-rw-r--r--cfengine/cf.services.harden89
1 files changed, 89 insertions, 0 deletions
diff --git a/cfengine/cf.services.harden b/cfengine/cf.services.harden
index 7f29992..83b0e83 100644
--- a/cfengine/cf.services.harden
+++ b/cfengine/cf.services.harden
@@ -72,3 +72,92 @@ editfiles:
## logcheck section
#{ /etc/aide/aide.conf
#}
+ { /etc/integrit/integrit.conf
+ #
+ # Uncomment suggested defaults
+ #
+# SetCommentStart "#"
+# SetCommentEnd ""
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*root=.*"
+ ReplaceLineWith "root=/"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*known=.*"
+ ReplaceLineWith "known=/var/lib/integrit/known.cdb"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*current=.*"
+ ReplaceLineWith "current=/var/lib/integrit/current.cdb"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/cdrom"
+ ReplaceLineWith "!/cdrom"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/dev"
+ ReplaceLineWith "!/dev"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/etc"
+ ReplaceLineWith "!/etc"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/floppy"
+ ReplaceLineWith "!/floppy"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/home"
+ ReplaceLineWith "!/home"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/lost+found"
+ ReplaceLineWith "!/lost+found"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/mnt"
+ ReplaceLineWith "!/mnt"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/proc"
+ ReplaceLineWith "!/proc"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/root"
+ ReplaceLineWith "!/root"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/tmp"
+ ReplaceLineWith "!/tmp"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/var"
+ ReplaceLineWith "!/var"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*=/usr/include"
+ ReplaceLineWith "=/usr/include"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*=/usr/X11R6/include"
+ ReplaceLineWith "=/usr/X11R6/include"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*=/usr/doc"
+ ReplaceLineWith "=/usr/doc"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*=/usr/info"
+ ReplaceLineWith "=/usr/info"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*=/usr/share"
+ ReplaceLineWith "=/usr/share"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*=/usr/X11R6/man"
+ ReplaceLineWith "=/usr/X11R6/man"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*=/usr/X11R6/lib/X11/fonts"
+ ReplaceLineWith "=/usr/X11R6/lib/X11/fonts"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/usr/local"
+ ReplaceLineWith "!/usr/local"
+ ResetSearch "1"
+ LocateLineMatching "^#[[:blank:]]*!/usr/src"
+ ReplaceLineWith "!/usr/src"
+ }
+ { /etc/cron.daily/integrit
+ #
+ # Uncomment defaults
+ #
+# SetCommentStart "# ! "
+# SetCommentEnd ""
+ ResetSearch "1"
+ LocateLineMatching "^[[:blank:]]*#[[:blank:]]*# ! if [ \"\$(echo \"$output\".*"
+ ReplaceLineWith " if [ \"\$(echo \"$output\" | egrep -v '^integrit: ')\" ]; then"
+ ResetSearch "1"
+ LocateLineMatching "^[[:blank:]]*#[[:blank:]]*# ! fi"
+ ReplaceLineWith " fi"
+ }
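Review bot: The `/etc/integrit/integrit.conf` block activates the stock `!/etc`, `!/root`, `!/var` and `!/usr/local` rules, and in integrit a leading `!` drops the path and everything beneath it from the scan, so this hardening policy leaves system configuration and locally installed binaries without integrity coverage. Consider leaving those rules commented, ignoring only the volatile trees, and recording the choice in the block's header comment, e.g. `# /etc and /usr/local stay monitored; only volatile trees are ignored`. `known=/var/lib/integrit/known.cdb` also keeps the baseline on the monitored host, where anyone with root can rewrite it, so the policy should state how that file is copied to read-only or off-host storage after each update. Separately, the patterns `!/lost+found` and `# ! if [ \"\$(echo ...` contain unescaped `+`, `[` and `(`; if cfengine compiles them as POSIX extended regexes, the first will not match the literal line and the second may not compile, so bracket forms such as `lost[+]found` and `if [[] ` would be safer.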