mirror of https://github.com/CISOfy/lynis.git
New option to disable plugins via profile
This commit is contained in:
parent
1f0c31fcad
commit
ade3117307
114
default.prf
114
default.prf
|
@ -9,11 +9,11 @@
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
# SUGGESTION
|
# WARNING
|
||||||
# ----------
|
# ----------
|
||||||
#
|
#
|
||||||
# Do NOT make changes to this file, instead copy your preferred settings to
|
# Do NOT make changes to this file. Instead, copy only your changes into
|
||||||
# custom.prf and put it in the same directory as default.prf
|
# the file custom.prf and put it in the same directory as default.prf
|
||||||
#
|
#
|
||||||
# To discover where your profiles are located: lynis show profiles
|
# To discover where your profiles are located: lynis show profiles
|
||||||
#
|
#
|
||||||
|
@ -22,9 +22,6 @@
|
||||||
#
|
#
|
||||||
# All empty lines or with the # prefix will be skipped
|
# All empty lines or with the # prefix will be skipped
|
||||||
#
|
#
|
||||||
# More information about this plugin can be found in the documentation:
|
|
||||||
# https://cisofy.com/documentation/lynis/
|
|
||||||
#
|
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
|
||||||
# Use colored output
|
# Use colored output
|
||||||
|
@ -42,19 +39,26 @@ error-on-warnings=no
|
||||||
# Use Lynis in your own language (by default auto-detected)
|
# Use Lynis in your own language (by default auto-detected)
|
||||||
language=
|
language=
|
||||||
|
|
||||||
# Lynis Enterprise license key
|
# Log tests from another guest operating system (default: yes)
|
||||||
license-key=
|
#log-tests-incorrect-os=yes
|
||||||
|
|
||||||
|
# Define if available NTP daemon is configured as a server or client on the network
|
||||||
|
# values: server or client (default: client)
|
||||||
|
#ntpd-role=client
|
||||||
|
|
||||||
# Defines the role of the system (personal, workstation or server)
|
# Defines the role of the system (personal, workstation or server)
|
||||||
machine-role=server
|
machine-role=server
|
||||||
|
|
||||||
|
# Ignore some stratum 16 hosts (for example when running as time source itself)
|
||||||
|
#ntp-ignore-stratum-16-peer=127.0.0.1
|
||||||
|
|
||||||
# Profile name, will be used as title/description
|
# Profile name, will be used as title/description
|
||||||
profile-name=Default Audit Template
|
profile-name=Default Audit Template
|
||||||
|
|
||||||
# Number of seconds to pause between every test (0 is no pause)
|
# Number of seconds to pause between every test (0 is no pause)
|
||||||
pause-between-tests=0
|
pause-between-tests=0
|
||||||
|
|
||||||
# Enable quick mode (no waiting for keypresses, same as --quick option)
|
# Quick mode (no waiting for keypresses)
|
||||||
quick=no
|
quick=no
|
||||||
|
|
||||||
# Refresh software repositories to help detecting vulnerable packages
|
# Refresh software repositories to help detecting vulnerable packages
|
||||||
|
@ -76,39 +80,19 @@ skip-plugins=no
|
||||||
#skip-test=SSH-7408:loglevel
|
#skip-test=SSH-7408:loglevel
|
||||||
#skip-test=SSH-7408:permitrootlogin
|
#skip-test=SSH-7408:permitrootlogin
|
||||||
|
|
||||||
|
# Skip Lynis upgrade availability test (default: no)
|
||||||
|
#skip-upgrade-test=yes
|
||||||
|
|
||||||
|
# Locations where to search for SSL certificates
|
||||||
|
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
|
||||||
|
|
||||||
# Scan type - how deep the audit should be (light, normal or full)
|
# Scan type - how deep the audit should be (light, normal or full)
|
||||||
test-scan-mode=full
|
test-scan-mode=full
|
||||||
|
|
||||||
# Upload data to central server
|
|
||||||
upload=no
|
|
||||||
|
|
||||||
# The hostname/IP address to receive the data
|
|
||||||
upload-server=
|
|
||||||
|
|
||||||
# Provide options to cURL (or other upload tool) when uploading data.
|
|
||||||
# upload-options=--insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
|
|
||||||
upload-options=
|
|
||||||
|
|
||||||
# Verbose output
|
# Verbose output
|
||||||
verbose=no
|
verbose=no
|
||||||
|
|
||||||
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# Upgrade and updating
|
|
||||||
# --------------------
|
|
||||||
#
|
|
||||||
# The old settings to do automatic updating are deprecated. It is suggested to
|
|
||||||
# use a package or deploy your the tarball via a custom script.
|
|
||||||
#
|
|
||||||
# The latest packages can be found at: https://packages.cisofy.com
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
|
|
||||||
# Skip Lynis upgrade availability test (default: no)
|
|
||||||
#skip-upgrade-test=yes
|
|
||||||
|
|
||||||
|
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Plugins
|
# Plugins
|
||||||
|
@ -119,10 +103,11 @@ verbose=no
|
||||||
# - Nothing happens if plugin isn't available
|
# - Nothing happens if plugin isn't available
|
||||||
# - There is no order in execution of plugins
|
# - There is no order in execution of plugins
|
||||||
# - See documentation about how to use plugins and phases
|
# - See documentation about how to use plugins and phases
|
||||||
|
# - Some are for Lynis Enterprise users only
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
|
||||||
# Lynis Plugins (some are for Lynis Enterprise users only)
|
# Lynis plugins to enable
|
||||||
plugin=authentication
|
plugin=authentication
|
||||||
plugin=compliance
|
plugin=compliance
|
||||||
plugin=configuration
|
plugin=configuration
|
||||||
|
@ -149,17 +134,22 @@ plugin=system-integrity
|
||||||
plugin=systemd
|
plugin=systemd
|
||||||
plugin=users
|
plugin=users
|
||||||
|
|
||||||
|
# Disable a particular plugin (will overrule an enabled plugin)
|
||||||
|
#disable-plugin=authentication
|
||||||
|
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Kernel options
|
# Kernel options
|
||||||
# ---------------
|
# ---------------
|
||||||
# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
|
# configdate=, followed by:
|
||||||
#
|
#
|
||||||
# Sysctl key = name
|
# - Type = Set to 'sysctl'
|
||||||
# Expected value = value of sysctl key
|
# - Setting = value of sysctl key (e.g. kernel.sysrq)
|
||||||
# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
|
# - Expected value = Preferred value for key (e.g. 0)
|
||||||
# Description = Text description of key
|
# - Hardening Points = Number of hardening points (typically 1 point per key) (1)
|
||||||
|
# - Description = Textual description about the sysctl key(Disable magic SysRQ)
|
||||||
|
# - Related file or command = For example, sysctl -a to retrieve more details
|
||||||
|
# - Solution field = Specifies more details or where to find them (url:URL, text:TEXT, or -)
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
|
||||||
|
@ -290,18 +280,6 @@ openldap:slapd.conf:permissions:640-600:
|
||||||
openldap:slapd.conf:owner:ldap-root:
|
openldap:slapd.conf:owner:ldap-root:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# NTP options
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
|
|
||||||
# Ignore some stratum 16 hosts (for example when running as time source itself)
|
|
||||||
#ntp-ignore-stratum-16-peer=127.0.0.1
|
|
||||||
|
|
||||||
|
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# File/directories permissions (currently not used yet)
|
# File/directories permissions (currently not used yet)
|
||||||
|
@ -356,12 +334,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
|
||||||
# checks, like file permissions, SSH and other configuration files
|
# checks, like file permissions, SSH and other configuration files
|
||||||
#ignore-home-dir=/home/user
|
#ignore-home-dir=/home/user
|
||||||
|
|
||||||
# Do not log tests with another guest operating system (default: yes)
|
|
||||||
#log-tests-incorrect-os=no
|
|
||||||
|
|
||||||
# Define if available NTP daemon is configured as a server or client on the network
|
|
||||||
# values: server or client (default: client)
|
|
||||||
#ntpd-role=client
|
|
||||||
|
|
||||||
# Allow promiscuous interfaces
|
# Allow promiscuous interfaces
|
||||||
# <option>:<promiscuous interface name>:<description>:
|
# <option>:<promiscuous interface name>:<description>:
|
||||||
|
@ -395,17 +367,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# SSL certificates
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
|
|
||||||
# Locations where to search for SSL certificates
|
|
||||||
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#################################################################################
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Lynis Enterprise options
|
# Lynis Enterprise options
|
||||||
|
@ -423,6 +384,9 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
|
||||||
#hostid=40-char-hash
|
#hostid=40-char-hash
|
||||||
#hostid2=64-char-hash
|
#hostid2=64-char-hash
|
||||||
|
|
||||||
|
# Lynis Enterprise license key
|
||||||
|
license-key=
|
||||||
|
|
||||||
# Proxy settings
|
# Proxy settings
|
||||||
# Protocol (http, https, socks5)
|
# Protocol (http, https, socks5)
|
||||||
#proxy-protocol=https
|
#proxy-protocol=https
|
||||||
|
@ -443,6 +407,16 @@ compliance-standards=cis,hipaa,iso27001,pci-dss
|
||||||
# Provide the name of the customer/client
|
# Provide the name of the customer/client
|
||||||
#system-customer-name=mycustomer
|
#system-customer-name=mycustomer
|
||||||
|
|
||||||
|
# Upload data to central server
|
||||||
|
upload=no
|
||||||
|
|
||||||
|
# The hostname/IP address to receive the data
|
||||||
|
upload-server=
|
||||||
|
|
||||||
|
# Provide options to cURL (or other upload tool) when uploading data.
|
||||||
|
# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
|
||||||
|
upload-options=
|
||||||
|
|
||||||
# Link one or more tags to a system
|
# Link one or more tags to a system
|
||||||
#tags=db,production,ssn-1304
|
#tags=db,production,ssn-1304
|
||||||
|
|
||||||
|
|
|
@ -96,6 +96,7 @@ unset LANG
|
||||||
DEBSECANBINARY=""
|
DEBSECANBINARY=""
|
||||||
DEBSUMSBINARY=""
|
DEBSUMSBINARY=""
|
||||||
DEVELOPER_MODE=0
|
DEVELOPER_MODE=0
|
||||||
|
DISABLED_PLUGINS=""
|
||||||
DISCOVERED_BINARIES=""
|
DISCOVERED_BINARIES=""
|
||||||
DMIDECODEBINARY=""
|
DMIDECODEBINARY=""
|
||||||
DNFBINARY=""
|
DNFBINARY=""
|
||||||
|
|
|
@ -239,6 +239,11 @@
|
||||||
LogText "Plugin '${VALUE}' enabled according profile (${PROFILE})"
|
LogText "Plugin '${VALUE}' enabled according profile (${PROFILE})"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
disable-plugin)
|
||||||
|
LogText "Plugin '${VALUE}' disabled according profile (${PROFILE})"
|
||||||
|
DISABLED_PLUGINS="${DISABLED_PLUGINS} ${VALUE}"
|
||||||
|
;;
|
||||||
|
|
||||||
# Plugin directory
|
# Plugin directory
|
||||||
plugindir | plugin-dir)
|
plugindir | plugin-dir)
|
||||||
if IsEmpty "${PLUGINDIR}"; then
|
if IsEmpty "${PLUGINDIR}"; then
|
||||||
|
|
13
lynis
13
lynis
|
@ -851,8 +851,17 @@ ${NORMAL}
|
||||||
LogText "Action: checking plugin status in profile: ${PROFILE}"
|
LogText "Action: checking plugin status in profile: ${PROFILE}"
|
||||||
FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
|
FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
|
||||||
if [ ! -z "${FIND3}" ]; then
|
if [ ! -z "${FIND3}" ]; then
|
||||||
LogText "Result: plugin enabled in profile (${PROFILE})"
|
FOUND=0
|
||||||
PLUGIN_ENABLED_STATE=1
|
for I in ${DISABLED_PLUGINS}; do
|
||||||
|
if [ "${I}" = "${FIND2}" ]; then
|
||||||
|
FOUND=1
|
||||||
|
LogText "Result: plugin ${FIND2} is specifically disabled"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ${FOUND} -eq 0 ]; then
|
||||||
|
LogText "Result: plugin enabled in profile (${PROFILE})"
|
||||||
|
PLUGIN_ENABLED_STATE=1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [ ${PLUGIN_ENABLED_STATE} -eq 1 ]; then
|
if [ ${PLUGIN_ENABLED_STATE} -eq 1 ]; then
|
||||||
|
|
Loading…
Reference in New Issue