path: root/cfengine/cf.services.harden

editfiles:
    # AIDE section
    { /etc/aide/aide.conf
        #
        # Logs = p+n+u+g
        #
        # Debian rotates its logfiles, so ignore inode, number of inodes and growing size
        #
        BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$"
            Append "Logs = p+n+u+g # Added by cfengine"
        EndGroup
        LocateLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$"
        BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=[[:blank:]][\+pug]*([[:blank:]]+(#.*)?)?"
            ReplaceLineWith "Logs = p+u+g # Edited by cfengine"
        EndGroup
        #
        # Devices = p+i+n+u+g+s+b+md5+sha1
        #
        # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
        #
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$"
            Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
        EndGroup
        LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$"
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbcmd5sha1]*([[:blank:]]+(#.*)?)?"
            ReplaceLineWith "Devices = p+i+n+u+g+s+b+c+md5+sha1 # Edited by cfengine"
        EndGroup
        #
        # #/var/log/aide/...
        # #/var/log/setuid...
        #
        # Treat these as regular logfiles - they are rotated as well
        #
        HashCommentLinesMatching "^/var/log/aide/.*"
        HashCommentLinesMatching "^/var/log/setuid.*"
        #
        # #/var/log$ StaticDir
        #
        SetCommentStart "#"
        SetCommentEnd ""
# bug!      CommentLinesMatching "^/var/log\$[[:blank:]]StaticDir.*"
#       LocateLineMatching "^/var/log\$[[:blank:]]StaticDir.*"
# bug!      CommentNLines "1"
        LocateLineMatching "^/var/log\$[[:blank:]]StaticDir[[:blank:]]*"
        ReplaceLineWith "#/var/log$ StaticDir"
        CatchAbort
        #
        # !/dev/log
        # !/dev/xconsole
        # !/dev/core
        # !/dev/ttyS*
        #
        LocateLineMatching "^[[:blank:]]*\!/dev/.*"
        CatchAbort
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
            GotoLastLine
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/log([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/log # Added by cfengine"
        EndGroup
        DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/xconsole # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/core # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/ttyS* # Added by cfengine"
        EndGroup
    }
    ## logcheck section
    #{ /etc/aide/aide.conf
    #}