
github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authorMichael Boelen <michael.boelen@cisofy.com>2019-07-03 16:39:26 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2019-07-03 16:39:26 +0300
commitade3117307930cda0e9ab2460a08c0cf9b653f35 (patch)
treeb92ffac3bf11b0d5240eb432449178bd90b23733 /default.prf
parent1f0c31fcad5f747a9402683c09e6352d72712ee1 (diff)
New option to disable plugins via profile
Diffstat (limited to 'default.prf')
-rw-r--r--default.prf114
1 files changed, 44 insertions, 70 deletions
diff --git a/default.prf b/default.prf
index ef474b1f..d460a682 100644
--- a/default.prf
+++ b/default.prf
@@ -9,11 +9,11 @@
#################################################################################
#
#
-# SUGGESTION
+# WARNING
# ----------
#
-# Do NOT make changes to this file, instead copy your preferred settings to
-# custom.prf and put it in the same directory as default.prf
+# Do NOT make changes to this file. Instead, copy only your changes into
+# the file custom.prf and put it in the same directory as default.prf
#
# To discover where your profiles are located: lynis show profiles
#
@@ -22,9 +22,6 @@
#
# All empty lines or with the # prefix will be skipped
#
-# More information about this plugin can be found in the documentation:
-# https://cisofy.com/documentation/lynis/
-#
#################################################################################
# Use colored output
@@ -42,19 +39,26 @@ error-on-warnings=no
# Use Lynis in your own language (by default auto-detected)
language=
-# Lynis Enterprise license key
-license-key=
+# Log tests from another guest operating system (default: yes)
+#log-tests-incorrect-os=yes
+
+# Define if available NTP daemon is configured as a server or client on the network
+# values: server or client (default: client)
+#ntpd-role=client
# Defines the role of the system (personal, workstation or server)
machine-role=server
+# Ignore some stratum 16 hosts (for example when running as time source itself)
+#ntp-ignore-stratum-16-peer=127.0.0.1
+
# Profile name, will be used as title/description
profile-name=Default Audit Template
# Number of seconds to pause between every test (0 is no pause)
pause-between-tests=0
-# Enable quick mode (no waiting for keypresses, same as --quick option)
+# Quick mode (no waiting for keypresses)
quick=no
# Refresh software repositories to help detecting vulnerable packages
@@ -76,18 +80,14 @@ skip-plugins=no
#skip-test=SSH-7408:loglevel
#skip-test=SSH-7408:permitrootlogin
-# Scan type - how deep the audit should be (light, normal or full)
-test-scan-mode=full
-
-# Upload data to central server
-upload=no
+# Skip Lynis upgrade availability test (default: no)
+#skip-upgrade-test=yes
-# The hostname/IP address to receive the data
-upload-server=
+# Locations where to search for SSL certificates
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
-# Provide options to cURL (or other upload tool) when uploading data.
-# upload-options=--insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
-upload-options=
+# Scan type - how deep the audit should be (light, normal or full)
+test-scan-mode=full
# Verbose output
verbose=no
@@ -95,22 +95,6 @@ verbose=no
#################################################################################
#
-# Upgrade and updating
-# --------------------
-#
-# The old settings to do automatic updating are deprecated. It is suggested to
-# use a package or deploy your the tarball via a custom script.
-#
-# The latest packages can be found at: https://packages.cisofy.com
-#
-#################################################################################
-
-# Skip Lynis upgrade availability test (default: no)
-#skip-upgrade-test=yes
-
-
-#################################################################################
-#
# Plugins
# ---------------
# Define which plugins are enabled
@@ -119,10 +103,11 @@ verbose=no
# - Nothing happens if plugin isn't available
# - There is no order in execution of plugins
# - See documentation about how to use plugins and phases
+# - Some are for Lynis Enterprise users only
#
#################################################################################
-# Lynis Plugins (some are for Lynis Enterprise users only)
+# Lynis plugins to enable
plugin=authentication
plugin=compliance
plugin=configuration
@@ -149,17 +134,22 @@ plugin=system-integrity
plugin=systemd
plugin=users
+# Disable a particular plugin (will overrule an enabled plugin)
+#disable-plugin=authentication
#################################################################################
#
# Kernel options
# ---------------
-# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
+# configdate=, followed by:
#
-# Sysctl key = name
-# Expected value = value of sysctl key
-# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
-# Description = Text description of key
+# - Type = Set to 'sysctl'
+# - Setting = value of sysctl key (e.g. kernel.sysrq)
+# - Expected value = Preferred value for key (e.g. 0)
+# - Hardening Points = Number of hardening points (typically 1 point per key) (1)
+# - Description = Textual description about the sysctl key(Disable magic SysRQ)
+# - Related file or command = For example, sysctl -a to retrieve more details
+# - Solution field = Specifies more details or where to find them (url:URL, text:TEXT, or -)
#
#################################################################################
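Review bot: The rewritten Kernel options header names the key as `configdate=`, which looks like a typo. The sysctl entries themselves sit below this hunk and are not visible here, but if they are written as `config-data=...`, the header should read `# config-data=, followed by:`. The new field list also drops the field separator that the old `sysctl:<sysctl Key>:...` line made explicit, and it describes `Setting` as the "value of sysctl key" although the example (kernel.sysrq) is the key name; suggest `# - Setting = name of sysctl key (e.g. kernel.sysrq)` plus one line naming the separator. Someone who copies a malformed line into custom.prf may end up with a kernel hardening check that is never evaluated, so it is worth confirming how the profile parser treats an unrecognised key.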
@@ -290,18 +280,6 @@ openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root:
-
-
-#################################################################################
-#
-# NTP options
-#
-#################################################################################
-
-# Ignore some stratum 16 hosts (for example when running as time source itself)
-#ntp-ignore-stratum-16-peer=127.0.0.1
-
-
#################################################################################
#
# File/directories permissions (currently not used yet)
@@ -356,12 +334,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# checks, like file permissions, SSH and other configuration files
#ignore-home-dir=/home/user
-# Do not log tests with another guest operating system (default: yes)
-#log-tests-incorrect-os=no
-
-# Define if available NTP daemon is configured as a server or client on the network
-# values: server or client (default: client)
-#ntpd-role=client
# Allow promiscuous interfaces
# <option>:<promiscuous interface name>:<description>:
@@ -397,17 +369,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#################################################################################
#
-# SSL certificates
-#
-#################################################################################
-
-# Locations where to search for SSL certificates
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
-
-
-
-#################################################################################
-#
# Lynis Enterprise options
# -----------------
#
@@ -423,6 +384,9 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
#hostid=40-char-hash
#hostid2=64-char-hash
+# Lynis Enterprise license key
+license-key=
+
# Proxy settings
# Protocol (http, https, socks5)
#proxy-protocol=https
@@ -443,6 +407,16 @@ compliance-standards=cis,hipaa,iso27001,pci-dss
# Provide the name of the customer/client
#system-customer-name=mycustomer
+# Upload data to central server
+upload=no
+
+# The hostname/IP address to receive the data
+upload-server=
+
+# Provide options to cURL (or other upload tool) when uploading data.
+# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
+upload-options=
+
# Link one or more tags to a system
#tags=db,production,ssn-1304
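Review bot: The only example given for `upload-options` is `--insecure`, which turns off certificate verification on the channel that carries the audit report to the central server. For a self-signed or private-CA setup the comment could point to trusting that CA instead, e.g. `# upload-options=--cacert /path/to/ca.pem (trust a private CA; prefer this over --insecure)`, where the path is a placeholder. If `--insecure` stays as an example, the comment should say that the server's identity is then unverified and the uploaded data can be intercepted.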