lynis/include/parameters

408 lines
13 KiB
Bash

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Parameter checks
#
#################################################################################
#
# Check number of parameters submitted (at least one is needed)
PARAMCOUNT=$#
while [ $# -ge 1 ]; do
case $1 in
# Helpers first
audit)
CHECK_BINARIES=0
RUN_HELPERS=1
HELPER="audit"
SKIP_PLUGINS=1
RUN_TESTS=0
if [ $# -gt 1 ]; then
case $2 in
"dockerfile")
if [ "$3" = "" ]; then
echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
echo "Example: $0 audit dockerfile /root/Dockerfile"
ExitFatal
else
shift; shift
HELPER_PARAMS="$1 $2 $3"
HELPER="audit_dockerfile"
break
fi
;;
"system")
if [ $# -gt 2 ]; then
if [ "$3" = "remote" ]; then
shift
if [ "$3" = "" ]; then
echo "${RED}Error: ${WHITE}Missing remote location${NORMAL}"
echo "Example: $0 audit system remote 192.168.1.100"
ExitFatal
else
REMOTE_TARGET="$3"
shift; shift; shift # shift out first three arguments
EXTRA_PARAMS=""
if [ ! "$1" = "" ]; then EXTRA_PARAMS=" $@"; fi
# --quick is added to be non-interactive
REMOTE_COMMAND="./lynis audit system --quick${EXTRA_PARAMS}"
echo ""
echo " How to perform a remote scan:"
echo " ============================="
echo " Target : ${REMOTE_TARGET}"
echo " Command : ${REMOTE_COMMAND}"
HELPER="system_remote_scan"
HELPER_PARAMS="$@"
CHECK_BINARIES=0
QUIET=1
RUN_HELPERS=1
SKIP_PLUGINS=1
RUN_TESTS=0
SHOW_PROGRAM_DETAILS=0
break
fi
fi
fi
CHECK=1
CHECK_BINARIES=1
HELPER=""
SKIP_PLUGINS=0
RUN_TESTS=1
shift
;;
esac
else
echo "${RED}Error: ${WHITE}Need a target to audit${NORMAL}"
echo " "
echo "Examples:"
echo "lynis audit dockerfile"
echo "lynis audit system"
ExitFatal
fi
;;
# Configure Lynis
configure)
CHECK_BINARIES=0
RUN_HELPERS=1
QUIET=1
SKIP_PLUGINS=1
RUN_TESTS=0
SHOW_PROGRAM_DETAILS=0
if [ $# -gt 0 ]; then shift; fi
HELPER="configure"
HELPER_PARAMS="$@"
break
;;
# Show Lynis details
show)
CHECK_BINARIES=0
HELPER="show"
QUIET=1
RUN_HELPERS=1
RUN_TESTS=0
RUN_UPDATE_CHECK=0
SKIP_PLUGINS=1
LOGTEXT=0
SHOW_TOOL_TIPS=0
SHOW_PROGRAM_DETAILS=0
shift; HELPER_PARAMS="$@"
break
;;
update)
CHECK_BINARIES=0
RUN_HELPERS=1
HELPER="update"
QUIET=1
SKIP_PLUGINS=1
RUN_TESTS=0
SHOW_PROGRAM_DETAILS=0
if [ ! $2 = "" ]; then
shift
HELPER_PARAMS="$1 $2"
break
else
echo "${RED}Error: ${WHITE}Need a target for update${NORMAL}"
echo " "
echo "Examples:"
echo "lynis update check"
echo "lynis update info"
echo "lynis update release"
ExitFatal
fi
;;
# Assign auditor to report
--auditor)
shift
AUDITORNAME=$1
;;
# Binary directories (useful for incident response)
--bindirs | --bin-dirs)
if [ $# -gt 1 ]; then
shift
DIRS="$1"
for DIR in $1; do
if [ ! -d ${DIR} ]; then
echo "Invalid bindir '${DIR}' provided (does not exist)"
exit 1
fi
done
BIN_PATHS="${DIRS}"
else
echo "Need one or more directories (e.g. \"/mnt/cert/bin /mnt/cert/sbin\")"
exit 1
fi
;;
# Perform tests (deprecated, use audit system)
--check-all | --checkall | -c)
DisplayToolTip "Usage of option -c is deprecated. Please use: lynis audit system [options]"
CHECK=1
;;
# Cronjob support
--cron-job | --cronjob | --cron)
CRONJOB=1
CHECK=1; QUICKMODE=1; COLORS=0; NEVERBREAK=1 # Use some defaults (-c, -Q, no colors)
RemoveColors
;;
# Perform tests with additional debugging information on screen
--debug)
DEBUG=1
;;
# Developer mode (more details when creating tests)
--developer)
DEVELOPER_MODE=1
;;
# Display all available options with short alias
--dump-options | --dumpoptions)
OPTIONS="--auditor
--check-all_(-c) --config --cronjob_(--cron)
--debug
--help_(-h)
--info
--license-key --log-file
--manpage_(--man)
--no-colors --no-log
--pentest --profile --plugins-dir
--quiet_(-q) --quick_(-Q)
--report-file --reverse-colors
--tests
--upload
--version_(-V)"
for I in ${OPTIONS}; do
echo "${I}" | tr '_' ' '
done
ExitClean
;;
# View help
--help | -h | "-?")
VIEWHELP=1
;;
# View program/database information
--check-update | --check-updates | --info)
echo "This option is deprecated"
echo "Use: lynis update info"
ExitClean
;;
# License key for Lynis Enterprise
--license-key)
shift
LICENSE_KEY=$1
;;
# Adjust default logfile location
--logfile | --log-file)
shift
LOGFILE=$1
;;
# Don't use colors
--no-colors | --nocolors)
COLORS=0
RemoveColors
;;
# Disable logging
--no-log | --nolog)
LOGFILE="/dev/null"
;;
--pen-test | --pentest)
PENTESTINGMODE=1
;;
# Define a custom profile file
--profile)
shift
SEARCH_PROFILES=$1
;;
# Define a custom plugin directory
--plugindir | --plugin-dir | --plugins-dir)
shift
PLUGINDIR=$1
LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'`
if [ "${LASTCHAR}" = "/" ]; then
echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
ExitCustom 65
fi
if [ ! -d ${PLUGINDIR} ]; then
echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}"
ExitCustom 66
fi
;;
# Quiet mode
--quiet | -q)
QUIET=1
QUICKMODE=1 # Run non-interactive
;;
# Non-interactive mode
--quick | -Q)
QUICKMODE=1
;;
# Define alternative report file
--report-file)
shift
REPORTFILE=$1
;;
# Strip the colors which aren't clearly visible on light backgrounds
--reverse-colors)
BLUE="${NORMAL}";
SECTION="${NORMAL}";
NOTICE="${NORMAL}";
CYAN="${NORMAL}";
GREEN="${NORMAL}";
YELLOW="${NORMAL}";
WHITE="${NORMAL}";
PURPLE="${NORMAL}";
;;
# Root directory (useful for forensics)
--rootdir | --root-dir)
if [ $# -gt 1 ]; then
shift
if [ -d $1 ]; then
ROOTDIR="$1"
else
echo "Invalid rootdir provided (does not exist)"
exit 1
fi
else
echo "Need a root directory (e.g. /mnt/forensics)"
exit 1
fi
;;
# Skip execution of plugins
--skip-plugins | --no-plugins)
SKIP_PLUGINS=1
;;
# Only scan these tests
--tests)
shift
TESTS_TO_PERFORM=$1
;;
# Scan one or more tests from just one category (e.g. security)
--tests-from-category)
shift
TEST_CATEGORY_TO_CHECK=$1
;;
# Scan one or more tests from just on group
--tests-from-group | --tests-from-groups | --test-from-group | --test-from-group)
shift
TEST_GROUP_TO_CHECK=$1
;;
# Lynis Enterprise: upload data to central node
--upload)
UPLOAD_DATA=1
;;
--verbose)
VERBOSE=1
;;
# Version number
--version | -V)
echo "${PROGRAM_VERSION}"
exit 0
;;
# View man page
--view-manpage | --man-page | --manpage | --man)
if [ -f lynis.8 ]; then
nroff -man lynis.8
exit 0
else
echo "Error: man page file not found (lynis.8)"
echo "If you are running an installed version of Lynis, use 'man lynis'"
exit 1
fi
;;
--wait)
QUICKMODE=0
;;
# Warnings
--warnings-only | --show-warnings-only)
SHOW_WARNINGS_ONLY=1
QUICKMODE=1
QUIET=1
;;
--tests-category | --tests-categories | --view-categories | --list-categories | --show-categories)
echo "Error: Deprecated option ($1)"
exit 1
;;
# Drop out when using wrong option(s)
*)
# Wrong option used, we bail out later
WRONGOPTION=1
WRONGOPTION_value=$1
;;
esac
shift
done
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com