New option to disable plugins via profile

2019-07-03 15:39:26 +02:00 · 2019-07-03 15:39:26 +02:00 · ade3117307
parent 1f0c31fcad
commit ade3117307
4 changed files with 61 additions and 72 deletions
--- a/default.prf
+++ b/default.prf
@ -9,11 +9,11 @@
 #################################################################################
 #
 #
-# SUGGESTION
+# WARNING
 # ----------
 #
-# Do NOT make changes to this file, instead copy your preferred settings to
-# custom.prf and put it in the same directory as default.prf
+# Do NOT make changes to this file. Instead, copy only your changes into
+# the file custom.prf and put it in the same directory as default.prf
 #
 # To discover where your profiles are located: lynis show profiles
 #
@ -22,9 +22,6 @@
 #
 # All empty lines or with the # prefix will be skipped
 #
-# More information about this plugin can be found in the documentation:
-# https://cisofy.com/documentation/lynis/
-#
 #################################################################################

 # Use colored output
@ -42,19 +39,26 @@ error-on-warnings=no
 # Use Lynis in your own language (by default auto-detected)
 language=

-# Lynis Enterprise license key
-license-key=
+# Log tests from another guest operating system (default: yes)
+#log-tests-incorrect-os=yes
+
+# Define if available NTP daemon is configured as a server or client on the network
+# values: server or client (default: client)
+#ntpd-role=client

 # Defines the role of the system (personal, workstation or server)
 machine-role=server

+# Ignore some stratum 16 hosts (for example when running as time source itself)
+#ntp-ignore-stratum-16-peer=127.0.0.1
+
 # Profile name, will be used as title/description
 profile-name=Default Audit Template

 # Number of seconds to pause between every test (0 is no pause)
 pause-between-tests=0

-# Enable quick mode (no waiting for keypresses, same as --quick option)
+# Quick mode (no waiting for keypresses)
 quick=no

 # Refresh software repositories to help detecting vulnerable packages
@ -76,39 +80,19 @@ skip-plugins=no
 #skip-test=SSH-7408:loglevel
 #skip-test=SSH-7408:permitrootlogin

+# Skip Lynis upgrade availability test (default: no)
+#skip-upgrade-test=yes
+
+# Locations where to search for SSL certificates
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
+
 # Scan type - how deep the audit should be (light, normal or full)
 test-scan-mode=full

-# Upload data to central server
-upload=no
-
-# The hostname/IP address to receive the data
-upload-server=
-
-# Provide options to cURL (or other upload tool) when uploading data.
-# upload-options=--insecure   --> use HTTPS, but skip certificate check (e.g. self-signed)
-upload-options=
-
 # Verbose output
 verbose=no


-#################################################################################
-#
-# Upgrade and updating
-# --------------------
-#
-# The old settings to do automatic updating are deprecated. It is suggested to
-# use a package or deploy your the tarball via a custom script.
-#
-# The latest packages can be found at: https://packages.cisofy.com
-#
-#################################################################################
-
-# Skip Lynis upgrade availability test (default: no)
-#skip-upgrade-test=yes
-
-
 #################################################################################
 #
 # Plugins
@ -119,10 +103,11 @@ verbose=no
 # - Nothing happens if plugin isn't available
 # - There is no order in execution of plugins
 # - See documentation about how to use plugins and phases
+# - Some are for Lynis Enterprise users only
 #
 #################################################################################

-# Lynis Plugins (some are for Lynis Enterprise users only)
+# Lynis plugins to enable
 plugin=authentication
 plugin=compliance
 plugin=configuration
@ -149,17 +134,22 @@ plugin=system-integrity
 plugin=systemd
 plugin=users

+# Disable a particular plugin (will overrule an enabled plugin)
+#disable-plugin=authentication

 #################################################################################
 #
 # Kernel options
 # ---------------
-# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
+# configdate=, followed by:
 #
-# Sysctl key       = name
-# Expected value   = value of sysctl key
-# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
-# Description      = Text description of key
+# - Type                     = Set to 'sysctl'
+# - Setting                  = value of sysctl key (e.g. kernel.sysrq)
+# - Expected value           = Preferred value for key (e.g. 0)
+# - Hardening Points         = Number of hardening points (typically 1 point per key) (1)
+# - Description              = Textual description about the sysctl key(Disable magic SysRQ)
+# - Related file or command  = For example, sysctl -a to retrieve more details
+# - Solution field           = Specifies more details or where to find them (url:URL, text:TEXT, or -)
 #
 #################################################################################

@ -290,18 +280,6 @@ openldap:slapd.conf:permissions:640-600:
 openldap:slapd.conf:owner:ldap-root:


-
-
-#################################################################################
-#
-# NTP options
-#
-#################################################################################
-
-# Ignore some stratum 16 hosts (for example when running as time source itself)
-#ntp-ignore-stratum-16-peer=127.0.0.1
-
-
 #################################################################################
 #
 # File/directories permissions (currently not used yet)
@ -356,12 +334,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
 # checks, like file permissions, SSH and other configuration files
 #ignore-home-dir=/home/user

-# Do not log tests with another guest operating system (default: yes)
-#log-tests-incorrect-os=no
-
-# Define if available NTP daemon is configured as a server or client on the network
-# values: server or client (default: client)
-#ntpd-role=client

 # Allow promiscuous interfaces
 #   <option>:<promiscuous interface name>:<description>:
@ -395,17 +367,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:



-#################################################################################
-#
-# SSL certificates
-#
-#################################################################################
-
-# Locations where to search for SSL certificates
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
-
-
-
 #################################################################################
 #
 # Lynis Enterprise options
@ -423,6 +384,9 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
 #hostid=40-char-hash
 #hostid2=64-char-hash

+# Lynis Enterprise license key
+license-key=
+
 # Proxy settings
 # Protocol (http, https, socks5)
 #proxy-protocol=https
@ -443,6 +407,16 @@ compliance-standards=cis,hipaa,iso27001,pci-dss
 # Provide the name of the customer/client
 #system-customer-name=mycustomer

+# Upload data to central server
+upload=no
+
+# The hostname/IP address to receive the data
+upload-server=
+
+# Provide options to cURL (or other upload tool) when uploading data.
+# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
+upload-options=
+
 # Link one or more tags to a system
 #tags=db,production,ssn-1304

--- a/include/consts
+++ b/include/consts
@ -96,6 +96,7 @@ unset LANG
    DEBSECANBINARY=""
    DEBSUMSBINARY=""
    DEVELOPER_MODE=0
+    DISABLED_PLUGINS=""
    DISCOVERED_BINARIES=""
    DMIDECODEBINARY=""
    DNFBINARY=""
--- a/include/profiles
+++ b/include/profiles
@ -239,6 +239,11 @@
                    LogText "Plugin '${VALUE}' enabled according profile (${PROFILE})"
                ;;

+                disable-plugin)
+                    LogText "Plugin '${VALUE}' disabled according profile (${PROFILE})"
+                    DISABLED_PLUGINS="${DISABLED_PLUGINS} ${VALUE}"
+                ;;
+
                # Plugin directory
                plugindir | plugin-dir)
                    if IsEmpty "${PLUGINDIR}"; then
--- a/13
+++ b/13
@ -851,8 +851,17 @@ ${NORMAL}
                            LogText "Action: checking plugin status in profile: ${PROFILE}"
                            FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
                            if [ ! -z "${FIND3}" ]; then
-                                LogText "Result: plugin enabled in profile (${PROFILE})"
-                                PLUGIN_ENABLED_STATE=1
+                                FOUND=0
+                                for I in ${DISABLED_PLUGINS}; do
+                                    if [ "${I}" = "${FIND2}" ]; then
+                                        FOUND=1
+                                        LogText "Result: plugin ${FIND2} is specifically disabled"
+                                    fi
+                                done
+                                if [ ${FOUND} -eq 0 ]; then
+                                    LogText "Result: plugin enabled in profile (${PROFILE})"
+                                    PLUGIN_ENABLED_STATE=1
+                                fi
                            fi
                        done
                        if [ ${PLUGIN_ENABLED_STATE} -eq 1 ]; then