-rw-r--r-- | default.prf | 114 | ||||
-rw-r--r-- | include/consts | 1 | ||||
-rw-r--r-- | include/profiles | 5 | ||||
-rwxr-xr-x | lynis | 13 |
4 files changed, 61 insertions, 72 deletions
diff --git a/default.prf b/default.prf
index ef474b1f..d460a682 100644
--- a/default.prf
+++ b/default.prf
@@ -9,11 +9,11 @@
 #################################################################################
 #
 #
-# SUGGESTION
+# WARNING
 # ----------
 #
-# Do NOT make changes to this file, instead copy your preferred settings to
-# custom.prf and put it in the same directory as default.prf
+# Do NOT make changes to this file. Instead, copy only your changes into
+# the file custom.prf and put it in the same directory as default.prf
 #
 # To discover where your profiles are located: lynis show profiles
 #
@@ -22,9 +22,6 @@
 #
 # All empty lines or with the # prefix will be skipped
 #
-# More information about this plugin can be found in the documentation:
-# https://cisofy.com/documentation/lynis/
-#
 #################################################################################
 
 # Use colored output
@@ -42,19 +39,26 @@ error-on-warnings=no
 # Use Lynis in your own language (by default auto-detected)
 language=
 
-# Lynis Enterprise license key
-license-key=
+# Log tests from another guest operating system (default: yes)
+#log-tests-incorrect-os=yes
+
+# Define if available NTP daemon is configured as a server or client on the network
+# values: server or client (default: client)
+#ntpd-role=client
 
 # Defines the role of the system (personal, workstation or server)
 machine-role=server
 
+# Ignore some stratum 16 hosts (for example when running as time source itself)
+#ntp-ignore-stratum-16-peer=127.0.0.1
+
 # Profile name, will be used as title/description
 profile-name=Default Audit Template
 
 # Number of seconds to pause between every test (0 is no pause)
 pause-between-tests=0
 
-# Enable quick mode (no waiting for keypresses, same as --quick option)
+# Quick mode (no waiting for keypresses)
 quick=no
 
 # Refresh software repositories to help detecting vulnerable packages
@@ -76,18 +80,14 @@ skip-plugins=no
 #skip-test=SSH-7408:loglevel
 #skip-test=SSH-7408:permitrootlogin
 
-# Scan type - how deep the audit should be (light, normal or full)
-test-scan-mode=full
-
-# Upload data to central server
-upload=no
+# Skip Lynis upgrade availability test (default: no)
+#skip-upgrade-test=yes
 
-# The hostname/IP address to receive the data
-upload-server=
+# Locations where to search for SSL certificates
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
 
-# Provide options to cURL (or other upload tool) when uploading data.
-# upload-options=--insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
-upload-options=
+# Scan type - how deep the audit should be (light, normal or full)
+test-scan-mode=full
 
 # Verbose output
 verbose=no
@@ -95,22 +95,6 @@ verbose=no
 
 #################################################################################
 #
-# Upgrade and updating
-# --------------------
-#
-# The old settings to do automatic updating are deprecated. It is suggested to
-# use a package or deploy your the tarball via a custom script.
-#
-# The latest packages can be found at: https://packages.cisofy.com
-#
-#################################################################################
-
-# Skip Lynis upgrade availability test (default: no)
-#skip-upgrade-test=yes
-
-
-#################################################################################
-#
 # Plugins
 # ---------------
 # Define which plugins are enabled
@@ -119,10 +103,11 @@ verbose=no
 # - Nothing happens if plugin isn't available
 # - There is no order in execution of plugins
 # - See documentation about how to use plugins and phases
+# - Some are for Lynis Enterprise users only
 #
 #################################################################################
 
-# Lynis Plugins (some are for Lynis Enterprise users only)
+# Lynis plugins to enable
 plugin=authentication
 plugin=compliance
 plugin=configuration
@@ -149,17 +134,22 @@ plugin=system-integrity
 plugin=systemd
 plugin=users
 
+# Disable a particular plugin (will overrule an enabled plugin)
+#disable-plugin=authentication
 
 #################################################################################
 #
 # Kernel options
 # ---------------
-# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
+# configdate=, followed by:
 #
-# Sysctl key = name
-# Expected value = value of sysctl key
-# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
-# Description = Text description of key
+# - Type = Set to 'sysctl'
+# - Setting = value of sysctl key (e.g. kernel.sysrq)
+# - Expected value = Preferred value for key (e.g. 0)
+# - Hardening Points = Number of hardening points (typically 1 point per key) (1)
+# - Description = Textual description about the sysctl key(Disable magic SysRQ)
+# - Related file or command = For example, sysctl -a to retrieve more details
+# - Solution field = Specifies more details or where to find them (url:URL, text:TEXT, or -)
 #
 #################################################################################
 
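Review bot: The rewritten Kernel options header in the second hunk lists the seven fields of a `configdate=` entry but never states how the fields are delimited and gives no complete example line, whereas the removed `# sysctl:<sysctl Key>:<Expected Value>:...` comment at least showed the separator; a reader cannot write a valid entry from the new text alone. The key name `configdate=` also breaks the hyphenated `word-word=` style every other key in this file uses (`skip-upgrade-test`, `ssl-certificate-paths`, `disable-plugin`), so the intended spelling should be confirmed against the profile parser before this ships. I would state the separator in one sentence and add a single worked example assembled from the values already given in parentheses (`sysctl`, `kernel.sysrq`, `0`, `1`, `Disable magic SysRQ`, `sysctl -a`, `-`). While there, the stray `(1)` at the end of the Hardening Points line and the missing space in `key(Disable magic SysRQ)` read as typos.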
@@ -290,18 +280,6 @@ openldap:slapd.conf:permissions:640-600:
 
 
 openldap:slapd.conf:owner:ldap-root:
-
-
-#################################################################################
-#
-# NTP options
-#
-#################################################################################
-
-# Ignore some stratum 16 hosts (for example when running as time source itself)
-#ntp-ignore-stratum-16-peer=127.0.0.1
-
-
 #################################################################################
 #
 # File/directories permissions (currently not used yet)
@@ -356,12 +334,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
 
 # checks, like file permissions, SSH and other configuration files
 #ignore-home-dir=/home/user
-# Do not log tests with another guest operating system (default: yes)
-#log-tests-incorrect-os=no
-
-# Define if available NTP daemon is configured as a server or client on the network
-# values: server or client (default: client)
-#ntpd-role=client
 
 # Allow promiscuous interfaces
 # <option>:<promiscuous interface name>:<description>:
@@ -397,17 +369,6 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
 
 #################################################################################
 #
-# SSL certificates
-#
-#################################################################################
-
-# Locations where to search for SSL certificates
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
-
-
-
-#################################################################################
-#
 # Lynis Enterprise options
 # -----------------
 #
@@ -423,6 +384,9 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc
 #hostid=40-char-hash
 #hostid2=64-char-hash
 
+# Lynis Enterprise license key
+license-key=
+
 # Proxy settings
 # Protocol (http, https, socks5)
 #proxy-protocol=https
@@ -443,6 +407,16 @@ compliance-standards=cis,hipaa,iso27001,pci-dss
 # Provide the name of the customer/client
 #system-customer-name=mycustomer
 
+# Upload data to central server
+upload=no
+
+# The hostname/IP address to receive the data
+upload-server=
+
+# Provide options to cURL (or other upload tool) when uploading data.
+# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
+upload-options=
+
 # Link one or more tags to a system
 #tags=db,production,ssn-1304
 
diff --git a/include/consts b/include/consts
index 207cde8c..0bbde60c 100644
--- a/include/consts
+++ b/include/consts
@@ -96,6 +96,7 @@ unset LANG
 DEBSECANBINARY=""
 DEBSUMSBINARY=""
 DEVELOPER_MODE=0
+ DISABLED_PLUGINS=""
 DISCOVERED_BINARIES=""
 DMIDECODEBINARY=""
 DNFBINARY=""
diff --git a/include/profiles b/include/profiles
index eba67427..2840ed3b 100644
--- a/include/profiles
+++ b/include/profiles
@@ -239,6 +239,11 @@
 LogText "Plugin '${VALUE}' enabled according profile (${PROFILE})"
 ;;
 
+ disable-plugin)
+ LogText "Plugin '${VALUE}' disabled according profile (${PROFILE})"
+ DISABLED_PLUGINS="${DISABLED_PLUGINS} ${VALUE}"
+ ;;
+
 # Plugin directory
 plugindir | plugin-dir)
 if IsEmpty "${PLUGINDIR}"; then
@@ -851,8 +851,17 @@ ${NORMAL}
 LogText "Action: checking plugin status in profile: ${PROFILE}"
 FIND3=$(grep "^plugin=${FIND2}" ${PROFILE})
 if [ ! -z "${FIND3}" ]; then
-LogText "Result: plugin enabled in profile (${PROFILE})"
-PLUGIN_ENABLED_STATE=1
+ FOUND=0
+ for I in ${DISABLED_PLUGINS}; do
+ if [ "${I}" = "${FIND2}" ]; then
+ FOUND=1
+ LogText "Result: plugin ${FIND2} is specifically disabled"
+ fi
+ done
+ if [ ${FOUND} -eq 0 ]; then
+ LogText "Result: plugin enabled in profile (${PROFILE})"
+ PLUGIN_ENABLED_STATE=1
+ fi
 fi
 done
 if [ ${PLUGIN_ENABLED_STATE} -eq 1 ]; then
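Review bot: The only example given for `upload-options` in the relocated default.prf block is `--insecure`, which turns off TLS certificate verification for the upload of audit results to the central server; presenting it as the answer to a self-signed certificate steers users to the weakest option. cURL can trust a private CA with `--cacert <path>` and keep verification on, so the example should show that first. I would change the comment to `# upload-options=--cacert /path/to/ca.pem (trust a private or self-signed CA while keeping certificate verification on)` and, if `--insecure` is kept as a second example, say plainly that it disables certificate verification rather than "skip certificate check".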
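Review bot: In the include/profiles hunk at line 851 the membership test for `${FIND2}` in `DISABLED_PLUGINS` is spelled as a seven-line `for` loop with a `FOUND` flag that keeps iterating after a match and logs once per matching entry; a POSIX `case` on the space-padded list performs the same check in fewer lines, stops at the first match and logs once. Both forms rely on plugin names containing no whitespace, which the committed `for I in ${DISABLED_PLUGINS}` word-splitting already assumes. `DISABLED_PLUGINS` is accumulated across every parsed profile in the first hunk, so a `disable-plugin` in any profile overrides `plugin=` in all of them; that appears intended given the "will overrule an enabled plugin" comment in default.prf, but a one-line comment at the `DISABLED_PLUGINS=` assignment saying so would save the next reader the inference. The enclosing profile loop (closed by the `done` context line) and its function begin outside the hunk.
```shell
if [ ! -z "${FIND3}" ]; then
    # Space-padded so that only a whole plugin name matches, not a substring
    case " ${DISABLED_PLUGINS} " in
        *" ${FIND2} "*)
            LogText "Result: plugin ${FIND2} is specifically disabled"
        ;;
        *)
            LogText "Result: plugin enabled in profile (${PROFILE})"
            PLUGIN_ENABLED_STATE=1
        ;;
    esac
fi
# … unchanged: end of profile loop and PLUGIN_ENABLED_STATE check …
```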