6 files changed, 38 insertions, 14 deletions

diff --git a/ansible.cfg b/ansible.cfg
index 6afc1ef..82de41a 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -28,49 +28,57 @@ pattern = *
 # the default number of forks (parallelism) to be used.  Usually you
 # can crank this up.
 
-forks=5
+forks = 5
 
 # the timeout used by various connection types.  Usually this corresponds
 # to an SSH timeout
 
-timeout=10
+timeout = 10
 
 # when using --poll or "poll:" in an ansible playbook, and not specifying
 # an explicit poll interval, use this interval
 
-poll_interval=15
+poll_interval = 15
 
 # when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook,
 # and not specifying "--sudo-user" or "sudo_user" respectively, sudo
 # to this user account
 
-sudo=True
-#sudo_user=root
+sudo = True
+#sudo_user = root
+
+# what flags to pass to sudo
+sudo_flags = -H LC_ALL=C
 
 # the following forces ansible to always ask for the sudo password (instead of having
 # to add -K to the commandline). Or you can use the environment variable (ANSIBLE_ASK_SUDO_PASS)
 
-ask_sudo_pass=True
+ask_sudo_pass = True
 
 # the following forces ansible to always ask for the ssh-password (-k)
 # can also be set by the environment variable ANSIBLE_ASK_PASS
 
-#ask_pass=True
+#ask_pass = True
 
 # connection to use when -c <connection_type> is not specified
 
-transport=ssh
+transport = ssh
 
 # remote SSH port to be used when --port or "port:" or an equivalent inventory
 # variable is not specified.
 
-remote_port=22
+remote_port = 22
 
 # if set, always run /usr/bin/ansible commands as this user, and assume this value
 # if "user:" is not set in a playbook.  If not set, use the current Unix user
 # as the default
 
-#remote_user=root
+#remote_user = root
+
+# if set, always use this private key file for authentication, same as if passing
+# --private-key to ansible or ansible-playbook
+
+#private_key_file=/path/to/file
 
 # format of string $ansible_managed available within Jinja2 templates, replacing
 # {file}, {host} and {uid} with template filename, host and owner respectively.
@@ -88,11 +96,15 @@ connection_plugins = /usr/share/ansible_plugins/connection_plugins
 lookup_plugins     = /usr/share/ansible_plugins/lookup_plugins
 vars_plugins       = /usr/share/ansible_plugins/vars_plugins
 
-legacy_playbook_variables = no
-
 [ssh_connection]
 
+# if uncommented, sets the ansible ssh arguments to the following.  Leaving off ControlPersist
+# will result in poor performance, so use transport=paramiko on older platforms rather than
+# removing it
+
 ssh_args = -F ../virtualenv/.ssh/config
            -o ControlMaster=auto
            -o ControlPersist=60s
            -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
+
+pipelining = True
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common.local b/roles/common/files/etc/logcheck/ignore.d.server/common.local
index 22fe621..331edeb 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/common.local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common.local
@@ -1,6 +1,8 @@
 # Ansible Managed
 # Do NOT edit this file directly!
 #
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit )
 # Ansible logs everything into syslog
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-[a-z]+: Invoked
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([a-z]+|<stdin>): Invoked with
diff --git a/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo
new file mode 100644
index 0000000..e474019
--- /dev/null
+++ b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo
@@ -0,0 +1,7 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$
+# ignore sudo with custom ENV
+#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index 06f06b0..d25a75e 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -20,6 +20,7 @@
   with_items:
     - logcheck.conf
     - ignore.d.server/common.local
+    - violations.ignore.d/logcheck-sudo
 
 - name: Minimal logging policy (1)
   lineinfile: dest=/etc/logrotate.d/rsyslog
diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml
index f6a4d71..78eec90 100644
--- a/roles/common/tasks/rkhunter.yml
+++ b/roles/common/tasks/rkhunter.yml
@@ -8,6 +8,8 @@
     - unhide
     - unhide.rb
 
+# To test the configuration:
+#   ansible all -m command -a '/usr/bin/rkhunter -c --nomow --rwo'
 - name: Configure rkhunter
   copy: src=etc/{{ item }}
         dest=/etc/{{ item }}
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index 9adeece..6ac7feb 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -1,4 +1,4 @@
-- sysctl: name={{ item.name }} value={{ item.value }}
+- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes
   with_items:
     - { name: 'kernel.domainname', value: '{{ ansible_domain }}' }