From 2bf6a5e038ca51ac5ca755e7ac83e404038f3bf3 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 23 Jan 2018 15:01:02 +0100 Subject: Overhaul of default profile settings and parsing --- default.prf | 156 ++++++++++++++++++++++-------------------------------------- 1 file changed, 57 insertions(+), 99 deletions(-) (limited to 'default.prf') diff --git a/default.prf b/default.prf index 93b54928..e1636145 100644 --- a/default.prf +++ b/default.prf @@ -33,6 +33,9 @@ colors=yes # Compressed uploads (set to zero when errors with uploading occur) compressed-uploads=yes +# Debug mode (for debugging purposes, extra data logged to screen) +#debug=yes + # Show non-zero exit code when warnings are found error-on-warnings=no @@ -89,18 +92,23 @@ upload-options= # Verbose output verbose=no + ################################################################################# # -# SUGGESTION -# ---------- +# Upgrade and updating +# -------------------- # -# Do NOT make changes to this file, instead copy your preferred settings to -# custom.prf and put it in the same directory as default.prf +# The old settings to do automatic updating are deprecated. It is suggested to +# use a package or deploy your the tarball via a custom script. # -# To discover where your profiles are located: lynis show profiles +# The latest packages can be found at: https://packages.cisofy.com # ################################################################################# +# Skip Lynis upgrade availability test (default: no) +#skip-upgrade-test=yes + + ################################################################################# # # Plugins 
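Review bot: The added comment in the new `Upgrade and updating` block (hunk `@@ -89,18 +92,23`) contains a typo, `deploy your the tarball`; it should read `# use a package or deploy the tarball via a custom script.`. The same hunk removes the SUGGESTION block that told users to put their settings in custom.prf instead of editing default.prf. If that guidance is not re-added in a part of the file outside this diff, it should stay, since local edits to default.prf would presumably be lost on the package upgrades this text now recommends. For `#skip-upgrade-test=yes`, a short caveat such as `# Only skip when updates are tracked by other means (e.g. package manager)` would make clear that, as the option name suggests, skipping the test leaves an outdated scanner unreported.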
@@ -142,27 +150,6 @@ plugin=systemd plugin=users -################################################################################# -# -# Lynis Enterprise options -# -################################################################################# - -# Provide the name of the customer/client -system-customer-name= - -# Provide tags (tags=db,production,ssn-1304) -tags= - - - -################################################################################# -# -# Configuration (Old Style) - will be replaced in phases -# -################################################################################# - - ################################################################################# # # Kernel options @@ -302,14 +289,6 @@ openldap:slapd.conf:permissions:640-600: openldap:slapd.conf:owner:ldap-root: -################################################################################# -# -# SSL certificates -# -################################################################################# - -# Locations where to search for SSL certificates -ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www ################################################################################# @@ -319,8 +298,7 @@ ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc ################################################################################# # Ignore some stratum 16 hosts (for example when running as time source itself) -#ntp:ignore_stratum_16_peer:127.0.0.1: -#ntp:ignore_stratum_16_peer:1.2.3.4: +#ntp-ignore-stratum-16-peer=127.0.0.1 ################################################################################# 
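Review bot: The new example `#ntp-ignore-stratum-16-peer=127.0.0.1` (hunk `@@ -319,8 +298,7`) no longer shows how to ignore more than one peer, which the two removed `ntp:ignore_stratum_16_peer` lines illustrated. The comment above it should state whether the option may be repeated, for example `# One peer per line; repeat the option for each host`, assuming the parser accepts repeated keys; that needs confirming against the parsing code, which is not part of this diff. Without it, users migrating a profile with several ignored peers have no model for the new syntax.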
@@ -368,90 +346,63 @@ permdir:/root/.ssh:rwx------:root:-:WARN: # Scan for a program/binary in BINPATHs #scanbinary:Rootkit Hunter:rkhunter: - -################################################################################# -# -# Audit customizing -# ----------------- -# -# Most options can contain 'yes' or 'no'. -# -################################################################################# - # Amount of connections in WAIT state before reporting it as a suggestion -#config:connections_max_wait_state:5000: - -# Skip security repository check for Debian based systems -#config:debian_skip_security_repository:yes: +#connections-max-wait-state=5000 -# Debug mode (for debugging purposes, extra data logged to screen) -#config:debug:yes: - -# Skip the FreeBSD portaudit test -#config:freebsd_skip_portaudit:yes: # Ignore some specific home directories # One directory per line; directories will be skipped for home directory specific # checks, like file permissions, SSH and other configuration files -#config:ignore_home_dir:/home/user: +#ignore-home-dir=/home/user # Do not log tests with another guest operating system (default: yes) -#config:log_tests_incorrect_os:no: +#log-tests-incorrect-os=no # Define if available NTP daemon is configured as a server or client on the network # values: server or client (default: client) -#config:ntpd_role:client: +#ntpd-role=client # Allow promiscuous interfaces #