From dd6085c28219e6acca0c7ae1c6428b064c65e752 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 30 Oct 2013 21:09:53 +0100 Subject: Configure rkhunter. --- roles/common/files/etc/default/rkhunter | 34 ++ roles/common/files/etc/rkhunter.conf | 1004 +++++++++++++++++++++++++++++++ roles/common/handlers/main.yml | 3 + roles/common/tasks/main.yml | 1 + roles/common/tasks/rkhunter.yml | 22 + 5 files changed, 1064 insertions(+) create mode 100644 roles/common/files/etc/default/rkhunter create mode 100644 roles/common/files/etc/rkhunter.conf create mode 100644 roles/common/tasks/rkhunter.yml diff --git a/roles/common/files/etc/default/rkhunter b/roles/common/files/etc/default/rkhunter new file mode 100644 index 0000000..da59a73 --- /dev/null +++ b/roles/common/files/etc/default/rkhunter @@ -0,0 +1,34 @@ +# Defaults for rkhunter automatic tasks +# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter +# +# This is a POSIX shell fragment +# + +# Set this to yes to enable rkhunter daily runs +# (default: true) +CRON_DAILY_RUN="yes" + +# Set this to yes to enable rkhunter weekly database updates +# (default: true) +CRON_DB_UPDATE="yes" + +# Set this to yes to enable reports of weekly database updates +# (default: false) +DB_UPDATE_EMAIL="false" + +# Set this to the email address where reports and run output should be sent +# (default: root) +REPORT_EMAIL="admin@fripost.org" + +# Set this to yes to enable automatic database updates +# (default: false) +APT_AUTOGEN="false" + +# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable) +# (default: 0) +NICE="10" + +# Should daily check be run when running on battery +# powermgmt-base is required to detect if running on battery or on AC power +# (default: false) +RUN_CHECK_ON_BATTERY="false" diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf new file mode 100644 index 0000000..9e4cb14 --- /dev/null +++ b/roles/common/files/etc/rkhunter.conf @@ -0,0 +1,1004 @@ +# +# This is the main configuration file for Rootkit Hunter. +# +# You can either modify this file directly, or you can create a local +# configuration file. The local file must be named 'rkhunter.conf.local', +# and must reside in the same directory as this file. Please modify one +# or both files to your own requirements. It is suggested that the +# command 'rkhunter -C' is run after any changes have been made. +# +# Please review the documentation before posting bug reports or questions. +# To report bugs, obtain updates, or provide patches or comments, please go to: +# http://rkhunter.sourceforge.net +# +# To ask questions about rkhunter, please use the rkhunter-users mailing list. +# Note this is a moderated list: please subscribe before posting. +# +# Lines beginning with a hash (#), and blank lines, are ignored. +# End-of-line comments are not supported. +# +# Most of the following options need only be specified once. If +# they appear more than once, then the last one seen will be used. +# Some options are allowed to appear more than once, and the text +# describing the option will say if this is so. +# +# Some of the options are space-separated lists of pathnames. If +# wildcard characters (globbing) are allowed in the list, then the +# text describing the option will say so. +# +# Space-separated lists may be enclosed by quotes, but these must only +# appear at the start and end of the list, not in the middle. +# +# For example: XXX="abc def gh" (correct) +# XXX="abc" "def" "gh" (incorrect) +# + + +# +# If this option is set to 1, it specifies that the mirrors file +# ('mirrors.dat'), which is used when the '--update' and '--versioncheck' +# options are used, is to be rotated. Rotating the entries in the file +# allows a basic form of load-balancing between the mirror sites whenever +# the above options are used. +# If the option is set to 0, then the mirrors will be treated as if in +# a priority list. That is, the first mirror listed will always be used +# first. The second mirror will only be used if the first mirror fails, +# the third mirror will only be used if the second mirror fails, and so on. +# +# If the mirrors file is read-only, then the '--versioncheck' command-line +# option can only be used if this option is set to 0. +# +ROTATE_MIRRORS=1 + +# +# If this option is set to 1, it specifies that when the '--update' +# option is used, then the mirrors file is to be checked for updates +# as well. If the current mirrors file contains any local mirrors, +# these will be prepended to the updated file. +# If this option is set to 0, the mirrors file can only be updated +# manually. This may be useful if only using local mirrors. +# +UPDATE_MIRRORS=1 + +# +# The MIRRORS_MODE option tells rkhunter which mirrors are to be +# used when the '--update' or '--versioncheck' command-line options +# are given. Possible values are: +# 0 - use any mirror (the default) +# 1 - only use local mirrors +# 2 - only use remote mirrors +# +# Local and remote mirrors can be defined in the mirrors file +# by using the 'local=' and 'remote=' keywords respectively. +# +MIRRORS_MODE=0 + +# +# Email a message to this address if a warning is found when the +# system is being checked. Multiple addresses may be specified +# simply be separating them with a space. Setting this option to +# null disables the option. +# +# NOTE: This option should be present in the configuration file. +# +#MAIL-ON-WARNING=me@mydomain root@mydomain +MAIL-ON-WARNING=admin@fripost.org + +# +# Specify the mail command to use if MAIL-ON-WARNING is set. +# +# NOTE: Double quotes are not required around the command, but +# are required around the subject line if it contains spaces. +# +MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" + +# +# Specify the temporary directory to use. +# +# NOTE: Do not use /tmp as your temporary directory. Some +# important files will be written to this directory, so be +# sure that the directory permissions are tight. +# +TMPDIR=/var/lib/rkhunter/tmp + +# +# Specify the database directory to use. +# +DBDIR=/var/lib/rkhunter/db + +# +# Specify the script directory to use. +# +SCRIPTDIR=/usr/share/rkhunter/scripts + +# +# This option can be used to modify the command directory list used +# by rkhunter to locate commands (that is, its PATH). By default +# this will be the root PATH, and an internal list of some common +# command directories. +# +# Any directories specified here will, by default, be appended to the +# default list. However, if a directory name begins with the '+' +# character, then that directory will be prepended to the list (that +# is, it will be put at the start of the list). +# +# This is a space-separated list of directory names. The option may +# be specified more than once. +# +#BINDIR="/bin /usr/bin /sbin /usr/sbin" +#BINDIR="+/usr/local/bin +/usr/local/sbin" + +# +# Specify the default language to use. This should be similar +# to the ISO 639 language code. +# +# NOTE: Please ensure that the language you specify is supported. +# For a list of supported languages use the following command: +# +# rkhunter --lang en --list languages +# +#LANGUAGE=en + +# +# This option is a space-separated list of the languages that are to +# be updated when the '--update' option is used. If unset, then all +# the languages will be updated. If none of the languages are to be +# updated, then set this option to just 'en'. +# +# The default is for all the languages to be updated. The default +# language, specified above, and the English (en) language file will +# always be updated regardless of this option. +# +UPDATE_LANG="" + +# +# Specify the log file pathname. +# +# NOTE: This option should be present in the configuration file. +# +LOGFILE=/var/log/rkhunter.log + +# +# Set the following option to 1 if the log file is to be appended to +# whenever rkhunter is run. +# +APPEND_LOG=0 + +# +# Set the following option to 1 if the log file is to be copied when +# rkhunter finishes and an error or warning has occurred. The copied +# log file name will be appended with the current date and time +# (in YYYY-MM-DD_HH:MM:SS format). +# For example: rkhunter.log.2009-04-21_00:57:51 +# +COPY_LOG_ON_ERROR=0 + +# +# Set the following option to enable the rkhunter check start and finish +# times to be logged by syslog. Warning messages will also be logged. +# The value of the option must be a standard syslog facility and +# priority, separated by a dot. For example: +# +# USE_SYSLOG=authpriv.warning +# +# Setting the value to 'none', or just leaving the option commented out, +# disables the use of syslog. +# +#USE_SYSLOG=authpriv.notice + +# +# Set the following option to 1 if the second colour set is to be used. +# This can be useful if your screen uses black characters on a white +# background (for example, a PC instead of a server). +# +COLOR_SET2=0 + +# +# Set the following option to 0 if rkhunter should not detect if X is +# being used. If X is detected as being used, then the second colour +# set will automatically be used. +# +AUTO_X_DETECT=1 + +# +# Set the following option to 1 if it is wanted that any 'Whitelisted' +# results are shown in white rather than green. For colour set 2 users, +# setting this option will cause the result to be shown in black. +# +WHITELISTED_IS_WHITE=0 + +# +# The following option is checked against the SSH configuration file +# 'PermitRootLogin' option. A warning will be displayed if they do not +# match. However, if a value has not been set in the SSH configuration +# file, then a value here of 'unset' can be used to avoid warning messages. +# This option has a default value of 'no'. +# +ALLOW_SSH_ROOT_USER=no + +# +# Set this option to '1' to allow the use of the SSH-1 protocol, but note +# that theoretically it is weaker, and therefore less secure, than the +# SSH-2 protocol. Do not modify this option unless you have good reasons +# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 +# authentication). If the 'Protocol' option has not been set in the SSH +# configuration file, then a value of '2' may be set here in order to +# suppress a warning message. This option has a default value of '0'. +# +ALLOW_SSH_PROT_V1=0 + +# +# This setting tells rkhunter the directory containing the SSH configuration +# file. This setting will be worked out by rkhunter, and so should not +# usually need to be set. +# +#SSH_CONFIG_DIR=/etc/ssh + +# +# These two options determine which tests are to be performed. +# The ENABLE_TESTS option can use the word 'all' to refer to all the +# available tests. The DISABLE_TESTS option can use the word 'none' to +# mean that no tests are disabled. The list of disabled tests is applied to +# the list of enabled tests. Both options are space-separated lists of test +# names. The currently available test names can be seen by using the command +# 'rkhunter --list tests'. +# +# The program defaults are to enable all tests and disable none. However, if +# either of the options below are specified, then they will override the +# program defaults. +# +# The supplied configuration file has some tests already disabled, and these +# are tests that will be used only occasionally, can be considered +# "advanced" or that are prone to produce more than the average number of +# false-positives. +# +# Please read the README file for more details about enabling and disabling +# tests, the test names, and how rkhunter behaves when these options are used. +# +# hidden_procs test requires the unhide command which is part of the unhide +# package in Debian. +# +# apps test is disabled by default as it triggers warnings about outdated +# applications (and warns about possible security risk: we better trust +# the Debian Security Team). +# +ENABLE_TESTS="all" +DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" + +# +# The HASH_FUNC option can be used to specify the command to use +# for the file hash value check. It can be specified as just the +# command name or the full pathname. If just the command name is +# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or +# SHA512, then rkhunter will first look for the relevant command, +# such as 'sha256sum', and then for 'sha256'. If neither of these +# are found, it will then look to see if a perl module has been +# installed which will support the relevant hash function. To see +# which perl modules have been installed use the command +# 'rkhunter --list perl'. +# +# The default is SHA1, or MD5 if SHA1 cannot be found. +# +# Systems using prelinking are restricted to using either the +# SHA1 or MD5 function. +# +# A value of 'NONE' (in uppercase) can be specified to indicate that +# no hash function should be used. Rootkit Hunter will detect this and +# automatically disable the file hash checks. +# +# Examples: +# For Solaris 9 : HASH_FUNC=gmd5sum +# For Solaris 10: HASH_FUNC=sha1sum +# For AIX (>5.2): HASH_FUNC="csum -hMD5" +# For NetBSD : HASH_FUNC="cksum -a sha512" +# +# NOTE: If the hash function is changed then you MUST run rkhunter with +# the '--propupd' option to rebuild the file properties database. +# +HASH_FUNC=sha512sum + +# +# The HASH_FLD_IDX option specifies which field from the HASH_FUNC +# command output contains the hash value. The fields are assumed to +# be space-separated. The default value is 1, but for *BSD users +# rkhunter will, by default, use a value of 4 if the HASH_FUNC option +# has not been set. The option value must be an integer greater +# than zero. +# +#HASH_FLD_IDX=4 + +# +# The PKGMGR option tells rkhunter to use the specified package manager +# to obtain the file property information. This is used when updating +# the file properties file ('rkhunter.dat'), and when running the file +# properties check. For RedHat/RPM-based systems, 'RPM' can be used to +# get information from the RPM database. For Debian-based systems 'DPKG' +# can be used, for *BSD systems 'BSD' can be used, and for Solaris +# systems 'SOLARIS' can be used. No value, or a value of 'NONE', +# indicates that no package manager is to be used. The default is 'NONE'. +# +# The current package managers, except 'SOLARIS', store the file hash +# values using an MD5 hash function. The Solaris package manager includes +# a checksum value, but this is not used by default (see USE_SUNSUM below). +# +# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. +# The 'RPM' package manager additionally provides values for the inode, +# file permissions, uid, gid and other values. The 'SOLARIS' also provides +# most of the values, similar to 'RPM', but not the inode number. +# +# For any file not part of a package, rkhunter will revert to using the +# HASH_FUNC hash function instead. +# +# Whenever this option is changed 'rkhunter --propupd' must be run. +# +# NONE is the default for Debian as well, as running --propupd takes +# about 4 times longer when it's set to DPKG +# +#PKGMGR=NONE + +# +# It is possible that a file which is part of a package may be modified +# by the administrator. Typically this occurs for configuration files. +# However, the package manager may list the file as being modified. For +# the RPM package manager this may well depend on how the package was +# built. This option specifies those pathnames which are to be exempt +# from the package manager verification process, and which will be treated +# as non-packaged files. As such, the file properties are still checked. +# +# This option only takes effect if the PKGMGR option has been set, and +# is not 'NONE'. +# +# This is a space-separated list of pathnames. The option may +# be specified more than once. +# +# Whenever this option is changed 'rkhunter --propupd' must be run. +# +#PKGMGR_NO_VRFY="" + +# +# This option can be used to tell rkhunter to ignore any prelink +# dependency errors for the given commands. However, a warning will also +# be issued if the error does not occur for a given command. As such +# this option must only be used on commands which experience a persistent +# problem. +# +# Short-term prelink dependency errors can usually be resolved simply by +# running the 'prelink' command on the given pathname. +# +# NOTE: The command 'rkhunter --propupd' must be run whenever this option +# is changed. +# +# This is a space-separated list of command pathnames. The option can be +# specified more than once. +# +#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top" + +# +# If the 'SOLARIS' package manager is used, then it is possible to use +# the checksum (hash) value stored for a file. However, this is only a +# 16-bit checksum, and as such is not nearly as secure as, for example, +# a SHA-2 value. For that reason, the checksum is not used by default, +# and the hash function given by HASH_FUNC is used instead. To enable +# this option, set its value to 1. The Solaris 'sum' command must be +# present on the system if this option is used. +# +#USE_SUNSUM=0 + +# +# This option is a space-separated list of commands, directories and file +# pathnames which will be included in the file properties checks. +# This option can be specified more than once. +# +# Whenever this option is changed, 'rkhunter --propupd' must be run. +# +# Simple command names - for example, 'top' - and directory names are +# added to the internal list of directories to be searched for each of +# the command names in the command list. Additionally, full pathnames +# to files, which need not be commands, may be given. Any files or +# directories which are already part of the internal lists will be +# silently ignored from the configuration. +# +# Normal globbing wildcards are allowed, except for simple command names. +# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. +# +# Specific files may be excluded by preceding their name with an +# exclamation mark (!). For example, '!/opt/top'. By combining this +# with wildcarding, whole directories can be excluded. For example, +# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first +# two directory levels of '/etc'. However, anything in '/etc/rc0.d', +# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded. +# +# NOTE: Only files and directories which have been added by the user, +# and are not part of the internal lists, can be excluded. So, for +# example, it is not possible to exclude the 'ps' command by using +# '!/bin/ps'. These will be silently ignored from the configuration. +# +#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*" +#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf" +#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local" +#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*" +#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat" +#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*" +#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*" + +# +# This option whitelists files and directories from existing, +# or not existing, on the system at the time of testing. This +# option is used when the configuration file options themselves +# are checked, and during the file properties check, the hidden +# files and directories checks, and the filesystem check of the +# '/dev' directory. +# +# This is a space-separated list of pathnames. The option may be +# specified more than once. The option may use wildcard characters, +# but be aware that this is probably not what you want to do as the +# wildcarding will be expanded after files have been deleted. As +# such deleted files won't be whitelisted if wildcarded. +# +# NOTE: The user must take into consideration how often the file will +# appear and disappear from the system in relation to how often +# rkhunter is run. If the file appears, and disappears, too often +# then rkhunter may not notice this. All it will see is that the file +# has changed. The inode-number and DTM will certainly be different +# for each new file, and rkhunter will report this. +# +#EXISTWHITELIST="" + +# +# Whitelist various attributes of the specified files. +# The attributes are those of the 'attributes' test. +# Specifying a file name here does not include it being +# whitelisted for the write permission test (see below). +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#ATTRWHITELIST="/bin/ps /usr/bin/date" + +# +# Allow the specified commands to have the 'others' +# (world) permission have the write-bit set. +# +# For example, files with permissions r-xr-xrwx +# or rwxrwxrwx. +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#WRITEWHITELIST="/bin/ps /usr/bin/date" + +# +# Allow the specified commands to be scripts. +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +SCRIPTWHITELIST=/bin/egrep +SCRIPTWHITELIST=/bin/fgrep +SCRIPTWHITELIST=/bin/which +SCRIPTWHITELIST=/usr/bin/groups +SCRIPTWHITELIST=/usr/bin/ldd +SCRIPTWHITELIST=/usr/bin/lwp-request +SCRIPTWHITELIST=/usr/sbin/adduser +SCRIPTWHITELIST=/usr/sbin/prelink + +# +# Allow the specified commands to have the immutable attribute set. +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown" + +# +# If this option is set to 1, then the immutable-bit test is +# reversed. That is, the files are expected to have the bit set. +# +IMMUTABLE_SET=0 + +# +# Allow the specified hidden directories to be whitelisted. +# +# This is a space-separated list of directory pathnames. +# The option may be specified more than once. The option +# may use wildcard characters. +# +#ALLOWHIDDENDIR="/etc/.java" +#ALLOWHIDDENDIR="/dev/.static" +#ALLOWHIDDENDIR="/dev/.SRC-unix" +ALLOWHIDDENDIR="/etc/.git" + +# +# Allow the specified hidden files to be whitelisted. +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#ALLOWHIDDENFILE="/etc/.java" +#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz" +#ALLOWHIDDENFILE="/etc/.pwd.lock" +#ALLOWHIDDENFILE="/etc/.init.state" +#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac" +#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac" +#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac" +#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac" +#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac" +#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac" +#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac" +#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac" +#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac" +#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac" +#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac" +#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac" +#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz" +ALLOWHIDDENFILE="/etc/.gitignore" +ALLOWHIDDENFILE="/etc/.etckeeper" +#ALLOWHIDDENFILE="/etc/.bzrignore" + +# +# Allow the specified processes to use deleted files. The +# process name may be followed by a colon-separated list of +# full pathnames. The process will then only be whitelisted +# if it is using one of the given files. For example: +# +# ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz" +# +# This is a space-separated list of process names. The option +# may be specified more than once. The option may use wildcard +# characters, but only in the file names. +# +#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc" +#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2" +#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*" +#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin" +#ALLOWPROCDELFILE="/usr/bin/file-roller" + +# +# Allow the specified processes to listen on any network interface. +# +# This is a space-separated list of process names. The option +# may be specified more than once. +# +#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd" +#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump" +#ALLOWPROCLISTEN="/usr/sbin/snort-plain" + +# +# Allow the specified network interfaces to be in promiscuous mode. +# +# This is a space-separated list of interface names. The option may +# be specified more than once. +# +#ALLOWPROMISCIF="eth0" + +# +# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files. +# The two allowed options are: THOROUGH or LAZY. +# If commented out we do a THOROUGH scan which will increase the runtime. +# Even though this adds to the running time it is highly recommended to +# leave it like this. +# +#SCAN_MODE_DEV=THOROUGH + +# +# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to +# perform a basic check, or a more thorough check. If the option is set to 0, +# then a basic check is performed. If it is set to 1, then all the directries +# in the /etc and /usr directories are scanned. The default value is 0. Users +# should note that setting this option to 1 will cause the test to take longer +# to complete. +# +PHALANX2_DIRTEST=0 + +# +# Allow the specified files to be present in the /dev directory, +# and not regarded as suspicious. +# +# This is a space-separated list of pathnames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#ALLOWDEVFILE="/dev/shm/pulse-shm-*" +#ALLOWDEVFILE="/dev/shm/sem.ADBE_*" + +# +# This setting tells rkhunter where the inetd configuration +# file is located. +# +#INETD_CONF_PATH=/etc/inetd.conf + +# +# Allow the following enabled inetd services. +# +# This is a space-separated list of service names. The option may +# be specified more than once. +# +# For non-Solaris users the simple service name should be used. +# For example: +# +# INETD_ALLOWED_SVC=echo +# +# For Solaris 9 users the simple service name should also be used, but +# if it is an RPC service, then the executable pathname should be used. +# For example: +# +# INETD_ALLOWED_SVC=imaps +# INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd" +# +# For Solaris 10 users the service/FMRI name should be used. For example: +# +# INETD_ALLOWED_SVC=/network/rpc/meta +# INETD_ALLOWED_SVC=/network/rpc/metamed +# INETD_ALLOWED_SVC=/application/font/stfsloader +# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord +# +#INETD_ALLOWED_SVC=echo + +# +# This setting tells rkhunter where the xinetd configuration +# file is located. +# +#XINETD_CONF_PATH=/etc/xinetd.conf + +# +# Allow the following enabled xinetd services. Whilst it would be +# nice to use the service names themselves, at the time of testing +# we only have the pathname available. As such, these entries are +# the xinetd file pathnames. +# +# This is a space-separated list of service names. The option may +# be specified more than once. +# +#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo + +# +# This option tells rkhunter the local system startup file pathnames. +# The directories will be searched for files. By default rkhunter +# will use certain filenames and directories. If the option is set +# to 'none', then certain tests will be skipped. +# +# This is a space-separated list of file and directory pathnames. +# The option may be specified more than once. The option may use +# wildcard characters. +# +#STARTUP_PATHS="/etc/init.d /etc/rc.local" + +# +# This setting tells rkhunter the pathname to the file containing the +# user account passwords. This setting will be worked out by rkhunter, +# and so should not usually need to be set. Users of TCB shadow files +# should not set this option. +# +#PASSWORD_FILE=/etc/shadow + +# +# Allow the following accounts to be root equivalent. These accounts +# will have a UID value of zero. The 'root' account does not need to +# be listed as it is automatically whitelisted. +# +# This is a space-separated list of account names. The option may +# be specified more than once. +# +# NOTE: For *BSD systems you will probably need to use this option +# for the 'toor' account. +# +#UID0_ACCOUNTS="toor rooty sashroot" + +# +# Allow the following accounts to have no password. NIS/YP entries do +# not need to be listed as they are automatically whitelisted. +# +# This is a space-separated list of account names. The option may +# be specified more than once. +# +#PWDLESS_ACCOUNTS="abc" + +# +# This setting tells rkhunter the pathname to the syslog configuration +# file. This setting will be worked out by rkhunter, and so should not +# usually need to be set. A value of 'NONE' can be used to indicate +# that there is no configuration file, but that the syslog daemon process +# may be running. +# +# This is a space-separated list of pathnames. The option may +# be specified more than once. +# +#SYSLOG_CONFIG_FILE=/etc/syslog.conf + +# +# This option permits the use of syslog remote logging. +# +ALLOW_SYSLOG_REMOTE_LOGGING=0 + +# +# Allow the following applications, or a specific version of an application, +# to be whitelisted. This option may be specified more than once, and is a +# space-separated list consisting of the application names. If a specific +# version is to be whitelisted, then the name must be followed by a colon +# and then the version number. For example: +# +# APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29" +# +# Note above that for the Apache web server, the name 'httpd' is used. +# +#APP_WHITELIST="" + +# +# Scan for suspicious files in directories containing temporary files and +# directories posing a relatively higher risk due to user write access. +# Please do not enable by default as suspscan is CPU and I/O intensive and prone to +# producing false positives. Do review all settings before usage. +# Also be aware that running suspscan in combination with verbose logging on, +# RKH's default, will show all ignored files. +# Please consider adding all directories the user the (web)server runs as has +# write access to including the document root (example: "/var/www") and log +# directories (example: "/var/log/httpd"). +# +# This is a space-separated list of directory pathnames. +# The option may be specified more than once. +# +#SUSPSCAN_DIRS="/tmp /var/tmp" + +# +# Directory for temporary files. A memory-based one is better (faster). +# Do not use a directory name that is listed in SUSPSCAN_DIRS. +# Please make sure you have a tempfs mounted and the directory exists. +# +SUSPSCAN_TEMP=/dev/shm + +# +# Maximum filesize in bytes. Files larger than this will not be inspected. +# Do make sure you have enough space left in your temporary files directory. +# +SUSPSCAN_MAXSIZE=10240000 + +# +# Score threshold. Below this value no hits will be reported. +# A value of "200" seems "good" after testing on malware. Please adjust +# locally if necessary. +# +SUSPSCAN_THRESH=200 + +# +# The following option can be used to whitelist network ports which +# are known to have been used by malware. This option may be specified +# more than once. The option is a space-separated list of one or more +# of four types of whitelisting. These are: +# +# 1) a 'protocol:port' pair (e.g. TCP:25) +# 2) a pathname to an executable (e.g. /usr/sbin/squid) +# 3) a combined pathname, protocol and port +# (e.g. /usr/sbin/squid:TCP:3801) +# 4) an asterisk ('*') +# +# Only the UDP or TCP protocol may be specified, and the port number +# must be between 1 and 65535 inclusive. +# +# The asterisk can be used to indicate that any executable which rkhunter +# can locate as a command, is whitelisted. (See BINDIR in this file.) +# +# For example: +# +# PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" +# +# NOTE: In order to whitelist a pathname, or use the asterisk option, +# the 'lsof' command must be present. +# +#PORT_WHITELIST="" + +# +# The following option can be used to tell rkhunter where the operating +# system 'release' file is located. This file contains information +# specifying the current O/S version. RKH will store this information +# itself, and check to see if it has changed between each run. If it has +# changed, then the user is warned that RKH may issue warning messages +# until RKH has been run with the '--propupd' option. +# +# Since the contents of the file vary according to the O/S distribution, +# RKH will perform different actions when it detects the file itself. As +# such, this option should not be set unless necessary. If this option is +# specified, then RKH will assume the O/S release information is on the +# first non-blank line of the file. +# +#OS_VERSION_FILE="/etc/debian_version" + +# +# The following two options can be used to whitelist files and directories +# that would normally be flagged with a warning during the various rootkit +# and malware checks. If the file or directory name contains a space, then +# the percent character ('%') must be used instead. Only existing files and +# directories can be specified, and these must be full pathnames not links. +# +# Additionally, the RTKT_FILE_WHITELIST option may include a string after the +# file name (separated by a colon). This will then only whitelist that string +# in that file (as part of the malware checks). For example: +# +# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm" +# +# If the option list includes the filename on its own as well, then the file +# will be whitelisted from rootkit checks of the files existence, but still +# only the specific string within the file will be whitelisted. For example: +# +# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local" +# +# To whitelist a file from the existence checks, but not from the strings +# checks, then include the filename on its own and on its own but with +# just a colon appended. For example: +# +# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:" +# +# NOTE: It is recommended that if you whitelist any files, then you include +# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS +# configuration option. +# +# These are space-separated lists of file and directory pathnames. +# The options may be specified more than once. +# +#RTKT_DIR_WHITELIST="" +#RTKT_FILE_WHITELIST="" + +# +# The following option can be used to whitelist shared library files that would +# normally be flagged with a warning during the preloaded shared library check. +# These library pathnames usually exist in the '/etc/ld.so.preload' file or in +# the LD_PRELOAD environment variable. +# +# NOTE: It is recommended that if you whitelist any files, then you include +# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS +# configuration option. +# +# This is a space-separated list of library pathnames. +# The option may be specified more than once. +# +#SHARED_LIB_WHITELIST="/lib/snoopy.so" + +# +# To force rkhunter to use the supplied script for the 'stat' or 'readlink' +# command, then the following two options can be used. The value must be +# set to 'BUILTIN'. +# +# NOTE: IRIX users will probably need to enable STAT_CMD. +# +#STAT_CMD=BUILTIN +#READLINK_CMD=BUILTIN + +# +# In the file properties test any modification date/time is displayed as the +# number of epoch seconds. Rkhunter will try and use the 'date' command, or +# failing that the 'perl' command, to display the date and time in a +# human-readable format as well. This option may be used if some other command +# should be used instead. The given command must understand the '%s' and +# 'seconds ago' options found in the GNU date command. +# +# A value of 'NONE' may be used to request that only the epoch seconds be shown. +# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if +# it is present. +# +#EPOCH_DATE_CMD="" + +# +# This setting tells rkhunter the directory containing the available +# Linux kernel modules. This setting will be worked out by rkhunter, +# and so should not usually need to be set. +# +#MODULES_DIR="" + +# +# The following option can be set to a command which rkhunter will use when +# downloading files from the Internet - that is, when the '--update' or +# '--versioncheck' option is used. The command can take options. +# +# This allows the user to use a command other than the one automatically +# selected by rkhunter, but still one which it already knows about. +# For example: +# +# WEB_CMD=curl +# +# Alternatively, the user may specify a completely new command. However, note +# that rkhunter expects the downloaded file to be written to stdout, and that +# everything written to stderr is ignored. For example: +# +# WEB_CMD="/opt/bin/dlfile --timeout 5m -q" +# +# *BSD users may want to use the 'ftp' command, provided that it supports +# the HTTP protocol: +# +# WEB_CMD="ftp -o -" +# +#WEB_CMD="" + +# +# Set the following option to 0 if you do not want to receive a warning if +# any O/S information has changed since the last run of 'rkhunter --propupd'. +# The warnings occur during the file properties check. The default is to +# issue a warning if something has changed. +# +#WARN_ON_OS_CHANGE=1 + +# +# Set the following option to 1 if you want rkhunter to automatically run +# a file properties update ('--propupd') if the O/S has changed. Detection +# of an O/S change occurs during the file properties check. The default is +# not to do an automatic update. +# +# WARNING: Only set this option if you are sure that the update will work +# correctly. That is, that the database directory is writeable, that a valid +# hash function is available, and so on. This can usually be checked simply +# by running 'rkhunter --propupd' at least once. +# +#UPDT_ON_OS_CHANGE=0 + +# +# Set the following option to 1 if locking is to be used when rkhunter runs. +# The lock is set just before logging starts, and is removed when the program +# ends. It is used to prevent items such as the log file, and the file +# properties file, from becoming corrupted if rkhunter is running more than +# once. The mechanism used is to simply create a lock file in the TMPDIR +# directory. If the lock file already exists, because rkhunter is already +# running, then the current process simply loops around sleeping for 10 seconds +# and then retrying the lock. +# +# The default is not to use locking. +# +USE_LOCKING=0 + +# +# If locking is used, then rkhunter may have to wait to get the lock file. +# This option sets the total amount of time, in seconds, that rkhunter should +# wait. It will retry the lock every 10 seconds, until either it obtains the +# lock or the timeout value has been reached. If no value is set, then a +# default of 300 seconds (5 minutes) is used. +# +LOCK_TIMEOUT=300 + +# +# If locking is used, then rkhunter may be doing nothing for some time if it +# has to wait for the lock. Some simple messages are echo'd to the users screen +# to let them know that rkhunter is waiting for the lock. Set this option to 0 +# if the messages are not to be displayed. The default is to show them. +# +SHOW_LOCK_MSGS=1 + +# +# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function +# will search (on a per rootkit basis) for filenames in all of the directories (as defined +# by the result of running 'find / -xdev'). While still not optimal, as it +# still searches for only file names as opposed to file contents, this is one step away +# from the rigidity of searching in known (evidence) or default (installation) locations. +# +# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. +# +# You should only activate this feature as part of a more thorough investigation which +# should be based on relevant best practices and procedures. +# +# Enabling this feature implies you have the knowledge to interpret the results properly. +# +#SCANROOTKITMODE=THOROUGH + +# +# The following option can be set to the name(s) of the tests the 'unhide' command is +# to use. In order to maintain compatibility with older versions of 'unhide', this +# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but +# will only take effect when they are seen. The test names are a space-separated list, +# and will be executed in the order given. +# +#UNHIDE_TESTS="sys" + +# +# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it +# is possible to disable the execution of one of the programs if desired. By default +# rkhunter will look for both programs, and execute each of them as they are found. +# If the value of this option is 0, then both programs will be executed if they are +# present. A value of 1 will disable execution of the C 'unhide' program, and a value +# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable +# both programs, then disable the 'hidden_procs' test. +# +DISABLE_UNHIDE=1 + +INSTALLDIR="/usr" + diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 340e74b..17fbfb2 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -12,3 +12,6 @@ - name: Reload samhain service: name=samhain state=reloaded + +- name: Update rkhunter's data file + command: /usr/bin/rkhunter --propupd diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index b2ec514..1d57812 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -4,3 +4,4 @@ - include: apt.yml tags=apt - include: firewall.yml tags=firewall,iptables - include: samhain.yml tags=samhain +- include: rkhunter.yml tags=rkhunter diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml new file mode 100644 index 0000000..144430e --- /dev/null +++ b/roles/common/tasks/rkhunter.yml @@ -0,0 +1,22 @@ +- name: Install rkhunter + apt: pkg={{ item }} + with_items: + - rkhunter + - curl + - iproute + - lsof + - unhide + - unhide.rb + +- name: Configure rkhunter + copy: src=etc/{{ item }} + dest=/etc/{{ item }} + owner=root group=root + mode=0644 + with_items: + - rkhunter.conf + - default/rkhunter + notify: + # This might not always be necessary, but it's not like we would + # change the config every day... + - Update rkhunter's data file -- cgit v1.2.3