# Lynis scan profile
# This is the default profile and is used as a baseline when testing systems and
# applications. Since there are generally no "best" options, Lynis will assume
# some default values.
# All empty lines and lines starting with # are skipped.
# This is the default profile and contains default values. You are encouraged to
# copy this file and use it as the base for custom audit profiles.

# Profile name, will be used as title/description
config:profile_name:Default Audit Template:

# Number of seconds to pause between every test (0 is no pause)

# Show inline tips about the tool

# Testing options
# ---------------

# ** Scan type (how deep the tests go: light, normal or full) **
# config:test_scan_mode:light|normal|full:

# ** Skip one or more specific tests **
# (always ignores scan mode and will make sure the test is skipped)
# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012:

# ** Define the role(s) of a machine **
# Values: desktop|server (default: server)

# Plugins
# ---------------
# Define which plugins are enabled (nothing happens if a plugin isn't available)
# plugin=security_malware
# plugin=security_rootkit
# plugin=fileperms

# Sysctl options
# ---------------
# sysctl:<Sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
# Sysctl key       = name
# Expected value   = value of sysctl key
# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
# Description      = Text description of key

#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:
sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:
sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:

sysctl:kernel.sysrq:0:1:Disable magic SysRQ:

sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
sysctl:net.inet.icmp.rediraccept:0:1:Do not accept incoming ICMP routing redirects:
sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.inet.tcp.blackhole:2:1:Do not send RST but drop traffic:
sysctl:net.inet.udp.blackhole:1:1:Do not send ICMP port unreachable but drop traffic:
sysctl:net.inet6.icmp6.rediraccept:0:1:Do not accept incoming ICMP routing redirects:
sysctl:net.inet6.ip6.redirect:0:1:Do not send ICMP routing redirects:
sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:
sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP forwarding:
sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packets for which the host does not have a path back to the source:
sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable multicast forwarding:
sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:
sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce reverse path (ingress/egress) filtering for packets:
sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packets for which the host does not have a path back to the source:
sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:
#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:
sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to mitigate SYN flood attacks:
sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:

#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
#security.jail.jailed: 0
#security.jail.jail_max_af_ips: 255
#security.jail.mount_allowed: 0
#security.jail.chflags_allowed: 0
#security.jail.allow_raw_sockets: 0
#security.jail.enforce_statfs: 2
#security.jail.sysvipc_allowed: 0
#security.jail.socket_unixiproute_only: 1
#security.jail.set_hostname_allowed: 1
#security.bsd.suser_enabled: 1
#security.bsd.unprivileged_proc_debug: 1
#security.bsd.conservative_signals: 1
#security.bsd.unprivileged_read_msgbuf: 1
#security.bsd.hardlink_check_gid: 0
#security.bsd.hardlink_check_uid: 0
#security.bsd.unprivileged_get_quota: 0

# Apache options
# columns: (1)apache : (2)option : (3)value


# OpenLDAP options
# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)


# SSL certificates

# Locations to search for SSL certificates
ssl:certificates:/etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www:

# NTP options

# Ignore some stratum 16 hosts (for example when the host itself acts as the time source)

# File/directory permissions (currently not used)

# Scan for exact file name match
#scanfile:/etc/rc.conf:FreeBSD configuration:

# Scan for exact directory name match
#scandir:/etc:/etc directory:

# permfile
# ---------------
# permfile:file name:file permissions:owner:group:action:
# Action = NOTICE or WARN
# Examples:
# permfile:/etc/test1.dat:600:root:wheel:NOTICE:
# permfile:/etc/test1.dat:640:root:-:WARN:


# permdir
# ---------------
# permdir:directory name:file permissions:owner:group:action when permissions are different:


# Scan for a program/binary in BINPATHs
#scanbinary:Rootkit Hunter:rkhunter:

# Audit customizing
# -----------------
# Most options can contain 'yes' or 'no'.

# Number of connections in WAIT state before reporting it as a warning

# Skip security repository check for Debian based systems

# Debug mode (extra data is logged to the screen for troubleshooting)

# Skip the FreeBSD portaudit test

# Ignore some specific home directories
# One directory per line; directories will be skipped for home directory specific
# checks, like file permissions, SSH and other configuration files

# Do not log tests with another guest operating system (default: yes)

# Define whether the available NTP daemon is configured as a server or a client on the network
# Values: server or client (default: client)

# Allow promiscuous interfaces
#   <option>:<promiscuous interface name>:<description>:
#if_promisc:pflog0:pf log daemon interface:

# Skip Lynis upgrade availability test (default: no)

# Lynis Enterprise
# -----------------

# Add your Lynis Enterprise license key here
#config:license_key:[Your license key]:
#config:group:[group name]: