cfengine/cf.services.harden



editfiles:
    # AIDE section
    { /etc/aide/aide.conf
        #
        # Logs = p+n+u+g
        #
        # Debian rotates its logfiles, so ignore inode, number of inodes and growing size
        #
        BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$"
            Append "Logs = p+n+u+g # Added by cfengine"
        EndGroup
        LocateLineMatching "^[[:blank:]]*Logs[[:blank:]]*=.*$"
        BeginGroupIfNoLineMatching "^[[:blank:]]*Logs[[:blank:]]*=[[:blank:]][\+pug]*([[:blank:]]+(#.*)?)?"
            ReplaceLineWith "Logs = p+u+g # Edited by cfengine"
        EndGroup
        #
        # Devices = p+i+n+u+g+s+b+md5+sha1
        #
        # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
        #
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$"
            Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
        EndGroup
        LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*$"
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbcmd5sha1]*([[:blank:]]+(#.*)?)?"
            ReplaceLineWith "Devices = p+i+n+u+g+s+b+c+md5+sha1 # Edited by cfengine"
        EndGroup
        #
        # #/var/log/aide/...
        # #/var/log/setuid...
        #
        # Treat these as regular logfiles - they are rotated as well
        #
        HashCommentLinesMatching "^/var/log/aide/.*"
        HashCommentLinesMatching "^/var/log/setuid.*"
        #
        # #/var/log$ StaticDir
        #
        SetCommentStart "#"
        SetCommentEnd ""
# bug!      CommentLinesMatching "^/var/log\$[[:blank:]]StaticDir.*"
#       LocateLineMatching "^/var/log\$[[:blank:]]StaticDir.*"
# bug!      CommentNLines "1"
        LocateLineMatching "^/var/log\$[[:blank:]]StaticDir[[:blank:]]*"
        ReplaceLineWith "#/var/log$ StaticDir"
        CatchAbort
        #
        # !/dev/log
        # !/dev/xconsole
        # !/dev/core
        # !/dev/ttyS*
        #
        LocateLineMatching "^[[:blank:]]*\!/dev/.*"
        CatchAbort
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
            GotoLastLine
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/log([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/log # Added by cfengine"
        EndGroup
        DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/xconsole # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/core # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/ttyS* # Added by cfengine"
        EndGroup
    }
    ## logcheck section
    #{ /etc/aide/aide.conf
    #}
    { /etc/integrit/integrit.conf
        #
        # Uncomment suggested defaults
        #
#       SetCommentStart "#"
#       SetCommentEnd ""
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*root=.*"
        ReplaceLineWith "root=/"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*known=.*"
        ReplaceLineWith "known=/var/lib/integrit/known.cdb"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*current=.*"
        ReplaceLineWith "current=/var/lib/integrit/current.cdb"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/cdrom"
        ReplaceLineWith "!/cdrom"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/dev"
        ReplaceLineWith "!/dev"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/etc"
        ReplaceLineWith "!/etc"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/floppy"
        ReplaceLineWith "!/floppy"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/home"
        ReplaceLineWith "!/home"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/lost\+found"
        ReplaceLineWith "!/lost+found"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/mnt"
        ReplaceLineWith "!/mnt"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/proc"
        ReplaceLineWith "!/proc"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/root"
        ReplaceLineWith "!/root"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/tmp"
        ReplaceLineWith "!/tmp"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/var"
        ReplaceLineWith "!/var"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*=/usr/include"
        ReplaceLineWith "=/usr/include"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*=/usr/X11R6/include"
        ReplaceLineWith "=/usr/X11R6/include"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*=/usr/doc"
        ReplaceLineWith "=/usr/doc"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*=/usr/info"
        ReplaceLineWith "=/usr/info"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*=/usr/share"
        ReplaceLineWith "=/usr/share"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*=/usr/X11R6/man"
        ReplaceLineWith "=/usr/X11R6/man"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*=/usr/X11R6/lib/X11/fonts"
        ReplaceLineWith "=/usr/X11R6/lib/X11/fonts"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/usr/local"
        ReplaceLineWith "!/usr/local"
        ResetSearch "1"
        LocateLineMatching "^#[[:blank:]]*!/usr/src"
        ReplaceLineWith "!/usr/src"
    }
    { /etc/cron.daily/integrit
        #
        # Uncomment defaults
        #
#       SetCommentStart "# ! "
#       SetCommentEnd ""
        ResetSearch "1"
        LocateLineMatching '^[[:blank:]]*\#[[:blank:]]*\# ! if \[ "$\(echo "$output".*'
        ReplaceLineWith '    if [ "$\(echo "$output" | egrep -v "^integrit: ")" ]; then'
        ResetSearch "1"
        LocateLineMatching "^[[:blank:]]*#[[:blank:]]*# ! fi"
        ReplaceLineWith "    fi"
    }