authorGuilhem Moulin <guilhem@fripost.org>2013-12-01 16:35:46 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:50:59 +0200
commit1387b69c898cb93fd0343603f92670b40b88eb04 (patch)
treee2b9257e0031d13812b60a3c085f7ea4882f0a20
parent5c7776d957e9396a481066e1d9cf1acd78b52fe6 (diff)
Use a dedicated SMTP port for samhain.
It's unfortunate that samhain cannot use the sendmail binary, and wants to use an inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
-rw-r--r--roles/common/files/etc/postfix/master.cf1
-rw-r--r--roles/common/files/etc/samhain/samhainrc11
-rw-r--r--roles/common/tasks/samhain.yml16
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j24
4 files changed, 22 insertions, 10 deletions
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index dd49d31..d9722ef 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -16,20 +16,21 @@ tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
+16132 inet n - - - - smtpd
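Review bot: The new `16132 inet` entry at the end of the hunk carries no address prefix, so this samhain-only smtpd listens on whatever `inet_interfaces` resolves to (all interfaces by default) even though samhain is configured in this same commit to relay via `127.0.0.1`; bind it to loopback instead: `127.0.0.1:16132 inet n - - - - smtpd`. As written, any peer that can reach the port — and the commit's own main.cf comment says the host accepts external connections over IPsec — gets an unauthenticated SMTP submission port governed only by the default smtpd restrictions. Even after the loopback bind, an override on the entry such as `  -o smtpd_client_restrictions=permit_mynetworks,reject` keeps the port from becoming a general submission path. If the listener is renamed this way, the `master_service_disable` exclusion added in main.cf.j2 presumably has to name it identically (the pattern matches the first master.cf field), otherwise the samhain port is disabled along with the rest.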
diff --git a/roles/common/files/etc/samhain/samhainrc b/roles/common/files/etc/samhain/samhainrc
index 200cdc6..1fd9d42 100644
--- a/roles/common/files/etc/samhain/samhainrc
+++ b/roles/common/files/etc/samhain/samhainrc
@@ -495,70 +495,70 @@ SyslogSeverity=alert
## (this is not honoured on database initialisation)
#
# Daemon = no
Daemon = yes
## whether to test signature of files (init/check/none)
## - if 'none', then we have to decide this on the command line -
#
# ChecksumTest = none
ChecksumTest=check
## whether to drop linux capabilities that are not required
## - will make a root process a 'mere mortal' in many respects
#
# UseCaps = yes
## Set nice level (-19 to 19, see 'man nice'),
## and I/O limit (kilobytes per second; 0 == off)
## to reduce load on host.
#
-# SetNiceLevel = 0
+SetNiceLevel = 19
# SetIOLimit = 0
## The version string to embed in file signature databases
#
# VersionString = NULL
## Interval between time stamp messages
#
# SetLoopTime = 60
-SetLoopTime = 600
+SetLoopTime = 21600
## Interval between file checks
#
# SetFileCheckTime = 600
SetFileCheckTime = 7200
## Alternative: crontab-like schedule
#
# FileCheckScheduleOne = NULL
## Alternative: crontab-like schedule(2)
#
# FileCheckScheduleTwo = NULL
## Report only once on modified fles
## Setting this to 'FALSE' will generate a report for any policy
## violation (old and new ones) each time the daemon checks the file system.
#
-# ReportOnlyOnce = True
+ReportOnlyOnce = True
## Report in full detail
#
# ReportFullDetail = False
## Report file timestamps in local time rather than GMT
#
# UseLocalTime = No
## The console device (can also be a file or named pipe)
## - There are two console devices. Accordingly, you can use
## this directive a second time to set the second console device.
## If you have not defined the second device at compile time,
## and you don't want to use it, then:
## setting it to /dev/null is less effective than just leaving
## it alone (setting to /dev/null will waste time by opening
## /dev/null and writing to it)
#
# SetConsole = /dev/console
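Review bot: `ReportOnlyOnce = True` at L92 assigns the value that the commented default line directly above it already shows, so on this build the change is a no-op; either drop it or state the intent with a comment such as `# Pin the default explicitly: report each policy violation once, not on every check`. Separately, `SetNiceLevel = 19` together with the unchanged 7200-second `SetFileCheckTime` means an integrity check on a loaded host runs at the lowest CPU priority and may not finish before the next interval is due; whether samhain skips or queues an overlapping check isn't visible here, so a short comment recording that trade-off would help the next person tuning it. The same applies to `SetLoopTime = 21600`: a six-hour heartbeat means a silently dead daemon goes unnoticed for up to six hours, which is worth stating next to the value.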
@@ -574,41 +574,46 @@ SetFileCheckTime = 7200
## --- E-Mail ---
# Only highest-level (alert) reports will be mailed immediately,
# others will be queued. Here you can define, when the queue will
# be flushed (Note: the queue is automatically flushed after
# completing a file check).
#
SetMailTime = 86400
## Maximum number of mails to queue
#
SetMailNum = 10
## Recipient (max. 8)
#
SetMailAddress = admin@fripost.org
## Mail relay (IP address)
#
+# XXX: it's unfortunate that samhain cannot use the sendmail binary. We
+# use a custom port here to avoid conflicts with the usual SMTP port the
+# MX:es need to listen on.
+# See also: /usr/share/doc/samhain/TODO.Debian
SetMailRelay = 127.0.0.1
+SetMailPort = 16132
## Custom subject format
#
MailSubject = [Samhain at %H] %T: %S
## --- end E-Mail ---
## Path to the prelink executable
#
# SetPrelinkPath = /usr/sbin/prelink
## TIGER192 checksum of the prelink executable
#
# SetPrelinkChecksum = (no default)
## Path to the executable. If set, will be checksummed after startup
## and before exit.
#
# SamhainPath = (no default)
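Review bot: The new comment block above `SetMailRelay` explains why a custom port is used but not what it must agree with; `SetMailPort = 16132` only works if it matches the `16132 inet ... smtpd` entry in postfix/master.cf and the `master_service_disable` exclusion in main.cf.j2 that this commit adds, and nothing on the host ties the three together. Suggest extending the comment with `# Must match the "16132 inet" smtpd entry in /etc/postfix/master.cf and the master_service_disable exclusion in main.cf`. It is also worth recording there that alerts leave samhain as plain, unauthenticated SMTP, which is acceptable only while the Postfix listener stays bound to loopback — a property this file cannot guarantee on its own.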
diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml
index 768ceb6..0d911a5 100644
--- a/roles/common/tasks/samhain.yml
+++ b/roles/common/tasks/samhain.yml
@@ -1,24 +1,26 @@
- name: Install samhain
- apt: pkg=samhain
+ apt: pkg={{ item }}
+ with_items:
+ - samhain
+ - auditd
# XXX: Doesn't work out of the box, see #660197.
- # If this is the first installation, you may want to start with a fresh database
- # sudo service samhain stop
- # sudo rm /var/state/samhain/samhain_file
- # sudo samhain -t init -p warn
- # sudo service samhain start
- # sudo samhain -t update -l none
+ # Every once in a while, or after a major upgrade, you may want to
+ # update Samhain's database (to avoid being flooded at the next
+ # reboot):
+ #
+ # sudo samhain -t update --foreground -m none
- name: Configure samhain
copy: src=etc/samhain/samhainrc
dest=/etc/samhain/samhainrc
owner=root group=root
mode=0644
notify:
- Reload samhain
- name: Start samhain
# This task is inconditional because samhain is reloaded not
# restarted.
service: name=samhain state=started
- meta: flush_handlers
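Review bot: `auditd` is added to the install list at L155 with no comment on why the HIDS role pulls in the audit daemon, and nothing else in the hunk enables or configures it. Suggest a comment above the item, e.g. `# auditd: presumably so samhain can attribute file changes via the audit log -- confirm it is actually used`, or drop the package until it is. The replaced maintenance comment now documents `samhain -t update --foreground -m none` but no longer says what to do on a first installation, which the removed lines covered; keep a one-line pointer to wherever the initial `samhain -t init` procedure now lives if that workflow is still needed.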
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 3169ac6..0922b49 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -26,32 +26,36 @@ local_recipient_maps =
# All aliases are virtual
default_database_type = cdb
virtual_alias_maps = cdb:/etc/aliases
alias_database = $virtual_alias_maps
# Transform local FQDN addresses to addresses routable on the internet
smtp_generic_maps = pcre:$config_directory/generic.pcre
# Forward everything to our internal mailhub
{% if 'MTA-out' in group_names %}
relayhost = [127.0.0.1]:2525
{% else %}
relayhost = [outgoing.fripost.org]:2525
{% endif %}
# This server is for internal use only; external connections are
# protected by IPSec already
smtpd_tls_security_level = none
smtp_tls_security_level = none
+# Turn off all TCP/IP listener ports except that dedicated to
+# samhain(8), which sadly cannot use pickup through the sendmail binary.
+master_service_disable = !16132.inet inet
+
{% set multi_instance = False %}
{%- for g in postfix_instance.keys() | sort -%}
{%- if g in group_names -%}
{%- if not multi_instance -%}
{%- set multi_instance = True -%}
## Other postfix instances
multi_instance_wrapper = $command_directory/postmulti -p --
multi_instance_enable = yes
multi_instance_directories =
{%- endif %} /etc/postfix-{{ postfix_instance[g].name }}
{%- endif %}
{% endfor %}
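Review bot: `master_service_disable = !16132.inet inet` at L203 uses the `name.type` form; postconf(5) documents `name/type` tuples (`!16132/inet, inet`) and, as far as I recall, accepts `name.type` only as the older Postfix 2.6 spelling kept for compatibility — confirm against postconf(5) on the target release, because a pattern that fails to match silently disables the samhain port along with every other inet service. The name in the pattern must also equal the first field of the master.cf entry exactly, so if that listener is later bound as `127.0.0.1:16132` the exclusion needs the same string. A small wording fix for the comment: `samhain(8), which sadly cannot use pickup(8) through the sendmail(1) binary`.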