# cfengine policy fragment for host integrity checking and log review:
# it edits the AIDE and integrit configuration, enables a block in the
# integrit cron script, and links local logcheck ignore rules into place.
# Class names (Standalone_xenux, NameServer, ...) and $(LocalCommon) are
# not defined in this fragment; they must come from elsewhere in the policy.

control:

   # Base directory of the logcheck configuration.
   logcheck = ( /etc/logcheck )

   # "type" records whether the machine is a workstation or a server.
   # It is used below to link to the right places in the logcheck tree.
   Standalone_xenux::
      type = ( workstation )
   !Standalone_xenux::
      type = ( server )

editfiles:

   # AIDE section
   { /etc/aide/aide.conf

      #
      # Devices = p+i+n+u+g+s+b+md5+sha1
      #
      # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
      #
      # Step 1: if the file has no Devices definition at all, append one.
      BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
         Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
      EndGroup

      # Step 2: move to the Devices line and rewrite it unless its value
      # already passes the pattern below.
      # NOTE(review): the bracket expression is a character class, so the
      # pattern accepts any value built from those characters (a shorter
      # attribute list without the hashes, for example), not only the exact
      # string above. Such a line would presumably be left unrepaired -
      # confirm that is intended, or match the literal value instead.
      LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
      BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?"
         ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine"
      EndGroup

      #
      # #/var/log...
      #
      # Ignore logfiles - Aide can't handle rotation
      #
      # NOTE(review): once these rules are commented out AIDE reports nothing
      # for paths under /var/log, so changes to log files have to be caught
      # by another control - confirm one is in place.
      HashCommentLinesMatching "^/var/log.*"

      #
      # !/dev/xconsole
      # !/dev/core
      # !/dev/ttyS*
      #
      # Position the edit pointer at an existing "!/dev/..." exclusion.
      # CatchAbort lets editing continue when none is found; in that case
      # the group below moves to the last line, so the insertions that
      # follow go at the end of the file.
      LocateLineMatching "^[[:blank:]]*\!/dev/.*"
      CatchAbort
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
         GotoLastLine
      EndGroup

      # The misspelling "xconlsole" in this pattern looks deliberate: it
      # presumably removes a line written by an earlier revision of this
      # policy - confirm before "correcting" it.
      DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"

      # Add each exclusion only if it is not already present, with or
      # without a trailing comment.
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
         InsertLine "!/dev/xconsole # Added by cfengine"
      EndGroup
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
         InsertLine "!/dev/core # Added by cfengine"
      EndGroup
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
         InsertLine "!/dev/ttyS* # Added by cfengine"
      EndGroup
   }

   ## logcheck section
   #{ /etc/aide/aide.conf
   #}

   { /etc/integrit/integrit.conf

      #
      # Uncomment suggested defaults
      #
      # Lines that start with "# " are treated as commented out; the
      # UnComment actions below strip that prefix from the matching lines.
      SetCommentStart "# "
      SetCommentEnd ""

      # Database root and the locations of the known/current databases.
      UnCommentLinesMatching "^# root=/"
      UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
      UnCommentLinesMatching "^# current=/var/lib/integrit/.*"

      # Path rules. In integrit's rule syntax a leading "!" is understood to
      # exclude the path and everything below it, and "=" to check the
      # directory without descending - verify against the installed version.
      # NOTE(review): enabling !/etc, !/root, !/home and !/var takes those
      # trees out of integrit's checks; /etc in particular holds
      # security-relevant configuration. Confirm the exclusions are intended
      # and that another check covers those paths.
      UnCommentLinesMatching "^# !/cdrom"
      UnCommentLinesMatching "^# !/dev"
      UnCommentLinesMatching "^# !/etc"
      UnCommentLinesMatching "^# !/floppy"
      UnCommentLinesMatching "^# !/home"
      UnCommentLinesMatching "^# !/lost\+found"
      UnCommentLinesMatching "^# !/mnt"
      UnCommentLinesMatching "^# !/proc"
      UnCommentLinesMatching "^# !/root"
      UnCommentLinesMatching "^# !/tmp"
      UnCommentLinesMatching "^# !/var"
      UnCommentLinesMatching "^# =/usr/include"
      UnCommentLinesMatching "^# =/usr/X11R6/include"
      UnCommentLinesMatching "^# =/usr/doc"
      UnCommentLinesMatching "^# =/usr/info"
      UnCommentLinesMatching "^# =/usr/share"
      UnCommentLinesMatching "^# =/usr/X11R6/man"
      UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
      UnCommentLinesMatching "^# !/usr/local"
      UnCommentLinesMatching "^# !/usr/src"

      # Site-specific exclusions, appended only when missing. The
      # /usr/local and /usr/src entries repeat the uncommented defaults
      # above, so they are added only if the packaged file lacks them.
      AppendIfNoSuchLine "!/initrd"
      AppendIfNoSuchLine "!/.journal"
      AppendIfNoSuchLine "!/usr/local"
      AppendIfNoSuchLine "!/usr/src"
      AppendIfNoSuchLine "!/dev/cpu/mtrr"
   }

   { /etc/cron.daily/integrit

      #
      # Uncomment defaults
      #
      # Presumably this enables the if ... fi block that runs the daily
      # check in the packaged cron script - confirm against that script.
      # NOTE(review): the comment-start string and both patterns depend on
      # the exact whitespace used in the packaged file; verify they still
      # match, otherwise the block stays commented out without any error.
      SetCommentStart " # ! "
      SetCommentEnd ""
      UnCommentLinesMatching " # ! if .*"
      UnCommentLinesMatching " # ! fi"
   }

links:

   # Each entry makes the path on the left a symbolic link to the path on
   # the right. Entries under ignore.d select the rule set for this
   # machine's $(type); entries under violations.ignore.d are shared by
   # both types.
   # NOTE(review): rules in violations.ignore.d suppress lines that logcheck
   # would otherwise report, and they are read through links into
   # $(LocalCommon). Write access to that tree therefore decides what gets
   # filtered out of the reports - verify its ownership and permissions.

   NameServer::
      $(logcheck)/ignore.d/local-bind -> $(LocalCommon)/logcheck/ignore.d.$(type)/bind
      $(logcheck)/violations.ignore.d/local-bind -> $(LocalCommon)/logcheck/violations.ignore.d/bind

   FileServer::
      $(logcheck)/ignore.d/local-samba -> $(LocalCommon)/logcheck/ignore.d.$(type)/samba
      $(logcheck)/ignore.d/local-netatalk -> $(LocalCommon)/logcheck/ignore.d.$(type)/netatalk
      $(logcheck)/violations.ignore.d/local-samba -> $(LocalCommon)/logcheck/violations.ignore.d/samba

   DHCPServer::
      $(logcheck)/ignore.d/local-dhcp -> $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp
      $(logcheck)/ignore.d/local-dhcp3-common -> $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp3-common

   # No logcheck links are defined for this class.
   WWWServer::

   FTPServer::
      $(logcheck)/ignore.d/local-proftpd -> $(LocalCommon)/logcheck/ignore.d.$(type)/proftpd
      $(logcheck)/violations.ignore.d/local-proftpd -> $(LocalCommon)/logcheck/violations.ignore.d/proftpd

   IMAPServer::
      $(logcheck)/ignore.d/local-uw-imap -> $(LocalCommon)/logcheck/ignore.d.$(type)/uw-imap

   any::
      # Set according to whether this is a server or a workstation.
      # The package points to workstation.
      # "->!" forces the link, replacing whatever the package installed at
      # that path.
      # NOTE(review): the per-class links above are created through
      # $(logcheck)/ignore.d, which is only re-pointed here. On a first run
      # they may land in the directory the package default points at -
      # confirm that a second run converges.
      $(logcheck)/ignore.d ->! $(logcheck)/ignore.d.$(type)
      $(logcheck)/logcheck.ignore ->! $(logcheck)/logcheck.ignore.$(type)
      $(logcheck)/ignore.d/local-ssh -> $(LocalCommon)/logcheck/ignore.d.$(type)/ssh
      $(logcheck)/ignore.d/local-postfix -> $(LocalCommon)/logcheck/ignore.d.$(type)/postfix
      $(logcheck)/violations.ignore.d/local-ssh -> $(LocalCommon)/logcheck/violations.ignore.d/ssh
      $(logcheck)/violations.ignore.d/local-postfix -> $(LocalCommon)/logcheck/violations.ignore.d/postfix