summaryrefslogtreecommitdiffstats
path: root/roles/common
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-05-16 02:52:55 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-16 05:45:59 +0200
commitbac7811d2b35252b7a83a45d75bb344b4b1776a9 (patch)
tree02176a15d570cab6dbd55b52b6df5c7b7b0538b1 /roles/common
parentc4f24043baeccc95556fb9c3c032505ecadb5fbd (diff)
Upgrade baseline to Debian 10.
Diffstat (limited to 'roles/common')
-rw-r--r--roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades87
-rw-r--r--roles/common/files/etc/apt/listchanges.conf3
-rw-r--r--roles/common/files/etc/logcheck/logcheck.conf13
-rw-r--r--roles/common/files/etc/logrotate.d/fripost-mail4
-rw-r--r--roles/common/files/etc/rkhunter.conf240
-rw-r--r--roles/common/files/etc/rsyslog.conf8
-rw-r--r--roles/common/files/etc/strongswan.d/charon.conf32
-rw-r--r--roles/common/files/etc/strongswan.d/charon/socket-default.conf3
-rw-r--r--roles/common/files/etc/systemd/system/bacula-fd.service6
-rw-r--r--roles/common/files/etc/systemd/system/munin-node.service.d/override.conf13
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall14
-rw-r--r--roles/common/handlers/main.yml6
-rw-r--r--roles/common/tasks/bacula.yml8
-rw-r--r--roles/common/tasks/fail2ban.yml4
-rw-r--r--roles/common/tasks/ipsec.yml2
-rw-r--r--roles/common/tasks/main.yml1
-rw-r--r--roles/common/tasks/munin-node.yml26
-rw-r--r--roles/common/templates/etc/bacula/bacula-fd.conf.j25
-rw-r--r--roles/common/templates/etc/munin/munin-node.conf.j22
-rw-r--r--roles/common/templates/etc/munin/plugin-conf.d/munin-node.j22
-rwxr-xr-xroles/common/templates/etc/nftables.conf.j210
-rw-r--r--roles/common/templates/etc/ntp.conf.j22
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j22
23 files changed, 362 insertions, 131 deletions
diff --git a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades
index 86c6508..02ec1e1 100644
--- a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades
+++ b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades
@@ -19,15 +19,17 @@
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
-// ${distro_codename} Installed codename (eg, "jessie")
+// ${distro_codename} Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
-// "o=Debian,n=jessie";
-// "o=Debian,n=jessie-updates";
-// "o=Debian,n=jessie-proposed-updates";
-// "o=Debian,n=jessie,l=Debian-Security";
+ // Software will be the latest available for the named release,
+ // but the Debian release itself will not be automatically upgraded.
+// "origin=Debian,codename=${distro_codename}-updates";
+// "origin=Debian,codename=${distro_codename}-proposed-updates";
+ "origin=Debian,codename=${distro_codename},label=Debian";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
@@ -36,33 +38,53 @@ Unattended-Upgrade::Origins-Pattern {
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
- "origin=Debian,codename=${distro_codename},label=Debian-Security";
+// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
-// List of packages to not update (regexp are supported)
+// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
-// "vim";
-// "libc6";
-// "libc6-dev";
-// "libc6-i686";
+ // The following matches all packages starting with linux-
+// "linux-";
+
+ // Use $ to explicitely define the end of a package name. Without
+ // the $, "libc6" would match all of them.
+// "libc6$";
+// "libc6-dev$";
+// "libc6-i686$";
+
+ // Special characters need escaping
+// "libstdc\+\+6$";
+
+ // The following matches packages like xen-system-amd64, xen-utils-4.1,
+ // xenstore-utils and libxenstore3.0
+// "(lib)?xen(store)?";
+
+ // For more information about Python regular expressions, see
+ // https://docs.python.org/3/howto/regex.html
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
-//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
-// they can be interrupted with SIGUSR1. This makes the upgrade
+// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
-// Install all unattended-upgrades when the machine is shuting down
-// instead of doing it in the background while the machine is running
-// This will (obviously) make shutdown slower
-//Unattended-Upgrade::InstallOnShutdown "true";
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
@@ -72,17 +94,25 @@ Unattended-Upgrade::Mail "admin@fripost.org";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
-//Unattended-Upgrade::MailOnlyOnError "true";
+//Unattended-Upgrade::MailOnlyOnError "false";
-// Do automatic removal of new unused dependencies after the upgrade
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Automatically reboot *WITHOUT CONFIRMATION* if
-// the file /var/run/reboot-required is found after the upgrade
+// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
-// Automatically reboot even if there are users currently logged in.
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
@@ -99,3 +129,18 @@ Acquire::http::Dl-Limit "256";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";
diff --git a/roles/common/files/etc/apt/listchanges.conf b/roles/common/files/etc/apt/listchanges.conf
index dc31f5e..cee0648 100644
--- a/roles/common/files/etc/apt/listchanges.conf
+++ b/roles/common/files/etc/apt/listchanges.conf
@@ -4,3 +4,6 @@ email_address=admin@fripost.org
confirm=0
save_seen=/var/lib/apt/listchanges.db
which=news
+email_format=text
+headers=false
+reverse=false
diff --git a/roles/common/files/etc/logcheck/logcheck.conf b/roles/common/files/etc/logcheck/logcheck.conf
index 9a7e7c6..4c7ff10 100644
--- a/roles/common/files/etc/logcheck/logcheck.conf
+++ b/roles/common/files/etc/logcheck/logcheck.conf
@@ -69,7 +69,18 @@ FQDN=1
# Controls [logcheck] prefix on Subject: lines
-#ADDTAG="no"
+#ADDTAG="no"
+
+# Previous versions of logcheck always sent messages in 7bit encoding,
+# even if that resulted in RFC-violating messages. For example, really
+# long syslog lines would generate too-long SMTP lines, which are
+# rejected at least by Debian's default exim configuration. The new
+# default is to let mime-construct pick an appropriate encoding, but you
+# can override it by setting the below (to any of the encodings
+# supported by mime-construct). You may need to do this if you have
+# tools handling logcheck emails that don't understand MIME encoding.
+
+#MIMEENCODING=
# Set a different location for temporary files than /tmp
# this is useful if your /tmp is small and you are getting
diff --git a/roles/common/files/etc/logrotate.d/fripost-mail b/roles/common/files/etc/logrotate.d/fripost-mail
index 4fc1a85..7f7ffc2 100644
--- a/roles/common/files/etc/logrotate.d/fripost-mail
+++ b/roles/common/files/etc/logrotate.d/fripost-mail
@@ -12,7 +12,7 @@
delaycompress
sharedscripts
postrotate
- invoke-rc.d rsyslog rotate > /dev/null
+ /usr/lib/rsyslog/rsyslog-rotate
endscript
}
@@ -29,6 +29,6 @@
delaycompress
sharedscripts
postrotate
- invoke-rc.d rsyslog rotate > /dev/null
+ /usr/lib/rsyslog/rsyslog-rotate
endscript
}
diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf
index b6a7d06..ce3b2d6 100644
--- a/roles/common/files/etc/rkhunter.conf
+++ b/roles/common/files/etc/rkhunter.conf
@@ -14,8 +14,8 @@
# been made.
#
# Please review the documentation before posting bug reports or questions.
-# To report bugs, obtain updates, or provide patches or comments, please go
-# to: http://rkhunter.sourceforge.net
+# To report bugs, provide patches or comments, please go to:
+# http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list.
# Note that this is a moderated list, so please subscribe before posting.
@@ -50,7 +50,8 @@
# should be configured with one entry per line as in the first example.
#
# If wildcard characters (globbing) are allowed for an option, then the
-# text describing the option will say so.
+# text describing the option will say so. Any globbing character explicitly
+# required in a pathname should be escaped.
#
# Space-separated lists may be enclosed by quotes, although they are not
# required. If they are used, then they must only appear at the start and
@@ -69,7 +70,9 @@
# If a configuration option is never set, then the program will assume a
# default value. The text describing the option will state the default value.
# If there is no default, then rkhunter will calculate a value or pathname
-# to use.
+# to use. If a value is set for a configuration option, then the default
+# value is ignored. If it is wished to keep the default value, as well as
+# any other set value, then the default must be explicitly set.
#
@@ -259,12 +262,12 @@ LOGFILE=/var/log/rkhunter.log
#
# USE_SYSLOG=authpriv.warning
#
-# Setting the value to 'none', or just leaving the option commented out,
+# Setting the value to 'NONE', or just leaving the option commented out,
# disables the use of syslog.
#
# The default value is not to use syslog.
#
-#USE_SYSLOG=authpriv.notice
+USE_SYSLOG=authpriv.warning
#
# Set the following option to '1' if the second colour set is to be used. This
@@ -317,12 +320,12 @@ AUTO_X_DETECT=1
#
# The default value is '0'.
#
-#ALLOW_SSH_PROT_V1=0
+ALLOW_SSH_PROT_V1=2
#
# This setting tells rkhunter the directory containing the SSH configuration
-# file. This setting will be worked out by rkhunter, and so should not
-# usually need to be set.
+# file. If unset, this setting will be worked out by rkhunter, and so should
+# not usually need to be set.
#
# This option has no default value.
#
@@ -330,8 +333,8 @@ AUTO_X_DETECT=1
#
# These two options determine which tests are to be performed. The ENABLE_TESTS
-# option can use the word 'all' to refer to all of the available tests. The
-# DISABLE_TESTS option can use the word 'none' to mean that no tests are
+# option can use the word 'ALL' to refer to all of the available tests. The
+# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
# disabled. The list of disabled tests is applied to the list of enabled tests.
#
# Both options are space-separated lists of test names, and both options may
@@ -349,14 +352,7 @@ AUTO_X_DETECT=1
# either of the options below are specified, then they will override the
# program defaults.
#
-# hidden_procs test requires the unhide and/or unhide.rb commands which are
-# part of the unhide respectively unhide.rb packages in Debian.
-#
-# apps test is disabled by default as it triggers warnings about outdated
-# applications (and warns about possible security risk: we better trust
-# the Debian Security Team).
-#
-ENABLE_TESTS=all
+ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps
#
@@ -384,11 +380,13 @@ DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
-# The default value is the SHA1 function, or MD5 if SHA1 cannot be found.
+# The default value is the SHA256 function, unless prelinking is used in
+# which case it defaults to the SHA1 function.
#
-# Also see the HASH_FLD_IDX option.
+# Also see the HASH_FLD_IDX option. In addition, note the comments under
+# the PKGMGR option relating to the use of HASH_CMD.
#
-HASH_CMD=sha512sum
+HASH_CMD=SHA512
#
# The HASH_FLD_IDX option specifies which field from the HASH_CMD command
@@ -407,20 +405,28 @@ HASH_CMD=sha512sum
# properties file ('rkhunter.dat'), and when running the file properties check.
# For RedHat/RPM-based systems, 'RPM' can be used to get information from the
# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems
-# 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value,
-# or a value of 'NONE', indicates that no package manager is to be used.
+# 'BSD' can be used, or for *BSD systems with the 'pkg' command 'BSDng' can be
+# used, and for Solaris systems 'SOLARIS' can be used. No value, or a value of
+# 'NONE', indicates that no package manager is to be used.
#
-# The current package managers, except 'SOLARIS', store the file hash values
-# using an MD5 hash function. The Solaris package manager includes a checksum
-# value, but this is not used by default (see USE_SUNSUM below).
+# The package managers obtain each file hash value using a hash function. The
+# Solaris package manager includes a 16-bit checksum value, but this is not
+# used by default (see USE_SUNSUM below). The 'RPM' and 'BSDng' package managers
+# currently use a SHA256 hash function. Other package managers will, typically,
+# use an MD5 hash function.
#
-# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
-# The 'RPM' package manager additionally provides values for the inode,
-# file permissions, uid, gid and other values. The 'SOLARIS' also provides
-# most of the values, similar to 'RPM', but not the inode number.
+# The 'DPKG', 'BSD' and 'BSDng' package managers only provide a file hash value.
+# The 'RPM' package manager additionally provides values for the inode, file
+# permissions, uid, gid and other values. The 'SOLARIS' package manager also
+# provides most of the values, similar to 'RPM', but not the inode number.
#
# For any file not part of a package, rkhunter will revert to using the
-# HASH_CMD hash function instead.
+# HASH_CMD hash function instead. This means that if the HASH_CMD option
+# is set, and PKGMGR is set, then the HASH_CMD hash function is only used,
+# and stored, for non-packaged files. All packaged files will use, and store,
+# whatever hash function the relevant package manager uses. So, for example,
+# with the 'RPM' package manager, packaged files will be stored with their
+# SHA256 value regardless of the value of the HASH_CMD option.
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
@@ -499,6 +505,9 @@ HASH_CMD=sha512sum
# simple command names.
# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
#
+# To extend the use of wildcards to include recursive checking of directories,
+# see the GLOBSTAR configuration option.
+#
# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
# option. Wildcards may be used with this option.
#
@@ -528,11 +537,8 @@ HASH_CMD=sha512sum
#USER_FILEPROP_FILES_DIRS=/usr/local/sbin
#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
-#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/*
-#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/*
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.d/*
#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
-#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat
-#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter*
#
# This option whitelists files and directories from existing, or not existing,
@@ -549,7 +555,7 @@ HASH_CMD=sha512sum
# NOTE: The user must take into consideration how often the file will appear
# and disappear from the system in relation to how often rkhunter is run. If
# the file appears, and disappears, too often then rkhunter may not notice
-# this. All it will see is that the file has changed. The inode-number and DTM
+# this. All it will see is that the file has changed. The inode number and DTM
# will certainly be different for each new file, and rkhunter will report this.
#
# The default value is the null string.
@@ -612,6 +618,18 @@ SCRIPTWHITELIST=/usr/sbin/adduser
#IMMUTABLE_SET=0
#
+# If this option is set to '1', then any changed inode value is ignored in
+# the file properties check. The inode test itself still runs, but it will
+# always return that no inodes have changed.
+#
+# This option may be useful for filesystems such as Btrfs, which handle inodes
+# slightly differently than other filesystems.
+#
+# The default value is '0'.
+#
+#SKIP_INODE_CHECK=0
+
+#
# Allow the specified hidden directory to be whitelisted.
#
# This option may be specified more than once, and may use wildcard characters.
@@ -644,13 +662,21 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# Allow the specified process to use deleted files. The process name may be
-# followed by a colon-separated list of full pathnames. The process will then
-# only be whitelisted if it is using one of the given files. For example:
+# followed by a colon-separated list of full pathnames (which have been
+# deleted). The process will then only be whitelisted if it is using one of
+# the given pathnames. For example:
#
# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
#
# This option may be specified more than once. It may also use wildcards, but
-# only in the file names.
+# only in the deleted file pathnames, not in the process name. The use of
+# extended pattern matching in pathname expansion (for example, '**') is not
+# supported for this option. However, the option itself extends globbing when
+# the '*' character is used by matching zero or more characters in the
+# pathname, including those in sub-directories. For example, the pathname
+# '/tmp/abc/def/xyz' would not be matched by shell globbing using '/tmp/*/xyz'
+# but is matched when used in this option. Similarly, using '/tmp/*' will
+# match any file found in the '/tmp' directory or any sub-directories.
#
# The default value is the null string.
#
@@ -707,6 +733,46 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
#
+# Allow the specified process pathnames to use shared memory segments.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWIPCPROC=/usr/bin/firefox
+#ALLOWIPCPROC=/usr/bin/vlc
+
+#
+# Allow the specified memory segment creator PIDs to use shared memory segments.
+#
+# This is a space-separated list of PID numbers (as given by the
+# 'ipcs -p' command). This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#ALLOWIPCPID=12345 6789
+
+#
+# Allow the specified account names to use shared memory segments.
+#
+# This is a space-separated list of account names. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#ALLOWIPCUSER=usera userb
+
+#
+# This option can be used to set the maximum shared memory segment size
+# (in bytes) that is not considered suspicious. Any segment above this size,
+# and with 600 or 666 permissions, will be considered suspicious during the
+# shared memory check.
+#
+# The default is 1048576 (1M) bytes.
+#
+#IPC_SEG_SIZE=1048576
+
+#
# This option is used to indicate if the Phalanx2 test is to perform a basic
# check, or a more thorough check. If the option is set to '0', then a basic
# check is performed. If it is set to '1', then all the directories in the
@@ -776,9 +842,9 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# This option tells rkhunter the local system startup file pathnames. The
-# directories will be searched for files. By default rkhunter will try and
-# determine were the startup files are located. If the option is set to 'NONE',
-# then certain tests will be skipped.
+# directories will be searched for files. If unset, then rkhunter will try
+# and determine were the startup files are located. If the option is set to
+# 'NONE' then certain tests will be skipped.
#
# This is a space-separated list of file and directory pathnames. The option
# may be specified more than once, and may use wildcard characters.
@@ -789,9 +855,9 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# This option tells rkhunter the pathname to the file containing the user
-# account passwords. This setting will be worked out by rkhunter, and so
-# should not usually need to be set. Users of TCB shadow files should not
-# set this option.
+# account passwords. If unset, this setting will be worked out by rkhunter,
+# and so should not usually need to be set. Users of TCB shadow files should
+# not set this option.
#
# This option has no default value.
#
@@ -825,9 +891,10 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# This option tells rkhunter the pathname to the syslog configuration file.
-# This setting will be worked out by rkhunter, and so should not usually need
-# to be set. A value of 'NONE' can be used to indicate that there is no
-# configuration file, but that the syslog daemon process may be running.
+# If unset, this setting will be worked out by rkhunter, and so should not
+# usually need to be set. A value of 'NONE' can be used to indicate that
+# there is no configuration file, but that the syslog daemon process may
+# be running.
#
# This is a space-separated list of pathnames. The option may be specified
# more than once.
@@ -896,7 +963,7 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# The default value is '1024000'.
#
-#SUSPSCAN_MAXSIZE=10240000
+#SUSPSCAN_MAXSIZE=1024000
#
# This option specifies the 'suspscan' test score threshold. Below this value
@@ -907,6 +974,18 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#SUSPSCAN_THRESH=200
#
+# This option may be used to whitelist file pathnames from the suspscan test.
+#
+# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration
+# option.
+#
+# This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#SUSPSCAN_WHITELIST=""
+
+#
# The following options can be used to whitelist network ports which are known
# to have been used by malware.
#
@@ -1076,8 +1155,8 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# This setting tells rkhunter the directory containing the available Linux
-# kernel modules. This setting will be worked out by rkhunter, and so should
-# not usually need to be set.
+# kernel modules. If unset, this setting will be worked out by rkhunter, and
+# so should not usually need to be set.
#
# This option has no default value.
#
@@ -1114,18 +1193,33 @@ WEB_CMD="/bin/false"
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
-# once. The mechanism used is to simply create a lock file in the TMPDIR
+# once. The mechanism used is to simply create a lock file in the LOCKDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
# and then retrying the lock. A value of '0' means not to use locking.
#
# The default value is '0'.
#
-# Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
+# Also see the LOCKDIR, LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
#
#USE_LOCKING=0
#
+# This option specifies the directory to be used when locking is enabled.
+# If the option is unset, then the directory to be used will be worked out
+# by rkhunter. In that instance the directories '/run/lock', '/var/lock',
+# '/var/run/lock', '/run' and '/var/run' will be checked in turn. If none
+# of those can be found, or are not read/writeable, then the TMPDIR directory
+# will be used.
+#
+# To avoid the lock file persisting across a server reboot, the directory
+# used should be memory-resident.
+#
+# This option has no default value.
+#
+#LOCKDIR=""
+
+#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
@@ -1191,22 +1285,6 @@ WEB_CMD="/bin/false"
#UNHIDETCP_OPTS=""
#
-# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system,
-# then it is possible to disable the execution of one of the programs if
-# desired. By default rkhunter will look for both programs, and execute each
-# of them as they are found. If the value of this option is '0', then both
-# programs will be executed if they are present. A value of '1' will disable
-# execution of the C 'unhide' program, and a value of '2' will disable the Ruby
-# 'unhide.rb' program. To disable both programs, then disable the
-# 'hidden_procs' test.
-#
-# The default value is '0'.
-#
-DISABLE_UNHIDE=1
-
-INSTALLDIR=/usr
-
-#
# This option can be set to either '0' or '1'. If set to '1' then the summary,
# shown after rkhunter has run, will display the actual number of warnings
# found. If it is set to '0', then the summary will simply indicate that
@@ -1249,3 +1327,25 @@ INSTALLDIR=/usr
#EMPTY_LOGFILES=""
#MISSING_LOGFILES=""
+#
+# This option can be set to either '0' or '1'. If set to '1' then the globbing
+# characters '**' can be used to allow the recursive checking of directories.
+# This can be useful, for example, with the USER_FILEPROP_FILES_DIRS option.
+# For example:
+#
+# USER_FILEPROP_FILES_DIRS=/etc/**/*.conf
+#
+# This will check all '.conf' files within the '/etc' directory, and any
+# sub-directories (at any level). If GLOBSTAR is not set, then the shell will
+# interpret '**' as '*' and only one level of sub-directories will be checked.
+#
+# NOTE: This option is only valid for those shells which support the 'globstar'
+# option. Typically this will be 'bash' (version 4 and above) via the 'shopt' command,
+# and 'ksh' via the 'set' command.
+#
+# The default value is '0'.
+#
+#GLOBSTAR=0
+
+INSTALLDIR=/usr
+
diff --git a/roles/common/files/etc/rsyslog.conf b/roles/common/files/etc/rsyslog.conf
index 70e8a77..6340537 100644
--- a/roles/common/files/etc/rsyslog.conf
+++ b/roles/common/files/etc/rsyslog.conf
@@ -1,7 +1,7 @@
-# /etc/rsyslog.conf Configuration file for rsyslog.
+# /etc/rsyslog.conf configuration file for rsyslog
#
-# For more information see
-# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+# For more information install rsyslog-doc and see
+# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
@@ -75,7 +75,7 @@ if $programname == 'amavis' and $syslogfacility-text == 'mail' and $syslogseveri
if ($programname startswith 'postfix-' or $programname == 'dovecot') and $syslogfacility-text == 'mail' and $syslogseverity >= 6 then ~
#
-# Some standard log files. Log by facility.
+# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
diff --git a/roles/common/files/etc/strongswan.d/charon.conf b/roles/common/files/etc/strongswan.d/charon.conf
index 5ed6452..22479cf 100644
--- a/roles/common/files/etc/strongswan.d/charon.conf
+++ b/roles/common/files/etc/strongswan.d/charon.conf
@@ -7,9 +7,9 @@ charon {
# Maximum number of half-open IKE_SAs for a single peer IP.
# block_threshold = 5
- # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
- # be saved under a unique file name derived from the public key of the
- # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+ # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
+ # should be saved under a unique file name derived from the public key of
+ # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
# /etc/swanctl/x509crl (vici), respectively.
# cache_crls = no
@@ -29,6 +29,10 @@ charon {
# Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
# delete_rekeyed = no
+ # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
+ # (IKEv2 only).
+ # delete_rekeyed_delay = 5
+
# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes
@@ -164,6 +168,9 @@ charon {
# will be allocated.
# port_nat_t = 4500
+ # Whether to prefer updating SAs to the path with the best route.
+ # prefer_best_path = no
+
# Prefer locally configured proposals for IKE/IPsec over supplied ones as
# responder (disabling this can avoid keying retries due to
# INVALID_KE_PAYLOAD notifies).
@@ -196,6 +203,14 @@ charon {
# in strongswan.conf(5).
# retransmit_base = 1.8
+ # Maximum jitter in percent to apply randomly to calculated retransmission
+ # timeout (0 to disable).
+ # retransmit_jitter = 0
+
+ # Upper limit in seconds for calculated retransmission timeout (0 to
+ # disable).
+ # retransmit_limit = 0
+
# Timeout in seconds before sending first retransmit.
# retransmit_timeout = 4.0
@@ -215,6 +230,9 @@ charon {
# Priority of the routing table.
# routing_table_prio =
+ # Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
+ # rsa_pss = no
+
# Delay in ms for sending packets, to simulate larger RTT.
# send_delay = 0
@@ -236,6 +254,12 @@ charon {
# Whether to enable constraints against IKEv2 signature schemes.
# signature_authentication_constraints = yes
+ # The upper limit for SPIs requested from the kernel for IPsec SAs.
+ # spi_max = 0xcfffffff
+
+ # The lower limit for SPIs requested from the kernel for IPsec SAs.
+ # spi_min = 0xc0000000
+
# Number of worker threads in charon.
# threads = 16
@@ -250,7 +274,7 @@ charon {
# Buffer size used for crypto benchmark.
# bench_size = 1024
- # Number of iterations to test each algorithm.
+ # Time in ms during which crypto algorithm performance is measured.
# bench_time = 50
# Test crypto algorithms during registration (requires test vectors
diff --git a/roles/common/files/etc/strongswan.d/charon/socket-default.conf b/roles/common/files/etc/strongswan.d/charon/socket-default.conf
index 6d4b73d..abf4650 100644
--- a/roles/common/files/etc/strongswan.d/charon/socket-default.conf
+++ b/roles/common/files/etc/strongswan.d/charon/socket-default.conf
@@ -10,6 +10,9 @@ socket-default {
# Set source address on outbound packets, if possible.
# set_source = yes
+ # Force sending interface on outbound packets, if possible.
+ # set_sourceif = no
+
# Listen on IPv4, if possible.
# use_ipv4 = yes
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service
index 792d964..119b3a2 100644
--- a/roles/common/files/etc/systemd/system/bacula-fd.service
+++ b/roles/common/files/etc/systemd/system/bacula-fd.service
@@ -9,17 +9,17 @@ ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf
# Hardening
NoNewPrivileges=yes
-PrivateDevices=yes
ProtectHome=read-only
ProtectSystem=strict
+ReadWriteDirectories=/var/lib/bacula
+RuntimeDirectory=bacula
PrivateTmp=yes
-ReadWriteDirectories=-/var/lib
-ReadWriteDirectories=-/var/run/bacula
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
[Install]
WantedBy=multi-user.target
diff --git a/roles/common/files/etc/systemd/system/munin-node.service.d/override.conf b/roles/common/files/etc/systemd/system/munin-node.service.d/override.conf
new file mode 100644
index 0000000..53747f6
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/munin-node.service.d/override.conf
@@ -0,0 +1,13 @@
+[Service]
+
+# Hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ReadWriteDirectories=/var/lib/munin-node/plugin-state
+ReadWriteDirectories=/var/log/munin
+RuntimeDirectory=munin
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID
diff --git a/roles/common/files/usr/local/sbin/update-firewall b/roles/common/files/usr/local/sbin/update-firewall
index 957bdc1..4b3e5cf 100755
--- a/roles/common/files/usr/local/sbin/update-firewall
+++ b/roles/common/files/usr/local/sbin/update-firewall
@@ -22,13 +22,6 @@ cat <"$NFTABLES" >>"$script"
ip netns add "nft-dryrun"
netns="nft-dryrun"
-# clear sets in the old rules before diff'ing with the new ones
-nft list ruleset -sn >"$oldrules"
-ip netns exec "$netns" nft -f - <"$oldrules"
-ip netns exec "$netns" nft flush set inet filter fail2ban
-ip netns exec "$netns" nft flush set inet filter fail2ban6
-ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
-
declare -a INTERFACES=()
for iface in /sys/class/net/*; do
idx="$(< "$iface/ifindex")"
@@ -42,6 +35,13 @@ for idx in "${!INTERFACES[@]}"; do
ip netns exec "$netns" ip link add "${INTERFACES[idx]}" index "$idx" type dummy
done
+# clear sets in the old rules before diff'ing with the new ones
+nft list ruleset -sn >"$oldrules"
+ip netns exec "$netns" nft -f - <"$oldrules"
+ip netns exec "$netns" nft flush set inet filter fail2ban || true
+ip netns exec "$netns" nft flush set inet filter fail2ban6 || true
+ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
+
ip netns exec "$netns" nft -f - <"$script"
ip netns exec "$netns" nft list ruleset -sn >"$newrules"
ip netns del "$netns"
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 394c67a..2437653 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -26,12 +26,6 @@
- name: Restart IPsec
service: name=ipsec state=restarted
-- name: Reload networking
- # /etc/init.d/networking doesn't answer the status command; but since
- # it should be "up" whenever ansible has access to the machine, we use
- # pattern=init as a dummy assumption.
- service: name=networking pattern=init state=reloaded
-
- name: Restart rsyslog
service: name=rsyslog state=restarted
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index 73a2fa1..fb37b5b 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -63,6 +63,14 @@
- systemctl daemon-reload
- Restart bacula-fd
+# We use RuntimeDirectory in our service unit to avoid permission issues
+# caused by the restrictive Capability Bounding Set
+- name: Mask /usr/lib/tmpfiles.d/bacula.conf
+ file: src=/dev/null
+ dest=/etc/tmpfiles.d/bacula.conf
+ owner=root group=root
+ state=link
+
- meta: flush_handlers
- name: Enable bacula-fd
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 89427ea..e56deaf 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -53,11 +53,11 @@
notify:
- Restart fail2ban
-- name: Create directory /etc/systemd/system/fail2ban.service.d/override.conf
+- name: Create directory /etc/systemd/system/fail2ban.service.d
file: path=/etc/systemd/system/fail2ban.service.d
state=directory
owner=root group=root
- mode=0750
+ mode=0755
- name: Harden fail2ban.service
copy: src=etc/systemd/system/fail2ban.service.d/override.conf
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 989541b..30bb481 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -14,8 +14,6 @@
dest=/etc/network/if-up.d/ipsec
owner=root group=root
mode=0755
- notify:
- - Reload networking
- name: Auto-deactivate the dedicated virtual subnet for IPsec
file: src=../if-up.d/ipsec
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 02a745c..55c1489 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -82,7 +82,6 @@
- molly-guard
- rsync
- screen
- - telnet-ssl
- name: Disable resume device
# Cf. initramfs-tools(7) and initramfs.conf(5).
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index f43094a..a713f08 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -133,8 +133,32 @@
notify:
- Restart munin-node
+- name: Create directory /etc/systemd/system/munin-node.service.d
+ file: path=/etc/systemd/system/munin-node.service.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy munin-node.service override
+ copy: src=etc/systemd/system/munin-node.service.d/override.conf
+ dest=/etc/systemd/system/munin-node.service.d/override.conf
+ owner=root group=root
+ mode=0644
+ register: r8
+ notify:
+ - systemctl daemon-reload
+ - Restart munin-node
+
+# We use RuntimeDirectory in our overrride unit to avoid permission
+# issues caused by the restrictive Capability Bounding Set
+- name: Mask /usr/lib/tmpfiles.d/munin-common.conf
+ file: src=/dev/null
+ dest=/etc/tmpfiles.d/munin-common.conf
+ owner=root group=root
+ state=link
+
- name: Start munin-node
service: name=munin-node state=started
- when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed)
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed or r8.changed)
- meta: flush_handlers
diff --git a/roles/common/templates/etc/bacula/bacula-fd.conf.j2 b/roles/common/templates/etc/bacula/bacula-fd.conf.j2
index e06911f..db1960e 100644
--- a/roles/common/templates/etc/bacula/bacula-fd.conf.j2
+++ b/roles/common/templates/etc/bacula/bacula-fd.conf.j2
@@ -1,7 +1,8 @@
#
# Default Bacula File Daemon Configuration file
#
-# For Bacula release 5.2.6 (21 February 2012) -- debian jessie/sid
+# For Bacula release 9.4.2 (04 February 2019) -- debian buster/sid
+#
#
# List Directors who are permitted to contact this File daemon
@@ -25,7 +26,7 @@ Messages {
FileDaemon { # define myself
Name = {{ inventory_hostname_short }}-fd
Working Directory = /var/lib/bacula
- Pid Directory = /var/run/bacula
+ Pid Directory = /run/bacula
Maximum Concurrent Jobs = 20
FDAddress = {{ ipsec[inventory_hostname_short] }}
FDPort = 9102
diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2
index 1563526..a1391d9 100644
--- a/roles/common/templates/etc/munin/munin-node.conf.j2
+++ b/roles/common/templates/etc/munin/munin-node.conf.j2
@@ -4,7 +4,7 @@
log_level 4
log_file /var/log/munin/munin-node.log
-pid_file /var/run/munin/munin-node.pid
+pid_file /run/munin/munin-node.pid
background 1
setsid 1
diff --git a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
index 2d434bc..ec471eb 100644
--- a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
+++ b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
@@ -73,7 +73,7 @@ user root
[mysql*]
user root
env.mysqlopts --defaults-file=/etc/mysql/debian.cnf
-env.mysqluser debian-sys-maint
+env.mysqluser root
env.mysqlconnection DBI:mysql:mysql;mysql_read_default_file=/etc/mysql/debian.cnf
[postfix_mailqueue_*]
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 1e1fde2..3d2a23d 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -86,7 +86,8 @@ table inet filter {
udp sport 53 ct state related,established accept
tcp sport 53 ct state related,established accept
{% if 'dhclient' in group_names %}
- udp sport 67 ct state related,established accept
+ ip version 4 udp sport 67 udp dport 68 ct state related,established accept
+ ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept
{% endif %}
meta l4proto tcp ip saddr @fail2ban counter drop
@@ -115,13 +116,18 @@ table inet filter {
jump invalid
udp sport 123 udp dport 123 ct state new,related,established accept
+{% if groups.all | length > 1 %}
udp sport 500 udp dport 500 ct state new,related,established accept
+{% if groups.NATed | length > 0 %}
udp sport 4500 udp dport 4500 ct state new,related,established accept
+{% endif %}
+{% endif %}
udp dport 53 ct state new,related,established accept
tcp dport 53 ct state new,related,established accept
{% if 'dhclient' in group_names %}
- udp dport 67 ct state new,related,established accept
+ ip version 4 udp sport 68 udp dport 67 ct state new,related,established accept
+ ip6 version 6 udp sport 546 udp dport 547 ct state new,related,established accept
{% endif %}
tcp sport $in-tcp-ports ct state related,established accept
diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2
index 18c03cf..1016d55 100644
--- a/roles/common/templates/etc/ntp.conf.j2
+++ b/roles/common/templates/etc/ntp.conf.j2
@@ -2,6 +2,8 @@
driftfile /var/lib/ntp/ntp.drift
+# Leap seconds definition provided by tzdata
+leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index a9c73f7..2c00250 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -85,7 +85,7 @@ sympa unix - n n - - pipe
{% if inst is defined and inst == 'out' %}
# Client part (lmtp) - amavis
-amavisfeed unix - - n - 5 lmtp
+amavisfeed unix - - y - 5 lmtp
-o lmtp_destination_recipient_limit=1000
-o lmtp_send_xforward_command=yes
-o lmtp_data_done_timeout=1200s