################################################################################# # # # Lynis - Default scan profile # # ################################################################################# # # # This profile provides Lynis with most of its initial values to perform a # system audit. # # # WARNINGS # ---------- # # Do NOT make changes to this file. Instead, copy only your changes into # the file custom.prf and put it in the same directory as default.prf # # To discover where your profiles are located: lynis show profiles # # # Lynis performs a strict check on profiles to avoid the inclusion of # possibly harmful injections. See include/profiles for details. # # ################################################################################# # # All empty lines or with the # prefix will be skipped # ################################################################################# # Use colored output colors=yes # Compressed uploads (set to zero when errors with uploading occur) compressed-uploads=yes # Amount of connections in WAIT state before reporting it as a suggestion #connections-max-wait-state=5000 # Debug mode (for debugging purposes, extra data logged to screen) #debug=yes # Show non-zero exit code when warnings are found error-on-warnings=no # Use Lynis in your own language (by default auto-detected) language= # Log tests from another guest operating system (default: yes) #log-tests-incorrect-os=yes # Define if available NTP daemon is configured as a server or client on the network # values: server or client (default: client) #ntpd-role=client # Defines the role of the system (personal, workstation or server) machine-role=server # Ignore some stratum 16 hosts (for example when running as time source itself) #ntp-ignore-stratum-16-peer=127.0.0.1 # Profile name, will be used as title/description profile-name=Default Audit Template # Number of seconds to pause between every test (0 is no pause) pause-between-tests=0 # Quick mode (do not wait for keypresses) quick=yes # Refresh software repositories to help detecting vulnerable packages refresh-repositories=yes # Show solution for findings show-report-solution=yes # Show inline tips about the tool show-tool-tips=yes # Skip plugins skip-plugins=no # Skip a test (one per line) #skip-test=SSH-7408 # Skip a particular option within a test (when applicable) #skip-test=SSH-7408:loglevel #skip-test=SSH-7408:permitrootlogin # Skip Lynis upgrade availability test (default: no) #skip-upgrade-test=yes # Locations where to search for SSL certificates (separate paths with a colon) ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive: ssl-certificate-include-packages=no # Scan type - how deep the audit should be (light, normal or full) test-scan-mode=full # Verbose output verbose=no ################################################################################# # # Plugins # --------------- # Define which plugins are enabled # # Notes: # - Nothing happens if plugin isn't available # - There is no order in execution of plugins # - See documentation about how to use plugins and phases # - Some are for Lynis Enterprise users only # ################################################################################# # Lynis plugins to enable plugin=authentication plugin=compliance plugin=configuration plugin=control-panels plugin=crypto plugin=dns plugin=docker plugin=file-integrity plugin=file-systems plugin=firewalls plugin=forensics plugin=hardware plugin=intrusion-detection plugin=intrusion-prevention plugin=kernel plugin=malware plugin=memory plugin=nginx plugin=pam plugin=processes plugin=security-modules plugin=software plugin=system-integrity plugin=systemd plugin=users # Disable a particular plugin (will overrule an enabled plugin) #disable-plugin=authentication ################################################################################# # # Kernel options # --------------- # config-data=, followed by: # # - Type = Set to 'sysctl' # - Setting = value of sysctl key (e.g. kernel.sysrq) # - Expected value = Preferred value for key (e.g. 0) # - Hardening Points = Number of hardening points (typically 1 point per key) (1) # - Description = Textual description about the sysctl key(Disable magic SysRQ) # - Related file or command = For example, sysctl -a to retrieve more details # - Solution field = Specifies more details or where to find them (url:URL, text:TEXT, or -) # ################################################################################# # Config # - Type (sysctl) # - Setting (kernel.sysrq) # - Expected value (0) # - Hardening Points (1) # - Description (Disable magic SysRQ) # - Related file or command (sysctl -a) # - Solution field (url:URL, text:TEXT, or -) # Processes config-data=sysctl;security.bsd.see_other_gids;0;1;Groups only see their own processes;sysctl -a;-;category:security; config-data=sysctl;security.bsd.see_other_uids;0;1;Users only see their own processes;sysctl -a;-;category:security; config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable stack smashing protection (SSP)/ProPolice to defend against possible buffer overflows;-;category:security; config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged processes can not use process debugging;sysctl -a;-;category:security; config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged processes can not read the kernel message buffer;sysctl -a;-;category:security; # Kernel config-data=sysctl;fs.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; config-data=sysctl;fs.protected_fifos;2;1;Restrict FIFO special device creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; config-data=sysctl;fs.protected_hardlinks;1;1;Restrict hardlink creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; config-data=sysctl;fs.protected_regular;2;1;Restrict regular files creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; config-data=sysctl;fs.protected_symlinks;1;1;Restrict symlink following behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; #config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security; config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.core_setuid_ok;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.core_uses_pid;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.ctrl-alt-del;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.dmesg_restrict;1;1;Restrict use of dmesg;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.unprivileged_bpf_disabled;1;1;Restrict BPF for unprivileged users;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.yama.ptrace_scope;1|2|3;1;Disable process tracing for everyone;-;category:security; # Network config-data=sysctl;net.core.bpf_jit_harden;2;1;Hardened BPF JIT compilation;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0; config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security; #config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security; config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove the TIME_WAIT state for loopback interface;-;category:security; config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable MTU discovery as many hosts drop the ICMP type 3 packets;-;category:security; config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security; config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP may not send RST to avoid spoofed ICMP/UDP floods;-;category:security; config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do not allow redirected ICMP packets;-;category:security; config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security; config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable timestamps;-;category:security; config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security; config-data=sysctl;net.inet.ip.check_interface;1;1;Verify that a packet arrived on the right interface;-;category:security; config-data=sysctl;net.inet.ip.forwarding;0;1;Do not allow forwarding of traffic;-;category:security; config-data=sysctl;net.inet.ip.process_options;0;1;Ignore any IP options in the incoming packets;-;category:security; config-data=sysctl;net.inet.ip.random_id;1;1;Use a random IP id to each packet leaving the system;-;category:security; config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security; config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic when delivered to closed TCP port;-;category:security; config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN packets will be dropped on initial connection;-;category:security; config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic when delivered to closed UDP port;-;category:security; config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security; config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do not allow forwarding of traffic;-;category:security; config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable filtering;-;category:security; config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security; config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security; config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security; config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security; config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security; config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security; config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security; config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security; config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security; config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security; config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security; config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security; #config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security; config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security; config-data=sysctl;net.ipv4.tcp_timestamps;0|1;1;Disable TCP time stamps or enable them with different offsets;-;category:security; config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security; config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security; config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security; # Other config-data=sysctl;dev.tty.ldisc_autoload;0;1;Disable loading of TTY line disciplines;-;category:security; config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security; #sysctl;kern.securelevel;1^2^3;1;FreeBSD security level; #security.jail.jailed; 0 #security.jail.jail_max_af_ips; 255 #security.jail.mount_allowed; 0 #security.jail.chflags_allowed; 0 #security.jail.allow_raw_sockets; 0 #security.jail.enforce_statfs; 2 #security.jail.sysvipc_allowed; 0 #security.jail.socket_unixiproute_only; 1 #security.jail.set_hostname_allowed; 1 #security.bsd.suser_enabled; 1 #security.bsd.unprivileged_proc_debug; 1 #security.bsd.conservative_signals; 1 #security.bsd.unprivileged_read_msgbuf; 1 #security.bsd.unprivileged_get_quota; 0 config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other groups;-;category:security; config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security; ################################################################################# # # permfile # --------------- # permfile=file name:file permissions:owner:group:action: # Action = NOTICE or WARN # Examples: # permfile=/etc/test1.dat:600:root:wheel:NOTICE: # permfile=/etc/test1.dat:640:root:-:WARN: # ################################################################################# #permfile=/etc/inetd.conf:rw-------:root:-:WARN: #permfile=/etc/fstab:rw-r--r--:root:-:WARN: permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN: permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN: permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN: permfile=/etc/at.allow:rw-------:root:-:WARN: permfile=/etc/at.deny:rw-------:root:-:WARN: permfile=/etc/cron.allow:rw-------:root:-:WARN: permfile=/etc/cron.deny:rw-------:root:-:WARN: permfile=/etc/crontab:rw-------:root:-:WARN: permfile=/etc/group:rw-r--r--:root:-:WARN: permfile=/etc/group-:rw-r--r--:root:-:WARN: permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN: permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN: permfile=/etc/issue:rw-r--r--:root:root:WARN: permfile=/etc/issue.net:rw-r--r--:root:root:WARN: permfile=/etc/lilo.conf:rw-------:root:-:WARN: permfile=/etc/motd:rw-r--r--:root:root:WARN: permfile=/etc/passwd:rw-r--r--:root:-:WARN: permfile=/etc/passwd-:rw-r--r--:root:-:WARN: permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN: permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN: permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN: permfile=/root/.rhosts:rw-------:root:root:WARN: permfile=/root/.rlogin:rw-------:root:root:WARN: permfile=/root/.shosts:rw-------:root:root:WARN: # These permissions differ by OS #permfile=/etc/gshadow:---------:root:-:WARN: #permfile=/etc/gshadow-:---------:root:-:WARN: #permfile=/etc/shadow:---------:root:-:WARN: #permfile=/etc/shadow-:---------:root:-:WARN: ################################################################################# # # permdir # --------------- # permdir=directory name:file permissions:owner:group:action when permissions are different: # ################################################################################# permdir=/root/.ssh:rwx------:root:-:WARN: permdir=/etc/cron.d:rwx------:root:root:WARN: permdir=/etc/cron.daily:rwx------:root:root:WARN: permdir=/etc/cron.hourly:rwx------:root:root:WARN: permdir=/etc/cron.weekly:rwx------:root:root:WARN: permdir=/etc/cron.monthly:rwx------:root:root:WARN: # Ignore some specific home directories # One directory per line; directories will be skipped for home directory specific # checks, like file permissions, SSH and other configuration files #ignore-home-dir=/home/user # Allow promiscuous interfaces #