summaryrefslogtreecommitdiff
path: root/cfengine/cf.services.harden
blob: e8678fde59b5ea1ffd063005d45e574369186c8a (plain) 
    

  1. control:
    2. 

  2.     AddInstallable = ( install_logcheck )
    3. 

  3. 

  4.     logcheck = ( /etc/logcheck )
    5. 

  5. 

  6.     # $type indicates machine type (workstation or server). Used for logcheck paths
    7. 

  7.     Standalone:: type = ( workstation )
    8. 

  8.     !Standalone:: type = ( server )
    9. 

  9. 

  10. groups:
    11. 

  11.     install_logcheck = ( '/usr/bin/test ! -e /usr/sbin/logcheck' )
    12. 

  12. 

  13.     #Define classes according to the installed MTA
    14. 

  14.     runs_postfix = ( '/usr/bin/test -e /usr/sbin/postfix' )
    15. 

  15. 

  16. editfiles:
    17. 

  17.     # AIDE section
    18. 

  18.     { /etc/aide/aide.conf
    19. 

  19.         #
    20. 

  20.         # Devices = p+i+n+u+g+s+b+md5+sha1
    21. 

  21.         #
    22. 

  22.         # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
    23. 

  23.         #
    24. 

  24.         BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
    25. 

  25.             Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
    26. 

  26.         EndGroup
    27. 

  27.         LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
    28. 

  28.         BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?"
    29. 

  29.             ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine"
    30. 

  30.         EndGroup
    31. 

  31.         #
    32. 

  32.         # #/var/log...
    33. 

  33.         #
    34. 

  34.         # Ignore logfiles - Aide can't handle rotation
    35. 

  35.         #
    36. 

  36.         HashCommentLinesMatching "^/var/log.*"
    37. 

  37.         #
    38. 

  38.         # !/dev/xconsole
    39. 

  39.         # !/dev/core
    40. 

  40.         # !/dev/ttyS*
    41. 

  41.         #
    42. 

  42.         LocateLineMatching "^[[:blank:]]*\!/dev/.*"
    43. 

  43.         CatchAbort
    44. 

  44.         BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
    45. 

  45.             GotoLastLine
    46. 

  46.         EndGroup
    47. 

  47.         DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
    48. 

  48.         BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
    49. 

  49.             InsertLine "!/dev/xconsole # Added by cfengine"
    50. 

  50.         EndGroup
    51. 

  51.         BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
    52. 

  52.             InsertLine "!/dev/core # Added by cfengine"
    53. 

  53.         EndGroup
    54. 

  54.         BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
    55. 

  55.             InsertLine "!/dev/ttyS* # Added by cfengine"
    56. 

  56.         EndGroup
    57. 

  57.     }
    58. 

  58.     ## logcheck section
    59. 

  59.     { /etc/integrit/integrit.conf
    60. 

  60.         #
    61. 

  61.         # Uncomment suggested defaults
    62. 

  62.         #
    63. 

  63.         SetCommentStart "# "
    64. 

  64.         SetCommentEnd ""
    65. 

  65.         UnCommentLinesMatching "^# root=/"
    66. 

  66.         UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
    67. 

  67.         UnCommentLinesMatching "^# current=/var/lib/integrit/.*"
    68. 

  68.         UnCommentLinesMatching "^# !/cdrom"
    69. 

  69.         UnCommentLinesMatching "^# !/dev"
    70. 

  70.         UnCommentLinesMatching "^# !/etc"
    71. 

  71.         UnCommentLinesMatching "^# !/floppy"
    72. 

  72.         UnCommentLinesMatching "^# !/home"
    73. 

  73.         UnCommentLinesMatching "^# !/lost\+found"
    74. 

  74.         UnCommentLinesMatching "^# !/mnt"
    75. 

  75.         UnCommentLinesMatching "^# !/proc"
    76. 

  76.         UnCommentLinesMatching "^# !/root"
    77. 

  77.         UnCommentLinesMatching "^# !/tmp"
    78. 

  78.         UnCommentLinesMatching "^# !/var"
    79. 

  79.         UnCommentLinesMatching "^# =/usr/include"
    80. 

  80.         UnCommentLinesMatching "^# =/usr/X11R6/include"
    81. 

  81.         UnCommentLinesMatching "^# =/usr/doc"
    82. 

  82.         UnCommentLinesMatching "^# =/usr/info"
    83. 

  83.         UnCommentLinesMatching "^# =/usr/share"
    84. 

  84.         UnCommentLinesMatching "^# =/usr/X11R6/man"
    85. 

  85.         UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
    86. 

  86.         UnCommentLinesMatching "^# !/usr/local"
    87. 

  87.         UnCommentLinesMatching "^# !/usr/src"
    88. 

  88.         AppendIfNoSuchLine "!/initrd"
    89. 

  89.         AppendIfNoSuchLine "!/.journal"
    90. 

  90.         AppendIfNoSuchLine "!/usr/local"
    91. 

  91.         AppendIfNoSuchLine "!/usr/src"
    92. 

  92.         AppendIfNoSuchLine "!/dev/cpu/mtrr"
    93. 

  93.     }
    94. 

  94.     { /etc/cron.daily/integrit
    95. 

  95.         #
    96. 

  96.         # Uncomment defaults
    97. 

  97.         #
    98. 

  98.         SetCommentStart "    # ! "
    99. 

  99.         SetCommentEnd ""
    100. 

  100.         UnCommentLinesMatching "    # ! if .*"
    101. 

  101.         UnCommentLinesMatching "    # ! fi"
    102. 

  102.     }
    103. 

  103. 

  104.     ## logcheck section
    105. 

  105. # FIXME: Put all files into $(LocalCommon)/logcheck/ignore.d.$(type)/local to support post-woody logcheck
    106. 

  106. copy:
    107. 

  107.     #The linktype is necessary for links to be replaced with files.
    108. 

  108.     any::
    109. 

  109.         $(LocalCommon)/logcheck/ignore.d.$(type)/local dest=$(logcheck)/ignore.d/local linktype=copy
    110. 

  110.         $(LocalCommon)/logcheck/violations.ignore.d/local dest=$(logcheck)/violations.ignore.d/local linktype=copy
    111. 

  111. #   NameServer::
    112. 

  112. #       $(LocalCommon)/logcheck/ignore.d.$(type)/bind dest=$(logcheck)/ignore.d/local-bind linktype=copy
    113. 

  113. #       $(LocalCommon)/logcheck/violations.ignore.d/bind dest=$(logcheck)/violations.ignore.d/local-bind linktype=copy
    114. 

  114. #
    115. 

  115. #   FileServer::
    116. 

  116. #       $(LocalCommon)/logcheck/ignore.d.$(type)/samba dest=$(logcheck)/ignore.d/local-samba linktype=copy
    117. 

  117. #       $(LocalCommon)/logcheck/ignore.d.$(type)/netatalk dest=$(logcheck)/ignore.d/local-netatalk linktype=copy
    118. 

  118. #       $(LocalCommon)/logcheck/violations.ignore.d/samba dest=$(logcheck)/violations.ignore.d/local-samba linktype=copy
    119. 

  119. #
    120. 

  120. #   DHCPServer::
    121. 

  121. #       $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp dest=$(logcheck)/ignore.d/local-dhcp linktype=copy
    122. 

  122. #       $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp3-common dest=$(logcheck)/ignore.d/local-dhcp3-common linktype=copy
    123. 

  123. #
    124. 

  124. #   WWWServer::
    125. 

  125. #
    126. 

  126. #   FTPServer::
    127. 

  127. #       $(LocalCommon)/logcheck/ignore.d.$(type)/proftpd dest=$(logcheck)/ignore.d/local-proftpd linktype=copy
    128. 

  128. #       $(LocalCommon)/logcheck/violations.ignore.d/proftpd dest=$(logcheck)/violations.ignore.d/local-proftpd linktype=copy
    129. 

  129. #
    130. 

  130. #   IMAPServer::
    131. 

  131. #       $(LocalCommon)/logcheck/ignore.d.$(type)/uw-imap dest=$(logcheck)/ignore.d/local-uw-imap linktype=copy
    132. 

  132. #
    133. 

  133. #   SpamAssServer::
    134. 

  134. #       $(LocalCommon)/logcheck/ignore.d.$(type)/spamassassin dest=$(logcheck)/ignore.d/local-spamassassin linktype=copy
    135. 

  135. #
    136. 

  136. #   runs_postfix::
    137. 

  137. #       $(LocalCommon)/logcheck/ignore.d.$(type)/postfix dest=$(logcheck)/ignore.d/local-postfix linktype=copy
    138. 

  138. #       $(LocalCommon)/logcheck/violations.ignore.d/postfix dest=$(logcheck)/violations.ignore.d/local-postfix linktype=copy
    139. 

  139. #
    140. 

  140. #   any::
    141. 

  141. #       $(LocalCommon)/logcheck/ignore.d.$(type)/ssh dest=$(logcheck)/ignore.d/local-ssh linktype=copy
    142. 

  142. #       $(LocalCommon)/logcheck/violations.ignore.d/ssh dest=$(logcheck)/violations.ignore.d/local-ssh linktype=copy
    143. 

  143. #
    144. 

  144. ##links:
    145. 

  145. ##  any::
    146. 

  146. ##      # Set logcheck machine type (workstation or server)
    147. 

  147. ##      $(logcheck)/ignore.d ->! $(logcheck)/ignore.d.$(type)
    148. 

  148. ##      $(logcheck)/logcheck.ignore ->! $(logcheck)/logcheck.ignore.$(type)
    149. 

  149.         
    150. 

  150. shellcommands:
    151. 

  151.     install_logcheck::
    152. 

  152.         # Install logcheck if not installed already
    153. 

  153.         "/usr/bin/yes no | /usr/bin/apt-get -q=2 install logcheck"
    154.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 23:46:32 +0000