#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Read profile/template
#
#################################################################################
#
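    #
    # Parse every profile listed in PROFILES (space-separated list of paths)
    # and turn each option into a global setting. Two line formats are read:
    #   option=value          (current style)
    #   config:option:value   (old style)
    # Any option not listed in the case statement below is fatal, so a typo in
    # a profile stops the audit instead of being silently ignored.
    #
    Display --indent 2 --text "- Checking profiles..."

    # PROFILES is intentionally left unquoted: it holds a list of file names
    for PROFILE in ${PROFILES}; do
        LogText "Reading profile/configuration ${PROFILE}"
        # Keep only option lines. Spaces are replaced by a placeholder so the
        # for-loop below sees exactly one word per line; the placeholder is
        # restored once the value has been extracted.
        FIND=$(egrep "^config:|^[a-z-].*=" "${PROFILE}" | sed 's/ /!space!/g')
        # Disable pathname expansion while splitting: a value such as "*" must
        # stay literal instead of expanding to the files in the current directory
        set -f
        for I in ${FIND}; do
            # Only a line that starts with the old-style prefix is old style; a
            # value that merely contains "config:" must not switch the parser.
            case "${I}" in
                config:*)
                    OPTION=$(printf '%s\n' "${I}" | cut -d ':' -f2)
                    # -f3- keeps everything after the second ':' so values that
                    # contain ':' themselves (URLs, host:port) are not truncated
                    VALUE=$(printf '%s\n' "${I}" | cut -d ':' -f3- | sed 's/!space!/ /g')
                ;;
                *)
                    OPTION=$(printf '%s\n' "${I}" | cut -d '=' -f1)
                    # -f2- keeps everything after the first '=' so values that
                    # contain '=' (query strings, upload options) are not truncated
                    VALUE=$(printf '%s\n' "${I}" | cut -d '=' -f2- | sed 's/!space!/ /g')
                ;;
            esac
            Debug "Profile option set: ${OPTION} (with value ${VALUE})"

            # Boolean options below accept a value starting with 1, true or yes
            # (prefix match, mirroring the original "^(1|true|yes)" test).
            case "${OPTION}" in

                # Define which compliance standards are enabled (comma-separated)
                compliance_standards | check-compliance)
                    COMPLIANCE_STANDARDS_ENABLED=$(printf '%s\n' "${VALUE}" | tr ',' ' ')
                    # Use a dedicated loop variable; reusing I would shadow the outer loop
                    for STANDARD in ${COMPLIANCE_STANDARDS_ENABLED}; do
                        case "${STANDARD}" in
                            cis)      COMPLIANCE_ENABLE_CIS=1      ; Debug "Compliance scanning for CIS Benchmarks is enabled" ;;
                            hipaa)    COMPLIANCE_ENABLE_HIPAA=1    ; Debug "Compliance scanning for HIPAA is enabled" ;;
                            iso27001) COMPLIANCE_ENABLE_ISO27001=1 ; Debug "Compliance scanning for ISO27001 is enabled" ;;
                            pci-dss)  COMPLIANCE_ENABLE_PCI_DSS=1  ; Debug "Compliance scanning for PCI DSS is enabled" ;;
                            *) LogText "Result: Unknown compliance standard configured" ;;
                        esac
                    done
                ;;

                # Maximum number of WAITing connections
                connections_max_wait_state)
                    OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}"
                ;;

                # Append something to URL for control information
                control_url_append)
                    CONTROL_URL_APPEND="${VALUE}"
                ;;

                # Prepend an URL before control information link
                control_url_prepend)
                    CONTROL_URL_PREPEND="${VALUE}"
                ;;

                # Protocol to use for control information link
                control_url_protocol)
                    CONTROL_URL_PROTOCOL="${VALUE}"
                ;;

                # Append something to URL for control information (only applies to CUST-*)
                custom_url_append)
                    CUSTOM_URL_APPEND="${VALUE}"
                ;;

                # Prepend an URL before control information link (only applies to CUST-*)
                custom_url_prepend)
                    CUSTOM_URL_PREPEND="${VALUE}"
                ;;

                # Protocol to use for control information link (only applies to CUST-*)
                custom_url_protocol)
                    CUSTOM_URL_PROTOCOL="${VALUE}"
                ;;

                # Do not check security repository in sources.list (Debian/Ubuntu)
                debian_skip_security_repository)
                    OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY="${VALUE}"
                ;;

                # Debug mode (--debug)
                debug)
                    case "${VALUE}" in 1*|true*|yes*) DEBUG=1 ;; esac
                    Debug "Debug mode set to ${DEBUG}"
                ;;

                # Development mode (--developer)
                developer-mode)
                    case "${VALUE}" in 1*|true*|yes*) DEVELOPER_MODE=1 ;; esac
                    Debug "Developer mode set to ${DEVELOPER_MODE}"
                ;;

                # Show non-zero exit code when errors are found
                error-on-warnings)
                    case "${VALUE}" in 1*|true*|yes*) ERROR_ON_WARNINGS=1 ;; esac
                    Debug "Exit with different code on warnings is set to ${ERROR_ON_WARNINGS}"
                ;;

                # Skip FreeBSD port audit
                freebsd_skip_portaudit)
                    LogText "Option set: Skip FreeBSD portaudit"
                    OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}"
                ;;

                # Lynis Enterprise: group name
                group)
                    GROUP_NAME="${VALUE}"
                ;;

                # Lynis Enterprise license key
                license_key | license-key)
                    LICENSE_KEY="${VALUE}"
                    # NOTE(review): the key is written verbatim into the report
                    # file, so report files need the same access control as the profile
                    Report "license_key=${LICENSE_KEY}"
                ;;

                # Do (not) log tests if they have an different operating system
                log_tests_incorrect_os)
                    LogText "Option set: No logging for incorrect OS"
                    if [ "${VALUE}" = "no" ]; then LOG_INCORRECT_OS=0; else LOG_INCORRECT_OS=1; fi
                ;;

                # What type of machine we are scanning (eg. desktop, server, server with storage)
                machine_role)
                    MACHINE_ROLE="${VALUE}"
                ;;

                # Define if any found NTP daemon instance is configured as a server or client
                ntpd_role)
                    NTPD_ROLE="${VALUE}"
                ;;

                # How much seconds to wait between tests
                pause_between_tests | pause-between-tests)
                    # NOTE(review): not validated here; presumably consumed as a
                    # sleep argument elsewhere - confirm the consumer rejects non-numeric input
                    TEST_PAUSE_TIME="${VALUE}"
                ;;

                # Plugin
                plugin)
                    LogText "Plugin ${VALUE} enabled according profile ${PROFILE}"
                ;;

                # Plugin directory (a program argument takes precedence over the profile)
                plugindir | plugin-dir)
                    if [ -z "${PLUGINDIR}" ]; then
                        PLUGINDIR="${VALUE}"
                    else
                        LogText "Plugin directory was already set to ${PLUGINDIR} before (most likely as a program argument), not overwriting"
                    fi
                ;;

                # Profile name
                profile_name)
                    PROFILE_NAME="${VALUE}"
                ;;

                # Quick (no waiting for keypresses); "true" accepted for consistency with the other booleans
                quick)
                    case "${VALUE}" in 1*|true*|yes*) QUICKMODE=1 ;; esac
                    Debug "Quickmode set to ${QUICKMODE}"
                ;;

                # Inline tips about tool (default enabled)
                show_tool_tips | show-tool-tips)
                    # NOTE(review): the original pattern disables tips on "1" as well
                    # as on false/no; kept as-is, but "0" looks like the intended value
                    case "${VALUE}" in 1*|false*|no*) SHOW_TOOL_TIPS=0 ;; esac
                    Debug "Show tool tips set to ${SHOW_TOOL_TIPS}"
                ;;

                # Show warnings only (implies quiet and quick mode)
                show-warnings-only)
                    # Only switch modes when the option is actually enabled; a value of
                    # "0" or "no" previously still forced QUIET and QUICKMODE on
                    case "${VALUE}" in
                        1*|true*|yes*)
                            QUIET=1
                            QUICKMODE=1
                            SHOW_WARNINGS_ONLY=1
                        ;;
                    esac
                    Debug "Show warnings only set to ${SHOW_WARNINGS_ONLY}"
                ;;

                # Skip plugins
                skip-plugins)
                    case "${VALUE}" in 1*|true*|yes*) RUN_PLUGINS=0 ;; esac
                    Debug "Run plugins is set to ${RUN_PLUGINS}"
                ;;

                # Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
                skip-test)
                    # Test IDs are compared case-insensitively, so normalise to lower case
                    STRING=$(printf '%s\n' "${VALUE}" | tr '[:upper:]' '[:lower:]')
                    SKIP_TESTS="${SKIP_TESTS} ${STRING}"
                ;;

                # Tests to always skip (useful for false positives or problematic tests)
                test_skip_always)
                    TEST_SKIP_ALWAYS="${VALUE}"
                    LogText "Tests to be skipped: ${VALUE}"
                ;;

                # Do not check the latest version on the internet
                skip_upgrade_test | skip-upgrade-test)
                    case "${VALUE}" in 1*|true*|yes*) SKIP_UPGRADE_TEST=1 ;; esac
                    Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}"
                ;;

                # Define what kind of scan we are performing
                test_scan_mode | test-scan-mode)
                    case "${VALUE}" in
                        light)  SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="NO";  SCAN_TEST_HEAVY="NO"  ;;
                        normal) SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="NO"  ;;
                        full)   SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES" ;;
                        *)      LogText "Unknown test scan mode ${VALUE}, keeping current scan settings" ;;
                    esac
                ;;

                # Server IP or hostname
                update_server_address)
                    UPDATE_SERVER_ADDRESS="${VALUE}"
                ;;

                # Protocol (http, https)
                update_server_protocol)
                    UPDATE_SERVER_PROTOCOL="${VALUE}"
                ;;

                # File path to tarball on server
                update_latest_version_download)
                    UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}"
                ;;

                # File path to information file
                update_latest_version_info)
                    UPDATE_LATEST_VERSION_INFO="${VALUE}"
                ;;

                # Local directory where lynis directory will be placed
                update_local_directory)
                    UPDATE_LOCAL_DIRECTORY="${VALUE}"
                ;;

                # Local file to maintain current version
                update_local_version_info)
                    UPDATE_LOCAL_VERSION_INFO="${VALUE}"
                ;;

                # Compression of uploads (enabled by default; only "0" disables it)
                upload_compressed | compressed-uploads)
                    if [ "${VALUE}" = "0" ]; then COMPRESSED_UPLOADS=0; fi
                ;;

                # Options during upload of data
                upload_options | upload-options)
                    UPLOAD_OPTIONS="${VALUE}"
                ;;

                # Proxy settings
                upload_proxy_port | proxy-port)
                    UPLOAD_PROXY_PORT="${VALUE}"
                ;;
                upload_proxy_protocol | proxy-protocol)
                    UPLOAD_PROXY_PROTOCOL="${VALUE}"
                ;;
                upload_proxy_server | proxy-server)
                    UPLOAD_PROXY_SERVER="${VALUE}"
                ;;

                # Receiving system (IP address or hostname)
                upload_server | upload-server)
                    UPLOAD_SERVER="${VALUE}"
                ;;

                # Verbose output (--verbose)
                verbose)
                    case "${VALUE}" in 1*|true*|yes*) VERBOSE=1 ;; esac
                    Debug "Verbose set to ${VERBOSE}"
                ;;

                # Catch all bad options and bail out
                *)
                    LogText "Unknown option ${OPTION} (with value: ${VALUE})"
                    echo "Fatal error: found errors in profile ${PROFILE}"
                    echo "Unknown option '${OPTION}' found (with value: ${VALUE})"
                    ExitFatal
                ;;

            esac

        done
        # Restore pathname expansion for the rest of the program
        set +f
    done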
#
#################################################################################
#
    # Record the accumulated skip list (may be empty) for troubleshooting
    LogText "Skip tests: ${SKIP_TESTS}"
#
#################################################################################
#
    # Only add the group name to the report when a profile provided one
    if [ -n "${GROUP_NAME}" ]; then
        Report "group=${GROUP_NAME}"
    fi
#
#################################################################################
#
    # Fall back to defaults for the options no profile configured

    if [ -z "${MACHINE_ROLE}" ]; then
        MACHINE_ROLE="server"
        LogText "Set option to default value: MACHINE_ROLE --> ${MACHINE_ROLE}"
    fi

    if [ -z "${NTPD_ROLE}" ]; then
        NTPD_ROLE="client"
        LogText "Set option to default value: NTPD_ROLE --> ${NTPD_ROLE}"
    fi

#
#################################################################################
#

# Separator in the log file between profile handling and whatever is included next
LogTextBreak

#================================================================================
# Lynis - Copyright 2007-2016, Michael Boelen - CISOfy, https://cisofy.com