From 4ace41334383d4175e2cf3b2d716b846a7bd4ee0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?=
Date: Mon, 21 Nov 2022 17:27:07 +0100
Subject: [PATCH] logsentry: update config files, add "[logsentry]" in subject, and simplify task
---
 CHANGELOG | 1 +
 roles/logsentry/files/logsentry.ignore | 32 +++++++++++++------
 roles/logsentry/files/logsentry.sh | 6 ++--
 .../files/logsentry.violations.ignore | 10 ++++++
 roles/logsentry/tasks/main.yml | 20 ++++--------
 5 files changed, 43 insertions(+), 26 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 58952c0..bea7d26 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -52,6 +52,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * base: we can chose to deploy or not utils files
 * base: reordering default variable file and deleting unused one
 * base: use a template for ntp configuration to ease the management of the different cases
+* logsentry: update config files, add "[logsentry]" in subject, and simplify task
 ### Fixed
diff --git a/roles/logsentry/files/logsentry.ignore b/roles/logsentry/files/logsentry.ignore
index 25a00c1..d372b96 100644
--- a/roles/logsentry/files/logsentry.ignore
+++ b/roles/logsentry/files/logsentry.ignore
@@ -49,38 +49,44 @@ x-gw.*: exit host
 x-gw.*: permit host
 xntpd.*Previous time adjustment didn't complete
 xntpd.*time reset
-ansible-command: Invoked
-ansible-copy: Invoked
-ansible-cron: Invoked
-ansible-file: Invoked
-ansible-openbsd_pkg: Invoked
-ansible-setup: Invoked
-ansible-slurp: Invoked
-ansible-stat: Invoked
-ansible-synchronize: Invoked
+ansible-.*: Invoked with
 bgpd.*: neighbor .*: sending IPv4 unicast EOR marker
 bgpd.*: neighbor .*: sending IPv6 unicast EOR marker
+bgpd.*: neighbor .*: received IPv4 unicast EOR marker
+bgpd.*: neighbor .*: received IPv6 unicast EOR marker
 bgpd.*: RDE reconfigured
 bgpd.*: RDE soft reconfiguration done
 bgpd.*: rereading config
 bgpd.*: running softreconfig in
 bgpd.*: SE reconfigured
 bgpd.*: softreconfig in done
+collectd.*: parse_value: Failed to parse string as gauge: "Active".
+collectd.*: parse_value: Failed to parse string as gauge: "Connect".
+collectd.*: parse_value: Failed to parse string as gauge: "Idle".
 doas: _collectd ran command /bin/cat /var/log/daemon as root from /var/collectd
 doas: _collectd ran command /usr/sbin/bgpctl sh as root from /var/collectd
 doas: _collectd ran command /usr/sbin/bgpctl show neighbor as root from /var/collectd
 doas: _nrpe ran command /sbin/bioctl sd2 as root from /
 doas: _nrpe ran command /usr/local/libexec/nagios
+doas: .* ran command su - as root from
 doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from
 last message repeated .* times
 mownitoring.py: Alert sent through email
 mownitoring.py: Already known state but still a problem for
+mta server-cert-check result="failure"
 newsyslog.*logfile turned over
 nrpe.*: Could not read request from client, bailing out...
 nrpe.*: Error: Could not complete SSL handshake.
 nrpe.*: INFO: SSL Socket Shutdown.
+nrpe.*: Client request was invalid, bailing out...
+nrpe.*: Error: Request packet type/version was invalid!
 ntpd.*: adjusting clock frequency by
+ntpd.*: peer 31.170.8.123 now invalid
+ntpd.*: peer 31.170.8.123 now valid
+ospfd.*recv_packet: authentication error, interface
 pkg_add: Added
+pmap_unwire: wiring for pmap .* va .* didn't change!
+smtpd.*delivery evpid=.* from= to=
 smtpd.*mta connected
 smtpd.*mta connecting address=smtp://
 smtpd.*mta delivery evpid=
@@ -92,8 +98,16 @@ smtpd.*smtp connected address=local
 smtpd.*smtp disconnected reason=quit
 smtpd.*smtp envelope evpid=
 smtpd.*smtp message msgid=
+sshd.*Accepted publickey for.*from 31.170.* port
+sshd.*Accepted publickey for.*from 82.65.34.85 port
 sshd.*Connection closed by 127.0.0.1 port
+sshd.*: Connection closed by authenticating user .* 31.170.* port
+sshd.*: Connection closed by authenticating user .* 82.65.34.85 port
 sshd.*Connection reset by 127.0.0.1 port
+sshd.*Disconnected from user.*31.170.* port
+sshd.*Disconnected from user.*82.65.34.85 port
+sshd.*Received disconnect from 31.170.* port
+sshd.*Received disconnect from 82.65.34.85 port
 sudo:.*: a password is required ; TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
 sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
 syslogd.*restart
diff --git a/roles/logsentry/files/logsentry.sh b/roles/logsentry/files/logsentry.sh
index cc509f1..3658282 100644
--- a/roles/logsentry/files/logsentry.sh
+++ b/roles/logsentry/files/logsentry.sh
@@ -149,7 +149,7 @@ rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
 if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
 echo "Log files exist in $TMPDIR directory that cannot be removed. This may be an attempt to spoof the log checker." \
- | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
+ | $MAIL -s "[logsentry] $HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
 exit 1
 fi
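Review bot: `+doas: .* ran command su - as root from` drops every report of a user turning a doas grant into a root shell, and `+mta server-cert-check result="failure"` (added again in the logsentry.violations.ignore hunk of this commit) drops outbound SMTP TLS certificate verification failures; both are exactly the events a log checker exists to surface, and silencing them leaves a privilege escalation or a tampered mail relay invisible in the daily report. If the doas noise comes from one known account and working directory, narrow the line to them, e.g. `doas: <account> ran command su - as root from <cwd>` (placeholders), instead of `.*`. The cert-check line should be removed, or at minimum anchored like its sibling in the violations file as `smtpd.*mta server-cert-check result="failure"`, since as an unanchored regex it matches the phrase anywhere in any message.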
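Review bot: The eight added sshd lines exempt successful public-key logins, authenticating-user disconnects and session ends from the hard-coded sources `31.170.*` and `82.65.34.85`, so a login from those addresses is never reported, and the same literal addresses are repeated in the ntpd peer lines of the -49 hunk. As an unescaped regex `31.170.*` also matches "31", any character, "170", anything, not only that prefix; the dots should be escaped, `31\.170\.`. Site-specific trusted sources do not belong in a file shipped verbatim by the role: rendering the ignore list from a per-deployment variable (a list of sources fed to a template) keeps the exemption explicit and reviewable, and `Accepted publickey` is worth leaving unfiltered altogether since a short daily list of successful logins is the cheapest audit signal this tool provides.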
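Review bot: The `[logsentry] ` prefix is now a literal repeated in three `$MAIL -s` subjects, here and twice in the -272 hunk, so the three can drift apart on the next edit; a single variable defined next to the other settings at the top of the script, e.g. `SUBJECT_PREFIX="[logsentry]"` and `-s "$SUBJECT_PREFIX $HOSTNAME $DATE ACTIVE SYSTEM ATTACK!"`, keeps them consistent and leaves one place to change. The variable would have to be added outside this hunk, with the other assignments. Any mail filters or alerting rules keyed on the old `$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!` subject need the new prefix as well, which the changelog entry could mention.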
@@ -272,9 +272,9 @@ fi
 # If there are results, mail them to sysadmin
 if [ "$ATTACK" -eq 1 ]; then
- cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
+ cat $TMPDIR/checkreport.$$ | $MAIL -s "[logsentry] $HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
 elif [ "$FOUND" -eq 1 ]; then
- cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
+ cat $TMPDIR/checkreport.$$ | $MAIL -s "[logsentry] $HOSTNAME $DATE system check" $SYSADMIN
 fi
 # Clean Up
diff --git a/roles/logsentry/files/logsentry.violations.ignore b/roles/logsentry/files/logsentry.violations.ignore
index ec7894e..4646ec2 100644
--- a/roles/logsentry/files/logsentry.violations.ignore
+++ b/roles/logsentry/files/logsentry.violations.ignore
@@ -5,5 +5,15 @@ smtpd.*smtp connected address=local
 smtpd.*smtp disconnected reason=quit
 smtpd.*smtp envelope evpid=
 smtpd.*smtp message msgid=
+smtpd.*mta connecting address=smtp://.* host=
+smtpd.*mta connected
+smtpd.*mta tls ciphers=
+smtpd.*mta server-cert-check result="success"
+smtpd.*mta delivery evpid=
+smtpd.*mta disconnected reason=quit messages=
 nrpe.*: INFO: SSL Socket Shutdown.
 collectd.*: exec plugin: Failed to execute
+collectd.*: parse_value: Failed to parse string as gauge: "Active".
+collectd.*: parse_value: Failed to parse string as gauge: "Connect".
+collectd.*: parse_value: Failed to parse string as gauge: "Idle".
+mta server-cert-check result="failure"
diff --git a/roles/logsentry/tasks/main.yml b/roles/logsentry/tasks/main.yml
index be1cc58..bca2f6b 100644
--- a/roles/logsentry/tasks/main.yml
+++ b/roles/logsentry/tasks/main.yml
@@ -17,23 +17,15 @@
 tags:
 - logsentry
-- name: "Copy logsentry.ignore configuration"
+- name: "Copy custom logsentry configuration files"
 copy:
 src: "{{ item }}"
- dest: /etc/logsentry/logsentry.ignore
- with_first_found:
- - "files/logsentry/logsentry.ignore"
+ dest: /etc/logsentry/"{{ item}}"
+ owner: root
+ group: wheel
+ mode: "0600"
+ with_items:
 - "logsentry.ignore"
- tags:
- - logsentry
- - logsentry-config
-
-- name: "Copy logsentry.violations.ignore configuration"
- copy:
- src: "{{ item }}"
- dest: /etc/logsentry/logsentry.violations.ignore
- with_first_found:
- - "files/logsentry/logsentry.violations.ignore"
 - "logsentry.violations.ignore"
 tags:
 - logsentry
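Review bot: `dest: /etc/logsentry/"{{ item}}"` keeps the double quotes inside a YAML plain scalar, so after templating the file is written to `/etc/logsentry/"logsentry.ignore"` with the quote characters in the name, while the path the checker presumably reads, `/etc/logsentry/logsentry.ignore`, is left untouched and an already-deployed copy would stay stale; it should be `dest: "/etc/logsentry/{{ item }}"`. The `logsentry-config` tag disappears with the deleted second task, so a run limited with `--tags logsentry-config` now skips this task silently; keep the tag on the merged task if playbooks rely on it. Dropping `with_first_found` also removes the `files/logsentry/` override hook, which matches the commit's stated simplification but is worth a line in the changelog. The explicit `owner: root`, `group: wheel` and `mode: "0600"` are a welcome tightening for a file that encodes what is deliberately not reported.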