authorGuilhem Moulin <guilhem@fripost.org>2013-12-01 16:35:46 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:50:59 +0200
commit1387b69c898cb93fd0343603f92670b40b88eb04 (patch)
treee2b9257e0031d13812b60a3c085f7ea4882f0a20
parent5c7776d957e9396a481066e1d9cf1acd78b52fe6 (diff)
Use a dedicated SMTP port for samhain.
It's unfortunate that samhain cannot use the sendmail binary, and wants to use an inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
-rw-r--r--roles/common/files/etc/postfix/master.cf1
-rw-r--r--roles/common/files/etc/samhain/samhainrc11
-rw-r--r--roles/common/tasks/samhain.yml16
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j24
4 files changed, 22 insertions, 10 deletions
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index dd49d31..d9722ef 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -33,3 +33,4 @@ virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
+16132 inet n - - - - smtpd
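Review bot: The new `16132 inet n - - - - smtpd` entry binds to every address covered by inet_interfaces, although its only client is samhain talking to 127.0.0.1 according to the SetMailRelay/SetMailPort pair in samhainrc in this same commit; pinning it with `127.0.0.1:16132 inet n - - - - smtpd` keeps a second, unauthenticated smtpd off the network. Without any `-o` overrides the listener also inherits the main.cf smtpd restrictions, which are not visible here, so it is worth confirming they admit submission from loopback to the configured SetMailAddress and nothing more. A comment above the entry such as `# samhain(8) submission port; must match SetMailPort in etc/samhain/samhainrc` would also make the cross-file coupling of the literal 16132 visible.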
diff --git a/roles/common/files/etc/samhain/samhainrc b/roles/common/files/etc/samhain/samhainrc
index 200cdc6..1fd9d42 100644
--- a/roles/common/files/etc/samhain/samhainrc
+++ b/roles/common/files/etc/samhain/samhainrc
@@ -512,7 +512,7 @@ ChecksumTest=check
## and I/O limit (kilobytes per second; 0 == off)
## to reduce load on host.
#
-# SetNiceLevel = 0
+SetNiceLevel = 19
# SetIOLimit = 0
## The version string to embed in file signature databases
@@ -522,7 +522,7 @@ ChecksumTest=check
## Interval between time stamp messages
#
# SetLoopTime = 60
-SetLoopTime = 600
+SetLoopTime = 21600
## Interval between file checks
#
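Review bot: `SetLoopTime = 21600` stretches the time stamp message interval from ten minutes to six hours; since those periodic messages are effectively the only sign that the daemon is still running, a samhain process that has died or hung would presumably go unnoticed for up to six hours. If that trade-off is intended (fewer mails through the new relay port), a comment above the key such as `# 6 h; the time stamp message is also the liveness signal` would record it.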
@@ -541,7 +541,7 @@ SetFileCheckTime = 7200
## Setting this to 'FALSE' will generate a report for any policy
## violation (old and new ones) each time the daemon checks the file system.
#
-# ReportOnlyOnce = True
+ReportOnlyOnce = True
## Report in full detail
#
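Review bot: `ReportOnlyOnce = True` simply uncomments what the preceding default line shows, so the effective behaviour is unchanged, and the reason for spelling it out is not recorded. Per the comment in the hunk, each policy violation is then reported a single time, which means a report lost in transit (for instance while the new 16132 relay path is down) is not repeated on the next check; a short comment such as `# explicit: violations are mailed once, so do not lose the first report` would document that this was considered.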
@@ -591,7 +591,12 @@ SetMailAddress = admin@fripost.org
## Mail relay (IP address)
#
+# XXX: it's unfortunate that samhain cannot use the sendmail binary. We
+# use a custom port here to avoid conflicts with the usual SMTP port the
+# MX:es need to listen on.
+# See also: /usr/share/doc/samhain/TODO.Debian
SetMailRelay = 127.0.0.1
+SetMailPort = 16132
## Custom subject format
#
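Review bot: `SetMailPort = 16132` is the third place this commit hard-codes the port, the others being the smtpd entry in master.cf and master_service_disable in main.cf.j2, and nothing ties them together except the number itself. Since samhainrc is shipped as a static file rather than a template, the coupling should at least be stated next to the key, e.g. `# Must match the 16132 inet smtpd entry in etc/postfix/master.cf`. The XXX comment above explains why a custom port is used but not where the matching listener is defined.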
diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml
index 768ceb6..0d911a5 100644
--- a/roles/common/tasks/samhain.yml
+++ b/roles/common/tasks/samhain.yml
@@ -1,12 +1,14 @@
- name: Install samhain
- apt: pkg=samhain
+ apt: pkg={{ item }}
+ with_items:
+ - samhain
+ - auditd
# XXX: Doesn't work out of the box, see #660197.
- # If this is the first installation, you may want to start with a fresh database
- # sudo service samhain stop
- # sudo rm /var/state/samhain/samhain_file
- # sudo samhain -t init -p warn
- # sudo service samhain start
- # sudo samhain -t update -l none
+ # Every once in a while, or after a major upgrade, you may want to
+ # update Samhain's database (to avoid being flooded at the next
+ # reboot):
+ #
+ # sudo samhain -t update --foreground -m none
- name: Configure samhain
copy: src=etc/samhain/samhainrc
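Review bot: The task now installs auditd alongside samhain, but neither the commit message nor a comment in the hunk says why; presumably it serves samhain's audit integration, though nothing visible here confirms that. A one-line comment in the `with_items` list, e.g. `- auditd  # TODO(review): state why auditd is required here`, would keep the reason from being lost. The rewritten comment also drops the previous note on initialising the database on a fresh install; if that procedure is still needed it should be kept or pointed to elsewhere. The `Configure samhain` task continues outside the hunk.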
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 3169ac6..0922b49 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -43,6 +43,10 @@ relayhost = [outgoing.fripost.org]:2525
smtpd_tls_security_level = none
smtp_tls_security_level = none
+# Turn off all TCP/IP listener ports except that dedicated to
+# samhain(8), which sadly cannot use pickup through the sendmail binary.
+master_service_disable = !16132.inet inet
+
{% set multi_instance = False %}
{%- for g in postfix_instance.keys() | sort -%}
{%- if g in group_names -%}
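Review bot: `master_service_disable = !16132.inet inet` sits above the `{% set multi_instance %}`/`for g in postfix_instance` section of the template, so it appears to apply to every instance rendered from this file; if the MX instances mentioned in the commit message share this main.cf, their port-25 listener is disabled too unless an override is emitted further down, which is outside this hunk and cannot be confirmed here. The literal 16132 is also duplicated with master.cf and samhainrc, so the comment could name them, e.g. `# keep in sync with the 16132 entry in master.cf and SetMailPort in samhainrc`. The Jinja for loop that starts at the end of the hunk continues past it.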