diff options
Diffstat (limited to 'roles/common/files/etc')
10 files changed, 304 insertions, 105 deletions
diff --git a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades index 86c6508..02ec1e1 100644 --- a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades +++ b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades @@ -2,100 +2,145 @@ // upgraded. // // Lines below have the format format is "keyword=value,...". A // package will be upgraded only if the values in its metadata match // all the supplied keywords in a line. (In other words, omitted // keywords are wild cards.) The keywords originate from the Release // file, but several aliases are accepted. The accepted keywords are: // a,archive,suite (eg, "stable") // c,component (eg, "main", "contrib", "non-free") // l,label (eg, "Debian", "Debian-Security") // o,origin (eg, "Debian", "Unofficial Multimedia Packages") // n,codename (eg, "jessie", "jessie-updates") // site (eg, "http.debian.net") // The available values on the system are printed by the command // "apt-cache policy", and can be debugged by running // "unattended-upgrades -d" and looking at the log file. // // Within lines unattended-upgrades allows 2 macros whose values are // derived from /etc/debian_version: // ${distro_id} Installed origin. -// ${distro_codename} Installed codename (eg, "jessie") +// ${distro_codename} Installed codename (eg, "buster") Unattended-Upgrade::Origins-Pattern { // Codename based matching: // This will follow the migration of a release through different // archives (e.g. from testing to stable and later oldstable). -// "o=Debian,n=jessie"; -// "o=Debian,n=jessie-updates"; -// "o=Debian,n=jessie-proposed-updates"; -// "o=Debian,n=jessie,l=Debian-Security"; + // Software will be the latest available for the named release, + // but the Debian release itself will not be automatically upgraded. +// "origin=Debian,codename=${distro_codename}-updates"; +// "origin=Debian,codename=${distro_codename}-proposed-updates"; + "origin=Debian,codename=${distro_codename},label=Debian"; + "origin=Debian,codename=${distro_codename},label=Debian-Security"; // Archive or Suite based matching: // Note that this will silently match a different release after // migration to the specified archive (e.g. testing becomes the // new stable). // "o=Debian,a=stable"; // "o=Debian,a=stable-updates"; // "o=Debian,a=proposed-updates"; - "origin=Debian,codename=${distro_codename},label=Debian-Security"; +// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports"; }; -// List of packages to not update (regexp are supported) +// Python regular expressions, matching packages to exclude from upgrading Unattended-Upgrade::Package-Blacklist { -// "vim"; -// "libc6"; -// "libc6-dev"; -// "libc6-i686"; + // The following matches all packages starting with linux- +// "linux-"; + + // Use $ to explicitely define the end of a package name. Without + // the $, "libc6" would match all of them. +// "libc6$"; +// "libc6-dev$"; +// "libc6-i686$"; + + // Special characters need escaping +// "libstdc\+\+6$"; + + // The following matches packages like xen-system-amd64, xen-utils-4.1, + // xenstore-utils and libxenstore3.0 +// "(lib)?xen(store)?"; + + // For more information about Python regular expressions, see + // https://docs.python.org/3/howto/regex.html }; // This option allows you to control if on a unclean dpkg exit // unattended-upgrades will automatically run // dpkg --force-confold --configure -a // The default is true, to ensure updates keep getting installed -//Unattended-Upgrade::AutoFixInterruptedDpkg "false"; +//Unattended-Upgrade::AutoFixInterruptedDpkg "true"; // Split the upgrade into the smallest possible chunks so that -// they can be interrupted with SIGUSR1. This makes the upgrade +// they can be interrupted with SIGTERM. This makes the upgrade // a bit slower but it has the benefit that shutdown while a upgrade // is running is possible (with a small delay) //Unattended-Upgrade::MinimalSteps "true"; -// Install all unattended-upgrades when the machine is shuting down -// instead of doing it in the background while the machine is running -// This will (obviously) make shutdown slower -//Unattended-Upgrade::InstallOnShutdown "true"; +// Install all updates when the machine is shutting down +// instead of doing it in the background while the machine is running. +// This will (obviously) make shutdown slower. +// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s. +// This allows more time for unattended-upgrades to shut down gracefully +// or even install a few packages in InstallOnShutdown mode, but is still a +// big step back from the 30 minutes allowed for InstallOnShutdown previously. +// Users enabling InstallOnShutdown mode are advised to increase +// InhibitDelayMaxSec even further, possibly to 30 minutes. +//Unattended-Upgrade::InstallOnShutdown "false"; // Send email to this address for problems or packages upgrades // If empty or unset then no email is sent, make sure that you // have a working mail setup on your system. A package that provides // 'mailx' must be installed. E.g. "user@example.com" Unattended-Upgrade::Mail "admin@fripost.org"; // Set this value to "true" to get emails only on errors. Default // is to always send a mail if Unattended-Upgrade::Mail is set -//Unattended-Upgrade::MailOnlyOnError "true"; +//Unattended-Upgrade::MailOnlyOnError "false"; -// Do automatic removal of new unused dependencies after the upgrade +// Remove unused automatically installed kernel-related packages +// (kernel images, kernel headers and kernel version locked tools). +//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; + +// Do automatic removal of newly unused dependencies after the upgrade +//Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; + +// Do automatic removal of unused packages after the upgrade // (equivalent to apt-get autoremove) //Unattended-Upgrade::Remove-Unused-Dependencies "false"; // Automatically reboot *WITHOUT CONFIRMATION* if -// the file /var/run/reboot-required is found after the upgrade +// the file /var/run/reboot-required is found after the upgrade //Unattended-Upgrade::Automatic-Reboot "false"; -// Automatically reboot even if there are users currently logged in. +// Automatically reboot even if there are users currently logged in +// when Unattended-Upgrade::Automatic-Reboot is set to true //Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; // If automatic reboot is enabled and needed, reboot at the specific // time instead of immediately // Default: "now" //Unattended-Upgrade::Automatic-Reboot-Time "02:00"; // Use apt bandwidth limit feature, this example limits the download // speed to 256kb/sec Acquire::http::Dl-Limit "256"; // Enable logging to syslog. Default is False // Unattended-Upgrade::SyslogEnable "false"; // Specify syslog facility. Default is daemon // Unattended-Upgrade::SyslogFacility "daemon"; + +// Download and install upgrades only on AC power +// (i.e. skip or gracefully stop updates on battery) +// Unattended-Upgrade::OnlyOnACPower "true"; + +// Download and install upgrades only on non-metered connection +// (i.e. skip or gracefully stop updates on a metered connection) +// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; + +// Verbose logging +// Unattended-Upgrade::Verbose "false"; + +// Print debugging information both in unattended-upgrades and +// in unattended-upgrade-shutdown +// Unattended-Upgrade::Debug "false"; diff --git a/roles/common/files/etc/apt/listchanges.conf b/roles/common/files/etc/apt/listchanges.conf index dc31f5e..cee0648 100644 --- a/roles/common/files/etc/apt/listchanges.conf +++ b/roles/common/files/etc/apt/listchanges.conf @@ -1,6 +1,9 @@ [apt] frontend=mail email_address=admin@fripost.org confirm=0 save_seen=/var/lib/apt/listchanges.db which=news +email_format=text +headers=false +reverse=false diff --git a/roles/common/files/etc/logcheck/logcheck.conf b/roles/common/files/etc/logcheck/logcheck.conf index 9a7e7c6..4c7ff10 100644 --- a/roles/common/files/etc/logcheck/logcheck.conf +++ b/roles/common/files/etc/logcheck/logcheck.conf @@ -52,34 +52,45 @@ FQDN=1 # Controls the base directory for rules file location # This must be an absolute path #RULEDIR="/etc/logcheck" # Controls if syslog-summary is run over each section. # Alternatively, set to "1" to enable extra summary. # HINT: syslog-summary needs to be installed. #SYSLOGSUMMARY=0 # Controls Subject: lines on logcheck reports: #ATTACKSUBJECT="Security Alerts" #SECURITYSUBJECT="Security Events" #EVENTSSUBJECT="System Events" # Controls [logcheck] prefix on Subject: lines -#ADDTAG="no" +#ADDTAG="no" + +# Previous versions of logcheck always sent messages in 7bit encoding, +# even if that resulted in RFC-violating messages. For example, really +# long syslog lines would generate too-long SMTP lines, which are +# rejected at least by Debian's default exim configuration. The new +# default is to let mime-construct pick an appropriate encoding, but you +# can override it by setting the below (to any of the encodings +# supported by mime-construct). You may need to do this if you have +# tools handling logcheck emails that don't understand MIME encoding. + +#MIMEENCODING= # Set a different location for temporary files than /tmp # this is useful if your /tmp is small and you are getting # errors such as: # cp: writing `/tmp/logcheck.y12449/checked': No space left on device # /usr/sbin/logcheck: line 161: cannot create temp file for here document: No space left on device # mail: /tmp/mail.RsXXXXpc2eAx: No space left on device # Null message body; hope that's ok # # If this is happening, likely you will want to change the following to be some other # location, such as /var/tmp TMP="/tmp" diff --git a/roles/common/files/etc/logrotate.d/fripost-mail b/roles/common/files/etc/logrotate.d/fripost-mail index 4fc1a85..7f7ffc2 100644 --- a/roles/common/files/etc/logrotate.d/fripost-mail +++ b/roles/common/files/etc/logrotate.d/fripost-mail @@ -1,34 +1,34 @@ # Don't forget to remove these log files from other files under # /etc/logrotate.d/ ! /var/log/mail.log /var/log/mail.info { rotate 3 daily missingok notifempty compress delaycompress sharedscripts postrotate - invoke-rc.d rsyslog rotate > /dev/null + /usr/lib/rsyslog/rsyslog-rotate endscript } # Keep a mapping Postfix's message ID -> SASL username for a month, to # find authors of potential abuse emails (if we are shown the header of # such emails.) /var/log/mail.sasl { rotate 4 weekly missingok notifempty compress delaycompress sharedscripts postrotate - invoke-rc.d rsyslog rotate > /dev/null + /usr/lib/rsyslog/rsyslog-rotate endscript } diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf index b6a7d06..ce3b2d6 100644 --- a/roles/common/files/etc/rkhunter.conf +++ b/roles/common/files/etc/rkhunter.conf @@ -1,92 +1,95 @@ # # This is the main configuration file for Rootkit Hunter. # # You can modify this file directly, or you can create a local configuration # file. The local file must be named 'rkhunter.conf.local', and must reside # in the same directory as this file. Alternatively you can create a directory, # named 'rkhunter.d', which also must be in the same directory as this # configuration file. Within the 'rkhunter.d' directory you can place further # configuration files. There is no restriction on the file names used, other # than they must end in '.conf'. # # Please modify the configuration file(s) to your own requirements. It is # recommended that the command 'rkhunter -C' is run after any changes have # been made. # # Please review the documentation before posting bug reports or questions. -# To report bugs, obtain updates, or provide patches or comments, please go -# to: http://rkhunter.sourceforge.net +# To report bugs, provide patches or comments, please go to: +# http://rkhunter.sourceforge.net # # To ask questions about rkhunter, please use the 'rkhunter-users' mailing list. # Note that this is a moderated list, so please subscribe before posting. # # In the configuration files, lines beginning with a hash (#), and blank lines, # are ignored. Also, end-of-line comments are not supported. # # Any of the configuration options may appear more than once. However, several # options only take one value, and so the last one seen will be used. Some # options are allowed to appear more than once, and the text describing the # option will say if this is so. These configuration options will, in effect, # have their values concatenated together. To delete a previously specified # option list, specify the option with no value (that is, a null string). # # Some of the options are space-separated lists, others, typically those # specifying pathnames, are newline-separated lists. These must be entered # as one item per line. Quotes must not be used to surround the pathname. # # For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an # option: XXX=/tmp/abc (correct) # XXX=/tmp/xyz # # XXX="/tmp/abc" (incorrect) # XXX="/tmp/xyz" # # XXX=/tmp/abc /tmp/xyz (incorrect) # or XXX="/tmp/abc /tmp/xyz" (incorrect) # or XXX="/tmp/abc" "/tmp/xyz" (incorrect) # # The last three examples are being configured as space-separated lists, # which is incorrect, generally, for options specifying pathnames. They # should be configured with one entry per line as in the first example. # # If wildcard characters (globbing) are allowed for an option, then the -# text describing the option will say so. +# text describing the option will say so. Any globbing character explicitly +# required in a pathname should be escaped. # # Space-separated lists may be enclosed by quotes, although they are not # required. If they are used, then they must only appear at the start and # end of the list, not in the middle. # # For example: XXX=abc def gh (correct) # XXX="abc def gh" (correct) # XXX="abc" "def" "gh" (incorrect) # # Space-separated lists may also be entered simply as one entry per line. # # For example: XXX=abc (correct) # XXX=def # XXX="gh" # # If a configuration option is never set, then the program will assume a # default value. The text describing the option will state the default value. # If there is no default, then rkhunter will calculate a value or pathname -# to use. +# to use. If a value is set for a configuration option, then the default +# value is ignored. If it is wished to keep the default value, as well as +# any other set value, then the default must be explicitly set. # # # If this option is set to '1', it specifies that the mirrors file # ('mirrors.dat'), which is used when the '--update' and '--versioncheck' # options are used, is to be rotated. Rotating the entries in the file allows # a basic form of load-balancing between the mirror sites whenever the above # options are used. # # If the option is set to '0', then the mirrors will be treated as if in a # priority list. That is, the first mirror listed will always be used first. # The second mirror will only be used if the first mirror fails, the third # mirror will only be used if the second mirror fails, and so on. # # If the mirrors file is read-only, then the '--versioncheck' command-line # option can only be used if this option is set to '0'. # # The default value is '1'. # @@ -242,46 +245,46 @@ LOGFILE=/var/log/rkhunter.log # # Set the following option to '1' if the log file is to be copied when rkhunter # finishes and an error or warning has occurred. The copied log file name will # be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format). # For example: rkhunter.log.2009-04-21_00:57:51 # If the option value is '0', then the log file will not be copied regardless # of whether any errors or warnings occurred. # # The default value is '0'. # #COPY_LOG_ON_ERROR=0 # # Set the following option to enable the rkhunter check start and finish times # to be logged by syslog. Warning messages will also be logged. The value of # the option must be a standard syslog facility and priority, separated by a # dot. For example: # # USE_SYSLOG=authpriv.warning # -# Setting the value to 'none', or just leaving the option commented out, +# Setting the value to 'NONE', or just leaving the option commented out, # disables the use of syslog. # # The default value is not to use syslog. # -#USE_SYSLOG=authpriv.notice +USE_SYSLOG=authpriv.warning # # Set the following option to '1' if the second colour set is to be used. This # can be useful if your screen uses black characters on a white background # (for example, a PC instead of a server). A value of '0' will cause the default # colour set to be used. # # The default value is '0'. # #COLOR_SET2=0 # # Set the following option to '0' if rkhunter should not detect if X is being # used. If X is detected as being used, then the second colour set will # automatically be used. If set to '1', then the use of X will be detected. # # The default value is '0'. # AUTO_X_DETECT=1 @@ -300,144 +303,147 @@ AUTO_X_DETECT=1 # 'PermitRootLogin' option. A warning will be displayed if they do not match. # However, if a value has not been set in the SSH configuration file, then a # value here of 'unset' can be used to avoid warning messages. # # The default value is 'no'. # #ALLOW_SSH_ROOT_USER=no # # Set this option to '1' to allow the use of the SSH-1 protocol, but note # that theoretically it is weaker, and therefore less secure, than the # SSH-2 protocol. Do not modify this option unless you have good reasons # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 # authentication). If the 'Protocol' option has not been set in the SSH # configuration file, then a value of '2' may be set here in order to # suppress a warning message. A value of '0' indicates that the use of # SSH-1 is not allowed. # # The default value is '0'. # -#ALLOW_SSH_PROT_V1=0 +ALLOW_SSH_PROT_V1=2 # # This setting tells rkhunter the directory containing the SSH configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. +# file. If unset, this setting will be worked out by rkhunter, and so should +# not usually need to be set. # # This option has no default value. # #SSH_CONFIG_DIR=/etc/ssh # # These two options determine which tests are to be performed. The ENABLE_TESTS -# option can use the word 'all' to refer to all of the available tests. The -# DISABLE_TESTS option can use the word 'none' to mean that no tests are +# option can use the word 'ALL' to refer to all of the available tests. The +# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are # disabled. The list of disabled tests is applied to the list of enabled tests. # # Both options are space-separated lists of test names, and both options may # be specified more than once. The currently available test names can be seen # by using the command 'rkhunter --list tests'. # # The supplied configuration file has some tests already disabled, and these # are tests that will be used only occasionally, can be considered 'advanced' # or that are prone to produce more than the average number of false-positives. # # Please read the README file for more details about enabling and disabling # tests, the test names, and how rkhunter behaves when these options are used. # # The default values are to enable all tests and to disable none. However, if # either of the options below are specified, then they will override the # program defaults. # -# hidden_procs test requires the unhide and/or unhide.rb commands which are -# part of the unhide respectively unhide.rb packages in Debian. -# -# apps test is disabled by default as it triggers warnings about outdated -# applications (and warns about possible security risk: we better trust -# the Debian Security Team). -# -ENABLE_TESTS=all +ENABLE_TESTS=ALL DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps # # The HASH_CMD option can be used to specify the command to use for the file # properties hash value check. It can be specified as just the command name or # the full pathname. If just the command name is given, and it is one of MD5, # SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the # relevant command, such as 'sha256sum', and then for 'sha256'. If neither of # these are found, it will then look to see if a perl module has been installed # which will support the relevant hash function. To see which perl modules have # been installed use the command 'rkhunter --list perl'. # # Systems using prelinking are restricted to using either the SHA1 or MD5 # function. # # A value of 'NONE' (in uppercase) can be specified to indicate that no hash # function should be used. Rkhunter will detect this, and automatically disable # the file properties hash check test. # # Examples: # For Solaris 9 : HASH_CMD=gmd5sum # For Solaris 10: HASH_CMD=sha1sum # For AIX (>5.2): HASH_CMD="csum -hMD5" # For NetBSD : HASH_CMD="cksum -a sha512" # # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. # -# The default value is the SHA1 function, or MD5 if SHA1 cannot be found. +# The default value is the SHA256 function, unless prelinking is used in +# which case it defaults to the SHA1 function. # -# Also see the HASH_FLD_IDX option. +# Also see the HASH_FLD_IDX option. In addition, note the comments under +# the PKGMGR option relating to the use of HASH_CMD. # -HASH_CMD=sha512sum +HASH_CMD=SHA512 # # The HASH_FLD_IDX option specifies which field from the HASH_CMD command # output contains the hash value. The fields are assumed to be space-separated. # # The option value must be an integer greater than zero. # # The default value is '1', but for *BSD users rkhunter will, by default, use a # value of '4' if the HASH_CMD option has not been set. # #HASH_FLD_IDX=4 # # The PKGMGR option tells rkhunter to use the specified package manager to # obtain the file property information. This is used when updating the file # properties file ('rkhunter.dat'), and when running the file properties check. # For RedHat/RPM-based systems, 'RPM' can be used to get information from the # RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems -# 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value, -# or a value of 'NONE', indicates that no package manager is to be used. +# 'BSD' can be used, or for *BSD systems with the 'pkg' command 'BSDng' can be +# used, and for Solaris systems 'SOLARIS' can be used. No value, or a value of +# 'NONE', indicates that no package manager is to be used. # -# The current package managers, except 'SOLARIS', store the file hash values -# using an MD5 hash function. The Solaris package manager includes a checksum -# value, but this is not used by default (see USE_SUNSUM below). +# The package managers obtain each file hash value using a hash function. The +# Solaris package manager includes a 16-bit checksum value, but this is not +# used by default (see USE_SUNSUM below). The 'RPM' and 'BSDng' package managers +# currently use a SHA256 hash function. Other package managers will, typically, +# use an MD5 hash function. # -# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. -# The 'RPM' package manager additionally provides values for the inode, -# file permissions, uid, gid and other values. The 'SOLARIS' also provides -# most of the values, similar to 'RPM', but not the inode number. +# The 'DPKG', 'BSD' and 'BSDng' package managers only provide a file hash value. +# The 'RPM' package manager additionally provides values for the inode, file +# permissions, uid, gid and other values. The 'SOLARIS' package manager also +# provides most of the values, similar to 'RPM', but not the inode number. # # For any file not part of a package, rkhunter will revert to using the -# HASH_CMD hash function instead. +# HASH_CMD hash function instead. This means that if the HASH_CMD option +# is set, and PKGMGR is set, then the HASH_CMD hash function is only used, +# and stored, for non-packaged files. All packaged files will use, and store, +# whatever hash function the relevant package manager uses. So, for example, +# with the 'RPM' package manager, packaged files will be stored with their +# SHA256 value regardless of the value of the HASH_CMD option. # # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. # # The default value is 'NONE'. # # Also see the PKGMGR_NO_VRFY and USE_SUNSUM options. # # NONE is the default for Debian as well, as running --propupd takes # about 4 times longer when it's set to DPKG # #PKGMGR=NONE # # It is possible that a file, which is part of a package, may have been # modified by the administrator. Typically this occurs for configuration # files. However, the package manager may list the file as being modified. # For the RPM package manager this may well depend on how the package was # built. This option specifies a pathname which is to be exempt from the # package manager verification process, and which will be treated # as a non-packaged file. As such, the file properties are still checked. @@ -482,91 +488,91 @@ HASH_CMD=sha512sum # # The default value is the null string. # #IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top # # These options specify a command, directory or file pathname which will be # included or excluded in the file properties checks. # # For the USER_FILEPROP_FILES_DIRS option, simple command names - for example, # 'top' - and directory names are added to the internal list of directories to # be searched for each of the command names in the command list. Additionally, # full pathnames to files, which need not be commands, may be given. Any files # or directories which are already part of the internal lists will be silently # ignored from the configuration. # # For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for # simple command names. # For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. # +# To extend the use of wildcards to include recursive checking of directories, +# see the GLOBSTAR configuration option. +# # Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS # option. Wildcards may be used with this option. # # By combining these two options, and using wildcards, whole directories can be # excluded. For example: # # USER_FILEPROP_FILES_DIRS=/etc/* # USER_FILEPROP_FILES_DIRS=/etc/*/* # EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/* # # This will look for files in the first two directory levels of '/etc'. However, # anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be # excluded. # # NOTE: Only files and directories which have been added by the user, and are # not part of the internal lists, can be excluded. So, for example, it is not # possible to exclude the 'ps' command by using '/bin/ps'. These will be # silently ignored from the configuration. # # Both options can be specified more than once. # # NOTE: Whenever these options are changed 'rkhunter --propupd' must be run. # # The default value for both options is the null string. # #USER_FILEPROP_FILES_DIRS=top #USER_FILEPROP_FILES_DIRS=/usr/local/sbin #USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf #USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local -#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/* -#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/* +#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.d/* #EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps* -#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat -#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter* # # This option whitelists files and directories from existing, or not existing, # on the system at the time of testing. This option is used when the # configuration file options themselves are checked, and during the file # properties check, the hidden files and directories checks, and the filesystem # check of the '/dev' directory. # # This option may be specified more than once, and may use wildcards. # Be aware though that this is probably not what you want to do as the # wildcarding will be expanded after files have been deleted. As such # deleted files won't be whitelisted if wildcarded. # # NOTE: The user must take into consideration how often the file will appear # and disappear from the system in relation to how often rkhunter is run. If # the file appears, and disappears, too often then rkhunter may not notice -# this. All it will see is that the file has changed. The inode-number and DTM +# this. All it will see is that the file has changed. The inode number and DTM # will certainly be different for each new file, and rkhunter will report this. # # The default value is the null string. # #EXISTWHITELIST="" # # Whitelist various attributes of the specified file. The attributes are those # of the 'attributes' test. Specifying a file name here does not include it # being whitelisted for the write permission test (see below). # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ATTRWHITELIST=/usr/bin/date # # Allow the specified file to have the 'others' (world) permission have the # write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx. @@ -595,79 +601,99 @@ SCRIPTWHITELIST=/usr/sbin/adduser # # Allow the specified file to have the immutable attribute set. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #IMMUTWHITELIST=/sbin/ifdown # # If this option is set to '1', then the immutable-bit test is reversed. That # is, the files are expected to have the bit set. A value of '0' means that the # immutable-bit should not be set. # # The default value is '0'. # #IMMUTABLE_SET=0 # +# If this option is set to '1', then any changed inode value is ignored in +# the file properties check. The inode test itself still runs, but it will +# always return that no inodes have changed. +# +# This option may be useful for filesystems such as Btrfs, which handle inodes +# slightly differently than other filesystems. +# +# The default value is '0'. +# +#SKIP_INODE_CHECK=0 + +# # Allow the specified hidden directory to be whitelisted. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ALLOWHIDDENDIR=/etc/.java ALLOWHIDDENDIR=/etc/.git #ALLOWHIDDENDIR=/dev/.lxc # # Allow the specified hidden file to be whitelisted. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz #ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac #ALLOWHIDDENFILE=/usr/bin/.ssh.hmac #ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac #ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac #ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz #ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz ALLOWHIDDENFILE=/etc/.gitignore #ALLOWHIDDENFILE=/etc/.bzrignore ALLOWHIDDENFILE=/etc/.etckeeper # # Allow the specified process to use deleted files. The process name may be -# followed by a colon-separated list of full pathnames. The process will then -# only be whitelisted if it is using one of the given files. For example: +# followed by a colon-separated list of full pathnames (which have been +# deleted). The process will then only be whitelisted if it is using one of +# the given pathnames. For example: # # ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz # # This option may be specified more than once. It may also use wildcards, but -# only in the file names. +# only in the deleted file pathnames, not in the process name. The use of +# extended pattern matching in pathname expansion (for example, '**') is not +# supported for this option. However, the option itself extends globbing when +# the '*' character is used by matching zero or more characters in the +# pathname, including those in sub-directories. For example, the pathname +# '/tmp/abc/def/xyz' would not be matched by shell globbing using '/tmp/*/xyz' +# but is matched when used in this option. Similarly, using '/tmp/*' will +# match any file found in the '/tmp' directory or any sub-directories. # # The default value is the null string. # #ALLOWPROCDELFILE=/sbin/cardmgr #ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2 #ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib* #ALLOWPROCDELFILE=/usr/lib/iceweasel/iceweasel #ALLOWPROCDELFILE=/usr/bin/file-roller # # Allow the specified process to listen on any network interface. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ALLOWPROCLISTEN=/sbin/dhclient #ALLOWPROCLISTEN=/usr/bin/dhcpcd #ALLOWPROCLISTEN=/usr/sbin/tcpdump #ALLOWPROCLISTEN=/usr/sbin/snort-plain @@ -690,40 +716,80 @@ ALLOWHIDDENFILE=/etc/.etckeeper # it is highly recommended that this value is used. # # The default value is 'THOROUGH'. # # Also see the ALLOWDEVFILE option. # #SCAN_MODE_DEV=THOROUGH # # Allow the specified file to be present in the '/dev' directory, and not # regarded as suspicious. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ALLOWDEVFILE=/dev/shm/pulse-shm-* #ALLOWDEVFILE=/dev/shm/sem.ADBE_* # +# Allow the specified process pathnames to use shared memory segments. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#ALLOWIPCPROC=/usr/bin/firefox +#ALLOWIPCPROC=/usr/bin/vlc + +# +# Allow the specified memory segment creator PIDs to use shared memory segments. +# +# This is a space-separated list of PID numbers (as given by the +# 'ipcs -p' command). This option may be specified more than once. +# +# The default value is the null string. +# +#ALLOWIPCPID=12345 6789 + +# +# Allow the specified account names to use shared memory segments. +# +# This is a space-separated list of account names. The option may be specified +# more than once. +# +# The default value is the null string. +# +#ALLOWIPCUSER=usera userb + +# +# This option can be used to set the maximum shared memory segment size +# (in bytes) that is not considered suspicious. Any segment above this size, +# and with 600 or 666 permissions, will be considered suspicious during the +# shared memory check. +# +# The default is 1048576 (1M) bytes. +# +#IPC_SEG_SIZE=1048576 + +# # This option is used to indicate if the Phalanx2 test is to perform a basic # check, or a more thorough check. If the option is set to '0', then a basic # check is performed. If it is set to '1', then all the directories in the # '/etc' and '/usr' directories are scanned. # # NOTE: Setting this option to '1' will cause the test to take longer # to complete. # # The default value is '0'. # #PHALANX2_DIRTEST=0 # # This option tells rkhunter where the inetd configuration file is located. # # The default value is the null string. # #INETD_CONF_PATH=/etc/inetd.conf # @@ -759,92 +825,93 @@ ALLOWHIDDENFILE=/etc/.etckeeper # This option tells rkhunter where the xinetd configuration file is located. # # The default value is the null string. # #XINETD_CONF_PATH=/etc/xinetd.conf # # This option allows the specified enabled xinetd services. Whilst it would be # nice to use the service names themselves, at the time of testing we only have # the pathname available. As such, these entries are the xinetd file pathnames. # # This is a space-separated list of service names. The option may be specified # more than once. # # The default value is the null string. # #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo # # This option tells rkhunter the local system startup file pathnames. The -# directories will be searched for files. By default rkhunter will try and -# determine were the startup files are located. If the option is set to 'NONE', -# then certain tests will be skipped. +# directories will be searched for files. If unset, then rkhunter will try +# and determine were the startup files are located. If the option is set to +# 'NONE' then certain tests will be skipped. # # This is a space-separated list of file and directory pathnames. The option # may be specified more than once, and may use wildcard characters. # # This option has no default value. # #STARTUP_PATHS=/etc/init.d /etc/rc.local # # This option tells rkhunter the pathname to the file containing the user -# account passwords. This setting will be worked out by rkhunter, and so -# should not usually need to be set. Users of TCB shadow files should not -# set this option. +# account passwords. If unset, this setting will be worked out by rkhunter, +# and so should not usually need to be set. Users of TCB shadow files should +# not set this option. # # This option has no default value. # #PASSWORD_FILE=/etc/shadow # # This option allows the specified accounts to be root equivalent. These # accounts will have a UID value of zero. The 'root' account does not need # to be listed as it is automatically whitelisted. # # This is a space-separated list of account names. The option may be specified # more than once. # # NOTE: For *BSD systems you will probably need to use this option for the # 'toor' account. # # The default value is the null string. # #UID0_ACCOUNTS=toor rooty sashroot # # This option allows the specified accounts to have no password. NIS/YP entries # do not need to be listed as they are automatically whitelisted. # # This is a space-separated list of account names. The option may be specified # more than once. # # The default value is the null string. # #PWDLESS_ACCOUNTS=abc # # This option tells rkhunter the pathname to the syslog configuration file. -# This setting will be worked out by rkhunter, and so should not usually need -# to be set. A value of 'NONE' can be used to indicate that there is no -# configuration file, but that the syslog daemon process may be running. +# If unset, this setting will be worked out by rkhunter, and so should not +# usually need to be set. A value of 'NONE' can be used to indicate that +# there is no configuration file, but that the syslog daemon process may +# be running. # # This is a space-separated list of pathnames. The option may be specified # more than once. # # This option has no default value. # #SYSLOG_CONFIG_FILE=/etc/syslog.conf # # If this option is set to '1', then the use of syslog remote logging is # permitted. A value of '0' disallows the use of remote logging. # # The default value is '0'. # #ALLOW_SYSLOG_REMOTE_LOGGING=0 # # This option allows the specified applications, or a specific version of an # application, to be whitelisted. If a specific version is to be whitelisted, # then the name must be followed by a colon and then the version number. @@ -879,51 +946,63 @@ ALLOWHIDDENFILE=/etc/.etckeeper # #SUSPSCAN_DIRS=/tmp /var/tmp # # This option specifies the directory for temporary files used by the # 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is # better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS # as that is highly likely to cause false-positive results. # # The default value is '/dev/shm'. # #SUSPSCAN_TEMP=/dev/shm # # This option specifies the 'suspscan' test maximum filesize in bytes. Files # larger than this will not be inspected. Do make sure you have enough space # available in your temporary files directory. # # The default value is '1024000'. # -#SUSPSCAN_MAXSIZE=10240000 +#SUSPSCAN_MAXSIZE=1024000 # # This option specifies the 'suspscan' test score threshold. Below this value # no hits will be reported. # # The default value is '200'. # #SUSPSCAN_THRESH=200 # +# This option may be used to whitelist file pathnames from the suspscan test. +# +# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration +# option. +# +# This option may be specified more than once. +# +# The default value is the null string. +# +#SUSPSCAN_WHITELIST="" + +# # The following options can be used to whitelist network ports which are known # to have been used by malware. # # The PORT_WHITELIST option is a space-separated list of one or more of two # types of whitelisting. These are: # # 1) a 'protocol:port' pair # 2) an asterisk ('*') # # Only the UDP or TCP protocol may be specified, and the port number must be # between 1 and 65535 inclusive. # # The asterisk can be used to indicate that any executable which rkhunter can # locate as a command, is whitelisted. (Also see BINDIR) # # The PORT_PATH_WHITELIST option specifies one of two types of whitelisting. # These are: # # 1) a pathname to an executable # 2) a combined pathname, protocol and port @@ -1059,90 +1138,105 @@ ALLOWHIDDENFILE=/etc/.etckeeper #READLINK_CMD=BUILTIN # # In the file properties test any modification date/time is displayed as the # number of epoch seconds. Rkhunter will try and use the 'date' command, or # failing that the 'perl' command, to display the date and time in a # human-readable format as well. This option may be used if some other command # should be used instead. The given command must understand the '%s' and # 'seconds ago' options found in the GNU 'date' command. # # A value of 'NONE' may be used to request that only the epoch seconds be shown. # A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if # it is present. # # This option has no default value. # #EPOCH_DATE_CMD="" # # This setting tells rkhunter the directory containing the available Linux -# kernel modules. This setting will be worked out by rkhunter, and so should -# not usually need to be set. +# kernel modules. If unset, this setting will be worked out by rkhunter, and +# so should not usually need to be set. # # This option has no default value. # #MODULES_DIR="" # # The following option can be set to a command which rkhunter will use when # downloading files from the Internet - that is, when the '--update' or # '--versioncheck' option is used. The command can take options. # # This allows the user to use a command other than the one automatically # selected by rkhunter, but still one which it already knows about. # For example: # # WEB_CMD=curl # # Alternatively, the user may specify a completely new command. However, note # that rkhunter expects the downloaded file to be written to stdout, and that # everything written to stderr is ignored. For example: # # WEB_CMD="/opt/bin/dlfile --timeout 5m -q" # # *BSD users may want to use the 'ftp' command, provided that it supports the # HTTP protocol: # # WEB_CMD="ftp -o -" # # This option has no default value. # WEB_CMD="/bin/false" # # Set the following option to '1' if locking is to be used when rkhunter runs. # The lock is set just before logging starts, and is removed when the program # ends. It is used to prevent items such as the log file, and the file # properties file, from becoming corrupted if rkhunter is running more than -# once. The mechanism used is to simply create a lock file in the TMPDIR +# once. The mechanism used is to simply create a lock file in the LOCKDIR # directory. If the lock file already exists, because rkhunter is already # running, then the current process simply loops around sleeping for 10 seconds # and then retrying the lock. A value of '0' means not to use locking. # # The default value is '0'. # -# Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options. +# Also see the LOCKDIR, LOCK_TIMEOUT and SHOW_LOCK_MSGS options. # #USE_LOCKING=0 # +# This option specifies the directory to be used when locking is enabled. +# If the option is unset, then the directory to be used will be worked out +# by rkhunter. In that instance the directories '/run/lock', '/var/lock', +# '/var/run/lock', '/run' and '/var/run' will be checked in turn. If none +# of those can be found, or are not read/writeable, then the TMPDIR directory +# will be used. +# +# To avoid the lock file persisting across a server reboot, the directory +# used should be memory-resident. +# +# This option has no default value. +# +#LOCKDIR="" + +# # If locking is used, then rkhunter may have to wait to get the lock file. # This option sets the total amount of time, in seconds, that rkhunter should # wait. It will retry the lock every 10 seconds, until either it obtains the # lock or the timeout value has been reached. # # The default value is 300 seconds (5 minutes). # #LOCK_TIMEOUT=300 # # If locking is used, then rkhunter may be doing nothing for some time if it # has to wait for the lock. If this option is set to '1', then some simple # messages are echoed to the users screen to let them know that rkhunter is # waiting for the lock. Set this option to '0' if the messages are not to be # displayed. # # The default value is '1'. # #SHOW_LOCK_MSGS=1 @@ -1174,56 +1268,40 @@ WEB_CMD="/bin/false" # list, and will be executed in the order given. # # This option may be specified more than once. # # The default value is 'sys' in order to maintain compatibility with older # versions of 'unhide'. # #UNHIDE_TESTS=sys # # The following option can be used to set options for the 'unhide-tcp' command. # The options are space-separated. # # This option may be specified more than once. # # The default value is the null string. # #UNHIDETCP_OPTS="" # -# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, -# then it is possible to disable the execution of one of the programs if -# desired. By default rkhunter will look for both programs, and execute each -# of them as they are found. If the value of this option is '0', then both -# programs will be executed if they are present. A value of '1' will disable -# execution of the C 'unhide' program, and a value of '2' will disable the Ruby -# 'unhide.rb' program. To disable both programs, then disable the -# 'hidden_procs' test. -# -# The default value is '0'. -# -DISABLE_UNHIDE=1 - -INSTALLDIR=/usr - -# # This option can be set to either '0' or '1'. If set to '1' then the summary, # shown after rkhunter has run, will display the actual number of warnings # found. If it is set to '0', then the summary will simply indicate that # 'One or more' warnings were found. If no warnings were found, and this option # is set to '1', then a "0" will be shown. If the option is set to '0', then # the words 'No warnings' will be shown. # # The default value is '0'. # #SHOW_SUMMARY_WARNINGS_NUMBER=0 # # This option is used to determine where, if anywhere, the summary scan time is # displayed. A value of '0' indicates that it should not be displayed anywhere. # A value of '1' indicates that the time should only appear on the screen, and a # value of '2' that it should only appear in the log file. A value of '3' # indicates that the time taken should appear both on the screen and in the log # file. # # The default value is '3'. @@ -1232,20 +1310,42 @@ INSTALLDIR=/usr # # The two options below may be used to check if a file is missing or empty # (that is, it has a size of zero). The EMPTY_LOGFILES option will also check # if the file is missing, since that can be interpreted as a file of no size. # However, the file will only be reported as missing if the MISSING_LOGFILES # option hasn't already done this. # # Both options are space-separated lists of pathnames, and may be specified # more than once. # # NOTE: Log files are usually 'rotated' by some mechanism. At that time it is # perfectly possible for the file to be either missing or empty. As such these # options may produce false-positive warnings when log files are rotated. # # For both options the default value is the null string. # #EMPTY_LOGFILES="" #MISSING_LOGFILES="" +# +# This option can be set to either '0' or '1'. If set to '1' then the globbing +# characters '**' can be used to allow the recursive checking of directories. +# This can be useful, for example, with the USER_FILEPROP_FILES_DIRS option. +# For example: +# +# USER_FILEPROP_FILES_DIRS=/etc/**/*.conf +# +# This will check all '.conf' files within the '/etc' directory, and any +# sub-directories (at any level). If GLOBSTAR is not set, then the shell will +# interpret '**' as '*' and only one level of sub-directories will be checked. +# +# NOTE: This option is only valid for those shells which support the 'globstar' +# option. Typically this will be 'bash' (version 4 and above) via the 'shopt' command, +# and 'ksh' via the 'set' command. +# +# The default value is '0'. +# +#GLOBSTAR=0 + +INSTALLDIR=/usr + diff --git a/roles/common/files/etc/rsyslog.conf b/roles/common/files/etc/rsyslog.conf index 70e8a77..6340537 100644 --- a/roles/common/files/etc/rsyslog.conf +++ b/roles/common/files/etc/rsyslog.conf @@ -1,24 +1,24 @@ -# /etc/rsyslog.conf Configuration file for rsyslog. +# /etc/rsyslog.conf configuration file for rsyslog # -# For more information see -# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html +# For more information install rsyslog-doc and see +# /usr/share/doc/rsyslog-doc/html/configuration/index.html ################# #### MODULES #### ################# module(load="imuxsock") # provides support for local system logging module(load="imklog") # provides kernel logging support #module(load="immark") # provides --MARK-- message capability # provides UDP syslog reception #module(load="imudp") #input(type="imudp" port="514") # provides TCP syslog reception #module(load="imtcp") #input(type="imtcp" port="514") ########################### @@ -58,41 +58,41 @@ $IncludeConfig /etc/rsyslog.d/*.conf # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.* -/var/log/mail.log mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err /var/log/mail.err # To preserve the privacy of our users, we stop processing relevant log # entries (eg, we don't put them into /var/log/syslog) that are of # severity info and lower. Those lines are put into mail.log and # mail.info for troubleshooting, but those files are rotated frequently. # XXX: we should improve that: we shouldn't log envelopes and IPs unless # the mail is bounced, for instance. if $programname == 'amavis' and $syslogfacility-text == 'mail' and $syslogseverity >= 5 then ~ if ($programname startswith 'postfix-' or $programname == 'dovecot') and $syslogfacility-text == 'mail' and $syslogseverity >= 6 then ~ # -# Some standard log files. Log by facility. +# First some standard log files. Log by facility. # auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log user.* -/var/log/user.log # # Some "catch-all" log files. # *.=debug;\ auth,authpriv.none;\ news.none;mail.none -/var/log/debug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages diff --git a/roles/common/files/etc/strongswan.d/charon.conf b/roles/common/files/etc/strongswan.d/charon.conf index 5ed6452..22479cf 100644 --- a/roles/common/files/etc/strongswan.d/charon.conf +++ b/roles/common/files/etc/strongswan.d/charon.conf @@ -1,51 +1,55 @@ # Options for the charon IKE daemon. charon { # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. # accept_unencrypted_mainmode_messages = no # Maximum number of half-open IKE_SAs for a single peer IP. # block_threshold = 5 - # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should - # be saved under a unique file name derived from the public key of the - # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP + # should be saved under a unique file name derived from the public key of + # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or # /etc/swanctl/x509crl (vici), respectively. # cache_crls = no # Whether relations in validated certificate chains should be cached in # memory. # cert_cache = yes # Send Cisco Unity vendor ID payload (IKEv1 only). # cisco_unity = no # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. # close_ike_on_child_failure = no # Number of half-open IKE_SAs that activate the cookie mechanism. # cookie_threshold = 10 # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). # delete_rekeyed = no + # Delay in seconds until inbound IPsec SAs are deleted after rekeyings + # (IKEv2 only). + # delete_rekeyed_delay = 5 + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic # strength. # dh_exponent_ansi_x9_42 = yes # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal # missing symbols immediately. # dlopen_use_rtld_now = no # DNS server assigned to peer via configuration payload (CP). # dns1 = # DNS server assigned to peer via configuration payload (CP). # dns2 = # Enable Denial of Service protection using cookies and aggressiveness # checks. # dos_protection = yes # Compliance with the errata for RFC 4753. # ecp_x_coordinate_only = yes @@ -147,127 +151,147 @@ charon { # Maximum packet size accepted by charon. # max_packet = 10000 # Enable multiple authentication exchanges (RFC 4739). # multiple_authentication = yes # WINS servers assigned to peer via configuration payload (CP). # nbns1 = # WINS servers assigned to peer via configuration payload (CP). # nbns2 = # UDP port used locally. If set to 0 a random port will be allocated. # port = 500 # UDP port used locally in case of NAT-T. If set to 0 a random port will be # allocated. Has to be different from charon.port, otherwise a random port # will be allocated. # port_nat_t = 4500 + # Whether to prefer updating SAs to the path with the best route. + # prefer_best_path = no + # Prefer locally configured proposals for IKE/IPsec over supplied ones as # responder (disabling this can avoid keying retries due to # INVALID_KE_PAYLOAD notifies). # prefer_configured_proposals = yes # By default public IPv6 addresses are preferred over temporary ones (RFC # 4941), to make connections more stable. Enable this option to reverse # this. # prefer_temporary_addrs = no # Process RTM_NEWROUTE and RTM_DELROUTE events. # process_route = yes # Delay in ms for receiving packets, to simulate larger RTT. # receive_delay = 0 # Delay request messages. # receive_delay_request = yes # Delay response messages. # receive_delay_response = yes # Specific IKEv2 message type to delay, 0 for any. # receive_delay_type = 0 # Size of the AH/ESP replay window, in packets. # replay_window = 32 # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION # in strongswan.conf(5). # retransmit_base = 1.8 + # Maximum jitter in percent to apply randomly to calculated retransmission + # timeout (0 to disable). + # retransmit_jitter = 0 + + # Upper limit in seconds for calculated retransmission timeout (0 to + # disable). + # retransmit_limit = 0 + # Timeout in seconds before sending first retransmit. # retransmit_timeout = 4.0 # Number of times to retransmit a packet before giving up. # retransmit_tries = 5 # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if # DNS resolution failed), 0 to disable retries. # retry_initiate_interval = 0 # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). # reuse_ikesa = yes # Numerical routing table to install routes to. # routing_table = # Priority of the routing table. # routing_table_prio = + # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + # rsa_pss = no + # Delay in ms for sending packets, to simulate larger RTT. # send_delay = 0 # Delay request messages. # send_delay_request = yes # Delay response messages. # send_delay_response = yes # Specific IKEv2 message type to delay, 0 for any. # send_delay_type = 0 # Send strongSwan vendor ID payload # send_vendor_id = no # Whether to enable Signature Authentication as per RFC 7427. # signature_authentication = yes # Whether to enable constraints against IKEv2 signature schemes. # signature_authentication_constraints = yes + # The upper limit for SPIs requested from the kernel for IPsec SAs. + # spi_max = 0xcfffffff + + # The lower limit for SPIs requested from the kernel for IPsec SAs. + # spi_min = 0xc0000000 + # Number of worker threads in charon. # threads = 16 # Name of the user the daemon changes to after startup. # user = crypto_test { # Benchmark crypto algorithms and order them by efficiency. # bench = no # Buffer size used for crypto benchmark. # bench_size = 1024 - # Number of iterations to test each algorithm. + # Time in ms during which crypto algorithm performance is measured. # bench_time = 50 # Test crypto algorithms during registration (requires test vectors # provided by the test-vectors plugin). # on_add = no # Test crypto algorithms on each crypto primitive instantiation. # on_create = no # Strictly require at least one test vector to enable an algorithm. # required = no # Whether to test RNG with TRUE quality; requires a lot of entropy. # rng_true = no } host_resolver { # Maximum number of concurrent resolver threads (they are terminated if diff --git a/roles/common/files/etc/strongswan.d/charon/socket-default.conf b/roles/common/files/etc/strongswan.d/charon/socket-default.conf index 6d4b73d..abf4650 100644 --- a/roles/common/files/etc/strongswan.d/charon/socket-default.conf +++ b/roles/common/files/etc/strongswan.d/charon/socket-default.conf @@ -1,20 +1,23 @@ socket-default { # Firewall mark to set on outbound packets. # fwmark = # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes # Set source address on outbound packets, if possible. # set_source = yes + # Force sending interface on outbound packets, if possible. + # set_sourceif = no + # Listen on IPv4, if possible. # use_ipv4 = yes # Listen on IPv6, if possible. # use_ipv6 = yes } diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service index 792d964..119b3a2 100644 --- a/roles/common/files/etc/systemd/system/bacula-fd.service +++ b/roles/common/files/etc/systemd/system/bacula-fd.service @@ -1,25 +1,25 @@ [Unit] Description=Bacula File Daemon service After=network.target [Service] Type=simple StandardOutput=syslog ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf # Hardening NoNewPrivileges=yes -PrivateDevices=yes ProtectHome=read-only ProtectSystem=strict +ReadWriteDirectories=/var/lib/bacula +RuntimeDirectory=bacula PrivateTmp=yes -ReadWriteDirectories=-/var/lib -ReadWriteDirectories=-/var/run/bacula PrivateDevices=yes ProtectControlGroups=yes ProtectKernelModules=yes ProtectKernelTunables=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +CapabilityBoundingSet=CAP_DAC_READ_SEARCH [Install] WantedBy=multi-user.target diff --git a/roles/common/files/etc/systemd/system/munin-node.service.d/override.conf b/roles/common/files/etc/systemd/system/munin-node.service.d/override.conf new file mode 100644 index 0000000..53747f6 --- /dev/null +++ b/roles/common/files/etc/systemd/system/munin-node.service.d/override.conf @@ -0,0 +1,13 @@ +[Service] + +# Hardening +NoNewPrivileges=yes +ProtectSystem=strict +ReadWriteDirectories=/var/lib/munin-node/plugin-state +ReadWriteDirectories=/var/log/munin +RuntimeDirectory=munin +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +CapabilityBoundingSet=CAP_SETUID CAP_SETGID |