Cleanup of default profile and migration of permdir/permfile

2025-07-24 06:14:33 +02:00 · 2019-07-07 18:46:23 +02:00 · 2019-07-07 18:46:23 +02:00 · 007faf47c3
commit 007faf47c3
parent 3c7576f36b
2 changed files with 40 additions and 80 deletions
--- a/default.prf
+++ b/default.prf
@ -36,6 +36,9 @@ colors=yes
 # Compressed uploads (set to zero when errors with uploading occur)
 compressed-uploads=yes

+# Amount of connections in WAIT state before reporting it as a suggestion
+#connections-max-wait-state=5000
+
 # Debug mode (for debugging purposes, extra data logged to screen)
 #debug=yes

@ -265,100 +268,58 @@ config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes ar
 config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;


-#################################################################################
-#
-# Apache options
-# columns: (1)apache : (2)option : (3)value
-#
-#################################################################################
-
-apache:ServerTokens:Prod:
-
-
-#################################################################################
-#
-# OpenLDAP options
-# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
-#
-#################################################################################
-
-openldap:slapd.conf:permissions:640-600:
-openldap:slapd.conf:owner:ldap-root:
-
-
-#################################################################################
-#
-# File/directories permissions (currently not used yet)
-#
-#################################################################################
-
-# Scan for exact file name match
-#[scanfiles]
-#scanfile:/etc/rc.conf:FreeBSD configuration:
-
-# Scan for exact directory name match
-#[scandirs]
-#scandir:/etc:/etc directory:
-
-
 #################################################################################
 #
 # permfile
 # ---------------
-# permfile:file name:file permissions:owner:group:action:
+# permfile=file name:file permissions:owner:group:action:
 # Action = NOTICE or WARN
 # Examples:
-# permfile:/etc/test1.dat:600:root:wheel:NOTICE:
-# permfile:/etc/test1.dat:640:root:-:WARN:
+# permfile=/etc/test1.dat:600:root:wheel:NOTICE:
+# permfile=/etc/test1.dat:640:root:-:WARN:
 #
 #################################################################################

-#permfile:/etc/inetd.conf:rw-------:root:-:WARN:
-#permfile:/etc/fstab:rw-r--r--:root:-:WARN:
-permfile:/etc/lilo.conf:rw-------:root:-:WARN:
-permfile:/boot/grub2/grub.cfg:rw-------:root:root:WARN:
-permfile:/boot/grub/grub.cfg:rw-------:root:root:WARN:
-permfile:/boot/grub2/user.cfg:rw-------:root:root:WARN:
-permfile:/etc/motd:rw-r--r--:root:root:WARN:
-permfile:/etc/issue:rw-r--r--:root:root:WARN:
-permfile:/etc/issue.net:rw-r--r--:root:root:WARN:
-permfile:/etc/hosts.allow:rw-r--r--:root:root:WARN:
-permfile:/etc/hosts.deny:rw-r--r--:root:root:WARN:
-permfile:/etc/crontab:rw-------:root:-:WARN:
-permfile:/etc/cron.allow:rw-------:root:-:WARN:
-permfile:/etc/cron.deny:rw-------:root:-:WARN:
-permfile:/etc/at.allow:rw-------:root:-:WARN:
-permfile:/etc/at.deny:rw-------:root:-:WARN:
-permfile:/etc/ssh/sshd_config:rw-------:root:-:WARN:
-permfile:/etc/passwd:rw-r--r--:root:-:WARN:
-permfile:/etc/shadow:---------:root:-:WARN:
-permfile:/etc/group:rw-r--r--:root:-:WARN:
-permfile:/etc/gshadow:---------:root:-:WARN:
-permfile:/etc/passwd-:rw-r--r--:root:-:WARN:
-permfile:/etc/shadow-:---------:root:-:WARN:
-permfile:/etc/group-:rw-r--r--:root:-:WARN:
-permfile:/etc/gshadow-:---------:root:-:WARN:
+#permfile=/etc/inetd.conf:rw-------:root:-:WARN:
+#permfile=/etc/fstab:rw-r--r--:root:-:WARN:
+permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
+permfile=/etc/at.allow:rw-------:root:-:WARN:
+permfile=/etc/at.deny:rw-------:root:-:WARN:
+permfile=/etc/cron.allow:rw-------:root:-:WARN:
+permfile=/etc/cron.deny:rw-------:root:-:WARN:
+permfile=/etc/crontab:rw-------:root:-:WARN:
+permfile=/etc/group:rw-r--r--:root:-:WARN:
+permfile=/etc/group-:rw-r--r--:root:-:WARN:
+permfile=/etc/gshadow:---------:root:-:WARN:
+permfile=/etc/gshadow-:---------:root:-:WARN:
+permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
+permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
+permfile=/etc/issue:rw-r--r--:root:root:WARN:
+permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
+permfile=/etc/lilo.conf:rw-------:root:-:WARN:
+permfile=/etc/motd:rw-r--r--:root:root:WARN:
+permfile=/etc/passwd:rw-r--r--:root:-:WARN:
+permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
+permfile=/etc/shadow:---------:root:-:WARN:
+permfile=/etc/shadow-:---------:root:-:WARN:
+permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:

 #################################################################################
 #
 # permdir
 # ---------------
-# permdir:directory name:file permissions:owner:group:action when permissions are different:
+# permdir=directory name:file permissions:owner:group:action when permissions are different:
 #
 #################################################################################

-permdir:/root/.ssh:rwx------:root:-:WARN:
-permdir:/etc/cron.hourly:rwx------:root:root:WARN:
-permdir:/etc/cron.daily:rwx------:root:root:WARN:
-permdir:/etc/cron.weekly:rwx------:root:root:WARN:
-permdir:/etc/cron.monthly:rwx------:root:root:WARN:
-permdir:/etc/cron.d:rwx------:root:root:WARN:
-
-# Scan for a program/binary in BINPATHs
-#scanbinary:Rootkit Hunter:rkhunter:
-
-# Amount of connections in WAIT state before reporting it as a suggestion
-#connections-max-wait-state=5000
+permdir=/root/.ssh:rwx------:root:-:WARN:
+permdir=/etc/cron.d:rwx------:root:root:WARN:
+permdir=/etc/cron.daily:rwx------:root:root:WARN:
+permdir=/etc/cron.hourly:rwx------:root:root:WARN:
+permdir=/etc/cron.weekly:rwx------:root:root:WARN:
+permdir=/etc/cron.monthly:rwx------:root:root:WARN:


 # Ignore some specific home directories
@ -402,7 +363,7 @@ permdir:/etc/cron.d:rwx------:root:root:WARN:
 #################################################################################
 #
 # Lynis Enterprise options
-# -----------------
+# ------------------------
 #
 #################################################################################

@ -453,5 +414,4 @@ upload-options=
 #tags=db,production,ssn-1304


-
 #EOF
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@ -34,7 +34,7 @@
        LogText "Test: Checking file permissions"
        for PROFILE in ${PROFILES}; do
            LogText "Using profile ${PROFILE} for baseline."
-            FIND=$(${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2)
+            FIND=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2)
            for I in ${FIND}; do
                LogText "Checking ${I}"
                CheckFilePermissions ${I}