#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ###################################################################### # # Helper program to generate specific details such as host IDs # ###################################################################### # # How to use: # ------------ # Run: lynis generate <option> # ###################################################################### SAVEFILE=0 GENERATE_ARGS="hostids systemd-units" if [ $# -gt 0 ]; then case $1 in "hostids") if [ $# -gt 1 ]; then shift if [ $1 = "--save" ]; then SAVEFILE=1 fi fi # Generate random host IDs case "${OS}" in "AIX") # hexdump does not exist on AIX HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p) HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p) ;; *) # xxd does not exist on FreeBSD # Note: hexdump may omit leading or trailing zeroes. # Take 100 characters as input, turn to hex, then take first 40/64. HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40) HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c64) ;; esac ${ECHOCMD} "Generated host identifiers" ${ECHOCMD} "- hostid: ${HOSTID}" ${ECHOCMD} "- hostid2: ${HOSTID2}" if [ ${SAVEFILE} -eq 1 ]; then FILE="${ROOTDIR}etc/lynis/hostids" if [ -f ${FILE} ]; then ${ECHOCMD} "Error: hostids file already exists (${FILE})" ${ECHOCMD} "Remove the file first and rerun command" ExitFatal else OUTPUT=$(touch ${FILE} 2> /dev/null) if [ $? -eq 0 ]; then ${ECHOCMD} "Created hostids file (${FILE})" echo "# generated using 'lynis generate hostids --save'" > ${FILE} echo "hostid=${HOSTID}" >> ${FILE} echo "hostid2=${HOSTID2}" >> ${FILE} else ExitFatal "Error: could not created hostids file (${FILE}). Issue with permissions?" fi fi fi ExitClean ;; "cronjob") ${ECHOCMD} "Not implemented yet" ;; "systemd-units") ${ECHOCMD} "" ${ECHOCMD} "${BG_BLUE}Step 1: create service unit (/etc/systemd/system/lynis.service)${NORMAL}" ${ECHOCMD} "" ${ECHOCMD} "#################################################################################" ${ECHOCMD} "#" ${ECHOCMD} "# Lynis service file for systemd" ${ECHOCMD} "#" ${ECHOCMD} "#################################################################################" ${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available" ${ECHOCMD} "# Generator=lynis" ${ECHOCMD} "# Version=1" ${ECHOCMD} "#################################################################################" ${ECHOCMD} "" ${ECHOCMD} "[Unit]" ${ECHOCMD} "Description=Security audit and vulnerability scanner" ${ECHOCMD} "Documentation=https://cisofy.com/docs/" ${ECHOCMD} "" ${ECHOCMD} "[Service]" ${ECHOCMD} "Nice=19" ${ECHOCMD} "IOSchedulingClass=best-effort" ${ECHOCMD} "IOSchedulingPriority=7" ${ECHOCMD} "Type=simple" MYBINARY=$(which lynis 2>/dev/null) MOREOPTIONS="" if [ -n "${LICENSE_KEY}" ]; then MOREOPTIONS=" --upload" fi ${ECHOCMD} "ExecStart=${MYBINARY:-/path/to/lynis} audit system --cronjob${MOREOPTIONS}" ${ECHOCMD} "" ${ECHOCMD} "[Install]" ${ECHOCMD} "WantedBy=multi-user.target" ${ECHOCMD} "" ${ECHOCMD} "#################################################################################" ${ECHOCMD} "" ${ECHOCMD} "" ${ECHOCMD} "${BG_BLUE}Step 2: create timer unit (/etc/systemd/system/lynis.timer)${NORMAL}" ${ECHOCMD} "" ${ECHOCMD} "#################################################################################" ${ECHOCMD} "#" ${ECHOCMD} "# Lynis timer file for systemd" ${ECHOCMD} "#" ${ECHOCMD} "#################################################################################" ${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available" ${ECHOCMD} "# Generator=lynis" ${ECHOCMD} "# Version=1" ${ECHOCMD} "#################################################################################" ${ECHOCMD} "" ${ECHOCMD} "[Unit]" ${ECHOCMD} "Description=Daily timer for the Lynis security audit and vulnerability scanner" ${ECHOCMD} "" ${ECHOCMD} "[Timer]" ${ECHOCMD} "OnCalendar=daily" ${ECHOCMD} "RandomizedDelaySec=1800" ${ECHOCMD} "Persistent=false" ${ECHOCMD} "" ${ECHOCMD} "[Install]" ${ECHOCMD} "WantedBy=timers.target" ${ECHOCMD} "" ${ECHOCMD} "#################################################################################" ${ECHOCMD} "" ${ECHOCMD} "" ${ECHOCMD} "${BG_BLUE}Step 3 - Enable the timer${NORMAL}" ${ECHOCMD} "" ${ECHOCMD} "Tell systemd you made changes: systemctl daemon-reload" ${ECHOCMD} "" ${ECHOCMD} "Enable and start the timer (so no reboot is needed): systemctl enable --now lynis.timer" ${ECHOCMD} "" ${ECHOCMD} "" ${ECHOCMD} "${BG_BLUE}Optional - Customize${NORMAL}" ${ECHOCMD} "" ${ECHOCMD} "Want to override the timer? Run: systemctl edit lynis.timer" ${ECHOCMD} "Note: set the timer by first resetting it, then set the preferred value" ${ECHOCMD} "" ${ECHOCMD} "[Timer]" ${ECHOCMD} "OnCalendar=" ${ECHOCMD} "OnCalendar=*-*-* 03:00:00" ${ECHOCMD} "" ;; *) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis generate" ;; esac else ${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n" for ITEM in ${GENERATE_ARGS}; do ${ECHOCMD} " lynis generate ${BROWN}${ITEM}${NORMAL}" done ${ECHOCMD} "\n" ${ECHOCMD} "" ${ECHOCMD} "Extended help about the generate command can be provided with: $0 show commands generate" fi ExitClean # The End