Sync all scripts from website downloads — 352 scripts total
Includes updated JS challenge scripts with Claude-User whitelist, same-site referer bypass, Blackbox-Exporter allowed bot, and all new exporters, cheat sheets, and automation scripts.
This commit is contained in:
@@ -0,0 +1,383 @@
|
||||
#!/bin/bash
|
||||
################################################################################
|
||||
# Script Name: lynis-metrics-exporter.sh
|
||||
# Version: 1.01
|
||||
# Description: Prometheus exporter for Lynis security auditing — hardening
|
||||
# index, test pass/fail/skip counts, warnings, suggestions,
|
||||
# component scores, and scan metadata
|
||||
#
|
||||
# Author: Phil Connor
|
||||
# Contact: contact@mylinux.work
|
||||
# Website: https://mylinux.work
|
||||
# License: MIT
|
||||
#
|
||||
# Prerequisites:
|
||||
# - Lynis installed (lynis command available)
|
||||
# - Root/sudo access (Lynis requires root for full audit)
|
||||
# - awk, grep
|
||||
#
|
||||
# Usage:
|
||||
# # Output to stdout
|
||||
# sudo ./lynis-metrics-exporter.sh
|
||||
#
|
||||
# # Textfile collector mode
|
||||
# sudo ./lynis-metrics-exporter.sh --textfile
|
||||
#
|
||||
# # HTTP server mode
|
||||
# sudo ./lynis-metrics-exporter.sh --http -p 9194
|
||||
#
|
||||
# Metrics Exported:
|
||||
# - lynis_up - Exporter status (1=up, 0=down)
|
||||
# - lynis_exporter_info{version} - Exporter version info
|
||||
# - lynis_hardening_index - Overall hardening score (0-100)
|
||||
# - lynis_tests_performed - Total tests run
|
||||
# - lynis_tests_passed - Tests passed
|
||||
# - lynis_tests_failed - Tests failed
|
||||
# - lynis_tests_skipped - Tests skipped
|
||||
# - lynis_warnings_total - Total warnings
|
||||
# - lynis_suggestions_total - Total suggestions
|
||||
# - lynis_plugins_enabled - Enabled plugins count
|
||||
# - lynis_vulnerable_packages - Packages with known vulnerabilities
|
||||
# - lynis_firewall_active - Firewall detected and active (1/0)
|
||||
# - lynis_malware_scanner - Malware scanner present (1/0)
|
||||
# - lynis_scan_duration_seconds - Lynis audit duration
|
||||
# - lynis_exporter_duration_seconds - Script execution time
|
||||
# - lynis_exporter_last_run_timestamp - Last run timestamp
|
||||
#
|
||||
# Configuration:
|
||||
# Default HTTP port: 9194
|
||||
# Textfile directory: /var/lib/node_exporter
|
||||
# Lynis report: /var/log/lynis-report.dat
|
||||
#
|
||||
################################################################################
|
||||
|
||||
# ============================================================================
|
||||
# CONFIGURATION VARIABLES
|
||||
# ============================================================================
|
||||
|
||||
TEXTFILE_DIR="/var/lib/node_exporter"
|
||||
OUTPUT_FILE=""
|
||||
HTTP_MODE=false
|
||||
HTTP_PORT=9194
|
||||
LYNIS_REPORT="/var/log/lynis-report.dat"
|
||||
RUN_AUDIT=false
|
||||
EXPORTER_VERSION="1.0"
|
||||
|
||||
# ============================================================================
|
||||
# HELPER FUNCTIONS
|
||||
# ============================================================================
|
||||
|
||||
show_usage() {
|
||||
cat <<EOF
|
||||
Usage: $0 [OPTIONS]
|
||||
|
||||
Export Lynis security audit results as Prometheus metrics.
|
||||
|
||||
MODES:
|
||||
--textfile Write to node_exporter textfile collector
|
||||
--http Run HTTP server on port $HTTP_PORT
|
||||
|
||||
OPTIONS:
|
||||
-p, --port HTTP port (default: $HTTP_PORT)
|
||||
-o, --output Output file path
|
||||
--report PATH Path to lynis-report.dat (default: $LYNIS_REPORT)
|
||||
--run-audit Run lynis audit before exporting (slow, use with cron)
|
||||
|
||||
EXAMPLES:
|
||||
sudo $0 --textfile
|
||||
sudo $0 --textfile --run-audit
|
||||
sudo $0 --http --port 9194
|
||||
sudo $0 --report /var/log/lynis-report.dat
|
||||
|
||||
EOF
|
||||
exit 0
|
||||
}
|
||||
|
||||
parse_args() {
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case $1 in
|
||||
-h|--help) show_usage ;;
|
||||
--textfile) OUTPUT_FILE="$TEXTFILE_DIR/lynis.prom"; shift ;;
|
||||
--http) HTTP_MODE=true; shift ;;
|
||||
-p|--port) HTTP_PORT="$2"; shift 2 ;;
|
||||
-o|--output) OUTPUT_FILE="$2"; shift 2 ;;
|
||||
--report) LYNIS_REPORT="$2"; shift 2 ;;
|
||||
--run-audit) RUN_AUDIT=true; shift ;;
|
||||
*) echo "Unknown option: $1" >&2; exit 1 ;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
prom_escape() {
|
||||
local val="$1"
|
||||
val="${val//\\/\\\\}"
|
||||
val="${val//\"/\\\"}"
|
||||
val="${val//$'\n'/}"
|
||||
echo "$val"
|
||||
}
|
||||
|
||||
get_report_value() {
|
||||
local key="$1"
|
||||
grep "^${key}=" "$LYNIS_REPORT" 2>/dev/null | head -1 | cut -d'=' -f2-
|
||||
}
|
||||
|
||||
count_report_key() {
|
||||
local key="$1"
|
||||
grep -c "^${key}" "$LYNIS_REPORT" 2>/dev/null || true
|
||||
}
|
||||
|
||||
# ============================================================================
|
||||
# METRIC GENERATION
|
||||
# ============================================================================
|
||||
|
||||
generate_metrics() {
|
||||
local script_start
|
||||
script_start=$(date +%s)
|
||||
|
||||
# Run audit if requested
|
||||
if [ "$RUN_AUDIT" = true ]; then
|
||||
lynis audit system --quick --no-colors --quiet 2>/dev/null
|
||||
fi
|
||||
|
||||
# Check if report exists
|
||||
if [ ! -f "$LYNIS_REPORT" ]; then
|
||||
cat <<EOF
|
||||
# HELP lynis_up Lynis exporter status
|
||||
# TYPE lynis_up gauge
|
||||
lynis_up 0
|
||||
EOF
|
||||
return
|
||||
fi
|
||||
|
||||
cat <<EOF
|
||||
# HELP lynis_up Lynis exporter status
|
||||
# TYPE lynis_up gauge
|
||||
lynis_up 1
|
||||
|
||||
# HELP lynis_exporter_info Exporter version information
|
||||
# TYPE lynis_exporter_info gauge
|
||||
lynis_exporter_info{version="$EXPORTER_VERSION"} 1
|
||||
EOF
|
||||
|
||||
echo ""
|
||||
|
||||
# ========================================================================
|
||||
# HARDENING INDEX
|
||||
# ========================================================================
|
||||
|
||||
local hardening_index
|
||||
hardening_index=$(get_report_value "hardening_index")
|
||||
hardening_index=${hardening_index:-0}
|
||||
|
||||
cat <<EOF
|
||||
# HELP lynis_hardening_index Overall hardening score (0-100)
|
||||
# TYPE lynis_hardening_index gauge
|
||||
lynis_hardening_index $hardening_index
|
||||
EOF
|
||||
|
||||
echo ""
|
||||
|
||||
# ========================================================================
|
||||
# TEST RESULTS
|
||||
# ========================================================================
|
||||
|
||||
local tests_performed tests_skipped
|
||||
tests_performed=$(get_report_value "tests_performed")
|
||||
tests_performed=${tests_performed:-0}
|
||||
|
||||
local warnings suggestions
|
||||
warnings=$(count_report_key "warning\[\]")
|
||||
suggestions=$(count_report_key "suggestion\[\]")
|
||||
|
||||
# Count pass/fail from report
|
||||
local tests_category_count
|
||||
tests_category_count=$(grep -c "^test_result=" "$LYNIS_REPORT" 2>/dev/null || true)
|
||||
|
||||
local tests_passed tests_failed
|
||||
tests_passed=$(grep "^test_result=OK" "$LYNIS_REPORT" 2>/dev/null | wc -l)
|
||||
tests_failed=$(grep "^test_result=WARNING\|^test_result=SUGGESTION\|^test_result=DIFFERENT\|^test_result=WEAK" "$LYNIS_REPORT" 2>/dev/null | wc -l)
|
||||
local tests_skipped_count
|
||||
tests_skipped_count=$(grep -c "^test_skipped=" "$LYNIS_REPORT" 2>/dev/null || true)
|
||||
|
||||
cat <<EOF
|
||||
# HELP lynis_tests_performed Total tests performed
|
||||
# TYPE lynis_tests_performed gauge
|
||||
lynis_tests_performed $tests_performed
|
||||
|
||||
# HELP lynis_tests_passed Tests passed
|
||||
# TYPE lynis_tests_passed gauge
|
||||
lynis_tests_passed $tests_passed
|
||||
|
||||
# HELP lynis_tests_failed Tests failed or with findings
|
||||
# TYPE lynis_tests_failed gauge
|
||||
lynis_tests_failed $tests_failed
|
||||
|
||||
# HELP lynis_tests_skipped Tests skipped
|
||||
# TYPE lynis_tests_skipped gauge
|
||||
lynis_tests_skipped $tests_skipped_count
|
||||
|
||||
# HELP lynis_warnings_total Total warnings
|
||||
# TYPE lynis_warnings_total gauge
|
||||
lynis_warnings_total $warnings
|
||||
|
||||
# HELP lynis_suggestions_total Total suggestions
|
||||
# TYPE lynis_suggestions_total gauge
|
||||
lynis_suggestions_total $suggestions
|
||||
EOF
|
||||
|
||||
echo ""
|
||||
|
||||
# ========================================================================
|
||||
# SECURITY CHECKS
|
||||
# ========================================================================
|
||||
|
||||
local firewall_active=0
|
||||
local malware_scanner=0
|
||||
local vulnerable_packages=0
|
||||
|
||||
if get_report_value "firewall_active" | grep -qi "1\|yes\|true" 2>/dev/null; then
|
||||
firewall_active=1
|
||||
fi
|
||||
|
||||
if get_report_value "malware_scanner_installed" | grep -qi "1\|yes\|true" 2>/dev/null; then
|
||||
malware_scanner=1
|
||||
fi
|
||||
|
||||
vulnerable_packages=$(get_report_value "vulnerable_packages_found")
|
||||
vulnerable_packages=${vulnerable_packages:-0}
|
||||
|
||||
local plugins_enabled
|
||||
plugins_enabled=$(get_report_value "plugins_enabled")
|
||||
plugins_enabled=${plugins_enabled:-0}
|
||||
|
||||
cat <<EOF
|
||||
# HELP lynis_firewall_active Firewall detected and active
|
||||
# TYPE lynis_firewall_active gauge
|
||||
lynis_firewall_active $firewall_active
|
||||
|
||||
# HELP lynis_malware_scanner Malware scanner installed
|
||||
# TYPE lynis_malware_scanner gauge
|
||||
lynis_malware_scanner $malware_scanner
|
||||
|
||||
# HELP lynis_vulnerable_packages Packages with known vulnerabilities
|
||||
# TYPE lynis_vulnerable_packages gauge
|
||||
lynis_vulnerable_packages $vulnerable_packages
|
||||
|
||||
# HELP lynis_plugins_enabled Enabled Lynis plugins
|
||||
# TYPE lynis_plugins_enabled gauge
|
||||
lynis_plugins_enabled $plugins_enabled
|
||||
EOF
|
||||
|
||||
echo ""
|
||||
|
||||
# ========================================================================
|
||||
# SCAN METADATA
|
||||
# ========================================================================
|
||||
|
||||
local lynis_version
|
||||
lynis_version=$(get_report_value "lynis_version")
|
||||
|
||||
if [ -n "$lynis_version" ]; then
|
||||
cat <<EOF
|
||||
# HELP lynis_version_info Lynis version information
|
||||
# TYPE lynis_version_info gauge
|
||||
lynis_version_info{version="$lynis_version"} 1
|
||||
EOF
|
||||
echo ""
|
||||
fi
|
||||
|
||||
# ========================================================================
|
||||
# EXPORTER RUNTIME
|
||||
# ========================================================================
|
||||
|
||||
local script_end script_duration
|
||||
script_end=$(date +%s)
|
||||
script_duration=$((script_end - script_start))
|
||||
|
||||
cat <<EOF
|
||||
# HELP lynis_exporter_duration_seconds Time to generate all metrics
|
||||
# TYPE lynis_exporter_duration_seconds gauge
|
||||
lynis_exporter_duration_seconds $script_duration
|
||||
|
||||
# HELP lynis_exporter_last_run_timestamp Unix timestamp of last successful run
|
||||
# TYPE lynis_exporter_last_run_timestamp gauge
|
||||
lynis_exporter_last_run_timestamp $script_end
|
||||
EOF
|
||||
}
|
||||
|
||||
# ============================================================================
|
||||
# HTTP SERVER MODE
|
||||
# ============================================================================
|
||||
|
||||
run_http_server() {
|
||||
echo "Starting Lynis exporter on port $HTTP_PORT..." >&2
|
||||
|
||||
if ! command -v nc >/dev/null 2>&1; then
|
||||
echo "ERROR: netcat (nc) required for HTTP mode" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
while true; do
|
||||
{
|
||||
read -r request
|
||||
if [[ "$request" =~ ^GET\ /metrics ]]; then
|
||||
echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r"
|
||||
generate_metrics
|
||||
else
|
||||
echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r"
|
||||
cat <<EOF
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head><title>Lynis Exporter v$EXPORTER_VERSION</title></head>
|
||||
<body>
|
||||
<h1>Lynis Prometheus Exporter v$EXPORTER_VERSION</h1>
|
||||
<p><a href="/metrics">Metrics</a></p>
|
||||
</body>
|
||||
</html>
|
||||
EOF
|
||||
fi
|
||||
} | nc -l -p "$HTTP_PORT" -q 1 2>/dev/null
|
||||
done
|
||||
}
|
||||
|
||||
# ============================================================================
|
||||
# MAIN EXECUTION
|
||||
# ============================================================================
|
||||
|
||||
main() {
|
||||
parse_args "$@"
|
||||
|
||||
if [ "$HTTP_MODE" = true ]; then
|
||||
run_http_server
|
||||
elif [ -n "$OUTPUT_FILE" ]; then
|
||||
local output_dir
|
||||
output_dir="$(dirname "$OUTPUT_FILE")"
|
||||
mkdir -p "$output_dir"
|
||||
|
||||
local temp_file
|
||||
temp_file=$(mktemp "${output_dir}/.lynis_metrics.XXXXXX")
|
||||
|
||||
if ! generate_metrics > "$temp_file" 2>/dev/null; then
|
||||
rm -f "$temp_file"
|
||||
echo "ERROR: Failed to generate metrics" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
local file_lines
|
||||
file_lines=$(wc -l < "$temp_file" 2>/dev/null || echo 0)
|
||||
|
||||
if [ "$file_lines" -lt 5 ]; then
|
||||
rm -f "$temp_file"
|
||||
echo "ERROR: Metrics file too small ($file_lines lines)" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
chmod 644 "$temp_file"
|
||||
mv -f "$temp_file" "$OUTPUT_FILE"
|
||||
echo "Metrics written to $OUTPUT_FILE ($file_lines lines)" >&2
|
||||
else
|
||||
generate_metrics
|
||||
fi
|
||||
}
|
||||
|
||||
main "$@"
|
||||
Reference in New Issue
Block a user