Overhaul of default profile settings and parsing

default.prf

@@ -33,6 +33,9 @@ colors=yes
 # Compressed uploads (set to zero when errors with uploading occur)
 compressed-uploads=yes
 
+# Debug mode (for debugging purposes, extra data logged to screen)
+#debug=yes
+
 # Show non-zero exit code when warnings are found
 error-on-warnings=no
 
@@ -89,18 +92,23 @@ upload-options=
 # Verbose output
 verbose=no
 
+
 #################################################################################
 #
-# SUGGESTION
+# Upgrade and updating
-# ----------
+# --------------------
 #
-# Do NOT make changes to this file, instead copy your preferred settings to
+# The old settings to do automatic updating are deprecated. It is suggested to
-# custom.prf and put it in the same directory as default.prf
+# use a package or deploy your the tarball via a custom script.
 #
-# To discover where your profiles are located:  lynis show profiles
+# The latest packages can be found at: https://packages.cisofy.com
 #
 #################################################################################
 
+# Skip Lynis upgrade availability test (default: no)
+#skip-upgrade-test=yes
+
+
 #################################################################################
 #
 # Plugins
@@ -142,27 +150,6 @@ plugin=systemd
 plugin=users
 
 
-#################################################################################
-#
-# Lynis Enterprise options
-#
-#################################################################################
-
-# Provide the name of the customer/client
-system-customer-name=
-
-# Provide tags (tags=db,production,ssn-1304)
-tags=
-
-
-
-#################################################################################
-#
-# Configuration (Old Style) - will be replaced in phases
-#
-#################################################################################
-
-
 #################################################################################
 #
 # Kernel options
@@ -302,14 +289,6 @@ openldap:slapd.conf:permissions:640-600:
 openldap:slapd.conf:owner:ldap-root:
 
 
-#################################################################################
-#
-# SSL certificates
-#
-#################################################################################
-
-# Locations where to search for SSL certificates
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
 
 
 #################################################################################
@@ -319,8 +298,7 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
 #################################################################################
 
 # Ignore some stratum 16 hosts (for example when running as time source itself)
-#ntp:ignore_stratum_16_peer:127.0.0.1:
+#ntp-ignore-stratum-16-peer=127.0.0.1
-#ntp:ignore_stratum_16_peer:1.2.3.4:
 
 
 #################################################################################
@@ -368,90 +346,63 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
 # Scan for a program/binary in BINPATHs
 #scanbinary:Rootkit Hunter:rkhunter:
 
-
-#################################################################################
-#
-# Audit customizing
-# -----------------
-#
-# Most options can contain 'yes' or 'no'.
-#
-#################################################################################
-
 # Amount of connections in WAIT state before reporting it as a suggestion
-#config:connections_max_wait_state:5000:
+#connections-max-wait-state=5000
 
-# Skip security repository check for Debian based systems
-#config:debian_skip_security_repository:yes:
-
-# Debug mode (for debugging purposes, extra data logged to screen)
-#config:debug:yes:
-
-# Skip the FreeBSD portaudit test
-#config:freebsd_skip_portaudit:yes:
 
 # Ignore some specific home directories
 # One directory per line; directories will be skipped for home directory specific
 # checks, like file permissions, SSH and other configuration files
-#config:ignore_home_dir:/home/user:
+#ignore-home-dir=/home/user
 
 # Do not log tests with another guest operating system (default: yes)
-#config:log_tests_incorrect_os:no:
+#log-tests-incorrect-os=no
 
 # Define if available NTP daemon is configured as a server or client on the network
 # values: server or client (default: client)
-#config:ntpd_role:client:
+#ntpd-role=client
 
 # Allow promiscuous interfaces
 #   <option>:<promiscuous interface name>:<description>:
 #if_promisc:pflog0:pf log daemon interface:
 
-# Skip Lynis upgrade availability test (default: no)
+
-#config:skip_upgrade_test:yes:
+# The URL prefix and append to the URL for controls or your custom tests
+# Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
+#control-url-protocol=https
+#control-url-prepend=cisofy.com/control/
+#control-url-append=/
 
 # The URL prefix and append to URL's for your custom tests
-# Link will be build with: {control_url_protocol}://{control_url_prepend}CONTROL-ID{control_url_append}
+#custom-url-protocol=https
-#config:control_url_protocol:https:
+#custom-url-prepend=your-domain.example.org/control-info/
-#config:control_url_prepend:cisofy.com/control/:
+#custom-url-append=/
-#config:control_url_append:/:
+
-# The URL prefix and append to URL's for your custom tests
-#config:custom_url_protocol:https:
-#config:custom_url_prepend:your-domain.example.org/control-info/:
-#config:custom_url_append:/:
 
 #################################################################################
 #
-# Automatic Updating
+# Operating system specific
-# -------------------
+# -------------------------
-#
-# These settings can be used to create an option to do automatic updates.
-# By specifying local paths and your update server, the tool can do an update
-# check, compare versions and download a new version.
-#
-# If you installed Lynis as a package, then update via your package manager. See
-# https://packages.cisofy.com for more information.
 #
 #################################################################################
 
-# Local directory (without slash at end) where lynis directory will be installed
+# Skip the FreeBSD portaudit test
-# Note: do not add full path to lynis, as subdirectory is part of tarball
+#freebsd-skip-portaudit=yes
-#config:update_local_directory:/usr/local:
-# Full path to local file. Change local path if Lynis is installed on a different place
-#config:update_local_version_info:/usr/local/lynis/client-version:
 
-# Download information
+# Skip security repository check for Debian based systems
-# -----------------------------
+#debian-skip-security-repository=yes
-# Protocol to use: http, https
-#config:update_server_protocol:http:
 
-# Address of update server
-#config:update_server_address:192.168.1.125:
 
-# Path to last stable release
-#config:update_latest_version_download:/files/lynis-latest.tar.gz:
 
-# Last part of URL (file to gather)
+#################################################################################
-#config:update_latest_version_info:/files/lynis-latest-version:
+#
+# SSL certificates
+#
+#################################################################################
+
+# Locations where to search for SSL certificates
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
+
 
 
 #################################################################################
@@ -467,18 +418,25 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
 
 # Proxy settings
 # Protocol (http, https, socks5)
-#config:upload_proxy_protocol:https:
+#proxy-protocol=https
-# Address
-#config:upload_proxy_server:1.2.3.4:
-# Port
-#config:upload_proxy_port:3128:
 
-# Define groups
+# Address
-#config:group:[group name]:
+#proxy-server=1.2.3.4
-#config:group:test:
+
+# Port
+#proxy-port=3128
+
+# Define group names to link to this system (preferably single words)
+#system-groups=groupname1,groupname2,groupname3
 
 # Define which compliance standards are audited and reported on. Disable this if not required.
-config:compliance_standards:cis,hipaa,iso27001,pci-dss:
+compliance-standards=cis,hipaa,iso27001,pci-dss
+
+# Provide the name of the customer/client
+#system-customer-name=mycustomer
+
+# Link one or more tags to a system
+#tags=db,production,ssn-1304
 
 
 

include/profiles

@@ -188,6 +188,11 @@
                     HOSTID2="${VALUE}"
                 ;;
 
+                # Home directories to ignore during scans
+                ignore-home-dir)
+                    Report "ignore-home-dir[]=${VALUE}"
+                ;;
+
                 # Language
                 language | lang)
                     LogText "Language set via profile to '${VALUE}'"
@@ -304,13 +309,6 @@
                     AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins"
                 ;;
 
-                # SSL paths
-                ssl-certificate-paths)
-                    SSL_CERTIFICATE_PATHS="${VALUE}"
-                    Debug "SSL paths set to ${SSL_CERTIFICATE_PATHS}"
-                    AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates"
-                ;;
-
                 # Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
                 skip-test)
                     STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
@@ -323,6 +321,13 @@
                     Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}"
                 ;;
 
+                # SSL paths
+                ssl-certificate-paths)
+                    SSL_CERTIFICATE_PATHS="${VALUE}"
+                    Debug "SSL paths set to ${SSL_CERTIFICATE_PATHS}"
+                    AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates"
+                ;;
+
                 # Set strict mode for development and quality purposes
                 strict)
                     FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && SET_STRICT=1