#!/bin/sh

#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Read profile/template
#
#################################################################################
#
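# Parse every profile listed in PROFILES and copy its settings into the global
# variables that the rest of the scan reads.
#
# Accepted line formats:
#   config:<option>:<value>     old style (fields 2 and 3, ':' separated)
#   <option>=<value>            current style (everything after the first '=')
#
# Globals read:    PROFILES, PLUGINDIR
# Globals written: the option variables assigned in the case arms below
# Exits:           through ExitFatal when a profile holds an unknown option
#
# Review notes:
# - Values are stored as read; this section validates none of them. According
#   to the option comments below they include server addresses, protocols,
#   upload options and a plugin directory, so a profile has to be treated as
#   trusted input. Ownership/permission checks on the profile file are not
#   visible in this section -- confirm they happen before this point.
# - Lines are read one by one instead of word-splitting the grep output. The
#   earlier "!space!" substitution is no longer needed, and values containing
#   glob characters (*, ?, [) are no longer expanded against the working
#   directory.
# - Boolean options still match on the prefix of the value (1*, true*, yes*),
#   as the former egrep "^(1|true|yes)" did.
Display --indent 2 --text "- Checking profiles..."

# PROFILES is split on whitespace on purpose (list of profile paths)
for PROFILE in ${PROFILES}; do
    LogText "Reading profile/configuration ${PROFILE}"
    FIND=$(egrep "^config:|^[a-z-].*=" "${PROFILE}")

    # The lines arrive on file descriptor 3 through a here-document: no
    # subshell (assignments survive the loop) and stdin stays untouched.
    while IFS= read -r CONFIGLINE <&3; do
        # An empty result still yields one empty line
        if [ -z "${CONFIGLINE}" ]; then continue; fi

        case "${CONFIGLINE}" in
            config:*)
                # Old style configuration; only a line that *starts* with
                # "config:" is treated this way
                OPTION=$(printf '%s\n' "${CONFIGLINE}" | cut -d ':' -f2)
                VALUE=$(printf '%s\n' "${CONFIGLINE}" | cut -d ':' -f3)
            ;;
            *)
                # Split on the first '=' only, so a value may contain '='
                OPTION="${CONFIGLINE%%=*}"
                VALUE="${CONFIGLINE#*=}"
            ;;
        esac

        # Keep the license key out of the debug output
        case "${OPTION}" in
            license_key | license-key) Debug "Profile option set: ${OPTION} (value hidden)" ;;
            *)                         Debug "Profile option set: ${OPTION} (with value ${VALUE})" ;;
        esac

        case "${OPTION}" in

            # Define which compliance standards are enabled
            compliance_standards | check-compliance)
                COMPLIANCE_STANDARDS_ENABLED=$(printf '%s\n' "${VALUE}" | tr ',' ' ')
                # Unquoted on purpose: the list is split on whitespace
                for STANDARD in ${COMPLIANCE_STANDARDS_ENABLED}; do
                    case "${STANDARD}" in
                        cis)      COMPLIANCE_ENABLE_CIS=1      ; Debug "Compliance scanning for CIS Benchmarks is enabled" ;;
                        hipaa)    COMPLIANCE_ENABLE_HIPAA=1    ; Debug "Compliance scanning for HIPAA is enabled" ;;
                        iso27001) COMPLIANCE_ENABLE_ISO27001=1 ; Debug "Compliance scanning for ISO27001 is enabled" ;;
                        pci-dss)  COMPLIANCE_ENABLE_PCI_DSS=1  ; Debug "Compliance scanning for PCI DSS is enabled" ;;
                        *)        LogText "Result: Unknown compliance standard configured" ;;
                    esac
                done
            ;;

            # Check for a specific value
            check-value)
                STRING=$(printf '%s\n' "${VALUE}" | tr -d '[]' | sed 's/, */,/g')
                # NOTE(review): CHECK_OPTION_ARRAY is not assigned anywhere in
                # this section, so each check-value line replaces the previous
                # one. If accumulation was intended this should probably read
                # CHECK_VALUE_ARRAY -- confirm against the consumer.
                CHECK_VALUE_ARRAY="${CHECK_OPTION_ARRAY} ${STRING}"
            ;;

            # Maximum number of WAITing connections
            connections_max_wait_state)
                OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}"
            ;;

            # Append something to URL for control information
            control_url_append)
                CONTROL_URL_APPEND="${VALUE}"
            ;;

            # Prepend an URL before control information link
            control_url_prepend)
                CONTROL_URL_PREPEND="${VALUE}"
            ;;

            # Protocol to use for control information link
            control_url_protocol)
                CONTROL_URL_PROTOCOL="${VALUE}"
            ;;

            # Append something to URL for control information (only applies to CUST-*)
            custom_url_append)
                CUSTOM_URL_APPEND="${VALUE}"
            ;;

            # Prepend an URL before control information link (only applies to CUST-*)
            custom_url_prepend)
                CUSTOM_URL_PREPEND="${VALUE}"
            ;;

            # Protocol to use for control information link
            custom_url_protocol)
                CUSTOM_URL_PROTOCOL="${VALUE}"
            ;;

            # Do not check security repository in sources.list (Debian/Ubuntu)
            debian_skip_security_repository)
                OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY="${VALUE}"
            ;;

            # Debug mode
            debug)
                case "${VALUE}" in 1* | true* | yes*) DEBUG=1 ;; esac
                Debug "Debug mode set to ${DEBUG}"
            ;;

            # Development mode (--developer)
            developer-mode)
                case "${VALUE}" in 1* | true* | yes*) DEVELOPER_MODE=1 ;; esac
                Debug "Developer mode set to ${DEVELOPER_MODE}"
            ;;

            # Show non-zero exit code when errors are found
            error-on-warnings)
                case "${VALUE}" in 1* | true* | yes*) ERROR_ON_WARNINGS=1 ;; esac
                Debug "Exit with different code on warnings is set to ${ERROR_ON_WARNINGS}"
            ;;

            # Skip FreeBSD port audit
            freebsd_skip_portaudit)
                LogText "Option set: Skip FreeBSD portaudit"
                OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}"
            ;;

            # Lynis Enterprise: group name
            group)
                GROUP_NAME="${VALUE}"
            ;;

            # Lynis Enterprise license key
            # The key is written to the report, so the report file needs the
            # same protection as the profile that holds the key.
            license_key | license-key)
                LICENSE_KEY="${VALUE}"
                Report "license_key=${LICENSE_KEY}"
            ;;

            # Do (not) log tests if they have an different operating system
            log_tests_incorrect_os)
                LogText "Option set: No logging for incorrect OS"
                if [ "${VALUE}" = "no" ]; then LOG_INCORRECT_OS=0; else LOG_INCORRECT_OS=1; fi
            ;;

            # What type of machine we are scanning (eg. desktop, server, server with storage)
            machine_role)
                MACHINE_ROLE="${VALUE}"
            ;;

            # Define if any found NTP daemon instance is configured as a server or client
            ntpd_role)
                NTPD_ROLE="${VALUE}"
            ;;

            # How much seconds to wait between tests
            pause_between_tests | pause-between-tests)
                TEST_PAUSE_TIME="${VALUE}"
            ;;

            # Plugin
            plugin)
                LogText "Plugin ${VALUE} enabled according profile ${PROFILE}"
            ;;

            # Plugin directory (a value set earlier, e.g. on the command line, wins)
            plugindir | plugin-dir)
                if [ "${PLUGINDIR}" = "" ]; then
                    PLUGINDIR="${VALUE}"
                else
                    LogText "Plugin directory was already set to ${PLUGINDIR} before (most likely as a program argument), not overwriting"
                fi
            ;;

            # Profile name
            profile_name)
                PROFILE_NAME="${VALUE}"
            ;;

            # Quick (no waiting for keypresses)
            quick)
                case "${VALUE}" in 1* | yes*) QUICKMODE=1 ;; esac
                Debug "Quickmode set to ${QUICKMODE}"
            ;;

            # Inline tips about tool (default enabled)
            # Fixed: the value that disables the tips is 0/false/no. The former
            # pattern listed 1 instead of 0, so show_tool_tips=1 switched the
            # tips off and show_tool_tips=0 had no effect.
            show_tool_tips | show-tool-tips)
                case "${VALUE}" in 0* | false* | no*) SHOW_TOOL_TIPS=0 ;; esac
                Debug "Show tool tips set to ${SHOW_TOOL_TIPS}"
            ;;

            # Show warnings only
            # NOTE(review): QUIET and QUICKMODE are set whatever the value is,
            # also for show-warnings-only=no -- confirm this is intended.
            show-warnings-only)
                QUIET=1
                QUICKMODE=1
                case "${VALUE}" in 1* | true* | yes*) SHOW_WARNINGS_ONLY=1 ;; esac
                Debug "Show warnings only set to ${SHOW_WARNINGS_ONLY}"
            ;;

            # Skip plugins
            skip-plugins)
                case "${VALUE}" in 1* | true* | yes*) RUN_PLUGINS=0 ;; esac
                Debug "Run plugins is set to ${RUN_PLUGINS}"
            ;;

            # Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
            skip-test)
                STRING=$(printf '%s\n' "${VALUE}" | tr '[:upper:]' '[:lower:]')
                SKIP_TESTS="${SKIP_TESTS} ${STRING}"
            ;;

            # Tests to always skip (useful for false positives or problematic tests)
            test_skip_always)
                TEST_SKIP_ALWAYS="${VALUE}"
                LogText "Tests to be skipped: ${VALUE}"
            ;;

            # Do not check the latest version on the internet
            skip_upgrade_test | skip-upgrade-test)
                case "${VALUE}" in 1* | true* | yes*) SKIP_UPGRADE_TEST=1 ;; esac
                Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}"
            ;;

            # Define what kind of scan we are performing
            test_scan_mode | test-scan-mode)
                if [ "${VALUE}" = "light" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="NO"; SCAN_TEST_HEAVY="NO"; fi
                if [ "${VALUE}" = "normal" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="NO"; fi
                if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi
            ;;

            # Server IP or hostname
            update_server_address)
                UPDATE_SERVER_ADDRESS="${VALUE}"
            ;;

            # Protocol (http, https)
            # NOTE(review): the value is not restricted here. Presumably it is
            # used to reach the update server; with http that traffic has no
            # transport protection, so profiles should use https -- confirm
            # how the consumer handles it.
            update_server_protocol)
                UPDATE_SERVER_PROTOCOL="${VALUE}"
            ;;

            # File path to tarball on server
            update_latest_version_download)
                UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}"
            ;;

            # File path to information file
            update_latest_version_info)
                UPDATE_LATEST_VERSION_INFO="${VALUE}"
            ;;

            # Local directory where lynis directory will be placed
            update_local_directory)
                UPDATE_LOCAL_DIRECTORY="${VALUE}"
            ;;

            # Local file to maintain current version
            update_local_version_info)
                UPDATE_LOCAL_VERSION_INFO="${VALUE}"
            ;;

            # Compression of uploads (enabled by default)
            upload_compressed | compressed-uploads)
                if [ "${VALUE}" = "0" ]; then COMPRESSED_UPLOADS=0; fi
            ;;

            # Options during upload of data
            # NOTE(review): stored verbatim. Presumably handed to the upload
            # command later, which makes the profile content part of that
            # command line -- verify at the consumer.
            upload_options | upload-options)
                UPLOAD_OPTIONS="${VALUE}"
            ;;

            # Proxy settings
            upload_proxy_port | proxy-port)
                UPLOAD_PROXY_PORT="${VALUE}"
            ;;
            upload_proxy_protocol | proxy-protocol)
                UPLOAD_PROXY_PROTOCOL="${VALUE}"
            ;;
            upload_proxy_server | proxy-server)
                UPLOAD_PROXY_SERVER="${VALUE}"
            ;;

            # Receiving system (IP address or hostname)
            upload_server | upload-server)
                UPLOAD_SERVER="${VALUE}"
            ;;

            # Verbose output (--verbose)
            verbose)
                case "${VALUE}" in 1* | true* | yes*) VERBOSE=1 ;; esac
                Debug "Verbose set to ${VERBOSE}"
            ;;

            # Catch all bad options and bail out
            *)
                LogText "Unknown option ${OPTION} (with value: ${VALUE})"
                echo "Fatal error: found errors in profile ${PROFILE}"
                echo "Unknown option '${OPTION}' found (with value: ${VALUE})"
                ExitFatal
            ;;

        esac

    done 3<<EOF
${FIND}
EOF
done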
#
#################################################################################
#
# Write the collected skip list to the log (the value may be empty)
LogText "Skip tests: ${SKIP_TESTS}"
#
#################################################################################
#
# Add group name to report, but only when a group was configured
if [ -n "${GROUP_NAME}" ]; then
    Report "group=${GROUP_NAME}"
fi
#
#################################################################################
#
# Fall back to defaults for options that are still empty at this point,
# and log each default that gets applied

# Machine role: "server" unless set before
if [ -z "${MACHINE_ROLE}" ]; then
    MACHINE_ROLE="server"
    LogText "Set option to default value: MACHINE_ROLE --> ${MACHINE_ROLE}"
fi

# NTP daemon role: "client" unless set before
if [ -z "${NTPD_ROLE}" ]; then
    NTPD_ROLE="client"
    LogText "Set option to default value: NTPD_ROLE --> ${NTPD_ROLE}"
fi

#
#################################################################################
#

LogTextBreak
#================================================================================
# Lynis - Copyright 2007-2016, Michael Boelen - CISOfy, https://cisofy.com