From 2495327985da791891b579bd05b3cda1f41dfda7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 3 Dec 2018 03:04:22 +0100 Subject: Upgrade baseline to Debian Stretch. --- .../files/etc/nginx/sites-available/default | 4 +- .../files/etc/nginx/snippets/fastcgi-php-ssl.conf | 10 +-- .../files/etc/nginx/snippets/fastcgi-php.conf | 12 +-- .../files/etc/nginx/snippets/fastcgi.conf | 3 +- roles/common-web/files/etc/nginx/snippets/ssl.conf | 2 +- roles/common-web/tasks/main.yml | 4 +- .../files/etc/apt/apt.conf.d/50unattended-upgrades | 12 ++- roles/common/files/etc/default/rkhunter | 6 +- .../etc/logcheck/ignore.d.server/common-local | 43 ++++++++--- .../etc/logcheck/ignore.d.server/postfix-local | 6 +- .../etc/logcheck/ignore.d.server/strongswan-local | 8 +- roles/common/files/etc/rkhunter.conf | 22 +++--- roles/common/files/etc/rsyslog.conf | 49 ++---------- roles/common/files/etc/strongswan.d/charon.conf | 53 +++++++++++-- .../common/files/usr/local/sbin/update-firewall.sh | 86 +++++++++++----------- roles/common/tasks/mail.yml | 2 +- roles/common/templates/etc/apt/preferences.j2 | 8 +- roles/common/templates/etc/apt/sources.list.j2 | 8 +- .../etc/munin/plugin-conf.d/munin-node.j2 | 1 + roles/common/templates/etc/postfix/main.cf.j2 | 9 ++- roles/common/templates/etc/postfix/master.cf.j2 | 42 +++++------ roles/lacme/handlers/main.yml | 2 - roles/lacme/tasks/main.yml | 20 ++--- 23 files changed, 217 insertions(+), 195 deletions(-) delete mode 100644 roles/lacme/handlers/main.yml diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default index 6cbea18..63c7910 100644 --- a/roles/common-web/files/etc/nginx/sites-available/default +++ b/roles/common-web/files/etc/nginx/sites-available/default @@ -1,6 +1,6 @@ server { - listen 80 default_server; - listen [::]:80 default_server; + listen 80 default_server; + listen [::]:80 default_server; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log info; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf index ebf3aa0..aa82ca6 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php-ssl.conf @@ -3,8 +3,8 @@ include snippets/fastcgi-php.conf; -fastcgi_param HTTPS on; -fastcgi_param SSL_PROTOCOL $ssl_protocol; -fastcgi_param SSL_CIPHER $ssl_cipher; -fastcgi_param SSL_SESSION_ID $ssl_session_id; -fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify; +fastcgi_param HTTPS on; +fastcgi_param SSL_PROTOCOL $ssl_protocol; +fastcgi_param SSL_CIPHER $ssl_cipher; +fastcgi_param SSL_SESSION_ID $ssl_session_id; +fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf index 5823909..9668bb8 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf @@ -1,10 +1,10 @@ # cf. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP -try_files $uri $uri/ =404; +try_files $fastcgi_script_name =404; -include snippets/fastcgi.conf; +include snippets/fastcgi.conf; # required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; +fastcgi_param REDIRECT_STATUS 200; -fastcgi_intercept_errors on; -fastcgi_read_timeout 14400; -fastcgi_pass unix:/var/run/php5-fpm.sock; +fastcgi_intercept_errors on; +fastcgi_read_timeout 14400; +fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf index 80132ec..ee058da 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi.conf @@ -6,6 +6,7 @@ fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; +fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; @@ -20,4 +21,4 @@ fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; -fastcgi_param HTTPS $https; +fastcgi_param HTTPS $https if_not_empty; diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf index 09082e7..d3ccd9e 100644 --- a/roles/common-web/files/etc/nginx/snippets/ssl.conf +++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf @@ -1,5 +1,5 @@ # https://wiki.mozilla.org/Security/Server_Side_TLS -# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate +# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0j&hsts=yes&profile=intermediate # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate # ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lacme/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml index 02b7134..e2eb3ee 100644 --- a/roles/common-web/tasks/main.yml +++ b/roles/common-web/tasks/main.yml @@ -1,10 +1,10 @@ - name: Install Nginx - apt: pkg=nginx + apt: pkg=nginx-light - name: Limit Nginx logging lineinfile: "dest=/etc/logrotate.d/nginx create=yes regexp='^\\s*rotate\\s' - line='\trotate 1'" + line='\trotate 7'" tags: - logrotate diff --git a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades index c9adc5f..86c6508 100644 --- a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades +++ b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades @@ -7,7 +7,7 @@ // keywords are wild cards.) The keywords originate from the Release // file, but several aliases are accepted. The accepted keywords are: // a,archive,suite (eg, "stable") -// c,component (eg, "main", "crontrib", "non-free") +// c,component (eg, "main", "contrib", "non-free") // l,label (eg, "Debian", "Debian-Security") // o,origin (eg, "Debian", "Unofficial Multimedia Packages") // n,codename (eg, "jessie", "jessie-updates") @@ -36,7 +36,6 @@ Unattended-Upgrade::Origins-Pattern { // "o=Debian,a=stable"; // "o=Debian,a=stable-updates"; // "o=Debian,a=proposed-updates"; - "origin=Debian,codename=${distro_codename}"; "origin=Debian,codename=${distro_codename},label=Debian-Security"; }; @@ -83,6 +82,9 @@ Unattended-Upgrade::Mail "admin@fripost.org"; // the file /var/run/reboot-required is found after the upgrade //Unattended-Upgrade::Automatic-Reboot "false"; +// Automatically reboot even if there are users currently logged in. +//Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; + // If automatic reboot is enabled and needed, reboot at the specific // time instead of immediately // Default: "now" @@ -91,3 +93,9 @@ Unattended-Upgrade::Mail "admin@fripost.org"; // Use apt bandwidth limit feature, this example limits the download // speed to 256kb/sec Acquire::http::Dl-Limit "256"; + +// Enable logging to syslog. Default is False +// Unattended-Upgrade::SyslogEnable "false"; + +// Specify syslog facility. Default is daemon +// Unattended-Upgrade::SyslogFacility "daemon"; diff --git a/roles/common/files/etc/default/rkhunter b/roles/common/files/etc/default/rkhunter index da59a73..2e7fae7 100644 --- a/roles/common/files/etc/default/rkhunter +++ b/roles/common/files/etc/default/rkhunter @@ -5,11 +5,11 @@ # # Set this to yes to enable rkhunter daily runs -# (default: true) +# (default: false) CRON_DAILY_RUN="yes" # Set this to yes to enable rkhunter weekly database updates -# (default: true) +# (default: false) CRON_DB_UPDATE="yes" # Set this to yes to enable reports of weekly database updates @@ -31,4 +31,4 @@ NICE="10" # Should daily check be run when running on battery # powermgmt-base is required to detect if running on battery or on AC power # (default: false) -RUN_CHECK_ON_BATTERY="false" +RUN_CHECK_ON_BATTERY="false" diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local index 3d5e158..6210cc1 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/common-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local @@ -5,36 +5,55 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [-_.[:alnum:]]+ not allowed because account is locked$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: (Connection reset by peer|Connection timed out) \[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+: (3|11|14): .* \[preauth\]$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Protocol major versions differ for [:.[:xdigit:]]+: SSH-2\.0-OpenSSH_ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \(\S+\) -> (\(\S+\) )?\[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for invalid user [-_.[:alnum:]]+ from [:.[:xdigit:]]+ port [[:digit:]]+ ssh2? \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [0-9]+:(3|11|14): .* \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (Disconnected from|Connection (closed|reset) by) [[:xdigit:].:]{3,39} port [0-9]+ \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (Did not receive identification string|Invalid user .*) from [[:xdigit:].:]{3,39} port [0-9]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user .* from [:.[:xdigit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user .* \[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: userauth_pubkey: unsupported public key algorithm: [[:alnum:]-]+ \[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: (Connection (timed out|reset by peer)|Broken pipe) \[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: (no hostkey alg|Unable to negotiate a key exchange method) \[preauth\]$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* \[preauth\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Unable to negotiate with [:.[:xdigit:]]+ port [[:digit:]]+: no matching (host key type|key exchange method|cipher) found\. Their offer: [@.[:alnum:],-]+ \[preauth\]$ +no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* \[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '.*' from [:.[:xdigit:]]+ port [[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?(: (DSA|RSA|ECDSA|ED25519) ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: WARNING: no suitable primes in /etc/ssh/primes$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: dispatch_protocol_error: type [0-9]+ seq [0-9]+ \[preauth\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Cleanup of Temporary Directories\.(\.\.)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ slapd\[[[:digit:]]+\]: connection_input: conn=[[:digit:]]+ deferring operation: binding$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (slapd\[[[:digit:]]+\]|slap(acl|add|auth|cat|dn|index)|ldap(add|compare|delete|exop|modify|modrdn|passwd|search|url|whoami)): DIGEST-MD5 common mech free$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Created|Removed) slice User Slice of [-[:alnum:]]+\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: (Listening on|Closed) .*\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Cleanup of Temporary Directories\.(\.\.)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Session [0-9]+ of user [-[:alnum:]]+\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Startup finished in \S+\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [-[:alnum:]]+( by \(uid=0\))?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ runuser: pam_unix\(runuser:session\): session (opened|closed) for user [-[:alnum:]]+( by \(uid=0\))?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Session [0-9]+ of user [-[:alnum:]]+\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: Received SIGRTMIN\+24 from PID [0-9]+ \(kill\)\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: New session c?[0-9]+ of user [-[:alnum:]]+\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[0-9]+\]: Removed session c?[0-9]+\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: apt-daily(-upgrade)?\.timer: Adding .* random time\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ) -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: bytecode\.(cld|cvd) (is up to date|updated) \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: [._[:alnum:]-]+\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Your ClamAV installation is OUTDATED!$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Local version: [[:digit:]]+(\.[[:digit:]]+)* Recommended version: [[:digit:]]+(\.[[:digit:]]+)*$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> (bytecode|main|daily)\.(cld|cvd) (is up to date|updated) \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: [._[:alnum:]-]+\)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Received signal: wake up$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> ClamAV update process started at \w{3} \w{3} [ :[:digit:]]{16}$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (\w{3} \w{3} [ :[:digit:]]{16} -> \^|WARNING: )Your ClamAV installation is OUTDATED!$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (\w{3} \w{3} [ :[:digit:]]{16} -> \^|WARNING: )Local version: [[:digit:]]+(\.[[:digit:]]+)* Recommended version: [[:digit:]]+(\.[[:digit:]]+)*$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: getfile: [._[:alnum:]-]+ not found on remote server \(IP: [.[:digit:]]+\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Incremental update failed, trying to download daily\.cvd$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (WARNING|ERROR): (getpatch: )?Can't download [._[:alnum:]-]+ from [.[:alnum:]-]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Trying host [.[:alnum:]-]+ \([.[:digit:]]+\)\.\.\.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Trying again in [[:digit:]]+ secs\.\.\.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Giving up on [.[:alnum:]-]+\.\.\.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Downloading [._[:alnum:]-]+ \[[[:digit:]]+%\]$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: DON'T PANIC! Read http://www\.clamav\.net/(support/faq|documents/upgrading-clamav)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Downloading [._[:alnum:]-]+ \[[[:digit:]]+%\]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> DON'T PANIC! Read https?://www\.clamav\.net/(support/faq|documents/upgrading-clamav)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Database updated \([0-9]+ signatures\) from .* \(IP: [[:xdigit:].:]{3,39}\)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Clamd successfully notified about the update\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Reading databases from /var/lib/clamav$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> SelfCheck: Database status OK\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamd\[[[:digit:]]+\]: \w{3} \w{3} [ :[:digit:]]{16} -> Database correctly reloaded \([0-9]+ signatures\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+ *\] Peer [.[:digit:]]+:[[:digit:]]+/[[:digit:]]+ unexpectedly shrunk window [[:digit:]]+:[[:digit:]]+ \(repaired\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[.[:digit:]]+" x-pid="[[:digit:]]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd-?([[:digit:]]+): action '[^']+' (resumed \(module '[.[:alnum:]-]+:[.[:alnum:]-]+'\)|suspended, next retry is \w{3} \w{3} [ :[:digit:]]{16}) \[try http://www\.rsyslog\.com/e/\1 \]$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ liblogging-stdlog: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www\.rsyslog\.com"\] rsyslogd was HUPed$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z0-9]+|): Invoked with ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (sympa\((command|distribute)\)|wwsympa|archived|bounced|bulk|task_manager)\[[[:digit:]]+\]: (info|notice)\s ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa\(command\)\[[[:digit:]]+\]: err tools::valid_email\(\) Invalid email address 'MAILER-DAEMON'$ diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local index e32fce6..df5e158 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local @@ -19,9 +19,8 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: message-id=(<[^>]*>|[[:alnum:]_/+.$@-]+)( \(added by [^[:space:]]+\))? ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: removed$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: skipped, still being delivered$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: close database /var/lib/postfix\1/verify_cache\.db: No such file or directory \(possible Berkeley DB bug\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: cache btree:/var/lib/postfix\1/verify_cache full cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: cache \S+A partial cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/smtpd\[[[:digit:]]+\]: disconnect from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]( (ehlo|helo|xforward|starttls|auth|mail|rcpt|data|noop|rset|quit|commands|unknown)=[0-9]+(/[0-9]+)?)+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/pickup\[[[:digit:]]+\]: [[:xdigit:]]+: uid=[[:digit:]]+ from=<[^>]*>$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/cleanup\[[[:digit:]]+\]: [[:xdigit:]]+: replace: header\s ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+(, sasl_sender=[-_.@[:alnum:]]+)?$ @@ -32,7 +31,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} <[^>]+>: Helo command rejected: need fully-qualified hostname;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 4[[:digit:]]{2} 4(\.[[:digit:]]){2} <[^>]+>: Sender address rejected: Domain not found;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} Service unavailable; (Unverified Client host|Sender address) \[\S+\] blocked using [._[:alnum:]-]+; https?://[^[:blank:];]+; from=<[^>]*> to=<[^>]+> proto=E?SMTP( helo=<[^>]+>)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[([[:xdigit:].:]{3,39})\]: 4[[:digit:]]{2} 4(\.[[:digit:]]){2} Client host rejected: cannot find your hostname, \[\1\]; from=<[^>]*> to=<[^>]+> proto=E?SMTP( helo=<[^>]+>)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[([[:xdigit:].:]{3,39})\]: 4[[:digit:]]{2} 4(\.[[:digit:]]+){2} Client host rejected: cannot find your hostname, \[\1\]; from=<[^>]*> to=<[^>]+> proto=E?SMTP( helo=<[^>]+>)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: timeout after [-[:upper:]]+( \([[:digit:]]+ bytes\))? from [^[:space:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-((msa|mx)/smtpd|out/smtp)\[[[:digit:]]+\]: warning: (tls_text_name: [-._[:alnum:]]+\[[[:xdigit:].:]{3,39}\]: )?peer certificate has no (subject CN|issuer Organization)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 450( 4\.1\.2)? <[^>]*>: Recipient address rejected: Domain not found;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$ @@ -72,6 +71,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: RCPT from [^[:space:]]+: [[:digit:]]{3}( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Relay access denied; from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^[:space:]]+>$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: ([-._[:alnum:]]+): RBL lookup error: Host or domain name not found\. Name service error for name=\1 type=A(AAA)?: Host not found, try again$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:SSL2?3_(GET_RECORD:(decryption failed or bad record mac|wrong version number):s3_pkt\.c:[0-9]+:|READ_BYTES:(reason\([[:digit:]]+\)|sslv3 alert (unexpected message|bad certificate)):s3_pkt\.c:[[:digit:]]+:SSL alert number (0|10|42):|GET_CLIENT_HELLO:(unsupported protocol|no shared cipher|unknown protocol|wrong version number):s2?3_srvr\.c:[0-9]+:)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/tlsproxy\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:tls_post_process_client_hello:no shared cipher:\.\./ssl/statem/statem_srvr\.c:[0-9]+:$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 554( 5\.1\.[01])? <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: reject: RCPT from [^[:space:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Helo command rejected: .+; from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^[:space:]]+>$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: too many errors after ([[:upper:]]{4}|END-OF-MESSAGE|UNKNOWN|DATA \(0 bytes\)) from [._[:alnum:]-]+\[[.[:digit:]]+\]$ diff --git a/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local b/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local index 1a6cdd7..cebfaba 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/strongswan-local @@ -1,12 +1,10 @@ # Ansible Managed # Do NOT edit this file directly! # -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[JOB\] spawning [[:digit:]]+ worker threads$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating acquire job for policy [[:xdigit:].:]{3,39}/[[:digit:]]+(\[\w+(/[[:alnum:]-]+)?\])? === [[:xdigit:].:]{3,39}/[[:digit:]]+(\[\w+(/[[:alnum:]-]+)?\])? with reqid \{[[:digit:]]+\}$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] unable to receive from rt event socket$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating rekey job for ESP CHILD_SA with SPI [[:xdigit:]]{8} and reqid \{[[:digit:]]+\}$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating delete job for ESP CHILD_SA with SPI [[:xdigit:]]{8} and reqid \{[[:digit:]]+\}$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] querying SAD entry with SPI [[:xdigit:]]{8} failed: No such process \([[:digit:]]+\)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating rekey job for CHILD_SA ESP/0x[[:xdigit:]]{8}/[[:xdigit:].:]{3,39}$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[KNL\] creating delete job for CHILD_SA ESP/0x[[:xdigit:]]{8}/[[:xdigit:].:]{3,39}$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[JOB\] CHILD_SA ESP/0x[[:xdigit:]]{8}/[[:xdigit:].:]{3,39} not found for delete$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] initiating IKE_SA [[:alnum:]._-]+\[[[:digit:]]+\] to [[:xdigit:].:]{3,39}$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] [[:xdigit:].:]{3,39} is initiating an IKE_SA$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (charon|ipsec\[[[:digit:]]+\]): [[:digit:]]+\[IKE\] establishing CHILD_SA [[:alnum:]._-]+(\{[[:digit:]]+\})?$ diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf index abdbd6c..b6a7d06 100644 --- a/roles/common/files/etc/rkhunter.conf +++ b/roles/common/files/etc/rkhunter.conf @@ -259,7 +259,7 @@ LOGFILE=/var/log/rkhunter.log # # USE_SYSLOG=authpriv.warning # -# Setting the value to 'NONE', or just leaving the option commented out, +# Setting the value to 'none', or just leaving the option commented out, # disables the use of syslog. # # The default value is not to use syslog. @@ -330,8 +330,8 @@ AUTO_X_DETECT=1 # # These two options determine which tests are to be performed. The ENABLE_TESTS -# option can use the word 'ALL' to refer to all of the available tests. The -# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are +# option can use the word 'all' to refer to all of the available tests. The +# DISABLE_TESTS option can use the word 'none' to mean that no tests are # disabled. The list of disabled tests is applied to the list of enabled tests. # # Both options are space-separated lists of test names, and both options may @@ -356,7 +356,7 @@ AUTO_X_DETECT=1 # applications (and warns about possible security risk: we better trust # the Debian Security Team). # -ENABLE_TESTS=ALL +ENABLE_TESTS=all DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps # @@ -587,12 +587,11 @@ HASH_CMD=sha512sum SCRIPTWHITELIST=/bin/egrep SCRIPTWHITELIST=/bin/fgrep SCRIPTWHITELIST=/bin/which -SCRIPTWHITELIST=/usr/bin/groups SCRIPTWHITELIST=/usr/bin/ldd -#SCRIPTWHITELIST=/usr/bin/lwp-request +SCRIPTWHITELIST=/usr/bin/lwp-request SCRIPTWHITELIST=/usr/sbin/adduser #SCRIPTWHITELIST=/usr/sbin/prelink -#SCRIPTWHITELIST=/usr/bin/unhide.rb +#SCRIPTWHITELIST=/usr/sbin/unhide.rb # # Allow the specified file to have the immutable attribute set. @@ -619,8 +618,9 @@ SCRIPTWHITELIST=/usr/sbin/adduser # # The default value is the null string. # -ALLOWHIDDENDIR=/etc/.java +#ALLOWHIDDENDIR=/etc/.java ALLOWHIDDENDIR=/etc/.git +#ALLOWHIDDENDIR=/dev/.lxc # # Allow the specified hidden file to be whitelisted. @@ -637,10 +637,10 @@ ALLOWHIDDENDIR=/etc/.git #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac #ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac #ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz -ALLOWHIDDENFILE=/etc/.etckeeper +#ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz ALLOWHIDDENFILE=/etc/.gitignore #ALLOWHIDDENFILE=/etc/.bzrignore - +ALLOWHIDDENFILE=/etc/.etckeeper # # Allow the specified process to use deleted files. The process name may be @@ -657,7 +657,7 @@ ALLOWHIDDENFILE=/etc/.gitignore #ALLOWPROCDELFILE=/sbin/cardmgr #ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2 #ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib* -#ALLOWPROCDELFILE=/usr/lib/iceweasel/firefox-bin +#ALLOWPROCDELFILE=/usr/lib/iceweasel/iceweasel #ALLOWPROCDELFILE=/usr/bin/file-roller # diff --git a/roles/common/files/etc/rsyslog.conf b/roles/common/files/etc/rsyslog.conf index 6ebaa92..70e8a77 100644 --- a/roles/common/files/etc/rsyslog.conf +++ b/roles/common/files/etc/rsyslog.conf @@ -8,21 +8,17 @@ #### MODULES #### ################# -$ModLoad imuxsock # provides support for local system logging -$ModLoad imklog # provides kernel logging support -#$ModLoad immark # provides --MARK-- message capability +module(load="imuxsock") # provides support for local system logging +module(load="imklog") # provides kernel logging support +#module(load="immark") # provides --MARK-- message capability # provides UDP syslog reception -#$ModLoad imudp -#$UDPServerRun 514 +#module(load="imudp") +#input(type="imudp" port="514") # provides TCP syslog reception -#$ModLoad imtcp -#$InputTCPServerRun 514 - -# Disable rate-limiting (the default for rsyslog v7, but not for rsyslog v5) -$SystemLogRateLimitInterval 0 -$SystemLogRateLimitBurst 0 +#module(load="imtcp") +#input(type="imtcp" port="514") ########################### @@ -81,7 +77,7 @@ if ($programname startswith 'postfix-' or $programname == 'dovecot') and $syslog # # Some standard log files. Log by facility. # -auth,authpriv.* /var/log/auth.log +auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log @@ -89,13 +85,6 @@ kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log user.* -/var/log/user.log -# -# Logging for INN news system. -# -news.crit /var/log/news/news.crit -news.err /var/log/news/news.err -news.notice -/var/log/news/news.notice - # # Some "catch-all" log files. # @@ -111,25 +100,3 @@ news.notice -/var/log/news/news.notice # Emergencies are sent to everybody logged in. # *.emerg :omusrmsg:* - -# -# I like to have messages displayed on the console, but only on a virtual -# console I usually leave idle. -# -#daemon,mail.*;\ -# news.=crit;news.=err;news.=notice;\ -# *.=debug;*.=info;\ -# *.=notice;*.=warn /dev/tty8 - -# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, -# you must invoke `xconsole' with the `-file' option: -# -# $ xconsole -file /dev/xconsole [...] -# -# NOTE: adjust the list below, or you'll go crazy if you have a reasonably -# busy site.. -# -#daemon.*;mail.*;\ -# news.err;\ -# *.=debug;*.=info;\ -# *.=notice;*.=warn |/dev/xconsole diff --git a/roles/common/files/etc/strongswan.d/charon.conf b/roles/common/files/etc/strongswan.d/charon.conf index 17e917a..5ed6452 100644 --- a/roles/common/files/etc/strongswan.d/charon.conf +++ b/roles/common/files/etc/strongswan.d/charon.conf @@ -7,6 +7,12 @@ charon { # Maximum number of half-open IKE_SAs for a single peer IP. # block_threshold = 5 + # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should + # be saved under a unique file name derived from the public key of the + # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # /etc/swanctl/x509crl (vici), respectively. + # cache_crls = no + # Whether relations in validated certificate chains should be cached in # memory. # cert_cache = yes @@ -20,10 +26,17 @@ charon { # Number of half-open IKE_SAs that activate the cookie mechanism. # cookie_threshold = 10 + # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + # delete_rekeyed = no + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic # strength. # dh_exponent_ansi_x9_42 = yes + # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal + # missing symbols immediately. + # dlopen_use_rtld_now = no + # DNS server assigned to peer via configuration payload (CP). # dns1 = @@ -40,11 +53,15 @@ charon { # Free objects during authentication (might conflict with plugins). # flush_auth_cfg = no + # Whether to follow IKEv2 redirects (RFC 5685). + # follow_redirects = yes + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment - # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for - # address family specific default values). If specified this limit is - # used for both IPv4 and IPv6. - # fragment_size = 0 + # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults + # to 1280 (use 0 for address family specific default values, which uses a + # lower value for IPv4). If specified this limit is used for both IPv4 and + # IPv6. + # fragment_size = 1280 # Name of the group the daemon changes to after startup. # group = @@ -58,6 +75,10 @@ charon { # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. # i_dont_care_about_security_and_use_aggressive_mode_psk = no + # Whether to ignore the traffic selectors from the kernel's acquire events + # for IKEv2 connections (they are not used for IKEv1). + # ignore_acquire_ts = no + # A space-separated list of routing tables to be excluded from route # lookups. # ignore_routing_tables = @@ -116,6 +137,13 @@ charon { # Determine plugins to load via each plugin's load option. # load_modular = no + # Initiate IKEv2 reauthentication with a make-before-break scheme. + # make_before_break = no + + # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about + # and track concurrently. + # max_ikev1_exchanges = 3 + # Maximum packet size accepted by charon. # max_packet = 10000 @@ -136,6 +164,11 @@ charon { # will be allocated. # port_nat_t = 4500 + # Prefer locally configured proposals for IKE/IPsec over supplied ones as + # responder (disabling this can avoid keying retries due to + # INVALID_KE_PAYLOAD notifies). + # prefer_configured_proposals = yes + # By default public IPv6 addresses are preferred over temporary ones (RFC # 4941), to make connections more stable. Enable this option to reverse # this. @@ -169,11 +202,11 @@ charon { # Number of times to retransmit a packet before giving up. # retransmit_tries = 5 - # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS - # resolution failed), 0 to disable retries. + # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if + # DNS resolution failed), 0 to disable retries. # retry_initiate_interval = 0 - # Initiate CHILD_SA within existing IKE_SAs. + # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). # reuse_ikesa = yes # Numerical routing table to install routes to. @@ -197,6 +230,12 @@ charon { # Send strongSwan vendor ID payload # send_vendor_id = no + # Whether to enable Signature Authentication as per RFC 7427. + # signature_authentication = yes + + # Whether to enable constraints against IKEv2 signature schemes. + # signature_authentication_constraints = yes + # Number of worker threads in charon. # threads = 16 diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 994df14..207eada 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -47,7 +47,7 @@ else ipsec=n fi -fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S' +fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A f2b-\S' IPsec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$" declare -A rss=() tables=() @@ -66,21 +66,21 @@ usage() { } log() { - /usr/bin/logger -st firewall -p user.info -- "$@" + logger -st firewall -p user.info -- "$@" } fatal() { - /usr/bin/logger -st firewall -p user.err -- "$@" + logger -st firewall -p user.err -- "$@" exit 1 } iptables() { # Fake iptables/ip6tables(8); use the more efficient # iptables-restore(8) instead. - echo "$@" >> "$new"; + echo "$@" >>"$new"; } commit() { # End a table - echo COMMIT >> "$new" + echo COMMIT >>"$new" } inet46() { case "$1" in @@ -96,25 +96,25 @@ ipt-chains() { ?*) echo "*$1";; esac shift - done >> "$new" + done >>"$new" } ipt-trim() { # Remove dynamic chain/rules from the input stream, as they are # automatically included by third-party servers (such as strongSwan # or fail2ban). The output is ready to be made persistent. - grep -Ev -e '^:fail2ban-\S' \ + grep -Ev -e '^:f2b-\S' \ -e "$IPsec_re" \ - -e '-j fail2ban-\S+$' \ + -e '-j f2b-\S+$' \ -e "$fail2ban_re" } ipt-diff() { # Get the difference between two rulesets. if [ $verbose -eq 1 ]; then - /usr/bin/diff -u -I '^#' "$1" "$2" + diff -u -I '^#' --color=auto "$@" else - /usr/bin/diff -q -I '^#' "$1" "$2" >/dev/null + diff -q -I '^#' "$@" >/dev/null fi } @@ -127,12 +127,12 @@ ipt-persist() { local f rs table for f in "${!tables[@]}"; do - ipts=/sbin/$(inet46 $f iptables ip6tables)-save + ipts=$(inet46 $f iptables ip6tables)-save rs=/etc/iptables/rules.v$f for table in ${tables[$f]}; do - /bin/ip netns exec $netns $ipts -t $table - done | ipt-trim > "$rs" + ip netns exec $netns $ipts -t $table + done | ipt-trim >"$rs" chmod 0600 "$rs" done } @@ -143,7 +143,7 @@ ipt-revert() { local rs for f in "${!rss[@]}"; do - /sbin/$(inet46 $f iptables ip6tables)-restore -c < "${rss[$f]}" + $(inet46 $f iptables ip6tables)-restore -c <"${rss[$f]}" rm -f "${rss[$f]}" done exit 1 @@ -152,7 +152,7 @@ ipt-revert() { run() { # Build and apply the firewall for IPv4/6. local f="$1" - local ipt=/sbin/$(inet46 $f iptables ip6tables) + local ipt=$(inet46 $f iptables ip6tables) tables[$f]=filter # The default interface associated with this address. @@ -164,14 +164,14 @@ run() { new=$(mktemp --tmpdir new-rules.v$f.XXXXXX) for table in ${tables[$f]}; do $ipt-save -ct $table - done > "$old" + done >"$old" rss[$f]="$old" local fail2ban=0 # XXX: As of Wheezy, fail2ban is IPv4 only. See # https://github.com/fail2ban/fail2ban/issues/39 for the current # state of the art. - if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then + if [ "$f" = 4 ] && which fail2ban-server >/dev/null; then fail2ban=1 fi @@ -191,14 +191,14 @@ run() { if [ $fail2ban -eq 1 ]; then echo ":fail2ban - [0:0]" # Don't remove existing rules & traps in the current rulest - grep -- '^:fail2ban-\S' "$old" || true - grep -E -- ' -j fail2ban-\S+$' "$old" || true - grep -E -- "$fail2ban_re" "$old" || true - fi >> "$new" + grep -- '^:f2b-\S' "$old" || true + grep -E -- ' -j f2b-\S+$' "$old" || true + grep -E -- "$fail2ban_re" "$old" || true + fi >>"$new" - if [ "$f" = 4 -a "$ipsec" = y ]; then + if [ "$f" = 4 -o "$f" = 6 ] && [ "$ipsec" = y ]; then # IPsec tunnels come first (IPv4 only). - grep -E -- "$IPsec_re" "$old" >> "$new" || true + grep -E -- "$IPsec_re" "$old" >>"$new" || true # Allow any IPsec $secproto protocol packets to be sent and received. iptables -A INPUT -i $if -p $secproto -j ACCEPT @@ -212,14 +212,14 @@ run() { # http://baldric.net/loose-iptables-firewall-for-servers/ local ip - if [ "$f" = 4 -a "$ipsec" = y ]; then + if [ "$f" = 4 ] && [ "$ipsec" = y ]; then # Private-use networks (RFC 1918) and link local (RFC 3927) - local MyIPsec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )" - local MyNetwork="$( /bin/ip -4 -o address show dev $if scope global \ + local MyIPsec="$( ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )" + local MyNetwork="$( ip -4 -o address show dev $if scope global \ | sed -nr "s/^[0-9]+:\s+$if\s+inet\s(\S+).*/\1/p" \ | while read ip; do for ips in $MyIPsec; do - [ "$ips" = "$(/usr/bin/netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip" + [ "$ips" = "$(netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip" done done )" @@ -227,7 +227,7 @@ run() { for ip in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do # Don't lock us out if we are behind a NAT ;-) for myip in $MyNetwork; do - [ "$ip" = "$(/usr/bin/netmask -nc "$ip" "$myip" | sed 's/^ *//')" ] || echo "$ip" + [ "$ip" = "$(netmask -nc "$ip" "$myip" | sed 's/^ *//')" ] || echo "$ip" done | uniq | while read ip; do iptables -A INPUT -i $if -s "$ip" -j DROP; done done @@ -260,9 +260,9 @@ run() { local localhost=$(inet46 $f '127.0.0.1/8' '::1/128') iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT - if [ "$f" = 4 -a "$ipsec" = y ]; then + if [ "$f" = 4 ] && [ "$ipsec" = y ]; then # Allow local access to our virtual IP - /bin/ip -4 -o route show table 220 dev $if \ + ip -4 -o route show table 220 dev $if \ | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?$/\1/p' \ | while read ips; do iptables -A INPUT -i lo -s "$ips" -d "$ips" -j ACCEPT @@ -340,25 +340,25 @@ run() { # to restore the counters when reverting.) sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \ -e 's/^\[[0-9]+:[0-9]+\]\s+//' \ - "$old" > "$oldz" + "$old" >"$oldz" - /bin/ip netns exec $netns $ipt-restore <"$new" || ipt-revert + ip netns exec $netns $ipt-restore <"$new" || ipt-revert for table in ${tables[$f]}; do - /bin/ip netns exec $netns $ipt-save -t $table - done > "$new" + ip netns exec $netns $ipt-save -t $table + done >"$new" - ipt-diff "$oldz" "$new" || rv1=$? + ipt-diff --label="a/$ipt-save" --label="b/$ipt-save" "$oldz" "$new" || rv1=$? - if ! [ -f "$persistent" -a -x /etc/network/if-pre-up.d/iptables ]; then + if ! [ -f "$persistent" ] && [ -x /etc/network/if-pre-up.d/iptables ]; then rv2=1 else - ipt-trim < "$oldz" | ipt-diff - "$persistent" || rv2=$? + ipt-trim <"$new" | ipt-diff --label="a/rules.v$f" --label="b/$ipt-save" "$persistent" - || rv2=$? fi local update="Please run '${0##*/}'." if [ $check -eq 0 ]; then - $ipt-restore <"$new" || ipt-revert + uniq "$new" | $ipt-restore || ipt-revert else if [ $rv1 -ne 0 ]; then log "WARN: The IPv$f firewall is not up to date! $update" @@ -394,7 +394,7 @@ done # If we are going to apply the ruleset, we should either have a TTY, or # use -f. -if ! /usr/bin/tty -s && [ $force -eq 0 -a $check -eq 0 ]; then +if ! tty -s && [ $force -eq 0 ] && [ $check -eq 0 ]; then echo "Error: Not a TTY. Try with -f (at your own risks!)" >&2 exit 1 fi @@ -403,10 +403,10 @@ fi # we can easily get a normalized version we can compare latter. See # http://bugzilla.netfilter.org/show_bug.cgi?id=790 netns="ipt-firewall-test-$$" -/bin/ip netns add $netns +ip netns add $netns -trap '/bin/ip netns del $netns 2>/dev/null || true; ipt-revert' SIGINT -trap '/bin/ip netns del $netns; rm -f "${rss[@]}"' EXIT +trap 'ip netns del $netns 2>/dev/null || true; ipt-revert' SIGINT +trap 'ip netns del $netns; rm -f "${rss[@]}"' EXIT rv=0 for f in ${addrfam:=4 6}; do @@ -417,7 +417,7 @@ if [ $force -eq 1 ]; then # At the user's own risks... ipt-persist -elif [ $check -eq 1 -o $rv -eq 0 ]; then +elif [ $check -eq 1 ] || [ $rv -eq 0 ]; then # Nothing to do, we're all set. exit $rv diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml index 1877f21..7692c28 100644 --- a/roles/common/tasks/mail.yml +++ b/roles/common/tasks/mail.yml @@ -2,7 +2,7 @@ apt: pkg={{ item }} with_items: # That one is nicer than GNU mailutils' mailx(1) - - heirloom-mailx + - s-nail - postfix - postfix-cdb diff --git a/roles/common/templates/etc/apt/preferences.j2 b/roles/common/templates/etc/apt/preferences.j2 index 4e18a6e..383037f 100644 --- a/roles/common/templates/etc/apt/preferences.j2 +++ b/roles/common/templates/etc/apt/preferences.j2 @@ -3,27 +3,27 @@ # Install updates as soon as they're available Package: * -Pin: release a={{ ansible_lsb.codename }}-updates +Pin: release o=Debian, n={{ ansible_lsb.codename }}-updates Pin-Priority: 990 {% if 'backports' in group_names -%} # Automatically packages from backports (those manually installed) Package: * -Pin: release a={{ ansible_lsb.codename }}-backports +Pin: release o=Debian Backports, n={{ ansible_lsb.codename }}-backports Pin-Priority: 200 {% endif %} {% if inventory_hostname_short in non_free_packages.keys() -%} # Automatically upgrade non-free firmwares (when manually installed) Package: {{ non_free_packages[inventory_hostname_short] | join (' ') }} -Pin: version * +Pin: release o=Debian Pin-Priority: 200 {% endif %} {% if ansible_processor[1] is search('^(Genuine)?Intel.*') and not ansible_virtualization_role == 'guest' -%} # Automatically upgrade the microcode (when manually installed) Package: intel-microcode iucode-tool -Pin: version * +Pin: release o=Debian Pin-Priority: 200 {% endif %} diff --git a/roles/common/templates/etc/apt/sources.list.j2 b/roles/common/templates/etc/apt/sources.list.j2 index 8d1b7fd..4ae1cb5 100644 --- a/roles/common/templates/etc/apt/sources.list.j2 +++ b/roles/common/templates/etc/apt/sources.list.j2 @@ -2,12 +2,12 @@ # Do NOT edit this file directly! # vim: set filetype=debsources : -deb http://deb.debian.org/debian/ {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} +deb http://deb.debian.org/debian {{ ansible_lsb.codename }} main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} -deb http://deb.debian.org/debian-security/ {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} +deb http://deb.debian.org/debian-security {{ ansible_lsb.codename }}/updates main{% if inventory_hostname_short in non_free_packages.keys() or (ansible_processor[1] is search("^(Genuine)?Intel.*") and not ansible_virtualization_role == 'guest') %} contrib non-free{% endif %} -deb http://deb.debian.org/debian/ {{ ansible_lsb.codename }}-updates main +deb http://deb.debian.org/debian {{ ansible_lsb.codename }}-updates main {% if 'backports' in group_names -%} -deb http://deb.debian.org/debian/ {{ ansible_lsb.codename }}-backports main +deb http://deb.debian.org/debian {{ ansible_lsb.codename }}-backports main {% endif %} diff --git a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 index 6cfa3f9..2d434bc 100644 --- a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 +++ b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 @@ -36,6 +36,7 @@ user root [df*] env.warning 92 env.critical 98 +env.exclude_re ^/run/user [exim_mailqueue] group adm, (Debian-exim) diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2 index af909ba..55361ee 100644 --- a/roles/common/templates/etc/postfix/main.cf.j2 +++ b/roles/common/templates/etc/postfix/main.cf.j2 @@ -4,10 +4,11 @@ # {{ ansible_managed }} # Do NOT edit this file directly! -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no -readme_directory = no -mail_owner = postfix +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +mail_owner = postfix +compatibility_level = 2 myorigin = /etc/mailname myhostname = {{ ansible_fqdn }} diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index c30f95b..10fc303 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 @@ -11,7 +11,7 @@ # ========================================================================== {% if inst is not defined %} -[127.0.0.1]:16132 inet n - - - - smtpd +[127.0.0.1]:16132 inet n - y - - smtpd {% elif inst == 'MX' %} smtpd pass - - n - - smtpd -o cleanup_service_name=cleanup_nochroot @@ -20,7 +20,7 @@ tlsproxy unix - - n - 0 tlsproxy dnsblog unix - - n - 0 dnsblog cleanup_nochroot unix n - n - 0 cleanup {% elif inst == 'MSA' %} -submission inet n - - - - smtpd +submission inet n - y - - smtpd -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL {% if groups.webmail | difference([inventory_hostname]) | length > 0 %} [{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - - - - smtpd @@ -34,30 +34,30 @@ submission inet n - - - - smtpd [{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - - - - smtpd -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }} {% endif %} -pickup unix n - - 60 1 pickup -cleanup unix n - - - 0 cleanup +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr -tlsmgr unix - - - 1000? 1 tlsmgr -rewrite unix - - - - - trivial-rewrite -bounce unix - - - - 0 bounce -defer unix - - - - 0 bounce -trace unix - - - - 0 bounce -verify unix - - - - 1 verify -flush unix n - - 1000? 0 flush +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap -smtp unix - - - - - smtp -relay unix - - - - - smtp +smtp unix - - y - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - - - - showq -error unix - - - - - error -retry unix - - - - - error -discard unix - - - - - discard +relay unix - - y - - smtp +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - - - - lmtp -anvil unix - - - - 1 anvil -scache unix - - - - 1 scache +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache {% if inst is defined and inst == 'MX' %} reserved-alias unix - n n - - pipe flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org @@ -76,7 +76,7 @@ amavisfeed unix - - n - 5 lmtp -o disable_dns_lookups=yes # Server part (smtpd) - amavis -[127.0.0.1]:10025 inet n - n - - smtpd +[127.0.0.1]:10025 inet n - y - - smtpd -o content_filter= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject diff --git a/roles/lacme/handlers/main.yml b/roles/lacme/handlers/main.yml deleted file mode 100644 index 0b9ddfc..0000000 --- a/roles/lacme/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: Install lacme - apt: deb=/tmp/lacme_0.2-1_all.deb diff --git a/roles/lacme/tasks/main.yml b/roles/lacme/tasks/main.yml index 6dcf6ec..9ff88c2 100644 --- a/roles/lacme/tasks/main.yml +++ b/roles/lacme/tasks/main.yml @@ -1,19 +1,9 @@ -- name: Install dependencies for lacme - apt: pkg={{ item }} - with_items: - - libjson-perl - - libjson-xs-perl - - libconfig-tiny-perl - - libwww-perl +- name: Install lacme + apt: pkg={{ packages }} install_recommends=no + vars: + packages: - liblwp-protocol-https-perl - - libnet-ssleay-perl - -- name: Copy lacme - copy: src=deb/lacme_0.2-1_all.deb - dest=/tmp - notify: Install lacme - -- meta: flush_handlers + - lacme - name: Create a user 'lacme' user: name=lacme system=yes -- cgit v1.2.3