Add new CFengine script to adjust default Debian config to sane working condition.

1 files changed, 51 insertions, 0 deletions

diff --git a/integrit/integrit.cf b/integrit/integrit.cf
new file mode 100755
index 0000000..4c86fe6
--- /dev/null
+++ b/integrit/integrit.cf
@@ -0,0 +1,51 @@
+#! /usr/bin/cfengine -qf
+
+control:
+	OutputPrefix	= ("${cf_prefix}")
+	actionsequence	= ( editfiles )
+
+editfiles:
+	{ /etc/integrit/integrit.conf
+		#
+		# Uncomment suggested defaults
+		#
+		SetCommentStart "# "
+		SetCommentEnd ""
+		UnCommentLinesMatching "^# root=/"
+		UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
+		UnCommentLinesMatching "^# current=/var/lib/integrit/.*"
+		UnCommentLinesMatching "^# !/cdrom"
+		UnCommentLinesMatching "^# !/dev"
+		UnCommentLinesMatching "^# !/etc"
+		UnCommentLinesMatching "^# !/floppy"
+		UnCommentLinesMatching "^# !/home"
+		UnCommentLinesMatching "^# !/lost\+found"
+		UnCommentLinesMatching "^# !/mnt"
+		UnCommentLinesMatching "^# !/proc"
+		UnCommentLinesMatching "^# !/root"
+		UnCommentLinesMatching "^# !/tmp"
+		UnCommentLinesMatching "^# !/var"
+		UnCommentLinesMatching "^# =/usr/include"
+		UnCommentLinesMatching "^# =/usr/X11R6/include"
+		UnCommentLinesMatching "^# =/usr/doc"
+		UnCommentLinesMatching "^# =/usr/info"
+		UnCommentLinesMatching "^# =/usr/share"
+		UnCommentLinesMatching "^# =/usr/X11R6/man"
+		UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
+		UnCommentLinesMatching "^# !/usr/local"
+		UnCommentLinesMatching "^# !/usr/src"
+		AppendIfNoSuchLine "!/initrd"
+		AppendIfNoSuchLine "!/.journal"
+		AppendIfNoSuchLine "!/usr/local"
+		AppendIfNoSuchLine "!/usr/src"
+		AppendIfNoSuchLine "!/dev/cpu/mtrr"
+	}
+	{ /etc/integrit/integrit.debian.conf
+		#
+		# Make sure CONFIGS is set to /etc/integrit/integrit.conf
+		#
+		LocateLineMatching "^CONFIGS=.*"
+		BeginGroupIfNoLineMatching '^CONFIGS="/etc/integrit/integrit.conf"'
+			ReplaceLineWith 'CONFIGS="/etc/integrit/integrit.conf"'
+		EndGroup
+	}