Update integrit handling to post-woody (giving up on bug#153420 and backport a newer integrit instead).

1 files changed, 17 insertions, 7 deletions

diff --git a/cfengine/cf.services.harden b/cfengine/cf.services.harden
index ebd5753..69ceeb1 100644
--- a/cfengine/cf.services.harden
+++ b/cfengine/cf.services.harden
@@ -55,7 +55,7 @@ editfiles:
 			InsertLine "!/dev/ttyS* # Added by cfengine"
 		EndGroup
 	}
-	## logcheck section
+	## integrit section
 	{ /etc/integrit/integrit.conf
 		#
 		# Uncomment suggested defaults
@@ -91,15 +91,25 @@ editfiles:
 		AppendIfNoSuchLine "!/usr/src"
 		AppendIfNoSuchLine "!/dev/cpu/mtrr"
 	}
-	{ /etc/cron.daily/integrit
+	{ /etc/integrit/integrit-debian.conf
 		#
-		# Uncomment defaults
+		# Make sure CONFIGS is set to /etc/integrit/integrit.conf
 		#
-		SetCommentStart "    # ! "
-		SetCommentEnd ""
-		UnCommentLinesMatching "    # ! if .*"
-		UnCommentLinesMatching "    # ! fi"
+		LocateLineMatching "^CONFIGS=.*"
+		BeginGroupIfNoLineMatching '^CONFIGS="/etc/integrit/integrit.conf"'
+			ReplaceLineWith 'CONFIGS="/etc/integrit/integrit.conf"'
+		EndGroup
 	}
+# BROKEN!!! See Debian bug#153420
+#	{ /etc/cron.daily/integrit
+#		#
+#		# Uncomment defaults
+#		#
+#		SetCommentStart "    # ! "
+#		SetCommentEnd ""
+#		UnCommentLinesMatching "    # ! if .*"
+#		UnCommentLinesMatching "    # ! fi"
+#	}
 
 	## logcheck section
 # FIXME: Put all files into $(LocalCommon)/logcheck/ignore.d.$(type)/local to support post-woody logcheck