path: root/cfengine/cf.services.harden

control:
    AddInstallable = ( install_logcheck )

    logcheck = ( /etc/logcheck )

    # type viser om maskinen er workstation eller server. Bruges til at linke de rigtige steder
    # hen i logcheck
    Standalone_xenux:: type = ( workstation )
    !Standalone_xenux:: type = ( server )

groups:
    install_logcheck = ( '/usr/bin/test ! -e /usr/sbin/logcheck' )

    #Define classes according to the installed MTA
    runs_postfix = ( '/usr/bin/test -e /usr/sbin/postfix' )

editfiles:
    # AIDE section
    { /etc/aide/aide.conf
        #
        # Devices = p+i+n+u+g+s+b+md5+sha1
        #
        # Ignore ctime - some devices change ctime when used (ttySx with hylafax)
        #
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
            Append "Devices = p+i+n+u+g+s+b+md5+sha1 # Added by cfengine"
        EndGroup
        LocateLineMatching "^[[:blank:]]*Devices[[:blank:]]*=.*"
        BeginGroupIfNoLineMatching "^[[:blank:]]*Devices[[:blank:]]*=[[:blank:]][\+pinugsbmd5sha1]*([[:blank:]]+(#.*)?)?"
            ReplaceLineWith "Devices = p+i+n+u+g+s+b+md5+sha1 # Edited by cfengine"
        EndGroup
        #
        # #/var/log...
        #
        # Ignore logfiles - Aide can't handle rotation
        #
        HashCommentLinesMatching "^/var/log.*"
        #
        # !/dev/xconsole
        # !/dev/core
        # !/dev/ttyS*
        #
        LocateLineMatching "^[[:blank:]]*\!/dev/.*"
        CatchAbort
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/.*"
            GotoLastLine
        EndGroup
        DeleteLinesMatching "^\!/dev/xconlsole # Added by cfengine"
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/xconsole([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/xconsole # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/core([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/core # Added by cfengine"
        EndGroup
        BeginGroupIfNoLineMatching "^[[:blank:]]*\!/dev/ttyS\*([[:blank:]]+(#.*)?)?"
            InsertLine "!/dev/ttyS* # Added by cfengine"
        EndGroup
    }
    ## logcheck section
    #{ /etc/aide/aide.conf
    #}
    { /etc/integrit/integrit.conf
        #
        # Uncomment suggested defaults
        #
        SetCommentStart "# "
        SetCommentEnd ""
        UnCommentLinesMatching "^# root=/"
        UnCommentLinesMatching "^# known=/var/lib/integrit/.*"
        UnCommentLinesMatching "^# current=/var/lib/integrit/.*"
        UnCommentLinesMatching "^# !/cdrom"
        UnCommentLinesMatching "^# !/dev"
        UnCommentLinesMatching "^# !/etc"
        UnCommentLinesMatching "^# !/floppy"
        UnCommentLinesMatching "^# !/home"
        UnCommentLinesMatching "^# !/lost\+found"
        UnCommentLinesMatching "^# !/mnt"
        UnCommentLinesMatching "^# !/proc"
        UnCommentLinesMatching "^# !/root"
        UnCommentLinesMatching "^# !/tmp"
        UnCommentLinesMatching "^# !/var"
        UnCommentLinesMatching "^# =/usr/include"
        UnCommentLinesMatching "^# =/usr/X11R6/include"
        UnCommentLinesMatching "^# =/usr/doc"
        UnCommentLinesMatching "^# =/usr/info"
        UnCommentLinesMatching "^# =/usr/share"
        UnCommentLinesMatching "^# =/usr/X11R6/man"
        UnCommentLinesMatching "^# =/usr/X11R6/lib/X11/fonts"
        UnCommentLinesMatching "^# !/usr/local"
        UnCommentLinesMatching "^# !/usr/src"
        AppendIfNoSuchLine "!/initrd"
        AppendIfNoSuchLine "!/.journal"
        AppendIfNoSuchLine "!/usr/local"
        AppendIfNoSuchLine "!/usr/src"
        AppendIfNoSuchLine "!/dev/cpu/mtrr"
    }
    { /etc/cron.daily/integrit
        #
        # Uncomment defaults
        #
        SetCommentStart "    # ! "
        SetCommentEnd ""
        UnCommentLinesMatching "    # ! if .*"
        UnCommentLinesMatching "    # ! fi"
    }

copy:
    #The linktype is necessary for links to be replaced with files.
    NameServer::
        $(LocalCommon)/logcheck/ignore.d.$(type)/bind dest=$(logcheck)/ignore.d/local-bind linktype=copy
        $(LocalCommon)/logcheck/violations.ignore.d/bind dest=$(logcheck)/violations.ignore.d/local-bind linktype=copy

    FileServer::
        $(LocalCommon)/logcheck/ignore.d.$(type)/samba dest=$(logcheck)/ignore.d/local-samba linktype=copy
        $(LocalCommon)/logcheck/ignore.d.$(type)/netatalk dest=$(logcheck)/ignore.d/local-netatalk linktype=copy
        $(LocalCommon)/logcheck/violations.ignore.d/samba dest=$(logcheck)/violations.ignore.d/local-samba linktype=copy

    DHCPServer::
        $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp dest=$(logcheck)/ignore.d/local-dhcp linktype=copy
        $(LocalCommon)/logcheck/ignore.d.$(type)/dhcp3-common dest=$(logcheck)/ignore.d/local-dhcp3-common linktype=copy

    WWWServer::

    FTPServer::
        $(LocalCommon)/logcheck/ignore.d.$(type)/proftpd dest=$(logcheck)/ignore.d/local-proftpd linktype=copy
        $(LocalCommon)/logcheck/violations.ignore.d/proftpd dest=$(logcheck)/violations.ignore.d/local-proftpd linktype=copy

    IMAPServer::
        $(LocalCommon)/logcheck/ignore.d.$(type)/uw-imap dest=$(logcheck)/ignore.d/local-uw-imap linktype=copy

    SpamAssServer::
        $(LocalCommon)/logcheck/ignore.d.$(type)/spamassassin dest=$(logcheck)/ignore.d/local-spamassassin linktype=copy

    runs_postfix::
        $(LocalCommon)/logcheck/ignore.d.$(type)/postfix dest=$(logcheck)/ignore.d/local-postfix linktype=copy
        $(LocalCommon)/logcheck/violations.ignore.d/postfix dest=$(logcheck)/violations.ignore.d/local-postfix linktype=copy

    any::
        $(LocalCommon)/logcheck/ignore.d.$(type)/ssh dest=$(logcheck)/ignore.d/local-ssh linktype=copy
        $(LocalCommon)/logcheck/violations.ignore.d/ssh dest=$(logcheck)/violations.ignore.d/local-ssh linktype=copy

#links:
#   any::
#       # Sættes alt efter om det er server eller workstation. Pakken peger på workstation
#       $(logcheck)/ignore.d ->! $(logcheck)/ignore.d.$(type)
#       $(logcheck)/logcheck.ignore ->! $(logcheck)/logcheck.ignore.$(type)
        
shellcommands:
    install_logcheck::
        #Installerer logcheck hvis ikke allerede er
        "/usr/bin/yes no | /usr/bin/apt-get -q=2 install logcheck"