From 203c3ca3d0b3d053827e6ced01cdde85eb0871c5 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 9 Jun 2018 00:31:38 +0200 Subject: Skip samhain installation. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's become too verbose (too many false-positive)… --- roles/common/files/etc/samhain/samhainrc | 711 ------------------------------- roles/common/handlers/main.yml | 3 - roles/common/tasks/main.yml | 2 - roles/common/tasks/samhain.yml | 26 -- 4 files changed, 742 deletions(-) delete mode 100644 roles/common/files/etc/samhain/samhainrc delete mode 100644 roles/common/tasks/samhain.yml diff --git a/roles/common/files/etc/samhain/samhainrc b/roles/common/files/etc/samhain/samhainrc deleted file mode 100644 index 7f304b7..0000000 --- a/roles/common/files/etc/samhain/samhainrc +++ /dev/null @@ -1,711 +0,0 @@ -##################################################################### -# -# Configuration file template for samhain. -# -##################################################################### -# -# -- empty lines and lines starting with '#', ';' or '//' are ignored -# -- boolean options can be Yes/No or True/False or 1/0 -# -- you can PGP clearsign this file -- samhain will check (if compiled -# with support) or otherwise ignore the signature -# -- CHECK mail address -# -# To each log facility, you can assign a threshold severity. Only -# reports with at least the threshold severity will be logged -# to the respective facility (even further below). -# -##################################################################### -# -# SETUP for file system checking: -# -# (i) There are several policies, each has its own section. Put files -# into the section for the appropriate policy (see below). -# (ii) Section [EventSeverity]: -# To each policy, you can assign a severity (further below). -# (iii) Section [Log]: -# To each log facility, you can assign a threshold severity. Only -# reports with at least the threshold severity will be logged -# to the respective facility (even further below). -# -##################################################################### - -##################################################################### -# -# Files are defined with: file = /absolute/path -# -# Directories are defined with: dir = /absolute/path -# or with an optional recursion depth (N <= 99): dir = N/absolute/path -# -# Directory inodes are checked. If you only want to check files -# in a directory, but not the directory inode itself, use (e.g.): -# -# [ReadOnly] -# dir = /some/directory -# [IgnoreAll] -# file = /some/directory -# -# You can use shell-style globbing patterns, like: file = /path/foo* -# -###################################################################### - -[Misc] -## -## Add or subtract tests from the policies -## - if you want to change their definitions, -## you need to do that before using the policies -## -# RedefReadOnly = (no default) -# RedefAttributes=(no default) -# RedefLogFiles=(no default) -# RedefGrowingLogFiles=(no default) -# RedefIgnoreAll=(no default) -# RedefIgnoreNone=(no default) -# RedefUser0=(no default) -# RedefUser1=(no default) -FileNamesAreUTF8 = yes -# Switch off hardlink check for BTRFS -UseHardlinkCheck=no - -[Attributes] -## -## for these files, only changes in permissions and ownership are checked -## -file=/etc/mtab -#file=/etc/ssh_random_seed -#file=/etc/asound.conf -file=/etc/resolv.conf -file=/etc/localtime -#file=/etc/ioctl.save -#file=/etc/passwd.backup -#file=/etc/shadow.backup -#file=/etc/postfix/prng_exch -file=/etc/adjtime -file=/etc/network/run/ifstate -#file=/etc/lvm/.cache -file=/etc/ld.so.cache - -# -# There are files in /etc that might change, thus changing the directory -# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'. -# -file=/etc - -[LogFiles] -## -## for these files, changes in signature, timestamps, and size are ignored -## -file=/var/run/utmp -file=/etc/motd - - - -##################################################################### -# -# This would be the proper syntax for parts that should only be -# included for certain hosts. -# You may enclose anything in a @HOSTNAME/@end bracket, as long as the -# result still has the proper syntax for the config file. -# You may have any number of @HOSTNAME/@end brackets. -# HOSTNAME should be the fully qualified 'official' name -# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. -# No IP number - except if samhain cannot determine the -# fully qualified hostname. -# -# @HOSTNAME -# file=/foo/bar -# @end -# -# These are two examples for conditional inclusion/exclusion -# of a machine based on the output from 'uname -srm' -# -# $Linux:2.*.7:i666 -# file=/foo/bar3 -# $end -# -# !$Linux:2.*.7:i686 -# file=/foo/bar2 -# $end -# -##################################################################### - -[GrowingLogFiles] -## -## for these files, changes in signature, timestamps, and increase in size -## are ignored -## -#file=/var/log/warn -file=/var/log/messages -file=/var/log/wtmp -file=/var/log/faillog -file=/var/log/auth.log -file=/var/log/daemon.log -file=/var/log/user.log -file=/var/log/kern.log -file=/var/log/syslog - - -[IgnoreAll] -## -## for these files, no modifications are reported -## -## This file might be created or removed by the system sometimes. -## -#file=/etc/resolv.conf.pcmcia.save -#file=/etc/nologin -file=/etc/network/run -file=/etc/.etckeeper -dir=-1/etc/.git - - -[IgnoreNone] -## -## for these files, all modifications (even access time) are reported -## - you may create some interesting-looking file (like /etc/safe_passwd), -## just to watch whether someone will access it ... -## - -[Prelink] -## -## Use for prelinked files or directories holding them -## - - -[ReadOnly] -## -## for these files, only access time is ignored -## -dir=/usr/bin -dir=/bin -dir=/boot -# -# SuSE (old) has the boot init scripts in /sbin/init.d/*, -# so we go 3 levels deep -# -dir=3/sbin -dir=/usr/sbin -dir=/lib -# -# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*, -# so we go 3 levels deep there too -# -dir=3/etc - -# Various directories / files that may include / be SUID/SGID binaries -# -# -file=/usr/lib/pt_chown -# X11, in Debian X7 this is now a symlink -#dir=/usr/X11R6/bin -#dir=/usr/X11R6/lib/X11/xmcd/bin -# Apache: -#file=/usr/lib/apache/suexec -#file=/usr/lib/apache/suexec.disabled -# Extra directories: -#dir=/opt/gnome/bin -#dir=/opt/kde/bin - -[User0] -[User1] -## User0 and User1 are sections for files/dirs with user-definable checking -## (see the manual) - - -[EventSeverity] -## -## Here you can assign severities to policy violations. -## If this severity exceeds the treshold of a log facility (see below), -## a policy violation will be logged to that facility. -## -## Severity for verification failures. -## -# SeverityReadOnly=crit -# SeverityLogFiles=crit -# SeverityGrowingLogs=crit -# SeverityIgnoreNone=crit -# SeverityAttributes=crit -# SeverityUser0=crit -# SeverityUser1=crit - -# Default behaviour -SeverityReadOnly=crit -SeverityLogFiles=crit -SeverityGrowingLogs=warn -SeverityIgnoreNone=crit -SeverityAttributes=crit - - -## -## We have a file in IgnoreAll that might or might not be present. -## Setting the severity to 'info' prevents messages about deleted/new file. -## -# SeverityIgnoreAll=crit -SeverityIgnoreAll=info - -## Files : file access problems -# SeverityFiles=crit - -## Dirs : directory access problems -# SeverityDirs=crit - -## Names : suspect (non-printable) characters in a pathname -# SeverityNames=crit - -# Default behaviour -SeverityFiles=crit -SeverityDirs=crit -SeverityNames=warn - - -[Log] -## -## Switch on/OFF log facilities and set their threshold severity -## -## Values: debug, info, notice, warn, mark, err, crit, alert, none. -## 'mark' is used for timestamps. -## -## -## Use 'none' to SWITCH OFF a log facility -## -## By default, everything equal to and above the threshold is logged. -## The specifiers '*', '!', and '=' are interpreted as -## 'all', 'all but', and 'only', respectively (like syslogd(8) does, -## at least on Linux). Examples: -## MailSeverity=* -## MailSeverity=!warn -## MailSeverity==crit - -## E-mail -## -MailSeverity=crit - -## Console -## -PrintSeverity=none - -## Logfile -## -LogSeverity=warn - -## Syslog -## -SyslogSeverity=alert - -## Remote server (yule) -## -# ExportSeverity=none - -## External script or program -## -# ExternalSeverity = none - -## Logging to a database -## -# DatabaseSeverity = none - - - - - -##################################################### -# -# Optional modules -# -##################################################### - -# [SuidCheck] -## -## --- Check the filesystem for SUID/SGID binaries -## - -## Switch on -# -# SuidCheckActive = yes - -## Interval for check (seconds) -# -# SuidCheckInterval = 7200 - -## Alternative: crontab-like schedule -# -# SuidCheckSchedule = NULL - -## Directory to exclude -# -# SuidCheckExclude = NULL - -## Limit on files per second (0 == no limit) -# -# SuidCheckFps = 0 - -## Alternative: yield after every file -# -# SuidCheckYield = no - -## Severity of a detection -# -# SeveritySuidCheck = crit - -## Quarantine SUID/SGID files if found -# -# SuidCheckQuarantineFiles = yes - -## Method for Quarantining files: -# 0 - Delete or truncate the file. -# 1 - Remove SUID/SGID permissions from file. -# 2 - Move SUID/SGID file to quarantine dir. -# -# SuidCheckQuarantineMethod = 0 - -## For method 1 and 3, really delete instead of truncating -# -# SuidCheckQuarantineDelete = yes - -# [Kernel] -## -## --- Check for loadable kernel module rootkits (Linux/FreeBSD only) -## - -## Switch on/off -# -# KernelCheckActive = True - -## Check interval (seconds); btw., the check is VERY fast -# -# KernelCheckInterval = 300 - -## Severity -# -# SeverityKernel = crit - - -# [Utmp] -## -## --- Logging of login/logout events -## - -## Switch on/off -# -# LoginCheckActive = True - -## Severity for logins, multiple logins, logouts -# -# SeverityLogin=info -# SeverityLoginMulti=warn -# SeverityLogout=info - -## Interval for login/logout checks -# -# LoginCheckInterval = 300 - - -# [Database] -## -## --- Logging to a relational database -## - -## Database name -# -# SetDBName = samhain - -## Database table -# -# SetDBTable = log - -## Database user -# -# SetDBUser = samhain - -## Database password -# -# SetDBPassword = (default: none) - -## Database host -# -# SetDBHost = localhost - -## Log the server timestamp for received messages -# -# SetDBServerTstamp = True - -## Use a persistent connection -# -# UsePersistent = True - -# [External] -## -## Interface to call external scripts/programs for logging -## - -## The absolute path to the command -## - Each invocation of this directive will end the definition of the -## preceding command, and start the definition of -## an additional, new command -# -# OpenCommand = (no default) - -## Type (log or rv) -## - log for log messages, srv for messages received by the server -# -# SetType = log - -## The command (full command line) to execute -# -# SetCommandLine = (no default) - -## The environment (KEY=value; repeat for more) -# -# SetEnviron = TZ=(your timezone) - -## The TIGER192 checksum (optional) -# -# SetChecksum = (no default) - -## User who runs the command -# -# SetCredentials = (default: samhain process uid) - -## Words not allowed in message -# -# SetFilterNot = (none) - -## Words required (ALL of them) -# -# SetFilterAnd = (none) - -## Words required (at least one) -# -# SetFilterOr = (none) - -## Deadtime between consecutive calls -# -# SetDeadtime = 0 - -## Add default environment (HOME, PATH, SHELL) -# -# SetDefault = no - - -##################################################### -# -# Miscellaneous configuration options -# -##################################################### - -[Misc] - -## whether to become a daemon process -## (this is not honoured on database initialisation) -# -# Daemon = no -Daemon = yes - -## whether to test signature of files (init/check/none) -## - if 'none', then we have to decide this on the command line - -# -# ChecksumTest = none -ChecksumTest=check - -## whether to drop linux capabilities that are not required -## - will make a root process a 'mere mortal' in many respects -# -# UseCaps = yes - -## Set nice level (-19 to 19, see 'man nice'), -## and I/O limit (kilobytes per second; 0 == off) -## to reduce load on host. -# -SetNiceLevel = 19 -# SetIOLimit = 0 - -## The version string to embed in file signature databases -# -# VersionString = NULL - -## Interval between time stamp messages -# -# SetLoopTime = 60 -SetLoopTime = 21600 - -## Interval between file checks -# -# SetFileCheckTime = 600 -SetFileCheckTime = 7200 - -## Alternative: crontab-like schedule -# -# FileCheckScheduleOne = NULL - -## Alternative: crontab-like schedule(2) -# -# FileCheckScheduleTwo = NULL - -## Report only once on modified fles -## Setting this to 'FALSE' will generate a report for any policy -## violation (old and new ones) each time the daemon checks the file system. -# -# ReportOnlyOnce = True - -## Report in full detail -# -# ReportFullDetail = False - -## Report file timestamps in local time rather than GMT -# -# UseLocalTime = No - -## The console device (can also be a file or named pipe) -## - There are two console devices. Accordingly, you can use -## this directive a second time to set the second console device. -## If you have not defined the second device at compile time, -## and you don't want to use it, then: -## setting it to /dev/null is less effective than just leaving -## it alone (setting to /dev/null will waste time by opening -## /dev/null and writing to it) -# -# SetConsole = /dev/console - -## Activate the SysV IPC message queue -# -# MessageQueueActive = False - - -## If false, skip reverse lookup when connecting to a host known -## by name rather than IP address (i.e. trust the DNS) -# -# SetReverseLookup = True - -## --- E-Mail --- - -# Only highest-level (alert) reports will be mailed immediately, -# others will be queued. Here you can define, when the queue will -# be flushed (Note: the queue is automatically flushed after -# completing a file check). -# -SetMailTime = 86400 - -## Maximum number of mails to queue -# -SetMailNum = 10 - -## Recipient (max. 8) -# -SetMailAddress = admin@fripost.org - -## Mail relay (IP address) -# -# XXX: it's unfortunate that samhain cannot use the sendmail binary. We -# use a custom port here to avoid conflicts with the usual SMTP port the -# MX:es need to listen on. -# See also: /usr/share/doc/samhain/TODO.Debian -SetMailRelay = 127.0.0.1 -SetMailPort = 16132 - -## Custom subject format -# -MailSubject = [Samhain at %H] %T: %S - -## --- end E-Mail --- - -## Path to the prelink executable -# -# SetPrelinkPath = /usr/sbin/prelink - -## TIGER192 checksum of the prelink executable -# -# SetPrelinkChecksum = (no default) - - -## Path to the executable. If set, will be checksummed after startup -## and before exit. -# -# SamhainPath = (no default) - - -## The IP address of the log server -# -# SetLogServer = (default: compiled-in) - -## The IP address of the time server -# -# SetTimeServer = (default: compiled-in) - -## Trusted Users (comma delimited list of user names) -# -# TrustedUser = (no default; this adds to the compiled-in list) - -## Path to the file signature database -# -# SetDatabasePath = (default: compiled-in) - -## Path to the log file -# -# SetLogfilePath = (default: compiled-in) - -## Path to the PID file -# -# SetLockPath = (default: compiled-in) - - -## The digest/checksum/hash algorithm -# -# DigestAlgo = TIGER192 - - -## Custom format for message header. -## CAREFUL if you use XML logfile format. -## -## %S severity -## %T timestamp -## %C class -## -## %F source file -## %L source line -# -# MessageHeader="%S %T " - - -## Don't log path to config/database file on startup -# -# HideSetup = False - -## The syslog facility, if you log to syslog -# -# SyslogFacility = LOG_AUTHPRIV -SyslogFacility=LOG_LOCAL2 - -## The message authentication method -## - If you change this, you *must* change it -## on client *and* server -# -# MACType = HMAC-TIGER - - -## everything below is ignored -[EOF] - -##################################################################### -# This would be the proper syntax for parts that should only be -# included for certain hosts. -# You may enclose anything in a @HOSTNAME/@end bracket, as long as the -# result still has the proper syntax for the config file. -# You may have any number of @HOSTNAME/@end brackets. -# HOSTNAME should be the fully qualified 'official' name -# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. -# No IP number - except if samhain cannot determine the -# fully qualified hostname. -# -# @HOSTNAME -# file=/foo/bar -# @end -# -# These are two examples for conditional inclusion/exclusion -# of a machine based on the output from 'uname -srm' -# $Linux:2.*.7:i666 -# file=/foo/bar3 -# $end -# -# !$Linux:2.*.7:i686 -# file=/foo/bar2 -# $end -# -##################################################################### diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 73877f8..36f744e 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -11,9 +11,6 @@ - name: apt-get update apt: update_cache=yes -- name: Reload samhain - service: name=samhain state=reloaded - - name: Update rkhunter's data file command: /usr/bin/rkhunter --propupd diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index b3ed8a0..c978e91 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -16,8 +16,6 @@ - import_tasks: stunnel.yml tags: stunnel when: "'webmail' in group_names and 'LDAP-provider' not in group_names" -- import_tasks: samhain.yml - tags: samhain - import_tasks: auditd.yml tags: auditd - import_tasks: rkhunter.yml diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml deleted file mode 100644 index dd5c09b..0000000 --- a/roles/common/tasks/samhain.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: Install samhain - apt: pkg=samhain - # XXX: Doesn't work out of the box, see #660197. - # Every once in a while, or after a major upgrade, you may want to - # update Samhain's database: - # - # sudo samhain -t update --foreground -l none - # - # To update the database interactively, without sending mails: - # - # sudo samhain -t update --interactive -l none -m none - -- name: Configure samhain - copy: src=etc/samhain/samhainrc - dest=/etc/samhain/samhainrc - owner=root group=root - mode=0644 - notify: - - Reload samhain - -- name: Start samhain - # This task is inconditional because samhain is reloaded not - # restarted. - service: name=samhain state=started - -- meta: flush_handlers -- cgit v1.2.3