cfengine/cf.services.harden



control:
    AddInstallable = ( install_logcheck )

    logcheck = ( /etc/logcheck )

    # type viser om maskinen er workstation eller server. Bruges til at linke de rigtige steder
    # hen i logcheck
    Standalone_xenux:: type = ( workstation )
    !Standalone_xenux:: type = ( server )

groups:
    install_logcheck = ( '/usr/sbin/test ! -e /usr/sbin/logcheck' )

editfiles:
    # AIDE section
    { /etc/aide/aide.conf
        #
        # Devices = p+i+n+u+g+s+b+md5+sha1
        #
        # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
        #
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
            Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
        EndGroup
        LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?"
            ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine"
        EndGroup
        #
        # #/var/log...
        #
        # Ignore logfiles - Aide can't handle rotation
        #
        HashCommentLinesMatching "^/var/log.*"
        #
        # !/dev/xconsole
        # !/dev/core
        # !/dev/ttyS*
        #
        LocateLineMatching "^[[:blank:]]*\!/dev/.*"
        CatchAbort
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
            GotoLastLine
        EndGroup
        DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/xconsole # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/core # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/ttyS* # Added by cfengine"
        EndGroup
    }
    ## logcheck section
    #{ /etc/aide/aide.conf
    #}
    { /etc/integrit/integrit.conf
        #
        # Uncomment suggested defaults
        #
        SetCommentStart "# "
        SetCommentEnd ""
        UnCommentLinesMatching "^# root=/"
        UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
        UnCommentLinesMatching "^# current=/var/lib/integrit/.*"
        UnCommentLinesMatching "^# !/cdrom"
        UnCommentLinesMatching "^# !/dev"
        UnCommentLinesMatching "^# !/etc"
        UnCommentLinesMatching "^# !/floppy"
        UnCommentLinesMatching "^# !/home"
        UnCommentLinesMatching "^# !/lost\+found"
        UnCommentLinesMatching "^# !/mnt"
        UnCommentLinesMatching "^# !/proc"
        UnCommentLinesMatching "^# !/root"
        UnCommentLinesMatching "^# !/tmp"
        UnCommentLinesMatching "^# !/var"
        UnCommentLinesMatching "^# =/usr/include"
        UnCommentLinesMatching "^# =/usr/X11R6/include"
        UnCommentLinesMatching "^# =/usr/doc"
        UnCommentLinesMatching "^# =/usr/info"
        UnCommentLinesMatching "^# =/usr/share"
        UnCommentLinesMatching "^# =/usr/X11R6/man"
        UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
        UnCommentLinesMatching "^# !/usr/local"
        UnCommentLinesMatching "^# !/usr/src"
        AppendIfNoSuchLine "!/initrd"
        AppendIfNoSuchLine "!/.journal"
        AppendIfNoSuchLine "!/usr/local"
        AppendIfNoSuchLine "!/usr/src"
        AppendIfNoSuchLine "!/dev/cpu/mtrr"
    }
    { /etc/cron.daily/integrit
        #
        # Uncomment defaults
        #
        SetCommentStart "    # ! "
        SetCommentEnd ""
        UnCommentLinesMatching "    # ! if .*"
        UnCommentLinesMatching "    # ! fi"
    }

links:
    NameServer::
        $(logcheck)/ignore.d/local-bind -> $(LocalCommon)/logcheck/ignore.d.$(type)/bind
        $(logcheck)/violations.ignore.d/local-bind -> $(LocalCommon)/logcheck/violations.ignore.d/bind

    FileServer::
        $(logcheck)/ignore.d/local-samba -> $(LocalCommon)/logcheck/ignore.d.$(type)/samba
        $(logcheck)/ignore.d/local-netatalk -> $(LocalCommon)/logcheck/ignore.d.$(type)/netatalk
        $(logcheck)/violations.ignore.d/local-samba -> $(LocalCommon)/logcheck/violations.ignore.d/samba

    DHCPServer::
        $(logcheck)/ignore.d/local-dhcp -> $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp
        $(logcheck)/ignore.d/local-dhcp3-common -> $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp3-common

    WWWServer::

    FTPServer::
        $(logcheck)/ignore.d/local-proftpd -> $(LocalCommon)/logcheck/ignore.d.$(type)/proftpd
        $(logcheck)/violations.ignore.d/local-proftpd -> $(LocalCommon)/logcheck/violations.ignore.d/proftpd

    IMAPServer::
        $(logcheck)/ignore.d/local-uw-imap -> $(LocalCommon)/logcheck/ignore.d.$(type)/uw-imap

    any::
        # Sættes alt efter om det er server eller workstation. Pakken peger på workstation
        $(logcheck)/ignore.d ->! $(logcheck)/ignore.d.$(type)
        $(logcheck)/logcheck.ignore ->! $(logcheck)/logcheck.ignore.$(type)

        $(logcheck)/ignore.d/local-ssh -> $(LocalCommon)/logcheck/ignore.d.$(type)/ssh
        $(logcheck)/ignore.d/local-postfix -> $(LocalCommon)/logcheck/ignore.d.$(type)/postfix

        $(logcheck)/violations.ignore.d/local-ssh -> $(LocalCommon)/logcheck/violations.ignore.d/ssh
        $(logcheck)/violations.ignore.d/local-postfix -> $(LocalCommon)/logcheck/violations.ignore.d/postfix

shellcommands:
    install_logcheck::
        #Installerer logcheck hvis ikke allerede er
        "/usr/bin/yes no | /usr/bin/apt-get -q=2 install logcheck"