#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
######################################################################
#
# Helper program to generate specific details such as host IDs
#
######################################################################
#
# How to use:
# ------------
# Run: lynis generate <option>
#
######################################################################
SAVEFILE=0
GENERATE_ARGS="hostids systemd-units"
if [ $# -gt 0 ]; then
case $1 in
"hostids")
if [ $# -gt 1 ]; then
shift
if [ $1 = "--save" ]; then
SAVEFILE=1
fi
fi
# Generate random host IDs
case "${OS}" in
"AIX")
# hexdump does not exist on AIX
HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p)
HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p)
;;
*)
# xxd does not exist on FreeBSD
# Note: hexdump may omit leading or trailing zeroes.
# Take 100 characters as input, turn to hex, then take first 40/64.
HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40)
HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c64)
;;
esac
${ECHOCMD} "Generated host identifiers"
${ECHOCMD} "- hostid: ${HOSTID}"
${ECHOCMD} "- hostid2: ${HOSTID2}"
if [ ${SAVEFILE} -eq 1 ]; then
FILE="${ROOTDIR}etc/lynis/hostids"
if [ -f ${FILE} ]; then
${ECHOCMD} "Error: hostids file already exists (${FILE})"
${ECHOCMD} "Remove the file first and rerun command"
ExitFatal
else
OUTPUT=$(touch ${FILE} 2> /dev/null)
if [ $? -eq 0 ]; then
${ECHOCMD} "Created hostids file (${FILE})"
echo "# generated using 'lynis generate hostids --save'" > ${FILE}
echo "hostid=${HOSTID}" >> ${FILE}
echo "hostid2=${HOSTID2}" >> ${FILE}
else
ExitFatal "Error: could not created hostids file (${FILE}). Issue with permissions?"
fi
fi
fi
ExitClean
;;
"cronjob")
${ECHOCMD} "Not implemented yet"
;;
"systemd-units")
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Step 1: create service unit (/etc/systemd/system/lynis.service)${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} "#"
${ECHOCMD} "# Lynis service file for systemd"
${ECHOCMD} "#"
${ECHOCMD} "#################################################################################"
${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
${ECHOCMD} "# Generator=lynis"
${ECHOCMD} "# Version=1"
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} "[Unit]"
${ECHOCMD} "Description=Security audit and vulnerability scanner"
${ECHOCMD} "Documentation=https://cisofy.com/docs/"
${ECHOCMD} ""
${ECHOCMD} "[Service]"
${ECHOCMD} "Nice=19"
${ECHOCMD} "IOSchedulingClass=best-effort"
${ECHOCMD} "IOSchedulingPriority=7"
${ECHOCMD} "Type=simple"
MYBINARY=$(which lynis 2>/dev/null)
MOREOPTIONS=""
if [ -n "${LICENSE_KEY}" ]; then
MOREOPTIONS=" --upload"
fi
${ECHOCMD} "ExecStart=${MYBINARY:-/path/to/lynis} audit system --cronjob${MOREOPTIONS}"
${ECHOCMD} ""
${ECHOCMD} "[Install]"
${ECHOCMD} "WantedBy=multi-user.target"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Step 2: create timer unit (/etc/systemd/system/lynis.timer)${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} "#"
${ECHOCMD} "# Lynis timer file for systemd"
${ECHOCMD} "#"
${ECHOCMD} "#################################################################################"
${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
${ECHOCMD} "# Generator=lynis"
${ECHOCMD} "# Version=1"
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} "[Unit]"
${ECHOCMD} "Description=Daily timer for the Lynis security audit and vulnerability scanner"
${ECHOCMD} ""
${ECHOCMD} "[Timer]"
${ECHOCMD} "OnCalendar=daily"
${ECHOCMD} "RandomizedDelaySec=1800"
${ECHOCMD} "Persistent=false"
${ECHOCMD} ""
${ECHOCMD} "[Install]"
${ECHOCMD} "WantedBy=timers.target"
${ECHOCMD} ""
${ECHOCMD} "#################################################################################"
${ECHOCMD} ""
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Step 3 - Enable the timer${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "Tell systemd you made changes: systemctl daemon-reload"
${ECHOCMD} ""
${ECHOCMD} "Enable and start the timer (so no reboot is needed): systemctl enable --now lynis.timer"
${ECHOCMD} ""
${ECHOCMD} ""
${ECHOCMD} "${BG_BLUE}Optional - Customize${NORMAL}"
${ECHOCMD} ""
${ECHOCMD} "Want to override the timer? Run: systemctl edit lynis.timer"
${ECHOCMD} "Note: set the timer by first resetting it, then set the preferred value"
${ECHOCMD} ""
${ECHOCMD} "[Timer]"
${ECHOCMD} "OnCalendar="
${ECHOCMD} "OnCalendar=*-*-* 03:00:00"
${ECHOCMD} ""
;;
*) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis generate" ;;
esac
else
${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
for ITEM in ${GENERATE_ARGS}; do
${ECHOCMD} " lynis generate ${BROWN}${ITEM}${NORMAL}"
done
${ECHOCMD} "\n"
${ECHOCMD} ""
${ECHOCMD} "Extended help about the generate command can be provided with: $0 show commands generate"
fi
ExitClean
# The End