From 1387b69c898cb93fd0343603f92670b40b88eb04 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 1 Dec 2013 16:35:46 +0100
Subject: Use a dedicated SMTP port for samhain.

It's unfortunate that samhain cannot use the sendmail binary, and wants to use a inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on.

See also: /usr/share/doc/samhain/TODO.Debian
---
 roles/common/files/etc/postfix/master.cf | 1 +
 roles/common/files/etc/samhain/samhainrc | 11 ++++++++---
 roles/common/tasks/samhain.yml | 16 +++++++++-------
 roles/common/templates/etc/postfix/main.cf.j2 | 4 ++++
 4 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index dd49d31..d9722ef 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -33,3 +33,4 @@ virtual unix - n n - - virtual
 lmtp unix - - - - - lmtp
 anvil unix - - - - 1 anvil
 scache unix - - - - 1 scache
+16132 inet n - - - - smtpd
diff --git a/roles/common/files/etc/samhain/samhainrc b/roles/common/files/etc/samhain/samhainrc
index 200cdc6..1fd9d42 100644
--- a/roles/common/files/etc/samhain/samhainrc
+++ b/roles/common/files/etc/samhain/samhainrc
@@ -512,7 +512,7 @@ ChecksumTest=check
 ## and I/O limit (kilobytes per second; 0 == off)
 ## to reduce load on host.
 #
-# SetNiceLevel = 0
+SetNiceLevel = 19
 # SetIOLimit = 0
 ## The version string to embed in file signature databases
@@ -522,7 +522,7 @@ ChecksumTest=check
 ## Interval between time stamp messages
 #
 # SetLoopTime = 60
-SetLoopTime = 600
+SetLoopTime = 21600
 ## Interval between file checks
 #
@@ -541,7 +541,7 @@ SetFileCheckTime = 7200
 ## Setting this to 'FALSE' will generate a report for any policy
 ## violation (old and new ones) each time the daemon checks the file system.
 #
-# ReportOnlyOnce = True
+ReportOnlyOnce = True
 ## Report in full detail
 #
@@ -591,7 +591,12 @@ SetMailAddress = admin@fripost.org
 ## Mail relay (IP address)
 #
+# XXX: it's unfortunate that samhain cannot use the sendmail binary. We
+# use a custom port here to avoid conflicts with the usual SMTP port the
+# MX:es need to listen on.
+# See also: /usr/share/doc/samhain/TODO.Debian
 SetMailRelay = 127.0.0.1
+SetMailPort = 16132
 ## Custom subject format
 #
diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml
index 768ceb6..0d911a5 100644
--- a/roles/common/tasks/samhain.yml
+++ b/roles/common/tasks/samhain.yml
@@ -1,12 +1,14 @@
 - name: Install samhain
- apt: pkg=samhain
+ apt: pkg={{ item }}
+ with_items:
+ - samhain
+ - auditd # XXX: Doesn't work out of the box, see #660197.
- # If this is the first installation, you may want to start with a fresh database
- # sudo service samhain stop
- # sudo rm /var/state/samhain/samhain_file
- # sudo samhain -t init -p warn
- # sudo service samhain start
- # sudo samhain -t update -l none
+ # Every once in a while, or after a major upgrade, you may want to
+ # update Samhain's database (to avoid being flooded at the next
+ # reboot):
+ #
+ # sudo samhain -t update --foreground -m none
 - name: Configure samhain
 copy: src=etc/samhain/samhainrc
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 3169ac6..0922b49 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -43,6 +43,10 @@ relayhost = [outgoing.fripost.org]:2525
 smtpd_tls_security_level = none
 smtp_tls_security_level = none
+# Turn off all TCP/IP listener ports except that dedicated to
+# samhain(8), which sadly cannot use pickup through the sendmail binary.
+master_service_disable = !16132.inet inet
+
 {% set multi_instance = False %}
 {%- for g in postfix_instance.keys() | sort -%}
 {%- if g in group_names -%}
-- cgit v1.2.3
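Review bot: The new `16132 inet n - - - - smtpd` entry in the master.cf hunk carries no bind address, so this extra smtpd comes up on every address covered by Postfix's inet_interfaces (not visible here) rather than only on the loopback that samhainrc's `SetMailRelay = 127.0.0.1` will talk to. Binding it explicitly keeps the listener off the network: `127.0.0.1:16132 inet n - - - - smtpd`. If exposing it on other interfaces is deliberate, the entry should at least carry `-o` overrides that restrict clients to mynetworks, and in either case a one-line comment above it saying the port is reserved for samhain(8) would help whoever edits master.cf next.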
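Review bot: Enabling `ReportOnlyOnce = True` in the -541 hunk means a policy violation is mailed a single time, as the context lines above it explain for the FALSE case; together with the longer `SetLoopTime = 21600` from the -522 hunk, an alert lost while the loopback relay on port 16132 is unavailable is not repeated at the next file check. That trade-off deserves a comment next to the setting, e.g. `# Report each violation once only: a lost alert mail is not resent, so the local relay on port 16132 must stay healthy.`, or reconsider leaving the default on hosts where that relay is not itself monitored.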
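Review bot: `auditd` is added to the package list with a comment saying it does not work out of the box (see #660197), but nothing in this hunk configures or enables it, and the rest of the file lies outside the hunk, so as far as this change shows the daemon is installed with whatever rules the package ships. The comment should state what auditd is expected to provide here (presumably audit records for samhain's file checks — confirm) and what is still missing, e.g. `# XXX: Doesn't work out of the box, see #660197; installed so samhain can look up audit records for changed files once that is fixed.`. A follow-up task that deploys a rule set, or a condition that skips the package until it is usable, would make the intent explicit.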
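Review bot: `master_service_disable = !16132.inet inet` in the main.cf.j2 hunk turns off every other inet service of this instance, including the port-25 smtpd, and the port number is repeated as a literal in master.cf, in samhainrc (`SetMailPort = 16132`) and here with nothing tying the three together. Presumably the MX:es get their port-25 listener from the per-instance configuration that the `postfix_instance` loop below selects — confirm, since this block sits above that loop and the loop body is outside the hunk. A comment naming the other two files, e.g. `# 16132 must match the inet entry in master.cf and SetMailPort in samhainrc.`, or a single role variable rendered into all three places, would keep them from drifting apart.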