path: root/default.prf

#################################################################################
#
#
# Lynis - Scan Profile (default)
#
# This is the default profile and contains default values.
#
#
#################################################################################
#
#
# SUGGESTION
# ----------
#
# Do NOT make changes to this file, instead copy your preferred settings to
# custom.prf and put it in the same directory as default.prf
#
# To discover where your profiles are located: lynis show profiles
#
#
#################################################################################
#
# All empty lines or with the # prefix will be skipped
#
# More information about this plugin can be found in the documentation:
# https://cisofy.com/documentation/lynis/
#
#################################################################################

# Compressed uploads (set to zero when errors with uploading occur)
compressed-uploads=yes

# Show non-zero exit code when warnings are found
error-on-warnings=no

# Use Lynis in your own language (by default auto-detected)
language=

# Lynis Enterprise license key
license-key=

# Defines the role of the system (desktop, server)
machine-role=server

# Profile name, will be used as title/description
profile-name=Default Audit Template

# Number of seconds to pause between every test (0 is no pause)
pause-between-tests=0

# Enable quick mode (no waiting for keypresses, same as --quick option)
quick=no

# Refresh software repositories to help detecting vulnerable packages
refresh-repositories=yes

# Show solution for findings
show-report-solution=yes

# Show inline tips about the tool
show-tool-tips=yes

# Skip plugins
skip-plugins=no

# Skip a test (one per line)
#skip-test=SSH-7408

# Skip a particular option within a test (when applicable)
#skip-test=SSH-7408:loglevel
#skip-test=SSH-7408:permitrootlogin

# Scan type - how deep the audit should be (light, normal or full)
test-scan-mode=full

# The hostname/IP address to receive the data
upload-server=

# Provide options to cURL (or other upload tool) when uploading data.
# upload-options=--insecure   --> use HTTPS, but skip certificate check (e.g. self-signed)
upload-options=

# Verbose output
verbose=no

#################################################################################
#
# SUGGESTION
# ----------
#
# Do NOT make changes to this file, instead copy your preferred settings to
# custom.prf and put it in the same directory as default.prf
#
# To discover where your profiles are located:  lynis show profiles
#
#################################################################################

#################################################################################
#
# Plugins
# ---------------
# Define which plugins are enabled
#
# Notes:
# - Nothing happens if plugin isn't available
# - There is no order in execution of plugins
# - See documentation about how to use plugins and phases
#
#################################################################################

# Lynis Plugins (some are for Lynis Enterprise users only)
plugin=compliance
plugin=configuration
plugin=control-panels
plugin=crypto
plugin=dns
plugin=docker
plugin=file-integrity
plugin=file-systems
plugin=firewalls
plugin=forensics
plugin=intrusion-detection
plugin=intrusion-prevention
plugin=kernel
plugin=malware
plugin=memory
plugin=nginx
plugin=pam
plugin=processes
plugin=security-modules
plugin=software
plugin=system-integrity
plugin=systemd
plugin=users




#################################################################################
#
# Configuration (Old Style) - will be replaced in phases
#
#################################################################################


#################################################################################
#
# Kernel options
# ---------------
# sysctl:<sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
#
# Sysctl key       = name
# Expected value   = value of sysctl key
# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
# Description      = Text description of key
#
#################################################################################

# Config
# - Type (sysctl)
# - Setting (kernel.sysrq)
# - Expected value (0)
# - Hardening Points (1)
# - Description (Disable magic SysRQ)
# - Related file or command (sysctl -a)
# - Solution field (url:URL, text:TEXT, or -)

# Processes
config-data=sysctl;security.bsd.see_other_gids;0;1;Groups only see their own processes;sysctl -a;-;category:security;
config-data=sysctl;security.bsd.see_other_uids;0;1;Users only see their own processes;sysctl -a;-;category:security;
config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable stack smashing protection (SSP)/ProPolice to defend against possible buffer overflows;-;category:security;
config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged processes can not use process debugging;sysctl -a;-;category:security;
config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged processes can not read the kernel message buffer;sysctl -a;-;category:security;

# Kernel
#config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security;
config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.core_setuid_ok;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.core_uses_pid;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.ctrl-alt-del;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;

# Network
config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0;
config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security;
#config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security;
config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove the TIME_WAIT state for loopback interface;-;category:security;
config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable MTU discovery as many hosts drop the ICMP type 3 packets;-;category:security;
config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP may not send RST to avoid spoofed ICMP/UDP floods;-;category:security;
config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do not allow redirected ICMP packets;-;category:security;
config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable timestamps;-;category:security;
config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.inet.ip.check_interface;1;1;Verify that a packet arrived on the right interface;-;category:security;
config-data=sysctl;net.inet.ip.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
config-data=sysctl;net.inet.ip.process_options;0;1;Ignore any IP options in the incoming packets;-;category:security;
config-data=sysctl;net.inet.ip.random_id;1;1;Use a random IP id to each packet leaving the system;-;category:security;
config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic when delivered to closed TCP port;-;category:security;
config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN packets will be dropped on initial connection;-;category:security;
config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic when delivered to closed UDP port;-;category:security;
config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable filtering;-;category:security;
config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
config-data=sysctl;net.ipv4.tcp_timestamps;0;1;Do not use TCP time stamps;-;category:security;
config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;

# Other
config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security;
#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
#security.jail.jailed; 0
#security.jail.jail_max_af_ips; 255
#security.jail.mount_allowed; 0
#security.jail.chflags_allowed; 0
#security.jail.allow_raw_sockets; 0
#security.jail.enforce_statfs; 2
#security.jail.sysvipc_allowed; 0
#security.jail.socket_unixiproute_only; 1
#security.jail.set_hostname_allowed; 1
#security.bsd.suser_enabled; 1
#security.bsd.unprivileged_proc_debug; 1
#security.bsd.conservative_signals; 1
#security.bsd.unprivileged_read_msgbuf; 1
#security.bsd.unprivileged_get_quota; 0
config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other groups;-;category:security;
config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;


#################################################################################
#
# Apache options
# columns: (1)apache : (2)option : (3)value
#
#################################################################################

apache:ServerTokens:Prod:


#################################################################################
#
# OpenLDAP options
# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
#
#################################################################################

openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root:


#################################################################################
#
# SSL certificates
#
#################################################################################

# Locations where to search for SSL certificates
ssl-certificate-paths=/etc/letsencrypt:/etc/pki:/etc/ssl:/usr/local/share/ca-certificates:/var/www:/srv/www


#################################################################################
#
# NTP options
#
#################################################################################

# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp:ignore_stratum_16_peer:127.0.0.1:
#ntp:ignore_stratum_16_peer:1.2.3.4:


#################################################################################
#
# File/directories permissions (currently not used yet)
#
#################################################################################

# Scan for exact file name match
#[scanfiles]
#scanfile:/etc/rc.conf:FreeBSD configuration:

# Scan for exact directory name match
#[scandirs]
#scandir:/etc:/etc directory:


#################################################################################
#
# permfile
# ---------------
# permfile:file name:file permissions:owner:group:action:
# Action = NOTICE or WARN
# Examples:
# permfile:/etc/test1.dat:600:root:wheel:NOTICE:
# permfile:/etc/test1.dat:640:root:-:WARN:
#
#################################################################################

#permfile:/etc/inetd.conf:rw-------:root:-:WARN:
#permfile:/etc/fstab:rw-r--r--:root:-:WARN:
permfile:/etc/lilo.conf:rw-------:root:-:WARN:


#################################################################################
#
# permdir
# ---------------
# permdir:directory name:file permissions:owner:group:action when permissions are different:
#
#################################################################################

permdir:/root/.ssh:rwx------:root:-:WARN:

# Scan for a program/binary in BINPATHs
#scanbinary:Rootkit Hunter:rkhunter:


#################################################################################
#
# Audit customizing
# -----------------
#
# Most options can contain 'yes' or 'no'.
#
#################################################################################

# Amount of connections in WAIT state before reporting it as a suggestion
#config:connections_max_wait_state:5000:

# Skip security repository check for Debian based systems
#config:debian_skip_security_repository:yes:

# Debug mode (for debugging purposes, extra data logged to screen)
#config:debug:yes:

# Skip the FreeBSD portaudit test
#config:freebsd_skip_portaudit:yes:

# Ignore some specific home directories
# One directory per line; directories will be skipped for home directory specific
# checks, like file permissions, SSH and other configuration files
#config:ignore_home_dir:/home/user:

# Do not log tests with another guest operating system (default: yes)
#config:log_tests_incorrect_os:no:

# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#config:ntpd_role:client:

# Allow promiscuous interfaces
#   <option>:<promiscuous interface name>:<description>:
#if_promisc:pflog0:pf log daemon interface:

# Skip Lynis upgrade availability test (default: no)
#config:skip_upgrade_test:yes:

# The URL prefix and append to URL's for your custom tests
# Link will be build with: {control_url_protocol}://{control_url_prepend}CONTROL-ID{control_url_append}
#config:control_url_protocol:https:
#config:control_url_prepend:cisofy.com/control/:
#config:control_url_append:/:
# The URL prefix and append to URL's for your custom tests
#config:custom_url_protocol:https:
#config:custom_url_prepend:your-domain.example.org/control-info/:
#config:custom_url_append:/:

#################################################################################
#
# Automatic Updating
# -------------------
#
# These settings are required when using the lynis update functionality.
# By specifying local paths and your update server, the tool can do an update
# check, compare versions and download a new version.
#
#################################################################################

# Local directory (without slash at end) where lynis directory will be installed
# Note: do not add full path to lynis, as subdirectory is part of tarball
#config:update_local_directory:/usr/local:
# Full path to local file. Change local path if Lynis is installed on a different place
#config:update_local_version_info:/usr/local/lynis/client-version:

# Download information
# -----------------------------
# Protocol to use: http, https
#config:update_server_protocol:http:

# Address of update server
#config:update_server_address:192.168.1.125:

# Path to last stable release
#config:update_latest_version_download:/files/lynis-latest.tar.gz:

# Last part of URL (file to gather)
#config:update_latest_version_info:/files/lynis-latest-version:


#################################################################################
#
# Lynis Enterprise options
# -----------------
#
#################################################################################


# Proxy settings
# Protocol (http, https, socks5)
#config:upload_proxy_protocol:https:
# Address
#config:upload_proxy_server:1.2.3.4:
# Port
#config:upload_proxy_port:3128:

# Define groups
#config:group:[group name]:
#config:group:test:

# Define which compliance standards are audited and reported on. Disable this if not required.
config:compliance_standards:cis,hipaa,iso27001,pci-dss:



#EOF