mirror of https://github.com/CISOfy/lynis.git
365 lines
12 KiB
Plaintext
365 lines
12 KiB
Plaintext
#################################################################################
|
|
#
|
|
# Lynis - Scan Profile (default)
|
|
#
|
|
# This is the default profile and contains default values. You are encouraged to
|
|
# copy this file and use it's base for custom audit profiles.
|
|
#
|
|
# All empty lines or with the # prefix will be skipped
|
|
#
|
|
# More information about this plugin can be found in the documentation:
|
|
# https://cisofy.com/documentation/lynis/
|
|
#
|
|
#################################################################################
|
|
|
|
[configuration]
|
|
# Profile name, will be used as title/description
|
|
config:profile_name:Default Audit Template:
|
|
|
|
# Number of seconds to pause between every test (0 is no pause)
|
|
config:pause_between_tests:0:
|
|
|
|
# Show inline tips about the tool
|
|
config:show_tool_tips:1:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# Testing options
|
|
# ---------------
|
|
#
|
|
#################################################################################
|
|
|
|
# ** Scan type **
|
|
#
|
|
# Description: How deep the audit should be
|
|
# Values: light, normal or full (default)
|
|
#
|
|
# config:test_scan_mode:full:
|
|
|
|
|
|
# ** Skip one or more specific tests **
|
|
# (always ignores scan mode and will make sure the test is skipped)
|
|
#
|
|
# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012:
|
|
|
|
|
|
# ** Define machine role **
|
|
#
|
|
# Description: defines the role of the system
|
|
# Values: desktop, server (default)
|
|
#
|
|
#config:machine_role:server:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# Plugins
|
|
# ---------------
|
|
# Define which plugins are enabled
|
|
#
|
|
# Notes:
|
|
# - Nothing happens if plugin isn't available
|
|
# - There is no order in execution of plugins
|
|
# - See documentation about how to use plugins and phases
|
|
#
|
|
#################################################################################
|
|
|
|
# Lynis Plugins (some are for Lynis Enterprise users only)
|
|
plugin=compliance
|
|
plugin=configuration
|
|
plugin=control-panels
|
|
plugin=crypto
|
|
plugin=dns
|
|
plugin=docker
|
|
plugin=file-integrity
|
|
plugin=file-systems
|
|
plugin=firewalls
|
|
plugin=forensics
|
|
plugin=intrusion-detection
|
|
plugin=intrusion-prevention
|
|
plugin=kernel
|
|
plugin=malware
|
|
plugin=memory
|
|
plugin=nginx
|
|
plugin=processes
|
|
plugin=security-modules
|
|
plugin=software
|
|
plugin=system-integrity
|
|
plugin=systemd
|
|
plugin=users
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# Kernel options
|
|
# ---------------
|
|
# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
|
|
#
|
|
# Sysctl key = name
|
|
# Expected value = value of sysctl key
|
|
# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
|
|
# Description = Text description of key
|
|
#
|
|
#################################################################################
|
|
|
|
[processes]
|
|
#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:
|
|
sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:
|
|
sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:
|
|
|
|
[kernel]
|
|
sysctl:kern.sugid_coredump:0:1:XXX:
|
|
sysctl:kernel.core_setuid_ok:0:1:XXX:
|
|
sysctl:kernel.core_uses_pid:1:1:XXX:
|
|
sysctl:kernel.ctrl-alt-del:0:1:XXX:
|
|
sysctl:kernel.exec-shield-randomize:1:1:XXX:
|
|
sysctl:kernel.exec-shield:1:1:XXX:
|
|
sysctl:kernel.kptr_restrict:1:1:Restrict access to kernel symbols:
|
|
sysctl:kernel.sysrq:0:1:Disable magic SysRQ:
|
|
sysctl:kernel.use-nx:0:1:XXX:
|
|
|
|
[network]
|
|
sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
|
|
sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
|
|
sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
|
|
sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
|
|
sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
|
|
sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
|
|
sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic:
|
|
sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic:
|
|
sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
|
|
sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects:
|
|
sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
|
sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:
|
|
sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:
|
|
sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing:
|
|
sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
|
|
sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing:
|
|
sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:
|
|
sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets:
|
|
sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
|
sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
|
sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:
|
|
sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
|
|
sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:
|
|
sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore
|
|
#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:
|
|
sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
|
|
sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
|
|
sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
|
|
sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
|
sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
|
|
sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
|
|
sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
|
|
|
|
[security]
|
|
#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
|
|
#security.jail.jailed: 0
|
|
#security.jail.jail_max_af_ips: 255
|
|
#security.jail.mount_allowed: 0
|
|
#security.jail.chflags_allowed: 0
|
|
#security.jail.allow_raw_sockets: 0
|
|
#security.jail.enforce_statfs: 2
|
|
#security.jail.sysvipc_allowed: 0
|
|
#security.jail.socket_unixiproute_only: 1
|
|
#security.jail.set_hostname_allowed: 1
|
|
#security.bsd.suser_enabled: 1
|
|
#security.bsd.unprivileged_proc_debug: 1
|
|
#security.bsd.conservative_signals: 1
|
|
#security.bsd.unprivileged_read_msgbuf: 1
|
|
#security.bsd.hardlink_check_gid: 0
|
|
#security.bsd.hardlink_check_uid: 0
|
|
#security.bsd.unprivileged_get_quota: 0
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# Apache options
|
|
# columns: (1)apache : (2)option : (3)value
|
|
#
|
|
#################################################################################
|
|
|
|
apache:ServerTokens:Prod:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# OpenLDAP options
|
|
# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
|
|
#
|
|
#################################################################################
|
|
|
|
openldap:slapd.conf:permissions:640-600:
|
|
openldap:slapd.conf:owner:ldap-root:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# SSL certificates
|
|
#
|
|
#################################################################################
|
|
|
|
# Locations where to search for SSL certificates
|
|
ssl:certificates:/etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www /srv/www:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# NTP options
|
|
#
|
|
#################################################################################
|
|
|
|
# Ignore some stratum 16 hosts (for example when running as time source itself)
|
|
#ntp:ignore_stratum_16_peer:127.0.0.1:
|
|
#ntp:ignore_stratum_16_peer:1.2.3.4:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# File/directories permissions (currently not used yet)
|
|
#
|
|
#################################################################################
|
|
|
|
# Scan for exact file name match
|
|
#[scanfiles]
|
|
#scanfile:/etc/rc.conf:FreeBSD configuration:
|
|
|
|
# Scan for exact directory name match
|
|
#[scandirs]
|
|
#scandir:/etc:/etc directory:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# permfile
|
|
# ---------------
|
|
# permfile:file name:file permissions:owner:group:action:
|
|
# Action = NOTICE or WARN
|
|
# Examples:
|
|
# permfile:/etc/test1.dat:600:root:wheel:NOTICE:
|
|
# permfile:/etc/test1.dat:640:root:-:WARN:
|
|
#
|
|
#################################################################################
|
|
|
|
#permfile:/etc/inetd.conf:rw-------:root:-:WARN:
|
|
#permfile:/etc/fstab:rw-r--r--:root:-:WARN:
|
|
permfile:/etc/lilo.conf:rw-------:root:-:WARN:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# permdir
|
|
# ---------------
|
|
# permdir:directory name:file permissions:owner:group:action when permissions are different:
|
|
#
|
|
#################################################################################
|
|
|
|
permdir:/root/.ssh:rwx------:root:-:WARN:
|
|
|
|
# Scan for a program/binary in BINPATHs
|
|
#scanbinary:Rootkit Hunter:rkhunter:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# Audit customizing
|
|
# -----------------
|
|
#
|
|
# Most options can contain 'yes' or 'no'.
|
|
#
|
|
#################################################################################
|
|
|
|
# Amount of connections in WAIT state before reporting it as a suggestion
|
|
#config:connections_max_wait_state:5000:
|
|
|
|
# Skip security repository check for Debian based systems
|
|
#config:debian_skip_security_repository:yes:
|
|
|
|
# Debug mode (for debugging purposes, extra data logged to screen)
|
|
#config:debug:yes:
|
|
|
|
# Skip the FreeBSD portaudit test
|
|
#config:freebsd_skip_portaudit:yes:
|
|
|
|
# Ignore some specific home directories
|
|
# One directory per line; directories will be skipped for home directory specific
|
|
# checks, like file permissions, SSH and other configuration files
|
|
#config:ignore_home_dir:/home/user:
|
|
|
|
# Do not log tests with another guest operating system (default: yes)
|
|
#config:log_tests_incorrect_os:no:
|
|
|
|
# Define if available NTP daemon is configured as a server or client on the network
|
|
# values: server or client (default: client)
|
|
#config:ntpd_role:client:
|
|
|
|
# Allow promiscuous interfaces
|
|
# <option>:<promiscuous interface name>:<description>:
|
|
#if_promisc:pflog0:pf log daemon interface:
|
|
|
|
# Skip Lynis upgrade availability test (default: no)
|
|
#config:skip_upgrade_test:yes:
|
|
|
|
# The URL prefix and append to URL's for your custom tests
|
|
# Link will be build with: {control_url_prepend}CONTROL-ID{control_url_append}
|
|
#config:control_url_prepend:https://cisofy.com/control/:
|
|
#config:control_url_append:/:
|
|
#config:custom_url_prepend:https://your-domain.example.org/control-info/:
|
|
#config:custom_url_append:/:
|
|
|
|
#################################################################################
|
|
#
|
|
# Automatic Updating
|
|
# -------------------
|
|
#
|
|
# These settings are required when using the lynis update functionality.
|
|
# By specifying local paths and your update server, the tool can do an update
|
|
# check, compare versions and download a new version.
|
|
#
|
|
#################################################################################
|
|
|
|
# Local directory (without slash at end) where lynis directory will be installed
|
|
# Note: do not add full path to lynis, as subdirectory is part of tarball
|
|
#config:update_local_directory:/usr/local:
|
|
# Full path to local file. Change local path if Lynis is installed on a different place
|
|
#config:update_local_version_info:/usr/local/lynis/client-version:
|
|
|
|
# Download information
|
|
# -----------------------------
|
|
# Protocol to use: http, https
|
|
#config:update_server_protocol:http:
|
|
|
|
# Address of update server
|
|
#config:update_server_address:192.168.1.125:
|
|
|
|
# Path to last stable release
|
|
#config:update_latest_version_download:/files/lynis-latest.tar.gz:
|
|
|
|
# Last part of URL (file to gather)
|
|
#config:update_latest_version_info:/files/lynis-latest-version:
|
|
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis Enterprise
|
|
# -----------------
|
|
#
|
|
#################################################################################
|
|
|
|
# Add your Lynis Enterprise license key here
|
|
#config:license_key:[Your license key]:
|
|
# The hostname/IP address to receive the data
|
|
#config:upload_server:portal.cisofy.com:
|
|
|
|
# Provide options to cURL when uploading data. Common options include:
|
|
# -k or --insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
|
|
# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy
|
|
# --socks5 proxyserver:8080 --> use SOCKS proxy
|
|
#config:upload_options:-k:
|
|
|
|
# Define groups
|
|
#config:group:[group name]:
|
|
#config:group:test:
|
|
|
|
#EOF |