################################################################################# # # Lynis - Scan Profile (default) # # This is the default profile and contains default values. You are encouraged to # copy this file and use it's base for custom audit profiles. # # All empty lines or with the # prefix will be skipped # # More information about this plugin can be found in the documentation: # https://cisofy.com/documentation/lynis/ # ################################################################################# [configuration] # Profile name, will be used as title/description config:profile_name:Default Audit Template: # Number of seconds to pause between every test (0 is no pause) config:pause_between_tests:0: # Show inline tips about the tool config:show_tool_tips:1: ################################################################################# # # Testing options # --------------- # ################################################################################# # ** Scan type ** # # Description: How deep the audit should be # Values: light, normal or full (default) # # config:test_scan_mode:full: # ** Skip one or more specific tests ** # (always ignores scan mode and will make sure the test is skipped) # # config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012: # ** Define machine role ** # # Description: defines the role of the system # Values: desktop, server (default) # #config:machine_role:server: ################################################################################# # # Plugins # --------------- # Define which plugins are enabled # # Notes: # - Nothing happens if plugin isn't available # - There is no order in execution of plugins # - See documentation about how to use plugins and phases # ################################################################################# # Lynis Plugins (some are for Lynis Enterprise users only) plugin=compliance plugin=configuration plugin=control-panels plugin=crypto plugin=dns plugin=docker plugin=file-integrity plugin=file-systems plugin=firewalls plugin=forensics plugin=intrusion-detection plugin=intrusion-prevention plugin=kernel plugin=malware plugin=memory plugin=nginx plugin=pam plugin=processes plugin=security-modules plugin=software plugin=system-integrity plugin=systemd plugin=users ################################################################################# # # Kernel options # --------------- # sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>: # # Sysctl key = name # Expected value = value of sysctl key # Hardening points = Number of hardening points. For most keys 1 HP will be suitable # Description = Text description of key # ################################################################################# # Processes #sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value: sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups: sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users: # Kernel sysctl:kern.sugid_coredump:0:1:XXX: sysctl:kernel.core_setuid_ok:0:1:XXX: sysctl:kernel.core_uses_pid:1:1:XXX: sysctl:kernel.ctrl-alt-del:0:1:XXX: sysctl:kernel.exec-shield-randomize:1:1:XXX: sysctl:kernel.exec-shield:1:1:XXX: sysctl:kernel.kptr_restrict:1:1:Restrict access to kernel symbols: sysctl:kernel.sysrq:0:1:Disable magic SysRQ: sysctl:kernel.use-nx:0:1:XXX: # Network sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic: sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic: sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects: sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets: sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing: sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source: sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing: sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets: sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets: sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source: sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address: sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore #sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic: sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: [security] #sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: #security.jail.jailed: 0 #security.jail.jail_max_af_ips: 255 #security.jail.mount_allowed: 0 #security.jail.chflags_allowed: 0 #security.jail.allow_raw_sockets: 0 #security.jail.enforce_statfs: 2 #security.jail.sysvipc_allowed: 0 #security.jail.socket_unixiproute_only: 1 #security.jail.set_hostname_allowed: 1 #security.bsd.suser_enabled: 1 #security.bsd.unprivileged_proc_debug: 1 #security.bsd.conservative_signals: 1 #security.bsd.unprivileged_read_msgbuf: 1 #security.bsd.hardlink_check_gid: 0 #security.bsd.hardlink_check_uid: 0 #security.bsd.unprivileged_get_quota: 0 ################################################################################# # # Apache options # columns: (1)apache : (2)option : (3)value # ################################################################################# apache:ServerTokens:Prod: ################################################################################# # # OpenLDAP options # columns: (1)openldap : (2)file : (3)option : (4)expected value(s) # ################################################################################# openldap:slapd.conf:permissions:640-600: openldap:slapd.conf:owner:ldap-root: ################################################################################# # # SSL certificates # ################################################################################# # Locations where to search for SSL certificates ssl:certificates:/etc/letsencrypt /etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www /srv/www: ################################################################################# # # NTP options # ################################################################################# # Ignore some stratum 16 hosts (for example when running as time source itself) #ntp:ignore_stratum_16_peer:127.0.0.1: #ntp:ignore_stratum_16_peer:1.2.3.4: ################################################################################# # # File/directories permissions (currently not used yet) # ################################################################################# # Scan for exact file name match #[scanfiles] #scanfile:/etc/rc.conf:FreeBSD configuration: # Scan for exact directory name match #[scandirs] #scandir:/etc:/etc directory: ################################################################################# # # permfile # --------------- # permfile:file name:file permissions:owner:group:action: # Action = NOTICE or WARN # Examples: # permfile:/etc/test1.dat:600:root:wheel:NOTICE: # permfile:/etc/test1.dat:640:root:-:WARN: # ################################################################################# #permfile:/etc/inetd.conf:rw-------:root:-:WARN: #permfile:/etc/fstab:rw-r--r--:root:-:WARN: permfile:/etc/lilo.conf:rw-------:root:-:WARN: ################################################################################# # # permdir # --------------- # permdir:directory name:file permissions:owner:group:action when permissions are different: # ################################################################################# permdir:/root/.ssh:rwx------:root:-:WARN: # Scan for a program/binary in BINPATHs #scanbinary:Rootkit Hunter:rkhunter: ################################################################################# # # Audit customizing # ----------------- # # Most options can contain 'yes' or 'no'. # ################################################################################# # Amount of connections in WAIT state before reporting it as a suggestion #config:connections_max_wait_state:5000: # Skip security repository check for Debian based systems #config:debian_skip_security_repository:yes: # Debug mode (for debugging purposes, extra data logged to screen) #config:debug:yes: # Skip the FreeBSD portaudit test #config:freebsd_skip_portaudit:yes: # Ignore some specific home directories # One directory per line; directories will be skipped for home directory specific # checks, like file permissions, SSH and other configuration files #config:ignore_home_dir:/home/user: # Do not log tests with another guest operating system (default: yes) #config:log_tests_incorrect_os:no: # Define if available NTP daemon is configured as a server or client on the network # values: server or client (default: client) #config:ntpd_role:client: # Allow promiscuous interfaces # <option>:<promiscuous interface name>:<description>: #if_promisc:pflog0:pf log daemon interface: # Skip Lynis upgrade availability test (default: no) #config:skip_upgrade_test:yes: # The URL prefix and append to URL's for your custom tests # Link will be build with: {control_url_protocol}://{control_url_prepend}CONTROL-ID{control_url_append} #config:control_url_protocol:https: #config:control_url_prepend:cisofy.com/control/: #config:control_url_append:/: # The URL prefix and append to URL's for your custom tests #config:custom_url_protocol:https: #config:custom_url_prepend:your-domain.example.org/control-info/: #config:custom_url_append:/: ################################################################################# # # Automatic Updating # ------------------- # # These settings are required when using the lynis update functionality. # By specifying local paths and your update server, the tool can do an update # check, compare versions and download a new version. # ################################################################################# # Local directory (without slash at end) where lynis directory will be installed # Note: do not add full path to lynis, as subdirectory is part of tarball #config:update_local_directory:/usr/local: # Full path to local file. Change local path if Lynis is installed on a different place #config:update_local_version_info:/usr/local/lynis/client-version: # Download information # ----------------------------- # Protocol to use: http, https #config:update_server_protocol:http: # Address of update server #config:update_server_address:192.168.1.125: # Path to last stable release #config:update_latest_version_download:/files/lynis-latest.tar.gz: # Last part of URL (file to gather) #config:update_latest_version_info:/files/lynis-latest-version: ################################################################################# # # Lynis Enterprise options # ----------------- # ################################################################################# # Add your Lynis Enterprise license key here #config:license_key:[Your license key]: # Compressed uploads (set to zero when errors with uploading occur) #config:upload_compressed:1: # The hostname/IP address to receive the data #config:upload_server:portal.cisofy.com: # Provide options to cURL when uploading data. Common options include: # -k or --insecure --> use HTTPS, but skip certificate check (e.g. self-signed) #config:upload_options:-k: # Proxy settings # Protocol (http, https, socks5) #config:upload_proxy_protocol:https: # Address #config:upload_proxy_server:1.2.3.4: # Port #config:upload_proxy_port:3128: # Define groups #config:group:[group name]: #config:group:test: # Define which compliance standards are audited and reported on. Disable this if not required. config:compliance_standards:cis,hipaa,iso27001,pci-dss: ################################################################################# # # Configuration (New Style) # ################################################################################# # Show non-zero exit code when warnings are found (default: no) #error-on-warnings=yes # Enable quick mode (no waiting for keypresses, same as --quick option) #quick=yes # Skip plugins (default: no) #skip-plugins=yes # Skip a test (one per line) #skip-test=SSH-7408 # Skip a particular option within a test (when applicable) #skip-test=SSH-7408:loglevel #skip-test=SSH-7408:permitrootlogin ################################################################################# # # SUGGESTION # ---------- # # Do NOT make changes to this file, instead copy your preferred settings to # custom.prf and put it in the same directory as default.prf # # To discover where your profiles are located: lynis show profiles # ################################################################################# #EOF