tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-26 07:15:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Cleanup of default profile and migration of permdir/permfile

Browse Source
This commit is contained in:
Michael Boelen 2019-07-07 18:46:23 +02:00
parent 3c7576f36b
commit 007faf47c3
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
2 changed files with 40 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
default.prf
View File

@ -36,6 +36,9 @@ colors=yes
# Compressed uploads (set to zero when errors with uploading occur) # Compressed uploads (set to zero when errors with uploading occur)
compressed-uploads=yes compressed-uploads=yes
# Amount of connections in WAIT state before reporting it as a suggestion
#connections-max-wait-state=5000
# Debug mode (for debugging purposes, extra data logged to screen) # Debug mode (for debugging purposes, extra data logged to screen)
#debug=yes #debug=yes
@ -265,100 +268,58 @@ config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes ar
config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security; config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
#################################################################################
#
# Apache options
# columns: (1)apache : (2)option : (3)value
#
#################################################################################
apache:ServerTokens:Prod:
#################################################################################
#
# OpenLDAP options
# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
#
#################################################################################
openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root:
#################################################################################
#
# File/directories permissions (currently not used yet)
#
#################################################################################
# Scan for exact file name match
#[scanfiles]
#scanfile:/etc/rc.conf:FreeBSD configuration:
# Scan for exact directory name match
#[scandirs]
#scandir:/etc:/etc directory:
################################################################################# #################################################################################
# #
# permfile # permfile
# --------------- # ---------------
# permfile:file name:file permissions:owner:group:action: # permfile=file name:file permissions:owner:group:action:
# Action = NOTICE or WARN # Action = NOTICE or WARN
# Examples: # Examples:
# permfile:/etc/test1.dat:600:root:wheel:NOTICE: # permfile=/etc/test1.dat:600:root:wheel:NOTICE:
# permfile:/etc/test1.dat:640:root:-:WARN: # permfile=/etc/test1.dat:640:root:-:WARN:
# #
################################################################################# #################################################################################
#permfile:/etc/inetd.conf:rw-------:root:-:WARN: #permfile=/etc/inetd.conf:rw-------:root:-:WARN:
#permfile:/etc/fstab:rw-r--r--:root:-:WARN: #permfile=/etc/fstab:rw-r--r--:root:-:WARN:
permfile:/etc/lilo.conf:rw-------:root:-:WARN: permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
permfile:/boot/grub2/grub.cfg:rw-------:root:root:WARN: permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
permfile:/boot/grub/grub.cfg:rw-------:root:root:WARN: permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
permfile:/boot/grub2/user.cfg:rw-------:root:root:WARN: permfile=/etc/at.allow:rw-------:root:-:WARN:
permfile:/etc/motd:rw-r--r--:root:root:WARN: permfile=/etc/at.deny:rw-------:root:-:WARN:
permfile:/etc/issue:rw-r--r--:root:root:WARN: permfile=/etc/cron.allow:rw-------:root:-:WARN:
permfile:/etc/issue.net:rw-r--r--:root:root:WARN: permfile=/etc/cron.deny:rw-------:root:-:WARN:
permfile:/etc/hosts.allow:rw-r--r--:root:root:WARN: permfile=/etc/crontab:rw-------:root:-:WARN:
permfile:/etc/hosts.deny:rw-r--r--:root:root:WARN: permfile=/etc/group:rw-r--r--:root:-:WARN:
permfile:/etc/crontab:rw-------:root:-:WARN: permfile=/etc/group-:rw-r--r--:root:-:WARN:
permfile:/etc/cron.allow:rw-------:root:-:WARN: permfile=/etc/gshadow:---------:root:-:WARN:
permfile:/etc/cron.deny:rw-------:root:-:WARN: permfile=/etc/gshadow-:---------:root:-:WARN:
permfile:/etc/at.allow:rw-------:root:-:WARN: permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
permfile:/etc/at.deny:rw-------:root:-:WARN: permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
permfile:/etc/ssh/sshd_config:rw-------:root:-:WARN: permfile=/etc/issue:rw-r--r--:root:root:WARN:
permfile:/etc/passwd:rw-r--r--:root:-:WARN: permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
permfile:/etc/shadow:---------:root:-:WARN: permfile=/etc/lilo.conf:rw-------:root:-:WARN:
permfile:/etc/group:rw-r--r--:root:-:WARN: permfile=/etc/motd:rw-r--r--:root:root:WARN:
permfile:/etc/gshadow:---------:root:-:WARN: permfile=/etc/passwd:rw-r--r--:root:-:WARN:
permfile:/etc/passwd-:rw-r--r--:root:-:WARN: permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
permfile:/etc/shadow-:---------:root:-:WARN: permfile=/etc/shadow:---------:root:-:WARN:
permfile:/etc/group-:rw-r--r--:root:-:WARN: permfile=/etc/shadow-:---------:root:-:WARN:
permfile:/etc/gshadow-:---------:root:-:WARN: permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
################################################################################# #################################################################################
# #
# permdir # permdir
# --------------- # ---------------
# permdir:directory name:file permissions:owner:group:action when permissions are different: # permdir=directory name:file permissions:owner:group:action when permissions are different:
# #
################################################################################# #################################################################################
permdir:/root/.ssh:rwx------:root:-:WARN: permdir=/root/.ssh:rwx------:root:-:WARN:
permdir:/etc/cron.hourly:rwx------:root:root:WARN: permdir=/etc/cron.d:rwx------:root:root:WARN:
permdir:/etc/cron.daily:rwx------:root:root:WARN: permdir=/etc/cron.daily:rwx------:root:root:WARN:
permdir:/etc/cron.weekly:rwx------:root:root:WARN: permdir=/etc/cron.hourly:rwx------:root:root:WARN:
permdir:/etc/cron.monthly:rwx------:root:root:WARN: permdir=/etc/cron.weekly:rwx------:root:root:WARN:
permdir:/etc/cron.d:rwx------:root:root:WARN: permdir=/etc/cron.monthly:rwx------:root:root:WARN:
# Scan for a program/binary in BINPATHs
#scanbinary:Rootkit Hunter:rkhunter:
# Amount of connections in WAIT state before reporting it as a suggestion
#connections-max-wait-state=5000
# Ignore some specific home directories # Ignore some specific home directories
@ -402,7 +363,7 @@ permdir:/etc/cron.d:rwx------:root:root:WARN:
################################################################################# #################################################################################
# #
# Lynis Enterprise options # Lynis Enterprise options
# ----------------- # ------------------------
# #
################################################################################# #################################################################################
@ -453,5 +414,4 @@ upload-options=
#tags=db,production,ssn-1304 #tags=db,production,ssn-1304
#EOF #EOF

2
include/tests_file_permissions
View File

@ -34,7 +34,7 @@
LogText "Test: Checking file permissions" LogText "Test: Checking file permissions"
for PROFILE in ${PROFILES}; do for PROFILE in ${PROFILES}; do
LogText "Using profile ${PROFILE} for baseline." LogText "Using profile ${PROFILE} for baseline."
FIND=$(${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2) FIND=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2)
for I in ${FIND}; do for I in ${FIND}; do
LogText "Checking ${I}" LogText "Checking ${I}"
CheckFilePermissions ${I} CheckFilePermissions ${I}