diff options
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/common/files/etc/logcheck/ignore.d.server/common.local | 4 | ||||
| -rw-r--r-- | roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo | 7 | ||||
| -rw-r--r-- | roles/common/tasks/logging.yml | 1 | ||||
| -rw-r--r-- | roles/common/tasks/rkhunter.yml | 2 | ||||
| -rw-r--r-- | roles/common/tasks/sysctl.yml | 2 |
5 files changed, 14 insertions, 2 deletions
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common.local b/roles/common/files/etc/logcheck/ignore.d.server/common.local index 22fe621..331edeb 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/common.local +++ b/roles/common/files/etc/logcheck/ignore.d.server/common.local @@ -1,6 +1,8 @@ # Ansible Managed # Do NOT edit this file directly! # +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ) # Ansible logs everything into syslog -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-[a-z]+: Invoked +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([a-z]+|<stdin>): Invoked with diff --git a/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo new file mode 100644 index 0000000..e474019 --- /dev/null +++ b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo @@ -0,0 +1,7 @@ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$ +# ignore sudo with custom ENV +#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$ diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml index 06f06b0..d25a75e 100644 --- a/roles/common/tasks/logging.yml +++ b/roles/common/tasks/logging.yml @@ -3,37 +3,38 @@ with_items: - rsyslog - syslog-summary - logcheck - logcheck-database - logrotate - name: Start rsyslog service: name=rsyslog state=started tags: - syslog - name: Configure logcheck copy: src=etc/logcheck/{{ item }} dest=/etc/logcheck/{{ item }} owner=root group=logcheck mode=0640 with_items: - logcheck.conf - ignore.d.server/common.local + - violations.ignore.d/logcheck-sudo - name: Minimal logging policy (1) lineinfile: dest=/etc/logrotate.d/rsyslog regexp="^/var/log/mail.(log|info)$" state=absent - name: Minimal logging policy (2) copy: src=etc/logrotate.d/fripost-mail dest=/etc/logrotate.d/fripost-mail owner=root group=root mode=0644 tags: - logrotate # TODO: We also have specialized per-role logcheck rulesets, per-role # logrotate configuration (/etc/logrotate.d), and per-role rsyslog # configuration (/etc/rsyslog.d). diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml index f6a4d71..78eec90 100644 --- a/roles/common/tasks/rkhunter.yml +++ b/roles/common/tasks/rkhunter.yml @@ -1,24 +1,26 @@ - name: Install rkhunter apt: pkg={{ item }} with_items: - rkhunter - curl - iproute - lsof - unhide - unhide.rb +# To test the configuration: +# ansible all -m command -a '/usr/bin/rkhunter -c --nomow --rwo' - name: Configure rkhunter copy: src=etc/{{ item }} dest=/etc/{{ item }} owner=root group=root mode=0644 with_items: - rkhunter.conf - default/rkhunter notify: # This might not always be necessary, but it's not like we would # change the config every day... - Update rkhunter's data file - meta: flush_handlers diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml index 9adeece..6ac7feb 100644 --- a/roles/common/tasks/sysctl.yml +++ b/roles/common/tasks/sysctl.yml @@ -1,21 +1,21 @@ -- sysctl: name={{ item.name }} value={{ item.value }} +- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes with_items: - { name: 'kernel.domainname', value: '{{ ansible_domain }}' } # Networking. See # https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt # Enable Spoof protection (reverse-path filter). Turn on Source # Address Verification in all interfaces to prevent some spoofing # attacks. - { name: 'net.ipv4.conf.default.rp_filter', value: 1 } - { name: 'net.ipv4.conf.all.rp_filter', value: 1 } # Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We # rate-limit not only the default ICMP types 3, 4, 11 and 12 # (0x1818), but also types 0 and 8. See icmp(7). - { name: 'net.ipv4.tcp_syncookies', value: 1 } - { name: 'net.ipv4.icmp_ratemask', value: 6425 } - { name: 'net.ipv4.icmp_ratelimit', value: 1000 } # Disable paquet forwarding between interfaces (we are not a router). |