Diffstat (limited to 'cfengine/cf.services.harden')
-rw-r--r--cfengine/cf.services.harden66
1 files changed, 66 insertions, 0 deletions
diff --git a/cfengine/cf.services.harden b/cfengine/cf.services.harden
new file mode 100644
index 0000000..1953c88
--- /dev/null
+++ b/cfengine/cf.services.harden
@@ -0,0 +1,66 @@
+editfiles:
+ { /etc/aide/aide.conf
+ #
+ # Logs = p+n+u+g
+ #
+ # Debian rotates its logfiles, so ignore inode, number of inodes and growing size
+ #
+ BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$"
+ Append "Logs = p+n+u+g # Added by cfengine"
+ EndGroup
+ LocateLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=[[:blank:]][\+pug]*([[:blank:]]+(#.*)?)?"
+ ReplaceLineWith "Logs = p+u+g # Edited by cfengine"
+ EndGroup
+ #
+ # Devices = p+i+n+u+g+s+b+md5+sha1
+ #
+ # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
+ #
+ BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$"
+ Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
+ EndGroup
+ LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbcmd5sha1]*([[:blank:]]+(#.*)?)?"
+ ReplaceLineWith "Devices = p+i+n+u+g+s+b+c+md5+sha1 # Edited by cfengine"
+ EndGroup
+ #
+ # #/var/log/aide/...
+ # #/var/log/setuid...
+ #
+ # Treat these as regular logfiles - they are rotated as well
+ #
+ HashCommentLinesMatching "^/var/log/aide/.*"
+ HashCommentLinesMatching "^/var/log/setuid.*"
+ #
+ # #/var/log$ StaticDir
+ #
+ SetCommentStart "#"
+ SetCommentEnd ""
+# bug! CommentLinesMatching "^/var/log\$[[:blank:]]StaticDir.*"
+# LocateLineMatching "^/var/log\$[[:blank:]]StaticDir.*"
+# bug! CommentNLines "1"
+ LocateLineMatching "^/var/log\$[[:blank:]]StaticDir[[:blank:]]*"
+ ReplaceLineWith "#/var/log$ StaticDir"
+ CatchAbort
+ #
+ # !/dev/log
+ # !/dev/xconsole
+ # !/dev/core
+ #
+ LocateLineMatching "^[[:blank:]]*\!/dev/.*"
+ CatchAbort
+ BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
+ GotoLastLine
+ EndGroup
+ BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/log([[:blank:]]+(#.*)?)?"
+ InsertLine "!/dev/log # Added by cfengine"
+ EndGroup
+ DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
+ BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
+ InsertLine "!/dev/xconsole # Added by cfengine"
+ EndGroup
+ BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
+ InsertLine "!/dev/core # Added by cfengine"
+ EndGroup
+ }
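Review bot: The `Append` and `ReplaceLineWith` branches for the same key write different policies: `Logs` is appended as `p+n+u+g` (matching the comment above it) but replaced with `p+u+g`, and `Devices` is appended without `c` (matching the "Ignore ctime" comment) but replaced with `+c+`, so the resulting aide.conf rule depends on whether the key already existed rather than on the stated intent. If cfengine 2 anchors these patterns to the whole line, as I believe it does, the appended `Logs = p+n+u+g` line also fails the acceptance class `[\+pug]*` and is immediately rewritten to `p+u+g`, so the `n` attribute is never kept in practice. Pick one attribute set per key, state it in the comment, and use it in both lines, e.g. `Append "Logs = p+u+g # Added by cfengine"` or the reverse, and likewise for `Devices`. The acceptance classes are character sets (`[\+pinugsbcmd5sha1]*` accepts any arrangement of those characters, including nonsense attribute strings), so they only loosely validate an existing line; a comment saying this is a sanity check rather than a full parse would help the next maintainer. The `DeleteLinesMatching "^\!/dev/xconlsole ..."` line looks like a deliberate cleanup of an earlier typo; if so, a one-line comment saying so would stop it being "fixed" to `xconsole` later.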