#!/bin/sh
#Copyright 2014-2016, William Stearns <william.l.stearns@gmail.com>
#Released under the GPL

#Generic Retrieve ATtRibutes - pull system details back over ssh or via syslog.
#Format:
#   Record_type,YYYYMMDD,HHMMSS,primary_ip,hostname,{record specific CSV fields}

#Place in /etc/cron.daily/ on Linux, /etc/periodic/daily/ on Freebsd
#If running as non-root, you'll almost certainly need NOPASSWD sudo access for the following
#commands; add this (minus "#", and placing the user account name at the left) to /etc/sudoers:

#user_running_as	ALL=(root) NOPASSWD:/bin/passwd -S *,/usr/bin/passwd -S *,/bin/yum check-update,/usr/bin/yum check-update,/usr/sbin/dmidecode,/usr/bin/grep -q ^[a-zA-Z0-9_][a-zA-Z0-9_]*\:.LOCKED. /etc/master.passwd,/usr/sbin/lsof -nP +c 0 -iTCP -sTCP\:LISTEN,/usr/sbin/lsof -nP +c 0 -iUDP,/bin/grep \[es\]\[cs\]\[dh\]\[s-\]\[ard\]\[s-\]\[as\] /root/.ssh/authorized_keys /root/.ssh/authorized_keys2 /home/*/.ssh/authorized_keys /home/*/.ssh/authorized_keys2 /Users/*/.ssh/authorized_keys /Users/*/.ssh/authorized_keys2,/usr/bin/grep \[es\]\[cs\]\[dh\]\[s-\]\[ard\]\[s-\]\[as\] /root/.ssh/authorized_keys /root/.ssh/authorized_keys2 /home/*/.ssh/authorized_keys /home/*/.ssh/authorized_keys2 /Users/*/.ssh/authorized_keys /Users/*/.ssh/authorized_keys2,/sbin/lshw,/usr/bin/lshw,/usr/sbin/lshw

#Note, this should be a regex of "^username:*LOCKED*", but sudoers will not let us use
#single quotes, double quotes or asterisk.  This is enough to safely match.  Same for
#the grep statement.

#If these are running from cron, you'll also need to add this line to /etc/sudoers
#(again, no '#' and put the username in for "user_running_as"):
#Defaults:user_running_as !requiretty

#Requires: awk cat curl date egrep grep head hostname netstat passwd sed sort tr

#Strongly suggested packages to install:
# dmidecode lshw

#Params:
# --nosudo : don't use sudo at all; forces $Want... to be blank.
#	(As a side note we also force these to be blank if neither /bin/sudo nor /usr/bin/sudo exists)
# --nologger : don't use logger to save these lines to syslog as well as print them on stdout

GratrVersion='1.1.7'


AddServiceNames () {
	while read Port ; do
		echo "${Port},`grep \"[[:space:]]$Port\" /etc/services | awk '{print $1}' | head -n 1`"
	done
}


BinExists () {
	type "$1" 2>/dev/null | egrep -q '( is /| is a tracked alias for /|is hashed \(/)'
	#return code is the one from the egrep, returns true if $1 executable exists, else false.
}

UseLogger=''
if BinExists logger ; then
	UseLogger='true'
fi

if [ -x /usr/sbin/lsof ]; then
	LsofPath='/usr/sbin/lsof'
elif [ -x /sbin/lsof ]; then
	LsofPath='/sbin/lsof'
fi



Show () {
#Sole parameter: "$1" holds the code used for this record type.  It shows up in the first column of csv output.
	RawLines="`cat`"
	if [ -n "$RawLines" ]; then
		echo "$RawLines" | sed -e "s/^/$1,$BestIP,$MyHostname,$NowDate,$NowTime,/"
		if [ "$UseLogger" = 'true' ]; then
			echo "$RawLines" | sed -e "s/^/$1,$BestIP,$MyHostname,$NowDate,$NowTime,/" | logger -t gratr
		fi
	else
		echo "no data recorded" | sed -e "s/^/$1,$BestIP,$MyHostname,$NowDate,$NowTime,/"
		if [ "$UseLogger" = 'true' ]; then
			echo "no data recorded" | sed -e "s/^/$1,$BestIP,$MyHostname,$NowDate,$NowTime,/" | logger -t gratr
		fi
	fi
}


#======== Collect basic info needed to run the script ========
export PATH="/sbin:/usr/sbin:$PATH"

NowDate=`date +%Y%m%d`
NowTime=`date +%H%M%S`

while [ -n "$1" ]; do
	case "$1" in
	--nosudo)
		NoSudo='yes'
		;;
	--nologger)
		UseLogger=''
		;;
	*)
		echo "Unrecognized param $1 , exiting"
		exit 1
		;;
	esac
	shift
done

if [ "$NoSudo" = 'yes' ]; then
	#Don't try to use sudo if user asked us not to
	WantRoot=''
	WantNonRoot=''
	if [ "$EUID" = "0" ]; then
		CanRoot='true'
	else
		CanRoot='false'
	fi
elif [ ! -e /bin/sudo -a ! -e /usr/bin/sudo ]; then
	#Don't try to use sudo if there's no sudo binary
	WantRoot=''
	WantNonRoot=''
	if [ "$EUID" = "0" ]; then
		CanRoot='true'
	else
		CanRoot='false'
	fi
elif [ "$EUID" = "0" ]; then
	#Script is running as root, so we don't need to do anything to run commands as root...
	WantRoot=" "
	#...and do need a prefix to run commands as nobody (a non-root user available on most OS's)
	WantNonRoot="`which sudo 2>/dev/null` -n -u nobody "
	CanRoot='true'
else
	#Script is NOT running as root, so we need a prefix to run commands as root...
	WantRoot="`which sudo 2>/dev/null` -n "
	#...and do NOT need a prefix to run commands as the current non-root user
	WantNonRoot=" "
	CanRoot='true'
fi


#FIXME - extract IPv6 too
MyIps="`$WantNonRoot ifconfig </dev/null | grep 'inet ' | egrep -v '(inet addr:127\.|inet 127\.)' | sed -e 's/^.*inet addr://' -e 's/^.*inet \([0-9]\)/\1/' -e 's/ .*//'`"
#Following returns how many real IPs are assigned to this system
#We have to throw away whitespace for the original bourne shell so we use tr -d whitespace
case `echo "$MyIps" | egrep -v '(^10\.|^192\.168\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.)' | wc -l | tr -d ' \t'` in
0)	#No real IPs, use the first reserved IP
	BestIP="`echo \"$MyIps\" | egrep '(^10\.|^192\.168\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.)' | sort | head -n 1`"
	;;
1)	#One real IP, use it
	BestIP="`echo \"$MyIps\" | egrep -v '(^10\.|^192\.168\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.)'`"
	;;
*)	#Multiple real IP's, use the sorted first one
	BestIP="`echo \"$MyIps\" | egrep -v '(^10\.|^192\.168\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.)' | sort | head -n 1`"
	;;
esac

MyHostname="`$WantNonRoot hostname -s </dev/null`"


#======== Figure out what platform we're on

OS_CLASS='unknown'
DISTRIB_ID='unknown'
DISTRIB_RELEASE='unknown'
DISTRIB_ARCH='unknown'
PACKAGECLASS='unknown'
INSTALLTOOL='unknown'

if BinExists rpm && $WantNonRoot rpm -q rockstor-release </dev/null >/dev/null 2>&1 ; then
	OS_CLASS='linux'
	DISTRIB_ID=`$WantNonRoot rpm -q rockstor-release --queryformat='%{name}' </dev/null 2>/dev/null | sed -e 's/-release//' | tr A-Z a-z`
	DISTRIB_RELEASE=`$WantNonRoot rpm -q rockstor-release --queryformat='%{version}' </dev/null 2>/dev/null`
	PACKAGECLASS='rpm'
	if BinExists yum ; then
		INSTALLTOOL='yum'
	else
		INSTALLTOOL='rpm'
	fi
elif BinExists rpm && $WantNonRoot rpm -q fedora-release </dev/null >/dev/null 2>&1 ; then
	OS_CLASS='linux'
	DISTRIB_ID=`$WantNonRoot rpm -q fedora-release --queryformat='%{name}' </dev/null 2>/dev/null | sed -e 's/-release//' | tr A-Z a-z`
	DISTRIB_RELEASE=`$WantNonRoot rpm -q fedora-release --queryformat='%{version}' </dev/null 2>/dev/null`
	PACKAGECLASS='rpm'
	if BinExists yum ; then
		INSTALLTOOL='yum'
	else
		INSTALLTOOL='rpm'
	fi
elif BinExists rpm && $WantNonRoot rpm -q centos-release >/dev/null 2>&1 ; then
	#Do centos first; older versions may also have advertised redhat-release
	OS_CLASS='linux'
	DISTRIB_ID=`$WantNonRoot rpm -q centos-release --queryformat='%{name}' </dev/null 2>/dev/null | sed -e 's/-release//' | tr A-Z a-z`
	DISTRIB_RELEASE=`$WantNonRoot rpm -q centos-release --queryformat='%{version}' </dev/null 2>/dev/null`
	PACKAGECLASS='rpm'
	if BinExists yum ; then
		INSTALLTOOL='yum'
	else
		INSTALLTOOL='rpm'
	fi
elif BinExists rpm && $WantNonRoot rpm -q sl-release >/dev/null 2>&1 ; then
	#Likewise, scientific linux looks a lot like redhat; check for sl before redhat
	OS_CLASS='linux'
	DISTRIB_ID=`$WantNonRoot rpm -q sl-release --queryformat='%{name}' </dev/null 2>/dev/null | sed -e 's/-release//' | tr A-Z a-z`
	DISTRIB_RELEASE=`$WantNonRoot rpm -q sl-release --queryformat='%{version}' </dev/null 2>/dev/null | sed -e 's/Server$//'`
	PACKAGECLASS='rpm'
	if BinExists yum ; then
		INSTALLTOOL='yum'
	else
		INSTALLTOOL='rpm'
	fi
elif BinExists rpm && $WantNonRoot rpm -q redhat-release >/dev/null 2>&1 ; then
	OS_CLASS='linux'
	DISTRIB_ID=`$WantNonRoot rpm -q redhat-release --queryformat='%{name}' </dev/null 2>/dev/null | sed -e 's/-release//' | tr A-Z a-z`
	DISTRIB_RELEASE=`$WantNonRoot rpm -q redhat-release --queryformat='%{version}' </dev/null 2>/dev/null | sed -e 's/Server$//'`
	PACKAGECLASS='rpm'
	if BinExists yum ; then
		INSTALLTOOL='yum'
	else
		INSTALLTOOL='rpm'
	fi
elif [ -s /etc/system-release -a `$WantNonRoot cat /etc/system-release </dev/null 2>/dev/null | grep -ic amazon` -gt 0 ]; then
	OS_CLASS='linux'
	DISTRIB_ID='amazon'
	DISTRIB_RELEASE=`$WantNonRoot rpm -q system-release --queryformat='%{version}' </dev/null 2>/dev/null`
	PACKAGECLASS='rpm'
	if BinExists yum ; then
		INSTALLTOOL='yum'
	else
		INSTALLTOOL='rpm'
	fi
elif [ -s /etc/linuxmint/info -a `$WantNonRoot cat /etc/linuxmint/info </dev/null 2>/dev/null | grep -ic 'DESCRIPTION="Linux Mint'` -gt 0 ]; then
	#Check for this before Debian or Ubuntu as it's a derivative of both
	OS_CLASS='linux'
	DISTRIB_ID='linuxmint'
	DISTRIB_RELEASE="`grep '^RELEASE=' /etc/linuxmint/info | sed -e 's/RELEASE=//'`"
	PACKAGECLASS='deb'
	if BinExists apt-get ; then
		INSTALLTOOL='apt-get'
	fi
elif [ -s /etc/lsb-release -a `$WantNonRoot cat /etc/lsb-release </dev/null 2>/dev/null | grep -ic 'DISTRIB_ID=Ubuntu'` -gt 0 ]; then
	#Check for this before /etc/debian_version ; Ubuntu has both, Debian only has /etc/debian_version
	OS_CLASS='linux'
	DISTRIB_ID="`grep '^DISTRIB_ID=' /etc/lsb-release | sed -e 's/DISTRIB_ID=//' | tr A-Z a-z`"
	DISTRIB_RELEASE="`grep '^DISTRIB_RELEASE=' /etc/lsb-release | sed -e 's/DISTRIB_RELEASE=//'`"
	PACKAGECLASS='deb'
	if BinExists apt-get ; then
		INSTALLTOOL='apt-get'
	fi
elif [ -f /etc/debian_version -a -f /opt/vyatta/etc/motd.tail -a `grep -ai 'VyOS' /opt/vyatta/etc/motd.tail | wc -l` -gt 0 ]; then
	OS_CLASS='linux'
	DISTRIB_ID='vyos'
	DISTRIB_RELEASE="`cat /opt/vyatta/etc/version | sed -e 's/^Version: *//'`"
	PACKAGECLASS='deb'
	if BinExists apt-get ; then
		INSTALLTOOL='apt-get'
	fi
elif [ -f /etc/debian_version ]; then
	OS_CLASS='linux'
	DISTRIB_ID='debian'
	DISTRIB_RELEASE="`cat /etc/debian_version`"
	PACKAGECLASS='deb'
	if BinExists apt-get ; then
		INSTALLTOOL='apt-get'
	fi
elif [ -f /etc/gentoo-release ]; then
	OS_CLASS='linux'
	DISTRIB_ID='gentoo'
	DISTRIB_RELEASE="`sed -e 's/.* release //' /etc/gentoo-release`"
	PACKAGECLASS='tar'
	if BinExists emerge ; then
		INSTALLTOOL='emerge'
	fi
elif [ `$WantNonRoot uname -a </dev/null | grep -ic ' freebsd '` -gt 0 ]; then
	OS_CLASS='freebsd'
	DISTRIB_ID='freebsd'
	DISTRIB_RELEASE="`$WantNonRoot uname -r </dev/null`"
elif [ `$WantNonRoot uname -a </dev/null | grep -ic ' Darwin Kernel Version '` -gt 0 ]; then
	OS_CLASS='macos'
	DISTRIB_ID='macos'
	if BinExists sw_vers ; then
		DISTRIB_RELEASE="`$WantNonRoot sw_vers -productVersion </dev/null`"
	fi
	#system_profiler -detailLevel full [-xml]   contains installed software listings
elif [ `$WantNonRoot uname -a </dev/null | grep -ic 'linux'` -gt 0 ]; then
	OS_CLASS='linux'
fi

if BinExists uname ; then
	DISTRIB_ARCH="`uname -m`"
elif BinExists rpm ; then
	DISTRIB_ARCH=`$WantNonRoot rpm -q rpm --queryformat='%{arch}' </dev/null 2>/dev/null`
fi

BaseOS="$OS_CLASS,$DISTRIB_ID,$DISTRIB_RELEASE,$DISTRIB_ARCH,$PACKAGECLASS,$INSTALLTOOL"







#======== NowDate, NowTime, BestIP, and MyHostname need to be set above this line; the "Show" function used below requires all of these to be set. ========


#======== Show gratr version
echo "$GratrVersion" | Show 'gratr_version'


#======== #Show operating system
echo "$BaseOS" | Show 'os'

if [ -r /proc/uptime ]; then
	$WantNonRoot cat /proc/uptime | echo $(( `awk '{print $1}' | sed -e 's/\..*//'` / 86400 )) | Show os_uptime
elif BinExists uptime ; then
	$WantNonRoot uptime | sed -e 's/.* \([0-9][0-9]*\) days.*/\1/' | Show os_uptime
fi



#======== Get a list of users with at least a potentially usable shell.  Show raw password line and account details
#We're using "getent passwd" instead of "cat /etc/passwd" as getent includes all /etc/passwd lines but also includes
#lines for all ldap-based accounts.
( if [ -x /usr/bin/getent ]; then
	$WantNonRoot getent passwd </dev/null
else
	$WantNonRoot cat /etc/passwd </dev/null 2>/dev/null
fi ) \
 | egrep -v '(:/sbin/nologin$|:/bin/sync$|:/sbin/shutdown$|:/sbin/halt$|:/bin/false$|:/usr/bin/false$|:/usr/sbin/nologin|^#)' \
 | while IFS=: read user pass uid gid gecos homedir shell ; do

	#echo "$user" >&2

	show_passwd_info='false'

	case "$BaseOS" in
	linux*)
		#Available on Linux, not macos or freebsd.  If the command fails or wrong OS we get an empty string, which is what we want.
		passwd_details="`$WantRoot passwd -S \"$user\" </dev/null 2>/dev/null`"
		;;
	*)
		passwd_details=''
		;;
	esac

	#FIXME - $WantRoot for '['
	#If the account has SSH keys we'll display it whether it's locked or not.
	if [ -e "${homedir}/.ssh/authorized_keys" -o  -e "${homedir}/.ssh/authorized_keys2" ]; then
		show_passwd_info='true'
		#Show the comment fields from all ssh keys
		#The test and echo approach doesn't work as a non-root account.  We've replaced this with a single global grep for all homedir specs - see after this loop.
		#echo "$user,SSH keys `cat ${homedir}/.ssh/authorized_keys ${homedir}/.ssh/authorized_keys2 2>/dev/null| sed -e 's/[[:space:]][[:space:]]*$//' -e 's/.*[[:space:]]//' -e 's/.*=$/No key comment/' | tr '\n\r' ' '`" | Show 'acct_ssh_key'
	fi

	case "$BaseOS" in
	linux*)
		case `echo "$passwd_details" | awk '{print $2}'` in
		'L'|'LK')	#Account locked
			:
			;;
		*)		#Account unlocked
			show_passwd_info='true'
			;;
		esac
		;;
	freebsd*)
		#If we can read /etc/master.passwd (possibly with sudo) then we can try to limit who we show to just the unlocked accounts...
		if [ -r /etc/master.passwd ] || [ "$CanRoot" = "true" ]; then
			if echo "$user" | grep -q '^[a-zA-Z0-9_][a-zA-Z0-9_]*$' ; then
				#This is a valid user account with no special characters, so we can safely drop it on a command line without quotes
				#Note, this should be a regex of "^username:*LOCKED*", but sudoers will not let us use 
				#single quotes, double quotes or asterisk.  This is enough to safely match.
				if $WantRoot grep -q ^$user:.LOCKED. /etc/master.passwd </dev/null ; then
					:
				else
					show_passwd_info='true'
				fi
			else
				#The user account has characters other than alphanumeric and underscore, so we won't try to put it on a sudo command line without quotes
				show_passwd_info='true'
			fi
		#...otherwise we'll just show all accounts (all locked and all unlocked accounts)
		else
			show_passwd_info='true'
		fi
		;;
	#Uncomment this as we get the ability to detect locked accounts on macos
	#macos*)
	#	show_passwd_info='true'
	#	;;
	*)
		show_passwd_info='true'
		;;
	esac

	#Now we show all _unlocked_ linux accounts and _all_ non-linux accounts (can't identify locked accounts on non-linux yet)
	if [ "$show_passwd_info" = "true" ]; then
		#Show the raw password line
		#FIXME - check sed; "$.*" ?
		echo "$user:`echo \"$pass\" | sed -e 's/$.*/(hidden)/'`:$uid:$gid:$gecos:$homedir:$shell" | tr , _ | Show 'acct_passwd'
		if [ -n "$passwd_details" ]; then
			echo "$passwd_details" | tr , _ | Show acct_detail
		fi

		#FIXME - add to sudoers list above
		if $WantRoot grep -q '[es][cs][dh][s-][ard][s-][as]' ~$user/.ssh/authorized_keys ~$user/.ssh/authorized_keys2 2>/dev/null ; then
			:
		else
			echo "$user" | Show acct_keyless_active_accounts
		fi

		#ADDME - perhaps add a "count of key lines = wc -l" for both key files
	fi

	#FIXME - add to sudoers list above
	PermOut="`$WantRoot ls -ald ${homedir}/ ${homedir}/.ssh/ ${homedir}/.ssh/authorized_keys ${homedir}/.ssh/authorized_keys2 2>/dev/null | awk '{print $1 " " $3 " " $9}' | grep -v '^....------[^ ]* '$user`"
	if [ -n "$PermOut" ]; then
		echo "$PermOut" | Show acct_bad_key_perms
	#else
	#	echo "__ $user has good perms" >&2
	fi
done


#Grep is looking for lines starting with "ssh-dss", "ssh-rsa", or "ecdsa-sha2-nistp".
key_data="`$WantRoot grep '[es][cs][dh][s-][ard][s-][as]' /root/.ssh/authorized_keys /root/.ssh/authorized_keys2 /home/*/.ssh/authorized_keys /home/*/.ssh/authorized_keys2 /Users/*/.ssh/authorized_keys /Users/*/.ssh/authorized_keys2 2>/dev/null \
 | sed -e 's/[[:space:]][[:space:]]*$//' -e 's@^/root/.ssh/.*[[:space:]]@root,SSH keys @' -e 's@^/home/\([^/]*\)/.ssh/.*[[:space:]]@\1,SSH keys @' -e 's@^/Users/\([^/]*\)/.ssh/.*[[:space:]]@\1,SSH keys @' -e 's@^\(.*,SSH keys \).*=$@\1 No key comment@'`"
if [ -n "$key_data" ]; then
	echo "$key_data" | Show 'acct_ssh_key'
fi

#======== Last login times
if BinExists lastlog ; then
	$WantNonRoot lastlog </dev/null | egrep -v '(Never logged in|^Username)' | sort | Show acct_lastlog
fi


#======== Root equivalent users and groups
$WantNonRoot grep -h '^[^:][^:]*:[^:][^:]*:0:' /etc/passwd </dev/null | Show acct_uid0_acct
$WantNonRoot grep -h ':0:' /etc/group </dev/null | Show acct_gid0_group


#======== List available patches
if [ -x /usr/lib/update-notifier/apt-check ]; then		#Ubuntu (and possibly debian as well), part of the "update-notifier-common" package
	#We have to add an "echo" because apt-check forgets to include a trailing linefeed
	( $WantNonRoot /usr/lib/update-notifier/apt-check -p 2>&1 </dev/null ; echo ) \
	 | Show 'pkg_patch_avail'
	#Perhaps 'apt-get -s dist-upgrade | grep "^Inst" | grep -i securi' to limit to security patches
	#Looks more promising, unconfirmed (package name is "unattended-upgrades"):
	#sudo unattended-upgrade --dry-run -d 2>&1 >/dev/null | grep 'Checking' | awk '{ print $2 }'
elif [ -x /usr/sbin/pkg_version ]; then				#Freebsd
	#Second sed expression replaces any commas (in package version numbers) except for those before or after '<' with an underscore
	$WantNonRoot /usr/sbin/pkg_version -vIL'=' </dev/null \
	 | sed -e 's/[[:space:]][[:space:]]*\([<>\?\*!]\)[[:space:]][[:space:]]*/,\1,/' -e 's/\([^<]\),\([^<]\)/\1_\2/g' \
	 | Show 'pkg_patch_avail'
elif [ -x /bin/yum -o -x /usr/bin/yum ]; then			#Most RPM-based distros
	#FIXME - do we want to be using "," as a separator in a CSV output?
	$WantRoot yum check-update </dev/null 2>/dev/null \
	 | egrep -v '(^Obsoleting Packages|^Loaded plugins|Loading mirror speeds|^$|packages excluded due to|Excluding Packages in global exclude list|^Finished$|Determining fastest mirrors)' \
	 | egrep -v '^[[:space:]]' \
	 | sed -e 's/[[:space:]][[:space:]]*$//' -e 's/[[:space:]][[:space:]]*/,/g' \
	 | Show 'pkg_patch_avail'
else
	echo "Unknown package software for $BaseOS" | Show _fail
fi


#======== Test if running under any virtualization environments
if BinExists dmidecode ]; then
	dmidecode_spn="`$WantRoot /usr/sbin/dmidecode -s system-product-name </dev/null 2>/dev/null`"
	dmidecode_sm="`$WantRoot /usr/sbin/dmidecode -s system-manufacturer </dev/null 2>/dev/null`"
fi

if [ "$dmidecode_spn" = "VirtualBox" ]; then
	echo 'virtualbox,VirtualBox virtual machine' | Show 'hw_virt'
elif [ "$dmidecode_spn" = "VMware Virtual Platform" ]; then
	echo 'vmware,VMware virtual machine' | Show 'hw_virt'
elif [ "$dmidecode_spn" = "KVM" ]; then
	echo 'qemu_kvm,Qemu on KVM virtual machine' | Show 'hw_virt'
elif [ "$dmidecode_spn" = "Bochs" ]; then
	echo 'qemu_bochs,Qemu on Bochs virtual machine' | Show 'hw_virt'
elif [ "$dmidecode_sm" = "VMware, Inc." ]; then
	echo 'vmware,VMware virtual machine' | Show 'hw_virt'
elif [ "$dmidecode_sm" = "Xen" ]; then
	echo 'xen,Xen virtual machine' | Show 'hw_virt'
elif [ "$dmidecode_sm" = "KVM" ]; then
	echo 'kvm,KVM virtual machine' | Show 'hw_virt'
elif [ "$dmidecode_sm" = "VirtualBox" ]; then
	echo 'virtualbox,VirtualBox virtual machine' | Show 'hw_virt'
elif [ -x /usr/bin/lspci -a `$WantNonRoot /usr/bin/lspci </dev/null 2>/dev/null | grep -ic vmware` -gt 0 ]; then
	echo 'vmware,VMware virtual machine' | Show 'hw_virt'
elif [ -x /bin/ps -a `$WantNonRoot /bin/ps auwx </dev/null 2>/dev/null | egrep -c '\[xenbus\]$'` -gt 0 ]; then
	echo 'xen,Xen virtual machine' | Show 'hw_virt'
#FIXME - following test is slightly fragile in that dmesg may not display this early boot-time message if
#a lot of other system messages fill the dmesg buffer
elif [ -x /usr/bin/dmesg -a `$WantNonRoot /usr/bin/dmesg </dev/null 2>/dev/null | grep -ic 'kernel on Xen'` -gt 0 ]; then
	echo 'xen,Xen virtual machine' | Show 'hw_virt'
elif [ -x /sbin/dmesg -a `$WantNonRoot /sbin/dmesg </dev/null 2>/dev/null | grep -ic 'VBOXAPIC'` -gt 0 ]; then
	echo 'virtualbox,VirtualBox virtual machine' | Show 'hw_virt'
elif [ -x /usr/sbin/dmidecode -a `$WantRoot /usr/sbin/dmidecode </dev/null 2>/dev/null | grep -ic VirtualBox` -gt 0 ]; then
	echo 'virtualbox,VirtualBox virtual machine' | Show 'hw_virt'
else
	echo 'none,No virtualization detected assuming bare metal hardware' | Show 'hw_virt'
fi
#freebsd: /sbin/sysctl dev.acpi.0.%desc returns ^VBOX under virtualbox    , but NOT macos



#======== Show all listening TCP and UDP ports
if [ -n "$LsofPath" ]; then
	lsof_out="`$WantRoot $LsofPath -nP +c 0 -iTCP -sTCP:LISTEN </dev/null 2>/dev/null`"
	echo "$lsof_out" | awk '{print $9 "/tcp," $1 "," $3}' | grep -v '^NAME' | sed -e 's/^\*://' -e 's/^[0-9][0-9\.]*://' -e 's/^\[[0-9a-f:][0-9a-f:]*\]://' | sort -un | Show net_port_listen
	if [ `echo "$lsof_out" | grep '^sshd' | awk '{print $9}' | sed -e 's/.*://' | sort -u | wc -l` -gt 0 ]; then
		#Warning: this can be multiple ports if sshd is on multiple ports
		#Because we only use this below for ssh_keyscan, we'll use "head -n 1" to pick the first
		ssh_port=`echo "$lsof_out" | grep '^sshd' | awk '{print $9}' | sed -e 's/.*://' | sort -u | head -n 1`
	else
		ssh_port=22
	fi
	$WantRoot $LsofPath -nP +c 0 -iUDP </dev/null 2>/dev/null | awk '{print $9 "/udp," $1 "," $3}' | egrep -v '(^NAME|^\*:\*|->)' | sed -e 's/^\*://' -e 's/^[0-9][0-9\.]*://' -e 's/^\[[0-9a-f:][0-9a-f:]*\]://' | sort -un | Show net_port_listen
else
	#FIXME - if running as root, run with "-p" and format output with it, otherwise leave off -p.  Don't use "$Want..."
	#If ( we are already root or $WantRoot is set ) run with $WantRoot ... -p and show prog
	#otherwise leave -p off
	$WantNonRoot netstat -an </dev/null \
	 | egrep '(^udp|^tcp.*LISTEN)' \
	 | awk '{print $4 "/" $1}' \
	 | sed -e 's@.*[^0-9]\([0-9][0-9]*/\)@\1@' -e 's/tcp[46]/tcp/' -e 's/udp[46]/udp/' \
	 | sort -u \
	 | grep -v '^\*\.\*/' \
	 | AddServiceNames \
	 | Show 'net_port_listen'
fi



#======== All Ips
echo "$MyIps" | Show net_ip_addrs



#======== All mac addresses
ifconfig | grep '^[[:space:]][[:space:]]*ether[[:space:]]' | awk '{print $2}' | sort -u | Show net_mac_addrs




#======== DNS servers
if [ -r /etc/resolv.conf ]; then
	$WantNonRoot grep '^nameserver' /etc/resolv.conf </dev/null | sed -e 's/^nameserver[[:space:]][[:space:]]*//' -e 's/[[:space:]][[:space:]]*#.*//' | Show net_dns_servers
fi


#======== Syslog servers
if [ -r /etc/syslog.conf ] || [ -r /etc/rsyslog.conf ]; then
	$WantNonRoot cat /etc/syslog.conf /etc/rsyslog.conf </dev/null 2>/dev/null | sed -e 's/#.*//' | grep '@' | sed -e 's/.*@//' | Show net_syslog_servers
fi
#FIXME - add syslog-ng too


#======== NTP servers
if [ -r /etc/ntp.conf ]; then
	$WantNonRoot grep '^server[[:space:]]' /etc/ntp.conf </dev/null | awk '{print $2}' | sort -u | Show net_ntp_servers
fi


#======== Public IP
if BinExists nc ; then
	Public_IP=`echo 'GET / HTTP/1.0\nHost: icanhazip.com\n\n' | nc icanhazip.com 80 | tail -1`
elif BinExists netcat ; then
	Public_IP=`echo 'GET / HTTP/1.0\nHost: icanhazip.com\n\n' | netcat icanhazip.com 80 | tail -1`
elif BinExists curl ; then
	Public_IP=`http_proxy='' $WantNonRoot curl -s checkip.dyndns.org </dev/null | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'`
elif BinExists wget ; then
	Public_IP=`http_proxy='' $WantNonRoot wget -q -O - checkip.dyndns.org </dev/null | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'`
else
	Public_IP="$BestIP"
fi
echo "$Public_IP" | Show net_ip_public
if BinExists dig ; then
	$WantNonRoot dig +short -x "$Public_IP" | Show net_ip_public_hostname
fi

#======== Hardware
if [ -x /bin/free ]; then
	$WantNonRoot echo $(( (`/bin/free </dev/null | grep '^Mem:' | awk '{print $2}'` + 512) / 1024 )) | Show hw_ram		#free displays in kilobytes, so /1024 to get M
	$WantNonRoot echo $(( (`/bin/free </dev/null | grep '^Swap:' | awk '{print $2}'` + 512) / 1024 )) | Show hw_swap
	$WantNonRoot echo $(( ( ( `/bin/free </dev/null | grep '^Mem:' | awk '{print $3}'` + `/bin/free </dev/null | grep '^Swap:' | awk '{print $3}'`) + 512) / 1024 )) | Show vm_used
elif [ -x /usr/bin/free ]; then
	$WantNonRoot echo $(( (`/usr/bin/free </dev/null | grep '^Mem:' | awk '{print $2}'` + 512) / 1024 )) | Show hw_ram		#free displays in kilobytes, so /1024 to get M
	$WantNonRoot echo $(( (`/usr/bin/free </dev/null | grep '^Swap:' | awk '{print $2}'` + 512) / 1024 )) | Show hw_swap
	$WantNonRoot echo $(( ( ( `/usr/bin/free </dev/null | grep '^Mem:' | awk '{print $3}'` + `/usr/bin/free </dev/null | grep '^Swap:' | awk '{print $3}'`) + 512) / 1024 )) | Show vm_used
elif [ -x /sbin/sysctl ]; then
	#freebsd
	if [ -n "`$WantNonRoot /sbin/sysctl -n hw.realmem </dev/null 2>/dev/null`" ]; then
		echo $(( `$WantNonRoot /sbin/sysctl -n hw.realmem </dev/null 2>/dev/null` / 1048576 )) | Show hw_ram		#in bytes, so divide by 1048576 to get M
	fi
	if [ -e /proc/sys/vm/swap_total ]; then
		:
		#$WantNonRoot /sbin/sysctl vm.swap_total and do math
	fi
elif [ -x /usr/sbin/sysctl ]; then
	#macos
	if [ -n "`$WantNonRoot/usr/sbin/sysctl -n hw.memsize </dev/null 2>/dev/null`" ]; then
		echo $(( `$WantNonRoot/usr/sbin/sysctl -n hw.memsize </dev/null 2>/dev/null` / 1048576 )) | Show hw_ram		#in bytes, so divide by 1048576 to get M
	fi
	$WantNonRoot /usr/sbin/sysctl vm.swapusage | sed -e 's/.*total = //' -e 's/\.[0-9][0-9]M .*//' | Show hw_swap			#: total = 3072.00M  used = 1977.00M  free = 1095.00M  (encrypted)
	$WantNonRoot /usr/sbin/sysctl vm.swapusage | sed -e 's/.*used = //' -e 's/\.[0-9][0-9]M .*//' | Show swap_used			#: total = 3072.00M  used = 1977.00M  free = 1095.00M  (encrypted)
fi

if [ -r /proc/cpuinfo ]; then										#linux
	$WantNonRoot cat /proc/cpuinfo </dev/null | grep '^processor' | wc -l | Show hw_cpu_cores
	$WantNonRoot cat /proc/cpuinfo </dev/null | grep '^model name' | sed -e 's/^model name[[:space:]][[:space:]]*: //' -e 's/[[:space:]][[:space:]]*/ /g' | sort -u | Show hw_cpu_desc
elif [ -x /sbin/sysctl ]; then										#freebsd
	$WantNonRoot /sbin/sysctl -n hw.ncpu | Show hw_cpu_cores
	$WantNonRoot /sbin/sysctl -n hw.model | Show hw_cpu_desc
elif [ -x /usr/sbin/sysctl ]; then										#macos
	$WantNonRoot /usr/sbin/sysctl -n hw.physicalcpu | Show hw_cpu_cores
	$WantNonRoot /usr/sbin/sysctl -n machdep.cpu.brand_string | Show hw_cpu_desc
	#$WantNonRoot /usr/sbin/sysctl -n hw.cpufrequency_max | Show hw_cpu_freqmax	#Spits out in Hz, divide to clean up
fi

if BinExists dmidecode ; then
	#For at least dell hardware, on linux (does not _appear_ to be dell specific)
	#On dell, this should also be the service tag
	$WantRoot /usr/sbin/dmidecode -s system-serial-number </dev/null 2>/dev/null | Show hw_serial_number
	$WantRoot /usr/sbin/dmidecode -s system-manufacturer </dev/null 2>/dev/null | Show hw_manufacturer
	$WantRoot /usr/sbin/dmidecode -s system-product-name </dev/null 2>/dev/null | Show hw_product_name
	$WantRoot /usr/sbin/dmidecode -s chassis-asset-tag </dev/null 2>/dev/null | Show hw_chassis_asset_tag

	#Look into lshw -short as well, sample output below
fi

if BinExists lshw ; then
	lshw_out="`$WantRoot lshw -short </dev/null 2>/dev/null`"
	echo "$lshw_out" | grep '[[:space:]]disk[[:space:]]' | grep -v 'dev/cdrom' | sed -e 's/^.*[[:space:]]disk[[:space:]]*//' | Show hw_disks
	mem_string=`echo "$lshw_out" | grep '[[:space:]]memory[[:space:]].*System [Mm]emory' | sed -e 's/^[0-9/\.a-fA-F]*[[:space:]]*memory[[:space:]]*//'`
	case "$mem_string" in
	*GiB\ System\ [Mm]emory)
		echo $(( `echo "$mem_string" | sed -e 's/GiB System [Mm]emory//'` * 1024 )) | Show hw_ram
		;;
	*MiB\ System\ [Mm]emory)
		echo "$mem_string" | sed -e 's/MiB System [Mm]emory//' | Show hw_ram
		;;
	'')
		:		#not able to parse ram from lshw
		;;
	*)
		echo "raw: $mem_string" | Show hw_ram
		;;
	esac
fi

#Reliably unique ID for this system
if [ -s /var/lib/dbus/machine-id ]; then
	cat /var/lib/dbus/machine-id | Show hw_uuid
elif [ -n "`$WantNonRoot /sbin/sysctl -n kern.hostuuid </dev/null 2>/dev/null`" ]; then
	$WantNonRoot /sbin/sysctl -n kern.hostuuid </dev/null 2>/dev/null | Show hw_uuid
fi

#======== SSH host key fingerprints
if BinExists ssh-keygen ; then
	for Key in `ls -A1 /etc/ssh/ssh_host_*.pub /etc/ssh_host_*.pub 2>/dev/null` ; do
		ssh-keygen -l -f "$Key" 2>/dev/null | Show svc_ssh_host_key
		KeyOut=`ssh-keygen -r "$MyHostname" -f "$Key" </dev/null 2>/dev/null | grep -v '^export_dns_rr: unsupported'`
		if [ -n "$KeyOut" ]; then
			echo "$KeyOut" | Show svc_ssh_sshfp
		fi
		#If one wants the "generic" format ("TYPE44..."), add "-g" to the above command line
		#Include corresponding record for IP/rev.ip.ip-addr as well?
	done
fi

if BinExists ssh-keyscan ; then
	keyscan_out=`ssh-keyscan -t rsa,dsa -p "$ssh_port" "$BestIP" 2>/dev/null`
	echo "$keyscan_out" | sed -e "s/^\([^ ][^ ]*\) \(.*\)$/\[\1\]:$ssh_port \2/" | Show svc_ssh_known_hosts
	echo "$keyscan_out" | sed -e "s/^\([^ ][^ ]*\) \(.*\)$/\[$MyHostname\]:$ssh_port \2/" | Show svc_ssh_known_hosts
	if [ "$Public_IP" != "$BestIP" ]; then
		#Cant fix: No way to tell what the externally visible ssh port is, if any at all.  Guess at the internal port.
		echo "$keyscan_out" | sed -e "s/^\([^ ][^ ]*\) \(.*\)$/\[$Public_IP\]:$ssh_port \2/" | Show svc_ssh_known_hosts
	fi
fi


#======== Yubikey-enabled services
YubiPam=''
cd /etc/pam.d/
for PamFile in * ; do
	if $WantNonRoot grep -q '^auth[[:space:]][[:space:]]*sufficient[[:space:]][[:space:]]*pam_yubico.so' "$PamFile" ; then
		YubiPam="$YubiPam $PamFile"
		if $WantNonRoot grep -q '^auth[[:space:]][[:space:]]*requisite[[:space:]][[:space:]]*pam_deny.so' "$PamFile" ; then
			YubiPam="$YubiPam(!PW)"
		fi
	fi
done
cd - >/dev/null 2>&1

if [ -n "$YubiPam" ]; then
	echo "$YubiPam" | sed -e 's/^[[:space:]]//' | Show conf_yubipam
fi


#======== Free space
$WantNonRoot df -h `mount | egrep -v '(^none on |type tmpfs|type devtmpfs|type devpts|type sysfs|type proc|type cgroup|on /Volumes/MobileBackups|hosts on /net|devfs on /dev|^map auto_home|type mqueue|type debugfs|type binfmt_misc|type fusectl|type hugetlbfs|type configfs|type fuse|on /proc/sys/fs|type rpc_pipefs|type securityfs)' | awk '{print $3}'` | grep -v '^Filesystem' | awk '{print $NF ":" $4 ":" $5}' | Show disk_free_space

#Format:
#/ 26G 78%
#/boot 71M 85%
#/home 42G 95%