# cfengine policy fragment (editfiles/copy/shellcommands syntax) that:
#   - adjusts the AIDE and integrit file-integrity configurations in place,
#   - distributes site-local logcheck ignore rules,
#   - defines a class for hosts where logcheck is not yet installed.
# Statement order inside each editfiles block matters: the Locate*/Goto*
# directives move a line pointer that the following edits act on.

control:

   # install_logcheck is declared up front as a class that may become defined
   # during the run (it is set by the test in the groups: section).
   AddInstallable = ( install_logcheck )

   # Base directory of the logcheck configuration; used as the copy destination.
   logcheck = ( /etc/logcheck )

   # $type indicates machine type (workstation or server). Used for logcheck paths
   # NOTE(review): in this file $(type) is referenced only by the commented-out
   # copy rules further down.
   Standalone|LtspServer::
      type = ( workstation )
   !(Standalone|LtspServer)::
      type = ( server )

groups:

   # Defined when /usr/sbin/logcheck does NOT exist, i.e. logcheck is missing.
   install_logcheck = ( '/usr/bin/test ! -e /usr/sbin/logcheck' )

   #Define classes according to the installed MTA
   runs_postfix = ( '/usr/bin/test -e /usr/sbin/postfix' )

editfiles:

   # AIDE section
   { /etc/aide/aide.conf

      #
      # Devices = p+i+n+u+g+s+b+md5+sha1
      #
      # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
      #
      # Step 1: if the file has no "Devices =" definition at all, append one.
      BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
         Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
      EndGroup
      # Step 2: move to the Devices line and rewrite it unless an acceptable
      # definition is already present.
      # NOTE(review): the acceptance pattern uses a character class
      # ([\+pinugsbmd5sha1]*), not the literal attribute list, so a Devices line
      # built from any subset or order of those characters (for example one
      # without md5/sha1) is accepted and left unchanged. If the intent is to
      # enforce exactly p+i+n+u+g+s+b+md5+sha1, the pattern should spell that
      # string out - confirm the intended strictness.
      LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
      BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?"
         ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine"
      EndGroup

      #
      # #/var/log...
      #
      # Ignore logfiles - Aide can't handle rotation
      #
      # Comments out every rule line that starts with /var/log.
      # NOTE(review): after this edit those /var/log rules are no longer active
      # in aide.conf, so changes under the commented-out paths are not reported
      # by AIDE; log tampering has to be caught by another control - confirm
      # one exists.
      HashCommentLinesMatching "^/var/log.*"

      #
      # !/dev/xconsole
      # !/dev/core
      # !/dev/ttyS*
      #
      # Position the line pointer on the first existing "!/dev/..." exclusion.
      # If none exists the locate step aborts; CatchAbort marks where editing
      # resumes, and the group below then moves to the last line instead.
      LocateLineMatching "^[[:blank:]]*\!/dev/.*"
      CatchAbort
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
         GotoLastLine
      EndGroup
      # The pattern spells "xconlsole"; presumably this removes a misspelled line
      # written by an earlier revision of this policy - confirm before changing.
      DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
      # Insert each exclusion at the line pointer only if it is not present yet
      # (an optional trailing comment on the existing line is tolerated).
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
         InsertLine "!/dev/xconsole # Added by cfengine"
      EndGroup
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
         InsertLine "!/dev/core # Added by cfengine"
      EndGroup
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
         InsertLine "!/dev/ttyS* # Added by cfengine"
      EndGroup
   }

   ## integrit section
   { /etc/integrit/integrit.conf

      #
      # Uncomment suggested defaults
      #
      # Lines in the shipped file are commented with "# "; the directives below
      # strip that prefix from the listed settings and rules.
      # NOTE(review): in integrit's rule syntax a leading "!" is understood to
      # exclude a path and everything below it, and "=" to check the directory
      # without descending - confirm against integrit.conf(5). Read that way,
      # this block removes /etc, /root, /home, /var, /tmp and /dev from
      # integrity checking, so changes to system configuration under /etc are
      # not reported by integrit. Confirm that this is intended and that /etc
      # is monitored by another tool.
      SetCommentStart "# "
      SetCommentEnd ""
      UnCommentLinesMatching "^# root=/"
      UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
      UnCommentLinesMatching "^# current=/var/lib/integrit/.*"
      UnCommentLinesMatching "^# !/cdrom"
      UnCommentLinesMatching "^# !/dev"
      UnCommentLinesMatching "^# !/etc"
      UnCommentLinesMatching "^# !/floppy"
      UnCommentLinesMatching "^# !/home"
      UnCommentLinesMatching "^# !/lost\+found"
      UnCommentLinesMatching "^# !/mnt"
      UnCommentLinesMatching "^# !/proc"
      UnCommentLinesMatching "^# !/root"
      UnCommentLinesMatching "^# !/tmp"
      UnCommentLinesMatching "^# !/var"
      UnCommentLinesMatching "^# =/usr/include"
      UnCommentLinesMatching "^# =/usr/X11R6/include"
      UnCommentLinesMatching "^# =/usr/doc"
      UnCommentLinesMatching "^# =/usr/info"
      UnCommentLinesMatching "^# =/usr/share"
      UnCommentLinesMatching "^# =/usr/X11R6/man"
      UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
      UnCommentLinesMatching "^# !/usr/local"
      UnCommentLinesMatching "^# !/usr/src"
      # Additional exclusions, appended only when the exact line is missing.
      # /usr/local and /usr/src appear both here and in the uncomment list above.
      AppendIfNoSuchLine "!/initrd"
      AppendIfNoSuchLine "!/.journal"
      AppendIfNoSuchLine "!/usr/local"
      AppendIfNoSuchLine "!/usr/src"
      AppendIfNoSuchLine "!/dev/cpu/mtrr"
      AppendIfNoSuchLine "!/sys"
      AppendIfNoSuchLine "!/media"
   }

   { /etc/integrit/integrit.debian.conf

      #
      # Make sure CONFIGS is set to /etc/integrit/integrit.conf
      #
      # NOTE(review): this block has no CatchAbort, so if the file contains no
      # CONFIGS= line the locate step presumably aborts the edit and the
      # setting is never added - confirm that is acceptable.
      LocateLineMatching "^CONFIGS=.*"
      BeginGroupIfNoLineMatching '^CONFIGS="/etc/integrit/integrit.conf"'
         ReplaceLineWith 'CONFIGS="/etc/integrit/integrit.conf"'
      EndGroup
   }

# The block below is disabled; it would have uncommented the "if ... fi" lines
# in the integrit cron job.
# BROKEN!!! See Debian bug#153420
#   { /etc/cron.daily/integrit
#      #
#      # Uncomment defaults
#      #
#      SetCommentStart " # ! "
#      SetCommentEnd ""
#      UnCommentLinesMatching " # ! if .*"
#      UnCommentLinesMatching " # ! fi"
#   }

## logcheck section
copy:

   #The linktype is necessary for links to be replaced with files.
   # Site-local logcheck rule files are copied from $(LocalCommon) into
   # $(logcheck) on every host (class any). $(LocalCommon) is not defined in
   # this part of the policy.
   # NOTE(review): judging by their directory names these files decide which
   # log lines logcheck leaves out of its reports, so whoever can write to the
   # source tree can silence alerts. No mode= or owner= is set on these copies;
   # confirm the source is writable by administrators only and that the
   # resulting permissions under /etc/logcheck are what the site expects.
   any::
      $(LocalCommon)/logcheck/ignore.d.server/local dest=$(logcheck)/ignore.d.server/local linktype=copy
      $(LocalCommon)/logcheck/ignore.d.workstation/local dest=$(logcheck)/ignore.d.workstation/local linktype=copy
      $(LocalCommon)/logcheck/violations.ignore.d/local dest=$(logcheck)/violations.ignore.d/local linktype=copy

   # Disabled per-service rule sets, kept for reference. The final rule of this
   # list (violations.ignore.d/ssh) is read as commented out like the others.
#   NameServer::
#      $(LocalCommon)/logcheck/ignore.d.$(type)/bind dest=$(logcheck)/ignore.d/local-bind linktype=copy
#      $(LocalCommon)/logcheck/violations.ignore.d/bind dest=$(logcheck)/violations.ignore.d/local-bind linktype=copy
#
#   FileServer::
#      $(LocalCommon)/logcheck/ignore.d.$(type)/samba dest=$(logcheck)/ignore.d/local-samba linktype=copy
#      $(LocalCommon)/logcheck/ignore.d.$(type)/netatalk dest=$(logcheck)/ignore.d/local-netatalk linktype=copy
#      $(LocalCommon)/logcheck/violations.ignore.d/samba dest=$(logcheck)/violations.ignore.d/local-samba linktype=copy
#
#   DHCPServer::
#      $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp dest=$(logcheck)/ignore.d/local-dhcp linktype=copy
#      $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp3-common dest=$(logcheck)/ignore.d/local-dhcp3-common linktype=copy
#
#   WWWServer::
#
#   FTPServer::
#      $(LocalCommon)/logcheck/ignore.d.$(type)/proftpd dest=$(logcheck)/ignore.d/local-proftpd linktype=copy
#      $(LocalCommon)/logcheck/violations.ignore.d/proftpd dest=$(logcheck)/violations.ignore.d/local-proftpd linktype=copy
#
#   IMAPServer::
#      $(LocalCommon)/logcheck/ignore.d.$(type)/uw-imap dest=$(logcheck)/ignore.d/local-uw-imap linktype=copy
#
#   SpamAssServer::
#      $(LocalCommon)/logcheck/ignore.d.$(type)/spamassassin dest=$(logcheck)/ignore.d/local-spamassassin linktype=copy
#
#   runs_postfix::
#      $(LocalCommon)/logcheck/ignore.d.$(type)/postfix dest=$(logcheck)/ignore.d/local-postfix linktype=copy
#      $(LocalCommon)/logcheck/violations.ignore.d/postfix dest=$(logcheck)/violations.ignore.d/local-postfix linktype=copy
#
#   any::
#      $(LocalCommon)/logcheck/ignore.d.$(type)/ssh dest=$(logcheck)/ignore.d/local-ssh linktype=copy
#      $(LocalCommon)/logcheck/violations.ignore.d/ssh dest=$(logcheck)/violations.ignore.d/local-ssh linktype=copy

shellcommands:

   install_logcheck::
      # Install logcheck if not installed already
      # NOTE(review): the only command for this class is commented out below, so
      # as written nothing is installed when logcheck is missing; the rule files
      # above are still copied. Confirm logcheck is installed by other means.
      #BAD!!! "/usr/bin/yes no | /usr/bin/apt-get -q=2 install logcheck"