Added systemd service script and timer (as replacement for cronjob)

2014-10-02 15:15:19 +02:00 · 2014-10-02 15:15:19 +02:00 · 231582ac53
parent 52fe3b68ba
commit 231582ac53
10 changed files with 46 additions and 114 deletions
--- a/dev/TODO
+++ b/dev/TODO
@ -1,114 +0,0 @@
-
-================================================================================
-
-  Lynis - To Do
-
-================================================================================
-
-  Author:                   Michael Boelen (michael@rootkit.nl)
-  Description:              Security and system auditing tool
-  Website:                  http://www.rootkit.nl/projects/lynis.html
-  Support policy:           See section 'Support' (README file)
-  Documentation:            See web site, README, FAQ and CHANGELOG file
-
-================================================================================
-
-
-[+] Open issues
-------------------------------
-
-
-[+] Project
-------------------------------
- 
-
-[+] General
-------------------------------
-  - Activate warning when default profile is being used
-  - Add list of manual audit items, depending on performed tests
-  - Replace awk instances with ${AWKBINARY}
-
-
-[+] Forensics
-------------------------------
-  - Add MD5/SHA1 database
-
-
-[+] Generic Tests
-------------------------------
-  - NFS: Check if there is no localhost line in the /etc/export file
-  - Check /etc/crontab entries (permissions, locations)
-  - Search for all setuid/setgid files and compare against baseline
-  - Skel: Red Hat files are hidden, check with ls -al?
-  - Add MacOS X test for /tmp dir (or redirect location of symlink)
-  - Samba: make sure it does listen only at one interface (not at WAN)
-  - Cleanup some tests by combining options (like NETW-3006)
-  - Check for latest versions of programs
-  - Check if multiple users have group '0'
-  - When using --quiet, use long warnings instead of default lines
-  - Don't show section headers when using --tests
-  - Show Last logon dates for user accounts
-  - Show passwords 30 days or older / trivial passwords / password shadowing
-  - Show duplicate usernames, UIDs and GIDs
-  - System wide policies including: default files creation mask, login timeout intervals, lockout durations...
-  - Permissions on selected sensitive files / directories
-
-
-[+] Applications
-------------------------------
-  - Debian/Ubuntu: check if apt-listbugs is installed
-
-[+] Databases
-------------------------------
-  - Warn if MySQL is running on a network interface
-  - Check for empty root login
-  - Check Oracle things (tm)
-
-
-[+] Programming languages/interfaces
-------------------------------
-  - Paranoid option: set binaries to 750 for perl, python, ruby, cc, gcc, *cc* etc
-
-
-[+] DNS
-------------------------------
-  - Bind: check if version is disabled  
-
-
-[+] Firewalls
-------------------------------
-  - iptables: show chain numbers when rules are unused
-
-
-[+] Shell/interface/X
-------------------------------
-  - Check for autolog or timeoutd package
-
-
-[+] MTA
-------------------------------
-  - Sendmail: check banner, check file permissions of configuration files
-  - Exim: check banner
-  - SMTP (if running): check if a version shows up in banner
-
-
-[+] Printers/spools
-------------------------------
-  - Printcap consistency check for Linux/Solaris/MacOS
-  
-
-[+] Tomcat
-------------------------------
-  - Check if iptables has rules for port 8080, 8009, 8443
-  - Check if /WEB-INF/ and /META-INF/ are denied in httpd.conf
-
-[+] Reporting
-------------------------------
-  - Add possibility to mail directly (instead of log to file)
-  - Find audit templates for reporting (direct post to webserver?)
-  - Allow bonus points, however check a maximum index score of 100
-
-
-================================================================================
- Lynis - Copyright 2007-2013, Michael Boelen - The Netherlands
- http://www.rootkit.nl
--- a/extras/README
+++ b/extras/README
--- a/extras/bash_completion.d/lynis
+++ b/extras/bash_completion.d/lynis
--- a/extras/build-lynis.sh
+++ b/extras/build-lynis.sh
--- a/extras/check-lynis.sh
+++ b/extras/check-lynis.sh
--- a/extras/files.dat
+++ b/extras/files.dat
--- a/extras/lynis.spec
+++ b/extras/lynis.spec
--- a/extras/openbsd/+CONTENTS
+++ b/extras/openbsd/+CONTENTS
--- a/extras/systemd/lynis.service
+++ b/extras/systemd/lynis.service
@ -0,0 +1,23 @@
+#################################################################################
+#
+# Lynis service file for systemd
+#
+#################################################################################
+#
+# - Adjust path to link to location where Lynis binary is installed
+# - Place this file together with the timer file in systemd directory
+# - Run: systemctl enable lynis.service
+#
+#################################################################################
+
+[Unit]
+Description=Lynis security audit and vulnerability scan
+
+[Service]
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+Type=simple
+ExecStart=/path/to/lynis -c --cronjob
+
+#EOF
--- a/extras/systemd/lynis.timer
+++ b/extras/systemd/lynis.timer
@ -0,0 +1,23 @@
+#################################################################################
+#
+# Lynis timer file for systemd
+#
+#################################################################################
+#
+# - Place this file together with the service file in systemd directory
+# - Run: systemctl enable lynis.timer
+#        systemctl start lynis.service
+#
+#################################################################################
+
+[Unit]
+Description=Daily run for Lynis security audit and vulnerability scan
+
+[Timer]
+OnCalendar=daily
+Persistent=false
+
+[Install]
+WantedBy=timers.target
+
+#EOF