tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Overhaul of default profile settings and parsing

This commit is contained in:
Michael Boelen 2018-01-23 15:01:02 +01:00
parent 6192cbd8fa
commit 2bf6a5e038
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
2 changed files with 71 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

160
default.prf
View File

@ -33,6 +33,9 @@ colors=yes
# Compressed uploads (set to zero when errors with uploading occur)
compressed-uploads=yes
# Debug mode (for debugging purposes, extra data logged to screen)
#debug=yes
# Show non-zero exit code when warnings are found
error-on-warnings=no
@ -89,18 +92,23 @@ upload-options=
# Verbose output
verbose=no
#################################################################################
#
# SUGGESTION
# ----------
# Upgrade and updating
# --------------------
#
# Do NOT make changes to this file, instead copy your preferred settings to
# custom.prf and put it in the same directory as default.prf
# The old settings to do automatic updating are deprecated. It is suggested to
# use a package or deploy your the tarball via a custom script.
#
# To discover where your profiles are located: lynis show profiles
# The latest packages can be found at: https://packages.cisofy.com
#
#################################################################################
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
#################################################################################
#
# Plugins
@ -142,27 +150,6 @@ plugin=systemd
plugin=users
#################################################################################
#
# Lynis Enterprise options
#
#################################################################################
# Provide the name of the customer/client
system-customer-name=
# Provide tags (tags=db,production,ssn-1304)
tags=
#################################################################################
#
# Configuration (Old Style) - will be replaced in phases
#
#################################################################################
#################################################################################
#
# Kernel options
@ -302,14 +289,6 @@ openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root:
#################################################################################
#
# SSL certificates
#
#################################################################################
# Locations where to search for SSL certificates
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
#################################################################################
@ -319,8 +298,7 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
#################################################################################
# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp:ignore_stratum_16_peer:127.0.0.1:
#ntp:ignore_stratum_16_peer:1.2.3.4:
#ntp-ignore-stratum-16-peer=127.0.0.1
#################################################################################
@ -368,90 +346,63 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# Scan for a program/binary in BINPATHs
#scanbinary:Rootkit Hunter:rkhunter:
#################################################################################
#
# Audit customizing
# -----------------
#
# Most options can contain 'yes' or 'no'.
#
#################################################################################
# Amount of connections in WAIT state before reporting it as a suggestion
#config:connections_max_wait_state:5000:
#connections-max-wait-state=5000
# Skip security repository check for Debian based systems
#config:debian_skip_security_repository:yes:
# Debug mode (for debugging purposes, extra data logged to screen)
#config:debug:yes:
# Skip the FreeBSD portaudit test
#config:freebsd_skip_portaudit:yes:
# Ignore some specific home directories
# One directory per line; directories will be skipped for home directory specific
# checks, like file permissions, SSH and other configuration files
#config:ignore_home_dir:/home/user:
#ignore-home-dir=/home/user
# Do not log tests with another guest operating system (default: yes)
#config:log_tests_incorrect_os:no:
#log-tests-incorrect-os=no
# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#config:ntpd_role:client:
#ntpd-role=client
# Allow promiscuous interfaces
# <option>:<promiscuous interface name>:<description>:
#if_promisc:pflog0:pf log daemon interface:
# Skip Lynis upgrade availability test (default: no)
#config:skip_upgrade_test:yes:
# The URL prefix and append to the URL for controls or your custom tests
# Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
#control-url-protocol=https
#control-url-prepend=cisofy.com/control/
#control-url-append=/
# The URL prefix and append to URL's for your custom tests
# Link will be build with: {control_url_protocol}://{control_url_prepend}CONTROL-ID{control_url_append}
#config:control_url_protocol:https:
#config:control_url_prepend:cisofy.com/control/:
#config:control_url_append:/:
# The URL prefix and append to URL's for your custom tests
#config:custom_url_protocol:https:
#config:custom_url_prepend:your-domain.example.org/control-info/:
#config:custom_url_append:/:
#custom-url-protocol=https
#custom-url-prepend=your-domain.example.org/control-info/
#custom-url-append=/
#################################################################################
#
# Automatic Updating
# -------------------
#
# These settings can be used to create an option to do automatic updates.
# By specifying local paths and your update server, the tool can do an update
# check, compare versions and download a new version.
#
# If you installed Lynis as a package, then update via your package manager. See
# https://packages.cisofy.com for more information.
# Operating system specific
# -------------------------
#
#################################################################################
# Local directory (without slash at end) where lynis directory will be installed
# Note: do not add full path to lynis, as subdirectory is part of tarball
#config:update_local_directory:/usr/local:
# Full path to local file. Change local path if Lynis is installed on a different place
#config:update_local_version_info:/usr/local/lynis/client-version:
# Skip the FreeBSD portaudit test
#freebsd-skip-portaudit=yes
# Download information
# -----------------------------
# Protocol to use: http, https
#config:update_server_protocol:http:
# Skip security repository check for Debian based systems
#debian-skip-security-repository=yes
# Address of update server
#config:update_server_address:192.168.1.125:
# Path to last stable release
#config:update_latest_version_download:/files/lynis-latest.tar.gz:
# Last part of URL (file to gather)
#config:update_latest_version_info:/files/lynis-latest-version:
#################################################################################
#
# SSL certificates
#
#################################################################################
# Locations where to search for SSL certificates
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
#################################################################################
@ -467,18 +418,25 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# Proxy settings
# Protocol (http, https, socks5)
#config:upload_proxy_protocol:https:
# Address
#config:upload_proxy_server:1.2.3.4:
# Port
#config:upload_proxy_port:3128:
#proxy-protocol=https
# Define groups
#config:group:[group name]:
#config:group:test:
# Address
#proxy-server=1.2.3.4
# Port
#proxy-port=3128
# Define group names to link to this system (preferably single words)
#system-groups=groupname1,groupname2,groupname3
# Define which compliance standards are audited and reported on. Disable this if not required.
config:compliance_standards:cis,hipaa,iso27001,pci-dss:
compliance-standards=cis,hipaa,iso27001,pci-dss
# Provide the name of the customer/client
#system-customer-name=mycustomer
# Link one or more tags to a system
#tags=db,production,ssn-1304

19
include/profiles
View File

@ -188,6 +188,11 @@
HOSTID2="${VALUE}"
;;
# Home directories to ignore during scans
ignore-home-dir)
Report "ignore-home-dir[]=${VALUE}"
;;
# Language
language | lang)
LogText "Language set via profile to '${VALUE}'"
@ -304,13 +309,6 @@
AddSetting "skip-plugins" "${SETTING_SKIP_PLUGINS}" "Skip plugins"
;;
# SSL paths
ssl-certificate-paths)
SSL_CERTIFICATE_PATHS="${VALUE}"
Debug "SSL paths set to ${SSL_CERTIFICATE_PATHS}"
AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates"
;;
# Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
skip-test)
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
@ -323,6 +321,13 @@
Debug "Skip upgrade test set to ${SKIP_UPGRADE_TEST}"
;;
# SSL paths
ssl-certificate-paths)
SSL_CERTIFICATE_PATHS="${VALUE}"
Debug "SSL paths set to ${SSL_CERTIFICATE_PATHS}"
AddSetting "ssl-certificate-paths" "${SSL_CERTIFICATE_PATHS}" "Paths for SSL certificates"
;;
# Set strict mode for development and quality purposes
strict)
FIND=$(echo "${VALUE}" | egrep "^(1|true|yes)") && SET_STRICT=1