-rw-r--r--roles/common/files/etc/samhain/samhainrc711
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/main.yml2
-rw-r--r--roles/common/tasks/samhain.yml26
4 files changed, 0 insertions, 742 deletions
diff --git a/roles/common/files/etc/samhain/samhainrc b/roles/common/files/etc/samhain/samhainrc
deleted file mode 100644
index 7f304b7..0000000
--- a/roles/common/files/etc/samhain/samhainrc
+++ /dev/null
@@ -1,711 +0,0 @@
-#####################################################################
-#
-# Configuration file template for samhain.
-#
-#####################################################################
-#
-# -- empty lines and lines starting with '#', ';' or '//' are ignored
-# -- boolean options can be Yes/No or True/False or 1/0
-# -- you can PGP clearsign this file -- samhain will check (if compiled
-# with support) or otherwise ignore the signature
-# -- CHECK mail address
-#
-# To each log facility, you can assign a threshold severity. Only
-# reports with at least the threshold severity will be logged
-# to the respective facility (even further below).
-#
-#####################################################################
-#
-# SETUP for file system checking:
-#
-# (i) There are several policies, each has its own section. Put files
-# into the section for the appropriate policy (see below).
-# (ii) Section [EventSeverity]:
-# To each policy, you can assign a severity (further below).
-# (iii) Section [Log]:
-# To each log facility, you can assign a threshold severity. Only
-# reports with at least the threshold severity will be logged
-# to the respective facility (even further below).
-#
-#####################################################################
-
-#####################################################################
-#
-# Files are defined with: file = /absolute/path
-#
-# Directories are defined with: dir = /absolute/path
-# or with an optional recursion depth (N <= 99): dir = N/absolute/path
-#
-# Directory inodes are checked. If you only want to check files
-# in a directory, but not the directory inode itself, use (e.g.):
-#
-# [ReadOnly]
-# dir = /some/directory
-# [IgnoreAll]
-# file = /some/directory
-#
-# You can use shell-style globbing patterns, like: file = /path/foo*
-#
-######################################################################
-
-[Misc]
-##
-## Add or subtract tests from the policies
-## - if you want to change their definitions,
-## you need to do that before using the policies
-##
-# RedefReadOnly = (no default)
-# RedefAttributes=(no default)
-# RedefLogFiles=(no default)
-# RedefGrowingLogFiles=(no default)
-# RedefIgnoreAll=(no default)
-# RedefIgnoreNone=(no default)
-# RedefUser0=(no default)
-# RedefUser1=(no default)
-FileNamesAreUTF8 = yes
-# Switch off hardlink check for BTRFS
-UseHardlinkCheck=no
-
-[Attributes]
-##
-## for these files, only changes in permissions and ownership are checked
-##
-file=/etc/mtab
-#file=/etc/ssh_random_seed
-#file=/etc/asound.conf
-file=/etc/resolv.conf
-file=/etc/localtime
-#file=/etc/ioctl.save
-#file=/etc/passwd.backup
-#file=/etc/shadow.backup
-#file=/etc/postfix/prng_exch
-file=/etc/adjtime
-file=/etc/network/run/ifstate
-#file=/etc/lvm/.cache
-file=/etc/ld.so.cache
-
-#
-# There are files in /etc that might change, thus changing the directory
-# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
-#
-file=/etc
-
-[LogFiles]
-##
-## for these files, changes in signature, timestamps, and size are ignored
-##
-file=/var/run/utmp
-file=/etc/motd
-
-
-
-#####################################################################
-#
-# This would be the proper syntax for parts that should only be
-# included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-# result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name
-# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
-# No IP number - except if samhain cannot determine the
-# fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-#
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
-
-[GrowingLogFiles]
-##
-## for these files, changes in signature, timestamps, and increase in size
-## are ignored
-##
-#file=/var/log/warn
-file=/var/log/messages
-file=/var/log/wtmp
-file=/var/log/faillog
-file=/var/log/auth.log
-file=/var/log/daemon.log
-file=/var/log/user.log
-file=/var/log/kern.log
-file=/var/log/syslog
-
-
-[IgnoreAll]
-##
-## for these files, no modifications are reported
-##
-## This file might be created or removed by the system sometimes.
-##
-#file=/etc/resolv.conf.pcmcia.save
-#file=/etc/nologin
-file=/etc/network/run
-file=/etc/.etckeeper
-dir=-1/etc/.git
-
-
-[IgnoreNone]
-##
-## for these files, all modifications (even access time) are reported
-## - you may create some interesting-looking file (like /etc/safe_passwd),
-## just to watch whether someone will access it ...
-##
-
-[Prelink]
-##
-## Use for prelinked files or directories holding them
-##
-
-
-[ReadOnly]
-##
-## for these files, only access time is ignored
-##
-dir=/usr/bin
-dir=/bin
-dir=/boot
-#
-# SuSE (old) has the boot init scripts in /sbin/init.d/*,
-# so we go 3 levels deep
-#
-dir=3/sbin
-dir=/usr/sbin
-dir=/lib
-#
-# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*,
-# so we go 3 levels deep there too
-#
-dir=3/etc
-
-# Various directories / files that may include / be SUID/SGID binaries
-#
-#
-file=/usr/lib/pt_chown
-# X11, in Debian X7 this is now a symlink
-#dir=/usr/X11R6/bin
-#dir=/usr/X11R6/lib/X11/xmcd/bin
-# Apache:
-#file=/usr/lib/apache/suexec
-#file=/usr/lib/apache/suexec.disabled
-# Extra directories:
-#dir=/opt/gnome/bin
-#dir=/opt/kde/bin
-
-[User0]
-[User1]
-## User0 and User1 are sections for files/dirs with user-definable checking
-## (see the manual)
-
-
-[EventSeverity]
-##
-## Here you can assign severities to policy violations.
-## If this severity exceeds the treshold of a log facility (see below),
-## a policy violation will be logged to that facility.
-##
-## Severity for verification failures.
-##
-# SeverityReadOnly=crit
-# SeverityLogFiles=crit
-# SeverityGrowingLogs=crit
-# SeverityIgnoreNone=crit
-# SeverityAttributes=crit
-# SeverityUser0=crit
-# SeverityUser1=crit
-
-# Default behaviour
-SeverityReadOnly=crit
-SeverityLogFiles=crit
-SeverityGrowingLogs=warn
-SeverityIgnoreNone=crit
-SeverityAttributes=crit
-
-
-##
-## We have a file in IgnoreAll that might or might not be present.
-## Setting the severity to 'info' prevents messages about deleted/new file.
-##
-# SeverityIgnoreAll=crit
-SeverityIgnoreAll=info
-
-## Files : file access problems
-# SeverityFiles=crit
-
-## Dirs : directory access problems
-# SeverityDirs=crit
-
-## Names : suspect (non-printable) characters in a pathname
-# SeverityNames=crit
-
-# Default behaviour
-SeverityFiles=crit
-SeverityDirs=crit
-SeverityNames=warn
-
-
-[Log]
-##
-## Switch on/OFF log facilities and set their threshold severity
-##
-## Values: debug, info, notice, warn, mark, err, crit, alert, none.
-## 'mark' is used for timestamps.
-##
-##
-## Use 'none' to SWITCH OFF a log facility
-##
-## By default, everything equal to and above the threshold is logged.
-## The specifiers '*', '!', and '=' are interpreted as
-## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
-## at least on Linux). Examples:
-## MailSeverity=*
-## MailSeverity=!warn
-## MailSeverity==crit
-
-## E-mail
-##
-MailSeverity=crit
-
-## Console
-##
-PrintSeverity=none
-
-## Logfile
-##
-LogSeverity=warn
-
-## Syslog
-##
-SyslogSeverity=alert
-
-## Remote server (yule)
-##
-# ExportSeverity=none
-
-## External script or program
-##
-# ExternalSeverity = none
-
-## Logging to a database
-##
-# DatabaseSeverity = none
-
-
-
-
-
-#####################################################
-#
-# Optional modules
-#
-#####################################################
-
-# [SuidCheck]
-##
-## --- Check the filesystem for SUID/SGID binaries
-##
-
-## Switch on
-#
-# SuidCheckActive = yes
-
-## Interval for check (seconds)
-#
-# SuidCheckInterval = 7200
-
-## Alternative: crontab-like schedule
-#
-# SuidCheckSchedule = NULL
-
-## Directory to exclude
-#
-# SuidCheckExclude = NULL
-
-## Limit on files per second (0 == no limit)
-#
-# SuidCheckFps = 0
-
-## Alternative: yield after every file
-#
-# SuidCheckYield = no
-
-## Severity of a detection
-#
-# SeveritySuidCheck = crit
-
-## Quarantine SUID/SGID files if found
-#
-# SuidCheckQuarantineFiles = yes
-
-## Method for Quarantining files:
-# 0 - Delete or truncate the file.
-# 1 - Remove SUID/SGID permissions from file.
-# 2 - Move SUID/SGID file to quarantine dir.
-#
-# SuidCheckQuarantineMethod = 0
-
-## For method 1 and 3, really delete instead of truncating
-#
-# SuidCheckQuarantineDelete = yes
-
-# [Kernel]
-##
-## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
-##
-
-## Switch on/off
-#
-# KernelCheckActive = True
-
-## Check interval (seconds); btw., the check is VERY fast
-#
-# KernelCheckInterval = 300
-
-## Severity
-#
-# SeverityKernel = crit
-
-
-# [Utmp]
-##
-## --- Logging of login/logout events
-##
-
-## Switch on/off
-#
-# LoginCheckActive = True
-
-## Severity for logins, multiple logins, logouts
-#
-# SeverityLogin=info
-# SeverityLoginMulti=warn
-# SeverityLogout=info
-
-## Interval for login/logout checks
-#
-# LoginCheckInterval = 300
-
-
-# [Database]
-##
-## --- Logging to a relational database
-##
-
-## Database name
-#
-# SetDBName = samhain
-
-## Database table
-#
-# SetDBTable = log
-
-## Database user
-#
-# SetDBUser = samhain
-
-## Database password
-#
-# SetDBPassword = (default: none)
-
-## Database host
-#
-# SetDBHost = localhost
-
-## Log the server timestamp for received messages
-#
-# SetDBServerTstamp = True
-
-## Use a persistent connection
-#
-# UsePersistent = True
-
-# [External]
-##
-## Interface to call external scripts/programs for logging
-##
-
-## The absolute path to the command
-## - Each invocation of this directive will end the definition of the
-## preceding command, and start the definition of
-## an additional, new command
-#
-# OpenCommand = (no default)
-
-## Type (log or rv)
-## - log for log messages, srv for messages received by the server
-#
-# SetType = log
-
-## The command (full command line) to execute
-#
-# SetCommandLine = (no default)
-
-## The environment (KEY=value; repeat for more)
-#
-# SetEnviron = TZ=(your timezone)
-
-## The TIGER192 checksum (optional)
-#
-# SetChecksum = (no default)
-
-## User who runs the command
-#
-# SetCredentials = (default: samhain process uid)
-
-## Words not allowed in message
-#
-# SetFilterNot = (none)
-
-## Words required (ALL of them)
-#
-# SetFilterAnd = (none)
-
-## Words required (at least one)
-#
-# SetFilterOr = (none)
-
-## Deadtime between consecutive calls
-#
-# SetDeadtime = 0
-
-## Add default environment (HOME, PATH, SHELL)
-#
-# SetDefault = no
-
-
-#####################################################
-#
-# Miscellaneous configuration options
-#
-#####################################################
-
-[Misc]
-
-## whether to become a daemon process
-## (this is not honoured on database initialisation)
-#
-# Daemon = no
-Daemon = yes
-
-## whether to test signature of files (init/check/none)
-## - if 'none', then we have to decide this on the command line -
-#
-# ChecksumTest = none
-ChecksumTest=check
-
-## whether to drop linux capabilities that are not required
-## - will make a root process a 'mere mortal' in many respects
-#
-# UseCaps = yes
-
-## Set nice level (-19 to 19, see 'man nice'),
-## and I/O limit (kilobytes per second; 0 == off)
-## to reduce load on host.
-#
-SetNiceLevel = 19
-# SetIOLimit = 0
-
-## The version string to embed in file signature databases
-#
-# VersionString = NULL
-
-## Interval between time stamp messages
-#
-# SetLoopTime = 60
-SetLoopTime = 21600
-
-## Interval between file checks
-#
-# SetFileCheckTime = 600
-SetFileCheckTime = 7200
-
-## Alternative: crontab-like schedule
-#
-# FileCheckScheduleOne = NULL
-
-## Alternative: crontab-like schedule(2)
-#
-# FileCheckScheduleTwo = NULL
-
-## Report only once on modified fles
-## Setting this to 'FALSE' will generate a report for any policy
-## violation (old and new ones) each time the daemon checks the file system.
-#
-# ReportOnlyOnce = True
-
-## Report in full detail
-#
-# ReportFullDetail = False
-
-## Report file timestamps in local time rather than GMT
-#
-# UseLocalTime = No
-
-## The console device (can also be a file or named pipe)
-## - There are two console devices. Accordingly, you can use
-## this directive a second time to set the second console device.
-## If you have not defined the second device at compile time,
-## and you don't want to use it, then:
-## setting it to /dev/null is less effective than just leaving
-## it alone (setting to /dev/null will waste time by opening
-## /dev/null and writing to it)
-#
-# SetConsole = /dev/console
-
-## Activate the SysV IPC message queue
-#
-# MessageQueueActive = False
-
-
-## If false, skip reverse lookup when connecting to a host known
-## by name rather than IP address (i.e. trust the DNS)
-#
-# SetReverseLookup = True
-
-## --- E-Mail ---
-
-# Only highest-level (alert) reports will be mailed immediately,
-# others will be queued. Here you can define, when the queue will
-# be flushed (Note: the queue is automatically flushed after
-# completing a file check).
-#
-SetMailTime = 86400
-
-## Maximum number of mails to queue
-#
-SetMailNum = 10
-
-## Recipient (max. 8)
-#
-SetMailAddress = admin@fripost.org
-
-## Mail relay (IP address)
-#
-# XXX: it's unfortunate that samhain cannot use the sendmail binary. We
-# use a custom port here to avoid conflicts with the usual SMTP port the
-# MX:es need to listen on.
-# See also: /usr/share/doc/samhain/TODO.Debian
-SetMailRelay = 127.0.0.1
-SetMailPort = 16132
-
-## Custom subject format
-#
-MailSubject = [Samhain at %H] %T: %S
-
-## --- end E-Mail ---
-
-## Path to the prelink executable
-#
-# SetPrelinkPath = /usr/sbin/prelink
-
-## TIGER192 checksum of the prelink executable
-#
-# SetPrelinkChecksum = (no default)
-
-
-## Path to the executable. If set, will be checksummed after startup
-## and before exit.
-#
-# SamhainPath = (no default)
-
-
-## The IP address of the log server
-#
-# SetLogServer = (default: compiled-in)
-
-## The IP address of the time server
-#
-# SetTimeServer = (default: compiled-in)
-
-## Trusted Users (comma delimited list of user names)
-#
-# TrustedUser = (no default; this adds to the compiled-in list)
-
-## Path to the file signature database
-#
-# SetDatabasePath = (default: compiled-in)
-
-## Path to the log file
-#
-# SetLogfilePath = (default: compiled-in)
-
-## Path to the PID file
-#
-# SetLockPath = (default: compiled-in)
-
-
-## The digest/checksum/hash algorithm
-#
-# DigestAlgo = TIGER192
-
-
-## Custom format for message header.
-## CAREFUL if you use XML logfile format.
-##
-## %S severity
-## %T timestamp
-## %C class
-##
-## %F source file
-## %L source line
-#
-# MessageHeader="%S %T "
-
-
-## Don't log path to config/database file on startup
-#
-# HideSetup = False
-
-## The syslog facility, if you log to syslog
-#
-# SyslogFacility = LOG_AUTHPRIV
-SyslogFacility=LOG_LOCAL2
-
-## The message authentication method
-## - If you change this, you *must* change it
-## on client *and* server
-#
-# MACType = HMAC-TIGER
-
-
-## everything below is ignored
-[EOF]
-
-#####################################################################
-# This would be the proper syntax for parts that should only be
-# included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-# result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name
-# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
-# No IP number - except if samhain cannot determine the
-# fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 73877f8..36f744e 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -11,9 +11,6 @@
- name: apt-get update
apt: update_cache=yes
-- name: Reload samhain
- service: name=samhain state=reloaded
-
- name: Update rkhunter's data file
command: /usr/bin/rkhunter --propupd
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index b3ed8a0..c978e91 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -16,8 +16,6 @@
- import_tasks: stunnel.yml
tags: stunnel
when: "'webmail' in group_names and 'LDAP-provider' not in group_names"
-- import_tasks: samhain.yml
- tags: samhain
- import_tasks: auditd.yml
tags: auditd
- import_tasks: rkhunter.yml
diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml
deleted file mode 100644
index dd5c09b..0000000
--- a/roles/common/tasks/samhain.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: Install samhain
- apt: pkg=samhain
- # XXX: Doesn't work out of the box, see #660197.
- # Every once in a while, or after a major upgrade, you may want to
- # update Samhain's database:
- #
- # sudo samhain -t update --foreground -l none
- #
- # To update the database interactively, without sending mails:
- #
- # sudo samhain -t update --interactive -l none -m none
-
-- name: Configure samhain
- copy: src=etc/samhain/samhainrc
- dest=/etc/samhain/samhainrc
- owner=root group=root
- mode=0644
- notify:
- - Reload samhain
-
-- name: Start samhain
- # This task is inconditional because samhain is reloaded not
- # restarted.
- service: name=samhain state=started
-
-- meta: flush_handlers