Overhaul of default profile settings and parsing

This commit is contained in:
Michael Boelen 2018-01-23 15:01:02 +01:00
parent 6192cbd8fa
commit 2bf6a5e038
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
2 changed files with 71 additions and 108 deletions

View File

@ -33,6 +33,9 @@ colors=yes
# Compressed uploads (set to zero when errors with uploading occur) # Compressed uploads (set to zero when errors with uploading occur)
compressed-uploads=yes compressed-uploads=yes
# Debug mode (for debugging purposes, extra data logged to screen)
#debug=yes
# Show non-zero exit code when warnings are found # Show non-zero exit code when warnings are found
error-on-warnings=no error-on-warnings=no
@ -89,18 +92,23 @@ upload-options=
# Verbose output # Verbose output
verbose=no verbose=no
################################################################################# #################################################################################
# #
# SUGGESTION # Upgrade and updating
# ---------- # --------------------
# #
# Do NOT make changes to this file, instead copy your preferred settings to # The old settings to do automatic updating are deprecated. It is suggested to
# custom.prf and put it in the same directory as default.prf # use a package or deploy your the tarball via a custom script.
# #
# To discover where your profiles are located: lynis show profiles # The latest packages can be found at: https://packages.cisofy.com
# #
################################################################################# #################################################################################
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
################################################################################# #################################################################################
# #
# Plugins # Plugins
@ -142,27 +150,6 @@ plugin=systemd
plugin=users plugin=users
#################################################################################
#
# Lynis Enterprise options
#
#################################################################################
# Provide the name of the customer/client
system-customer-name=
# Provide tags (tags=db,production,ssn-1304)
tags=
#################################################################################
#
# Configuration (Old Style) - will be replaced in phases
#
#################################################################################
################################################################################# #################################################################################
# #
# Kernel options # Kernel options
@ -302,14 +289,6 @@ openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root: openldap:slapd.conf:owner:ldap-root:
#################################################################################
#
# SSL certificates
#
#################################################################################
# Locations where to search for SSL certificates
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
################################################################################# #################################################################################
@ -319,8 +298,7 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
################################################################################# #################################################################################
# Ignore some stratum 16 hosts (for example when running as time source itself) # Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp:ignore_stratum_16_peer:127.0.0.1: #ntp-ignore-stratum-16-peer=127.0.0.1
#ntp:ignore_stratum_16_peer:1.2.3.4:
################################################################################# #################################################################################
@ -368,90 +346,63 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# Scan for a program/binary in BINPATHs # Scan for a program/binary in BINPATHs
#scanbinary:Rootkit Hunter:rkhunter: #scanbinary:Rootkit Hunter:rkhunter:
#################################################################################
#
# Audit customizing
# -----------------
#
# Most options can contain 'yes' or 'no'.
#
#################################################################################
# Amount of connections in WAIT state before reporting it as a suggestion # Amount of connections in WAIT state before reporting it as a suggestion
#config:connections_max_wait_state:5000: #connections-max-wait-state=5000
# Skip security repository check for Debian based systems
#config:debian_skip_security_repository:yes:
# Debug mode (for debugging purposes, extra data logged to screen)
#config:debug:yes:
# Skip the FreeBSD portaudit test
#config:freebsd_skip_portaudit:yes:
# Ignore some specific home directories # Ignore some specific home directories
# One directory per line; directories will be skipped for home directory specific # One directory per line; directories will be skipped for home directory specific
# checks, like file permissions, SSH and other configuration files # checks, like file permissions, SSH and other configuration files
#config:ignore_home_dir:/home/user: #ignore-home-dir=/home/user
# Do not log tests with another guest operating system (default: yes) # Do not log tests with another guest operating system (default: yes)
#config:log_tests_incorrect_os:no: #log-tests-incorrect-os=no
# Define if available NTP daemon is configured as a server or client on the network # Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client) # values: server or client (default: client)
#config:ntpd_role:client: #ntpd-role=client
# Allow promiscuous interfaces # Allow promiscuous interfaces
# <option>:<promiscuous interface name>:<description>: # <option>:<promiscuous interface name>:<description>:
#if_promisc:pflog0:pf log daemon interface: #if_promisc:pflog0:pf log daemon interface:
# Skip Lynis upgrade availability test (default: no)
#config:skip_upgrade_test:yes: # The URL prefix and append to the URL for controls or your custom tests
# Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
#control-url-protocol=https
#control-url-prepend=cisofy.com/control/
#control-url-append=/
# The URL prefix and append to URL's for your custom tests # The URL prefix and append to URL's for your custom tests
# Link will be build with: {control_url_protocol}://{control_url_prepend}CONTROL-ID{control_url_append} #custom-url-protocol=https
#config:control_url_protocol:https: #custom-url-prepend=your-domain.example.org/control-info/
#config:control_url_prepend:cisofy.com/control/: #custom-url-append=/
#config:control_url_append:/:
# The URL prefix and append to URL's for your custom tests
#config:custom_url_protocol:https:
#config:custom_url_prepend:your-domain.example.org/control-info/:
#config:custom_url_append:/:
################################################################################# #################################################################################
# #
# Automatic Updating # Operating system specific
# ------------------- # -------------------------
#
# These settings can be used to create an option to do automatic updates.
# By specifying local paths and your update server, the tool can do an update
# check, compare versions and download a new version.
#
# If you installed Lynis as a package, then update via your package manager. See
# https://packages.cisofy.com for more information.
# #
################################################################################# #################################################################################
# Local directory (without slash at end) where lynis directory will be installed # Skip the FreeBSD portaudit test
# Note: do not add full path to lynis, as subdirectory is part of tarball #freebsd-skip-portaudit=yes
#config:update_local_directory:/usr/local:
# Full path to local file. Change local path if Lynis is installed on a different place
#config:update_local_version_info:/usr/local/lynis/client-version:
# Download information # Skip security repository check for Debian based systems
# ----------------------------- #debian-skip-security-repository=yes
# Protocol to use: http, https
#config:update_server_protocol:http:
# Address of update server
#config:update_server_address:192.168.1.125:
# Path to last stable release
#config:update_latest_version_download:/files/lynis-latest.tar.gz:
# Last part of URL (file to gather) #################################################################################
#config:update_latest_version_info:/files/lynis-latest-version: #
# SSL certificates
#
#################################################################################
# Locations where to search for SSL certificates
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
################################################################################# #################################################################################
@ -467,18 +418,25 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# Proxy settings # Proxy settings
# Protocol (http, https, socks5) # Protocol (http, https, socks5)
#config:upload_proxy_protocol:https: #proxy-protocol=https
# Address
#config:upload_proxy_server:1.2.3.4:
# Port
#config:upload_proxy_port:3128:
# Define groups # Address
#config:group:[group name]: #proxy-server=1.2.3.4
#config:group:test:
# Port
#proxy-port=3128
# Define group names to link to this system (preferably single words)
#system-groups=groupname1,groupname2,groupname3
# Define which compliance standards are audited and reported on. Disable this if not required. # Define which compliance standards are audited and reported on. Disable this if not required.
config:compliance_standards:cis,hipaa,iso27001,pci-dss: compliance-standards=cis,hipaa,iso27001,pci-dss
# Provide the name of the customer/client
#system-customer-name=mycustomer
# Link one or more tags to a system
#tags=db,production,ssn-1304

View File

@ -188,6 +188,11 @@
HOSTID2="${VALUE}" HOSTID2="${VALUE}"
;; ;;
# Home directories to ignore during scans
ignore-home-dir)
Report "ignore-home-dir[]=${VALUE}"
;;
# Language # Language
language | lang) language | lang)
LogText "Language set via profile to '${VALUE}'" LogText "Language set via profile to '${VALUE}'"
@ -304,13 +309,6 @@
AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins" AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins"
;; ;;
# SSL paths
ssl-certificate-paths)
SSL_CERTIFICATE_PATHS="${VALUE}"
Debug "SSL paths set to ${SSL_CERTIFICATE_PATHS}"
AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates"
;;
# Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest) # Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
skip-test) skip-test)
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]') STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
@ -323,6 +321,13 @@
Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}" Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}"
;; ;;
# SSL paths
ssl-certificate-paths)
SSL_CERTIFICATE_PATHS="${VALUE}"
Debug "SSL paths set to ${SSL_CERTIFICATE_PATHS}"
AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates"
;;
# Set strict mode for development and quality purposes # Set strict mode for development and quality purposes
strict) strict)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && SET_STRICT=1 FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && SET_STRICT=1