path: root/cfengine/cf.services.harden
blob: 590af5bd0be047948f281ceb9ac9e58cb7396394 (plain)
  # control: variables and settings used by the rest of this file.
  control:
      # Declare install_logcheck as a class that may become defined during the
      # run; the groups: section sets it from a file test.
      AddInstallable = ( install_logcheck )
      # Base directory of the logcheck configuration, used in the copy: section.
      logcheck = ( /etc/logcheck )
      # $type indicates machine type (workstation or server). Used for logcheck paths
      # Exactly one of the two class-guarded assignments below applies, because
      # the second guard is the negation of the first.
      Standalone|LtspServer:: type = ( workstation )
      !(Standalone|LtspServer):: type = ( server )
  # groups: classes derived from file-existence tests run on the host.
  groups:
      # Set when /usr/sbin/logcheck does not exist; gates the package install
      # in shellcommands:.
      install_logcheck = ( '/usr/bin/test ! -e /usr/sbin/logcheck' )
      #Define classes according to the installed MTA
      # Set when /usr/sbin/postfix exists.
      runs_postfix = ( '/usr/bin/test -e /usr/sbin/postfix' )
  11. editfiles:
  12. # AIDE section
  { /etc/aide/aide.conf
      # Converges three things in the AIDE configuration: a "Devices" rule
      # group without ctime, no rules for /var/log, and exclusions for three
      # volatile /dev entries. The edits depend on the current-line position,
      # so the statement order matters.
      #
      # Devices = p+i+n+u+g+s+b+md5+sha1
      #
      # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
      #
      # NOTE(review): md5 and sha1 are the only digests in this group and both
      # are collision-prone; if the installed AIDE offers a stronger digest,
      # consider adding it - confirm against the AIDE version in use.
      #
      # Step 1: if the file has no Devices definition at all, append one.
      BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
          Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
      EndGroup
      # Step 2: position on the Devices line and rewrite it unless an
      # acceptable definition is already present.
      LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
      # NOTE(review): the bracket expression accepts any run of the characters
      # + p i n u g s b m d 5 h a 1 after "= ", not the exact flag list, so a
      # shorter list (for example one with the digests removed) also counts as
      # present and is left alone. What it does reject is a flag outside that
      # set, such as "c" for ctime.
      BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?"
          ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine"
      EndGroup
      #
      # #/var/log...
      #
      # Ignore logfiles - Aide can't handle rotation
      #
      # NOTE(review): this comments out every rule that starts with /var/log,
      # so AIDE no longer reports changes to log files; tampering with logs
      # has to be detected some other way.
      HashCommentLinesMatching "^/var/log.*"
      #
      # !/dev/xconsole
      # !/dev/core
      # !/dev/ttyS*
      #
      # Position on an existing "!/dev/..." exclusion so new ones are added
      # next to it.
      LocateLineMatching "^[[:blank:]]*\!/dev/.*"
      # Presumably the resume point when the LocateLineMatching above finds no
      # line - confirm against the cfengine 2 editfiles reference.
      CatchAbort
      # With no existing "!/dev/..." line, fall back to the end of the file.
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
          GotoLastLine
      EndGroup
      # Removes a misspelled entry ("xconlsole"); presumably clean-up after an
      # earlier revision of this file that inserted it.
      DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
      # Each group below adds one exclusion only when it is missing, which
      # keeps repeated runs from duplicating lines.
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
          InsertLine "!/dev/xconsole # Added by cfengine"
      EndGroup
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
          InsertLine "!/dev/core # Added by cfengine"
      EndGroup
      BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
          InsertLine "!/dev/ttyS* # Added by cfengine"
      EndGroup
  }
  53. ## integrit section
  { /etc/integrit/integrit.conf
      # Enables the commented-out defaults in integrit.conf and appends a few
      # extra exclusions.
      #
      # Uncomment suggested defaults
      #
      # Comment delimiters used by the UnCommentLinesMatching calls below: a
      # line counts as commented when it starts with "# " and has no closing
      # marker.
      SetCommentStart "# "
      SetCommentEnd ""
      # Database locations and the root of the checked tree.
      UnCommentLinesMatching "^# root=/"
      UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
      UnCommentLinesMatching "^# current=/var/lib/integrit/.*"
      # Rules prefixed with "!" - presumably integrit's "ignore this path and
      # everything below it" marker; verify against the integrit documentation.
      # NOTE(review): if so, /etc, /root, /home and /var fall outside
      # integrit's coverage once these lines are active. /etc in particular
      # holds security-relevant configuration; confirm the exclusion is
      # intended or that another tool watches those trees.
      UnCommentLinesMatching "^# !/cdrom"
      UnCommentLinesMatching "^# !/dev"
      UnCommentLinesMatching "^# !/etc"
      UnCommentLinesMatching "^# !/floppy"
      UnCommentLinesMatching "^# !/home"
      UnCommentLinesMatching "^# !/lost\+found"
      UnCommentLinesMatching "^# !/mnt"
      UnCommentLinesMatching "^# !/proc"
      UnCommentLinesMatching "^# !/root"
      UnCommentLinesMatching "^# !/tmp"
      UnCommentLinesMatching "^# !/var"
      # Rules prefixed with "=" - presumably "check the directory itself but
      # do not descend"; verify against the integrit documentation.
      UnCommentLinesMatching "^# =/usr/include"
      UnCommentLinesMatching "^# =/usr/X11R6/include"
      UnCommentLinesMatching "^# =/usr/doc"
      UnCommentLinesMatching "^# =/usr/info"
      UnCommentLinesMatching "^# =/usr/share"
      UnCommentLinesMatching "^# =/usr/X11R6/man"
      UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
      UnCommentLinesMatching "^# !/usr/local"
      UnCommentLinesMatching "^# !/usr/src"
      # Exclusions appended only when the exact line is absent. /usr/local and
      # /usr/src repeat the uncomment step above, so the rule ends up in the
      # file even when there is no commented default to enable.
      AppendIfNoSuchLine "!/initrd"
      AppendIfNoSuchLine "!/.journal"
      AppendIfNoSuchLine "!/usr/local"
      AppendIfNoSuchLine "!/usr/src"
      AppendIfNoSuchLine "!/dev/cpu/mtrr"
  }
  { /etc/integrit/integrit.debian.conf
      #
      # Make sure CONFIGS is set to /etc/integrit/integrit.conf
      #
      # Position on the existing CONFIGS= line.
      # NOTE(review): nothing here adds the line when it is missing;
      # presumably the edit is then abandoned - confirm.
      LocateLineMatching "^CONFIGS=.*"
      # Rewrite the line only when the wanted value is not already present.
      # Single quotes delimit the cfengine string so the double quotes stay
      # part of the text written to the file.
      BeginGroupIfNoLineMatching '^CONFIGS="/etc/integrit/integrit.conf"'
          ReplaceLineWith 'CONFIGS="/etc/integrit/integrit.conf"'
      EndGroup
  }
  98. # BROKEN!!! See Debian bug#153420
  99. # { /etc/cron.daily/integrit
  100. # #
  101. # # Uncomment defaults
  102. # #
  103. # SetCommentStart " # ! "
  104. # SetCommentEnd ""
  105. # UnCommentLinesMatching " # ! if .*"
  106. # UnCommentLinesMatching " # ! fi"
  107. # }
  108. ## logcheck section
  109. # FIXME: Put all files into $(LocalCommon)/logcheck/ignore.d.$(type)/local to support post-woody logcheck
  # copy: install the site-local logcheck filter files for this machine type.
  copy:
      #The linktype is necessary for links to be replaced with files.
      # These files list the log lines logcheck leaves out of its reports, so
      # a wrong or tampered pattern can hide events from the reader.
      # NOTE(review): no mode=, owner= or group= is given on these lines, so
      # they do not set the destination's permissions; confirm that the source
      # tree under $(LocalCommon) and the installed files are writable only by
      # administrators. $(LocalCommon) is not defined in this file.
      any::
          $(LocalCommon)/logcheck/ignore.d.$(type)/local dest=$(logcheck)/ignore.d.$(type)/local linktype=copy
          $(LocalCommon)/logcheck/violations.ignore.d/local dest=$(logcheck)/violations.ignore.d/local linktype=copy
  115. # NameServer::
  116. # $(LocalCommon)/logcheck/ignore.d.$(type)/bind dest=$(logcheck)/ignore.d/local-bind linktype=copy
  117. # $(LocalCommon)/logcheck/violations.ignore.d/bind dest=$(logcheck)/violations.ignore.d/local-bind linktype=copy
  118. #
  119. # FileServer::
  120. # $(LocalCommon)/logcheck/ignore.d.$(type)/samba dest=$(logcheck)/ignore.d/local-samba linktype=copy
  121. # $(LocalCommon)/logcheck/ignore.d.$(type)/netatalk dest=$(logcheck)/ignore.d/local-netatalk linktype=copy
  122. # $(LocalCommon)/logcheck/violations.ignore.d/samba dest=$(logcheck)/violations.ignore.d/local-samba linktype=copy
  123. #
  124. # DHCPServer::
  125. # $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp dest=$(logcheck)/ignore.d/local-dhcp linktype=copy
  126. # $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp3-common dest=$(logcheck)/ignore.d/local-dhcp3-common linktype=copy
  127. #
  128. # WWWServer::
  129. #
  130. # FTPServer::
  131. # $(LocalCommon)/logcheck/ignore.d.$(type)/proftpd dest=$(logcheck)/ignore.d/local-proftpd linktype=copy
  132. # $(LocalCommon)/logcheck/violations.ignore.d/proftpd dest=$(logcheck)/violations.ignore.d/local-proftpd linktype=copy
  133. #
  134. # IMAPServer::
  135. # $(LocalCommon)/logcheck/ignore.d.$(type)/uw-imap dest=$(logcheck)/ignore.d/local-uw-imap linktype=copy
  136. #
  137. # SpamAssServer::
  138. # $(LocalCommon)/logcheck/ignore.d.$(type)/spamassassin dest=$(logcheck)/ignore.d/local-spamassassin linktype=copy
  139. #
  140. # runs_postfix::
  141. # $(LocalCommon)/logcheck/ignore.d.$(type)/postfix dest=$(logcheck)/ignore.d/local-postfix linktype=copy
  142. # $(LocalCommon)/logcheck/violations.ignore.d/postfix dest=$(logcheck)/violations.ignore.d/local-postfix linktype=copy
  143. #
  144. # any::
  145. # $(LocalCommon)/logcheck/ignore.d.$(type)/ssh dest=$(logcheck)/ignore.d/local-ssh linktype=copy
  146. # $(LocalCommon)/logcheck/violations.ignore.d/ssh dest=$(logcheck)/violations.ignore.d/local-ssh linktype=copy
  147. #
  148. ##links:
  149. ## any::
  150. ## # Set logcheck machine type (workstation or server)
  151. ## $(logcheck)/ignore.d ->! $(logcheck)/ignore.d.$(type)
  152. ## $(logcheck)/logcheck.ignore ->! $(logcheck)/logcheck.ignore.$(type)
  # shellcommands: runs only on hosts where the install_logcheck class is set,
  # i.e. where the groups: test found no /usr/sbin/logcheck.
  shellcommands:
      install_logcheck::
          # Install logcheck if not installed already
          # NOTE(review): apt-get documents that quiet level 2 implies -y, so
          # the install, including any dependency changes, proceeds without
          # confirmation. The piped stream of "no" presumably answers prompts
          # that still read stdin (package configuration questions) - confirm.
          # The package comes from whatever APT sources the host has
          # configured; this file does not restrict them.
          "/usr/bin/yes no | /usr/bin/apt-get -q=2 install logcheck"