diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2002-03-09 15:37:55 +0000 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2002-03-09 15:37:55 +0000 |
| commit | 0536d54157200204e22991347219c3afd938e22b (patch) | |
| tree | 323774aec997295cdb6a9eb81b19d47a060a7849 | |
| parent | 19028a28147e14d675c24838c045aedb50c474a6 (diff) | |
cfengine: harden: Ignore all logfiles (Aide does not handle rotation) and correctly ignore /dev Ctime.
| -rw-r--r-- | cfengine/cf.services.harden | 43 |
1 files changed, 7 insertions, 36 deletions
diff --git a/cfengine/cf.services.harden b/cfengine/cf.services.harden index 18d80bd..50a0d08 100644 --- a/cfengine/cf.services.harden +++ b/cfengine/cf.services.harden @@ -2,50 +2,24 @@ editfiles: # AIDE section { /etc/aide/aide.conf # - # Logs = p+n+u+g - # - # Debian rotates its logfiles, so ignore inode, number of inodes and growing size - # - BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$" - Append "Logs = p+n+u+g # Added by cfengine" - EndGroup - LocateLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$" - BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=[[:blank:]][\+pug]*([[:blank:]]+(#.*)?)?" - ReplaceLineWith "Logs = p+u+g # Edited by cfengine" - EndGroup - # # Devices = p+i+n+u+g+s+b+md5+sha1 # # Ignore ctime - some devices change ctime when used (ttySx with hylafax) # - BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$" + BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*" Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine" EndGroup - LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$" - BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbcmd5sha1]*([[:blank:]]+(#.*)?)?" - ReplaceLineWith "Devices = p+i+n+u+g+s+b+c+md5+sha1 # Edited by cfengine" + LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*" + BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?" + ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine" EndGroup # - # #/var/log/aide/... - # #/var/log/setuid... + # #/var/log... # - # Treat these as regular logfiles - they are rotated as well + # Ignore logfiles - Aide can't handle rotation # - HashCommentLinesMatching "^/var/log/aide/.*" - HashCommentLinesMatching "^/var/log/setuid.*" + HashCommentLinesMatching "^/var/log.*" # - # #/var/log$ StaticDir - # - SetCommentStart "#" - SetCommentEnd "" -# bug! CommentLinesMatching "^/var/log\$[[:blank:]]StaticDir.*" -# LocateLineMatching "^/var/log\$[[:blank:]]StaticDir.*" -# bug! CommentNLines "1" - LocateLineMatching "^/var/log\$[[:blank:]]StaticDir[[:blank:]]*" - ReplaceLineWith "#/var/log$ StaticDir" - CatchAbort - # - # !/dev/log # !/dev/xconsole # !/dev/core # !/dev/ttyS* @@ -55,9 +29,6 @@ editfiles: BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*" GotoLastLine EndGroup - BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/log([[:blank:]]+(#.*)?)?" - InsertLine "!/dev/log # Added by cfengine" - EndGroup DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine" BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?" InsertLine "!/dev/xconsole # Added by cfengine" |