authorGuilhem Moulin <guilhem@fripost.org>2013-10-31 01:10:49 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:50:31 +0200
commitbda835d0051950c63c0f38bbf11fb6fe47b4af36 (patch)
tree9d3a02eb42dafddf5f151153d1058ebfc72a3cf0
parent42ec51e418142f68a97d96663a43ae617c971ad5 (diff)
Configure the (basic) logging policy.
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/common.local6
-rw-r--r--roles/common/files/etc/logcheck/logcheck.conf85
-rw-r--r--roles/common/files/etc/logrotate.d/fripost-mail17
-rw-r--r--roles/common/tasks/logging.yml32
-rw-r--r--roles/common/tasks/main.yml1
5 files changed, 141 insertions, 0 deletions
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common.local b/roles/common/files/etc/logcheck/ignore.d.server/common.local
new file mode 100644
index 0000000..22fe621
--- /dev/null
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common.local
@@ -0,0 +1,6 @@
+# Ansible Managed
+# Do NOT edit this file directly!
+#
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version
+# Ansible logs everything into syslog
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-[a-z]+: Invoked
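Review bot: The Ansible ignore rule on the last line matches only module names made of lowercase letters, so invocations of modules whose names contain an underscore (apt_key, apt_repository, and similar) would presumably not be matched and would still land in the logcheck report; widening the class, `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-[_a-z]+: Invoked`, covers them. Whether the syslog tag is exactly `ansible-<module>` depends on the Ansible version in use, so confirm against a live log line before relying on the rule. Note that this rule only suppresses the lines from the emailed report; the entries stay in syslog, which is the right place for the audit trail.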
diff --git a/roles/common/files/etc/logcheck/logcheck.conf b/roles/common/files/etc/logcheck/logcheck.conf
new file mode 100644
index 0000000..9a7e7c6
--- /dev/null
+++ b/roles/common/files/etc/logcheck/logcheck.conf
@@ -0,0 +1,85 @@
+# The following variable settings are the initial default values,
+# which can be uncommented and modified to alter logcheck's behaviour
+
+# Controls the format of date-/time-stamps in subject lines:
+# Alternatively, set the format to suit your locale
+
+#DATE="$(date +'%Y-%m-%d %H:%M')"
+
+# Controls the presence of boilerplate at the top of each message:
+# Alternatively, set to "0" to disable the introduction.
+#
+# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
+# are present their contents will be read and used as the header and
+# footer of any generated mails.
+
+INTRO=0
+
+# Controls the level of filtering:
+# Can be Set to "workstation", "server" or "paranoid" for different
+# levels of filtering. Defaults to server if not set.
+
+REPORTLEVEL="server"
+
+# Controls the address mail goes to:
+# *NOTE* the script does not set a default value for this variable!
+# Should be set to an offsite "emailaddress@some.domain.tld"
+
+SENDMAILTO="admin@fripost.org"
+
+# Send the results as attachment or not.
+# 0=not as attachment; 1=as attachment; 2=as gzip attachment
+# Default is 0
+
+MAILASATTACH=0
+
+# Should the hostname in the subject of generated mails be fully qualified?
+
+FQDN=1
+
+# Controls whether "sort -u" is used on log entries (which will
+# eliminate duplicates but destroy the original ordering); the
+# default is to use "sort -k 1,3 -s":
+# Alternatively, set to "1" to enable unique sorting
+
+#SORTUNIQ=0
+
+# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
+# exceptions to the rules in /etc/logcheck/cracking.d:
+# Alternatively, set to "1" to enable cracking.ignore support
+
+#SUPPORT_CRACKING_IGNORE=0
+
+# Controls the base directory for rules file location
+# This must be an absolute path
+
+#RULEDIR="/etc/logcheck"
+
+# Controls if syslog-summary is run over each section.
+# Alternatively, set to "1" to enable extra summary.
+# HINT: syslog-summary needs to be installed.
+
+#SYSLOGSUMMARY=0
+
+# Controls Subject: lines on logcheck reports:
+
+#ATTACKSUBJECT="Security Alerts"
+#SECURITYSUBJECT="Security Events"
+#EVENTSSUBJECT="System Events"
+
+# Controls [logcheck] prefix on Subject: lines
+
+#ADDTAG="no"
+
+# Set a different location for temporary files than /tmp
+# this is useful if your /tmp is small and you are getting
+# errors such as:
+# cp: writing `/tmp/logcheck.y12449/checked': No space left on device
+# /usr/sbin/logcheck: line 161: cannot create temp file for here document: No space left on device
+# mail: /tmp/mail.RsXXXXpc2eAx: No space left on device
+# Null message body; hope that's ok
+#
+# If this is happening, likely you will want to change the following to be some other
+# location, such as /var/tmp
+
+TMP="/tmp"
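Review bot: This file is deployed by the "Configure logcheck" copy task but, unlike ignore.d.server/common.local in the same commit, carries no "Ansible Managed / Do NOT edit this file directly!" header, so an administrator editing it on the host will have the change silently reverted on the next run; the same applies to etc/logrotate.d/fripost-mail. Adding the two-line header used in common.local at the top of both files keeps the three managed files consistent. The values actually changed from the Debian defaults (INTRO, SENDMAILTO, FQDN, TMP) are easy to miss among the commented-out defaults; a one-line comment above each, such as `# fripost: changed from the packaged default`, would make the local policy visible at a glance.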
diff --git a/roles/common/files/etc/logrotate.d/fripost-mail b/roles/common/files/etc/logrotate.d/fripost-mail
new file mode 100644
index 0000000..9ed2617
--- /dev/null
+++ b/roles/common/files/etc/logrotate.d/fripost-mail
@@ -0,0 +1,17 @@
+# Don't forget to remove these log files from other files under
+# /etc/logrotate.d/ !
+
+/var/log/mail.log
+/var/log/mail.info
+{
+ rotate 3
+ daily
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog rotate > /dev/null
+ endscript
+}
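Review bot: The stanza rotates the mail logs without a `create` directive, so the ownership and mode of the freshly created /var/log/mail.log and /var/log/mail.info are left to rsyslog's own file-creation settings; mail logs carry sender and recipient addresses, so an explicit `create 0640 root adm` inside the block would pin them to a non-world-readable mode independently of the rsyslog configuration, which is not shown here. `rotate 3` with `daily` keeps roughly three days of mail history, which is a deliberate data-minimisation choice per the task name but also bounds how far back an incident investigation can look; a comment stating that trade-off above the block would save the next maintainer from "fixing" it.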
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
new file mode 100644
index 0000000..d305e29
--- /dev/null
+++ b/roles/common/tasks/logging.yml
@@ -0,0 +1,32 @@
+- name: Install logging server & utilities
+ apt: pkg={{ item }}
+ with_items:
+ - rsyslog
+ - syslog-summary
+ - logcheck
+ - logcheck-database
+ - logrotate
+
+- name: Configure logcheck
+ copy: src=etc/logcheck/{{ item }}
+ dest=/etc/logcheck/{{ item }}
+ owner=root group=logcheck
+ mode=0640
+ with_items:
+ - logcheck.conf
+ - ignore.d.server/common.local
+
+- name: Minimal logging policy (1)
+ lineinfile: dest=/etc/logrotate.d/rsyslog
+ regexp="^/var/log/mail.(log|info)$"
+ state=absent
+
+- name: Minimal logging policy (2)
+ copy: src=etc/logrotate.d/fripost-mail
+ dest=/etc/logrotate.d/fripost-mail
+ owner=root group=root
+ mode=0644
+
+# TODO: We also have specialized per-role logcheck rulesets, per-role
+# logrotate configuration (/etc/logrotate.d), and per-role rsyslog
+# configuration (/etc/rsyslog.d).
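Review bot: The `regexp` in "Minimal logging policy (1)" leaves the dot unescaped, so `mail.(log|info)` matches any character before `log`/`info`; it works today only because nothing else in that file looks alike, and `regexp="^/var/log/mail\.(log|info)$"` states the intent precisely. That task removes only mail.log and mail.info from /etc/logrotate.d/rsyslog, so mail.warn and mail.err, which on a Debian default install are presumably still listed in that file's stanza, keep the packaged (longer) retention while containing the same addresses the short policy is meant to limit; either add them to the regexp and to fripost-mail, or document why they are left out. A short comment above the two "Minimal logging policy" tasks explaining that mail logs are deliberately kept for a few days only would make the policy discoverable from the playbook itself.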
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index ea85900..3ee4f49 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -7,3 +7,4 @@
- include: rkhunter.yml tags=rkhunter
- include: fail2ban.yml tags=fail2ban
- include: ipsec.yml tags=strongswan,ipsec
+- include: logging.yml tags=logging