diff --git a/default.prf b/default.prf index c97e55f5..713070f7 100644 --- a/default.prf +++ b/default.prf @@ -308,6 +308,38 @@ permdir:/root/.ssh:rwx------:root:-:WARN: #config:custom_url_prepend:https://your-domain.example.org/control-info/: #config:custom_url_append:/: +################################################################################# +# +# Automatic Updating +# ------------------- +# +# These settings are required when using the lynis update functionality. +# By specifying local paths and your update server, the tool can do an update +# check, compare versions and download a new version. +# +################################################################################# + +# Local directory (without slash at end) where lynis directory will be installed +# Note: do not add full path to lynis, as subdirectory is part of tarball +#config:update_local_directory:/usr/local: +# Full path to local file. Change local path if Lynis is installed on a different place +#config:update_local_version_info:/usr/local/lynis/client-version: + +# Download information +# ----------------------------- +# Protocol to use: http, https +#config:update_server_protocol:http: + +# Address of update server +#config:update_server_address:192.168.1.125: + +# Path to last stable release +#config:update_latest_version_download:/files/lynis-latest.tar.gz: + +# Last part of URL (file to gather) +#config:update_latest_version_info:/files/lynis-latest-version: + + ################################################################################# # # Lynis Enterprise diff --git a/include/binaries b/include/binaries index 844027d3..a8fb6425 100644 --- a/include/binaries +++ b/include/binaries 
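Review bot: The sample `#config:update_server_protocol:http:` steers users to a cleartext transport for a mechanism whose consumer (include/helper_update in this same commit) unpacks the downloaded archive into the install directory and records it as the new version without any integrity check, so the server and the transport are the only trust boundary; the example should read `#config:update_server_protocol:https:`. A one-line comment above the download section stating that the archive is not verified and that only an https server under your own control should be configured would make that limitation explicit to whoever edits the profile. The note "without slash at end" on `update_local_directory` is not enforced anywhere visible in the diff, so it is worth keeping the comment accurate rather than relying on it.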
@@ -78,7 +78,6 @@ N=`expr ${N} + 1` BINARY="${SCANDIR}/${I}" DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} " - logtext "Binary: ${BINARY}" # Optimized, much quicker (limited file access needed) case ${I} in aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;; @@ -145,7 +144,7 @@ openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;; pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;; perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;; - php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;; + php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;; pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;; postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;; postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;; 
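Review bot: The edited `php)` log string spells the word `intrepreter`, and the `python)` entry added in the following hunk spells it `intepreter`; both should be `interpreter`, since these strings end up in the log file that people grep. Suggested line: `logtext "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})"`. The `case ${I} in` that these entries belong to starts and ends outside the hunk.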
@@ -154,6 +153,7 @@ ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;; puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;; puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;; + python) PYTHONBINARY="${BINARY}"; logtext " Found known binary: python (programming language intepreter) - ${BINARY}" ;; readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; diff --git a/include/consts b/include/consts index 077628f9..6c4ad85a 100644 --- a/include/consts +++ b/include/consts @@ -129,6 +129,7 @@ unset LANG SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW="" SESTATUSBINARY="" SERVICE_MANAGER="" + SHOW_PROGRAM_DETAILS=1 SHOW_REPORT=1 SKIPPED_TESTS_ROOTONLY="" SSHKEYSCANBINARY="" @@ -166,7 +167,6 @@ unset LANG TOTAL_TESTS=0 # Total amount of tests (counter) UPLOAD_DATA=0 # Upload of data to central node VIEWHELP=0 # Show help - VIEWUPDATEINFO=0 # View program/database version WRONGOPTION=0 # A wrong option is used # ################################################################################# diff --git a/include/functions b/include/functions index 1dc1c1d9..04ccfe13 100644 --- a/include/functions +++ b/include/functions 
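Review bot: The new `python)` entry sets only `PYTHONBINARY`, while every neighbouring entry (`puppet`, `readlink`, `rkhunter`, ...) also raises a `*FOUND=1` flag that the tests use to decide whether the binary exists; unless this omission is deliberate, it should read `python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; logtext " Found known binary: python (programming language interpreter) - ${BINARY}" ;;`. If the flag is added, it presumably also needs a `PYTHONFOUND=0` default in include/consts alongside the others — confirm against that file. The enclosing `case` statement continues outside the hunk.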
@@ -778,6 +778,8 @@ NGINX_ACCESS_LOG_DISABLED=1 else if [ ! "${VALUE}" = "" ]; then + # If multiple values follow, select first one + VALUE=`echo ${VALUE} | awk '{ print $1 }'` if [ ! -f ${VALUE} ]; then logtext "Result: could not find referenced log file ${VALUE} in nginx configuration" NGINX_ACCESS_LOG_MISSING=1 diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile index 3c481914..13174e40 100644 --- a/include/helper_audit_dockerfile +++ b/include/helper_audit_dockerfile @@ -4,7 +4,6 @@ if [ $# -eq 0 ]; then Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}" Display --text " "; Display --text " " - ExitFatal else FILE=`echo $1 | egrep "^http|https"` @@ -18,7 +17,7 @@ if [ $# -eq 0 ]; then if [ -f ${TMP_FILE} ]; then rm -f ${TMP_FILE} fi - Dislpay --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}" + Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}" ExitFatal fi else diff --git a/include/helper_update b/include/helper_update new file mode 100644 index 00000000..60529c4b --- /dev/null +++ b/include/helper_update 
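Review bot: The added `VALUE=\`echo ${VALUE} | awk '{ print $1 }'\`` expands `${VALUE}` unquoted, so a path read from the nginx configuration is word-split and glob-expanded by the shell before awk ever sees it (a `*` in the directive would turn into a directory listing); `VALUE=\`echo "${VALUE}" | awk '{ print $1 }'\`` keeps the text intact. The surrounding `[ ! -f ${VALUE} ]` test has the same quoting gap and would benefit from `"${VALUE}"` as well. The enclosing function starts and ends outside the hunk.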
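Review bot: Removing `ExitFatal` from the zero-argument branch means the helper prints the error and then continues past the if/else with `FILE` never assigned; unless something outside the hunk now terminates the helper, the remainder runs against an empty path. If falling through is intended, a comment such as `# No exit here: caller shows usage and terminates` would explain it; otherwise the exit should stay. The if/else continues beyond the hunk.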
@@ -0,0 +1,266 @@ +#!/bin/sh + +###################################################################### +# +# Helper program to support automatic updates of Lynis +# +###################################################################### +# +# Options: +# --------- +# 1) lynis update info - Show version information (external) +# 2) lynis update release - Check and install new release (internal) +# +# How to use: +# ------------ +# Run option 1 to know about current and latest release information. +# Run option 2 to query internal server for possible upgrade of Lynis. +# +# Steps for updating to new release: +# 1) Run Lynis with: lynis update release +# 2) Lynis will use this helper and check the profile +# 3) The configured web server will be queried (lynis-latest-version) +# 4) The contents of this file will be compared with a local file +# 5) If there is a difference, download package +# 6) Check paths and extract files +# 7) Quit program +# +# Suggested documentation if you want to use this functionality: +# https://cisofy.com/documentation/lynis/upgrading/ +# +###################################################################### + +LOCAL_VERSION="-" +SERVER_VERSION="" +PERFORM_UPGRADE=0 + +WGET_EXISTS=`which wget 2> /dev/null` +CURL_EXISTS=`which curl 2> /dev/null` +FETCH_EXISTS=`which fetch 2> /dev/null` + +# Update version +if [ "$1" = "release" ]; then + + if [ "${UPDATE_SERVER_PROTOCOL}" = "" ] ; then + Display --indent 2 --text "Error: Unknown protocol, please specify (http, https) in profile (update_server_protocol)" + ExitFatal + fi + + if [ "${UPDATE_SERVER_ADDRESS}" = "" ] ; then + Display --indent 2 --text "Error: Unknown download address, please specify in profile (update_server_address)" + ExitFatal + fi + + if [ "${UPDATE_LATEST_VERSION_DOWNLOAD}" = "" ] ; then + Display --indent 2 --text "Error: No URL to latest download has been specifiedrsion on the server, please specify in profile (update_latest_version_download)" + ExitFatal + fi + + if [ 
"${UPDATE_LATEST_VERSION_INFO}" = "" ] ; then + Display --indent 2 --text "Error: No URL has been specified to know the latest version on the server, please specify in profile (update_latest_version_info)" + ExitFatal + fi + + if [ "${UPDATE_LOCAL_DIRECTORY}" = "" ] ; then + Display --indent 2 --text "Error: No local directory has been specified to store Lynis files. Please specify in profile (update_local_directory)" + ExitFatal + else + if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then + Display --indent 2 --text "Error: Directory ${UPDATE_LOCAL_DIRECTORY} does not exist" + ExitFatal + fi + fi + + if [ "${UPDATE_LOCAL_VERSION_INFO}" = "" ] ; then + Display --indent 2 --text "Error: No data file has been specified to determine local Lynis version, please specify in profile (update_local_version_info)" + ExitFatal + fi + + if [ ! -f ${UPDATE_LOCAL_VERSION_INFO} ]; then + Display --indent 2 --text "Note: local data file ${UPDATE_LOCAL_VERSION_INFO} does not exist. It will be created after updating. (update_local_version_info)" + else + LOCAL_VERSION=`cat ${UPDATE_LOCAL_VERSION_INFO}` + fi + + # Normal update + FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_INFO}" + TMP_FILE=`mktemp /tmp/audit.XXXXXXXXXX` + if [ "${TMP_FILE}" = "" ]; then + Display --indent 2 --text "Could not create a temporary file in /tmp with mktemp. Aborting.." + ExitFatal + fi + Display --indent 2 --text "${CYAN}[Phase 1] Downloading details${NORMAL}" + if [ ! "${WGET_EXISTS}" = "" ]; then + logtext "Using wget to download release information" + LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}" + wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + elif [ ! "${CURL_EXISTS}" = "" ]; then + logtext "Using curl to download release information" + LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}" + curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? 
+ else + Display --indent 2 --text "No download tool available to perform download" + ExitFatal + fi + + if [ ! "${TMP_FILE}" = "" ]; then + if [ -f ${TMP_FILE} ]; then + SERVER_VERSION=`cat ${TMP_FILE}` + rm -f ${TMP_FILE} + fi + else + Display --indent 2 --text "Temporary file variable is empty, which is unexpected. Aborting.." + ExitFatal + fi + + # Determine if downloading meta data was successful + if [ ${EXIT_CODE} -eq 0 ]; then + if [ "${SERVER_VERSION}" = "" ]; then + Display --indent 2 --text "No version found on the server. Aborting.." + ExitFatal + else + Display --indent 2 --text "Version found on server: ${SERVER_VERSION}" + Display --indent 2 --text "Local version found: ${LOCAL_VERSION}" + fi + else + Display --indent 2 --text "${RED}Error: ${WHITE}Download utility returned an unexpected error code.${NORMAL} Aborting.." + Display --indent 2 --text "Error code: ${EXIT_CODE}" + Display --indent 2 --text "Suggested command: ${LAST_COMMAND_HELP}" + ExitFatal + fi + +#========================================================================================================================================== + + Display --indent 2 --text " " + Display --indent 2 --text "${CYAN}[Phase 2] Compare results${NORMAL}" + if [ ! "${LOCAL_VERSION}" = "${SERVER_VERSION}" ]; then + Display --indent 2 --text "Different version available, moving to upgrade phase" + PERFORM_UPGRADE=1 + else + Display --indent 2 --text "${GREEN}No upgrade needed${NORMAL}" + fi + + # Go to phase 3 if upgrade is needed + if [ ${PERFORM_UPGRADE} -eq 1 ]; then + FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_DOWNLOAD}" + Display --indent 2 --text " " + Display --indent 2 --text "[Phase 3] Downloading latest release" + Display --indent 2 --text "Download location: ${FULLPATH}" + if [ ! 
"${WGET_EXISTS}" = "" ]; then + logtext "Using wget to download latest release" + LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}" + wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + elif [ ! "${CURL_EXISTS}" = "" ]; then + logtext "Using curl to download latest release" + LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}" + curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + fi + if [ ${EXIT_CODE} -eq 0 ]; then + if [ -f ${TMP_FILE} ]; then + Display --indent 2 --text "Download successful" + # Extract the file to the related path, with 'lynis' appended + # Note: by default the tarball includes 'lynis' as directory + if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then + Display --indent 2 --text "Error: directory ${UPDATE_LOCAL_DIRECTORY} does not exist" + ExitFatal + fi + Display --indent 2 --text "Extracting latest version to path ${UPDATE_LOCAL_DIRECTORY}" + if [ ! -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then + Display --indent 2 --text "Creating 'lynis' directory in ${UPDATE_LOCAL_DIRECTORY}" + mkdir ${UPDATE_LOCAL_DIRECTORY}/lynis + if [ $? -gt 0 ]; then + Display --indent 2 --text "Error: could not create directory ${UPDATE_LOCAL_DIRECTORY}/lynis" + ExitFatal + fi + fi + if [ -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then + Display --indent 2 --text "Extracting files to ${UPDATE_LOCAL_DIRECTORY}" + tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY} + if [ $? 
-eq 0 ]; then + # Check if we can find the Lynis binary (in the created 'lynis' directory) + if [ -f ${UPDATE_LOCAL_DIRECTORY}/lynis/lynis ]; then + # If version was downloaded, update local version + echo ${SERVER_VERSION} > ${UPDATE_LOCAL_VERSION_INFO} + else + Display --indent 2 --text "Error: could not find downloaded file on disk" + fi + else + Display --indent 2 --text "Error: File extraction failed" + ExitFatal + fi + else + Display --indent 2 --text "Error: could not find lynis directory" + fi + else + Display --indent 2 --text "Error: could not find downloaded file on disk" + ExitFatal + fi + else + Display --indent 2 --text "Error: could not download latest release" + Display --indent 2 --text "Suggestion: ${LAST_COMMAND_HELP}" + ExitFatal + fi + fi + + # Removing temp file + logtext "Action: Removing temporary file ${TMP_FILE}" + if [ "${TMP_FILE}" = "" ]; then + if [ -f ${TMP_FILE} ]; then + rm -f ${TMP_FILE} + fi + fi + + Display --indent 2 --text " " + Display --indent 2 --text "Done" + Display --indent 2 --text " " + ExitClean + +# Update check +elif [ "$1" = "info" ]; then + + # CV - Current Version + PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'` + PROGRAM_LV=0 + + CheckUpdates + + # Reset everything if we can't determine our current version or the latest + # available version (due lack of internet connectivity for example) + if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then + # Set both to safe values + PROGRAM_AC=0; PROGRAM_LV=0 + fi + + echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} ==" + echo "" + echo " Version : ${PROGRAM_version}" + echo -n " Status : " + if [ ${PROGRAM_LV} -eq 0 ]; then + echo "${RED}Unknown${NORMAL}"; + elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then + echo "${YELLOW}Outdated${NORMAL}"; + echo " Current version : ${PROGRAM_AC}" + echo " Latest version : ${PROGRAM_LV}" + else + echo "${GREEN}Up-to-date${NORMAL}" + fi + echo " Release date : ${PROGRAM_releasedate}" + echo " Update 
location : ${PROGRAM_website}" + echo ""; echo "" + echo "${PROGRAM_copyright}" + echo "" + + # Quit program + ExitClean + +else + Display --indent 2 --text "${RED}Error: ${WHITE}Unknown parameter $1.${NORMAL} Aborting.." + ExitFatal +fi + + +# The End diff --git a/include/parameters b/include/parameters index 790fa2f8..2cd372f8 100644 --- a/include/parameters +++ b/include/parameters @@ -23,6 +23,7 @@ PARAMCOUNT=$# while [ $# -ge 1 ]; do case $1 in + # Helpers first audit) CHECK_BINARIES=0 RUN_HELPERS=1 @@ -63,6 +64,28 @@ #break ;; + # Helpers first + update) + CHECK_BINARIES=0 + RUN_HELPERS=1 + HELPER="update" + RUN_PLUGINS=0 + RUN_TESTS=0 + SHOW_PROGRAM_DETAILS=0 + if [ ! $2 = "" ]; then + shift + HELPER_PARAMS="$1 $2" + break + else + Display --text "${RED}Error: ${WHITE}Need a target for update${NORMAL}" + Display --text " " + Display --text "Examples:" + Display --text "lynis update info" + Display --text "lynis update release" + ExitFatal + fi + ;; + # Assign auditor to report --auditor) shift @@ -102,7 +125,9 @@ # View program/database information --check-update | --check-updates | --info) - VIEWUPDATEINFO=1 + echo "This option is deprecated" + echo "Use: lynis update info" + ExitClean ;; # License key for Lynis Enterprise diff --git a/include/profiles b/include/profiles index fea8d412..93176716 100644 --- a/include/profiles +++ b/include/profiles 
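Review bot: The archive fetched in Phase 3 is extracted with `tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}` and its version recorded without any integrity check, so whoever can serve or alter the configured `${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}` URL (trivially over the `http` the sample profile suggests) controls code that Lynis subsequently runs, usually as root; at minimum the helper should refuse anything but https and compare the download against a checksum or signature published out of band before extracting. The cleanup block near the end is inverted — `if [ "${TMP_FILE}" = "" ]; then` only enters when the name is empty, so the downloaded archive is never removed; it should read `if [ ! "${TMP_FILE}" = "" ] && [ -f "${TMP_FILE}" ]; then rm -f "${TMP_FILE}"; fi`. Phase 1 deletes `${TMP_FILE}` right after reading it and Phase 3 then reuses the same now-free name in `/tmp`, which is exactly the window a symlink race in a shared directory needs; take a fresh `mktemp` for the archive instead of recycling the path. The comparison `[ ! "${LOCAL_VERSION}" = "${SERVER_VERSION}" ]` treats any difference as an upgrade, so a server that serves an older version string silently rolls the installation back. The `update_latest_version_download` error text also contains the fragment `specifiedrsion`.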
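Review bot: `if [ ! $2 = "" ]; then` in the new `update)` case leaves `$2` unquoted, so when no target is given the test becomes `[ ! = "" ]`, which happens to evaluate to false but is not what the line expresses; write `if [ ! "$2" = "" ]; then`. The `break` after `HELPER_PARAMS="$1 $2"` also ends option parsing, so any option placed after the target is silently dropped — worth a comment if that is intended. The `# Helpers first` comment now appears both above `audit)` in the earlier hunk and above `update)` here; one occurrence above the first helper case is enough. The enclosing `case $1 in` continues outside the hunk.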
@@ -147,6 +147,36 @@ if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi ;; + # Server IP or hostname + update_server_address) + UPDATE_SERVER_ADDRESS="${VALUE}" + ;; + + # Protocol (http, https) + update_server_protocol) + UPDATE_SERVER_PROTOCOL="${VALUE}" + ;; + + # File path to tarball on server + update_latest_version_download) + UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}" + ;; + + # File path to information file + update_latest_version_info) + UPDATE_LATEST_VERSION_INFO="${VALUE}" + ;; + + # Local directory where lynis directory will be placed + update_local_directory) + UPDATE_LOCAL_DIRECTORY="${VALUE}" + ;; + + # Local file to maintain current version + update_local_version_info) + UPDATE_LOCAL_VERSION_INFO="${VALUE}" + ;; + # Options during upload of data upload_options) UPLOAD_OPTIONS="${VALUE}" diff --git a/include/tests_accounting b/include/tests_accounting index 4228ff28..2b5e5048 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -226,7 +226,7 @@ if [ -f /etc/ld.so.preload ]; then logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed" FIND=`grep ${FILE} /etc/ld.so.preload` - if [ !"${FIND}" = "" ]; then + if [ ! "${FIND}" = "" ]; then logtext "Result: found snoopy in ld.so.preload" logtext "Output: ${FIND}" Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN diff --git a/lynis b/lynis index 2e07e5f0..46740486 100755 --- a/lynis +++ b/lynis @@ -23,7 +23,7 @@ # Program information PROGRAM_name="Lynis" PROGRAM_version="2.1.1" - PROGRAM_releasedate="19 April 2015" + PROGRAM_releasedate="29 April 2015" PROGRAM_author="CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" 
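Review bot: `update_server_protocol)` stores `${VALUE}` without checking it, and the helper that consumes it only tests for an empty string, so a typo such as `htpp` surfaces only as a failed download later; since the value is spliced straight into a URL, restrict it here, e.g. `case "${VALUE}" in http|https) UPDATE_SERVER_PROTOCOL="${VALUE}" ;; *) logtext "Warning: invalid update_server_protocol ${VALUE}" ;; esac`. Given that the downloaded archive is installed and executed, accepting only `https` by default would be the safer choice. The enclosing `case` statement starts and ends outside the hunk.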
@@ -134,7 +134,7 @@ echo "" echo " Why do I see this error?" echo " -------------------------------" - echo " This error is a protection mechanism, to prevent root user from executing user created files." + echo " This is a protection mechanism, to prevent the root user from executing user created files." echo ""; echo "" echo " What can I do?" echo " ---------------------" 
@@ -226,55 +226,6 @@ # CV - Current Version PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'` PROGRAM_LV=0 - #DB_MALWARE_CV=`grep "^#version=" ${DBDIR}/malware.db | cut -d '=' -f2` - #DB_FILEPERMS_CV=`grep "^#version=" ${DBDIR}/fileperms.db | cut -d '=' -f2` - - # Number of signatures - #DB_MALWARE_IC=`grep -v "^#" ${DBDIR}/malware.db | wc -l | tr -s ' ' | tr -d ' '` - - if [ ${VIEWUPDATEINFO} -eq 1 ]; then - - CheckUpdates - - # Reset everything if we can't determine our current version or the latest - # available version (due lack of internet connectivity for example) - if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then - # Set both to safe values - PROGRAM_AC=0; PROGRAM_LV=0 - #DB_MALWARE_LV=0; DB_MALWARE_CV=0 - #DB_FILEPERMS_LV=0; DB_FILEPERMS_CV=0 - fi - - echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="; echo "" - echo " Version : ${PROGRAM_version}" - echo -n " Status : " - if [ ${PROGRAM_LV} -eq 0 ]; then - echo "${RED}Unknown${NORMAL}"; - elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then - echo "${YELLOW}Outdated${NORMAL}"; - echo " Current version : ${PROGRAM_AC}" - echo " Latest version : ${PROGRAM_LV}" - else - echo "${GREEN}Up-to-date${NORMAL}" - fi - echo " Release date : ${PROGRAM_releasedate}" - echo " Update location : ${PROGRAM_website}" -# echo "" -# echo " == ${WHITE}Plugins${NORMAL} ==" -# echo "" -# echo " == ${WHITE}Databases${NORMAL} ==" -# echo " Current Latest Status" -# echo " -----------------------------------------------------------------------------" -# echo -n " Malware : ${DB_MALWARE_CV} ${DB_MALWARE_LV} " -# if [ ${DB_MALWARE_LV} -gt ${DB_MALWARE_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi -# echo -n " File perms : ${DB_FILEPERMS_CV} ${DB_FILEPERMS_LV} " -# if [ ${DB_FILEPERMS_LV} -gt ${DB_FILEPERMS_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi - echo ""; echo "" - echo "${PROGRAM_copyright}"; echo "" - - # 
Quit program - ExitClean - fi # ################################################################################# # @@ -394,8 +345,11 @@ echo " audit system : Perform security scan" echo " audit dockerfile : Analyze Dockerfile" echo "" + echo " ${GREEN}update${NORMAL}" + echo " update info : Show update details" + echo " update release : Update Lynis release" + echo "" echo "" - echo " ${WHITE}Scan options:${NORMAL}" echo " --auditor \"\" : Auditor name" echo " --dump-options : See all available options" @@ -412,7 +366,6 @@ echo " --reverse-colors : Optimize color display for light backgrounds" echo "" echo " ${WHITE}Misc options:${NORMAL}" - echo " --check-update : Check for updates" echo " --debug : Debug logging to screen" echo " --view-manpage (--man) : View man page" echo " --version (-V) : Display version number and quit" @@ -529,7 +482,7 @@ # ################################################################################# # - if [ ${QUIET} -eq 0 ]; then + if [ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]; then echo "" echo " ---------------------------------------------------" echo " Program version: ${PROGRAM_version}" @@ -834,12 +787,12 @@ ################################################################################# # if [ ${RUN_HELPERS} -eq 1 ]; then - InsertPluginSection "Audit Module" if [ ! "${HELPER}" = "" ]; then logtext "Helper tool is $HELPER" if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then SafePerms ${INCLUDEDIR}/helper_${HELPER} logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}" + InsertPluginSection "Helper: ${HELPER}" . ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS} else echo "Error, could not find helper" diff --git a/lynis.8 b/lynis.8 index 38be837d..8de5135f 100644 --- a/lynis.8 +++ b/lynis.8 @@ -1,4 +1,4 @@ -.TH Lynis 8 "30 January 2015" "1.17" "Unix System Administrator's Manual" +.TH Lynis 8 "30 April 2015" "1.18" "Unix System Administrator's Manual" .SH "NAME" 
@@ -16,13 +16,13 @@ Lynis \fP\- Run an system and security audit on the system .fi .SH "DESCRIPTION" -\fBLynis\fP is an auditing tool for Unix (specialists). It checks the system -and software configuration and logs all the found information into a log file -for debugging purposes, and in a report file suitable to create fancy looking -auditing reports. -\fBLynis\fP can be run as a cronjob, or from the command line. It needs to have -full access to the system, so running it as root (or with sudo rights) is -required. +\fBLynis\fP is a security auditing tool for Linux and Unix systems. It checks +the system and software configurations, to determine any improvements. +All details are logged in a log file. Findings and other data is stored in a +report file, which can be used to create auditing reports. +\fBLynis\fP can be run as a cronjob, or from the command line. Lynis prefers +root permissions (or sudo), so it can access all parts of the system, however it +not required (see pentest mode). .PP The following system areas may be checked: .IP @@ -30,7 +30,7 @@ The following system areas may be checked: .IP \- Configuration files .IP -\- Common files by software packages +\- Files part of software packages .IP \- Directories and files related to logging and auditing .SH "OPTIONS" @@ -39,7 +39,6 @@ The following system areas may be checked: .B \-\-auditor Define the name of the auditor/pen-tester. When a full name is used, add double quotes, like "Your Name". - .TP .B \-\-checkall (or \-c) \fBLynis\fP performs a full check of the system, printing out the results of @@ -48,9 +47,6 @@ each test to stdout. Additional information will be saved into a log file .IP In case the outcome of a scan needs to be automated, use the report file. .TP -.B \-\-check\-update (or \-\-info) -Show program, database and update information. -.TP .B \-\-cronjob Perform automatic scan with cron safe options (no colors, no questions, no breaks). 
@@ -115,14 +111,33 @@ with others. When running Lynis without any parameters, help will be shown and the program will exit. .RE .PP + +.SH "HELPERS" +Lynis has special helpers to do certain tasks. This way the framework of Lynis is +used, while at the same time storing most of the functionality in a separated +file. This speeds up execution and keeps the code clean. +.TP +.B audit +Run audit on the system or on other targets +.TP +.B update +Run updater utility +.TP +To use a helper, run Lynis followed by the helper name +.RE +.PP .SH "BUGS" -Discovered a bug? Please report them via e-mail (lynis-dev@cisofy.com) or via GitHub: https://github.com/CISOfy/Lynis +Discovered a bug? Please report them via GitHub: https://github.com/CISOfy/lynis +.RE +.PP +.SH "Documentation" +Supporting documentation can be found via https://cisofy.com/documentation/lynis/ .RE .PP .SH "LICENSING" -Lynis is licensed with the GPL v3 license and under development by CISOfy and Michael Boelen. Plugins have their own license. +Lynis is licensed as GPL v3, written by Michael Boelen and supported by CISOfy. Plugins may have their own license. .RE .PP .SH "CONTACT INFORMATION" -Support and project related questions are addressed via https://cisofy.com/support/. +Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com.