From 007faf47c35ad4606af8d1340674c46b09079fd5 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Sun, 7 Jul 2019 18:46:23 +0200
Subject: Cleanup of default profile and migration of permdir/permfile
---
 default.prf | 118 ++++++++++++++++++++----------------------------------------
 1 file changed, 39 insertions(+), 79 deletions(-)
(limited to 'default.prf')
diff --git a/default.prf b/default.prf
index b9011d0e..98f3e20d 100644
--- a/default.prf
+++ b/default.prf
@@ -36,6 +36,9 @@ colors=yes
 # Compressed uploads (set to zero when errors with uploading occur)
 compressed-uploads=yes
+# Amount of connections in WAIT state before reporting it as a suggestion
+#connections-max-wait-state=5000
+
 # Debug mode (for debugging purposes, extra data logged to screen)
 #debug=yes
@@ -265,100 +268,58 @@ config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes ar
 config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
-#################################################################################
-#
-# Apache options
-# columns: (1)apache : (2)option : (3)value
-#
-#################################################################################
-
-apache:ServerTokens:Prod:
-
-
-#################################################################################
-#
-# OpenLDAP options
-# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
-#
-#################################################################################
-
-openldap:slapd.conf:permissions:640-600:
-openldap:slapd.conf:owner:ldap-root:
-
-
-#################################################################################
-#
-# File/directories permissions (currently not used yet)
-#
-#################################################################################
-
-# Scan for exact file name match
-#[scanfiles]
-#scanfile:/etc/rc.conf:FreeBSD configuration:
-
-# Scan for exact directory name match
-#[scandirs]
-#scandir:/etc:/etc directory:
-
-
 #################################################################################
 #
 # permfile
 # ---------------
-# permfile:file name:file permissions:owner:group:action:
+# permfile=file name:file permissions:owner:group:action:
 # Action = NOTICE or WARN
 # Examples:
-# permfile:/etc/test1.dat:600:root:wheel:NOTICE:
-# permfile:/etc/test1.dat:640:root:-:WARN:
+# permfile=/etc/test1.dat:600:root:wheel:NOTICE:
+# permfile=/etc/test1.dat:640:root:-:WARN:
 #
 #################################################################################
-#permfile:/etc/inetd.conf:rw-------:root:-:WARN:
-#permfile:/etc/fstab:rw-r--r--:root:-:WARN:
-permfile:/etc/lilo.conf:rw-------:root:-:WARN:
-permfile:/boot/grub2/grub.cfg:rw-------:root:root:WARN:
-permfile:/boot/grub/grub.cfg:rw-------:root:root:WARN:
-permfile:/boot/grub2/user.cfg:rw-------:root:root:WARN:
-permfile:/etc/motd:rw-r--r--:root:root:WARN:
-permfile:/etc/issue:rw-r--r--:root:root:WARN:
-permfile:/etc/issue.net:rw-r--r--:root:root:WARN:
-permfile:/etc/hosts.allow:rw-r--r--:root:root:WARN:
-permfile:/etc/hosts.deny:rw-r--r--:root:root:WARN:
-permfile:/etc/crontab:rw-------:root:-:WARN:
-permfile:/etc/cron.allow:rw-------:root:-:WARN:
-permfile:/etc/cron.deny:rw-------:root:-:WARN:
-permfile:/etc/at.allow:rw-------:root:-:WARN:
-permfile:/etc/at.deny:rw-------:root:-:WARN:
-permfile:/etc/ssh/sshd_config:rw-------:root:-:WARN:
-permfile:/etc/passwd:rw-r--r--:root:-:WARN:
-permfile:/etc/shadow:---------:root:-:WARN:
-permfile:/etc/group:rw-r--r--:root:-:WARN:
-permfile:/etc/gshadow:---------:root:-:WARN:
-permfile:/etc/passwd-:rw-r--r--:root:-:WARN:
-permfile:/etc/shadow-:---------:root:-:WARN:
-permfile:/etc/group-:rw-r--r--:root:-:WARN:
-permfile:/etc/gshadow-:---------:root:-:WARN:
+#permfile=/etc/inetd.conf:rw-------:root:-:WARN:
+#permfile=/etc/fstab:rw-r--r--:root:-:WARN:
+permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
+permfile=/etc/at.allow:rw-------:root:-:WARN:
+permfile=/etc/at.deny:rw-------:root:-:WARN:
+permfile=/etc/cron.allow:rw-------:root:-:WARN:
+permfile=/etc/cron.deny:rw-------:root:-:WARN:
+permfile=/etc/crontab:rw-------:root:-:WARN:
+permfile=/etc/group:rw-r--r--:root:-:WARN:
+permfile=/etc/group-:rw-r--r--:root:-:WARN:
+permfile=/etc/gshadow:---------:root:-:WARN:
+permfile=/etc/gshadow-:---------:root:-:WARN:
+permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
+permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
+permfile=/etc/issue:rw-r--r--:root:root:WARN:
+permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
+permfile=/etc/lilo.conf:rw-------:root:-:WARN:
+permfile=/etc/motd:rw-r--r--:root:root:WARN:
+permfile=/etc/passwd:rw-r--r--:root:-:WARN:
+permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
+permfile=/etc/shadow:---------:root:-:WARN:
+permfile=/etc/shadow-:---------:root:-:WARN:
+permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
 #################################################################################
 #
 # permdir
 # ---------------
-# permdir:directory name:file permissions:owner:group:action when permissions are different:
+# permdir=directory name:file permissions:owner:group:action when permissions are different:
 #
 #################################################################################
-permdir:/root/.ssh:rwx------:root:-:WARN:
-permdir:/etc/cron.hourly:rwx------:root:root:WARN:
-permdir:/etc/cron.daily:rwx------:root:root:WARN:
-permdir:/etc/cron.weekly:rwx------:root:root:WARN:
-permdir:/etc/cron.monthly:rwx------:root:root:WARN:
-permdir:/etc/cron.d:rwx------:root:root:WARN:
-
-# Scan for a program/binary in BINPATHs
-#scanbinary:Rootkit Hunter:rkhunter:
-
-# Amount of connections in WAIT state before reporting it as a suggestion
-#connections-max-wait-state=5000
+permdir=/root/.ssh:rwx------:root:-:WARN:
+permdir=/etc/cron.d:rwx------:root:root:WARN:
+permdir=/etc/cron.daily:rwx------:root:root:WARN:
+permdir=/etc/cron.hourly:rwx------:root:root:WARN:
+permdir=/etc/cron.weekly:rwx------:root:root:WARN:
+permdir=/etc/cron.monthly:rwx------:root:root:WARN:
 # Ignore some specific home directories
@@ -402,7 +363,7 @@ permdir:/etc/cron.d:rwx------:root:root:WARN:
 #################################################################################
 #
 # Lynis Enterprise options
-# -----------------
+# ------------------------
 #
 #################################################################################
@@ -453,5 +414,4 @@ upload-options=
 #tags=db,production,ssn-1304
-
 #EOF
--
cgit v1.2.3
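Review bot: The example rules in the permfile header of the second hunk still give the mode in octal (`600`, `640`), while every active `permfile=` and `permdir=` entry in the same hunk uses the nine-character symbolic form (`rw-------`). Someone copying the example into a custom profile may end up with a rule that never matches, unless the check accepts both notations, which this diff does not show. I would change the examples to `# permfile=/etc/test1.dat:rw-------:root:wheel:NOTICE:` and `# permfile=/etc/test1.dat:rw-r-----:root:-:WARN:`. The parser is also outside this diff: if it only recognises the new `key=` form, custom profiles that still use `permfile:`/`permdir:` would silently lose these permission findings, so a comment such as `# NOTE: the old "permfile:" / "permdir:" prefix is no longer used; use "permfile=" / "permdir="` in the header would help.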