New option to disable plugins via profile

This commit is contained in:
Michael Boelen 2019-07-03 15:39:26 +02:00
parent 1f0c31fcad
commit ade3117307
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
4 changed files with 61 additions and 72 deletions


@ -9,11 +9,11 @@
################################################################################# #################################################################################
# #
# #
# SUGGESTION # WARNING
# ---------- # ----------
# #
# Do NOT make changes to this file, instead copy your preferred settings to # Do NOT make changes to this file. Instead, copy only your changes into
# custom.prf and put it in the same directory as default.prf # the file custom.prf and put it in the same directory as default.prf
# #
# To discover where your profiles are located: lynis show profiles # To discover where your profiles are located: lynis show profiles
# #
@ -22,9 +22,6 @@
# #
# All empty lines or with the # prefix will be skipped # All empty lines or with the # prefix will be skipped
# #
# More information about this plugin can be found in the documentation:
# https://cisofy.com/documentation/lynis/
#
################################################################################# #################################################################################
# Use colored output # Use colored output
@ -42,19 +39,26 @@ error-on-warnings=no
# Use Lynis in your own language (by default auto-detected) # Use Lynis in your own language (by default auto-detected)
language= language=
# Lynis Enterprise license key # Log tests from another guest operating system (default: yes)
license-key= #log-tests-incorrect-os=yes
# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#ntpd-role=client
# Defines the role of the system (personal, workstation or server) # Defines the role of the system (personal, workstation or server)
machine-role=server machine-role=server
# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp-ignore-stratum-16-peer=127.0.0.1
# Profile name, will be used as title/description # Profile name, will be used as title/description
profile-name=Default Audit Template profile-name=Default Audit Template
# Number of seconds to pause between every test (0 is no pause) # Number of seconds to pause between every test (0 is no pause)
pause-between-tests=0 pause-between-tests=0
# Enable quick mode (no waiting for keypresses, same as --quick option) # Quick mode (no waiting for keypresses)
quick=no quick=no
# Refresh software repositories to help detecting vulnerable packages # Refresh software repositories to help detecting vulnerable packages
@ -76,39 +80,19 @@ skip-plugins=no
#skip-test=SSH-7408:loglevel #skip-test=SSH-7408:loglevel
#skip-test=SSH-7408:permitrootlogin #skip-test=SSH-7408:permitrootlogin
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
# Locations where to search for SSL certificates
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
# Scan type - how deep the audit should be (light, normal or full) # Scan type - how deep the audit should be (light, normal or full)
test-scan-mode=full test-scan-mode=full
# Upload data to central server
upload=no
# The hostname/IP address to receive the data
upload-server=
# Provide options to cURL (or other upload tool) when uploading data.
# upload-options=--insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
upload-options=
# Verbose output # Verbose output
verbose=no verbose=no
#################################################################################
#
# Upgrade and updating
# --------------------
#
# The old settings to do automatic updating are deprecated. It is suggested to
# use a package or deploy your the tarball via a custom script.
#
# The latest packages can be found at: https://packages.cisofy.com
#
#################################################################################
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
################################################################################# #################################################################################
# #
# Plugins # Plugins
@ -119,10 +103,11 @@ verbose=no
# - Nothing happens if plugin isn't available # - Nothing happens if plugin isn't available
# - There is no order in execution of plugins # - There is no order in execution of plugins
# - See documentation about how to use plugins and phases # - See documentation about how to use plugins and phases
# - Some are for Lynis Enterprise users only
# #
################################################################################# #################################################################################
# Lynis Plugins (some are for Lynis Enterprise users only) # Lynis plugins to enable
plugin=authentication plugin=authentication
plugin=compliance plugin=compliance
plugin=configuration plugin=configuration
@ -149,17 +134,22 @@ plugin=system-integrity
plugin=systemd plugin=systemd
plugin=users plugin=users
# Disable a particular plugin (will overrule an enabled plugin)
#disable-plugin=authentication
################################################################################# #################################################################################
# #
# Kernel options # Kernel options
# --------------- # ---------------
# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>: # configdate=, followed by:
# #
# Sysctl key = name # - Type = Set to 'sysctl'
# Expected value = value of sysctl key # - Setting = value of sysctl key (e.g. kernel.sysrq)
# Hardening points = Number of hardening points. For most keys 1 HP will be suitable # - Expected value = Preferred value for key (e.g. 0)
# Description = Text description of key # - Hardening Points = Number of hardening points (typically 1 point per key) (1)
# - Description = Textual description about the sysctl key(Disable magic SysRQ)
# - Related file or command = For example, sysctl -a to retrieve more details
# - Solution field = Specifies more details or where to find them (url:URL, text:TEXT, or -)
# #
################################################################################# #################################################################################
@ -290,18 +280,6 @@ openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root: openldap:slapd.conf:owner:ldap-root:
#################################################################################
#
# NTP options
#
#################################################################################
# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp-ignore-stratum-16-peer=127.0.0.1
################################################################################# #################################################################################
# #
# File/directories permissions (currently not used yet) # File/directories permissions (currently not used yet)
@ -356,12 +334,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# checks, like file permissions, SSH and other configuration files # checks, like file permissions, SSH and other configuration files
#ignore-home-dir=/home/user #ignore-home-dir=/home/user
# Do not log tests with another guest operating system (default: yes)
#log-tests-incorrect-os=no
# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#ntpd-role=client
# Allow promiscuous interfaces # Allow promiscuous interfaces
# <option>:<promiscuous interface name>:<description>: # <option>:<promiscuous interface name>:<description>:
@ -395,17 +367,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#################################################################################
#
# SSL certificates
#
#################################################################################
# Locations where to search for SSL certificates
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
################################################################################# #################################################################################
# #
# Lynis Enterprise options # Lynis Enterprise options
@ -423,6 +384,9 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
#hostid=40-char-hash #hostid=40-char-hash
#hostid2=64-char-hash #hostid2=64-char-hash
# Lynis Enterprise license key
license-key=
# Proxy settings # Proxy settings
# Protocol (http, https, socks5) # Protocol (http, https, socks5)
#proxy-protocol=https #proxy-protocol=https
@ -443,6 +407,16 @@ compliance-standards=cis,hipaa,iso27001,pci-dss
# Provide the name of the customer/client # Provide the name of the customer/client
#system-customer-name=mycustomer #system-customer-name=mycustomer
# Upload data to central server
upload=no
# The hostname/IP address to receive the data
upload-server=
# Provide options to cURL (or other upload tool) when uploading data.
# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
upload-options=
# Link one or more tags to a system # Link one or more tags to a system
#tags=db,production,ssn-1304 #tags=db,production,ssn-1304


@ -96,6 +96,7 @@ unset LANG
DEBSECANBINARY="" DEBSECANBINARY=""
DEBSUMSBINARY="" DEBSUMSBINARY=""
DEVELOPER_MODE=0 DEVELOPER_MODE=0
DISABLED_PLUGINS=""
DISCOVERED_BINARIES="" DISCOVERED_BINARIES=""
DMIDECODEBINARY="" DMIDECODEBINARY=""
DNFBINARY="" DNFBINARY=""


@ -239,6 +239,11 @@
LogText "Plugin '${VALUE}' enabled according profile (${PROFILE})" LogText "Plugin '${VALUE}' enabled according profile (${PROFILE})"
;; ;;
disable-plugin)
LogText "Plugin '${VALUE}' disabled according profile (${PROFILE})"
DISABLED_PLUGINS="${DISABLED_PLUGINS} ${VALUE}"
;;
# Plugin directory # Plugin directory
plugindir | plugin-dir) plugindir | plugin-dir)
if IsEmpty "${PLUGINDIR}"; then if IsEmpty "${PLUGINDIR}"; then
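Review bot: The new `disable-plugin)` arm appends `${VALUE}` to `DISABLED_PLUGINS` unvalidated, yet that list is later split on whitespace and compared word by word, so a value containing spaces or glob characters is silently split or expanded instead of being rejected. Guard the append with a `case "${VALUE}" in` that accepts only plugin-name characters (e.g. `[A-Za-z0-9_-]`) and otherwise logs and skips the entry, leaving `DISABLED_PLUGINS="${DISABLED_PLUGINS} ${VALUE}"` for the valid branch only. A short comment above the arm, `# Mark a plugin as disabled; overrules a plugin= entry for the same name`, would also document the intent that is currently only stated in the profile template. Duplicate entries are appended repeatedly, which is harmless for a membership test but worth noting. The enclosing `case` statement starts and ends outside the hunk.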

9
lynis

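--- a/lynis
+++ b/lynis
@@ -851,9 +851,18 @@ ${NORMAL}
 LogText "Action: checking plugin status in profile: ${PROFILE}"
 FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
 if [ ! -z "${FIND3}" ]; then
+FOUND=0
+for I in ${DISABLED_PLUGINS}; do
+if [ "${I}" = "${FIND2}" ]; then
+FOUND=1
+LogText "Result: plugin ${FIND2} is specifically disabled"
+fi
+done
+if [ ${FOUND} -eq 0 ]; then
 LogText "Result: plugin enabled in profile (${PROFILE})"
 PLUGIN_ENABLED_STATE=1
 fi
+fi
 done
 if [ ${PLUGIN_ENABLED_STATE} -eq 1 ]; then
 LogText "Result: plugin ${FIND2} is enabled"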
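Review bot: The new membership test `for I in ${DISABLED_PLUGINS}` expands the profile-supplied list unquoted, so a `disable-plugin=` value containing glob characters undergoes pathname expansion before the comparison, and the loop keeps iterating after the first hit. A POSIX pattern match on the space-padded list avoids both and needs no loop variable: `case " ${DISABLED_PLUGINS} " in *" ${FIND2} "*) FOUND=1; LogText "Result: plugin ${FIND2} is specifically disabled" ;; esac`. Note also that the disable check is an exact string compare while the enabling grep two lines above it (`^plugin=${FIND2}`) is an anchored prefix match, so an entry such as `plugin=users-extra` (constructed example) would still count as enabling `users` and could not be suppressed by `disable-plugin=users-extra`; anchoring the grep with a trailing `$` would make the two checks agree. The enclosing profile loop and function start outside the hunk.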