From c0ae2e217b7f1fb0171017ce5afb8eb8898470db Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 Aug 2014 17:33:55 +0200 Subject: Initial import --- default.prf | 293 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 293 insertions(+) create mode 100644 default.prf (limited to 'default.prf') diff --git a/default.prf b/default.prf new file mode 100644 index 00000000..dd93b3f7 --- /dev/null +++ b/default.prf @@ -0,0 +1,293 @@ +################################################################################# +# +# Lynis scan profile +# +# This is the default profile and is used as a baseline when testing systems and +# applications. Since there are generally no "best" options, Lynis will assume +# some default values. +# +# All empty lines or with the # prefix will be skipped +# +# This is the default profile and contains default values. You are encouraged to +# copy this file and use it's base for custom audit profiles. +# +################################################################################# + +[configuration] +# Profile name, will be used as title/description +config:profile_name:Default Audit Template: + +# Number of seconds to pause between every test (0 is no pause) +config:pause_between_tests:0: + +# Show inline tips about the tool +config:show_tool_tips:1: + + +################################################################################# +# +# Testing options +# --------------- +# +################################################################################# + +# ** Scan type (how deep test has to be, light, normal or full) ** +# +# config:test_scan_mode:light|normal|full: + + +# ** Skip one or more specific tests ** +# (always ignores scan mode and will make sure the test is skipped) +# +# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012: + + +# ** Define the role(s) of a machine ** +# Values: desktop|server (default: server) +# +#config:machine_role:server: + + +################################################################################# +# +# Plugins +# --------------- +# Define which plugins are enabled (nothing happens if plugin isn't available) +# +################################################################################# +# plugin=security_malware +# plugin=security_rootkit +# plugin=fileperms +plugin=docker +plugin=file-integrity +plugin=files +plugin=filesystems +plugin=firewalls +plugin=processes +plugin=software +plugin=system-integrity + +################################################################################# +# +# Sysctl options +# --------------- +# sysctl::::: +# +# Sysctl key = name +# Expected value = value of sysctl key +# Hardening points = Number of hardening points. For most keys 1 HP will be suitable +# Description = Text description of key +# +################################################################################# + +[processes] +#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value: +sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups: +sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users: + +[kernel] +sysctl:kern.sugid_coredump:0:1:XXX: +sysctl:kernel.core_setuid_ok:0:1:XXX: +sysctl:kernel.core_uses_pid:1:1:XXX: +sysctl:kernel.ctrl-alt-del:0:1:XXX: +sysctl:kernel.exec-shield-randomize:1:1:XXX: +sysctl:kernel.exec-shield:1:1:XXX: +sysctl:kernel.sysrq:0:1:Disable magic SysRQ: +sysctl:kernel.use-nx:0:1:XXX: + +[network] +sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: +sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: +sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: +sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: +sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic: +sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic: +sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: +sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects: +sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets: +sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing: +sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source: +sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing: +sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets: +sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets: +sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source: +sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address: +sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore +#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic: +sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: +sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: +sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: +sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: +sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: + +[security] +#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: +#security.jail.jailed: 0 +#security.jail.jail_max_af_ips: 255 +#security.jail.mount_allowed: 0 +#security.jail.chflags_allowed: 0 +#security.jail.allow_raw_sockets: 0 +#security.jail.enforce_statfs: 2 +#security.jail.sysvipc_allowed: 0 +#security.jail.socket_unixiproute_only: 1 +#security.jail.set_hostname_allowed: 1 +#security.bsd.suser_enabled: 1 +#security.bsd.unprivileged_proc_debug: 1 +#security.bsd.conservative_signals: 1 +#security.bsd.unprivileged_read_msgbuf: 1 +#security.bsd.hardlink_check_gid: 0 +#security.bsd.hardlink_check_uid: 0 +#security.bsd.unprivileged_get_quota: 0 + + + +################################################################################# +# +# Apache options +# columns: (1)apache : (2)option : (3)value +# +################################################################################# + +apache:ServerTokens:Prod: + + +################################################################################# +# +# OpenLDAP options +# columns: (1)openldap : (2)file : (3)option : (4)expected value(s) +# +################################################################################# + +openldap:slapd.conf:permissions:640-600: +openldap:slapd.conf:owner:ldap-root: + + +################################################################################# +# +# SSL certificates +# +################################################################################# + +# Locations where to search for SSL certificates +ssl:certificates:/etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www: + + +################################################################################# +# +# NTP options +# +################################################################################# + +# Ignore some stratum 16 hosts (for example when running as time source itself) +#ntp:ignore_stratum_16_peer:127.0.0.1: +#ntp:ignore_stratum_16_peer:1.2.3.4: + + +################################################################################# +# +# File/directories permissions (currently not used yet) +# +################################################################################# + +# Scan for exact file name match +#[scanfiles] +#scanfile:/etc/rc.conf:FreeBSD configuration: + +# Scan for exact directory name match +#[scandirs] +#scandir:/etc:/etc directory: + + +################################################################################# +# +# permfile +# --------------- +# permfile:file name:file permissions:owner:group:action: +# Action = NOTICE or WARN +# Examples: +# permfile:/etc/test1.dat:600:root:wheel:NOTICE: +# permfile:/etc/test1.dat:640:root:-:WARN: +# +################################################################################# + +#permfile:/etc/inetd.conf:rw-------:root:-:WARN: +#permfile:/etc/fstab:rw-r--r--:root:-:WARN: +permfile:/etc/lilo.conf:rw-------:root:-:WARN: + + +################################################################################# +# +# permdir +# --------------- +# permdir:directory name:file permissions:owner:group:action when permissions are different: +# +################################################################################# + +permdir:/root/.ssh:rwx------:root:-:WARN: + +# Scan for a program/binary in BINPATHs +#scanbinary:Rootkit Hunter:rkhunter: + + +################################################################################# +# +# Audit customizing +# ----------------- +# +# Most options can contain 'yes' or 'no'. +# +################################################################################# + +# Amount of connections in WAIT state before reporting it as a warning +#config:connections_max_wait_state:50: + +# Skip security repository check for Debian based systems +#config:debian_skip_security_repository:yes: + +# Debug mode (for debugging purposes, extra data logged to screen) +#config:debug:yes: + +# Skip the FreeBSD portaudit test +#config:freebsd_skip_portaudit:yes: + +# Ignore some specific home directories +# One directory per line; directories will be skipped for home directory specific +# checks, like file permissions, SSH and other configuration files +#config:ignore_home_dir:/home/user: + +# Do not log tests with another guest operating system (default: yes) +#config:log_tests_incorrect_os:no: + +# Define if available NTP daemon is configured as a server or client on the network +# values: server or client (default: client) +#config:ntpd_role:client: + +# Allow promiscuous interfaces +#