summaryrefslogtreecommitdiff
path: root/cfengine/cf.services.harden
blob: b00d5e5f8242474c60f9989354aa271adfb7c296 (plain) 
    

  1. control:
    2. 

  2.     AddInstallable = ( install_logcheck )
    3. 

  3. 

  4.     logcheck = ( /etc/logcheck )
    5. 

  5. 

  6.     # $type indicates machine type (workstation or server). Used for logcheck paths
    7. 

  7.     Standalone|LtspServer:: type = ( workstation )
    8. 

  8.     !(Standalone|LtspServer):: type = ( server )
    9. 

  9. 

  10. groups:
    11. 

  11.     install_logcheck = ( '/usr/bin/test ! -e /usr/sbin/logcheck' )
    12. 

  12. 

  13.     #Define classes according to the installed MTA
    14. 

  14.     runs_postfix = ( '/usr/bin/test -e /usr/sbin/postfix' )
    15. 

  15. 

  16. editfiles:
    17. 

  17.     # AIDE section
    18. 

  18.     { /etc/aide/aide.conf
    19. 

  19.         #
    20. 

  20.         # Devices = p+i+n+u+g+s+b+md5+sha1
    21. 

  21.         #
    22. 

  22.         # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
    23. 

  23.         #
    24. 

  24.         BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
    25. 

  25.             Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
    26. 

  26.         EndGroup
    27. 

  27.         LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
    28. 

  28.         BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?"
    29. 

  29.             ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine"
    30. 

  30.         EndGroup
    31. 

  31.         #
    32. 

  32.         # #/var/log...
    33. 

  33.         #
    34. 

  34.         # Ignore logfiles - Aide can't handle rotation
    35. 

  35.         #
    36. 

  36.         HashCommentLinesMatching "^/var/log.*"
    37. 

  37.         #
    38. 

  38.         # !/dev/xconsole
    39. 

  39.         # !/dev/core
    40. 

  40.         # !/dev/ttyS*
    41. 

  41.         #
    42. 

  42.         LocateLineMatching "^[[:blank:]]*\!/dev/.*"
    43. 

  43.         CatchAbort
    44. 

  44.         BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
    45. 

  45.             GotoLastLine
    46. 

  46.         EndGroup
    47. 

  47.         DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
    48. 

  48.         BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
    49. 

  49.             InsertLine "!/dev/xconsole # Added by cfengine"
    50. 

  50.         EndGroup
    51. 

  51.         BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
    52. 

  52.             InsertLine "!/dev/core # Added by cfengine"
    53. 

  53.         EndGroup
    54. 

  54.         BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
    55. 

  55.             InsertLine "!/dev/ttyS* # Added by cfengine"
    56. 

  56.         EndGroup
    57. 

  57.     }
    58. 

  58.     ## integrit section
    59. 

  59.     { /etc/integrit/integrit.conf
    60. 

  60.         #
    61. 

  61.         # Uncomment suggested defaults
    62. 

  62.         #
    63. 

  63.         SetCommentStart "# "
    64. 

  64.         SetCommentEnd ""
    65. 

  65.         UnCommentLinesMatching "^# root=/"
    66. 

  66.         UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
    67. 

  67.         UnCommentLinesMatching "^# current=/var/lib/integrit/.*"
    68. 

  68.         UnCommentLinesMatching "^# !/cdrom"
    69. 

  69.         UnCommentLinesMatching "^# !/dev"
    70. 

  70.         UnCommentLinesMatching "^# !/etc"
    71. 

  71.         UnCommentLinesMatching "^# !/floppy"
    72. 

  72.         UnCommentLinesMatching "^# !/home"
    73. 

  73.         UnCommentLinesMatching "^# !/lost\+found"
    74. 

  74.         UnCommentLinesMatching "^# !/mnt"
    75. 

  75.         UnCommentLinesMatching "^# !/proc"
    76. 

  76.         UnCommentLinesMatching "^# !/root"
    77. 

  77.         UnCommentLinesMatching "^# !/tmp"
    78. 

  78.         UnCommentLinesMatching "^# !/var"
    79. 

  79.         UnCommentLinesMatching "^# =/usr/include"
    80. 

  80.         UnCommentLinesMatching "^# =/usr/X11R6/include"
    81. 

  81.         UnCommentLinesMatching "^# =/usr/doc"
    82. 

  82.         UnCommentLinesMatching "^# =/usr/info"
    83. 

  83.         UnCommentLinesMatching "^# =/usr/share"
    84. 

  84.         UnCommentLinesMatching "^# =/usr/X11R6/man"
    85. 

  85.         UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
    86. 

  86.         UnCommentLinesMatching "^# !/usr/local"
    87. 

  87.         UnCommentLinesMatching "^# !/usr/src"
    88. 

  88.         AppendIfNoSuchLine "!/initrd"
    89. 

  89.         AppendIfNoSuchLine "!/.journal"
    90. 

  90.         AppendIfNoSuchLine "!/usr/local"
    91. 

  91.         AppendIfNoSuchLine "!/usr/src"
    92. 

  92.         AppendIfNoSuchLine "!/dev/cpu/mtrr"
    93. 

  93.         AppendIfNoSuchLine "!/sys"
    94. 

  94.         AppendIfNoSuchLine "!/media"
    95. 

  95.     }
    96. 

  96.     { /etc/integrit/integrit.debian.conf
    97. 

  97.         #
    98. 

  98.         # Make sure CONFIGS is set to /etc/integrit/integrit.conf
    99. 

  99.         #
    100. 

  100.         LocateLineMatching "^CONFIGS=.*"
    101. 

  101.         BeginGroupIfNoLineMatching '^CONFIGS="/etc/integrit/integrit.conf"'
    102. 

  102.             ReplaceLineWith 'CONFIGS="/etc/integrit/integrit.conf"'
    103. 

  103.         EndGroup
    104. 

  104.     }
    105. 

  105. # BROKEN!!! See Debian bug#153420
    106. 

  106. #   { /etc/cron.daily/integrit
    107. 

  107. #       #
    108. 

  108. #       # Uncomment defaults
    109. 

  109. #       #
    110. 

  110. #       SetCommentStart "    # ! "
    111. 

  111. #       SetCommentEnd ""
    112. 

  112. #       UnCommentLinesMatching "    # ! if .*"
    113. 

  113. #       UnCommentLinesMatching "    # ! fi"
    114. 

  114. #   }
    115. 

  115. 

  116.     ## logcheck section
    117. 

  117. copy:
    118. 

  118.     #The linktype is necessary for links to be replaced with files.
    119. 

  119.     any::
    120. 

  120.         $(LocalCommon)/logcheck/ignore.d.server/local dest=$(logcheck)/ignore.d.server/local linktype=copy
    121. 

  121.         $(LocalCommon)/logcheck/ignore.d.workstation/local dest=$(logcheck)/ignore.d.workstation/local linktype=copy
    122. 

  122.         $(LocalCommon)/logcheck/violations.ignore.d/local dest=$(logcheck)/violations.ignore.d/local linktype=copy
    123. 

  123. #   NameServer::
    124. 

  124. #       $(LocalCommon)/logcheck/ignore.d.$(type)/bind dest=$(logcheck)/ignore.d/local-bind linktype=copy
    125. 

  125. #       $(LocalCommon)/logcheck/violations.ignore.d/bind dest=$(logcheck)/violations.ignore.d/local-bind linktype=copy
    126. 

  126. #
    127. 

  127. #   FileServer::
    128. 

  128. #       $(LocalCommon)/logcheck/ignore.d.$(type)/samba dest=$(logcheck)/ignore.d/local-samba linktype=copy
    129. 

  129. #       $(LocalCommon)/logcheck/ignore.d.$(type)/netatalk dest=$(logcheck)/ignore.d/local-netatalk linktype=copy
    130. 

  130. #       $(LocalCommon)/logcheck/violations.ignore.d/samba dest=$(logcheck)/violations.ignore.d/local-samba linktype=copy
    131. 

  131. #
    132. 

  132. #   DHCPServer::
    133. 

  133. #       $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp dest=$(logcheck)/ignore.d/local-dhcp linktype=copy
    134. 

  134. #       $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp3-common dest=$(logcheck)/ignore.d/local-dhcp3-common linktype=copy
    135. 

  135. #
    136. 

  136. #   WWWServer::
    137. 

  137. #
    138. 

  138. #   FTPServer::
    139. 

  139. #       $(LocalCommon)/logcheck/ignore.d.$(type)/proftpd dest=$(logcheck)/ignore.d/local-proftpd linktype=copy
    140. 

  140. #       $(LocalCommon)/logcheck/violations.ignore.d/proftpd dest=$(logcheck)/violations.ignore.d/local-proftpd linktype=copy
    141. 

  141. #
    142. 

  142. #   IMAPServer::
    143. 

  143. #       $(LocalCommon)/logcheck/ignore.d.$(type)/uw-imap dest=$(logcheck)/ignore.d/local-uw-imap linktype=copy
    144. 

  144. #
    145. 

  145. #   SpamAssServer::
    146. 

  146. #       $(LocalCommon)/logcheck/ignore.d.$(type)/spamassassin dest=$(logcheck)/ignore.d/local-spamassassin linktype=copy
    147. 

  147. #
    148. 

  148. #   runs_postfix::
    149. 

  149. #       $(LocalCommon)/logcheck/ignore.d.$(type)/postfix dest=$(logcheck)/ignore.d/local-postfix linktype=copy
    150. 

  150. #       $(LocalCommon)/logcheck/violations.ignore.d/postfix dest=$(logcheck)/violations.ignore.d/local-postfix linktype=copy
    151. 

  151. #
    152. 

  152. #   any::
    153. 

  153. #       $(LocalCommon)/logcheck/ignore.d.$(type)/ssh dest=$(logcheck)/ignore.d/local-ssh linktype=copy
    154. 

  154. #       $(LocalCommon)/logcheck/violations.ignore.d/ssh dest=$(logcheck)/violations.ignore.d/local-ssh linktype=copy
    155. 

  155.         
    156. 

  156. shellcommands:
    157. 

  157.     install_logcheck::
    158. 

  158.         # Install logcheck if not installed already
    159. 

  159. #BAD!!!     "/usr/bin/yes no | /usr/bin/apt-get -q=2 install logcheck"
    160.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-27 09:11:15 +0000