author | Michael Boelen <michael.boelen@cisofy.com> | 2019-07-13 21:03:30 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2019-07-13 21:03:30 +0300 |
commit | 9f7e0775a57781ae6e7a247e71a149f25ef7a02d (patch) | |
tree | 3272cd985b763b7ae8761f9b8c1d691063593b05 /include/helper_generate | |
parent | 63a66a971cbf2ef98453ac77aacb27269132b10b (diff) |
New command: lynis generate systemd-units
Diffstat (limited to 'include/helper_generate')
-rw-r--r-- | include/helper_generate | 89 |
1 files changed, 88 insertions, 1 deletions
diff --git a/include/helper_generate b/include/helper_generate index bdcfb44d..8641be2d 100644 --- a/include/helper_generate +++ b/include/helper_generate @@ -29,7 +29,7 @@ ###################################################################### SAVEFILE=0 -GENERATE_ARGS="hostids" +GENERATE_ARGS="hostids systemd-units" if [ $# -gt 0 ]; then case $1 in 
@@ -71,6 +71,93 @@ if [ $# -gt 0 ]; then ExitClean ;; + + "cronjob") + ${ECHOCMD} "Not implemented yet" + ;; + + "systemd-units") + + ${ECHOCMD} "" + + ${ECHOCMD} "${BG_BLUE}Step 1: create service unit (/etc/systemd/system/lynis.service)${NORMAL}" + + ${ECHOCMD} "" + ${ECHOCMD} "#################################################################################" + ${ECHOCMD} "#" + ${ECHOCMD} "# Lynis service file for systemd" + ${ECHOCMD} "#" + ${ECHOCMD} "#################################################################################" + ${ECHOCMD} "" + ${ECHOCMD} "[Unit]" + ${ECHOCMD} "Description=Security audit and vulnerability scanner" + ${ECHOCMD} "Documentation=https://cisofy.com/docs/" + ${ECHOCMD} "" + ${ECHOCMD} "[Service]" + ${ECHOCMD} "Nice=19" + ${ECHOCMD} "IOSchedulingClass=best-effort" + ${ECHOCMD} "IOSchedulingPriority=7" + ${ECHOCMD} "Type=simple" + MYBINARY=$(which lynis 2>/dev/null) + MOREOPTIONS="" + if [ -n "${LICENSE_KEY}" ]; then + MOREOPTIONS=" --upload" + fi + ${ECHOCMD} "ExecStart=${MYBINARY:-/path/to/lynis} audit system --cronjob${MOREOPTIONS}" + ${ECHOCMD} "" + ${ECHOCMD} "[Install]" + ${ECHOCMD} "WantedBy=multi-user.target" + ${ECHOCMD} "" + ${ECHOCMD} "#################################################################################" + ${ECHOCMD} "" + ${ECHOCMD} "" + + ${ECHOCMD} "${BG_BLUE}Step 2: create timer unit (/etc/systemd/system/lynis.timer)${NORMAL}" + ${ECHOCMD} "" + + ${ECHOCMD} "#################################################################################" + ${ECHOCMD} "#" + ${ECHOCMD} "# Lynis timer file for systemd" + ${ECHOCMD} "#" + ${ECHOCMD} "#################################################################################" + ${ECHOCMD} "# Do not remove, so Lynis can provide advice if a newer unit is available" + ${ECHOCMD} "# Generator=lynis" + ${ECHOCMD} "# Version=1" + ${ECHOCMD} "#################################################################################" + ${ECHOCMD} "" + ${ECHOCMD} "[Unit]" + ${ECHOCMD} 
"Description=Daily timer for the Lynis security audit and vulnerability scanner" + ${ECHOCMD} "" + ${ECHOCMD} "[Timer]" + ${ECHOCMD} "OnCalendar=daily" + ${ECHOCMD} "RandomizedDelaySec=1800" + ${ECHOCMD} "Persistent=false" + ${ECHOCMD} "" + ${ECHOCMD} "[Install]" + ${ECHOCMD} "WantedBy=timers.target" + ${ECHOCMD} "" + ${ECHOCMD} "#################################################################################" + ${ECHOCMD} "" + ${ECHOCMD} "" + + ${ECHOCMD} "${BG_BLUE}Step 3 - Enable the timer${NORMAL}" + + ${ECHOCMD} "" + ${ECHOCMD} "Tell systemd you made changes: systemctl daemon-reload" + ${ECHOCMD} "" + ${ECHOCMD} "Enable and start the timer (so no reboot is needed): systemctl enable --now lynis.timer" + ${ECHOCMD} "" + ${ECHOCMD} "" + ${ECHOCMD} "${BG_BLUE}Optional - Customize${NORMAL}" + ${ECHOCMD} "" + ${ECHOCMD} "Want to override the timer? Run: systemctl edit lynis.timer" + ${ECHOCMD} "Note: set the timer by first resetting it, then set the preferred value" + ${ECHOCMD} "" + ${ECHOCMD} "[Timer]" + ${ECHOCMD} "OnCalendar=" + ${ECHOCMD} "OnCalendar=*-*-* 03:00:00" + ${ECHOCMD} "" + ;; *) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis generate" ;; esac else |
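Review bot: In the `systemd-units` branch, `MYBINARY=$(which lynis 2>/dev/null)` copies whatever the invoking user's PATH resolves first straight into the printed `ExecStart=` line, and a unit installed under /etc/systemd/system with no `User=` runs as root. If a user-writable directory sits ahead of the system ones in that PATH, the daily timer ends up pointing root at a file an unprivileged account can replace. I would resolve with `MYBINARY=$(command -v lynis 2>/dev/null)` (POSIX, unlike `which`) and print a warning next to the unit when the result is not an absolute path or the file is not root-owned or is group/world-writable. The `/path/to/lynis` fallback is likewise emitted with no hint that it must be edited, so a comment line such as `# Replace /path/to/lynis with the full path of the lynis binary` above `ExecStart=` would help. The enclosing `case` statement starts outside this hunk.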