cfbs add lynis@0.1.0
CFEngine policy to automate the installation, running, and reporting of CISOfy's lynis system audits.
Inventories:
From the root of a repository clone, run make install.
The policy will be installed into services/cfengine-lynis.
Ensure the policy is included in inputs. For example, it can be included via augments if you are running the MPF:
{
  "inputs": [ "services/cfengine-lynis/main.cf" ]
}
Ensure the policy is actuated.
If the class services_autorun is defined and you are running the MPF, it will be automatically actuated.
It can be appended to the main bundlesequence via augments if you are running the MPF:
{
  "vars": {
    "control_common_bundlesequence_end": [ "lynis:main" ]
  }
}
Or you can actuate it with a methods promise from your existing policy.
bundle agent example
{
  methods:
    "CISOfy Lynis"
      usebundle => lynis:main;
}
Install with cpm (the unofficial cfengine package|policy manager).
cpm install cfengine-lynis
When the policy is run with the inform_mode class defined, it will report the findings.
R: bundle lynis_inventory: SSH-7408 sshd option AllowTcpForwarding. AllowTcpForwarding prefers NO over YES
R: bundle lynis_inventory: SSH-7408 sshd option ClientAliveCountMax. ClientAliveCountMax prefers 2 over 3
R: bundle lynis_inventory: SSH-7408 sshd option Compression. Compression prefers NO over DELAYED
R: bundle lynis_inventory: SSH-7408 sshd option LogLevel. LogLevel prefers VERBOSE over INFO
R: bundle lynis_inventory: SSH-7408 sshd option MaxAuthTries. MaxAuthTries prefers 2 over 6
R: bundle lynis_inventory: SSH-7408 sshd option MaxSessions. MaxSessions prefers 2 over 10
R: bundle lynis_inventory: SSH-7408 sshd option PermitRootLogin. PermitRootLogin prefers NO over YES
R: bundle lynis_inventory: SSH-7408 sshd option Port. Port prefers over 22
R: bundle lynis_inventory: SSH-7408 sshd option TCPKeepAlive. TCPKeepAlive prefers NO over YES
R: bundle lynis_inventory: SSH-7408 sshd option X11Forwarding. X11Forwarding prefers NO over YES
R: bundle lynis_inventory: KRNL-6000 Restrict use of dmesg. kernel.dmesg_restrict prefers 1 over 0
R: bundle lynis_inventory: KRNL-6000 Restrict access to kernel symbols. kernel.kptr_restrict prefers 2 over 1
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv4.conf.all.accept_redirects prefers 0 over 1
R: bundle lynis_inventory: KRNL-6000 Log all packages for which the host does not have a path back to the source. net.ipv4.conf.all.log_martians prefers 1 over 0
R: bundle lynis_inventory: KRNL-6000 Enforce ingress/egress filtering for packets. net.ipv4.conf.all.rp_filter prefers 1 over 0
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv4.conf.all.send_redirects prefers 0 over 1
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv4.conf.default.accept_redirects prefers 0 over 1
R: bundle lynis_inventory: KRNL-6000 Log all packages for which the host does not have a path back to the source. net.ipv4.conf.default.log_martians prefers 1 over 0
R: bundle lynis_inventory: KRNL-6000 Do not use TCP time stamps. net.ipv4.tcp_timestamps prefers 0 over 1
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv6.conf.all.accept_redirects prefers 0 over 1
R: bundle lynis_inventory: KRNL-6000 Disable/Ignore ICMP routing redirects. net.ipv6.conf.default.accept_redirects prefers 0 over 1
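The inform_mode report lines above can be turned into structured findings for triage. The following is an added example, not part of the cfengine-lynis module; the line shape is inferred from the sample output on this page, and the names FINDING, SAMPLE, parse_findings and count_by_test are hypothetical.

```python
import re
from collections import Counter

# Line shape inferred from the sample output on this page (an assumption,
# not a documented format):
# R: bundle lynis_inventory: <TEST-ID> <description>. <setting> prefers <want> over <have>
FINDING = re.compile(
    r"^R: bundle lynis_inventory: (?P<test>[A-Z]+-\d+) (?P<desc>.*?)\. "
    r"(?P<setting>\S+) prefers\s*(?P<want>.*?)\s*over\s+(?P<have>\S+)\s*$"
)

# Constructed sample: four report lines as shown on this page, plus one
# made-up non-matching line to exercise the skip path.
SAMPLE = """\
R: bundle lynis_inventory: SSH-7408 sshd option PermitRootLogin. PermitRootLogin prefers NO over YES
R: bundle lynis_inventory: SSH-7408 sshd option Port. Port prefers over 22
R: bundle lynis_inventory: KRNL-6000 Restrict use of dmesg. kernel.dmesg_restrict prefers 1 over 0
R: bundle lynis_inventory: KRNL-6000 Do not use TCP time stamps. net.ipv4.tcp_timestamps prefers 0 over 1
    info: some unrelated agent message
"""

def parse_findings(text):
    """Return (findings, skipped): parsed dicts and lines that did not match."""
    findings, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FINDING.match(line)
        if m is None:
            skipped.append(line)  # keep for review instead of dropping silently
            continue
        f = m.groupdict()
        # An empty preferred value (as in the Port line) gives no concrete
        # target to remediate to; keep the finding but mark it as None.
        f["want"] = f["want"] or None
        findings.append(f)
    return findings, skipped

def count_by_test(findings):
    """Number of findings per Lynis test ID."""
    return Counter(f["test"] for f in findings)

if __name__ == "__main__":
    found, skipped = parse_findings(SAMPLE)
    for f in found:
        print(f"{f['test']:10} {f['setting']:28} want={f['want']} have={f['have']}")
    print(dict(count_by_test(found)), "skipped:", len(skipped))
```

Findings with want set to None, such as the Port line, need a manually chosen target value before they can be remediated.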
CFEngine Enterprise will automatically collect and report on inventoried variables.
This module has no dependencies