -s "$CONTAINERFILE" ] && cat "$CONTAINERFILE" | html_escape >> "$REPORT" || echo "No container inventory captured." >> "$REPORT"
echo "
" >> "$REPORT" echo "

Firewall

" >> "$REPORT" cmd_exists ufw && echo "
UFW status
$(ufw status verbose 2>&1 | html_escape)
" >> "$REPORT" cmd_exists nft && echo "
nftables ruleset
$(nft list ruleset 2>&1 | html_escape)
" >> "$REPORT" cmd_exists iptables && echo "
iptables rules
$(iptables -L -n -v 2>&1 | html_escape)
" >> "$REPORT" echo "
" >> "$REPORT" echo "

SSH Hardening

" >> "$REPORT" if [ -f /etc/ssh/sshd_config ]; then echo "
sshd_config highlights
$(grep -Ei 'PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords|X11Forwarding|Port' /etc/ssh/sshd_config 2>/dev/null | html_escape)
" >> "$REPORT" else echo "
No sshd_config found.
" >> "$REPORT" fi echo "
" >> "$REPORT" echo "

Service Hardening Evidence

Collected configuration highlights for SSH, Apache, Nginx, Redis and Docker where available.
Show hardening evidence
" >> "$REPORT"
[ -s "$HARDENING_RAW" ] && cat "$HARDENING_RAW" | html_escape >> "$REPORT" || echo "No hardening evidence captured." >> "$REPORT"
echo "
" >> "$REPORT" echo "
" >> "$REPORT" echo "

Version Feed Evidence

Show version feed raw JSON
" >> "$REPORT"
[ -s "$VERSIONJSON" ] && cat "$VERSIONJSON" | html_escape >> "$REPORT" || echo "No version feed JSON captured." >> "$REPORT"
echo "
" >> "$REPORT" echo "

Raw CVE API Evidence

Show raw CVE API payload/response
" >> "$REPORT"
[ -s "$CVE_RAW" ] && head -2000 "$CVE_RAW" | html_escape >> "$REPORT" || echo "No CVE raw evidence." >> "$REPORT"
echo "
" >> "$REPORT" echo "

Raw Lifecycle API Evidence

Show raw lifecycle API payload/response
" >> "$REPORT"
[ -s "$LIFECYCLE_RAW" ] && head -2000 "$LIFECYCLE_RAW" | html_escape >> "$REPORT" || echo "No lifecycle raw evidence." >> "$REPORT"
echo "
" >> "$REPORT" echo "

Parsed Listening Port Inventory

Show parsed listening-port TSV
" >> "$REPORT"
[ -s "$PORTFILE" ] && cat "$PORTFILE" | html_escape >> "$REPORT" || echo "No parsed port inventory." >> "$REPORT"
echo "
" >> "$REPORT" echo "

Installed Package Inventory

Package inventory is included as evidence, but CVE checks use service/runtime inventory to reduce false positives.
Show first 500 installed packages
" >> "$REPORT"
[ -s "$PKGFILE" ] && head -500 "$PKGFILE" | html_escape >> "$REPORT" || echo "No package inventory." >> "$REPORT"
echo "
" >> "$REPORT" echo "

Local Risk Indicators

" >> "$REPORT" if [ "$DEEP_SCAN" = true ]; then echo "

SUID binaries

$(find / -xdev -perm -4000 -type f 2>/dev/null | head -300 | html_escape)
" >> "$REPORT" echo "

World-writable directories

$(find / -xdev -type d -perm -0002 2>/dev/null | head -300 | html_escape)
" >> "$REPORT" else echo "
Fast mode. Use --deep for fuller filesystem checks.
" >> "$REPORT" echo "

SUID binaries in common paths

$(find /usr/bin /usr/sbin /bin /sbin /usr/local/bin -xdev -perm -4000 -type f 2>/dev/null | head -150 | html_escape)
" >> "$REPORT" fi echo "
" >> "$REPORT" cat >> "$REPORT" <<'EOF'
EOF log "Done" echo "Report created: $REPORT" echo "Package inventory: $PKGFILE" echo "Service CVE inventory: $SERVICEFILE" echo "CVE payload: $CVE_PAYLOAD" echo "CVE raw output: $CVE_RAW" echo "Lifecycle payload: $LIFECYCLE_PAYLOAD" echo "Lifecycle raw output: $LIFECYCLE_RAW" echo "Container inventory: $CONTAINERFILE" echo "Container table: $CONTAINER_TSV" echo "Listening ports: $PORTFILE" echo "Detected roles: $ROLEFILE" echo "Platform inventory: $PLATFORMFILE" echo "Quick actions: $QUICKACTIONS" echo "Hardening evidence: $HARDENING_RAW"