Initial import

1 files changed, 293 insertions, 0 deletions

diff --git a/default.prf b/default.prf
new file mode 100644
index 00000000..dd93b3f7
--- /dev/null
+++ b/default.prf
@@ -0,0 +1,293 @@
+#################################################################################
+#
+# Lynis scan profile
+#
+# This is the default profile and is used as a baseline when testing systems and
+# applications. Since there are generally no "best" options, Lynis will assume
+# some default values.
+# 
+# All empty lines or with the # prefix will be skipped
+#
+# This is the default profile and contains default values. You are encouraged to
+# copy this file and use it's base for custom audit profiles.
+#
+#################################################################################
+
+[configuration]
+# Profile name, will be used as title/description
+config:profile_name:Default Audit Template:
+
+# Number of seconds to pause between every test (0 is no pause)
+config:pause_between_tests:0:
+
+# Show inline tips about the tool
+config:show_tool_tips:1:
+
+
+#################################################################################
+#
+# Testing options
+# ---------------
+#
+#################################################################################
+
+# ** Scan type (how deep test has to be, light, normal or full) **
+#
+# config:test_scan_mode:light|normal|full:
+
+
+# ** Skip one or more specific tests **
+# (always ignores scan mode and will make sure the test is skipped)
+#
+# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012:
+
+
+# ** Define the role(s) of a machine **
+# Values: desktop|server (default: server)
+#
+#config:machine_role:server:
+
+
+#################################################################################
+#
+# Plugins
+# ---------------
+# Define which plugins are enabled (nothing happens if plugin isn't available)
+#
+#################################################################################
+# plugin=security_malware
+# plugin=security_rootkit
+# plugin=fileperms
+plugin=docker
+plugin=file-integrity
+plugin=files
+plugin=filesystems
+plugin=firewalls
+plugin=processes
+plugin=software
+plugin=system-integrity
+
+#################################################################################
+#
+# Sysctl options
+# ---------------
+# sysctl:<Sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
+#
+# Sysctl key       = name
+# Expected value   = value of sysctl key
+# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
+# Description      = Text description of key
+#
+#################################################################################
+
+[processes]
+#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:
+sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:
+sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:
+
+[kernel]
+sysctl:kern.sugid_coredump:0:1:XXX:
+sysctl:kernel.core_setuid_ok:0:1:XXX:
+sysctl:kernel.core_uses_pid:1:1:XXX:
+sysctl:kernel.ctrl-alt-del:0:1:XXX:
+sysctl:kernel.exec-shield-randomize:1:1:XXX:
+sysctl:kernel.exec-shield:1:1:XXX:
+sysctl:kernel.sysrq:0:1:Disable magic SysRQ:
+sysctl:kernel.use-nx:0:1:XXX:
+
+[network]
+sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
+sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
+sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: 
+sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
+sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
+sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
+sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic:
+sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic:
+sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
+sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects:
+sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
+sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:
+sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:
+sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing:
+sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
+sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing:
+sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:
+sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets:
+sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:
+sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
+sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:
+sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
+sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:
+sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore
+#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:
+sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
+sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
+sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
+sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
+sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: 
+sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
+sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: 
+
+[security]
+#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
+#security.jail.jailed: 0
+#security.jail.jail_max_af_ips: 255
+#security.jail.mount_allowed: 0
+#security.jail.chflags_allowed: 0
+#security.jail.allow_raw_sockets: 0
+#security.jail.enforce_statfs: 2
+#security.jail.sysvipc_allowed: 0
+#security.jail.socket_unixiproute_only: 1
+#security.jail.set_hostname_allowed: 1
+#security.bsd.suser_enabled: 1
+#security.bsd.unprivileged_proc_debug: 1
+#security.bsd.conservative_signals: 1
+#security.bsd.unprivileged_read_msgbuf: 1
+#security.bsd.hardlink_check_gid: 0
+#security.bsd.hardlink_check_uid: 0
+#security.bsd.unprivileged_get_quota: 0
+
+
+
+#################################################################################
+#
+# Apache options
+# columns: (1)apache : (2)option : (3)value
+#
+#################################################################################
+
+apache:ServerTokens:Prod:
+
+
+#################################################################################
+#
+# OpenLDAP options
+# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
+#
+#################################################################################
+
+openldap:slapd.conf:permissions:640-600:
+openldap:slapd.conf:owner:ldap-root:
+
+
+#################################################################################
+#
+# SSL certificates
+#
+#################################################################################
+
+# Locations where to search for SSL certificates
+ssl:certificates:/etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www:
+
+
+#################################################################################
+#
+# NTP options
+#
+#################################################################################
+
+# Ignore some stratum 16 hosts (for example when running as time source itself)
+#ntp:ignore_stratum_16_peer:127.0.0.1:
+#ntp:ignore_stratum_16_peer:1.2.3.4:
+
+
+#################################################################################
+#
+# File/directories permissions (currently not used yet)
+#
+#################################################################################
+
+# Scan for exact file name match
+#[scanfiles]
+#scanfile:/etc/rc.conf:FreeBSD configuration:
+
+# Scan for exact directory name match
+#[scandirs]
+#scandir:/etc:/etc directory:
+
+
+#################################################################################
+#
+# permfile
+# ---------------
+# permfile:file name:file permissions:owner:group:action:
+# Action = NOTICE or WARN
+# Examples:
+# permfile:/etc/test1.dat:600:root:wheel:NOTICE:
+# permfile:/etc/test1.dat:640:root:-:WARN:
+#
+#################################################################################
+
+#permfile:/etc/inetd.conf:rw-------:root:-:WARN:
+#permfile:/etc/fstab:rw-r--r--:root:-:WARN:
+permfile:/etc/lilo.conf:rw-------:root:-:WARN:
+
+
+#################################################################################
+#
+# permdir
+# ---------------
+# permdir:directory name:file permissions:owner:group:action when permissions are different:
+#
+#################################################################################
+
+permdir:/root/.ssh:rwx------:root:-:WARN:
+
+# Scan for a program/binary in BINPATHs
+#scanbinary:Rootkit Hunter:rkhunter:
+
+
+#################################################################################
+#
+# Audit customizing
+# -----------------
+#
+# Most options can contain 'yes' or 'no'.
+#
+#################################################################################
+
+# Amount of connections in WAIT state before reporting it as a warning
+#config:connections_max_wait_state:50:
+
+# Skip security repository check for Debian based systems
+#config:debian_skip_security_repository:yes:
+
+# Debug mode (for debugging purposes, extra data logged to screen)
+#config:debug:yes:
+
+# Skip the FreeBSD portaudit test
+#config:freebsd_skip_portaudit:yes:
+
+# Ignore some specific home directories
+# One directory per line; directories will be skipped for home directory specific
+# checks, like file permissions, SSH and other configuration files
+#config:ignore_home_dir:/home/user:
+
+# Do not log tests with another guest operating system (default: yes)
+#config:log_tests_incorrect_os:no:
+
+# Define if available NTP daemon is configured as a server or client on the network
+# values: server or client (default: client)
+#config:ntpd_role:client:
+
+# Allow promiscuous interfaces
+#   <option>:<promiscuous interface name>:<description>:
+#if_promisc:pflog0:pf log daemon interface:
+
+# Skip Lynis upgrade availability test (default: no)
+#config:skip_upgrade_test:yes:
+
+#################################################################################
+#
+# Lynis Enterprise
+# -----------------
+#
+#################################################################################
+
+# Add your Lynis Enterprise license key here
+#config:license_key:[Your license key]:
+#config:group:[group name]:
+#config:group:test:
+
+#EOF