commit 6e709bbd759ceb38c478b9fe5d21110afd1efae4
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 11:25:40 2019 +0200
Update rkhunter default config
roles/rkhunter/tasks/main.yml | 4 ++--
roles/rkhunter/templates/rkhunter.conf.j2 | 27 +++++++++++++++++++++++++--
2 files changed, 27 insertions(+), 4 deletions(-)
---
diff --git a/roles/rkhunter/tasks/main.yml b/roles/rkhunter/tasks/main.yml
index e696ba2..83788c3 100644
--- a/roles/rkhunter/tasks/main.yml
+++ b/roles/rkhunter/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: install rkhunter (yum)
- yum: name=rkhunter state=present
+ package: name=rkhunter state=present
notify:
- run rkhunter
tags:
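Review bot: Now that both install tasks call `package: name=rkhunter state=present`, this task and the one in the next hunk (`@@ -9,7 +9,7 @@`) differ only in their names, so the `ansible_distribution_major_version|int < 22` split that kept `yum` and `dnf` apart no longer selects anything and a single `install rkhunter` task would do; the task body continues past the hunk, so the second task's `when` is not visible here to confirm the two conditions are complementary. The argument is also written as a free-form `key=value` string; the block form is what ansible-lint expects and reads as YAML rather than a shell-ish string: `package:` / `  name: rkhunter` / `  state: present`.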
@@ -9,7 +9,7 @@
when: ansible_distribution_major_version|int < 22
- name: install rkhunter (dnf)
- dnf: name=rkhunter state=present
+ package: name=rkhunter state=present
notify:
- run rkhunter
tags:
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2
b/roles/rkhunter/templates/rkhunter.conf.j2
index 663a4b8..9e30994 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -200,8 +200,12 @@ ALLOW_SSH_PROT_V1=0
# tests, the test names, and how rkhunter behaves when these options are used.
#
ENABLE_TESTS="all"
+{% if ansible_hostname.startswith(('cloud', 'buildvmhost-s390x')) %}
# Disable the promisc test here as openstack has it set on interfaces
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps
promisc"
+{% else %}
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
+{% endif %}
#
# The HASH_FUNC option can be used to specify the command to use
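Review bot: The comment left inside the new `if` branch, `# Disable the promisc test here as openstack has it set on interfaces`, now also covers `buildvmhost-s390x`, which that justification does not explain; since the promisc test is one of rkhunter's indicators for a sniffer on the host, the comment should state why that machine also needs it switched off. The `{% else %}` branch repeats the whole list minus one word, so the two branches will drift the next time a test is added or removed; the same output is one line, `DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps{% if ansible_hostname.startswith(('cloud', 'buildvmhost-s390x')) %} promisc{% endif %}"`. Matching on a hostname prefix rather than an inventory group also means any future host whose name happens to start with `cloud` silently loses the check; a group membership test would scope the exception explicitly.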
@@ -304,7 +308,9 @@ ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.udev/db
ALLOWHIDDENDIR=/dev/.udev/rules.d
+{% if ansible_hostname.startswith('cloud') %}
ALLOWHIDDENDIR=/etc/.git
+{% endif %}
ALLOWHIDDENDIR=/etc/.java
#
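Review bot: The now-conditional `ALLOWHIDDENDIR=/etc/.git` line has no comment saying why only `cloud` hosts get it, and the identical `ansible_hostname.startswith('cloud')` guard reappears at `@@ -326,8 +340,10 @@` around `/etc/.etckeeper` and `/etc/.gitignore`; presumably all three whitelist one etckeeper setup, and each block should say so, e.g. `# cloud hosts run etckeeper, which keeps /etc under git` above the `if`. Writing the same host condition twice in one template invites the two blocks drifting apart; a single host or group variable set for those hosts, tested in both places, would keep the exception in one spot. Each ALLOWHIDDENDIR entry removes a path from rkhunter's hidden-directory check, so the justification is worth recording next to the line.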
@@ -318,6 +324,14 @@ ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+{% if ansible_distribution_version|int > 27 %}
+# In Fedora 28+ there's a new package for dracut that does the FIPs stuff
+ALLOWHIDDENFILE=/usr/bin/.sha1hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha224hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha256hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha384hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha512hmac.hmac
+{% endif %}
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
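Review bot: The guard `{% if ansible_distribution_version|int > 27 %}` never checks the distribution, so the comment's `Fedora 28+` is narrower than the condition actually is; the role's tasks file tests `ansible_distribution_major_version|int`, and the matching form here would be `{% if ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 28 %}`. The comment `# In Fedora 28+ there's a new package for dracut that does the FIPs stuff` should name the package that installs the `.sha*hmac.hmac` files rather than describing it loosely, and `FIPs` should read `FIPS`. Because every ALLOWHIDDENFILE entry removes a hidden file from rkhunter's detection, an imprecise justification makes it hard to later decide whether the exception is still needed.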
@@ -326,8 +340,10 @@ ALLOWHIDDENFILE=/dev/.udev/queue.bin
ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum
# Fedora 21+ and RHEL 7.2+ have a /etc/.updated file
ALLOWHIDDENFILE=/etc/.updated
+{% if ansible_hostname.startswith('cloud') %}
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
+{% endif %}
#
# Allow the specified processes to use deleted files.
@@ -372,7 +388,9 @@ ALLOWDEVFILE=/dev/.udev/db/*
ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
ALLOWDEVFILE=/dev/.udev/uevent_seqnum
ALLOWDEVFILE=/dev/md/autorebuild.pid
+{% if ansible_hostname == 'notifs-backend01' %}
ALLOWDEVFILE=/dev/shm/fmn-cache.dbm
+{% endif %}
ALLOWDEVFILE=/dev/shm/squid-squid-page-pool.shm
ALLOWDEVFILE=/dev/shm/squid-cache_mem.shm
ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm
@@ -383,14 +401,19 @@ ALLOWDEVFILE=/dev/shm/squid-cache_mem_space.shm
ALLOWDEVFILE=/dev/shm/squid-cf__readers.shm
ALLOWDEVFILE=/dev/shm/squid-cf__queues.shm
ALLOWDEVFILE=/dev/shm/squid-cf__metadata.shm
-{% if inventory_hostname in groups['virtservers'] %}
+{% if inventory_hostname in groups['virtservers'] or inventory_hostname in
groups['openqa_workers'] or inventory_hostname in
groups['openqa_stg_workers'] or inventory_hostname in
groups['taskotron_stg_client_hosts'] or inventory_hostname in
groups['taskotron_dev_client_hosts'] %}
# libvirt spice device makes a /dev/shm/spice file
ALLOWDEVFILE=/dev/shm/spice.*
{% endif %}
-{% if inventory_hostname in groups['ipa'] %}
+{% if inventory_hostname in groups['ipa'] or inventory_hostname in
groups['ipa_stg'] %}
ALLOWDEVFILE=/dev/shm/sem.slapd*.stats
{% endif %}
+{% if inventory_hostname in groups['proxies'] or inventory_hostname in
groups['proxies_stg'] %}
+ALLOWDEVFILE=/dev/shm/libpod_lock
+{% endif %}
+{% if inventory_hostname in groups['pgbdr'] or inventory_hostname in
groups['pgbdr_stg'] or inventory_hostname ==
'ci-cc-rdu01.fedoraproject.org' or inventory_hostname ==
'hubs01.stg.phx2.fedoraproject.org' or inventory_hostname ==
'db-koji01.stg.phx2.fedoraproject.org' or inventory_hostname ==
'db-qa03.qa.fedoraproject.org' %}
ALLOWDEVFILE=/dev/shm/PostgreSQL*
+{% endif %}
#
# This setting tells rkhunter where the inetd configuration