summaryrefslogtreecommitdiffstats
path: root/roles/common
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common')
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/common.local4
-rw-r--r--roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo7
-rw-r--r--roles/common/tasks/logging.yml1
-rw-r--r--roles/common/tasks/rkhunter.yml2
-rw-r--r--roles/common/tasks/sysctl.yml2
5 files changed, 14 insertions, 2 deletions
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common.local b/roles/common/files/etc/logcheck/ignore.d.server/common.local
index 22fe621..331edeb 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/common.local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common.local
@@ -1,6 +1,8 @@
# Ansible Managed
# Do NOT edit this file directly!
#
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit )
# Ansible logs everything into syslog
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-[a-z]+: Invoked
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([a-z]+|<stdin>): Invoked with
diff --git a/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo
new file mode 100644
index 0000000..e474019
--- /dev/null
+++ b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo
@@ -0,0 +1,7 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$
+# ignore sudo with custom ENV
+#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml
index 06f06b0..d25a75e 100644
--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -3,37 +3,38 @@
with_items:
- rsyslog
- syslog-summary
- logcheck
- logcheck-database
- logrotate
- name: Start rsyslog
service: name=rsyslog state=started
tags:
- syslog
- name: Configure logcheck
copy: src=etc/logcheck/{{ item }}
dest=/etc/logcheck/{{ item }}
owner=root group=logcheck
mode=0640
with_items:
- logcheck.conf
- ignore.d.server/common.local
+ - violations.ignore.d/logcheck-sudo
- name: Minimal logging policy (1)
lineinfile: dest=/etc/logrotate.d/rsyslog
regexp="^/var/log/mail.(log|info)$"
state=absent
- name: Minimal logging policy (2)
copy: src=etc/logrotate.d/fripost-mail
dest=/etc/logrotate.d/fripost-mail
owner=root group=root
mode=0644
tags:
- logrotate
# TODO: We also have specialized per-role logcheck rulesets, per-role
# logrotate configuration (/etc/logrotate.d), and per-role rsyslog
# configuration (/etc/rsyslog.d).
diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml
index f6a4d71..78eec90 100644
--- a/roles/common/tasks/rkhunter.yml
+++ b/roles/common/tasks/rkhunter.yml
@@ -1,24 +1,26 @@
- name: Install rkhunter
apt: pkg={{ item }}
with_items:
- rkhunter
- curl
- iproute
- lsof
- unhide
- unhide.rb
+# To test the configuration:
+# ansible all -m command -a '/usr/bin/rkhunter -c --nomow --rwo'
- name: Configure rkhunter
copy: src=etc/{{ item }}
dest=/etc/{{ item }}
owner=root group=root
mode=0644
with_items:
- rkhunter.conf
- default/rkhunter
notify:
# This might not always be necessary, but it's not like we would
# change the config every day...
- Update rkhunter's data file
- meta: flush_handlers
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
index 9adeece..6ac7feb 100644
--- a/roles/common/tasks/sysctl.yml
+++ b/roles/common/tasks/sysctl.yml
@@ -1,21 +1,21 @@
-- sysctl: name={{ item.name }} value={{ item.value }}
+- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes
with_items:
- { name: 'kernel.domainname', value: '{{ ansible_domain }}' }
# Networking. See
# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# Enable Spoof protection (reverse-path filter). Turn on Source
# Address Verification in all interfaces to prevent some spoofing
# attacks.
- { name: 'net.ipv4.conf.default.rp_filter', value: 1 }
- { name: 'net.ipv4.conf.all.rp_filter', value: 1 }
# Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We
# rate-limit not only the default ICMP types 3, 4, 11 and 12
# (0x1818), but also types 0 and 8. See icmp(7).
- { name: 'net.ipv4.tcp_syncookies', value: 1 }
- { name: 'net.ipv4.icmp_ratemask', value: 6425 }
- { name: 'net.ipv4.icmp_ratelimit', value: 1000 }
# Disable paquet forwarding between interfaces (we are not a router).
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-17 23:03:37 +0000