#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2013-2016, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Read profile/template # ################################################################################# # for PROFILE in ${PROFILES}; do LogText "Reading profile/configuration ${PROFILE}" FIND=`egrep "^config:|^[a-z-].*=" ${PROFILE} | sed 's/ /!space!/g'` for I in ${FIND}; do if ContainsString "config:" "${I}"; then # Old style configuration OPTION=`echo ${I} | cut -d ':' -f2` VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'` else OPTION=`echo ${I} | cut -d '=' -f1` VALUE=`echo ${I} | cut -d '=' -f2 | sed 's/!space!/ /g'` fi Debug "Profile option set: ${OPTION} (with value ${VALUE})" case ${OPTION} in # Define which compliance standards are enabled compliance_standards | check-compliance) COMPLIANCE_STANDARDS_ENABLED=`echo ${VALUE} | tr ',' ' '` for I in ${COMPLIANCE_STANDARDS_ENABLED}; do case $I in cis) COMPLIANCE_ENABLE_CIS=1 ; Debug "Compliance scanning for CIS Benchmarks is enabled" ;; hipaa) COMPLIANCE_ENABLE_HIPAA=1 ; Debug "Compliance scanning for HIPAA is enabled" ;; iso27001) COMPLIANCE_ENABLE_ISO27001=1 ; Debug "Compliance scanning for ISO27001 is enabled" ;; pci-dss) COMPLIANCE_ENABLE_PCI_DSS=1 ; Debug "Compliance scanning for PCI DSS is enabled" ;; *) LogText "Result: Unknown compliance standard configured" ;; esac done ;; # Check for a specific value check-value) STRING=$(echo ${VALUE} | tr -d "[" | tr -d "]" | sed "s/, /,/g") CHECK_VALUE_ARRAY="${CHECK_OPTION_ARRAY} ${STRING}" ;; # Maximum number of WAITing connections connections_max_wait_state) OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}" AddSetting "connections-max-wait-state" "${OPTIONS_CONN_MAX_WAIT_STATE}" "Connections (max-wait-state)" ;; # Append something to URL for control information control_url_append) CONTROL_URL_APPEND="${VALUE}" AddSetting "control-url-append" "${CONTROL_URL_APPEND}" "Control URL (append)" ;; # Prepend an URL before control information link control_url_prepend) CONTROL_URL_PREPEND="${VALUE}" AddSetting "control-url-prepend" "${CONTROL_URL_PREPEND}" "Control URL (prepend)" ;; # Protocol to use for control information link control_url_protocol) CONTROL_URL_PROTOCOL="${VALUE}" AddSetting "control-url-protocol" "${CONTROL_URL_PREPEND}" "Control URL (protocol)" ;; # Append something to URL for control information (only applies to CUST-*) custom-url-append | custom_url_append) CUSTOM_URL_APPEND="${VALUE}" AddSetting "custom-url-append" "${CUSTOM_URL_APPEND}" "Custom URL (append)" ;; # Prepend an URL before control information link (only applies to CUST-*) custom-url-prepend | custom_url_prepend) CUSTOM_URL_PREPEND="${VALUE}" AddSetting "custom-url-prepend" "${CUSTOM_URL_PREPEND}" "Custom URL (prepend)" ;; # Protocol to use for control information link custom-url-protocol | custom_url_protocol) CUSTOM_URL_PROTOCOL="${VALUE}" AddSetting "custom-url-protocol" "${CUSTOM_URL_PREPEND}" "Custom URL (protocol)" ;; # Do not check security repository in sources.list (Debian/Ubuntu) debian_skip_security_repository) OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY="${VALUE}" ;; debug) FIND=`echo "${VALUE}" | egrep "^(1|true|yes)"` && DEBUG=1 Debug "Debug mode set to ${DEBUG}" AddSetting "debug" "${DEBUG}" "Debugging mode" ;; # Development mode (--developer) developer-mode) FIND=`echo "${VALUE}" | egrep "^(1|true|yes)"` && DEVELOPER_MODE=1 Debug "Developer mode set to ${DEVELOPER_MODE}" AddSetting "developer" "${DEVELOPER_MODE}" "Developer mode" ;; # Show non-zero exit code when errors are found error-on-warnings) FIND=`echo "${VALUE}" | egrep "^(1|true|yes)"` && ERROR_ON_WARNINGS=1 Debug "Exit with different code on warnings is set to ${ERROR_ON_WARNINGS}" AddSetting "error-on-warnings" "${ERROR_ON_WARNINGS}" "Use non-zero exit code if one or more warnings were found" ;; # Skip FreeBSD port audit freebsd_skip_portaudit) LogText "Option set: Skip FreeBSD portaudit" OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}" ;; # Lynis Enterprise: group name group) GROUP_NAME="${VALUE}" AddSetting "group" "${GROUP_NAME}" "Group" ;; # Language language | lang) LogText "Language set via profile to ${VALUE}" LANGUAGE="${VALUE}" AddSetting "language" "${LANGUAGE}" "Language" ;; # Lynis Enterprise license key license_key | license-key) LICENSE_KEY="${VALUE}" Report "license_key=${LICENSE_KEY}" AddSetting "license-key" "${LICENSE_KEY}" "License key" ;; # Do (not) log tests if they have an different operating system log_tests_incorrect_os) LogText "Option set: No logging for incorrect OS" if [ "${VALUE}" = "no" ]; then LOG_INCORRECT_OS=0; else LOG_INCORRECT_OS=1; fi ;; # What type of machine we are scanning (eg. desktop, server, server with storage) machine-role | machine_role) MACHINE_ROLE="${VALUE}" AddSetting "machine-role" "${MACHINE_ROLE}" "Machine role (server or desktop)" ;; # Define if any found NTP daemon instance is configured as a server or client ntpd-role | ntpd_role) NTPD_ROLE="${VALUE}" AddSetting "ntpd-role" "${NTPD_ROLE}" "NTP role (server or client)" ;; # How much seconds to wait between tests pause_between_tests | pause-between-tests) TEST_PAUSE_TIME="${VALUE}" AddSetting "pause-between-tests" "${TEST_PAUSE_TIME}" "Pause between tests" ;; # Plugin plugin) LogText "Plugin ${VALUE} enabled according profile ${PROFILE}" ;; # Plugin directory plugindir | plugin-dir) if [ "${PLUGINDIR}" = "" ]; then PLUGINDIR="${VALUE}" else LogText "Plugin directory was already set to ${PLUGINDIR} before (most likely as a program argument), not overwriting" fi AddSetting "plugin-dir" "${PLUGINDIR}" "Plugin directory" ;; # Profile name profile-name | profile_name) PROFILE_NAME="${VALUE}" ;; # Quick (no waiting for keypresses) quick) FIND=`echo "${VALUE}" | egrep "^(1|yes)"` && QUICKMODE=1 Debug "Quickmode set to ${QUICKMODE}" ;; # Inline tips about tool (default enabled) show_tool_tips | show-tool-tips) FIND=`echo "${VALUE}" | egrep "^(1|false|no)"` && SHOW_TOOL_TIPS=0 Debug "Show tool tips set to ${SHOW_TOOL_TIPS}" ;; # Show warnings only show-warnings-only) QUIET=1 QUICKMODE=1 FIND=`echo "${VALUE}" | egrep "^(1|true|yes)"` && SHOW_WARNINGS_ONLY=1 Debug "Show warnings only set to ${SHOW_WARNINGS_ONLY}" ;; # Skip plugins skip-plugins) FIND=`echo "${VALUE}" | egrep "^(1|true|yes)"` && RUN_PLUGINS=0 Debug "Run plugins is set to ${RUN_PLUGINS}" AddSetting "run-plugins" "${RUN_PLUGINS}" "Run plugins" ;; # SSL paths ssl-certificate-paths) SSL_CERTIFICATE_PATHS="${VALUE}" Debug "SSL paths set to ${SSL_CERTIFICATE_PATHS}" AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates" ;; # Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest) skip-test) STRING=`echo ${VALUE} | tr '[:upper:]' '[:lower:]'` SKIP_TESTS="${SKIP_TESTS} ${STRING}" ;; # Tests to always skip (useful for false positives or problematic tests) test_skip_always) TEST_SKIP_ALWAYS="${VALUE}" LogText "Tests to be skipped: ${VALUE}" ;; # Do not check the latest version on the internet skip_upgrade_test | skip-upgrade-test) FIND=`echo "${VALUE}" | egrep "^(1|true|yes)"` && SKIP_UPGRADE_TEST=1 Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}" AddSetting "skip-upgrade-test" "${SKIP_UPGRADE_TEST}" "Skip upgrade test" ;; # Define what kind of scan we are performing test_scan_mode | test-scan-mode) if [ "${VALUE}" = "light" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="NO"; SCAN_TEST_HEAVY="NO"; fi if [ "${VALUE}" = "normal" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="NO"; fi if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi ;; # Server IP or hostname update_server_address) UPDATE_SERVER_ADDRESS="${VALUE}" AddSetting "update-server-address" "${UPDATE_SERVER_ADDRESS}" "Update server (address)" ;; # Protocol (http, https) update_server_protocol) UPDATE_SERVER_PROTOCOL="${VALUE}" AddSetting "update-server-protocol" "${UPDATE_SERVER_PROTOCOL}" "Update server (protocol)" ;; # File path to tarball on server update_latest_version_download) UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}" AddSetting "update-latest-version-download" "${UPDATE_LATEST_VERSION_DOWNLOAD}" "Update information: file path to latest update" ;; # File path to information file update_latest_version_info) UPDATE_LATEST_VERSION_INFO="${VALUE}" AddSetting "update-latest-version-info" "${UPDATE_LATEST_VERSION_INFO}" "Update information: file path to information file" ;; # Local directory where lynis directory will be placed update_local_directory) UPDATE_LOCAL_DIRECTORY="${VALUE}" AddSetting "update-local-directory" "${UPDATE_LOCAL_DIRECTORY}" "Update information: local directory for updates" ;; # Local file to maintain current version update_local_version_info) UPDATE_LOCAL_VERSION_INFO="${VALUE}" AddSetting "update-local-version-info" "${UPDATE_LOCAL_VERSION_INFO}" "Update information: local file for latest release" ;; # Compression of uploads (enabled by default) upload_compressed | compressed-uploads) if [ "${VALUE}" = "0" ]; then COMPRESSED_UPLOADS=0; fi AddSetting "compressed-uploads" "${COMPRESSED_UPLOADS}" "Compressed uploads" ;; # Options during upload of data upload_options | upload-options) UPLOAD_OPTIONS="${VALUE}" AddSetting "upload-options" "${UPLOAD_OPTIONS}" "Upload options" ;; # Proxy settings upload_proxy_port | proxy-port | upload-proxy-port) UPLOAD_PROXY_PORT="${VALUE}" AddSetting "upload-proxy-port" "${UPLOAD_PROXY_PORT}" "Proxy port" ;; upload_proxy_protocol | proxy-protocol) UPLOAD_PROXY_PROTOCOL="${VALUE}" AddSetting "upload-proxy-protocol" "${UPLOAD_PROXY_PROTOCOL}" "Proxy protocol" ;; upload_proxy_server | proxy-server) UPLOAD_PROXY_SERVER="${VALUE}" AddSetting "upload-proxy-server" "${UPLOAD_PROXY_PORT}" "Proxy server" ;; # Receiving system (IP address or hostname) upload_server | upload-server) UPLOAD_SERVER="${VALUE}" AddSetting "upload-server" "${UPLOAD_SERVER}" "Upload server (ip or hostname)" ;; # Specify an alternative upload tool upload-tool) if [ -f "${VALUE}" ]; then UPLOAD_TOOL="${VALUE}"; fi AddSetting "upload-tool" "${UPLOAD_TOOL}" "Upload tool" ;; # Specify arguments for an alternative upload tool upload-tool-arguments) UPLOAD_TOOL_ARGS="${VALUE}" AddSetting "upload-tool-arguments" "${UPLOAD_TOOL_ARGS}" "Upload tool (arguments)" ;; # Verbose output (--verbose) verbose) FIND=`echo "${VALUE}" | egrep "^(1|true|yes)"` && VERBOSE=1 Debug "Verbose set to ${VERBOSE}" AddSetting "verbose" "${VERBOSE}" "Verbose output" ;; # Catch all bad options and bail out *) LogText "Unknown option ${OPTION} (with value: ${VALUE})" ${ECHOCMD} "" ${ECHOCMD} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}" ${ECHOCMD} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})" ${ECHOCMD} "" ExitFatal ;; esac done done # ################################################################################# # LogText "Skip tests: ${SKIP_TESTS}" # ################################################################################# # # Add group name to report if [ ! "${GROUP_NAME}" = "" ]; then Report "group=${GROUP_NAME}" fi # ################################################################################# # # Set default values (only if not configured in profile) if [ "${MACHINE_ROLE}" = "" ]; then MACHINE_ROLE="server" LogText "Set option to default value: MACHINE_ROLE --> ${MACHINE_ROLE}" fi if [ "${NTPD_ROLE}" = "" ]; then NTPD_ROLE="client" LogText "Set option to default value: NTPD_ROLE --> ${NTPD_ROLE}" fi # ################################################################################# # Display --indent 2 --text "- Checking profiles..." --result "DONE" --color GREEN LogTextBreak #================================================================================ # Lynis - Copyright 2007-2016, Michael Boelen - CISOfy, https://cisofy.com