authorGuilhem Moulin <guilhem@fripost.org>2018-12-03 03:04:22 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-03 03:43:36 +0100
commit2495327985da791891b579bd05b3cda1f41dfda7 (patch)
tree4a48fbc071739ec5b38f3bda049fa984cb795498
parent203c3ca3d0b3d053827e6ced01cdde85eb0871c5 (diff)
Upgrade baseline to Debian Stretch.
-rw-r--r--roles/common-web/files/etc/nginx/sites-available/default4
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf10
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf12
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi.conf3
-rw-r--r--roles/common-web/files/etc/nginx/snippets/ssl.conf2
-rw-r--r--roles/common-web/tasks/main.yml4
-rw-r--r--roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades12
-rw-r--r--roles/common/files/etc/default/rkhunter6
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/common-local43
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/postfix-local6
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/strongswan-local8
-rw-r--r--roles/common/files/etc/rkhunter.conf22
-rw-r--r--roles/common/files/etc/rsyslog.conf49
-rw-r--r--roles/common/files/etc/strongswan.d/charon.conf53
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh86
-rw-r--r--roles/common/tasks/mail.yml2
-rw-r--r--roles/common/templates/etc/apt/preferences.j28
-rw-r--r--roles/common/templates/etc/apt/sources.list.j28
-rw-r--r--roles/common/templates/etc/munin/plugin-conf.d/munin-node.j21
-rw-r--r--roles/common/templates/etc/postfix/main.cf.j29
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j242
-rw-r--r--roles/lacme/handlers/main.yml2
-rw-r--r--roles/lacme/tasks/main.yml20
23 files changed, 217 insertions, 195 deletions
diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default
index 6cbea18..63c7910 100644
--- a/roles/common-web/files/etc/nginx/sites-available/default
+++ b/roles/common-web/files/etc/nginx/sites-available/default
@@ -1,6 +1,6 @@
server {
- listen 80 default_server;
- listen [::]:80 default_server;
+ listen 80 default_server;
+ listen [::]:80 default_server;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
index ebf3aa0..aa82ca6 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf
@@ -3,8 +3,8 @@
include snippets/fastcgi-php.conf;
-fastcgi_param HTTPS on;
-fastcgi_param SSL_PROTOCOL $ssl_protocol;
-fastcgi_param SSL_CIPHER $ssl_cipher;
-fastcgi_param SSL_SESSION_ID $ssl_session_id;
-fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
+fastcgi_param HTTPS on;
+fastcgi_param SSL_PROTOCOL $ssl_protocol;
+fastcgi_param SSL_CIPHER $ssl_cipher;
+fastcgi_param SSL_SESSION_ID $ssl_session_id;
+fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
index 5823909..9668bb8 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
@@ -1,10 +1,10 @@
# cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
-try_files $uri $uri/ =404;
+try_files $fastcgi_script_name =404;
-include snippets/fastcgi.conf;
+include snippets/fastcgi.conf;
# required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
+fastcgi_param REDIRECT_STATUS 200;
-fastcgi_intercept_errors on;
-fastcgi_read_timeout 14400;
-fastcgi_pass unix:/var/run/php5-fpm.sock;
+fastcgi_intercept_errors on;
+fastcgi_read_timeout 14400;
+fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
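Review bot: The new `try_files $fastcgi_script_name =404;` only guards against the "uncontrolled requests to PHP" pitfall cited on the first line when the including location has already run `fastcgi_split_path_info`; before that directive `$fastcgi_script_name` is presumably just the request URI, so the check degrades to the old `$uri` test and the `PATH_INFO` parameter set in snippets/fastcgi.conf stays empty. The snippet cannot see its callers, so the dependency is worth stating at the top: `# the including location must set fastcgi_split_path_info before this snippet; $fastcgi_script_name is only the script part once it has`. The hard-coded `php7.0-fpm.sock` ties the snippet to the Stretch PHP release; a one-line comment naming that (or a role variable) will make the next baseline bump easier to find.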
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
index 80132ec..ee058da 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf
@@ -6,6 +6,7 @@ fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
@@ -20,4 +21,4 @@ fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
-fastcgi_param HTTPS $https;
+fastcgi_param HTTPS $https if_not_empty;
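Review bot: The `if_not_empty` added to the HTTPS parameter changes what the FastCGI backend sees on plain-HTTP requests (the variable is now absent rather than an empty string), and nothing in the file records why; a comment such as `# omitted on plain HTTP so that applications testing only isset($_SERVER['HTTPS']) do not treat the request as encrypted` keeps the intent with the directive. The fastcgi-php-ssl.conf snippet changed earlier in this commit still sets `HTTPS on` unconditionally on top of this one, so which value reaches the backend when both snippets are included is presumably left to nginx's duplicate-parameter handling and deserves a note as well.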
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
index 09082e7..d3ccd9e 100644
--- a/roles/common-web/files/etc/nginx/snippets/ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -1,5 +1,5 @@
# https://wiki.mozilla.org/Security/Server_Side_TLS
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0j&hsts=yes&profile=intermediate
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lacme/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index 02b7134..e2eb3ee 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -1,10 +1,10 @@
- name: Install Nginx
- apt: pkg=nginx
+ apt: pkg=nginx-light
- name: Limit Nginx logging
lineinfile: "dest=/etc/logrotate.d/nginx create=yes
regexp='^\\s*rotate\\s'
- line='\trotate 1'"
+ line='\trotate 7'"
tags:
- logrotate
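Review bot: Raising `rotate 1` to `rotate 7` keeps a week of nginx access logs (client addresses and request URIs) on disk instead of a single rotation, and the task does not say why the retention policy changed; a comment on the task, e.g. `# keep a week of logs; they contain client IPs, so keep retention deliberate`, records the trade-off for whoever tunes it next. The task name "Limit Nginx logging" now reads oddly for a change that extends retention.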
diff --git a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades
index c9adc5f..86c6508 100644
--- a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades
+++ b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades
@@ -7,7 +7,7 @@
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
// a,archive,suite (eg, "stable")
-// c,component (eg, "main", "crontrib", "non-free")
+// c,component (eg, "main", "contrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
@@ -36,7 +36,6 @@ Unattended-Upgrade::Origins-Pattern {
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
- "origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
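Review bot: Dropping `"origin=Debian,codename=${distro_codename}"` leaves only the Debian-Security pattern, so point-release and stable-updates fixes, which carry the plain Debian label, are no longer applied unattended; the two patterns were not redundant. If that narrowing is intended, say so next to the remaining pattern, e.g. `// only security uploads are applied unattended; point-release updates are applied by hand`; if it is not, the removed line should stay. The enclosing Origins-Pattern block starts outside the hunk.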
@@ -83,6 +82,9 @@ Unattended-Upgrade::Mail "admin@fripost.org";
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
+// Automatically reboot even if there are users currently logged in.
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
@@ -91,3 +93,9 @@ Unattended-Upgrade::Mail "admin@fripost.org";
// Use apt bandwidth limit feature, this example limits the download
// speed to 256kb/sec
Acquire::http::Dl-Limit "256";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
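Review bot: The new syslog knobs are added commented out, so unattended package changes still go only to unattended-upgrades' own log files and never pass through rsyslog, where the logcheck rules updated in this commit could report them; consider `Unattended-Upgrade::SyslogEnable "true";` so automatic upgrades and their reboots show up in the central log stream, with matching ignore patterns for the routine lines. If leaving it off is deliberate, a one-line comment saying so would stop the next reader from re-raising it.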
diff --git a/roles/common/files/etc/default/rkhunter b/roles/common/files/etc/default/rkhunter
index da59a73..2e7fae7 100644
--- a/roles/common/files/etc/default/rkhunter
+++ b/roles/common/files/etc/default/rkhunter
@@ -5,11 +5,11 @@
#
# Set this to yes to enable rkhunter daily runs
-# (default: true)
+# (default: false)
CRON_DAILY_RUN="yes"
# Set this to yes to enable rkhunter weekly database updates
-# (default: true)
+# (default: false)
CRON_DB_UPDATE="yes"
# Set this to yes to enable reports of weekly database updates
@@ -31,4 +31,4 @@ NICE="10"
# Should daily check be run when running on battery
# powermgmt-base is required to detect if running on battery or on AC power
# (default: false)
-RUN_CHECK_ON_BATTERY="false"
+RUN_CHECK_ON_BATTERY="false"
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local
index 3d5e158..6210cc1 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/common-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local
@@ -5,36 +5,55 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [-_.[:alnum:]]+ not allowed because account is locked$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: (Connection reset by peer|Connection timed out) \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+: (3|11|14): .* \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Protocol major versions differ for [:.[:xdigit:]]+: SSH-2\.0-OpenSSH_
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \(\S+\) -> (\(\S+\) )?\[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for invalid user [-_.[:alnum:]]+ from [:.[:xdigit:]]+ port [[:digit:]]+ ssh2? \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [0-9]+:(3|11|14): .* \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (Disconnected from|Connection (closed|reset) by) [[:xdigit:].:]{3,39} port [0-9]+ \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (Did not receive identification string|Invalid user .*) from [[:xdigit:].:]{3,39} port [0-9]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user .* from [:.[:xdigit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user .* \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: userauth_pubkey: unsupported public key algorithm: [[:alnum:]-]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: (Connection (timed out|reset by peer)|Broken pipe) \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: (no hostkey alg|Unable to negotiate a key exchange method) \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Unable to negotiate with [:.[:xdigit:]]+ port [[:digit:]]+: no matching (host key type|key exchange method|cipher) found\. Their offer: [@.[:alnum:],-]+ \[preauth\]$
+no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '.*' from [:.[:xdigit:]]+ port [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?(: (DSA|RSA|ECDSA|ED25519) ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: WARNING: no suitable primes in /etc/ssh/primes$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: dispatch_protocol_error: type [0-9]+ seq [0-9]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Cleanup of Temporary Directories\.(\.\.)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ slapd\[[[:digit:]]+\]: connection_input: conn=[[:digit:]]+ deferring operation: binding$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (slapd\[[[:digit:]]+\]|slap(acl|add|auth|cat|dn|index)|ldap(add|compare|delete|exop|modify|modrdn|passwd|search|url|whoami)): DIGEST-MD5 common mech free$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Created|Removed) slice User Slice of [-[:alnum:]]+\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: (Listening on|Closed) .*\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Cleanup of Temporary Directories\.(\.\.)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Session [0-9]+ of user [-[:alnum:]]+\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Startup finished in \S+\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [-[:alnum:]]+( by \(uid=0\))?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ runuser: pam_unix\(runuser:session\): session (opened|closed) for user [-[:alnum:]]+( by \(uid=0\))?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Session [0-9]+ of user [-[:alnum:]]+\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Received SIGRTMIN\+24 from PID [0-9]+ \(kill\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: New session c?[0-9]+ of user [-[:alnum:]]+\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: Removed session c?[0-9]+\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: apt-daily(-upgrade)?\.timer: Adding .* random time\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit )
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: bytecode\.(cld|cvd) (is up to date|updated) \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: [._[:alnum:]-]+\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Your ClamAV installation is OUTDATED!$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Local version: [[:digit:]]+(\.[[:digit:]]+)* Recommended version: [[:digit:]]+(\.[[:digit:]]+)*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> (bytecode|main|daily)\.(cld|cvd) (is up to date|updated) \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: [._[:alnum:]-]+\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Received signal: wake up$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> ClamAV update process started at \w{3} \w{3} [ :[:digit:]]{16}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (\w{3} \w{3} [ :[:digit:]]{16} -> \^|WARNING: )Your ClamAV installation is OUTDATED!$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (\w{3} \w{3} [ :[:digit:]]{16} -> \^|WARNING: )Local version: [[:digit:]]+(\.[[:digit:]]+)* Recommended version: [[:digit:]]+(\.[[:digit:]]+)*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: getfile: [._[:alnum:]-]+ not found on remote server \(IP: [.[:digit:]]+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Incremental update failed, trying to download daily\.cvd$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (WARNING|ERROR): (getpatch: )?Can't download [._[:alnum:]-]+ from [.[:alnum:]-]+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Trying host [.[:alnum:]-]+ \([.[:digit:]]+\)\.\.\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Trying again in [[:digit:]]+ secs\.\.\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Giving up on [.[:alnum:]-]+\.\.\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Downloading [._[:alnum:]-]+ \[[[:digit:]]+%\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: DON'T PANIC! Read http://www\.clamav\.net/(support/faq|documents/upgrading-clamav)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Downloading [._[:alnum:]-]+ \[[[:digit:]]+%\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> DON'T PANIC! Read https?://www\.clamav\.net/(support/faq|documents/upgrading-clamav)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Database updated \([0-9]+ signatures\) from .* \(IP: [[:xdigit:].:]{3,39}\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Clamd successfully notified about the update\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Reading databases from /var/lib/clamav$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> SelfCheck: Database status OK\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Database correctly reloaded \([0-9]+ signatures\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+ *\] Peer [.[:digit:]]+:[[:digit:]]+/[[:digit:]]+ unexpectedly shrunk window [[:digit:]]+:[[:digit:]]+ \(repaired\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[.[:digit:]]+" x-pid="[[:digit:]]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd-?([[:digit:]]+): action '[^']+' (resumed \(module '[.[:alnum:]-]+:[.[:alnum:]-]+'\)|suspended, next retry is \w{3} \w{3} [ :[:digit:]]{16}) \[try http://www\.rsyslog\.com/e/\1 \]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ liblogging-stdlog: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www\.rsyslog\.com"\] rsyslogd was HUPed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z0-9]+|<stdin>): Invoked with
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (sympa\((command|distribute)\)|wwsympa|archived|bounced|bulk|task_manager)\[[[:digit:]]+\]: (info|notice)\s
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa\(command\)\[[[:digit:]]+\]: err tools::valid_email\(\) Invalid email address 'MAILER-DAEMON'$
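Review bot: The added line `no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server ... \[preauth\]$`, immediately after the new `Unable to negotiate with` pattern, has no `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:` prefix, so it looks like a leftover tail of the removed pattern; as written it is an unanchored rule that silences any log line, from any program, ending in that text. Either delete it or restore the prefix from the removed line above it. Two of the added systemd patterns (`Start(ing|ed) Cleanup of Temporary Directories` and `Start(ing|ed) Session [0-9]+ of user`) duplicate lines already present in the same hunk and can be dropped.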
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
index e32fce6..df5e158 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
@@ -19,9 +19,8 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: message-id=(<[^>]*>|[[:alnum:]_/+.$@-]+)( \(added by [^[:space:]]+\))?
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: removed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: skipped, still being delivered$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: close database /var/lib/postfix\1/verify_cache\.db: No such file or directory \(possible Berkeley DB bug\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: cache btree:/var/lib/postfix\1/verify_cache full cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: cache \S+A partial cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/smtpd\[[[:digit:]]+\]: disconnect from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]( (ehlo|helo|xforward|starttls|auth|mail|rcpt|data|noop|rset|quit|commands|unknown)=[0-9]+(/[0-9]+)?)+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/pickup\[[[:digit:]]+\]: [[:xdigit:]]+: uid=[[:digit:]]+ from=<[^>]*>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/cleanup\[[[:digit:]]+\]: [[:xdigit:]]+: replace: header\s
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+(, sasl_sender=[-_.@[:alnum:]]+)?$
@@ -32,7 +31,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} <[^>]+>: Helo command rejected: need fully-qualified hostname;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 4[[:digit:]]{2} 4(\.[[:digit:]]){2} <[^>]+>: Sender address rejected: Domain not found;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} Service unavailable; (Unverified Client host|Sender address) \[\S+\] blocked using [._[:alnum:]-]+; https?://[^[:blank:];]+; from=<[^>]*> to=<[^>]+> proto=E?SMTP( helo=<[^>]+>)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[([[:xdigit:].:]{3,39})\]: 4[[:digit:]]{2} 4(\.[[:digit:]]){2} Client host rejected: cannot find your hostname, \[\1\]; from=<[^>]*> to=<[^>]+> proto=E?SMTP( helo=<[^>]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[([[:xdigit:].:]{3,39})\]: 4[[:digit:]]{2} 4(\.[[:digit:]]+){2} Client host rejected: cannot find your hostname, \[\1\]; from=<[^>]*> to=<[^>]+> proto=E?SMTP( helo=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: timeout after [-[:upper:]]+( \([[:digit:]]+ bytes\))? from [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-((msa|mx)/smtpd|out/smtp)\[[[:digit:]]+\]: warning: (tls_text_name: [-._[:alnum:]]+\[[[:xdigit:].:]{3,39}\]: )?peer certificate has no (subject CN|issuer Organization)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 450( 4\.1\.2)? <[^>]*>: Recipient address rejected: Domain not found;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
@@ -72,6 +71,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: RCPT from [^[:space:]]+: [[:digit:]]{3}( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Relay access denied; from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^[:space:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: ([-._[:alnum:]]+): RBL lookup error: Host or domain name not found\. Name service error for name=\1 type=A(AAA)?: Host not found, try again$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:SSL2?3_(GET_RECORD:(decryption failed or bad record mac|wrong version number):s3_pkt\.c:[0-9]+:|READ_BYTES:(reason\([[:digit:]]+\)|sslv3 alert (unexpected message|bad certificate)):s3_pkt\.c:[[:digit:]]+:SSL alert number (0|10|42):|GET_CLIENT_HELLO:(unsupported protocol|no shared cipher|unknown protocol|wrong version number):s2?3_srvr\.c:[0-9]+:)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/tlsproxy\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:tls_post_process_client_hello:no shared cipher:\.\./ssl/statem/statem_srvr\.c:[0-9]+:$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 554( 5\.1\.[01])? <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: reject: RCPT from [^[:space:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Helo command rejected: .+; from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^[:space:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: too many errors after ([[:upper:]]{4}|END-OF-MESSAGE|UNKNOWN|DATA \(0 bytes\)) from [._[:alnum:]-]+\[[.[:digit:]]+\]$
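Review bot: The new OpenSSL 1.1-style `tls_post_process_client_hello:no shared cipher` pattern is restricted to `postfix-mx/tlsproxy`, while the line above it covers `postfix-(mx|msa)/(smtpd|tlsproxy)` for the old message format; the same warning presumably also comes from smtpd and from the msa instance on Stretch, so those lines will be reported until the prefix is widened, e.g. `postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: ...`. The `\.\./ssl/statem/statem_srvr\.c:[0-9]+` fragment pins the rule to one OpenSSL source layout and will need revisiting at the next baseline bump; a comment line above it saying so would help.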
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local b/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local
index 1a6cdd7..cebfaba 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local
@@ -1,12 +1,10 @@
# Ansible Managed
# Do NOT edit this file directly!
#
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[JOB\] spawning [[:digit:]]+ worker threads$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating acquire job for policy [[:xdigit:].:]{3,39}/[[:digit:]]+(\[\w+(/[[:alnum:]-]+)?\])? === [[:xdigit:].:]{3,39}/[[:digit:]]+(\[\w+(/[[:alnum:]-]+)?\])? with reqid \{[[:digit:]]+\}$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] unable to receive from rt event socket$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating rekey job for ESP CHILD_SA with SPI [[:xdigit:]]{8} and reqid \{[[:digit:]]+\}$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating delete job for ESP CHILD_SA with SPI [[:xdigit:]]{8} and reqid \{[[:digit:]]+\}$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] querying SAD entry with SPI [[:xdigit:]]{8} failed: No such process \([[:digit:]]+\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating rekey job for CHILD_SA ESP/0x[[:xdigit:]]{8}/[[:xdigit:].:]{3,39}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating delete job for CHILD_SA ESP/0x[[:xdigit:]]{8}/[[:xdigit:].:]{3,39}$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[JOB\] CHILD_SA ESP/0x[[:xdigit:]]{8}/[[:xdigit:].:]{3,39} not found for delete$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] initiating IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\] to [[:xdigit:].:]{3,39}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] [[:xdigit:].:]{3,39} is initiating an IKE_SA$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] establishing CHILD_SA [[:alnum:]._-]+(\{[[:digit:]]+\})?$
diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf
index abdbd6c..b6a7d06 100644
--- a/roles/common/files/etc/rkhunter.conf
+++ b/roles/common/files/etc/rkhunter.conf
@@ -259,7 +259,7 @@ LOGFILE=/var/log/rkhunter.log
#
# USE_SYSLOG=authpriv.warning
#
-# Setting the value to 'NONE', or just leaving the option commented out,
+# Setting the value to 'none', or just leaving the option commented out,
# disables the use of syslog.
#
# The default value is not to use syslog.
@@ -330,8 +330,8 @@ AUTO_X_DETECT=1
#
# These two options determine which tests are to be performed. The ENABLE_TESTS
-# option can use the word 'ALL' to refer to all of the available tests. The
-# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
+# option can use the word 'all' to refer to all of the available tests. The
+# DISABLE_TESTS option can use the word 'none' to mean that no tests are
# disabled. The list of disabled tests is applied to the list of enabled tests.
#
# Both options are space-separated lists of test names, and both options may
@@ -356,7 +356,7 @@ AUTO_X_DETECT=1
# applications (and warns about possible security risk: we better trust
# the Debian Security Team).
#
-ENABLE_TESTS=ALL
+ENABLE_TESTS=all
DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps
#
@@ -587,12 +587,11 @@ HASH_CMD=sha512sum
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
-SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
-#SCRIPTWHITELIST=/usr/bin/lwp-request
+SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
#SCRIPTWHITELIST=/usr/sbin/prelink
-#SCRIPTWHITELIST=/usr/bin/unhide.rb
+#SCRIPTWHITELIST=/usr/sbin/unhide.rb
#
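Review bot: Uncommenting `SCRIPTWHITELIST=/usr/bin/lwp-request` whitelists a path owned by an optional Perl package, and as far as I recall rkhunter rejects a SCRIPTWHITELIST entry whose path does not exist rather than skipping it; verify on a host without that package, or make the entry conditional in the role, before the file is rolled out everywhere. A short comment above the block saying which Stretch packages own these scripts (and why a script in place of a binary is expected there) would make the list reviewable at the next upgrade.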
# Allow the specified file to have the immutable attribute set.
@@ -619,8 +618,9 @@ SCRIPTWHITELIST=/usr/sbin/adduser
#
# The default value is the null string.
#
-ALLOWHIDDENDIR=/etc/.java
+#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/etc/.git
+#ALLOWHIDDENDIR=/dev/.lxc
#
# Allow the specified hidden file to be whitelisted.
@@ -637,10 +637,10 @@ ALLOWHIDDENDIR=/etc/.git
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
#ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
-ALLOWHIDDENFILE=/etc/.etckeeper
+#ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/etc/.gitignore
#ALLOWHIDDENFILE=/etc/.bzrignore
-
+ALLOWHIDDENFILE=/etc/.etckeeper
#
# Allow the specified process to use deleted files. The process name may be
@@ -657,7 +657,7 @@ ALLOWHIDDENFILE=/etc/.gitignore
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
-#ALLOWPROCDELFILE=/usr/lib/iceweasel/firefox-bin
+#ALLOWPROCDELFILE=/usr/lib/iceweasel/iceweasel
#ALLOWPROCDELFILE=/usr/bin/file-roller
#
diff --git a/roles/common/files/etc/rsyslog.conf b/roles/common/files/etc/rsyslog.conf
index 6ebaa92..70e8a77 100644
--- a/roles/common/files/etc/rsyslog.conf
+++ b/roles/common/files/etc/rsyslog.conf
@@ -8,21 +8,17 @@
#### MODULES ####
#################
-$ModLoad imuxsock # provides support for local system logging
-$ModLoad imklog # provides kernel logging support
-#$ModLoad immark # provides --MARK-- message capability
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog") # provides kernel logging support
+#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
-#$ModLoad imudp
-#$UDPServerRun 514
+#module(load="imudp")
+#input(type="imudp" port="514")
# provides TCP syslog reception
-#$ModLoad imtcp
-#$InputTCPServerRun 514
-
-# Disable rate-limiting (the default for rsyslog v7, but not for rsyslog v5)
-$SystemLogRateLimitInterval 0
-$SystemLogRateLimitBurst 0
+#module(load="imtcp")
+#input(type="imtcp" port="514")
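Review bot: The explicit `$SystemLogRateLimitInterval 0` / `$SystemLogRateLimitBurst 0` are removed together with their comment, so whether local messages can be silently dropped under load now depends on the imuxsock default of the installed rsyslog rather than on this file; on a host whose auth and mail logs feed logcheck, a burst of dropped lines is a detection gap. Either keep the setting explicit on the new module line, `module(load="imuxsock" SysSock.RateLimit.Interval="0")`, or carry over the removed comment stating that the v7+ default is being relied upon so the omission is visibly deliberate.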
###########################
@@ -81,7 +77,7 @@ if ($programname startswith 'postfix-' or $programname == 'dovecot') and $syslog
#
# Some standard log files. Log by facility.
#
-auth,authpriv.* /var/log/auth.log
+auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
@@ -90,13 +86,6 @@ lpr.* -/var/log/lpr.log
user.* -/var/log/user.log
#
-# Logging for INN news system.
-#
-news.crit /var/log/news/news.crit
-news.err /var/log/news/news.err
-news.notice -/var/log/news/news.notice
-
-#
# Some "catch-all" log files.
#
*.=debug;\
@@ -111,25 +100,3 @@ news.notice -/var/log/news/news.notice
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
-
-#
-# I like to have messages displayed on the console, but only on a virtual
-# console I usually leave idle.
-#
-#daemon,mail.*;\
-# news.=crit;news.=err;news.=notice;\
-# *.=debug;*.=info;\
-# *.=notice;*.=warn /dev/tty8
-
-# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
-# you must invoke `xconsole' with the `-file' option:
-#
-# $ xconsole -file /dev/xconsole [...]
-#
-# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
-# busy site..
-#
-#daemon.*;mail.*;\
-# news.err;\
-# *.=debug;*.=info;\
-# *.=notice;*.=warn |/dev/xconsole
diff --git a/roles/common/files/etc/strongswan.d/charon.conf b/roles/common/files/etc/strongswan.d/charon.conf
index 17e917a..5ed6452 100644
--- a/roles/common/files/etc/strongswan.d/charon.conf
+++ b/roles/common/files/etc/strongswan.d/charon.conf
@@ -7,6 +7,12 @@ charon {
# Maximum number of half-open IKE_SAs for a single peer IP.
# block_threshold = 5
+ # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ # be saved under a unique file name derived from the public key of the
+ # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+ # /etc/swanctl/x509crl (vici), respectively.
+ # cache_crls = no
+
# Whether relations in validated certificate chains should be cached in
# memory.
# cert_cache = yes
@@ -20,10 +26,17 @@ charon {
# Number of half-open IKE_SAs that activate the cookie mechanism.
# cookie_threshold = 10
+ # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+ # delete_rekeyed = no
+
# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes
+ # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
+ # missing symbols immediately.
+ # dlopen_use_rtld_now = no
+
# DNS server assigned to peer via configuration payload (CP).
# dns1 =
@@ -40,11 +53,15 @@ charon {
# Free objects during authentication (might conflict with plugins).
# flush_auth_cfg = no
+ # Whether to follow IKEv2 redirects (RFC 5685).
+ # follow_redirects = yes
+
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
- # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
- # address family specific default values). If specified this limit is
- # used for both IPv4 and IPv6.
- # fragment_size = 0
+ # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+ # to 1280 (use 0 for address family specific default values, which uses a
+ # lower value for IPv4). If specified this limit is used for both IPv4 and
+ # IPv6.
+ # fragment_size = 1280
# Name of the group the daemon changes to after startup.
# group =
@@ -58,6 +75,10 @@ charon {
# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
# i_dont_care_about_security_and_use_aggressive_mode_psk = no
+ # Whether to ignore the traffic selectors from the kernel's acquire events
+ # for IKEv2 connections (they are not used for IKEv1).
+ # ignore_acquire_ts = no
+
# A space-separated list of routing tables to be excluded from route
# lookups.
# ignore_routing_tables =
@@ -116,6 +137,13 @@ charon {
# Determine plugins to load via each plugin's load option.
# load_modular = no
+ # Initiate IKEv2 reauthentication with a make-before-break scheme.
+ # make_before_break = no
+
+ # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
+ # and track concurrently.
+ # max_ikev1_exchanges = 3
+
# Maximum packet size accepted by charon.
# max_packet = 10000
@@ -136,6 +164,11 @@ charon {
# will be allocated.
# port_nat_t = 4500
+ # Prefer locally configured proposals for IKE/IPsec over supplied ones as
+ # responder (disabling this can avoid keying retries due to
+ # INVALID_KE_PAYLOAD notifies).
+ # prefer_configured_proposals = yes
+
# By default public IPv6 addresses are preferred over temporary ones (RFC
# 4941), to make connections more stable. Enable this option to reverse
# this.
@@ -169,11 +202,11 @@ charon {
# Number of times to retransmit a packet before giving up.
# retransmit_tries = 5
- # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
- # resolution failed), 0 to disable retries.
+ # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
+ # DNS resolution failed), 0 to disable retries.
# retry_initiate_interval = 0
- # Initiate CHILD_SA within existing IKE_SAs.
+ # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
# reuse_ikesa = yes
# Numerical routing table to install routes to.
@@ -197,6 +230,12 @@ charon {
# Send strongSwan vendor ID payload
# send_vendor_id = no
+ # Whether to enable Signature Authentication as per RFC 7427.
+ # signature_authentication = yes
+
+ # Whether to enable constraints against IKEv2 signature schemes.
+ # signature_authentication_constraints = yes
+
# Number of worker threads in charon.
# threads = 16
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 994df14..207eada 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -47,7 +47,7 @@ else
ipsec=n
fi
-fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S'
+fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A f2b-\S'
IPsec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
declare -A rss=() tables=()
@@ -66,21 +66,21 @@ usage() {
}
log() {
- /usr/bin/logger -st firewall -p user.info -- "$@"
+ logger -st firewall -p user.info -- "$@"
}
fatal() {
- /usr/bin/logger -st firewall -p user.err -- "$@"
+ logger -st firewall -p user.err -- "$@"
exit 1
}
iptables() {
# Fake iptables/ip6tables(8); use the more efficient
# iptables-restore(8) instead.
- echo "$@" >> "$new";
+ echo "$@" >>"$new";
}
commit() {
# End a table
- echo COMMIT >> "$new"
+ echo COMMIT >>"$new"
}
inet46() {
case "$1" in
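Review bot: Replacing `/usr/bin/logger` with a bare `logger` (and, in the later hunks of this file, `diff`, `ip`, `iptables-save`/`-restore`, `netmask`, `tty`, and the commands inside the `trap` strings) makes a root-run script resolve every tool through the caller's PATH, and none of the visible hunks sets one. Unless the top of the script, which is outside these hunks, already pins it, add `PATH=/usr/sbin:/usr/bin:/sbin:/bin` before the first command runs so a cron or sudo invocation with a restricted or unusual PATH cannot resolve a different binary. The same note applies to the hunks starting at `@@ -96`, `@@ -127`, `@@ -143`, `@@ -152`, `@@ -164`, `@@ -212`, `@@ -260`, `@@ -340`, `@@ -394` and `@@ -403`.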
@@ -96,25 +96,25 @@ ipt-chains() {
?*) echo "*$1";;
esac
shift
- done >> "$new"
+ done >>"$new"
}
ipt-trim() {
# Remove dynamic chain/rules from the input stream, as they are
# automatically included by third-party servers (such as strongSwan
# or fail2ban). The output is ready to be made persistent.
- grep -Ev -e '^:fail2ban-\S' \
+ grep -Ev -e '^:f2b-\S' \
-e "$IPsec_re" \
- -e '-j fail2ban-\S+$' \
+ -e '-j f2b-\S+$' \
-e "$fail2ban_re"
}
ipt-diff() {
# Get the difference between two rulesets.
if [ $verbose -eq 1 ]; then
- /usr/bin/diff -u -I '^#' "$1" "$2"
+ diff -u -I '^#' --color=auto "$@"
else
- /usr/bin/diff -q -I '^#' "$1" "$2" >/dev/null
+ diff -q -I '^#' "$@" >/dev/null
fi
}
@@ -127,12 +127,12 @@ ipt-persist() {
local f rs table
for f in "${!tables[@]}"; do
- ipts=/sbin/$(inet46 $f iptables ip6tables)-save
+ ipts=$(inet46 $f iptables ip6tables)-save
rs=/etc/iptables/rules.v$f
for table in ${tables[$f]}; do
- /bin/ip netns exec $netns $ipts -t $table
- done | ipt-trim > "$rs"
+ ip netns exec $netns $ipts -t $table
+ done | ipt-trim >"$rs"
chmod 0600 "$rs"
done
}
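Review bot: `done | ipt-trim >"$rs"` creates `/etc/iptables/rules.v$f` with the process umask and only then tightens it with `chmod 0600`, so on a host where the file does not exist yet there is a short window in which the full ruleset is readable by others. Wrapping the write as `( umask 077; for table in ${tables[$f]}; do ip netns exec $netns $ipts -t $table; done | ipt-trim >"$rs" )` closes that window; if the script already sets `umask 077` near its top (outside this hunk) the chmod alone is enough.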
@@ -143,7 +143,7 @@ ipt-revert() {
local rs
for f in "${!rss[@]}"; do
- /sbin/$(inet46 $f iptables ip6tables)-restore -c < "${rss[$f]}"
+ $(inet46 $f iptables ip6tables)-restore -c <"${rss[$f]}"
rm -f "${rss[$f]}"
done
exit 1
@@ -152,7 +152,7 @@ ipt-revert() {
run() {
# Build and apply the firewall for IPv4/6.
local f="$1"
- local ipt=/sbin/$(inet46 $f iptables ip6tables)
+ local ipt=$(inet46 $f iptables ip6tables)
tables[$f]=filter
# The default interface associated with this address.
@@ -164,14 +164,14 @@ run() {
new=$(mktemp --tmpdir new-rules.v$f.XXXXXX)
for table in ${tables[$f]}; do
$ipt-save -ct $table
- done > "$old"
+ done >"$old"
rss[$f]="$old"
local fail2ban=0
# XXX: As of Wheezy, fail2ban is IPv4 only. See
# https://github.com/fail2ban/fail2ban/issues/39 for the current
# state of the art.
- if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then
+ if [ "$f" = 4 ] && which fail2ban-server >/dev/null; then
fail2ban=1
fi
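Review bot: `which fail2ban-server >/dev/null` is a non-POSIX external lookup; the shell builtin `command -v fail2ban-server >/dev/null` does the same check without spawning a process and is the usual idiom. The comment above it still says "As of Wheezy, fail2ban is IPv4 only" even though this commit moves the baseline to Stretch; updating it to name the release actually being assumed (e.g. "As of Stretch (fail2ban 0.9), ...") keeps the IPv4-only guard explainable. run() continues outside this hunk.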
@@ -191,14 +191,14 @@ run() {
if [ $fail2ban -eq 1 ]; then
echo ":fail2ban - [0:0]"
# Don't remove existing rules & traps in the current rulest
- grep -- '^:fail2ban-\S' "$old" || true
- grep -E -- ' -j fail2ban-\S+$' "$old" || true
- grep -E -- "$fail2ban_re" "$old" || true
- fi >> "$new"
+ grep -- '^:f2b-\S' "$old" || true
+ grep -E -- ' -j f2b-\S+$' "$old" || true
+ grep -E -- "$fail2ban_re" "$old" || true
+ fi >>"$new"
- if [ "$f" = 4 -a "$ipsec" = y ]; then
+ if [ "$f" = 4 -o "$f" = 6 ] && [ "$ipsec" = y ]; then
# IPsec tunnels come first (IPv4 only).
- grep -E -- "$IPsec_re" "$old" >> "$new" || true
+ grep -E -- "$IPsec_re" "$old" >>"$new" || true
# Allow any IPsec $secproto protocol packets to be sent and received.
iptables -A INPUT -i $if -p $secproto -j ACCEPT
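Review bot: The new condition `[ "$f" = 4 -o "$f" = 6 ] && [ "$ipsec" = y ]` is a tautology for the address families this script iterates over (`${addrfam:=4 6}` in the hunk at `@@ -403`), so it reduces to `if [ "$ipsec" = y ]; then`, and the comment on the next line still says "(IPv4 only)" although IPv6 is now included; both should be updated together. The chain declared as `:fail2ban - [0:0]` keeps its old name while the surrounding greps now match `f2b-` chains; that is presumably a locally created chain that fail2ban is told to hook into rather than one fail2ban creates itself, but worth confirming against the jail configuration since a mismatch would silently drop the traps. run() continues outside this hunk.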
@@ -212,14 +212,14 @@ run() {
# http://baldric.net/loose-iptables-firewall-for-servers/
local ip
- if [ "$f" = 4 -a "$ipsec" = y ]; then
+ if [ "$f" = 4 ] && [ "$ipsec" = y ]; then
# Private-use networks (RFC 1918) and link local (RFC 3927)
- local MyIPsec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
- local MyNetwork="$( /bin/ip -4 -o address show dev $if scope global \
+ local MyIPsec="$( ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
+ local MyNetwork="$( ip -4 -o address show dev $if scope global \
| sed -nr "s/^[0-9]+:\s+$if\s+inet\s(\S+).*/\1/p" \
| while read ip; do
for ips in $MyIPsec; do
- [ "$ips" = "$(/usr/bin/netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip"
+ [ "$ips" = "$(netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip"
done
done
)"
@@ -227,7 +227,7 @@ run() {
for ip in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
# Don't lock us out if we are behind a NAT ;-)
for myip in $MyNetwork; do
- [ "$ip" = "$(/usr/bin/netmask -nc "$ip" "$myip" | sed 's/^ *//')" ] || echo "$ip"
+ [ "$ip" = "$(netmask -nc "$ip" "$myip" | sed 's/^ *//')" ] || echo "$ip"
done | uniq | while read ip; do iptables -A INPUT -i $if -s "$ip" -j DROP; done
done
@@ -260,9 +260,9 @@ run() {
local localhost=$(inet46 $f '127.0.0.1/8' '::1/128')
iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT
iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
- if [ "$f" = 4 -a "$ipsec" = y ]; then
+ if [ "$f" = 4 ] && [ "$ipsec" = y ]; then
# Allow local access to our virtual IP
- /bin/ip -4 -o route show table 220 dev $if \
+ ip -4 -o route show table 220 dev $if \
| sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?$/\1/p' \
| while read ips; do
iptables -A INPUT -i lo -s "$ips" -d "$ips" -j ACCEPT
@@ -340,25 +340,25 @@ run() {
# to restore the counters when reverting.)
sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \
-e 's/^\[[0-9]+:[0-9]+\]\s+//' \
- "$old" > "$oldz"
+ "$old" >"$oldz"
- /bin/ip netns exec $netns $ipt-restore <"$new" || ipt-revert
+ ip netns exec $netns $ipt-restore <"$new" || ipt-revert
for table in ${tables[$f]}; do
- /bin/ip netns exec $netns $ipt-save -t $table
- done > "$new"
+ ip netns exec $netns $ipt-save -t $table
+ done >"$new"
- ipt-diff "$oldz" "$new" || rv1=$?
+ ipt-diff --label="a/$ipt-save" --label="b/$ipt-save" "$oldz" "$new" || rv1=$?
- if ! [ -f "$persistent" -a -x /etc/network/if-pre-up.d/iptables ]; then
+ if ! [ -f "$persistent" ] && [ -x /etc/network/if-pre-up.d/iptables ]; then
rv2=1
else
- ipt-trim < "$oldz" | ipt-diff - "$persistent" || rv2=$?
+ ipt-trim <"$new" | ipt-diff --label="a/rules.v$f" --label="b/$ipt-save" "$persistent" - || rv2=$?
fi
local update="Please run '${0##*/}'."
if [ $check -eq 0 ]; then
- $ipt-restore <"$new" || ipt-revert
+ uniq "$new" | $ipt-restore || ipt-revert
else
if [ $rv1 -ne 0 ]; then
log "WARN: The IPv$f firewall is not up to date! $update"
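Review bot: The rewrite of `if ! [ -f "$persistent" -a -x /etc/network/if-pre-up.d/iptables ]` is not equivalent: the original is true when either the persistent file or the hook is missing, but the new `! [ -f "$persistent" ] && [ -x /etc/network/if-pre-up.d/iptables ]` is true only when the file is missing and the hook is present. As a result, when `$persistent` exists without the hook, `rv2` is now derived from a diff instead of being set to 1, and when both are missing the else branch runs `ipt-diff` against a non-existent file. The other `-a`/`-o` conversions in this file are equivalent; this one should read `if ! [ -f "$persistent" ] || ! [ -x /etc/network/if-pre-up.d/iptables ]; then`. run() continues outside this hunk.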
@@ -394,7 +394,7 @@ done
# If we are going to apply the ruleset, we should either have a TTY, or
# use -f.
-if ! /usr/bin/tty -s && [ $force -eq 0 -a $check -eq 0 ]; then
+if ! tty -s && [ $force -eq 0 ] && [ $check -eq 0 ]; then
echo "Error: Not a TTY. Try with -f (at your own risks!)" >&2
exit 1
fi
@@ -403,10 +403,10 @@ fi
# we can easily get a normalized version we can compare latter. See
# http://bugzilla.netfilter.org/show_bug.cgi?id=790
netns="ipt-firewall-test-$$"
-/bin/ip netns add $netns
+ip netns add $netns
-trap '/bin/ip netns del $netns 2>/dev/null || true; ipt-revert' SIGINT
-trap '/bin/ip netns del $netns; rm -f "${rss[@]}"' EXIT
+trap 'ip netns del $netns 2>/dev/null || true; ipt-revert' SIGINT
+trap 'ip netns del $netns; rm -f "${rss[@]}"' EXIT
rv=0
for f in ${addrfam:=4 6}; do
@@ -417,7 +417,7 @@ if [ $force -eq 1 ]; then
# At the user's own risks...
ipt-persist
-elif [ $check -eq 1 -o $rv -eq 0 ]; then
+elif [ $check -eq 1 ] || [ $rv -eq 0 ]; then
# Nothing to do, we're all set.
exit $rv
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml
index 1877f21..7692c28 100644
--- a/roles/common/tasks/mail.yml
+++ b/roles/common/tasks/mail.yml
@@ -2,7 +2,7 @@
apt: pkg={{ item }}
with_items:
# That one is nicer than GNU mailutils' mailx(1)
- - heirloom-mailx
+ - s-nail
- postfix
- postfix-cdb
diff --git a/roles/common/templates/etc/apt/preferences.j2 b/roles/common/templates/etc/apt/preferences.j2
index 4e18a6e..383037f 100644
--- a/roles/common/templates/etc/apt/preferences.j2
+++ b/roles/common/templates/etc/apt/preferences.j2
@@ -3,27 +3,27 @@
# Install updates as soon as they're available
Package: *
-Pin: release a={{ ansible_lsb.codename }}-updates
+Pin: release o=Debian, n={{ ansible_lsb.codename }}-updates
Pin-Priority: 990
{% if 'backports' in group_names -%}
# Automatically packages from backports (those manually installed)
Package: *
-Pin: release a={{ ansible_lsb.codename }}-backports
+Pin: release o=Debian Backports, n={{ ansible_lsb.codename }}-backports
Pin-Priority: 200
{% endif %}
{% if inventory_hostname_short in non_free_packages.keys() -%}
# Automatically upgrade non-free firmwares (when manually installed)
Package: {{ non_free_packages[inventory_hostname_short] | join (' ') }}
-Pin: version *
+Pin: release o=Debian
Pin-Priority: 200
{% endif %}
{% if ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest' -%}
# Automatically upgrade the microcode (when manually installed)
Package: intel-microcode iucode-tool
-Pin: version *
+Pin: release o=Debian
Pin-Priority: 200
{% endif %}
diff --git a/roles/common/templates/etc/apt/sources.list.j2 b/roles/common/templates/etc/apt/sources.list.j2
index 8d1b7fd..4ae1cb5 100644
--- a/roles/common/templates/etc/apt/sources.list.j2
+++ b/roles/common/templates/etc/apt/sources.list.j2
@@ -2,12 +2,12 @@
# Do NOT edit this file directly!
# vim: set filetype=debsources :
-deb http://deb.debian.org/debian/ {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and ansible_virtualization_role == 'guest') %} contrib non-free{% endif %}
+deb http://deb.debian.org/debian {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %}
-deb http://deb.debian.org/debian-security/ {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %}
+deb http://deb.debian.org/debian-security {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %}
-deb http://deb.debian.org/debian/ {{ ansible_lsb.codename }}-updates main
+deb http://deb.debian.org/debian {{ ansible_lsb.codename }}-updates main
{% if 'backports' in group_names -%}
-deb http://deb.debian.org/debian/ {{ ansible_lsb.codename }}-backports main
+deb http://deb.debian.org/debian {{ ansible_lsb.codename }}-backports main
{% endif %}
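Review bot: The new lines keep plain `http://` for deb.debian.org; apt's signature verification protects package integrity, but the list of packages a host fetches stays observable on the wire, and deb.debian.org serves the same content over HTTPS. On Stretch, switching the scheme would additionally require `apt-transport-https` to be installed before these sources are written, so this is a follow-up rather than a defect in the hunk. The `not ansible_virtualization_role == 'guest'` fix on the first line now matches the condition on the security line; the duplicated Jinja expression could be computed once into a variable to keep the two from drifting again.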
diff --git a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
index 6cfa3f9..2d434bc 100644
--- a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
+++ b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
@@ -36,6 +36,7 @@ user root
[df*]
env.warning 92
env.critical 98
+env.exclude_re ^/run/user
[exim_mailqueue]
group adm, (Debian-exim)
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index af909ba..55361ee 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -4,10 +4,11 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-readme_directory = no
-mail_owner = postfix
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+mail_owner = postfix
+compatibility_level = 2
myorigin = /etc/mailname
myhostname = {{ ansible_fqdn }}
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index c30f95b..10fc303 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -11,7 +11,7 @@
# ==========================================================================
{% if inst is not defined %}
-[127.0.0.1]:16132 inet n - - - - smtpd
+[127.0.0.1]:16132 inet n - y - - smtpd
{% elif inst == 'MX' %}
smtpd pass - - n - - smtpd
-o cleanup_service_name=cleanup_nochroot
@@ -20,7 +20,7 @@ tlsproxy unix - - n - 0 tlsproxy
dnsblog unix - - n - 0 dnsblog
cleanup_nochroot unix n - n - 0 cleanup
{% elif inst == 'MSA' %}
-submission inet n - - - - smtpd
+submission inet n - y - - smtpd
-o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - - - - smtpd
@@ -34,30 +34,30 @@ submission inet n - - - - smtpd
[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
{% endif %}
-pickup unix n - - 60 1 pickup
-cleanup unix n - - - 0 cleanup
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
-tlsmgr unix - - - 1000? 1 tlsmgr
-rewrite unix - - - - - trivial-rewrite
-bounce unix - - - - 0 bounce
-defer unix - - - - 0 bounce
-trace unix - - - - 0 bounce
-verify unix - - - - 1 verify
-flush unix n - - 1000? 0 flush
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
-smtp unix - - - - - smtp
-relay unix - - - - - smtp
+smtp unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
-showq unix n - - - - showq
-error unix - - - - - error
-retry unix - - - - - error
-discard unix - - - - - discard
+relay unix - - y - - smtp
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
-lmtp unix - - - - - lmtp
-anvil unix - - - - 1 anvil
-scache unix - - - - 1 scache
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
{% if inst is defined and inst == 'MX' %}
reserved-alias unix - n n - - pipe
flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
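Review bot: With `compatibility_level = 2` now set in main.cf, a `-` in the chroot column no longer means chrooted, which is presumably why the changed lines switch so many services to an explicit `y`; but the two remaining `inet ... smtpd` entries left as context, `[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - - - - smtpd` in the previous hunk and `[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd` at the top of this one, still carry `-` and would therefore run un-chrooted unlike the sibling listeners that were changed. If the intent is to keep every network-facing smtpd chrooted, set their chroot column to `y` as well; if the non-chroot is deliberate for those instances, an explicit `n` with a short comment would make that visible.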
@@ -76,7 +76,7 @@ amavisfeed unix - - n - 5 lmtp
-o disable_dns_lookups=yes
# Server part (smtpd) - amavis
-[127.0.0.1]:10025 inet n - n - - smtpd
+[127.0.0.1]:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
diff --git a/roles/lacme/handlers/main.yml b/roles/lacme/handlers/main.yml
deleted file mode 100644
index 0b9ddfc..0000000
--- a/roles/lacme/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: Install lacme
- apt: deb=/tmp/lacme_0.2-1_all.deb
diff --git a/roles/lacme/tasks/main.yml b/roles/lacme/tasks/main.yml
index 6dcf6ec..9ff88c2 100644
--- a/roles/lacme/tasks/main.yml
+++ b/roles/lacme/tasks/main.yml
@@ -1,19 +1,9 @@
-- name: Install dependencies for lacme
- apt: pkg={{ item }}
- with_items:
- - libjson-perl
- - libjson-xs-perl
- - libconfig-tiny-perl
- - libwww-perl
+- name: Install lacme
+ apt: pkg={{ packages }} install_recommends=no
+ vars:
+ packages:
- liblwp-protocol-https-perl
- - libnet-ssleay-perl
-
-- name: Copy lacme
- copy: src=deb/lacme_0.2-1_all.deb
- dest=/tmp
- notify: Install lacme
-
-- meta: flush_handlers
+ - lacme
- name: Create a user 'lacme'
user: name=lacme system=yes