#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Category: Boot and services
#
#################################################################################
#
    InsertSection "Boot and services"
#
#################################################################################
#
    BOOT_LOADER="unknown"
    BOOT_LOADER_FOUND=0
    GRUB_VERSION=0
    SERVICE_MANAGER="unknown"
#
#################################################################################
#
    # Test        : BOOT-5102
    # Description : Check for AIX boot device
    # Notes       : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader)
    Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Query bootinfo for AIX boot device"
        if [ -x /usr/sbin/bootinfo ]; then
            FIND=`/usr/sbin/bootinfo -b`
            if [ ! "${FIND}" = "" ]; then
                logtext "Result: found boot device ${FIND}"
                Display --indent 2 --text "- Checking boot device (bootinfo)" --result FOUND --color GREEN
                BOOT_LOADER="ROS"
                BOOT_LOADER_FOUND=1
              else
                logtext "Result: no data received from bootinfo, most likely boot device not found"
                #Display --indent 4 --text "- Checking boot device (bootinfo)" --result "NOT FOUND" --color YELLOW
                #ReportSuggestion ${TEST_NO}  "Only use root (not sudo account) to query properly boot device"
            fi
        fi
    fi

#
#################################################################################
#
    # Test        : BOOT-5104
    # Description : Determine service manager
    # Notes       :
    # initscripts     - Used by Arch before
    # systemd         - Common option with more Linux distros implementing it
    # upstart         - Used by Debian/Ubuntu
    Register --test-no BOOT-5104 --weight L --network NO --description "Determine service manager"
    if [ ${SKIPTEST} -eq 0 ]; then
        case ${OS} in
            "Linux")
                if [ -f /proc/1/cmdline ]; then
                    FILE=`cat /proc/1/cmdline | grep "^/" | awk '{ print $1 }'`
                    if [ ! "${FILE}" = "" ]; then
                        if [ -L ${FILE} ]; then
                            ShowSymlinkPath ${FILE}
                            if [ -f ${sFILE} ]; then
                                 SHORTNAME=`echo ${sFILE} | awk -F/ '{ print $NF }'`
                                 case ${SHORTNAME} in
                                     upstart)
                                           SERVICE_MANAGER="upstart"
                                     ;;
                                     systemd)
                                           SERVICE_MANAGER="systemd"
                                     ;;
                                     *)
                                           logtext "Found ${SHORTNAME} but unclear what service manager this is"
                                     ;;
                                 esac
                               else
                                 logtext "Result: Could not find linked file ${sFILE}"
                            fi
                          else
                            FIND=`echo ${FILE} | grep "/systemd"`
                            if [ ! "${FIND}" = "" ]; then
                                SERVICE_MANAGER="systemd"
                            fi
                        fi
                      else
                        logtext "Result: /proc/1/cmdline does not link to a binary on disk"
                    fi
                fi
                # Continue testing if we didn't find it yet
                if [ "${SERVICE_MANAGER}" = "unknown" ]; then
                    if [ -f /usr/bin/init-openrc ]; then SERVICE_MANAGER="openrc"; fi
                fi
            ;;
            "DragonFly"|"NetBSD")
                if [ -x /sbin/init -a -d /etc/rc.d -a -f /etc/rc ]; then
                    SERVICE_MANAGER="bsdrc"
                fi
            ;;
            *)
                logtext "Result: unknown service manager"
        esac
        if [ "${SERVICE_MANAGER}" = "unknown" ]; then
            Display --indent 2 --text "- Service Manager" --result "UNKNOWN" --color YELLOW
          else
            Display --indent 2 --text "- Service Manager" --result "${SERVICE_MANAGER}" --color GREEN
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5121
    # Description : Check for GRUB boot loader
    Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
        if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
            FOUND=1
            BOOT_LOADER="GRUB"
            BOOT_LOADER_FOUND=1
            GRUB_VERSION=1
            Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN
            if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
        fi

        # GRUB2 configuration file
        if [ -f /boot/grub/grub.cfg -o -f /boot/grub2/grub.cfg ]; then
            FOUND=1
            BOOT_LOADER="GRUB2"
            BOOT_LOADER_FOUND=1
            GRUB_VERSION=2
            Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
            if [ -f /boot/grub/grub.cfg ]; then
                GRUBCONFFILE="/boot/grub/grub.cfg"
            elif [ -f /boot/grub2/grub.cfg ]; then
                GRUBCONFFILE="/boot/grub2/grub.cfg"
            fi
            logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
        fi

        # Some OSes like Gentoo do not have /boot mounted by default
        if [ -d /boot ]; then
            if [ "`ls /boot/* 2> /dev/null`" = "" -a ! "${GRUB2INSTALLBINARY}" = "" ]; then
                BOOT_LOADER_FOUND=1
                logtext "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
                Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
                ReportManual "${TEST_NO}:01"
            fi
        fi

        if [ ${FOUND} -eq 0 ]; then
            logtext "Result: no GRUB configuration file found."
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5122
    # Description : Check for GRUB boot loader configuration
    if [ ! "${GRUBCONFFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for GRUB boot password"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
        FileIsReadable ${GRUBCONFFILE}
        if [ ${CANREAD} -eq 1 ]; then
            FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
            FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
            FIND3=`cat ${GRUBCONFFILE} | grep 'set superusers' | grep -v '^#'`
            FIND4=`cat ${GRUBCONFFILE} | grep 'password_pbkdf2' | grep -v '^#'`
            # GRUB1: MD5 or SHA1
            if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
                FOUND=1
              # GRUB2: Superusers and password should be defined
              elif [ ! "${FIND3}" = "" -a ! "${FIND4}" = "" ]; then
                FOUND=1
            fi
            if [ ${FOUND} -eq 1 ]; then
                Display --indent 4 --text "- Checking for password protection" --result OK --color GREEN
                logtext "Result: GRUB has password protection."
                AddHP 4 4
              else
                Display --indent 4 --text "- Checking for password protection" --result WARNING --color RED
                logtext "Result: Didn't find hashed password line in GRUB boot file!"
                ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
                AddHP 0 2
            fi
          else
                logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5124
    # Description : Check for FreeBSD boot loader
    Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
            logtext "Result: found boot1, boot2 and loader files in /boot"
            Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
            BOOT_LOADER="FreeBSD"
            BOOT_LOADER_FOUND=1
          else
            logtext "Result: Not all expected files found in /boot"
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5126
    # Description : Check for NetBSD boot loader
    Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
            logtext "Result: found NetBSD secondary bootstrap"
            Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
            BOOT_LOADER="NetBSD"
            BOOT_LOADER_FOUND=1
          else
            logtext "Result: NetBSD secondary bootstrap not found"
            ReportException "${TEST_NO}:1" "No boot loader found on NetBSD"
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5139
    # Description : Check for LILO boot loader
    # Notes       : password= or password =
    Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        LILOCONFFILE="/etc/lilo.conf"
        logtext "Test: checking for presence LILO configuration file"
        if [ -f ${LILOCONFFILE} ]; then
            FileIsReadable ${LILOCONFFILE}
            if [ ${CANREAD} -eq 1 ]; then
                BOOT_LOADER="LILO"
                BOOT_LOADER_FOUND=1
                Display --indent 2 --text "- Checking presence LILO" --result "OK" --color GREEN
                logtext "Checking password option LILO"
                FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
                if [ "${FIND}" = "" ]; then
                    Display --indent 4 --text "- Password option presence " --result "WARNING" --color RED
                    logtext "Result: no password set for LILO. Bootloader is unprotected to"
                    logtext "dropping to single user mode or unauthorized access to devices/data."
                    ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
                    ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
                    AddHP 0 2
                  else
                    Display --indent 4 --text "- Password option presence " --result "OK" --color GREEN
                    logtext "Result: LILO password option set"
                    AddHP 4 4
                fi
              else
                logtext "Result: can not read ${LILOCONFFILE} (no permission)"
            fi
          else
            logtext "Result: LILO configuration file not found"
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5142
    # Description : Check for SILO boot loader
    Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -f /etc/silo.conf ]; then
            logtext "Result: Found SILO configuration file (/etc/silo.conf)"
            Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN
            BOOT_LOADER="SILO"
            BOOT_LOADER_FOUND=1
          else
            logtext "Result: no SILO configuration file found."
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5144
    # Description : Check for SILO boot loader consistency
    # Notes       : To be tested on Gentoo
#    Register --test-no BOOT-5144 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
#    if [ ${SKIPTEST} -eq 0 ]; then
#        if [ -f /etc/silo.conf -a -x /sbin/silo ]; then
#            FIND=`/sbin/silo | grep "appears to be valid"`
#            if [ ! "${FIND}" = "" ]; then
#                logtext "Result: Found SILO configuration file (/etc/silo.conf)"
#                Display --indent 6 --text "- Checking SILO consistency" --result OK --color GREEN
#              else
#                logtext "Result: no positive result received from silo binary"
#                ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)"
#                Display --indent 6 --text "- Checking SILO consistency" --result WARNING --color RED
#            fi
#        fi
#    fi
#
#################################################################################
#
    # Test        : BOOT-5155
    # Description : Check for YABOOT boot loader
    Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Check for /etc/yaboot.conf"
        if [ -f /etc/yaboot.conf ]; then
            logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
            Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
            BOOT_LOADER="YABOOT"
            BOOT_LOADER_FOUND=1
          else
            logtext "Result: no YABOOT configuration file found."
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5159
    # Description : Check for OpenBSD boot loader
    # More info   : Only OpenBSD
    Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --description "Check for OpenBSD boot loader presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        # Boot files
        # /usr/mdec/biosboot: first stage bootstrap
        # /boot             : second stage bootstrap
        if [ -f /usr/mdec/biosboot -a -f /boot ]; then
            FOUND=1
        fi
        # Configuration file
        if [ -f /etc/boot.conf ]; then
            FOUND=1
            Display --indent 2 --text "- Checking /etc/boot.conf" --result "FOUND" --color GREEN
            FIND=`grep '^boot' /etc/boot.conf`
            if [ "${FIND}" = "" ]; then
                Display --indent 4 --text "- Checking boot option" --result WARNING --color RED
                #ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
                ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
              else
                Display --indent 4 --text "- Checking boot option" --result OK --color GREEN
                logtext "Ok, boot option is enabled."
            fi
          else
            Display --indent 2 --text "- Checking /etc/boot.conf" --result "NOT FOUND" --color YELLOW
            logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical"
            logtext "access to the server can be used to possibly enter single user mode."
            ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
        fi
        if [ ${FOUND} -eq 1 ]; then
            logtext "Result: found OpenBSD boot loader"
            BOOT_LOADER="OpenBSD"
            BOOT_LOADER_FOUND=1
        fi


    fi
#
#################################################################################
#
    if [ ${BOOT_LOADER_FOUND} -eq 0 ]; then
        # Your boot loader is not detected. Want to help supporting it, see the README
        ReportException "BOOTLOADER" "No boot loader found"
        Display --indent 4 --text "- Boot loader" --result "NONE FOUND" --color RED
    fi
#
#################################################################################
#
    # Test        : BOOT-5165
    # Description : Check for FreeBSD boot services
    Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot services"
    if [ ${SKIPTEST} -eq 0 ]; then
        # FreeBSD (Read /etc/rc.conf file for enabled services)
        logtext "Searching for services at startup (rc.conf)"
        FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
        N=0
        for I in ${FIND}; do
            logtext "Found service (rc.conf): ${I}"
            report "boottask[]=${I}"
            N=`expr ${N} + 1`
        done
        Display --indent 2 --text "- Checking services at startup (rc.conf)" --result "DONE" --color GREEN
        Display --indent 6 --text "Result: found $N services/options set"
        logtext "Found $N services/options to run at startup"
    fi
#
#################################################################################
#
    # Test        : BOOT-5177
    # Description : Check for Linux boot services (systemd and chkconfig)
    # Notes       : We skip using chkconfig if systemd is being used.
    Register --test-no BOOT-5177 --os Linux --weight L --network NO --description "Check for Linux boot and running services"
    if [ ${SKIPTEST} -eq 0 ]; then
        CHECKED=0
        logtext "Test: checking presence systemctl binary"
        # Determine if we have systemctl on board
        if [ ! "${SYSTEMCTLBINARY}" = "" ]; then
            logtext "Result: systemctl binary found, trying that to discover information"
            # Running services
            logtext "Searching for running services (systemctl services only)"
            FIND=`${SYSTEMCTLBINARY} --full --type=service | awk '{ if ($4=="running") { print $1 } }' | awk -F. '{ print $1 }'`
            N=0
            report "running_service_tool=systemctl"
            for I in ${FIND}; do
                logtext "Found running service: ${I}"
                report "running_service[]=${I}"
                N=`expr ${N} + 1`
            done
            logtext "Note: Run systemctl --full --type=service to see all services"
            Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN
            Display --indent 8 --text "Result: found $N running services"
            logtext "Result: Found $N enabled services"

            # Services at boot
            logtext "Searching for enabled services (systemctl services only)"
            FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | awk '{ if ($2=="enabled") { print $1 } }' | awk -F. '{ print $1 }'`
            N=0
            report "boot_service_tool=systemctl"
            for I in ${FIND}; do
                logtext "Found enabled service at boot: ${I}"
                report "boot_service[]=${I}"
                N=`expr ${N} + 1`
            done
            logtext "Note: Run systemctl list-unit-files --type=service to see all services"
            Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN
            Display --indent 8 --text "Result: found $N enabled services"
            logtext "Result: Found $N running services"

          else
            logtext "Result: systemctl binary not found, checking chkconfig binary"
            if [ ! "${CHKCONFIGBINARY}" = "" ]; then
                logtext "Result: chkconfig binary found, trying that to discover information"
                logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)"
                FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
                N=0
                report "boot_service_tool=chkconfig"
                for I in ${FIND}; do
                    logtext "Found service (at boot, runlevel 3 or 5): ${I}"
                    report "boot_service[]=${I}"
                    N=`expr ${N} + 1`
                done
                logtext "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
                Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN
                Display --indent 8 --text "Result: found $N services"
                logtext "Result: Found $N services at startup"
              else
                logtext "Result: both systemctl and chkconfig not found. Skipping this test"
            fi
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5180
    # Description : Check for Linux boot services (Debian style)
    if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Runlevel check
        sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
        if [ ! "${sRUNLEVEL}" = "" ]; then
            FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
            if [ ! "${FIND}" = "" ]; then
                N=0
                for I in ${FIND}; do
                    logtext "Found service (at boot, runlevel 2): ${I}"
                    N=`expr ${N} + 1`
                done
                Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
                Display --indent 4 --text "Result: found $N services"
                logtext "Found $N services"
            fi
          else
            ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5184
    # Description : Check world writable startup scripts
    Register --test-no BOOT-5184 --os Linux --weight L --network NO --description "Check permissions for boot files/scripts"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        CHECKDIRS="/etc/init.d /etc/rc.d /etc/rcS.d"

        logtext "Result: checking /etc/init.d scripts for writable bit"
        for I in ${CHECKDIRS}; do
            logtext "Test: checking if directory ${I} exists"
            if [ -d ${I} ]; then
                logtext "Result: directory ${I} found"
                logtext "Test: checking for available files in directory"
                FIND=`find ${I} -type f -print`
                if [ ! "${FIND}" = "" ]; then
                    logtext "Result: found files in directory, checking permissions now"
                    for J in ${FIND}; do
                        logtext "Test: checking permissions of file ${J}"
                        IsWorldWritable ${J}
                        if [ $? -eq 1 ]; then
                            logtext "Result: warning, file ${J} is world writable"
                            FOUND=1
                          else
                            logtext "Result: good, file ${J} not world writable"
                        fi
                    done
                  else
                    logtext "Result: found no files in directory."
                fi
              else
                logtext "Result: directory ${I} not found. Skipping.."
            fi
        done

        # /etc/rc[0-6].d
        for NO in 0 1 2 3 4 5 6; do
            logtext "Test: Checking /etc/rc${NO}.d scripts for writable bit"
            if [ -d /etc/rc${NO}.d ]; then
                FIND=`find /etc/rc${NO}.d -type f -print`
                for I in ${FIND}; do
                    IsWorldWritable ${I}
                    if [ $? -eq 1 ]; then
                        logtext "Result: warning, file ${I} is world writable"
                        FOUND=1
                      else
                        logtext "Result: good, file ${I} not world writable"
                    fi
                done
            fi
        done

        # Other files
        CHECKFILES="/etc/rc /etc/rc.local /etc/rc.d/rc.sysinit"
        for I in ${CHECKFILES}; do
            if [ -f ${I} ]; then
                logtext "Test: Checking ${I} file for writable bit"
                IsWorldWritable ${I}
                if [ $? -eq 1 ]; then
                    ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
                    FOUND=1
                    logtext "Result: warning, file ${I} is world writable"
                  else
                    logtext "Result: good, file ${I} not world writable"
                fi
            fi
        done

        # Check results
        if [ ${FOUND} -eq 1 ]; then
            Display --indent 2 --text "- Check startup files (permissions)" --result "WARNING" --color RED
            ReportWarning ${TEST_NO} "H" "Found world writable startup scripts"
            logtext "Result: found one or more scripts which are possibly writable by other users"
            AddHP 0 3
          else
            Display --indent 2 --text "- Check startup files (permissions)" --result "OK" --color GREEN
            AddHP 3 3
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5202
    # Description : Check uptime of system
    Register --test-no BOOT-5202 --weight L --network NO --description "Check uptime of system"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        FIND=""
        case "${OS}" in
            Linux)
                # Idle time, not real uptime
                if [ -f /proc/uptime ]; then
                    FIND=`cat /proc/uptime | cut -d ' ' -f1 | cut -d '.' -f1`
                  else
                    Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
                    ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)"
                fi
                ;;

             DragonFly|FreeBSD|MacOS)
                if [ ! "${SYSCTLBINARY}" = "" ]; then
                    FIND=`${SYSCTLBINARY} kern.boottime | awk '{ print $5 }' | sed -e 's/,//' | grep "[0-9]"`
                  else
                    Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
                    ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
                fi
                ;;

             NetBSD|OpenBSD)
                if [ ! "${SYSCTLBINARY}" = "" ]; then
                    TIME_BOOT=`${SYSCTLBINARY} -n kern.boottime`
                    TIME_NOW=`date "+%s"`
                    logtext "Boot time: ${TIME_BOOT}"
                    logtext "Current time: ${TIME_NOW}"
                    if [ ! "${TIME_BOOT}" = "" -a ! "${TIME_NOW}" = "" ]; then
                        UPTIME_IN_SECS=`expr ${TIME_NOW} - ${TIME_BOOT}`
                      else
                        ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime"
                    fi
                  else
                    Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
                    ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
                fi
                ;;

            Solaris)
                if [ ! "${KSTATBINARY}" = "" ]; then
                    FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | grep "^unix" | awk '{print $2}' | cut -d "." -f1`
                  else
                    Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
                    ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)"
                fi
                ;;

            *)
                Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW

                # Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds)
                ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
                ;;
        esac
        if [ ! "${FIND}" = "" ]; then
            UPTIME_IN_SECS="${FIND}"
            UPTIME_IN_DAYS=`expr ${UPTIME_IN_SECS} / 60 / 60 / 24`
            logtext "Uptime (in seconds): ${UPTIME_IN_SECS}"
            logtext "Uptime (in days): ${UPTIME_IN_DAYS}"
            report "uptime_in_seconds=${UPTIME_IN_SECS}"
            report "uptime_in_days=${UPTIME_IN_DAYS}"
          else
            logtext "Result: no uptime information available"
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5260
    # Description : Check single user mode for systemd
    Register --test-no BOOT-5260 --weight L --network NO --description "Check single user mode for systemd"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Check if file exists
        logtext "Test: Searching /usr/lib/systemd/system/rescue.service"
         if [ -f /usr/lib/systemd/system/rescue.service ]; then
             logtext "Result: file /usr/lib/systemd/system/rescue.service"
             logtext "Test: checking presence sulogin for single user mode"
             FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service`
             if [ ! "${FIND}" = "" ]; then
                 FOUND=1
                 logtext "Result: found sulogin, so single user is protected"
                 AddHP 3 3
               else
                 logtext "Result: did not find sulogin in rescue.service"
                 AddHP 1 3
                 Display --indent 2 --text "- Checking sulogin in rescue.service" --result "NOT FOUND" --color YELLOW
                 ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin"
             fi
           else
             logtext "Result: file /usr/lib/systemd/system/rescue.service does not exist"
         fi
    fi
#
#################################################################################
#

report "boot_loader=${BOOT_LOADER}"
report "service_manager=${SERVICE_MANAGER}"

wait_for_keypress

#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
