#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2013-2016, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Parameter checks # ################################################################################# # # Check number of parameters submitted (at least one is needed) PARAMCOUNT=$# while [ $# -ge 1 ]; do case $1 in # Helpers first audit) CHECK_BINARIES=0 RUN_HELPERS=1 HELPER="audit" SKIP_PLUGINS=1 RUN_TESTS=0 if [ ! $2 = "" ]; then case $2 in "dockerfile") if [ "$3" = "" ]; then echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}" echo "Example: $0 audit dockerfile /root/Dockerfile" ExitFatal else shift; shift HELPER_PARAMS="$1 $2 $3" HELPER="audit_dockerfile" break fi ;; "system") if [ "$3" = "remote" ]; then shift if [ "$3" = "" ]; then echo "${RED}Error: ${WHITE}Missing remote location${NORMAL}" echo "Example: $0 audit system remote 192.168.1.100" ExitFatal else REMOTE_TARGET="$3" shift; shift; shift # shift out first three arguments EXTRA_PARAMS="" if [ ! "$1" = "" ]; then EXTRA_PARAMS=" $@"; fi # --quick is added to be non-interactive REMOTE_COMMAND="./lynis audit system --quick${EXTRA_PARAMS}" echo "" echo " How to perform a remote scan:" echo " =============================" echo " Target : ${REMOTE_TARGET}" echo " Command : ${REMOTE_COMMAND}" HELPER="system_remote_scan" HELPER_PARAMS="$@" CHECK_BINARIES=0 QUIET=1 RUN_HELPERS=1 SKIP_PLUGINS=1 RUN_TESTS=0 SHOW_PROGRAM_DETAILS=0 break fi fi CHECK=1 CHECK_BINARIES=1 HELPER="" SKIP_PLUGINS=0 RUN_TESTS=1 shift ;; esac else echo "${RED}Error: ${WHITE}Need a target to audit${NORMAL}" echo " " echo "Examples:" echo "lynis audit dockerfile" echo "lynis audit system" ExitFatal fi ;; # Configure Lynis configure) CHECK_BINARIES=0 RUN_HELPERS=1 QUIET=1 SKIP_PLUGINS=1 RUN_TESTS=0 SHOW_PROGRAM_DETAILS=0 if [ $# -gt 0 ]; then shift; fi HELPER="configure" HELPER_PARAMS="$@" break ;; # Show Lynis details show) CHECK_BINARIES=0 RUN_HELPERS=1 HELPER="show" RUN_TESTS=0 SKIP_PLUGINS=1 SHOW_TOOL_TIPS=0 QUIET=1 SHOW_PROGRAM_DETAILS=0 shift HELPER_PARAMS="$1 $2" break ;; update) CHECK_BINARIES=0 RUN_HELPERS=1 HELPER="update" QUIET=1 SKIP_PLUGINS=1 RUN_TESTS=0 SHOW_PROGRAM_DETAILS=0 if [ ! $2 = "" ]; then shift HELPER_PARAMS="$1 $2" break else echo "${RED}Error: ${WHITE}Need a target for update${NORMAL}" echo " " echo "Examples:" echo "lynis update check" echo "lynis update info" echo "lynis update release" ExitFatal fi ;; # Assign auditor to report --auditor) shift AUDITORNAME=$1 ;; # Perform tests (deprecated, use audit system) --check-all | --checkall | -c) # echo "Usage of option -c is deprecated. Please use: lynis audit system [options]" CHECK=1 ;; # Cronjob support --cronjob | --cron) CRONJOB=1 CHECK=1; QUICKMODE=1; COLORS=0; NEVERBREAK=1 # Use some defaults (-c, -Q, no colors) RemoveColors ;; # Perform tests with additional debugging information on screen --debug) DEBUG=1 ;; # Developer mode (more details when creating tests) --developer) DEVELOPER_MODE=1 ;; # Display all available options with short alias --dump-options | --dumpoptions) OPTIONS="--auditor --check-all_(-c) --config --cronjob_(--cron) --debug --help_(-h) --info --license-key --log-file --manpage_(--man) --no-colors --no-log --pentest --profile --plugins-dir --quiet_(-q) --quick_(-Q) --report-file --reverse-colors --tests --tests-category --upload --version_(-V) --view-categories" for I in ${OPTIONS}; do echo "${I}" | tr '_' ' ' done ExitClean ;; # View help --help | -h | "-?") VIEWHELP=1 ;; # View program/database information --check-update | --check-updates | --info) echo "This option is deprecated" echo "Use: lynis update info" ExitClean ;; # License key for Lynis Enterprise --license-key) shift LICENSE_KEY=$1 ;; # Adjust default logfile location --logfile | --log-file) shift LOGFILE=$1 ;; # Don't use colors --no-colors | --nocolors) COLORS=0 RemoveColors ;; # Disable logging --no-log | --nolog) LOGFILE="/dev/null" ;; --pen-test | --pentest) PENTESTINGMODE=1 ;; # Define a custom profile file --profile) shift SEARCH_PROFILES=$1 ;; # Define a custom plugin directory --plugindir | --plugin-dir | --plugins-dir) shift PLUGINDIR=$1 LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'` if [ "${LASTCHAR}" = "/" ]; then echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}" ExitCustom 65 fi if [ ! -d ${PLUGINDIR} ]; then echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}" ExitCustom 66 fi ;; # Quiet mode --quiet | -q) QUIET=1 QUICKMODE=1 # Run non-interactive ;; # Non-interactive mode --quick | -Q) QUICKMODE=1 ;; # Define alternative report file --report-file) shift REPORTFILE=$1 ;; # Strip the colors which aren't clearly visible on light backgrounds --reverse-colors) BLUE="${NORMAL}"; SECTION="${NORMAL}"; NOTICE="${NORMAL}"; CYAN="${NORMAL}"; GREEN="${NORMAL}"; YELLOW="${NORMAL}"; WHITE="${NORMAL}"; PURPLE="${NORMAL}"; ;; # Skip execution of plugins --skip-plugins | --no-plugins) SKIP_PLUGINS=1 ;; # Only scan these tests --tests) shift TESTS_TO_PERFORM=$1 ;; # Scan one or more categories only --tests-category) shift TESTS_CATEGORY_TO_PERFORM=$1 ;; # Lynis Enterprise: upload data to central node --upload) UPLOAD_DATA=1 ;; --verbose) VERBOSE=1 ;; # Version number --version | -V) echo "${PROGRAM_VERSION}" exit 0 ;; --view-categories | --list-categories | --show-categories) ViewCategories exit 0 ;; # View man page --view-manpage | --man-page | --manpage | --man) if [ -f lynis.8 ]; then nroff -man lynis.8 exit 0 else echo "Error: man page file not found (lynis.8)" echo "If you are running an installed version of Lynis, use 'man lynis'" exit 1 fi ;; # Warnings --warnings-only | --show-warnings-only) SHOW_WARNINGS_ONLY=1 QUICKMODE=1 QUIET=1 ;; # Drop out when using wrong option(s) *) # Wrong option used, we bail out later WRONGOPTION=1 WRONGOPTION_value=$1 ;; esac shift done #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com