* Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Parameter checks
#
#################################################################################
#
# Check number of parameters submitted (at least one is needed)
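# Command-line parser.
#
# Walks the positional parameters once. The first word may be a helper
# command (audit, configure, show, update, upload-only); everything else is
# treated as an option. Apart from printing messages, calling nroff for the
# man page and exiting on errors, this block only records the choices in
# shell variables; nothing in this block reads them back.
#
# ExitFatal, ExitClean, ExitCustom, DisplayToolTip and RemoveColors, and the
# colour variables (RED, WHITE, NORMAL, ...) are defined outside this block.
#
# NOTE(review): options that take a value (--auditor, --license-key,
# --logfile, --profile, --plugindir, --report-file, --tests, ...) shift
# without checking that a value follows. When such an option is the last
# word, the variable is set to an empty string and the shift at the bottom of
# the loop runs with no parameters left, which is shell-dependent behaviour.
PARAMCOUNT=$#

while [ $# -ge 1 ]; do
    case $1 in

        # Helpers first
        audit)
            CHECK_BINARIES=0
            RUN_HELPERS=1
            HELPER="audit"
            SKIP_PLUGINS=1
            RUN_TESTS=0
            if [ $# -gt 1 ]; then
                case $2 in
                    "dockerfile")
                        if [ "$3" = "" ]; then
                            echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
                            echo "Example: $0 audit dockerfile /root/Dockerfile"
                            ExitFatal
                        else
                            # Drop "audit" and "dockerfile"; $1 is now the file name or URL.
                            # The value is stored as given and is not validated here.
                            shift; shift
                            HELPER_PARAMS="$1"
                            HELPER="audit_dockerfile"
                            break
                        fi
                    ;;
                    "system")
                        if [ $# -gt 2 ]; then
                            if [ "$3" = "remote" ]; then
                                # Drop "audit"; the remote target is now expected in $3.
                                shift
                                if [ "$3" = "" ]; then
                                    echo "${RED}Error: ${WHITE}Missing remote location${NORMAL}"
                                    echo "Example: $0 audit system remote 192.168.1.100"
                                    ExitFatal
                                else
                                    REMOTE_TARGET="$3"
                                    shift; shift; shift # shift out first three arguments
                                    EXTRA_PARAMS=""
                                    # "$@" inside an assignment collapses the remaining arguments
                                    # into one space-joined string, so the original argument
                                    # boundaries and quoting are lost. The command is only printed
                                    # here, not executed; review it before pasting it on the target
                                    # if any argument contains spaces or shell metacharacters.
                                    if [ ! "$1" = "" ]; then EXTRA_PARAMS=" $@"; fi
                                    # --quick is added to be non-interactive
                                    REMOTE_COMMAND="./lynis audit system --quick${EXTRA_PARAMS}"
                                    echo ""
                                    echo " How to perform a remote scan:"
                                    echo " ============================="
                                    echo " Target : ${REMOTE_TARGET}"
                                    echo " Command : ${REMOTE_COMMAND}"
                                    HELPER="system_remote_scan"
                                    HELPER_PARAMS="$@"
                                    CHECK_BINARIES=0
                                    QUIET=1
                                    RUN_HELPERS=1
                                    SKIP_PLUGINS=1
                                    RUN_TESTS=0
                                    SHOW_PROGRAM_DETAILS=0
                                    break
                                fi
                            fi
                        fi
                        # Plain "audit system": undo the helper defaults set above and
                        # switch to a normal test run.
                        CHECK=1
                        CHECK_BINARIES=1
                        HELPER=""
                        SKIP_PLUGINS=0
                        RUN_TESTS=1
                        shift

                    ;;
                esac
            else
                echo "${RED}Error: ${WHITE}Need a target to audit${NORMAL}"
                echo " "
                echo "Examples:"
                echo "lynis audit dockerfile"
                echo "lynis audit system"
                ExitFatal
            fi
        ;;

        # Configure Lynis
        configure)
            CHECK_BINARIES=0
            RUN_HELPERS=1
            QUIET=1
            SKIP_PLUGINS=1
            RUN_TESTS=0
            SHOW_PROGRAM_DETAILS=0
            if [ $# -gt 0 ]; then shift; fi
            HELPER="configure"
            HELPER_PARAMS="$@"
            break
        ;;

        # Show Lynis details
        show)
            CHECK_BINARIES=0
            HELPER="show"
            LOGTEXT=0
            QUIET=1
            RUN_HELPERS=1
            RUN_TESTS=0
            RUN_UPDATE_CHECK=0
            SKIP_PLUGINS=1
            SHOW_PROGRAM_DETAILS=0
            SHOW_TOOL_TIPS=0
            shift; HELPER_PARAMS="$@"
            break
        ;;

        update)
            CHECK_BINARIES=0
            RUN_HELPERS=1
            HELPER="update"
            QUIET=1
            SKIP_PLUGINS=1
            RUN_TESTS=0
            RUN_UPDATE_CHECK=0
            SHOW_PROGRAM_DETAILS=0
            SHOW_TOOL_TIPS=0
            if [ $# -gt 1 ]; then
                shift
                HELPER_PARAMS="$1"
                break
            else
                echo "${RED}Error: ${WHITE}Need a target for update${NORMAL}"
                echo " "
                echo "Examples:"
                echo "lynis update check"
                echo "lynis update info"
                ExitFatal
            fi
        ;;

        # Perform just the upload
        "upload-only" | "only-upload")
            CHECK_BINARIES=1
            CREATE_REPORT_FILE=0
            #QUIET=1
            LOGTEXT=0
            RUN_HELPERS=0
            RUN_TESTS=0
            RUN_UPDATE_CHECK=0
            SKIP_PLUGINS=1
            SHOW_REPORT=0
            SHOW_TOOL_TIPS=0
            SHOW_PROGRAM_DETAILS=0
            UPLOAD_DATA=1
            # Only catches words that follow the command; options placed before
            # it have already been consumed by earlier iterations of the loop.
            if [ $# -gt 1 ]; then echo "No other parameters or options are allowed when using 'upload-only' command"; ExitFatal; fi
        ;;

        # Assign auditor to report
        --auditor)
            shift
            AUDITORNAME=$1
        ;;

        # Binary directories (useful for incident response)
        --bindirs | --bin-dirs)
            if [ $# -gt 1 ]; then
                shift
                DIRS="$1"
                # The argument is one space-separated list, so the unquoted $1 is
                # split into words on purpose (it is also subject to globbing).
                for DIR in $1; do
                    # Quoted so that a glob result or an odd value is tested as a
                    # single path instead of being re-split by the shell.
                    if [ ! -d "${DIR}" ]; then
                        echo "Invalid bindir '${DIR}' provided (does not exist)"
                        exit 1
                    fi
                done
                # NOTE(review): existence is the only check made here; ownership
                # and permissions of the directories are not examined.
                BIN_PATHS="${DIRS}"
            else
                echo "Need one or more directories (e.g. \"/mnt/cert/bin /mnt/cert/sbin\")"
                exit 1
            fi
        ;;

        # Perform tests (deprecated, use audit system)
        --check-all | --checkall | -c)
            DisplayToolTip "Usage of option -c is deprecated. Please use: lynis audit system [options]"
            CHECK=1
        ;;

        # Cronjob support
        --cron-job | --cronjob | --cron)
            CRONJOB=1
            CHECK=1; QUICKMODE=1; COLORS=0; NEVERBREAK=1 # Use some defaults (-c, -Q, no colors)
            RemoveColors
        ;;

        # Perform tests with additional debugging information on screen
        --debug)
            DEBUG=1
        ;;

        # Developer mode (more details when creating tests)
        --developer)
            DEVELOPER_MODE=1
        ;;

        # Display all available options with short alias
        --dump-options | --dumpoptions)
            # Entries are split on whitespace below; "_" stands for a space
            # inside one entry and is converted back when printing.
            OPTIONS="--auditor
--check-all_(-c) --cronjob_(--cron)
--debug
--help_(-h)
--info
--license-key --log-file
--manpage_(--man)
--no-colors --no-log
--pentest --profile --plugins-dir
--quiet_(-q) --quick_(-Q)
--report-file --reverse-colors
--tests
--upload
--version_(-V)"
            for I in ${OPTIONS}; do
                echo "${I}" | tr '_' ' '
            done
            ExitClean
        ;;

        # View help
        --help | -h | "-?")
            VIEWHELP=1
        ;;

        # View program/database information
        --check-update | --check-updates | --info)
            echo "This option is deprecated"
            echo "Use: lynis update info"
            ExitClean
        ;;

        # License key for Lynis Enterprise
        # A key passed on the command line is part of the process arguments, so
        # it can show up in process listings and in shell history on the host.
        --license-key)
            shift
            LICENSE_KEY=$1
        ;;

        # Adjust default logfile location
        # NOTE(review): the path is stored as given; this block does not check
        # where it points or who can write to that location.
        --logfile | --log-file)
            shift
            LOGFILE=$1
        ;;

        # Don't use colors
        --no-colors | --nocolors)
            COLORS=0
            RemoveColors
        ;;

        # Disable logging
        --no-log | --nolog)
            LOGFILE="/dev/null"
        ;;

        # Pentest mode flag (only recorded here)
        --pen-test | --pentest)
            PENTESTINGMODE=1
        ;;

        # Define a custom profile file
        # NOTE(review): the value is stored as given and is not validated here.
        --profile)
            shift
            SEARCH_PROFILES=$1
        ;;

        # Define a custom plugin directory
        --plugindir | --plugin-dir | --plugins-dir)
            shift
            PLUGINDIR=$1
            # printf with a quoted argument: the value is passed to awk unchanged
            # (no word splitting, no globbing, no echo option parsing).
            LASTCHAR=$(printf '%s\n' "$1" | awk '{ print substr($0, length($0))}')
            if [ "${LASTCHAR}" = "/" ]; then
                echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
                ExitCustom 65
            fi
            # Quoted on purpose: unquoted, an empty value turns the test into
            # `[ ! -d ]`, which is false, so a missing or empty directory
            # argument was accepted as valid.
            if [ ! -d "${PLUGINDIR}" ]; then
                echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}"
                ExitCustom 66
            fi
            # NOTE(review): only "is a directory" is verified here; ownership and
            # permissions of the plugin directory are not checked in this block.
        ;;

        # Quiet mode
        --quiet | -q)
            QUIET=1
            QUICKMODE=1 # Run non-interactive
        ;;

        # Non-interactive mode
        --quick | -Q)
            QUICKMODE=1
        ;;

        # Define alternative report file
        # NOTE(review): the path is stored as given; this block does not check
        # where it points or who can write to that location.
        --report-file)
            shift
            REPORTFILE=$1
        ;;

        # Strip the colors which aren't clearly visible on light backgrounds
        --reverse-colors)
            BLUE="${NORMAL}";
            SECTION="${NORMAL}";
            NOTICE="${NORMAL}";
            CYAN="${NORMAL}";
            GREEN="${NORMAL}";
            YELLOW="${NORMAL}";
            WHITE="${NORMAL}";
            PURPLE="${NORMAL}";
        ;;

        # Root directory (useful for forensics)
        --rootdir | --root-dir)
            if [ $# -gt 1 ]; then
                shift
                # Quoted on purpose: unquoted, an empty value turns the test into
                # `[ -d ]`, which is true, so an empty root directory was accepted.
                if [ -d "$1" ]; then
                    ROOTDIR="$1"
                else
                    echo "Invalid rootdir provided (does not exist)"
                    exit 1
                fi
            else
                echo "Need a root directory (e.g. /mnt/forensics)"
                exit 1
            fi
        ;;

        # Skip execution of plugins
        --skip-plugins | --no-plugins)
            SKIP_PLUGINS=1
        ;;

        # Only scan these tests
        --tests)
            shift
            TESTS_TO_PERFORM=$1
        ;;

        # Scan one or more tests from just one category (e.g. security)
        --tests-from-category)
            shift
            TEST_CATEGORY_TO_CHECK=$1
        ;;

        # Scan one or more tests from just one group
        # NOTE(review): --test-from-group is listed twice; the second entry was
        # presumably meant to be a different alias. Left unchanged.
        --tests-from-group | --tests-from-groups | --test-from-group | --test-from-group)
            shift
            TEST_GROUP_TO_CHECK=$1
        ;;

        # Lynis Enterprise: upload data to central node
        --upload)
            UPLOAD_DATA=1
        ;;

        --verbose)
            VERBOSE=1
        ;;

        # Version number
        --version | -V)
            echo "${PROGRAM_VERSION}"
            exit 0
        ;;

        # View man page
        --view-manpage | --man-page | --manpage | --man)
            # lynis.8 is looked up relative to the current working directory.
            if [ -f lynis.8 ]; then
                nroff -man lynis.8
                exit 0
            else
                echo "Error: man page file not found (lynis.8)"
                echo "If you are running an installed version of Lynis, use 'man lynis'"
                exit 1
            fi
        ;;

        --wait)
            QUICKMODE=0
        ;;

        # Warnings
        --warnings-only | --show-warnings-only)
            SHOW_WARNINGS_ONLY=1
            QUICKMODE=1
            QUIET=1
        ;;

        --tests-category | --tests-categories | --view-categories | --list-categories | --show-categories)
            echo "Error: Deprecated option ($1)"
            exit 1
        ;;

        # Drop out when using wrong option(s)
        *)
            # Wrong option used, we bail out later
            WRONGOPTION=1
            WRONGOPTION_value=$1
        ;;

    esac
    # Consume the word handled above. If a value option was the last word on
    # the command line, no parameters are left at this point.
    shift

done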
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com