-
Notifications
You must be signed in to change notification settings - Fork 24
/
main.yml
40 lines (40 loc) · 3.53 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
##### MONITORING UTILITIES #####
# setup lynis security audit tool (yes/no)
setup_lynis: yes
# list of strings to extract from lynis reports and forward by mail
# Example: lynis_report_regex: 'warning|suggestion|manual'
lynis_report_regex: 'warning'
# list of lynis tests to ignore/skip (https://cisofy.com/lynis/controls/)
lynis_skip_tests:
- "CUST-0285" # Install libpam-usb to enable multi-factor authentication for PAM sessions (we don't use multi-factor auth for SSH)
- "CUST-0830" # Install debian-goodies so that you can run checkrestart (needrestart is used instead)
- "BOOT-5122" # Password on GRUB bootloader to prevent altering boot configuration (access protected by physical security/hoster/hypervisor console password)
- "AUTH-9286" # Configure minimum/maximum password age in /etc/login.defs (we don't enforce password aging)
- "AUTH-9308" # No password set for single mode (access protected by physical security/hoster/hypervisor console password)
- "FILE-6310" # place /tmp on a separated partition (root partition free disk space is monitored by netdata)
- "TIME-3120" # Check ntpq peers output for unreliable ntp peers (we use a NTP pool, correct NTP peers will be selected automatically)
- "CONT-8104" # Run 'docker info' to see warnings applicable to Docker daemon (no swap support)
- "AUTH-9283" # logins without password are denied by PAM and SSH (nodiscc.xsrv.common)
- "BANN-7126" # legal banner for local logins is not needed
- "BANN-7130" # legal banner for ssh logins is not needed
- "LOGG-2190" # open file descriptors on deleted files is normal behavior
- "SSH-7408:Port" # changing ssh listen port from 22 does not mitigate the risk, not a security measure, can also be set to a non-standard port in NAT
- "SSH-7408:ClientAliveCountMax" # 3 is an acceptable value, nodiscc.xsrv.common sets the value to 3
- "SSH-7408:Compression" # any of yes/delayed/no can be considered secure since 2018 (pre-authentication compression never enabled)
- "SSH-7408:MaxAuthTries" # 5 is an acceptable value (nodiscc.xsrv.common), lowering it may cause login failures from systems where more than 3 ssh private keys are available
- "SSH-7408:MaxSessions" # 10 is an acceptable values, SSH connection multiplexing cannot be abused/cause performance issues unless the user is authenticated
- "PHP-2376" # allow_url_fopen is used legitimately by several applications in file_get_contents() to fetch remote files
- "HRDN-7230" # malware/rootkit detection software is inefficient when run on a compromised host
- "HRDN-7222" # having compilers installed is an acceptable risk, /usr/bin/as installed by needrestart->binutils dependency
- "USB-1000" # Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft (access protected by physical security/hoster/hypervisor console password)
- "NETW-3015" # promiscuous interfaces are used legitimately by some programs (libvirt), and setting the promiscuous flag requires root anyway
- "KRNL-5830" # let needrestart/netdata send alarms when reboot is required
- "PKGS-7392" # let debsecan handle reporting of vulnerable packages
- "MALW-3280" # commercial antivirus software not required, non-free software not recommended, causes https://github.com/CISOfy/lynis/issues/1420
# when to verify installed package files against MD5 checksums (daily/weekly/monthly/never)
debsums_cron_check: "daily"
# base path to index with duc disk usage analyzer
duc_index_path: "/"
# list of directories/mountpoints on which to perform bonnie++ disk benchmarks
bonnie_benchmark_paths:
- /var