diff options
27 files changed, 146 insertions, 63 deletions
diff --git a/certs/dkim/133b4ccb6097586a5171b81e5bec3b88:majsamverkan.se.pub b/certs/dkim/133b4ccb6097586a5171b81e5bec3b88:majsamverkan.se.pub new file mode 100644 index 0000000..1fcd087 --- /dev/null +++ b/certs/dkim/133b4ccb6097586a5171b81e5bec3b88:majsamverkan.se.pub @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnAQ85WT4nOn6vPudSx17 +QPumORoyNSDfccNXoM7JBgfCmdth5lcQ0v12B22vw/i7cH8rSoATMvPikWSnUGD7 +DasHMTatkXUyYRo/G1Ahicmla48aB2gANyJ5rOwiB3F6/gG4Qk8/bfFGLnUoW3uY +iNkpnEGlq1c5srnPPGXrDkPZawmcbi3roRWz7IMpjNdCWDYixUoJJhMeOIYKlSTP +ejsJECsQ5Tbwb5RlQGPUFYYA2fTwJPN1wOWuW5r4bi1CA51i+W7ASuhLQjckmsQC +O9uEmN8ts0/W2d2RBDFbV9VUehmIc2MG2LmcheWdhR7Udmtul5mc08/z+qg/W+2b +5wIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/dkim/2af92ad5df7884cc26d06e84999ff584:foodsharing.se.pub b/certs/dkim/2af92ad5df7884cc26d06e84999ff584:foodsharing.se.pub new file mode 100644 index 0000000..1552da5 --- /dev/null +++ b/certs/dkim/2af92ad5df7884cc26d06e84999ff584:foodsharing.se.pub @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3kSpMzPOm6mPoL7KcoSW +I9fkZ8pTDIxbvky3KVIs2Emav36+ZjeT7zC2TEZumvPORmLqY8TiNUeOKTUd+Iuo +nHlKsE2Fj1ydRLcP9mS3fEBygKRPkNvjcQJ7KWreJBAiyKxkIfbSSay5WhC6pC2v +kUuLPeMPXO6GkTaDorDQNDdZrOf1Ula56tGduK15qrv3bwv91ksSpZTcfQtGEHSO +YMMvJiOvsgMiKF03H1r1i3HtKNXCrtkZjymXfvy0I2VWJdYYgvDFnIs4kBsBtMTn +JXR2YTVMITRTElvQkIGS4Vq8yg8UAfnwhe/5xl5IugWLdMX+K3i/9+MZkxR0X2x2 +0wIDAQAB +-----END PUBLIC KEY----- diff --git a/certs/dkim/555eed4835d4e149dfd1698e044b4b39:logistikcentrum.se.pub b/certs/dkim/555eed4835d4e149dfd1698e044b4b39:logistikcentrum.se.pub new file mode 100644 index 0000000..f0240fc --- /dev/null +++ b/certs/dkim/555eed4835d4e149dfd1698e044b4b39:logistikcentrum.se.pub @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuZ8ioOGPCU1KWfyj360O +Uaa8A7yJ0UXaPAroUf9hDLFPsY3iGuwFLeJl9TipGSWxXKCg0f4AbB8htJa1TxtE +x4gNR2cjX7o437GFD1IZPtVu0MLzgtMvr2Ui6hydFv4Ih6zThAkgLTNR9IHuLXjQ +Ng11PFixAyKx8IpMWxzKJfGB/gN8D0SYwgPGQdNKYWeajyOkuONkhuBe5eKv42Sx +bIfPRgv8hiCdcLJgpY7OppuuPy6Gl83n83I2VRZVcNzZliwsSA6ClEf9Yg01jFLH +kftun7NB1FFITla6bkWio4ZfpAPhvgyA6czl3pCScD0KELer7xEQr79ny/Thx4VJ +1QIDAQAB +-----END PUBLIC KEY----- diff --git a/group_vars/all.yml b/group_vars/all.yml index f780262..8dc6d94 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -100,6 +100,15 @@ dkim_keys: "kodafritt.se": d: kodafritt.se s: ce3283cc9129cb6692174bd2ec480b88 + "foodsharing.se": + d: foodsharing.se + s: 2af92ad5df7884cc26d06e84999ff584 + "logistikcentrum.se": + d: logistikcentrum.se + s: 555eed4835d4e149dfd1698e044b4b39 + "majsamverkan.se": + d: majsamverkan.se + s: 133b4ccb6097586a5171b81e5bec3b88 "~": # catch-all, for our virtual domains d: x.fripost.org s: 9df9cdc7e101629b5003b587945afa70 diff --git a/lib/modules/openldap b/lib/modules/openldap index c09e791..f24a802 100644 --- a/lib/modules/openldap +++ b/lib/modules/openldap @@ -38,6 +38,7 @@ indexedAttributes = frozenset([ 'olcOverlay', 'olcLimits', 'olcAuthzRegexp', + 'olcDlAttrSet', 'olcDbConfig', ]) @@ -156,6 +157,7 @@ def processEntry(module, l, dn, entry): d,e = r fst = str2dn(dn).pop(0)[0][0] diff = [] + re1 = re.compile( b'^(\{[0-9]+\})', re.I ) for a,v in e.items(): if a not in entry.keys(): if a != fst: @@ -168,11 +170,22 @@ def processEntry(module, l, dn, entry): # by a DN with proper gidNumber and uidNumber entry[a] = list(map ( partial(sasl_ext_re.sub, acl_sasl_ext) , entry[a] )) - # add explicit indices in the entry from the LDIF - entry[a] = list(map( (lambda x: b'{%d}%s' % x) - , zip(range(len(entry[a])),entry[a]))) - if v != entry[a]: - diff.append(( ldap.MOD_REPLACE, a, entry[a] )) + if a == fst: + if len(entry[a]) != 1 or len(v) != 1: + module.fail_json(msg=f'{len(entry[a])} != 1 or {len(v)} != 1') + m1 = re1.match(v[0]) + if m1 is None: + module.fail_json(msg=f'{v[0]} is not indexed??') + else: + entry[a][0] = m1.group(1) + entry[a][0] + if entry[a] != v: + module.fail_json(msg=f'{entry[a]} != {v}, use modrdn to modifify the RDN (unimplemented)') + else: + # add explicit indices in the entry from the LDIF + entry[a] = list(map( (lambda x: b'{%d}%s' % x) + , zip(range(len(entry[a])),entry[a]))) + if v != entry[a]: + diff.append(( ldap.MOD_REPLACE, a, entry[a] )) elif v != entry[a]: # for non-indexed attribute, we update values in the # symmetric difference only diff --git a/roles/LDAP-provider/files/etc/ldap/dynlist.ldif b/roles/LDAP-provider/files/etc/ldap/dynlist.ldif new file mode 100644 index 0000000..df9a806 --- /dev/null +++ b/roles/LDAP-provider/files/etc/ldap/dynlist.ldif @@ -0,0 +1,26 @@ +# References: +# - https://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists +# - man 5 slapo-dynlist + +# TODO bookworm (slapd 2.5) +# “The dynlist overlay has been reworked with the 2.5 release to use a +# consistent namespace as with other overlays. As a side-effect the +# following cn=config parameters are deprecated and will be removed in a +# future release: olcDlAttrSet is replaced with olcDynListAttrSet +# olcDynamicList is replaced with olcDynListConfig” +# +# XXX that didn't solve the spaming from nextcloud's user_ldap plugin, +# so we disable activity mails for “Your group memberships were +# modified“ for now. See also +# +# https://github.com/nextcloud/server/issues/42195 +# https://github.com/nextcloud/server/issues/29832 +# +# TODO bookworm: use “dynlist-attrset groupOfURLs memberURL +# member+memberOf@groupOfNames” to also populate memberOf +# +dn: olcOverlay=dynlist,olcDatabase={*}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcDynamicList +olcOverlay: dynlist +olcDlAttrSet: groupOfURLs memberURL member diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml index 9bc227e..8d4e327 100644 --- a/roles/LDAP-provider/tasks/main.yml +++ b/roles/LDAP-provider/tasks/main.yml @@ -4,6 +4,15 @@ target=etc/ldap/syncprov.ldif local=file +#- name: Load dyngroup schema +# openldap: target=/etc/ldap/schema/dyngroup.ldif + +- name: Load and configure the dynlist overlay + openldap: module=dynlist + suffix=dc=fripost,dc=org + target=etc/ldap/dynlist.ldif + local=file + ## XXX should be /etc/sasl2/slapd.conf ideally, but it doesn't work with ## Stretch, cf #211156 and #798462: ## ldapsearch -LLLx -H ldapi:// -b "" -s base supportedSASLMechanisms @@ -15,7 +24,4 @@ owner=root group=root mode=0644 -#- name: Load dyngroup schema -# openldap: target=/etc/ldap/schema/dyngroup.ldif - # TODO: authz constraint diff --git a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2 index ab22375..7d862d3 100644 --- a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2 +++ b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2 @@ -628,9 +628,9 @@ Catalog { Messages { Name = Standard MailCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: %t %e of %n %l\" %r" - Mail = admin@fripost.org = all, !skipped + Mail = root@fripost.org = all, !skipped OperatorCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: Intervention needed for %j\" %r" - Operator = admin@fripost.org = mount + Operator = root@fripost.org = mount Console = all, !skipped, !saved Append = "/var/log/bacula/bacula.log" = all, !skipped Catalog = all @@ -640,11 +640,11 @@ Messages { Messages { Name = Quiet MailCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: %t %e of %n %l\" %r" - Mail On Success = admin@fripost.org = all, !info, !fatal, !skipped, !notsaved, !restored + Mail On Success = root@fripost.org = all, !info, !fatal, !skipped, !notsaved, !restored MailCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: %t %e of %n %l\" %r" - Mail On Error = admin@fripost.org = all, !skipped + Mail On Error = root@fripost.org = all, !skipped OperatorCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: Intervention needed for %j\" %r" - Operator = admin@fripost.org = mount + Operator = root@fripost.org = mount Console = all, !info, !restored, !skipped, !saved Append = "/var/lib/bacula/log" = all, !skipped Catalog = all @@ -654,7 +654,7 @@ Messages { Messages { Name = Daemon MailCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula daemon message\" %r" - Mail = admin@fripost.org = all, !skipped + Mail = root@fripost.org = all, !skipped Console = all, !skipped, !saved Append = "/var/log/bacula/bacula.log" = all, !skipped } diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index a0ac705..f10bb33 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -538,9 +538,11 @@ olcAccess: to dn.exact="ou=groups,dc=fripost,dc=org" by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd by users =0 break olcAccess: to dn.exact="cn=medlemmar,ou=groups,dc=fripost,dc=org" + attrs=entry,entryDN,entryUUID,objectClass,cn,description,member by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd by users =0 break olcAccess: to dn.exact="cn=styrelse,ou=groups,dc=fripost,dc=org" + attrs=entry,entryDN,entryUUID,objectClass,cn,description,member by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd by users =0 break # diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf index 0284b0a..58adece 100644 --- a/roles/common-web/files/etc/nginx/snippets/ssl.conf +++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf @@ -16,11 +16,3 @@ ssl_prefer_server_ciphers off; # HSTS (ngx_http_headers_module is required) (31557600 seconds = 1 year) add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always; - -# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them -# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf -ssl_stapling on; -ssl_stapling_verify on; - -# verify chain of trust of OCSP response using Root CA and Intermediate certs -ssl_trusted_certificate /usr/share/lacme/ca-certificates.crt; diff --git a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades index fd7cf1d..6f71ce6 100644 --- a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades +++ b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades @@ -91,7 +91,7 @@ Unattended-Upgrade::Package-Blacklist { // If empty or unset then no email is sent, make sure that you // have a working mail setup on your system. A package that provides // 'mailx' must be installed. E.g. "user@example.com" -Unattended-Upgrade::Mail "admin@fripost.org"; +Unattended-Upgrade::Mail "root@fripost.org"; // Set this value to one of: // "always", "only-on-error" or "on-change" diff --git a/roles/common/files/etc/apt/listchanges.conf b/roles/common/files/etc/apt/listchanges.conf index cee0648..e17e36d 100644 --- a/roles/common/files/etc/apt/listchanges.conf +++ b/roles/common/files/etc/apt/listchanges.conf @@ -1,6 +1,6 @@ [apt] frontend=mail -email_address=admin@fripost.org +email_address=root@fripost.org confirm=0 save_seen=/var/lib/apt/listchanges.db which=news diff --git a/roles/common/files/etc/default/rkhunter b/roles/common/files/etc/default/rkhunter index 2e7fae7..49a63e8 100644 --- a/roles/common/files/etc/default/rkhunter +++ b/roles/common/files/etc/default/rkhunter @@ -18,7 +18,7 @@ DB_UPDATE_EMAIL="false" # Set this to the email address where reports and run output should be sent # (default: root) -REPORT_EMAIL="admin@fripost.org" +REPORT_EMAIL="root@fripost.org" # Set this to yes to enable automatic database updates # (default: false) diff --git a/roles/common/files/etc/fail2ban/fail2ban.local b/roles/common/files/etc/fail2ban/fail2ban.local index 23a92e9..5df817a 100644 --- a/roles/common/files/etc/fail2ban/fail2ban.local +++ b/roles/common/files/etc/fail2ban/fail2ban.local @@ -7,3 +7,5 @@ # A value of "None" disables the database. # Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3 dbfile = None + +allowipv6 = auto diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local index 3a4cb36..4cc50f3 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/common-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local @@ -19,6 +19,7 @@ no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Protocol major versions differ: .+ vs\. .+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: banner exchange: Connection from [[:xdigit:].:]{3,39} port [0-9]+: could not read protocol version$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: userauth_pubkey: key type [-[:alnum:]]+ not in PubkeyAcceptedKeyTypes \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: userauth_pubkey: signature algorithm [-[:alnum:]]+ not in PubkeyAcceptedAlgorithms \[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: Connection closed by remote host$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: read: Connection reset by peer$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: client sent invalid protocol identifier " @@ -26,12 +27,13 @@ no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_protocol_error: type [0-9]+ seq [0-9]+ \[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: ssh_packet_send_debug: Broken pipe$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: send_error: write: Connection reset by peer$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: userauth_pubkey: parse request failed: incomplete message \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: userauth_pubkey: parse (request failed|publickey packet): incomplete message \[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: banner exchange: Connection from [[:xdigit:].:]{3,39} port [0-9]+: invalid format$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: beginning MaxStartups throttling$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: exited MaxStartups throttling after [0-9]{2}:[0-9]{2}:[0-9]{2}, [0-9]+ connections dropped$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: drop connection #[0-9]+ from \[[[:xdigit:].:]{3,39}\]:[0-9]+ on \[[[:xdigit:].:]{3,39}\]:[0-9]+ past MaxStartups$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User .+ from [[:xdigit:].:]{3,39} not allowed because none of user's groups are listed in AllowGroups$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_env\(sshd:session\): deprecated reading of user environment enabled$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Cleanup of Temporary Directories\.(\.\.)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ slapd\[[[:digit:]]+\]: connection_input: conn=[[:digit:]]+ deferring operation: binding$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (slapd\[[[:digit:]]+\]|slap(acl|add|auth|cat|dn|index)|ldap(add|compare|delete|exop|modify|modrdn|passwd|search|url|whoami)): DIGEST-MD5 common mech free$ @@ -63,8 +65,8 @@ no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Database test passed\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Received signal: wake up$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> ClamAV update process started at \w{3} \w{3} [ :[:digit:]]{16}$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (\w{3} \w{3} [ :[:digit:]]{16} -> \^|WARNING: )Your ClamAV installation is OUTDATED!$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (\w{3} \w{3} [ :[:digit:]]{16} -> \^|WARNING: )Local version: [[:digit:]]+(\.[[:digit:]]+)* Recommended version: [[:digit:]]+(\.[[:digit:]]+)*$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (\w{3} \w{3} [ :[:digit:]]{16} -> \^|WARNING: (\w{3} \w{3} [ :[:digit:]]{16} -> )?)Your ClamAV installation is OUTDATED!$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (\w{3} \w{3} [ :[:digit:]]{16} -> \^|WARNING: (\w{3} \w{3} [ :[:digit:]]{16} -> )?)Local version: [[:digit:]]+(\.[[:digit:]]+)* Recommended version: [[:digit:]]+(\.[[:digit:]]+)*$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: getfile: [._[:alnum:]-]+ not found on remote server \(IP: [.[:digit:]]+\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Incremental update failed, trying to download daily\.cvd$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (WARNING|ERROR): (getpatch: )?Can't download [._[:alnum:]-]+ from [.[:alnum:]-]+$ @@ -81,7 +83,7 @@ no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> SIGHUP caught: re-opening log file\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Activating the newly loaded database\.\.\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+ *\] Peer [.[:digit:]]+:[[:digit:]]+/[[:digit:]]+ unexpectedly shrunk window [[:digit:]]+:[[:digit:]]+ \(repaired\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https://www\.rsyslog\.com"\] rsyslogd was HUPed$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd(\[[0-9]+\]:|: ) \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https://www\.rsyslog\.com"\] rsyslogd was HUPed$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/sd[a-z] \[SAT\], CHECK POWER STATUS spins up disk \(0x[0-9a-f]{2} -> 0xff\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z0-9.]+|<stdin>): Invoked with ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3(\.[0-9]+)?\[[0-9]+\]: ansible-[_a-z0-9.]+ Invoked with @@ -117,7 +119,8 @@ no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info Sympa::Scenario::authz\(\) Sympa::Scenario <create_list\.[.[:alnum:]-]+;ERROR>: No rule match, reject$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: err main::#[0-9]+ > main::check_param_in#[0-9]+ > Sympa::Scenario::new#[0-9]+ Unable to find scenario file " ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::Spool::Outgoing::store\(\) Message Sympa::Message <[^>]+> is stored into bulk spool as <[^>]+>$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ mysqld\[[0-9]+\]: [0-9: -]{19} [0-9]+ \[Warning\] Aborted connection [0-9]+ to db: '[^']+' user: '[^']+' host: 'localhost' \(Got (timeout|an error) reading communication packets\)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (mysqld|mariadbd)\[[0-9]+\]: [0-9: -]{19} [0-9]+ \[Warning\] Aborted connection [0-9]+ to db: '[^']+' user: '[^']+' host: 'localhost' \(Got (timeout|an error) reading communication packets\)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (mysqld|mariadbd)\[[0-9]+\]: [0-9: -]{19} [0-9]+ \[Note\] InnoDB: Memory pressure event freed [0-9]+ pages$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ bulk\[[0-9]+\]: notice main:: Bulk exited normally due to signal$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ bulk\[[0-9]+\]: notice Sympa::Mailer::store\(\) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ bulk\[[0-9]+\]: (info|notice) Sympa::Spindle::ProcessOutgoing:: diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local index dcc1198..0921180 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local @@ -72,6 +72,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:SSL2?3_CHECK_CERT_AND_ALGORITHM:dh key too small:s2?3_clnt\.c:[0-9]+:$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: [[:xdigit:]]+: Cannot start TLS: handshake failure$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/tlsproxy\[[[:digit:]]+\]: TLS handshake failed for service=smtpd peer=\[[[:xdigit:].:]{3,39}\]:[0-9]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/tlsproxy\[[[:digit:]]+\]: warning: ciphertext read/write timeout for \[[[:xdigit:].:]{3,39}\]:[0-9]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-out/smtp\[[[:digit:]]+\]: Host offered STARTTLS: \[[._[:alnum:]-]+\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: reject: RCPT from [^[:space:]]+: 4[[:digit:]][[:digit:]]( 4(\.[[:digit:]]+){2}) <[^[:space:]]*>: Recipient address rejected: Greylisted( for [[:digit:]]+ (second|minute)s)?, see https?://[-_.:/[:alnum:]]+\.html?; from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^[:space:]]+>$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-\w+/smtpd\[[[:digit:]]+\]: lost connection after [[:upper:]]+( \([[:digit:]]+ bytes\))? from [._[:alnum:]-]+\[(unknown|[[:xdigit:].:]{3,39})\]$ @@ -79,6 +80,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: RCPT from [^[:space:]]+: [[:digit:]]{3}( [45](\.[[:digit:]]+){2})? <[^[:space:]]*>: Relay access denied; from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^[:space:]]+>$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: ([-._[:alnum:]]+): RBL lookup error: Host or domain name not found\. Name service error for name=\1 type=A(AAA)?: Host not found, try again$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:SSL2?3_(GET_RECORD:(decryption failed or bad record mac|wrong version number):s3_pkt\.c:[0-9]+:|READ_BYTES:(reason\([[:digit:]]+\)|sslv3 alert (unexpected message|bad certificate)):s3_pkt\.c:[[:digit:]]+:SSL alert number (0|10|42):|GET_CLIENT_HELLO:(unsupported protocol|no shared cipher|unknown protocol|wrong version number):s2?3_srvr\.c:[0-9]+:)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:ssl2?3_get_record:(decryption failed or bad record mac|wrong version number): ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:(ssl3_get_record:(wrong version number|http request|packet length too long|bad record type)|tls_post_process_client_hello:no shared cipher): ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:ssl3_read_bytes:(sslv3 alert bad certificate|unexpected record|tlsv1 alert user cancelled): ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:tls_parse_ctos_key_share:bad key share: diff --git a/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local b/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local index e78e9f0..adf47a1 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local @@ -1,24 +1,24 @@ # Ansible Managed # Do NOT edit this file directly! # -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating acquire job for policy [[:xdigit:].:]{3,39}/[[:digit:]]+(\[\w+(/[[:alnum:]-]+)?\])? === [[:xdigit:].:]{3,39}/[[:digit:]]+(\[\w+(/[[:alnum:]-]+)?\])? with reqid \{[[:digit:]]+\}$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating rekey job for CHILD_SA ESP/0x[[:xdigit:]]{8}/[[:xdigit:].:]{3,39}$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating delete job for CHILD_SA ESP/0x[[:xdigit:]]{8}/([[:xdigit:].:]{3,39}|%any)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[JOB\] CHILD_SA ESP/0x[[:xdigit:]]{8}/([[:xdigit:].:]{3,39}|%any) not found for delete$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[KNL\] creating acquire job for policy [[:xdigit:].:]{3,39}/[[:digit:]]+(\[\w+(/[[:alnum:]-]+)?\])? === [[:xdigit:].:]{3,39}/[[:digit:]]+(\[\w+(/[[:alnum:]-]+)?\])? with reqid \{[[:digit:]]+\}$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[KNL\] creating rekey job for CHILD_SA ESP/0x[[:xdigit:]]{8}/[[:xdigit:].:]{3,39}$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[KNL\] creating delete job for CHILD_SA ESP/0x[[:xdigit:]]{8}/([[:xdigit:].:]{3,39}|%any)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[JOB\] CHILD_SA ESP/0x[[:xdigit:]]{8}/([[:xdigit:].:]{3,39}|%any) not found for delete$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ipsec\[[[:digit:]]+\]: [[:digit:]]+\[JOB\] spawning [0-9]+ worker threads$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] initiating IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\] to [[:xdigit:].:]{3,39}$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] [[:xdigit:].:]{3,39} is initiating an IKE_SA$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] establishing CHILD_SA [[:alnum:]._-]+(\{[[:digit:]]+\}( reqid [0-9]+)?)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\] established between [[:xdigit:].:]{3,39}\[[^]\"]+\]\.\.\.[[:xdigit:].:]{3,39}\[[^]]+\]$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] ((in|out)bound )?CHILD_SA [[:alnum:]._-]+\{[[:digit:]]+\} established with SPIs [[:xdigit:]]{8}_i [[:xdigit:]]{8}_o and TS [[:xdigit:].:]{3,39}/[[:digit:]]+ === [[:xdigit:].:]{3,39}/[[:digit:]]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] closing CHILD_SA [[:alnum:]._-]+\{[[:digit:]]+\} with SPIs [[:xdigit:]]{8}_i \([[:digit:]]+ bytes\) [[:xdigit:]]{8}_o \([[:digit:]]+ bytes\) and TS [[:xdigit:].:]{3,39}/[[:digit:]]+ === [[:xdigit:].:]{3,39}/[[:digit:]]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] reauthenticating IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\]$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[JOB\] deleting IKE_SA after [[:digit:]]+ seconds of CHILD_SA inactivity$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] deleting IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\] between [[:xdigit:].:]{3,39}\[[^]\"]+\]\.\.\.[[:xdigit:].:]{3,39}\[[^]]+\]$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[JOB\] deleting CHILD_SA after [[:digit:]]+ seconds of inactivity$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[JOB\] CHILD_SA \{[[:digit:]]+\} not found for delete$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[JOB\] deleting half open IKE_SA with [[:xdigit:].:]{3,39} after timeout$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] IKE_SA deleted$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[MGR\] ignoring request with ID [[:digit:]]+, already processing$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] flags changed for [[:xdigit:].:]{3,39} on e[nt][[:alnum:]]+ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] [[:xdigit:].:]{3,39} appeared on e[nt][[:alnum:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[IKE\] initiating IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\] to [[:xdigit:].:]{3,39}$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[IKE\] [[:xdigit:].:]{3,39} is initiating an IKE_SA$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[IKE\] establishing CHILD_SA [[:alnum:]._-]+(\{[[:digit:]]+\}( reqid [0-9]+)?)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[IKE\] IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\] established between [[:xdigit:].:]{3,39}\[[^]\"]+\]\.\.\.[[:xdigit:].:]{3,39}\[[^]]+\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[IKE\] ((in|out)bound )?CHILD_SA [[:alnum:]._-]+\{[[:digit:]]+\} established with SPIs [[:xdigit:]]{8}_i [[:xdigit:]]{8}_o and TS [[:xdigit:].:]{3,39}/[[:digit:]]+ === [[:xdigit:].:]{3,39}/[[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[IKE\] closing CHILD_SA [[:alnum:]._-]+\{[[:digit:]]+\} with SPIs [[:xdigit:]]{8}_i \([[:digit:]]+ bytes\) [[:xdigit:]]{8}_o \([[:digit:]]+ bytes\) and TS [[:xdigit:].:]{3,39}/[[:digit:]]+ === [[:xdigit:].:]{3,39}/[[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[IKE\] reauthenticating IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[JOB\] deleting IKE_SA after [[:digit:]]+ seconds of CHILD_SA inactivity$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[IKE\] deleting IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\] between [[:xdigit:].:]{3,39}\[[^]\"]+\]\.\.\.[[:xdigit:].:]{3,39}\[[^]]+\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[JOB\] deleting CHILD_SA after [[:digit:]]+ seconds of inactivity$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[JOB\] CHILD_SA \{[[:digit:]]+\} not found for delete$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[JOB\] deleting half open IKE_SA with [[:xdigit:].:]{3,39} after timeout$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[IKE\] IKE_SA deleted$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[MGR\] ignoring request with ID [[:digit:]]+, already processing$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[KNL\] flags changed for [[:xdigit:].:]{3,39} on e[nt][[:alnum:]]+ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec)(\[[[:digit:]]+\])?: [[:digit:]]+\[KNL\] [[:xdigit:].:]{3,39} appeared on e[nt][[:alnum:]]+$ diff --git a/roles/common/files/etc/logcheck/logcheck.conf b/roles/common/files/etc/logcheck/logcheck.conf index 4c7ff10..6e06450 100644 --- a/roles/common/files/etc/logcheck/logcheck.conf +++ b/roles/common/files/etc/logcheck/logcheck.conf @@ -25,7 +25,7 @@ REPORTLEVEL="server" # *NOTE* the script does not set a default value for this variable! # Should be set to an offsite "emailaddress@some.domain.tld" -SENDMAILTO="admin@fripost.org" +SENDMAILTO="root@fripost.org" # Send the results as attachment or not. # 0=not as attachment; 1=as attachment; 2=as gzip attachment diff --git a/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo index 70673ae..4fb0765 100644 --- a/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo +++ b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo @@ -1,5 +1,5 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [._[:alnum:]-]+ authenticated as [._[:alnum:]-]+@[.A-Z]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : (TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; )?PWD=[^;]+ ; USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[0-9]+\])?:[[:space:]]+[_[:alnum:].-]+ : (TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; )?PWD=[^;]+ ; USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [._[:alnum:]-]+\(uid=[0-9]+\) by ([[:alnum:]-]+)?\(uid=[0-9]+\)$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [._[:alnum:]-]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[0-9]+\])?: pam_[[:alnum:]]+\(sudo:session\): session opened for user [._[:alnum:]-]+\(uid=[0-9]+\) by ([[:alnum:]-]+)?\(uid=[0-9]+\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo(\[[0-9]+\])?: pam_[[:alnum:]]+\(sudo:session\): session closed for user [._[:alnum:]-]+$ diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf index c7358d0..8040c88 100644 --- a/roles/common/files/etc/rkhunter.conf +++ b/roles/common/files/etc/rkhunter.conf @@ -133,7 +133,7 @@ MIRRORS_MODE=1 # # Also see the MAIL_CMD option. # -MAIL-ON-WARNING=admin@fripost.org +MAIL-ON-WARNING=root@fripost.org # # This option specifies the mail command to use if MAIL-ON-WARNING is set. @@ -599,6 +599,7 @@ SCRIPTWHITELIST=/bin/fgrep SCRIPTWHITELIST=/usr/bin/egrep SCRIPTWHITELIST=/usr/bin/fgrep SCRIPTWHITELIST=/usr/bin/which +SCRIPTWHITELIST=/usr/bin/which.debianutils SCRIPTWHITELIST=/usr/bin/ldd SCRIPTWHITELIST=/usr/bin/lwp-request SCRIPTWHITELIST=/usr/sbin/adduser diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index 72102f4..aecdaaf 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -162,7 +162,7 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then commonName = ${cn:-/} [ v3_req ] - subjectAltName = email:admin@fripost.org${dns:+, $dns} + subjectAltName = email:root@fripost.org${dns:+, $dns} basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml index fd1ad92..30f4fa9 100644 --- a/roles/common/tasks/firewall.yml +++ b/roles/common/tasks/firewall.yml @@ -18,7 +18,7 @@ register: rv # A non-zero return value will make ansible stop and show stderr. This # is what we want. - changed_when: rv.rc + changed_when: rv.rc != 0 - name: Enable nftables.service service: name=nftables enabled=yes diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml index aaea63f..699c6e3 100644 --- a/roles/common/tasks/logging.yml +++ b/roles/common/tasks/logging.yml @@ -60,7 +60,7 @@ state=present create=yes owner=root group=root - mode=0640 + mode=0644 with_items: - /var/log/syslog - /var/log/auth.log diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 1dc286e..293d22b 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -17,8 +17,8 @@ - import_tasks: stunnel.yml tags: stunnel when: "'webmail' in group_names and 'LDAP_provider' not in group_names" -- import_tasks: auditd.yml - tags: auditd +#- import_tasks: auditd.yml +# tags: auditd - import_tasks: resolved.yml tags: - resolv diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 3cd19cc..2759611 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -5,7 +5,7 @@ # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. -destemail = admin@fripost.org +destemail = root@fripost.org # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # will not ban a host which matches an address in this list. Several addresses diff --git a/roles/munin-master/templates/etc/munin/munin.conf.j2 b/roles/munin-master/templates/etc/munin/munin.conf.j2 index b53ef0e..cdf659c 100644 --- a/roles/munin-master/templates/etc/munin/munin.conf.j2 +++ b/roles/munin-master/templates/etc/munin/munin.conf.j2 @@ -87,7 +87,7 @@ rrdcached_socket /run/rrdcached.sock # Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime # something changes (OK -> WARNING, CRITICAL -> OK, etc) -contact.admin.command mail -s "Munin notification" admin@fripost.org +contact.admin.command mail -s "Munin notification" root@fripost.org # # For those with Nagios, the following might come in handy. In addition, # the services must be defined in the Nagios server as well. diff --git a/roles/out/templates/etc/postfix/canonical.j2 b/roles/out/templates/etc/postfix/canonical.j2 index ed8bb4d..14ef6e7 100644 --- a/roles/out/templates/etc/postfix/canonical.j2 +++ b/roles/out/templates/etc/postfix/canonical.j2 @@ -6,5 +6,5 @@ # address verification, so we use the admin team's address in the # envelope. {% for host in groups.all | sort %} -@{{ hostvars[host].inventory_hostname }} admin@fripost.org +@{{ hostvars[host].inventory_hostname }} root@fripost.org {% endfor %} |