mirror of https://github.com/CISOfy/lynis.git
191 lines
7.2 KiB
Bash
191 lines
7.2 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2020, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
######################################################################
|
|
#
|
|
# Helper program to generate specific details such as host IDs
|
|
#
|
|
######################################################################
|
|
#
|
|
# How to use:
|
|
# ------------
|
|
# Run: lynis generate <option>
|
|
#
|
|
######################################################################
|
|
|
|
SAVEFILE=0
|
|
GENERATE_ARGS="hostids systemd-units"
|
|
|
|
if [ $# -gt 0 ]; then
|
|
case $1 in
|
|
"hostids")
|
|
|
|
if [ $# -gt 1 ]; then
|
|
shift
|
|
if [ $1 = "--save" ]; then
|
|
SAVEFILE=1
|
|
fi
|
|
fi
|
|
|
|
# Generate random host IDs
|
|
case "${OS}" in
|
|
"AIX")
|
|
# hexdump does not exist on AIX
|
|
HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p)
|
|
HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p)
|
|
;;
|
|
*)
|
|
# xxd does not exist on FreeBSD
|
|
HOSTID=$(head -c20 < /dev/urandom | hexdump -ve '"%.2x"')
|
|
HOSTID2=$(head -c32 < /dev/urandom | hexdump -ve '"%.2x"')
|
|
;;
|
|
esac
|
|
|
|
${ECHOCMD} "Generated host identifiers"
|
|
${ECHOCMD} "- hostid: ${HOSTID}"
|
|
${ECHOCMD} "- hostid2: ${HOSTID2}"
|
|
|
|
if [ ${SAVEFILE} -eq 1 ]; then
|
|
FILE="${ROOTDIR}etc/lynis/hostids"
|
|
if [ -f ${FILE} ]; then
|
|
${ECHOCMD} "Error: hostids file already exists (${FILE})"
|
|
${ECHOCMD} "Remove the file first and rerun command"
|
|
ExitFatal
|
|
else
|
|
OUTPUT=$(touch ${FILE} 2> /dev/null)
|
|
if [ $? -eq 0 ]; then
|
|
${ECHOCMD} "Created hostids file (${FILE})"
|
|
echo "# generated using 'lynis generate hostids --save'" > ${FILE}
|
|
echo "hostid=${HOSTID}" >> ${FILE}
|
|
echo "hostid2=${HOSTID2}" >> ${FILE}
|
|
else
|
|
ExitFatal "Error: could not created hostids file (${FILE}). Issue with permissions?"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
ExitClean
|
|
;;
|
|
|
|
"cronjob")
|
|
${ECHOCMD} "Not implemented yet"
|
|
;;
|
|
|
|
"systemd-units")
|
|
|
|
${ECHOCMD} ""
|
|
|
|
${ECHOCMD} "${BG_BLUE}Step 1: create service unit (/etc/systemd/system/lynis.service)${NORMAL}"
|
|
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "#################################################################################"
|
|
${ECHOCMD} "#"
|
|
${ECHOCMD} "# Lynis service file for systemd"
|
|
${ECHOCMD} "#"
|
|
${ECHOCMD} "#################################################################################"
|
|
${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
|
|
${ECHOCMD} "# Generator=lynis"
|
|
${ECHOCMD} "# Version=1"
|
|
${ECHOCMD} "#################################################################################"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "[Unit]"
|
|
${ECHOCMD} "Description=Security audit and vulnerability scanner"
|
|
${ECHOCMD} "Documentation=https://cisofy.com/docs/"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "[Service]"
|
|
${ECHOCMD} "Nice=19"
|
|
${ECHOCMD} "IOSchedulingClass=best-effort"
|
|
${ECHOCMD} "IOSchedulingPriority=7"
|
|
${ECHOCMD} "Type=simple"
|
|
MYBINARY=$(which lynis 2>/dev/null)
|
|
MOREOPTIONS=""
|
|
if [ -n "${LICENSE_KEY}" ]; then
|
|
MOREOPTIONS=" --upload"
|
|
fi
|
|
${ECHOCMD} "ExecStart=${MYBINARY:-/path/to/lynis} audit system --cronjob${MOREOPTIONS}"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "[Install]"
|
|
${ECHOCMD} "WantedBy=multi-user.target"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "#################################################################################"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} ""
|
|
|
|
${ECHOCMD} "${BG_BLUE}Step 2: create timer unit (/etc/systemd/system/lynis.timer)${NORMAL}"
|
|
${ECHOCMD} ""
|
|
|
|
${ECHOCMD} "#################################################################################"
|
|
${ECHOCMD} "#"
|
|
${ECHOCMD} "# Lynis timer file for systemd"
|
|
${ECHOCMD} "#"
|
|
${ECHOCMD} "#################################################################################"
|
|
${ECHOCMD} "# Do not remove, so Lynis can provide a hint when a newer unit is available"
|
|
${ECHOCMD} "# Generator=lynis"
|
|
${ECHOCMD} "# Version=1"
|
|
${ECHOCMD} "#################################################################################"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "[Unit]"
|
|
${ECHOCMD} "Description=Daily timer for the Lynis security audit and vulnerability scanner"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "[Timer]"
|
|
${ECHOCMD} "OnCalendar=daily"
|
|
${ECHOCMD} "RandomizedDelaySec=1800"
|
|
${ECHOCMD} "Persistent=false"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "[Install]"
|
|
${ECHOCMD} "WantedBy=timers.target"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "#################################################################################"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} ""
|
|
|
|
${ECHOCMD} "${BG_BLUE}Step 3 - Enable the timer${NORMAL}"
|
|
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "Tell systemd you made changes: systemctl daemon-reload"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "Enable and start the timer (so no reboot is needed): systemctl enable --now lynis.timer"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "${BG_BLUE}Optional - Customize${NORMAL}"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "Want to override the timer? Run: systemctl edit lynis.timer"
|
|
${ECHOCMD} "Note: set the timer by first resetting it, then set the preferred value"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "[Timer]"
|
|
${ECHOCMD} "OnCalendar="
|
|
${ECHOCMD} "OnCalendar=*-*-* 03:00:00"
|
|
${ECHOCMD} ""
|
|
;;
|
|
*) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis generate" ;;
|
|
esac
|
|
else
|
|
${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
|
|
for ITEM in ${GENERATE_ARGS}; do
|
|
${ECHOCMD} " lynis generate ${BROWN}${ITEM}${NORMAL}"
|
|
done
|
|
${ECHOCMD} "\n"
|
|
${ECHOCMD} ""
|
|
${ECHOCMD} "Extended help about the generate command can be provided with: $0 show commands generate"
|
|
fi
|
|
|
|
|
|
ExitClean
|
|
|
|
# The End
|