lynis/default.prf

#################################################################################
#
# Lynis - Scan Profile (default)
#
# This is the default profile and contains default values. You are encouraged to
# copy this file and use it's base for custom audit profiles.
#
# All empty lines or with the # prefix will be skipped
#
# More information about this plugin can be found in the documentation:
# https://cisofy.com/documentation/lynis/
#
#################################################################################

[configuration]
# Profile name, will be used as title/description
config:profile_name:Default Audit Template:

# Number of seconds to pause between every test (0 is no pause)
config:pause_between_tests:0:

# Show inline tips about the tool
config:show_tool_tips:1:


#################################################################################
#
# Testing options
# ---------------
#
#################################################################################

# ** Scan type **
#
# Description: How deep the audit should be
# Values: light, normal or full (default)
#
# config:test_scan_mode:full:


# ** Skip one or more specific tests **
# (always ignores scan mode and will make sure the test is skipped)
#
# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012:


# ** Define machine role **
#
# Description: defines the role of the system
# Values: desktop, server (default)
#
#config:machine_role:server:


#################################################################################
#
# Plugins
# ---------------
# Define which plugins are enabled
#
# Notes:
# - Nothing happens if plugin isn't available
# - There is no order in execution of plugins
# - See documentation about how to use plugins and phases
#
#################################################################################

# Lynis Plugins (some are for Lynis Enterprise users only)
plugin=compliance
plugin=control-panels
plugin=crypto
plugin=dns
plugin=docker
plugin=file-integrity
plugin=file-systems
plugin=firewalls
plugin=forensics
plugin=intrusion-detection
plugin=intrusion-prevention
plugin=kernel
plugin=malware
plugin=memory
plugin=nginx
plugin=processes
plugin=security-modules
plugin=software
plugin=system-integrity
plugin=systemd
plugin=users


#################################################################################
#
# Kernel options
# ---------------
# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
#
# Sysctl key       = name
# Expected value   = value of sysctl key
# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
# Description      = Text description of key
#
#################################################################################

[processes]
#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:
sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:
sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:

[kernel]
sysctl:kern.sugid_coredump:0:1:XXX:
sysctl:kernel.core_setuid_ok:0:1:XXX:
sysctl:kernel.core_uses_pid:1:1:XXX:
sysctl:kernel.ctrl-alt-del:0:1:XXX:
sysctl:kernel.exec-shield-randomize:1:1:XXX:
sysctl:kernel.exec-shield:1:1:XXX:
sysctl:kernel.kptr_restrict:1:1:Restrict access to kernel symbols:
sysctl:kernel.sysrq:0:1:Disable magic SysRQ:
sysctl:kernel.use-nx:0:1:XXX:

[network]
sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: 
sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic:
sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic:
sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects:
sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:
sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:
sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets:
sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:
sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore
#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:
sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: 
sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: 

[security]
#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
#security.jail.jailed: 0
#security.jail.jail_max_af_ips: 255
#security.jail.mount_allowed: 0
#security.jail.chflags_allowed: 0
#security.jail.allow_raw_sockets: 0
#security.jail.enforce_statfs: 2
#security.jail.sysvipc_allowed: 0
#security.jail.socket_unixiproute_only: 1
#security.jail.set_hostname_allowed: 1
#security.bsd.suser_enabled: 1
#security.bsd.unprivileged_proc_debug: 1
#security.bsd.conservative_signals: 1
#security.bsd.unprivileged_read_msgbuf: 1
#security.bsd.hardlink_check_gid: 0
#security.bsd.hardlink_check_uid: 0
#security.bsd.unprivileged_get_quota: 0


#################################################################################
#
# Apache options
# columns: (1)apache : (2)option : (3)value
#
#################################################################################

apache:ServerTokens:Prod:


#################################################################################
#
# OpenLDAP options
# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
#
#################################################################################

openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root:


#################################################################################
#
# SSL certificates
#
#################################################################################

# Locations where to search for SSL certificates
ssl:certificates:/etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www /srv/www:


#################################################################################
#
# NTP options
#
#################################################################################

# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp:ignore_stratum_16_peer:127.0.0.1:
#ntp:ignore_stratum_16_peer:1.2.3.4:


#################################################################################
#
# File/directories permissions (currently not used yet)
#
#################################################################################

# Scan for exact file name match
#[scanfiles]
#scanfile:/etc/rc.conf:FreeBSD configuration:

# Scan for exact directory name match
#[scandirs]
#scandir:/etc:/etc directory:


#################################################################################
#
# permfile
# ---------------
# permfile:file name:file permissions:owner:group:action:
# Action = NOTICE or WARN
# Examples:
# permfile:/etc/test1.dat:600:root:wheel:NOTICE:
# permfile:/etc/test1.dat:640:root:-:WARN:
#
#################################################################################

#permfile:/etc/inetd.conf:rw-------:root:-:WARN:
#permfile:/etc/fstab:rw-r--r--:root:-:WARN:
permfile:/etc/lilo.conf:rw-------:root:-:WARN:


#################################################################################
#
# permdir
# ---------------
# permdir:directory name:file permissions:owner:group:action when permissions are different:
#
#################################################################################

permdir:/root/.ssh:rwx------:root:-:WARN:

# Scan for a program/binary in BINPATHs
#scanbinary:Rootkit Hunter:rkhunter:


#################################################################################
#
# Audit customizing
# -----------------
#
# Most options can contain 'yes' or 'no'.
#
#################################################################################

# Amount of connections in WAIT state before reporting it as a warning
#config:connections_max_wait_state:50:

# Skip security repository check for Debian based systems
#config:debian_skip_security_repository:yes:

# Debug mode (for debugging purposes, extra data logged to screen)
#config:debug:yes:

# Skip the FreeBSD portaudit test
#config:freebsd_skip_portaudit:yes:

# Ignore some specific home directories
# One directory per line; directories will be skipped for home directory specific
# checks, like file permissions, SSH and other configuration files
#config:ignore_home_dir:/home/user:

# Do not log tests with another guest operating system (default: yes)
#config:log_tests_incorrect_os:no:

# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#config:ntpd_role:client:

# Allow promiscuous interfaces
#   <option>:<promiscuous interface name>:<description>:
#if_promisc:pflog0:pf log daemon interface:

# Skip Lynis upgrade availability test (default: no)
#config:skip_upgrade_test:yes:

# The URL prefix and append to URL's for your custom tests
# Link will be build with: {control_url_prepend}CONTROL-ID{control_url_append}
#config:control_url_prepend:https://cisofy.com/control/:
#config:control_url_append:/:
#config:custom_url_prepend:https://your-domain.example.org/control-info/:
#config:custom_url_append:/:

#################################################################################
#
# Lynis Enterprise
# -----------------
#
#################################################################################

# Add your Lynis Enterprise license key here
#config:license_key:[Your license key]:
# The hostname/IP address to receive the data
#config:upload_server:cisofy.com:
# Options to cURL
#config:upload_options:-k:
#config:group:[group name]:
#config:group:test:

#EOF
Initial import 2014-08-26 17:33:55 +02:00			`#################################################################################`
			`#`
Changed copyright line and links 2014-12-03 23:18:39 +01:00			`# Lynis - Scan Profile (default)`
Initial import 2014-08-26 17:33:55 +02:00			`#`
Changed copyright line and links 2014-12-03 23:18:39 +01:00			`# This is the default profile and contains default values. You are encouraged to`
			`# copy this file and use it's base for custom audit profiles.`
Textual improvements 2014-11-29 16:20:53 +01:00			`#`
Initial import 2014-08-26 17:33:55 +02:00			`# All empty lines or with the # prefix will be skipped`
			`#`
Changed copyright line and links 2014-12-03 23:18:39 +01:00			`# More information about this plugin can be found in the documentation:`
			`# https://cisofy.com/documentation/lynis/`
Initial import 2014-08-26 17:33:55 +02:00			`#`
			`#################################################################################`

			`[configuration]`
			`# Profile name, will be used as title/description`
			`config:profile_name:Default Audit Template:`

			`# Number of seconds to pause between every test (0 is no pause)`
			`config:pause_between_tests:0:`

			`# Show inline tips about the tool`
			`config:show_tool_tips:1:`


			`#################################################################################`
			`#`
			`# Testing options`
			`# ---------------`
			`#`
			`#################################################################################`

Textual improvements 2014-11-29 16:20:53 +01:00			`# Scan type `
			`#`
			`# Description: How deep the audit should be`
			`# Values: light, normal or full (default)`
Initial import 2014-08-26 17:33:55 +02:00			`#`
Textual improvements 2014-11-29 16:20:53 +01:00			`# config:test_scan_mode:full:`
Initial import 2014-08-26 17:33:55 +02:00

			`# Skip one or more specific tests `
			`# (always ignores scan mode and will make sure the test is skipped)`
			`#`
			`# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012:`


Textual improvements 2014-11-29 16:20:53 +01:00			`# Define machine role `
			`#`
			`# Description: defines the role of the system`
			`# Values: desktop, server (default)`
Initial import 2014-08-26 17:33:55 +02:00			`#`
			`#config:machine_role:server:`


			`#################################################################################`
			`#`
			`# Plugins`
			`# ---------------`
Added /srv/www as SSL certificate search path and enabled several plugins by default 2014-11-11 19:04:54 +01:00			`# Define which plugins are enabled`
Added systemd plugin to list 2014-11-25 14:20:21 +01:00			`#`
			`# Notes:`
			`# - Nothing happens if plugin isn't available`
			`# - There is no order in execution of plugins`
			`# - See documentation about how to use plugins and phases`
Initial import 2014-08-26 17:33:55 +02:00			`#`
			`#################################################################################`
Added default plugins like compliance, cleanup of uncommented examples 2014-10-03 18:31:24 +02:00
Added systemd plugin to list 2014-11-25 14:20:21 +01:00			`# Lynis Plugins (some are for Lynis Enterprise users only)`
Added default plugins like compliance, cleanup of uncommented examples 2014-10-03 18:31:24 +02:00			`plugin=compliance`
Added new plugins and text adjustment to README.md 2014-08-26 19:28:14 +02:00			`plugin=control-panels`
Added /srv/www as SSL certificate search path and enabled several plugins by default 2014-11-11 19:04:54 +01:00			`plugin=crypto`
			`plugin=dns`
Initial import 2014-08-26 17:33:55 +02:00			`plugin=docker`
			`plugin=file-integrity`
Rename of file systems plugin 2014-10-30 18:07:58 +01:00			`plugin=file-systems`
Initial import 2014-08-26 17:33:55 +02:00			`plugin=firewalls`
Textual improvements 2014-11-29 16:20:53 +01:00			`plugin=forensics`
			`plugin=intrusion-detection`
			`plugin=intrusion-prevention`
Added /srv/www as SSL certificate search path and enabled several plugins by default 2014-11-11 19:04:54 +01:00			`plugin=kernel`
Textual improvements 2014-11-29 16:20:53 +01:00			`plugin=malware`
Added /srv/www as SSL certificate search path and enabled several plugins by default 2014-11-11 19:04:54 +01:00			`plugin=memory`
			`plugin=nginx`
Initial import 2014-08-26 17:33:55 +02:00			`plugin=processes`
Added /srv/www as SSL certificate search path and enabled several plugins by default 2014-11-11 19:04:54 +01:00			`plugin=security-modules`
Initial import 2014-08-26 17:33:55 +02:00			`plugin=software`
			`plugin=system-integrity`
Added systemd plugin to list 2014-11-25 14:20:21 +01:00			`plugin=systemd`
Added /srv/www as SSL certificate search path and enabled several plugins by default 2014-11-11 19:04:54 +01:00			`plugin=users`
Initial import 2014-08-26 17:33:55 +02:00
Added systemd plugin to list 2014-11-25 14:20:21 +01:00
Initial import 2014-08-26 17:33:55 +02:00			`#################################################################################`
			`#`
Textual improvements 2014-11-29 16:20:53 +01:00			`# Kernel options`
Initial import 2014-08-26 17:33:55 +02:00			`# ---------------`
Textual improvements 2014-11-29 16:20:53 +01:00			`# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:`
Initial import 2014-08-26 17:33:55 +02:00			`#`
			`# Sysctl key = name`
			`# Expected value = value of sysctl key`
			`# Hardening points = Number of hardening points. For most keys 1 HP will be suitable`
			`# Description = Text description of key`
			`#`
			`#################################################################################`

			`[processes]`
			`#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:`
			`sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:`
			`sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:`

			`[kernel]`
			`sysctl:kern.sugid_coredump:0:1:XXX:`
			`sysctl:kernel.core_setuid_ok:0:1:XXX:`
			`sysctl:kernel.core_uses_pid:1:1:XXX:`
			`sysctl:kernel.ctrl-alt-del:0:1:XXX:`
			`sysctl:kernel.exec-shield-randomize:1:1:XXX:`
			`sysctl:kernel.exec-shield:1:1:XXX:`
Added /srv/www as SSL certificate search path and enabled several plugins by default 2014-11-11 19:04:54 +01:00			`sysctl:kernel.kptr_restrict:1:1:Restrict access to kernel symbols:`
Initial import 2014-08-26 17:33:55 +02:00			`sysctl:kernel.sysrq:0:1:Disable magic SysRQ:`
			`sysctl:kernel.use-nx:0:1:XXX:`

			`[network]`
			`sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:`
			`sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:`
			`sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:`
			`sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:`
			`sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:`
			`sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:`
			`sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic:`
			`sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic:`
			`sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:`
			`sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects:`
			`sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:`
			`sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:`
			`sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:`
			`sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing:`
			`sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source:`
			`sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing:`
			`sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:`
			`sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets:`
			`sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:`
			`sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:`
			`sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:`
			`sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source:`
			`sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:`
			`sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore`
			`#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:`
			`sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:`
			`sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:`
			`sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:`
			`sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:`
			`sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:`
			`sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:`
			`sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:`

			`[security]`
			`#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:`
			`#security.jail.jailed: 0`
			`#security.jail.jail_max_af_ips: 255`
			`#security.jail.mount_allowed: 0`
			`#security.jail.chflags_allowed: 0`
			`#security.jail.allow_raw_sockets: 0`
			`#security.jail.enforce_statfs: 2`
			`#security.jail.sysvipc_allowed: 0`
			`#security.jail.socket_unixiproute_only: 1`
			`#security.jail.set_hostname_allowed: 1`
			`#security.bsd.suser_enabled: 1`
			`#security.bsd.unprivileged_proc_debug: 1`
			`#security.bsd.conservative_signals: 1`
			`#security.bsd.unprivileged_read_msgbuf: 1`
			`#security.bsd.hardlink_check_gid: 0`
			`#security.bsd.hardlink_check_uid: 0`
			`#security.bsd.unprivileged_get_quota: 0`


			`#################################################################################`
			`#`
			`# Apache options`
			`# columns: (1)apache : (2)option : (3)value`
			`#`
			`#################################################################################`

			`apache:ServerTokens:Prod:`


			`#################################################################################`
			`#`
			`# OpenLDAP options`
			`# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)`
			`#`
			`#################################################################################`

			`openldap:slapd.conf:permissions:640-600:`
			`openldap:slapd.conf:owner:ldap-root:`


			`#################################################################################`
			`#`
			`# SSL certificates`
			`#`
			`#################################################################################`

			`# Locations where to search for SSL certificates`
Added /srv/www as SSL certificate search path and enabled several plugins by default 2014-11-11 19:04:54 +01:00			`ssl:certificates:/etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www /srv/www:`
Initial import 2014-08-26 17:33:55 +02:00

			`#################################################################################`
			`#`
			`# NTP options`
			`#`
			`#################################################################################`

			`# Ignore some stratum 16 hosts (for example when running as time source itself)`
			`#ntp:ignore_stratum_16_peer:127.0.0.1:`
			`#ntp:ignore_stratum_16_peer:1.2.3.4:`


			`#################################################################################`
			`#`
			`# File/directories permissions (currently not used yet)`
			`#`
			`#################################################################################`

			`# Scan for exact file name match`
			`#[scanfiles]`
			`#scanfile:/etc/rc.conf:FreeBSD configuration:`

			`# Scan for exact directory name match`
			`#[scandirs]`
			`#scandir:/etc:/etc directory:`


			`#################################################################################`
			`#`
			`# permfile`
			`# ---------------`
			`# permfile:file name:file permissions:owner:group:action:`
			`# Action = NOTICE or WARN`
			`# Examples:`
			`# permfile:/etc/test1.dat:600:root:wheel:NOTICE:`
			`# permfile:/etc/test1.dat:640:root:-:WARN:`
			`#`
			`#################################################################################`

			`#permfile:/etc/inetd.conf:rw-------:root:-:WARN:`
			`#permfile:/etc/fstab:rw-r--r--:root:-:WARN:`
			`permfile:/etc/lilo.conf:rw-------:root:-:WARN:`


			`#################################################################################`
			`#`
			`# permdir`
			`# ---------------`
			`# permdir:directory name:file permissions:owner:group:action when permissions are different:`
			`#`
			`#################################################################################`

			`permdir:/root/.ssh:rwx------:root:-:WARN:`

			`# Scan for a program/binary in BINPATHs`
			`#scanbinary:Rootkit Hunter:rkhunter:`


			`#################################################################################`
			`#`
			`# Audit customizing`
			`# -----------------`
			`#`
			`# Most options can contain 'yes' or 'no'.`
			`#`
			`#################################################################################`

			`# Amount of connections in WAIT state before reporting it as a warning`
			`#config:connections_max_wait_state:50:`

			`# Skip security repository check for Debian based systems`
			`#config:debian_skip_security_repository:yes:`

			`# Debug mode (for debugging purposes, extra data logged to screen)`
			`#config:debug:yes:`

			`# Skip the FreeBSD portaudit test`
			`#config:freebsd_skip_portaudit:yes:`

			`# Ignore some specific home directories`
			`# One directory per line; directories will be skipped for home directory specific`
			`# checks, like file permissions, SSH and other configuration files`
			`#config:ignore_home_dir:/home/user:`

			`# Do not log tests with another guest operating system (default: yes)`
			`#config:log_tests_incorrect_os:no:`

			`# Define if available NTP daemon is configured as a server or client on the network`
			`# values: server or client (default: client)`
			`#config:ntpd_role:client:`

			`# Allow promiscuous interfaces`
			`# <option>:<promiscuous interface name>:<description>:`
			`#if_promisc:pflog0:pf log daemon interface:`

			`# Skip Lynis upgrade availability test (default: no)`
			`#config:skip_upgrade_test:yes:`

Added control_url_prepend, control_url_append, custom_url_prepend, custom_url_append 2015-01-30 18:08:41 +01:00			`# The URL prefix and append to URL's for your custom tests`
			`# Link will be build with: {control_url_prepend}CONTROL-ID{control_url_append}`
			`#config:control_url_prepend:https://cisofy.com/control/:`
			`#config:control_url_append:/:`
			`#config:custom_url_prepend:https://your-domain.example.org/control-info/:`
			`#config:custom_url_append:/:`

Initial import 2014-08-26 17:33:55 +02:00			`#################################################################################`
			`#`
			`# Lynis Enterprise`
			`# -----------------`
			`#`
			`#################################################################################`

			`# Add your Lynis Enterprise license key here`
			`#config:license_key:[Your license key]:`
Allow overriding of upload/license server for Enterprise suite 2015-02-03 18:27:37 +01:00			`# The hostname/IP address to receive the data`
			`#config:upload_server:cisofy.com:`
			`# Options to cURL`
			`#config:upload_options:-k:`
Initial import 2014-08-26 17:33:55 +02:00			`#config:group:[group name]:`
			`#config:group:test:`

			`#EOF`