path: root/cfengine/cf.services.harden

editfiles:
    # AIDE section
    { /etc/aide/aide.conf
        #
        # Devices = p+i+n+u+g+s+b+md5+sha1
        #
        # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
        #
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
            Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
        EndGroup
        LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?"
            ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine"
        EndGroup
        #
        # #/var/log...
        #
        # Ignore logfiles - Aide can't handle rotation
        #
        HashCommentLinesMatching "^/var/log.*"
        #
        # !/dev/xconsole
        # !/dev/core
        # !/dev/ttyS*
        #
        LocateLineMatching "^[[:blank:]]*\!/dev/.*"
        CatchAbort
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
            GotoLastLine
        EndGroup
        DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/xconsole # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/core # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/ttyS* # Added by cfengine"
        EndGroup
    }
    ## logcheck section
    #{ /etc/aide/aide.conf
    #}
    { /etc/integrit/integrit.conf
        #
        # Uncomment suggested defaults
        #
        SetCommentStart "# "
        SetCommentEnd ""
        UnCommentLinesMatching "^# root=/"
        UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
        UnCommentLinesMatching "^# current=/var/lib/integrit/.*"
        UnCommentLinesMatching "^# !/cdrom"
        UnCommentLinesMatching "^# !/dev"
        UnCommentLinesMatching "^# !/etc"
        UnCommentLinesMatching "^# !/floppy"
        UnCommentLinesMatching "^# !/home"
        UnCommentLinesMatching "^# !/lost\+found"
        UnCommentLinesMatching "^# !/mnt"
        UnCommentLinesMatching "^# !/proc"
        UnCommentLinesMatching "^# !/root"
        UnCommentLinesMatching "^# !/tmp"
        UnCommentLinesMatching "^# !/var"
        UnCommentLinesMatching "^# =/usr/include"
        UnCommentLinesMatching "^# =/usr/X11R6/include"
        UnCommentLinesMatching "^# =/usr/doc"
        UnCommentLinesMatching "^# =/usr/info"
        UnCommentLinesMatching "^# =/usr/share"
        UnCommentLinesMatching "^# =/usr/X11R6/man"
        UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
        UnCommentLinesMatching "^# !/usr/local"
        UnCommentLinesMatching "^# !/usr/src"
        AppendIfNoSuchLine "!/initrd"
        AppendIfNoSuchLine "!/.journal"
        AppendIfNoSuchLine "!/usr/local"
        AppendIfNoSuchLine "!/usr/src"
        AppendIfNoSuchLine "!/dev/cpu/mtrr"
    }
    { /etc/cron.daily/integrit
        #
        # Uncomment defaults
        #
        SetCommentStart "    # ! "
        SetCommentEnd ""
        UnCommentLinesMatching "    # ! if .*"
        UnCommentLinesMatching "    # ! fi"
    }