################################################################################# # # Lynis - Scan Profile (default) # # This is the default profile and contains default values. You are encouraged to # copy this file and use it's base for custom audit profiles. # # All empty lines or with the # prefix will be skipped # # More information about this plugin can be found in the documentation: # https://cisofy.com/documentation/lynis/ # ################################################################################# [configuration] # Profile name, will be used as title/description config:profile_name:Default Audit Template: # Number of seconds to pause between every test (0 is no pause) config:pause_between_tests:0: # Show inline tips about the tool config:show_tool_tips:1: ################################################################################# # # Testing options # --------------- # ################################################################################# # ** Scan type ** # # Description: How deep the audit should be # Values: light, normal or full (default) # # config:test_scan_mode:full: # ** Skip one or more specific tests ** # (always ignores scan mode and will make sure the test is skipped) # # config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012: # ** Define machine role ** # # Description: defines the role of the system # Values: desktop, server (default) # #config:machine_role:server: ################################################################################# # # Plugins # --------------- # Define which plugins are enabled # # Notes: # - Nothing happens if plugin isn't available # - There is no order in execution of plugins # - See documentation about how to use plugins and phases # ################################################################################# # Lynis Plugins (some are for Lynis Enterprise users only) plugin=compliance plugin=configuration plugin=control-panels plugin=crypto plugin=dns plugin=docker plugin=file-integrity plugin=file-systems plugin=firewalls plugin=forensics plugin=intrusion-detection plugin=intrusion-prevention plugin=kernel plugin=malware plugin=memory plugin=nginx plugin=pam plugin=processes plugin=security-modules plugin=software plugin=system-integrity plugin=systemd plugin=users ################################################################################# # # Kernel options # --------------- # sysctl::::: # # Sysctl key = name # Expected value = value of sysctl key # Hardening points = Number of hardening points. For most keys 1 HP will be suitable # Description = Text description of key # ################################################################################# # Processes #sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value: sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups: sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users: # Kernel sysctl:kern.sugid_coredump:0:1:XXX: sysctl:kernel.core_setuid_ok:0:1:XXX: sysctl:kernel.core_uses_pid:1:1:XXX: sysctl:kernel.ctrl-alt-del:0:1:XXX: sysctl:kernel.exec-shield-randomize:1:1:XXX: sysctl:kernel.exec-shield:1:1:XXX: sysctl:kernel.kptr_restrict:1:1:Restrict access to kernel symbols: sysctl:kernel.sysrq:0:1:Disable magic SysRQ: sysctl:kernel.use-nx:0:1:XXX: # Network sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic: sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic: sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects: sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets: sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing: sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source: sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing: sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets: sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets: sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source: sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address: sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore #sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic: sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: [security] #sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: #security.jail.jailed: 0 #security.jail.jail_max_af_ips: 255 #security.jail.mount_allowed: 0 #security.jail.chflags_allowed: 0 #security.jail.allow_raw_sockets: 0 #security.jail.enforce_statfs: 2 #security.jail.sysvipc_allowed: 0 #security.jail.socket_unixiproute_only: 1 #security.jail.set_hostname_allowed: 1 #security.bsd.suser_enabled: 1 #security.bsd.unprivileged_proc_debug: 1 #security.bsd.conservative_signals: 1 #security.bsd.unprivileged_read_msgbuf: 1 #security.bsd.hardlink_check_gid: 0 #security.bsd.hardlink_check_uid: 0 #security.bsd.unprivileged_get_quota: 0 ################################################################################# # # Apache options # columns: (1)apache : (2)option : (3)value # ################################################################################# apache:ServerTokens:Prod: ################################################################################# # # OpenLDAP options # columns: (1)openldap : (2)file : (3)option : (4)expected value(s) # ################################################################################# openldap:slapd.conf:permissions:640-600: openldap:slapd.conf:owner:ldap-root: ################################################################################# # # SSL certificates # ################################################################################# # Locations where to search for SSL certificates ssl:certificates:/etc/letsencrypt /etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www /srv/www: ################################################################################# # # NTP options # ################################################################################# # Ignore some stratum 16 hosts (for example when running as time source itself) #ntp:ignore_stratum_16_peer:127.0.0.1: #ntp:ignore_stratum_16_peer:1.2.3.4: ################################################################################# # # File/directories permissions (currently not used yet) # ################################################################################# # Scan for exact file name match #[scanfiles] #scanfile:/etc/rc.conf:FreeBSD configuration: # Scan for exact directory name match #[scandirs] #scandir:/etc:/etc directory: ################################################################################# # # permfile # --------------- # permfile:file name:file permissions:owner:group:action: # Action = NOTICE or WARN # Examples: # permfile:/etc/test1.dat:600:root:wheel:NOTICE: # permfile:/etc/test1.dat:640:root:-:WARN: # ################################################################################# #permfile:/etc/inetd.conf:rw-------:root:-:WARN: #permfile:/etc/fstab:rw-r--r--:root:-:WARN: permfile:/etc/lilo.conf:rw-------:root:-:WARN: ################################################################################# # # permdir # --------------- # permdir:directory name:file permissions:owner:group:action when permissions are different: # ################################################################################# permdir:/root/.ssh:rwx------:root:-:WARN: # Scan for a program/binary in BINPATHs #scanbinary:Rootkit Hunter:rkhunter: ################################################################################# # # Audit customizing # ----------------- # # Most options can contain 'yes' or 'no'. # ################################################################################# # Amount of connections in WAIT state before reporting it as a suggestion #config:connections_max_wait_state:5000: # Skip security repository check for Debian based systems #config:debian_skip_security_repository:yes: # Debug mode (for debugging purposes, extra data logged to screen) #config:debug:yes: # Skip the FreeBSD portaudit test #config:freebsd_skip_portaudit:yes: # Ignore some specific home directories # One directory per line; directories will be skipped for home directory specific # checks, like file permissions, SSH and other configuration files #config:ignore_home_dir:/home/user: # Do not log tests with another guest operating system (default: yes) #config:log_tests_incorrect_os:no: # Define if available NTP daemon is configured as a server or client on the network # values: server or client (default: client) #config:ntpd_role:client: # Allow promiscuous interfaces #