#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2013-2016, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Read profile/template # ################################################################################# # Display --indent 2 --text "- Checking profile file (${PROFILE})..." logtext "Reading profile/configuration ${PROFILE}" FIND=`grep '^config:' ${PROFILE} | sed 's/ /!space!/g'` for I in ${FIND}; do OPTION=`echo ${I} | cut -d ':' -f2` VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'` logtext "Profile option set: ${OPTION} (with value ${VALUE})" case ${OPTION} in # Define which compliance standards are enabled compliance_standards) COMPLIANCE_STANDARDS_ENABLED=`echo ${VALUE} | tr ',' ' '` for I in ${COMPLIANCE_STANDARDS_ENABLED}; do case $I in cis) COMPLIANCE_ENABLE_CIS=1 ; Debug "Compliance scanning for CIS Benchmarks is enabled" ;; hipaa) COMPLIANCE_ENABLE_HIPAA=1 ; Debug "Compliance scanning for HIPAA is enabled" ;; iso27001) COMPLIANCE_ENABLE_ISO27001=1 ; Debug "Compliance scanning for ISO27001 is enabled" ;; pci-dss) COMPLIANCE_ENABLE_PCI_DSS=1 ; Debug "Compliance scanning for PCI DSS is enabled" ;; *) logtext "Result: Unknown compliance standard configured" ;; esac done ;; # Maximum number of WAITing connections connections_max_wait_state) OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}" ;; # Append something to URL for control information control_url_append) CONTROL_URL_APPEND="${VALUE}" ;; # Prepend an URL before control information link control_url_prepend) CONTROL_URL_PREPEND="${VALUE}" ;; # Protocol to use for control information link control_url_protocol) CONTROL_URL_PROTOCOL="${VALUE}" ;; # Append something to URL for control information (only applies to CUST-*) custom_url_append) CUSTOM_URL_APPEND="${VALUE}" ;; # Prepend an URL before control information link (only applies to CUST-*) custom_url_prepend) CUSTOM_URL_PREPEND="${VALUE}" ;; # Protocol to use for control information link custom_url_protocol) CUSTOM_URL_PROTOCOL="${VALUE}" ;; # Do not check security repository in sources.list (Debian/Ubuntu) debian_skip_security_repository) OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY="${VALUE}" ;; debug) if [ "${VALUE}" = "yes" -o "${VALUE}" = "true" ]; then DEBUG=1 fi ;; # Skip FreeBSD port audit freebsd_skip_portaudit) logtext "Option set: Skip FreeBSD portaudit" OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}" ;; # Lynis Enterprise: group name group) GROUP_NAME="${VALUE}" ;; # Lynis Enterprise license key license_key) LICENSE_KEY="${VALUE}" report "license_key=${LICENSE_KEY}" ;; # Do (not) log tests if they have an different operating system log_tests_incorrect_os) logtext "Option set: No logging for incorrect OS" if [ "${VALUE}" = "no" ]; then LOG_INCORRECT_OS=0; else LOG_INCORRECT_OS=1; fi ;; # What type of machine we are scanning (eg. desktop, server, server with storage) machine_role) MACHINE_ROLE="${VALUE}" ;; # Define if any found NTP daemon instance is configured as a server or client ntpd_role) NTPD_ROLE="${VALUE}" ;; # How much seconds to wait between tests pause_between_tests) TEST_PAUSE_TIME="${VALUE}" ;; # Profile name profile_name) PROFILE_NAME="${VALUE}" ;; # Inline tips about tool show_tool_tips) SHOW_TOOL_TIPS="${VALUE}" ;; # Tests to always skip (useful for false positives or problematic tests) test_skip_always) TEST_SKIP_ALWAYS="${VALUE}" logtext "Tests to be skipped: ${VALUE}" ;; # Do not check the latest version on the internet skip_upgrade_test) if [ "${VALUE}" = "yes" -o "${VALUE}" = "YES" ]; then SKIP_UPGRADE_TEST=1; else SKIP_UPGRADE_TEST=0; fi ;; # Define what kind of scan we are performing test_scan_mode) if [ "${VALUE}" = "light" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="NO"; SCAN_TEST_HEAVY="NO"; fi if [ "${VALUE}" = "normal" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="NO"; fi if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi ;; # Server IP or hostname update_server_address) UPDATE_SERVER_ADDRESS="${VALUE}" ;; # Protocol (http, https) update_server_protocol) UPDATE_SERVER_PROTOCOL="${VALUE}" ;; # File path to tarball on server update_latest_version_download) UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}" ;; # File path to information file update_latest_version_info) UPDATE_LATEST_VERSION_INFO="${VALUE}" ;; # Local directory where lynis directory will be placed update_local_directory) UPDATE_LOCAL_DIRECTORY="${VALUE}" ;; # Local file to maintain current version update_local_version_info) UPDATE_LOCAL_VERSION_INFO="${VALUE}" ;; # Compression of uploads (enabled by default) upload_compressed) if [ "${VALUE}" = "0" ]; then COMPRESSED_UPLOADS=0; fi ;; # Options during upload of data upload_options) UPLOAD_OPTIONS="${VALUE}" ;; # Proxy settings upload_proxy_port) UPLOAD_PROXY_PORT="${VALUE}" ;; upload_proxy_protocol) UPLOAD_PROXY_PROTOCOL="${VALUE}" ;; upload_proxy_server) UPLOAD_PROXY_SERVER="${VALUE}" ;; # Receiving system (IP address or hostname) upload_server) UPLOAD_SERVER="${VALUE}" ;; # Catch all bad options and bail out *) logtext "Unknown option ${OPTION} (with value: ${VALUE})" echo "Fatal error: found errors in profile" echo "Unknown option '${OPTION}' found (with value: ${VALUE})" ExitFatal ;; esac done # ################################################################################# # # Add group name to report if [ ! "${GROUP_NAME}" = "" ]; then report "group=${GROUP_NAME}" fi # ################################################################################# # # Set default values (only if not configured in profile) if [ "${MACHINE_ROLE}" = "" ]; then MACHINE_ROLE="server" logtext "Set option to default value: MACHINE_ROLE --> ${MACHINE_ROLE}" fi if [ "${NTPD_ROLE}" = "" ]; then NTPD_ROLE="client" logtext "Set option to default value: NTPD_ROLE --> ${NTPD_ROLE}" fi # ################################################################################# # logtextbreak #================================================================================ # Lynis - Copyright 2007-2016, Michael Boelen - CISOfy, https://cisofy.com