#################################################################################
#
#
# Lynis - Default scan profile
#
#
#################################################################################
#
#
# This profile provides Lynis with most of its initial values to perform a
# system audit.
#
#
# WARNINGS
# ----------
#
# Do NOT make changes to this file. Instead, copy only your changes into
# the file custom.prf and put it in the same directory as default.prf
#
# To discover where your profiles are located: lynis show profiles
#
#
# Lynis performs a strict check on profiles to avoid the inclusion of
# possibly harmful injections. See include/profiles for details.
#
#
#################################################################################
#
# Empty lines and lines starting with the # prefix are skipped
#
#################################################################################
# Use colored output
colors=yes
# Compressed uploads (set to zero when errors with uploading occur)
compressed-uploads=yes
# Number of connections in WAIT state before reporting it as a suggestion
#connections-max-wait-state=5000
# Debug mode (for debugging purposes, extra data logged to screen)
#debug=yes
# Show non-zero exit code when warnings are found
error-on-warnings=no
# Use Lynis in your own language (by default auto-detected)
language=
# Log tests from another guest operating system (default: yes)
#log-tests-incorrect-os=yes
# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#ntpd-role=client
# Defines the role of the system (personal, workstation or server)
machine-role=server
# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp-ignore-stratum-16-peer=127.0.0.1
# Profile name, will be used as title/description
profile-name=Default Audit Template
# Number of seconds to pause between every test (0 is no pause)
pause-between-tests=0
# Quick mode (do not wait for keypresses)
quick=yes
# Refresh software repositories to help detect vulnerable packages
refresh-repositories=yes
# Show solution for findings
show-report-solution=yes
# Show inline tips about the tool
show-tool-tips=yes
# Skip plugins
skip-plugins=no
# Skip a test (one per line)
#skip-test=SSH-7408
# Skip a particular option within a test (when applicable)
#skip-test=SSH-7408:loglevel
#skip-test=SSH-7408:permitrootlogin
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
# Locations where to search for SSL certificates (separate paths with a colon)
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
ssl-certificate-include-packages=no
# Scan type - how deep the audit should be (light, normal or full)
test-scan-mode=full
# Verbose output
verbose=no
#################################################################################
#
# Plugins
# ---------------
# Define which plugins are enabled
#
# Notes:
# - Nothing happens if plugin isn't available
# - There is no order in execution of plugins
# - See documentation about how to use plugins and phases
# - Some are for Lynis Enterprise users only
#
#################################################################################
# Lynis plugins to enable
plugin=authentication
plugin=compliance
plugin=configuration
plugin=control-panels
plugin=crypto
plugin=dns
plugin=docker
plugin=file-integrity
plugin=file-systems
plugin=firewalls
plugin=forensics
plugin=hardware
plugin=intrusion-detection
plugin=intrusion-prevention
plugin=kernel
plugin=malware
plugin=memory
plugin=nginx
plugin=pam
plugin=processes
plugin=security-modules
plugin=software
plugin=system-integrity
plugin=systemd
plugin=users
# Disable a particular plugin (will overrule an enabled plugin)
#disable-plugin=authentication
#################################################################################
#
# Kernel options
# ---------------
# config-data=, followed by:
#
# - Type = Set to 'sysctl'
# - Setting = value of sysctl key (e.g. kernel.sysrq)
# - Expected value = Preferred value for key (e.g. 0)
# - Hardening Points = Number of hardening points, typically 1 point per key (e.g. 1)
# - Description = Textual description of the sysctl key (e.g. Disable magic SysRQ)
# - Related file or command = For example, sysctl -a to retrieve more details
# - Solution field = Specifies more details or where to find them (url:URL, text:TEXT, or -)
#
#################################################################################
# Config
# - Type (sysctl)
# - Setting (kernel.sysrq)
# - Expected value (0)
# - Hardening Points (1)
# - Description (Disable magic SysRQ)
# - Related file or command (sysctl -a)
# - Solution field (url:URL, text:TEXT, or -)
# Processes
config-data=sysctl;security.bsd.see_other_gids;0;1;Groups only see their own processes;sysctl -a;-;category:security;
config-data=sysctl;security.bsd.see_other_uids;0;1;Users only see their own processes;sysctl -a;-;category:security;
config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable stack smashing protection (SSP)/ProPolice to defend against possible buffer overflows;-;category:security;
config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged processes can not use process debugging;sysctl -a;-;category:security;
config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged processes can not read the kernel message buffer;sysctl -a;-;category:security;
# Kernel
config-data=sysctl;fs.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
config-data=sysctl;fs.protected_fifos;2;1;Restrict FIFO special device creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
config-data=sysctl;fs.protected_hardlinks;1;1;Restrict hardlink creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
config-data=sysctl;fs.protected_regular;2;1;Restrict regular files creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
config-data=sysctl;fs.protected_symlinks;1;1;Restrict symlink following behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
#config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security;
config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.core_setuid_ok;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.core_uses_pid;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.ctrl-alt-del;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.dmesg_restrict;1;1;Restrict use of dmesg;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.randomize_va_space;2;1;Randomization of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.unprivileged_bpf_disabled;1;1;Restrict BPF for unprivileged users;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.yama.ptrace_scope;1|2|3;1;Disable process tracing for everyone;-;category:security;
# Network
config-data=sysctl;net.core.bpf_jit_harden;2;1;Hardened BPF JIT compilation;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0;
config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security;
#config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security;
config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove the TIME_WAIT state for loopback interface;-;category:security;
config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable MTU discovery as many hosts drop the ICMP type 3 packets;-;category:security;
config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP may not send RST to avoid spoofed ICMP/UDP floods;-;category:security;
config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do not allow redirected ICMP packets;-;category:security;
config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable timestamps;-;category:security;
config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.inet.ip.check_interface;1;1;Verify that a packet arrived on the right interface;-;category:security;
config-data=sysctl;net.inet.ip.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
config-data=sysctl;net.inet.ip.process_options;0;1;Ignore any IP options in the incoming packets;-;category:security;
config-data=sysctl;net.inet.ip.random_id;1;1;Use a random IP id to each packet leaving the system;-;category:security;
config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not send RST but drop traffic when delivered to closed TCP port;-;category:security;
config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN packets will be dropped on initial connection;-;category:security;
config-data=sysctl;net.inet.udp.blackhole;1;1;Do not send RST but drop traffic when delivered to closed UDP port;-;category:security;
config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable filtering;-;category:security;
config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packets for which the host does not have a path back to the source;-;category:security;
config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Do not allow forwarding of multicast traffic;-;category:security;
config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packets for which the host does not have a path back to the source;-;category:security;
config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore bogus ICMP error responses;-;category:security;
#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
config-data=sysctl;net.ipv4.tcp_timestamps;0|1;1;Disable TCP time stamps or enable them with different offsets;-;category:security;
config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
# Other
config-data=sysctl;dev.tty.ldisc_autoload;0;1;Disable loading of TTY line disciplines;-;category:security;
config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security;
#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
#security.jail.jailed; 0
#security.jail.jail_max_af_ips; 255
#security.jail.mount_allowed; 0
#security.jail.chflags_allowed; 0
#security.jail.allow_raw_sockets; 0
#security.jail.enforce_statfs; 2
#security.jail.sysvipc_allowed; 0
#security.jail.socket_unixiproute_only; 1
#security.jail.set_hostname_allowed; 1
#security.bsd.suser_enabled; 1
#security.bsd.unprivileged_proc_debug; 1
#security.bsd.conservative_signals; 1
#security.bsd.unprivileged_read_msgbuf; 1
#security.bsd.unprivileged_get_quota; 0
config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other groups;-;category:security;
config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
#################################################################################
#
# permfile
# ---------------
# permfile=file name:file permissions:owner:group:action:
# Action = NOTICE or WARN
# Examples:
# permfile=/etc/test1.dat:600:root:wheel:NOTICE:
# permfile=/etc/test1.dat:640:root:-:WARN:
#
#################################################################################
#permfile=/etc/inetd.conf:rw-------:root:-:WARN:
#permfile=/etc/fstab:rw-r--r--:root:-:WARN:
permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
permfile=/etc/at.allow:rw-------:root:-:WARN:
permfile=/etc/at.deny:rw-------:root:-:WARN:
permfile=/etc/cron.allow:rw-------:root:-:WARN:
permfile=/etc/cron.deny:rw-------:root:-:WARN:
permfile=/etc/crontab:rw-------:root:-:WARN:
permfile=/etc/group:rw-r--r--:root:-:WARN:
permfile=/etc/group-:rw-r--r--:root:-:WARN:
permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
permfile=/etc/issue:rw-r--r--:root:root:WARN:
permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
permfile=/etc/lilo.conf:rw-------:root:-:WARN:
permfile=/etc/motd:rw-r--r--:root:root:WARN:
permfile=/etc/passwd:rw-r--r--:root:-:WARN:
permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
permfile=/root/.rhosts:rw-------:root:root:WARN:
permfile=/root/.rlogin:rw-------:root:root:WARN:
permfile=/root/.shosts:rw-------:root:root:WARN:
# These permissions differ by OS
#permfile=/etc/gshadow:---------:root:-:WARN:
#permfile=/etc/gshadow-:---------:root:-:WARN:
#permfile=/etc/shadow:---------:root:-:WARN:
#permfile=/etc/shadow-:---------:root:-:WARN:
#################################################################################
#
# permdir
# ---------------
# permdir=directory name:file permissions:owner:group:action when permissions are different:
#
#################################################################################
permdir=/root/.ssh:rwx------:root:-:WARN:
permdir=/etc/cron.d:rwx------:root:root:WARN:
permdir=/etc/cron.daily:rwx------:root:root:WARN:
permdir=/etc/cron.hourly:rwx------:root:root:WARN:
permdir=/etc/cron.weekly:rwx------:root:root:WARN:
permdir=/etc/cron.monthly:rwx------:root:root:WARN:
# Ignore some specific home directories
# One directory per line; directories will be skipped for home directory specific
# checks, like file permissions, SSH and other configuration files
#ignore-home-dir=/home/user
# Allow promiscuous interfaces
# <option>:<promiscuous interface name>:<description>:
#if_promisc:pflog0:pf log daemon interface:
# The URL prefix and suffix used to build links to controls or your custom tests
# Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
#control-url-protocol=https
#control-url-prepend=cisofy.com/control/
#control-url-append=/
# The URL prefix and suffix used to build links to your custom tests
#custom-url-protocol=https
#custom-url-prepend=your-domain.example.org/control-info/
#custom-url-append=/
#################################################################################
#
# Operating system specific
# -------------------------
#
#################################################################################
# Skip the FreeBSD portaudit test
#freebsd-skip-portaudit=yes
# Skip security repository check for Debian based systems
#debian-skip-security-repository=yes
#################################################################################
#
# Lynis Enterprise options
# ------------------------
#
#################################################################################
# Allow this system to be purged when it is outdated (default: not defined).
# This is useful for ephemeral systems which are short-lived.
#allow-auto-purge=yes
# Sometimes it might be useful to override the host identifiers.
# Use only hexadecimal values (0-9, a-f): 40 characters for hostid and 64 characters for hostid2.
#
#hostid=40-char-hash
#hostid2=64-char-hash
# Lynis Enterprise license key
license-key=
# Proxy settings
# Protocol (http, https, socks5)
#proxy-protocol=https
# Proxy server
#proxy-server=10.0.1.250
# Define proxy port to use
#proxy-port=3128
# Define the group names to link to this system (preferably single words). Default setting: append
# To clear groups before assignment, add 'action:clear' as last groupname
#system-groups=groupname1,groupname2,groupname3
# Define which compliance standards are audited and reported on. Disable this if not required.
compliance-standards=cis,hipaa,iso27001,pci-dss
# Provide the name of the customer/client
#system-customer-name=mycustomer
# Upload data to central server
upload=no
# The hostname/IP address to receive the data
upload-server=
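# Provide options to cURL (or other upload tool) when uploading data.
# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
# Note: --insecure turns off certificate validation, so the upload server is not
# authenticated and the audit report can be intercepted in transit. Where possible,
# trust the CA of the server instead (for example with the cURL option --cacert).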
upload-options=
# Link one or more tags to a system
#tags=db,production,ssn-1304
#EOF