mirror of https://github.com/CISOfy/lynis.git
408 lines
13 KiB
Bash
408 lines
13 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2013-2016, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Parameter checks
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Check number of parameters submitted (at least one is needed)
|
|
PARAMCOUNT=$#
|
|
while [ $# -ge 1 ]; do
|
|
case $1 in
|
|
# Helpers first
|
|
audit)
|
|
CHECK_BINARIES=0
|
|
RUN_HELPERS=1
|
|
HELPER="audit"
|
|
SKIP_PLUGINS=1
|
|
RUN_TESTS=0
|
|
if [ $# -gt 1 ]; then
|
|
case $2 in
|
|
"dockerfile")
|
|
if [ "$3" = "" ]; then
|
|
echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
|
|
echo "Example: $0 audit dockerfile /root/Dockerfile"
|
|
ExitFatal
|
|
else
|
|
shift; shift
|
|
HELPER_PARAMS="$1 $2 $3"
|
|
HELPER="audit_dockerfile"
|
|
break
|
|
fi
|
|
;;
|
|
"system")
|
|
if [ $# -gt 2 ]; then
|
|
if [ "$3" = "remote" ]; then
|
|
shift
|
|
if [ "$3" = "" ]; then
|
|
echo "${RED}Error: ${WHITE}Missing remote location${NORMAL}"
|
|
echo "Example: $0 audit system remote 192.168.1.100"
|
|
ExitFatal
|
|
else
|
|
REMOTE_TARGET="$3"
|
|
shift; shift; shift # shift out first three arguments
|
|
EXTRA_PARAMS=""
|
|
if [ ! "$1" = "" ]; then EXTRA_PARAMS=" $@"; fi
|
|
# --quick is added to be non-interactive
|
|
REMOTE_COMMAND="./lynis audit system --quick${EXTRA_PARAMS}"
|
|
echo ""
|
|
echo " How to perform a remote scan:"
|
|
echo " ============================="
|
|
echo " Target : ${REMOTE_TARGET}"
|
|
echo " Command : ${REMOTE_COMMAND}"
|
|
HELPER="system_remote_scan"
|
|
HELPER_PARAMS="$@"
|
|
CHECK_BINARIES=0
|
|
QUIET=1
|
|
RUN_HELPERS=1
|
|
SKIP_PLUGINS=1
|
|
RUN_TESTS=0
|
|
SHOW_PROGRAM_DETAILS=0
|
|
break
|
|
fi
|
|
fi
|
|
fi
|
|
CHECK=1
|
|
CHECK_BINARIES=1
|
|
HELPER=""
|
|
SKIP_PLUGINS=0
|
|
RUN_TESTS=1
|
|
shift
|
|
|
|
;;
|
|
esac
|
|
else
|
|
echo "${RED}Error: ${WHITE}Need a target to audit${NORMAL}"
|
|
echo " "
|
|
echo "Examples:"
|
|
echo "lynis audit dockerfile"
|
|
echo "lynis audit system"
|
|
ExitFatal
|
|
fi
|
|
;;
|
|
|
|
# Configure Lynis
|
|
configure)
|
|
CHECK_BINARIES=0
|
|
RUN_HELPERS=1
|
|
QUIET=1
|
|
SKIP_PLUGINS=1
|
|
RUN_TESTS=0
|
|
SHOW_PROGRAM_DETAILS=0
|
|
if [ $# -gt 0 ]; then shift; fi
|
|
HELPER="configure"
|
|
HELPER_PARAMS="$@"
|
|
break
|
|
;;
|
|
|
|
# Show Lynis details
|
|
show)
|
|
CHECK_BINARIES=0
|
|
HELPER="show"
|
|
QUIET=1
|
|
RUN_HELPERS=1
|
|
RUN_TESTS=0
|
|
RUN_UPDATE_CHECK=0
|
|
SKIP_PLUGINS=1
|
|
LOGTEXT=0
|
|
SHOW_TOOL_TIPS=0
|
|
SHOW_PROGRAM_DETAILS=0
|
|
shift; HELPER_PARAMS="$@"
|
|
break
|
|
;;
|
|
|
|
update)
|
|
CHECK_BINARIES=0
|
|
RUN_HELPERS=1
|
|
HELPER="update"
|
|
QUIET=1
|
|
SKIP_PLUGINS=1
|
|
RUN_TESTS=0
|
|
SHOW_PROGRAM_DETAILS=0
|
|
if [ ! $2 = "" ]; then
|
|
shift
|
|
HELPER_PARAMS="$1 $2"
|
|
break
|
|
else
|
|
echo "${RED}Error: ${WHITE}Need a target for update${NORMAL}"
|
|
echo " "
|
|
echo "Examples:"
|
|
echo "lynis update check"
|
|
echo "lynis update info"
|
|
echo "lynis update release"
|
|
ExitFatal
|
|
fi
|
|
;;
|
|
|
|
# Assign auditor to report
|
|
--auditor)
|
|
shift
|
|
AUDITORNAME=$1
|
|
;;
|
|
|
|
# Binary directories (useful for incident response)
|
|
--bindirs | --bin-dirs)
|
|
if [ $# -gt 1 ]; then
|
|
shift
|
|
DIRS="$1"
|
|
for DIR in $1; do
|
|
if [ ! -d ${DIR} ]; then
|
|
echo "Invalid bindir '${DIR}' provided (does not exist)"
|
|
exit 1
|
|
fi
|
|
done
|
|
BIN_PATHS="${DIRS}"
|
|
else
|
|
echo "Need one or more directories (e.g. \"/mnt/cert/bin /mnt/cert/sbin\")"
|
|
exit 1
|
|
fi
|
|
;;
|
|
|
|
# Perform tests (deprecated, use audit system)
|
|
--check-all | --checkall | -c)
|
|
DisplayToolTip "Usage of option -c is deprecated. Please use: lynis audit system [options]"
|
|
CHECK=1
|
|
;;
|
|
|
|
# Cronjob support
|
|
--cron-job | --cronjob | --cron)
|
|
CRONJOB=1
|
|
CHECK=1; QUICKMODE=1; COLORS=0; NEVERBREAK=1 # Use some defaults (-c, -Q, no colors)
|
|
RemoveColors
|
|
;;
|
|
|
|
# Perform tests with additional debugging information on screen
|
|
--debug)
|
|
DEBUG=1
|
|
;;
|
|
|
|
# Developer mode (more details when creating tests)
|
|
--developer)
|
|
DEVELOPER_MODE=1
|
|
;;
|
|
|
|
# Display all available options with short alias
|
|
--dump-options | --dumpoptions)
|
|
OPTIONS="--auditor
|
|
--check-all_(-c) --config --cronjob_(--cron)
|
|
--debug
|
|
--help_(-h)
|
|
--info
|
|
--license-key --log-file
|
|
--manpage_(--man)
|
|
--no-colors --no-log
|
|
--pentest --profile --plugins-dir
|
|
--quiet_(-q) --quick_(-Q)
|
|
--report-file --reverse-colors
|
|
--tests
|
|
--upload
|
|
--version_(-V)"
|
|
for I in ${OPTIONS}; do
|
|
echo "${I}" | tr '_' ' '
|
|
done
|
|
ExitClean
|
|
;;
|
|
|
|
# View help
|
|
--help | -h | "-?")
|
|
VIEWHELP=1
|
|
;;
|
|
|
|
# View program/database information
|
|
--check-update | --check-updates | --info)
|
|
echo "This option is deprecated"
|
|
echo "Use: lynis update info"
|
|
ExitClean
|
|
;;
|
|
|
|
# License key for Lynis Enterprise
|
|
--license-key)
|
|
shift
|
|
LICENSE_KEY=$1
|
|
;;
|
|
|
|
# Adjust default logfile location
|
|
--logfile | --log-file)
|
|
shift
|
|
LOGFILE=$1
|
|
;;
|
|
|
|
# Don't use colors
|
|
--no-colors | --nocolors)
|
|
COLORS=0
|
|
RemoveColors
|
|
;;
|
|
|
|
# Disable logging
|
|
--no-log | --nolog)
|
|
LOGFILE="/dev/null"
|
|
;;
|
|
|
|
--pen-test | --pentest)
|
|
PENTESTINGMODE=1
|
|
;;
|
|
|
|
# Define a custom profile file
|
|
--profile)
|
|
shift
|
|
SEARCH_PROFILES=$1
|
|
;;
|
|
|
|
# Define a custom plugin directory
|
|
--plugindir | --plugin-dir | --plugins-dir)
|
|
shift
|
|
PLUGINDIR=$1
|
|
LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'`
|
|
if [ "${LASTCHAR}" = "/" ]; then
|
|
echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
|
|
ExitCustom 65
|
|
fi
|
|
if [ ! -d ${PLUGINDIR} ]; then
|
|
echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}"
|
|
ExitCustom 66
|
|
fi
|
|
;;
|
|
|
|
# Quiet mode
|
|
--quiet | -q)
|
|
QUIET=1
|
|
QUICKMODE=1 # Run non-interactive
|
|
;;
|
|
|
|
# Non-interactive mode
|
|
--quick | -Q)
|
|
QUICKMODE=1
|
|
;;
|
|
|
|
# Define alternative report file
|
|
--report-file)
|
|
shift
|
|
REPORTFILE=$1
|
|
;;
|
|
|
|
# Strip the colors which aren't clearly visible on light backgrounds
|
|
--reverse-colors)
|
|
BLUE="${NORMAL}";
|
|
SECTION="${NORMAL}";
|
|
NOTICE="${NORMAL}";
|
|
CYAN="${NORMAL}";
|
|
GREEN="${NORMAL}";
|
|
YELLOW="${NORMAL}";
|
|
WHITE="${NORMAL}";
|
|
PURPLE="${NORMAL}";
|
|
;;
|
|
|
|
# Root directory (useful for forensics)
|
|
--rootdir | --root-dir)
|
|
if [ $# -gt 1 ]; then
|
|
shift
|
|
if [ -d $1 ]; then
|
|
ROOTDIR="$1"
|
|
else
|
|
echo "Invalid rootdir provided (does not exist)"
|
|
exit 1
|
|
fi
|
|
else
|
|
echo "Need a root directory (e.g. /mnt/forensics)"
|
|
exit 1
|
|
fi
|
|
;;
|
|
|
|
# Skip execution of plugins
|
|
--skip-plugins | --no-plugins)
|
|
SKIP_PLUGINS=1
|
|
;;
|
|
|
|
# Only scan these tests
|
|
--tests)
|
|
shift
|
|
TESTS_TO_PERFORM=$1
|
|
;;
|
|
|
|
# Scan one or more tests from just one category (e.g. security)
|
|
--tests-from-category)
|
|
shift
|
|
TEST_CATEGORY_TO_CHECK=$1
|
|
;;
|
|
|
|
# Scan one or more tests from just on group
|
|
--tests-from-group | --tests-from-groups | --test-from-group | --test-from-group)
|
|
shift
|
|
TEST_GROUP_TO_CHECK=$1
|
|
;;
|
|
|
|
# Lynis Enterprise: upload data to central node
|
|
--upload)
|
|
UPLOAD_DATA=1
|
|
;;
|
|
|
|
--verbose)
|
|
VERBOSE=1
|
|
;;
|
|
|
|
# Version number
|
|
--version | -V)
|
|
echo "${PROGRAM_VERSION}"
|
|
exit 0
|
|
;;
|
|
|
|
# View man page
|
|
--view-manpage | --man-page | --manpage | --man)
|
|
if [ -f lynis.8 ]; then
|
|
nroff -man lynis.8
|
|
exit 0
|
|
else
|
|
echo "Error: man page file not found (lynis.8)"
|
|
echo "If you are running an installed version of Lynis, use 'man lynis'"
|
|
exit 1
|
|
fi
|
|
;;
|
|
|
|
--wait)
|
|
QUICKMODE=0
|
|
;;
|
|
|
|
# Warnings
|
|
--warnings-only | --show-warnings-only)
|
|
SHOW_WARNINGS_ONLY=1
|
|
QUICKMODE=1
|
|
QUIET=1
|
|
;;
|
|
|
|
--tests-category | --tests-categories | --view-categories | --list-categories | --show-categories)
|
|
echo "Error: Deprecated option ($1)"
|
|
exit 1
|
|
;;
|
|
|
|
# Drop out when using wrong option(s)
|
|
*)
|
|
# Wrong option used, we bail out later
|
|
WRONGOPTION=1
|
|
WRONGOPTION_value=$1
|
|
;;
|
|
|
|
esac
|
|
shift
|
|
|
|
done
|
|
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|