Allow parsing of multiple profiles

This commit is contained in:
mboelen 2016-04-07 16:25:11 +02:00
parent 810c37287f
commit 066f562365
1 changed files with 170 additions and 166 deletions


@ -22,207 +22,211 @@
# #
################################################################################# #################################################################################
# #
Display --indent 2 --text "- Checking profile file (${PROFILE})..." Display --indent 2 --text "- Checking profiles..."
logtext "Reading profile/configuration ${PROFILE}"
FIND=`grep '^config:' ${PROFILE} | sed 's/ /!space!/g'`
for I in ${FIND}; do
OPTION=`echo ${I} | cut -d ':' -f2`
VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'`
logtext "Profile option set: ${OPTION} (with value ${VALUE})" for PROFILE in ${PROFILES}; do
logtext "Reading profile/configuration ${PROFILE}"
FIND=`grep '^config:' ${PROFILE} | sed 's/ /!space!/g'`
for I in ${FIND}; do
OPTION=`echo ${I} | cut -d ':' -f2`
VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'`
case ${OPTION} in logtext "Profile option set: ${OPTION} (with value ${VALUE})"
# Define which compliance standards are enabled case ${OPTION} in
compliance_standards)
COMPLIANCE_STANDARDS_ENABLED=`echo ${VALUE} | tr ',' ' '`
for I in ${COMPLIANCE_STANDARDS_ENABLED}; do
case $I in
cis) COMPLIANCE_ENABLE_CIS=1 ; Debug "Compliance scanning for CIS Benchmarks is enabled" ;;
hipaa) COMPLIANCE_ENABLE_HIPAA=1 ; Debug "Compliance scanning for HIPAA is enabled" ;;
iso27001) COMPLIANCE_ENABLE_ISO27001=1 ; Debug "Compliance scanning for ISO27001 is enabled" ;;
pci-dss) COMPLIANCE_ENABLE_PCI_DSS=1 ; Debug "Compliance scanning for PCI DSS is enabled" ;;
*) logtext "Result: Unknown compliance standard configured" ;;
esac
done
;;
# Maximum number of WAITing connections # Define which compliance standards are enabled
connections_max_wait_state) compliance_standards)
OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}" COMPLIANCE_STANDARDS_ENABLED=`echo ${VALUE} | tr ',' ' '`
;; for I in ${COMPLIANCE_STANDARDS_ENABLED}; do
case $I in
cis) COMPLIANCE_ENABLE_CIS=1 ; Debug "Compliance scanning for CIS Benchmarks is enabled" ;;
hipaa) COMPLIANCE_ENABLE_HIPAA=1 ; Debug "Compliance scanning for HIPAA is enabled" ;;
iso27001) COMPLIANCE_ENABLE_ISO27001=1 ; Debug "Compliance scanning for ISO27001 is enabled" ;;
pci-dss) COMPLIANCE_ENABLE_PCI_DSS=1 ; Debug "Compliance scanning for PCI DSS is enabled" ;;
*) logtext "Result: Unknown compliance standard configured" ;;
esac
done
;;
# Append something to URL for control information # Maximum number of WAITing connections
control_url_append) connections_max_wait_state)
CONTROL_URL_APPEND="${VALUE}" OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}"
;; ;;
# Prepend an URL before control information link # Append something to URL for control information
control_url_prepend) control_url_append)
CONTROL_URL_PREPEND="${VALUE}" CONTROL_URL_APPEND="${VALUE}"
;; ;;
# Protocol to use for control information link # Prepend an URL before control information link
control_url_protocol) control_url_prepend)
CONTROL_URL_PROTOCOL="${VALUE}" CONTROL_URL_PREPEND="${VALUE}"
;; ;;
# Append something to URL for control information (only applies to CUST-*) # Protocol to use for control information link
custom_url_append) control_url_protocol)
CUSTOM_URL_APPEND="${VALUE}" CONTROL_URL_PROTOCOL="${VALUE}"
;; ;;
# Prepend an URL before control information link (only applies to CUST-*) # Append something to URL for control information (only applies to CUST-*)
custom_url_prepend) custom_url_append)
CUSTOM_URL_PREPEND="${VALUE}" CUSTOM_URL_APPEND="${VALUE}"
;; ;;
# Protocol to use for control information link # Prepend an URL before control information link (only applies to CUST-*)
custom_url_protocol) custom_url_prepend)
CUSTOM_URL_PROTOCOL="${VALUE}" CUSTOM_URL_PREPEND="${VALUE}"
;; ;;
# Do not check security repository in sources.list (Debian/Ubuntu) # Protocol to use for control information link
debian_skip_security_repository) custom_url_protocol)
OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY="${VALUE}" CUSTOM_URL_PROTOCOL="${VALUE}"
;; ;;
debug)
if [ "${VALUE}" = "yes" -o "${VALUE}" = "true" ]; then
DEBUG=1
fi
;;
# Skip FreeBSD port audit
freebsd_skip_portaudit)
logtext "Option set: Skip FreeBSD portaudit"
OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}"
;;
# Lynis Enterprise: group name # Do not check security repository in sources.list (Debian/Ubuntu)
group) debian_skip_security_repository)
GROUP_NAME="${VALUE}" OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY="${VALUE}"
;; ;;
debug)
if [ "${VALUE}" = "yes" -o "${VALUE}" = "true" ]; then
DEBUG=1
fi
;;
# Lynis Enterprise license key # Skip FreeBSD port audit
license_key) freebsd_skip_portaudit)
LICENSE_KEY="${VALUE}" logtext "Option set: Skip FreeBSD portaudit"
report "license_key=${LICENSE_KEY}" OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}"
;; ;;
# Do (not) log tests if they have an different operating system # Lynis Enterprise: group name
log_tests_incorrect_os) group)
logtext "Option set: No logging for incorrect OS" GROUP_NAME="${VALUE}"
if [ "${VALUE}" = "no" ]; then LOG_INCORRECT_OS=0; else LOG_INCORRECT_OS=1; fi ;;
;;
# What type of machine we are scanning (eg. desktop, server, server with storage) # Lynis Enterprise license key
machine_role) license_key)
MACHINE_ROLE="${VALUE}" LICENSE_KEY="${VALUE}"
;; report "license_key=${LICENSE_KEY}"
;;
# Define if any found NTP daemon instance is configured as a server or client # Do (not) log tests if they have an different operating system
ntpd_role) log_tests_incorrect_os)
NTPD_ROLE="${VALUE}" logtext "Option set: No logging for incorrect OS"
;; if [ "${VALUE}" = "no" ]; then LOG_INCORRECT_OS=0; else LOG_INCORRECT_OS=1; fi
;;
# How much seconds to wait between tests # What type of machine we are scanning (eg. desktop, server, server with storage)
pause_between_tests) machine_role)
TEST_PAUSE_TIME="${VALUE}" MACHINE_ROLE="${VALUE}"
;; ;;
# Profile name # Define if any found NTP daemon instance is configured as a server or client
profile_name) ntpd_role)
PROFILE_NAME="${VALUE}" NTPD_ROLE="${VALUE}"
;; ;;
# Inline tips about tool # How much seconds to wait between tests
show_tool_tips) pause_between_tests)
SHOW_TOOL_TIPS="${VALUE}" TEST_PAUSE_TIME="${VALUE}"
;; ;;
# Tests to always skip (useful for false positives or problematic tests) # Profile name
test_skip_always) profile_name)
TEST_SKIP_ALWAYS="${VALUE}" PROFILE_NAME="${VALUE}"
logtext "Tests to be skipped: ${VALUE}" ;;
;;
# Do not check the latest version on the internet # Inline tips about tool
skip_upgrade_test) show_tool_tips)
if [ "${VALUE}" = "yes" -o "${VALUE}" = "YES" ]; then SKIP_UPGRADE_TEST=1; else SKIP_UPGRADE_TEST=0; fi SHOW_TOOL_TIPS="${VALUE}"
;; ;;
# Define what kind of scan we are performing # Tests to always skip (useful for false positives or problematic tests)
test_scan_mode) test_skip_always)
if [ "${VALUE}" = "light" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="NO"; SCAN_TEST_HEAVY="NO"; fi TEST_SKIP_ALWAYS="${VALUE}"
if [ "${VALUE}" = "normal" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="NO"; fi logtext "Tests to be skipped: ${VALUE}"
if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi ;;
;;
# Server IP or hostname # Do not check the latest version on the internet
update_server_address) skip_upgrade_test)
UPDATE_SERVER_ADDRESS="${VALUE}" if [ "${VALUE}" = "yes" -o "${VALUE}" = "YES" ]; then SKIP_UPGRADE_TEST=1; else SKIP_UPGRADE_TEST=0; fi
;; ;;
# Protocol (http, https) # Define what kind of scan we are performing
update_server_protocol) test_scan_mode)
UPDATE_SERVER_PROTOCOL="${VALUE}" if [ "${VALUE}" = "light" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="NO"; SCAN_TEST_HEAVY="NO"; fi
;; if [ "${VALUE}" = "normal" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="NO"; fi
if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi
;;
# File path to tarball on server # Server IP or hostname
update_latest_version_download) update_server_address)
UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}" UPDATE_SERVER_ADDRESS="${VALUE}"
;; ;;
# File path to information file # Protocol (http, https)
update_latest_version_info) update_server_protocol)
UPDATE_LATEST_VERSION_INFO="${VALUE}" UPDATE_SERVER_PROTOCOL="${VALUE}"
;; ;;
# Local directory where lynis directory will be placed # File path to tarball on server
update_local_directory) update_latest_version_download)
UPDATE_LOCAL_DIRECTORY="${VALUE}" UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}"
;; ;;
# Local file to maintain current version # File path to information file
update_local_version_info) update_latest_version_info)
UPDATE_LOCAL_VERSION_INFO="${VALUE}" UPDATE_LATEST_VERSION_INFO="${VALUE}"
;; ;;
# Compression of uploads (enabled by default) # Local directory where lynis directory will be placed
upload_compressed) update_local_directory)
if [ "${VALUE}" = "0" ]; then COMPRESSED_UPLOADS=0; fi UPDATE_LOCAL_DIRECTORY="${VALUE}"
;; ;;
# Options during upload of data # Local file to maintain current version
upload_options) update_local_version_info)
UPLOAD_OPTIONS="${VALUE}" UPDATE_LOCAL_VERSION_INFO="${VALUE}"
;; ;;
# Proxy settings # Compression of uploads (enabled by default)
upload_proxy_port) upload_compressed)
UPLOAD_PROXY_PORT="${VALUE}" if [ "${VALUE}" = "0" ]; then COMPRESSED_UPLOADS=0; fi
;; ;;
upload_proxy_protocol)
UPLOAD_PROXY_PROTOCOL="${VALUE}"
;;
upload_proxy_server)
UPLOAD_PROXY_SERVER="${VALUE}"
;;
# Receiving system (IP address or hostname) # Options during upload of data
upload_server) upload_options)
UPLOAD_SERVER="${VALUE}" UPLOAD_OPTIONS="${VALUE}"
;; ;;
# Catch all bad options and bail out # Proxy settings
*) upload_proxy_port)
logtext "Unknown option ${OPTION} (with value: ${VALUE})" UPLOAD_PROXY_PORT="${VALUE}"
echo "Fatal error: found errors in profile" ;;
echo "Unknown option '${OPTION}' found (with value: ${VALUE})" upload_proxy_protocol)
ExitFatal UPLOAD_PROXY_PROTOCOL="${VALUE}"
;; ;;
upload_proxy_server)
UPLOAD_PROXY_SERVER="${VALUE}"
;;
esac # Receiving system (IP address or hostname)
upload_server)
UPLOAD_SERVER="${VALUE}"
;;
# Catch all bad options and bail out
*)
logtext "Unknown option ${OPTION} (with value: ${VALUE})"
echo "Fatal error: found errors in profile"
echo "Unknown option '${OPTION}' found (with value: ${VALUE})"
ExitFatal
;;
esac
done
done done
# #
################################################################################# #################################################################################
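Review bot: Each entry of `${PROFILES}` goes straight into `grep '^config:' ${PROFILE}` in the new outer loop without a check that the file exists and is readable, so a missing or unreadable profile only produces a grep message on stderr and is silently skipped even though these files control `test_skip_always`, `debug` and the upload settings; a guard at the top of the loop such as `if [ ! -f "${PROFILE}" ]; then logtext "Profile ${PROFILE} not found"; ExitFatal; fi` would make that explicit. The `*)` fallback still prints `Fatal error: found errors in profile` without saying which one, and now that several are parsed `echo "Fatal error: found errors in profile ${PROFILE}"` would point the user to the right file. A comment above the outer loop stating that a later profile overrides values set by an earlier one would also help readers, since nearly every branch simply reassigns its variable while the compliance flags (`COMPLIANCE_ENABLE_CIS=1` and friends) are only ever set and never cleared. Both `for` expansions are unquoted, so a profile path containing whitespace would be split into several entries; that looks pre-existing rather than introduced here.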