#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
######################################################################
#
# Helper program to generate specific details such as host IDs
#
######################################################################
#
# How to use:
# ------------
# Run: lynis generate <option>
#
######################################################################

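# Entry point for 'lynis generate <option>'.
#
# Relies on names this file does not define: ${ECHOCMD}, ${OS}, ${ROOTDIR},
# ${LICENSE_KEY}, the colour variables (BG_BLUE, RED, WHITE, BROWN, NORMAL)
# and the ExitClean / ExitFatal helpers.
# ${ECHOCMD} is expanded unquoted on purpose; presumably it can hold a command
# plus options (verify where it is set).
SAVEFILE=0
GENERATE_ARGS="hostids systemd-units"

if [ $# -gt 0 ]; then
    case "$1" in
        "hostids")

            # Optional second argument: --save stores the identifiers on disk
            if [ $# -gt 1 ]; then
                shift
                # Quoted so an empty or whitespace-containing argument does not break the test
                if [ "$1" = "--save" ]; then
                    SAVEFILE=1
                fi
            fi

            # Generate random host IDs (40 and 64 hex characters) from /dev/urandom
            case "${OS}" in
                "AIX")
                    # hexdump does not exist on AIX
                    HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p)
                    HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p)
                ;;
                *)
                    # xxd does not exist on FreeBSD
                    # Note: hexdump may omit leading or trailing zeroes.
                    # Take 100 bytes as input, turn to hex, then take first 40/64.
                    HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40)
                    HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c64)
                ;;
            esac

            # Refuse to continue with missing or malformed identifiers, for example
            # when xxd/hexdump is unavailable and the pipeline printed nothing.
            # Without this check an empty hostid would be shown and saved.
            case "${HOSTID}${HOSTID2}" in
                *[!0-9a-f]*)
                    ExitFatal "Error: generated host identifiers contain unexpected characters"
                ;;
            esac
            if [ ${#HOSTID} -ne 40 ] || [ ${#HOSTID2} -ne 64 ]; then
                ExitFatal "Error: could not generate host identifiers (is xxd or hexdump available?)"
            fi

            ${ECHOCMD} "Generated host identifiers"
            ${ECHOCMD} "- hostid: ${HOSTID}"
            ${ECHOCMD} "- hostid2: ${HOSTID2}"

            if [ "${SAVEFILE}" -eq 1 ]; then
                FILE="${ROOTDIR}etc/lynis/hostids"
                if [ -f "${FILE}" ]; then
                    ${ECHOCMD} "Error: hostids file already exists (${FILE})"
                    ${ECHOCMD} "Remove the file first and rerun command"
                    ExitFatal
                else
                    # Create and fill the file in a single redirection with noclobber
                    # (set -C) enabled: the shell refuses to write when the path already
                    # exists, so nothing placed there between the -f test above and this
                    # write gets overwritten. The subshell keeps noclobber from leaking
                    # into the rest of the program; stderr is discarded as before.
                    # NOTE(review): file mode follows the caller's umask; confirm that
                    # is acceptable for a file that defines the host's identity.
                    if ( set -C
                         printf '%s\n' \
                             "# generated using 'lynis generate hostids --save'" \
                             "hostid=${HOSTID}" \
                             "hostid2=${HOSTID2}" > "${FILE}" ) 2> /dev/null; then
                        ${ECHOCMD} "Created hostids file (${FILE})"
                    else
                        ExitFatal "Error: could not create hostids file (${FILE}). Issue with permissions?"
                    fi
                fi
            fi

            ExitClean
            ;;

        "cronjob")
            ${ECHOCMD} "Not implemented yet"
            ;;

        "systemd-units")

            # Prints example unit files and instructions; nothing is written to disk here

            ${ECHOCMD} ""

            ${ECHOCMD} "${BG_BLUE}Step 1: create service unit (/etc/systemd/system/lynis.service)${NORMAL}"

            ${ECHOCMD} ""
            ${ECHOCMD} "#################################################################################"
            ${ECHOCMD} "#"
            ${ECHOCMD} "# Lynis service file for systemd"
            ${ECHOCMD} "#"
            ${ECHOCMD} "#################################################################################"
            ${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
            ${ECHOCMD} "# Generator=lynis"
            ${ECHOCMD} "# Version=1"
            ${ECHOCMD} "#################################################################################"
            ${ECHOCMD} ""
            ${ECHOCMD} "[Unit]"
            ${ECHOCMD} "Description=Security audit and vulnerability scanner"
            ${ECHOCMD} "Documentation=https://cisofy.com/docs/"
            ${ECHOCMD} ""
            ${ECHOCMD} "[Service]"
            ${ECHOCMD} "Nice=19"
            ${ECHOCMD} "IOSchedulingClass=best-effort"
            ${ECHOCMD} "IOSchedulingPriority=7"
            ${ECHOCMD} "Type=simple"
            # 'command -v' is the POSIX lookup; 'which' is an external tool that may be
            # missing or print a message instead of a path.
            MYBINARY=$(command -v lynis 2>/dev/null)
            # Only suggest an absolute path in ExecStart. Anything else (for example a
            # hit via a relative PATH entry) falls back to the placeholder, so the
            # administrator has to fill in the real location deliberately.
            case "${MYBINARY}" in
                /*) ;;
                *)  MYBINARY="" ;;
            esac
            MOREOPTIONS=""
            # Add --upload to the suggested command line when a license key is set
            if [ -n "${LICENSE_KEY}" ]; then
                MOREOPTIONS=" --upload"
            fi
            ${ECHOCMD} "ExecStart=${MYBINARY:-/path/to/lynis} audit system --cronjob${MOREOPTIONS}"
            ${ECHOCMD} ""
            ${ECHOCMD} "[Install]"
            ${ECHOCMD} "WantedBy=multi-user.target"
            ${ECHOCMD} ""
            ${ECHOCMD} "#################################################################################"
            ${ECHOCMD} ""
            ${ECHOCMD} ""

            ${ECHOCMD} "${BG_BLUE}Step 2: create timer unit (/etc/systemd/system/lynis.timer)${NORMAL}"
            ${ECHOCMD} ""

            ${ECHOCMD} "#################################################################################"
            ${ECHOCMD} "#"
            ${ECHOCMD} "# Lynis timer file for systemd"
            ${ECHOCMD} "#"
            ${ECHOCMD} "#################################################################################"
            ${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
            ${ECHOCMD} "# Generator=lynis"
            ${ECHOCMD} "# Version=1"
            ${ECHOCMD} "#################################################################################"
            ${ECHOCMD} ""
            ${ECHOCMD} "[Unit]"
            ${ECHOCMD} "Description=Daily timer for the Lynis security audit and vulnerability scanner"
            ${ECHOCMD} ""
            ${ECHOCMD} "[Timer]"
            ${ECHOCMD} "OnCalendar=daily"
            ${ECHOCMD} "RandomizedDelaySec=1800"
            ${ECHOCMD} "Persistent=false"
            ${ECHOCMD} ""
            ${ECHOCMD} "[Install]"
            ${ECHOCMD} "WantedBy=timers.target"
            ${ECHOCMD} ""
            ${ECHOCMD} "#################################################################################"
            ${ECHOCMD} ""
            ${ECHOCMD} ""

            ${ECHOCMD} "${BG_BLUE}Step 3 - Enable the timer${NORMAL}"

            ${ECHOCMD} ""
            ${ECHOCMD} "Tell systemd you made changes: systemctl daemon-reload"
            ${ECHOCMD} ""
            ${ECHOCMD} "Enable and start the timer (so no reboot is needed): systemctl enable --now lynis.timer"
            ${ECHOCMD} ""
            ${ECHOCMD} ""
            ${ECHOCMD} "${BG_BLUE}Optional - Customize${NORMAL}"
            ${ECHOCMD} ""
            ${ECHOCMD} "Want to override the timer? Run: systemctl edit lynis.timer"
            ${ECHOCMD} "Note: set the timer by first resetting it, then set the preferred value"
            ${ECHOCMD} ""
            ${ECHOCMD} "[Timer]"
            ${ECHOCMD} "OnCalendar="
            ${ECHOCMD} "OnCalendar=*-*-* 03:00:00"
            ${ECHOCMD} ""
            ;;
        *)                      ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis generate" ;;
    esac
else
    # No option given: list the supported ones
    ${ECHOCMD} "\n  ${WHITE}Provide an additional argument${NORMAL}\n\n"
    # Unquoted on purpose: GENERATE_ARGS is a space-separated list
    for ITEM in ${GENERATE_ARGS}; do
        ${ECHOCMD} "    lynis generate ${BROWN}${ITEM}${NORMAL}"
    done
    ${ECHOCMD} "\n"
    ${ECHOCMD} ""
    ${ECHOCMD} "Extended help about the generate command can be provided with: $0 show commands generate"
fi


ExitClean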

# The End