authorJonas Smedegaard <dr@jones.dk>2017-01-26 14:30:08 +0100
committerJonas Smedegaard <dr@jones.dk>2017-01-26 14:30:08 +0100
commite042b7bced715a9d0d6c660df453b1b68f263316 (patch)
tree13f1bcd2f7cccf87718d92b5fc9a112d4c3ea455 /cfengine/cf.services.harden
parentc778483fbd7829e2d41157ae6be2d7f1eef709f5 (diff)
Drop ancient unused files.
Diffstat (limited to 'cfengine/cf.services.harden')
-rw-r--r--cfengine/cf.services.harden159
1 files changed, 0 insertions, 159 deletions
diff --git a/cfengine/cf.services.harden b/cfengine/cf.services.harden
deleted file mode 100644
index b00d5e5..0000000
--- a/cfengine/cf.services.harden
+++ /dev/null
@@ -1,159 +0,0 @@
-control:
- AddInstallable = ( install_logcheck )
-
- logcheck = ( /etc/logcheck )
-
- # $type indicates machine type (workstation or server). Used for logcheck paths
- Standalone|LtspServer:: type = ( workstation )
- !(Standalone|LtspServer):: type = ( server )
-
-groups:
- install_logcheck = ( '/usr/bin/test ! -e /usr/sbin/logcheck' )
-
- #Define classes according to the installed MTA
- runs_postfix = ( '/usr/bin/test -e /usr/sbin/postfix' )
-
-editfiles:
- # AIDE section
- { /etc/aide/aide.conf
- #
- # Devices = p+i+n+u+g+s+b+md5+sha1
- #
- # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
- #
- BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
- Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
- EndGroup
- LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
- BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?"
- ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine"
- EndGroup
- #
- # #/var/log...
- #
- # Ignore logfiles - Aide can't handle rotation
- #
- HashCommentLinesMatching "^/var/log.*"
- #
- # !/dev/xconsole
- # !/dev/core
- # !/dev/ttyS*
- #
- LocateLineMatching "^[[:blank:]]*\!/dev/.*"
- CatchAbort
- BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
- GotoLastLine
- EndGroup
- DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
- BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
- InsertLine "!/dev/xconsole # Added by cfengine"
- EndGroup
- BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
- InsertLine "!/dev/core # Added by cfengine"
- EndGroup
- BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
- InsertLine "!/dev/ttyS* # Added by cfengine"
- EndGroup
- }
- ## integrit section
- { /etc/integrit/integrit.conf
- #
- # Uncomment suggested defaults
- #
- SetCommentStart "# "
- SetCommentEnd ""
- UnCommentLinesMatching "^# root=/"
- UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
- UnCommentLinesMatching "^# current=/var/lib/integrit/.*"
- UnCommentLinesMatching "^# !/cdrom"
- UnCommentLinesMatching "^# !/dev"
- UnCommentLinesMatching "^# !/etc"
- UnCommentLinesMatching "^# !/floppy"
- UnCommentLinesMatching "^# !/home"
- UnCommentLinesMatching "^# !/lost\+found"
- UnCommentLinesMatching "^# !/mnt"
- UnCommentLinesMatching "^# !/proc"
- UnCommentLinesMatching "^# !/root"
- UnCommentLinesMatching "^# !/tmp"
- UnCommentLinesMatching "^# !/var"
- UnCommentLinesMatching "^# =/usr/include"
- UnCommentLinesMatching "^# =/usr/X11R6/include"
- UnCommentLinesMatching "^# =/usr/doc"
- UnCommentLinesMatching "^# =/usr/info"
- UnCommentLinesMatching "^# =/usr/share"
- UnCommentLinesMatching "^# =/usr/X11R6/man"
- UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
- UnCommentLinesMatching "^# !/usr/local"
- UnCommentLinesMatching "^# !/usr/src"
- AppendIfNoSuchLine "!/initrd"
- AppendIfNoSuchLine "!/.journal"
- AppendIfNoSuchLine "!/usr/local"
- AppendIfNoSuchLine "!/usr/src"
- AppendIfNoSuchLine "!/dev/cpu/mtrr"
- AppendIfNoSuchLine "!/sys"
- AppendIfNoSuchLine "!/media"
- }
- { /etc/integrit/integrit.debian.conf
- #
- # Make sure CONFIGS is set to /etc/integrit/integrit.conf
- #
- LocateLineMatching "^CONFIGS=.*"
- BeginGroupIfNoLineMatching '^CONFIGS="/etc/integrit/integrit.conf"'
- ReplaceLineWith 'CONFIGS="/etc/integrit/integrit.conf"'
- EndGroup
- }
-# BROKEN!!! See Debian bug#153420
-# { /etc/cron.daily/integrit
-# #
-# # Uncomment defaults
-# #
-# SetCommentStart " # ! "
-# SetCommentEnd ""
-# UnCommentLinesMatching " # ! if .*"
-# UnCommentLinesMatching " # ! fi"
-# }
-
- ## logcheck section
-copy:
- #The linktype is necessary for links to be replaced with files.
- any::
- $(LocalCommon)/logcheck/ignore.d.server/local dest=$(logcheck)/ignore.d.server/local linktype=copy
- $(LocalCommon)/logcheck/ignore.d.workstation/local dest=$(logcheck)/ignore.d.workstation/local linktype=copy
- $(LocalCommon)/logcheck/violations.ignore.d/local dest=$(logcheck)/violations.ignore.d/local linktype=copy
-# NameServer::
-# $(LocalCommon)/logcheck/ignore.d.$(type)/bind dest=$(logcheck)/ignore.d/local-bind linktype=copy
-# $(LocalCommon)/logcheck/violations.ignore.d/bind dest=$(logcheck)/violations.ignore.d/local-bind linktype=copy
-#
-# FileServer::
-# $(LocalCommon)/logcheck/ignore.d.$(type)/samba dest=$(logcheck)/ignore.d/local-samba linktype=copy
-# $(LocalCommon)/logcheck/ignore.d.$(type)/netatalk dest=$(logcheck)/ignore.d/local-netatalk linktype=copy
-# $(LocalCommon)/logcheck/violations.ignore.d/samba dest=$(logcheck)/violations.ignore.d/local-samba linktype=copy
-#
-# DHCPServer::
-# $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp dest=$(logcheck)/ignore.d/local-dhcp linktype=copy
-# $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp3-common dest=$(logcheck)/ignore.d/local-dhcp3-common linktype=copy
-#
-# WWWServer::
-#
-# FTPServer::
-# $(LocalCommon)/logcheck/ignore.d.$(type)/proftpd dest=$(logcheck)/ignore.d/local-proftpd linktype=copy
-# $(LocalCommon)/logcheck/violations.ignore.d/proftpd dest=$(logcheck)/violations.ignore.d/local-proftpd linktype=copy
-#
-# IMAPServer::
-# $(LocalCommon)/logcheck/ignore.d.$(type)/uw-imap dest=$(logcheck)/ignore.d/local-uw-imap linktype=copy
-#
-# SpamAssServer::
-# $(LocalCommon)/logcheck/ignore.d.$(type)/spamassassin dest=$(logcheck)/ignore.d/local-spamassassin linktype=copy
-#
-# runs_postfix::
-# $(LocalCommon)/logcheck/ignore.d.$(type)/postfix dest=$(logcheck)/ignore.d/local-postfix linktype=copy
-# $(LocalCommon)/logcheck/violations.ignore.d/postfix dest=$(logcheck)/violations.ignore.d/local-postfix linktype=copy
-#
-# any::
-# $(LocalCommon)/logcheck/ignore.d.$(type)/ssh dest=$(logcheck)/ignore.d/local-ssh linktype=copy
-# $(LocalCommon)/logcheck/violations.ignore.d/ssh dest=$(logcheck)/violations.ignore.d/local-ssh linktype=copy
-
-shellcommands:
- install_logcheck::
- # Install logcheck if not installed already
-#BAD!!! "/usr/bin/yes no | /usr/bin/apt-get -q=2 install logcheck"