Make use of Ansible 1.5 new features.

Most notably pipelining=True and sysctl_set=yes.

6 files changed, 38 insertions, 14 deletions

diff --git a/ansible.cfg b/ansible.cfg
index 6afc1ef..82de41a 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -11,88 +11,100 @@
 # location of ansible library, eliminates need to specify --module-path
 
 library = ./lib/:/usr/share/ansible/
 
 # default module name used in /usr/bin/ansible when -m is not specified
 
 module_name = command
 
 # home directory where temp files are stored on remote systems.  Should
 # almost always contain $HOME or be a directory writeable by all users
 
 remote_tmp = $HOME/.ansible/tmp
 
 # the default pattern for ansible-playbooks ("hosts:")
 
 pattern = *
 
 # the default number of forks (parallelism) to be used.  Usually you
 # can crank this up.
 
-forks=5
+forks = 5
 
 # the timeout used by various connection types.  Usually this corresponds
 # to an SSH timeout
 
-timeout=10
+timeout = 10
 
 # when using --poll or "poll:" in an ansible playbook, and not specifying
 # an explicit poll interval, use this interval
 
-poll_interval=15
+poll_interval = 15
 
 # when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook,
 # and not specifying "--sudo-user" or "sudo_user" respectively, sudo
 # to this user account
 
-sudo=True
-#sudo_user=root
+sudo = True
+#sudo_user = root
+
+# what flags to pass to sudo
+sudo_flags = -H LC_ALL=C
 
 # the following forces ansible to always ask for the sudo password (instead of having
 # to add -K to the commandline). Or you can use the environment variable (ANSIBLE_ASK_SUDO_PASS)
 
-ask_sudo_pass=True
+ask_sudo_pass = True
 
 # the following forces ansible to always ask for the ssh-password (-k)
 # can also be set by the environment variable ANSIBLE_ASK_PASS
 
-#ask_pass=True
+#ask_pass = True
 
 # connection to use when -c <connection_type> is not specified
 
-transport=ssh
+transport = ssh
 
 # remote SSH port to be used when --port or "port:" or an equivalent inventory
 # variable is not specified.
 
-remote_port=22
+remote_port = 22
 
 # if set, always run /usr/bin/ansible commands as this user, and assume this value
 # if "user:" is not set in a playbook.  If not set, use the current Unix user
 # as the default
 
-#remote_user=root
+#remote_user = root
+
+# if set, always use this private key file for authentication, same as if passing
+# --private-key to ansible or ansible-playbook
+
+#private_key_file=/path/to/file
 
 # format of string $ansible_managed available within Jinja2 templates, replacing
 # {file}, {host} and {uid} with template filename, host and owner respectively.
 # The resulting string is passed through strftime(3) so it may contain any
 # time-formatting specifiers.
 #
 # Example: ansible_managed = DONT TOUCH {file}: call {uid} at {host} for changes
 ansible_managed = Ansible Managed: modified on %Y-%m-%d %H:%M:%S by {uid}@{host}
 
 # additional plugin paths for non-core plugins
 
 action_plugins     = /usr/share/ansible_plugins/action_plugins
 callback_plugins   = /usr/share/ansible_plugins/callback_plugins
 connection_plugins = /usr/share/ansible_plugins/connection_plugins
 lookup_plugins     = /usr/share/ansible_plugins/lookup_plugins
 vars_plugins       = /usr/share/ansible_plugins/vars_plugins
 
-legacy_playbook_variables = no
-
 [ssh_connection]
 
+# if uncommented, sets the ansible ssh arguments to the following.  Leaving off ControlPersist
+# will result in poor performance, so use transport=paramiko on older platforms rather than
+# removing it
+
 ssh_args = -F ../virtualenv/.ssh/config
            -o ControlMaster=auto
            -o ControlPersist=60s
            -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
+
+pipelining = True
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common.local b/roles/common/files/etc/logcheck/ignore.d.server/common.local
index 22fe621..331edeb 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/common.local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common.local
@@ -1,6 +1,8 @@
 # Ansible Managed
 # Do NOT edit this file directly!
 #
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit )
 # Ansible logs everything into syslog
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-[a-z]+: Invoked
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([a-z]+|<stdin>): Invoked with
diff --git a/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo
new file mode 100644
index 0000000..e474019
--- /dev/null
+++ b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo
@@ -0,0 +1,7 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$
+# ignore sudo with custom ENV
+#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index 06f06b0..d25a75e 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -3,37 +3,38 @@
   with_items:
     - rsyslog
     - syslog-summary
     - logcheck
     - logcheck-database
     - logrotate
 
 - name: Start rsyslog
   service: name=rsyslog state=started
   tags:
     - syslog
 
 - name: Configure logcheck
   copy: src=etc/logcheck/{{ item }}
         dest=/etc/logcheck/{{ item }}
         owner=root group=logcheck
         mode=0640
   with_items:
     - logcheck.conf
     - ignore.d.server/common.local
+    - violations.ignore.d/logcheck-sudo
 
 - name: Minimal logging policy (1)
   lineinfile: dest=/etc/logrotate.d/rsyslog
               regexp="^/var/log/mail.(log|info)$"
               state=absent
 
 - name: Minimal logging policy (2)
   copy: src=etc/logrotate.d/fripost-mail
         dest=/etc/logrotate.d/fripost-mail
         owner=root group=root
         mode=0644
   tags:
     - logrotate
 
 # TODO: We also have specialized per-role logcheck rulesets, per-role
 # logrotate configuration (/etc/logrotate.d), and per-role rsyslog
 # configuration (/etc/rsyslog.d).
diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml
index f6a4d71..78eec90 100644
--- a/roles/common/tasks/rkhunter.yml
+++ b/roles/common/tasks/rkhunter.yml
@@ -1,24 +1,26 @@
 - name: Install rkhunter
   apt: pkg={{ item }}
   with_items:
     - rkhunter
     - curl
     - iproute
     - lsof
     - unhide
     - unhide.rb
 
+# To test the configuration:
+#   ansible all -m command -a '/usr/bin/rkhunter -c --nomow --rwo'
 - name: Configure rkhunter
   copy: src=etc/{{ item }}
         dest=/etc/{{ item }}
         owner=root group=root
         mode=0644
   with_items:
     - rkhunter.conf
     - default/rkhunter
   notify:
     # This might not always be necessary, but it's not like we would
     # change the config every day...
     - Update rkhunter's data file
 
 - meta: flush_handlers
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index 9adeece..6ac7feb 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -1,21 +1,21 @@
-- sysctl: name={{ item.name }} value={{ item.value }}
+- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes
   with_items:
     - { name: 'kernel.domainname', value: '{{ ansible_domain }}' }
 
       # Networking. See
       # https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
 
       # Enable Spoof protection (reverse-path filter). Turn on Source
       # Address Verification in all interfaces to prevent some spoofing
       # attacks.
     - { name: 'net.ipv4.conf.default.rp_filter', value: 1 }
     - { name: 'net.ipv4.conf.all.rp_filter',     value: 1 }
 
       # Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We
       # rate-limit not only the default ICMP types 3, 4, 11 and 12
       # (0x1818), but also types 0 and 8. See icmp(7).
     - { name: 'net.ipv4.tcp_syncookies',  value: 1 }
     - { name: 'net.ipv4.icmp_ratemask',   value: 6425 }
     - { name: 'net.ipv4.icmp_ratelimit',  value: 1000 }
 
       # Disable paquet forwarding between interfaces (we are not a router).