Merge pull request 'Release of EvoBSD 6.9.0' (#38) from dev into master

Reviewed-on: #38
This commit is contained in:
Tristan Pilat 2021-05-06 15:54:13 +02:00
commit c7e3c41775
21 changed files with 741 additions and 64 deletions

View file

@ -7,6 +7,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## [6.9.0] - 2021-05-06
### Changed
- Remove the variable VERBOSESTATUS in daily.local configuration file since it is no longer valid.
## [6.8.3] - 2021-02-15
### Added
- Add a customization of the logsentry configuration
- Add a check_openvpn_certificates in NRPE and OpenVPN role to check expiration date of server CA and certificates files
### Fixed
- Fix the check_mem command in the NRPE role, precising the percentage sign for it not to check the memory in MB.
- Fix the check_mem script in the NRPE role, adding cached RAM as free RAM
- Fix motd-carp-state.sh by updating the OpenBSD release in our customized motd after an upgrade
### Changed
- The PF role now use a variable for trusted IPs
## [6.8.2] - 2020-10-30
### Added
- Add a Logsentry role
## [6.8.1] - 2020-10-26
### Fixed
- Fix a task using a register where simple quotes prevented the register to be properly filled, breaking the following task
## [6.8.0] - 2020-10-23
### Added

View file

@ -1,4 +1,4 @@
# EvoBSD 6.8.0
# EvoBSD 6.9.0
EvoBSD is an ansible project used for customising OpenBSD hosts
used by Evolix.

View file

@ -30,7 +30,7 @@ SERVERS="node0.backup.example.com:2XXX node1.backup.example.com:2XXX"
SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
# timeout (in seconds) for SSH connections
SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-30}
SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90}
## We use /home/backup : feel free to use your own dir
LOCAL_BACKUP_DIR="/home/backup"
@ -83,7 +83,7 @@ test_server() {
else
# SSH connection failed
new_error=$(printf "Failed to connect to \`%s' within %s seconds" "${item}" "${SSH_CONNECT_TIMEOUT}")
SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
return 1
fi
@ -96,16 +96,16 @@ pick_server() {
if [ "${increment}" -ge "${list_length}" ]; then
# We've reached the end of the list
new_error="No more server available"
SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
# Log errors to stderr
printf "%s\n" "${SERVERS_SSH_ERRORS}" >&2
printf "%s\\n" "${SERVERS_SSH_ERRORS}" >&2
# Log errors to logfile
printf "%s\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE
printf "%s\\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE
return 1
fi
# Extract the day of month, without leading 0 (which would give an octal based number)
# Extract the day of month, without leading 0 (which would give an octal based number)
today=$(date +%e)
# A salt is useful to randomize the starting point in the list
# but stay identical each time it's called for a server (based on hostname).
@ -123,14 +123,14 @@ pick_server() {
if [ -e "${PIDFILE}" ]; then
pid=$(cat "${PIDFILE}")
# Does process still exist ?
if kill -0 ${pid} 2> /dev/null; then
if kill -0 "${pid}" 2> /dev/null; then
# Killing the childs of evobackup.
for ppid in $(pgrep -P "${pid}"); do
kill -9 "${ppid}";
done
# Then kill the main PID.
kill -9 "${pid}"
printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\n" >&2
printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\\n" >&2
else
rm -f ${PIDFILE}
fi
@ -145,6 +145,8 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
# You can comment or uncomment sections below to customize the backup
## OpenLDAP : example with slapcat
# slapcat -n 0 -l ${LOCAL_BACKUP_DIR}/config.ldap.bak
# slapcat -n 1 -l ${LOCAL_BACKUP_DIR}/data.ldap.bak
# slapcat -l ${LOCAL_BACKUP_DIR}/ldap.bak
## MySQL
@ -160,29 +162,33 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \
# --fields-enclosed-by='\"' --fields-terminated-by=',' -T /home/mysqldump/$i $i; done
## Dump all grants (requires 'percona-toolkit' package)
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
# pt-show-grants --flush --no-header > ${LOCAL_BACKUP_DIR}/mysql/all_grants.sql
## example with SQL dump (schema only, no data) for each databases
# mkdir -p -m 700 /home/mysqldump/
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > /home/mysqldump/${i}.schema.sql
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > ${LOCAL_BACKUP_DIR}/mysql/${i}.schema.sql
# done
## example with compressed SQL dump (with data) for each databases
# mkdir -p -m 700 /home/mysqldump/
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > ${LOCAL_BACKUP_DIR}/mysql/${i}.sql.gz
# done
## example with *one* uncompressed SQL dump for *one* database (MYBASE)
# mkdir -p -m 700 /home/mysqldump/MYBASE
# chown -RL mysql /home/mysqldump/
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/MYBASE
# chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql/
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \
# --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE
# --opt --events --hex-blob --skip-comments -T ${LOCAL_BACKUP_DIR}/mysql/MYBASE MYBASE
## example with mysqlhotcopy
# mkdir -p -m 700 /home/mysqlhotcopy/
# mysqlhotcopy BASE /home/mysqlhotcopy/
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysqlhotcopy/
# mysqlhotcopy BASE ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/
## example for multiples MySQL instances
# mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3)
@ -225,7 +231,14 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
## Redis
## example with copy .rdb file
## for the default instance :
# cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/
## for multiple instances :
# for instance in $(ls -d /var/lib/redis-*); do
# name=$(basename $instance)
# mkdir -p ${LOCAL_BACKUP_DIR}/${name}
# cp -a ${instance}/dump.rdb ${LOCAL_BACKUP_DIR}/${name}
# done
## ElasticSearch
@ -295,7 +308,7 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
## Dump findmnt(8) output
FINDMNT_BIN=$(command -v findmnt)
if [ -x ${FINDMNT_BIN} ]; then
if [ -x "${FINDMNT_BIN}" ]; then
${FINDMNT_BIN} > ${LOCAL_BACKUP_DIR}/findmnt.txt
fi
else
@ -362,36 +375,51 @@ if [ "${SYNC_TASKS}" = "1" ]; then
# Remote shell command
RSH_COMMAND="ssh -p ${SSH_PORT} -o 'ConnectTimeout ${SSH_CONNECT_TIMEOUT}'"
rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \
# ignore check because we want it to split the different arguments to $rep
# shellcheck disable=SC2086
rsync -avzh --relative --stats --delete --delete-excluded --force --ignore-errors --partial \
--exclude "dev" \
--exclude "lost+found" \
--exclude ".nfs.*" \
--exclude "/var/log" \
--exclude "/var/log/evobackup*" \
--exclude "/usr/doc" \
--exclude "/usr/obj" \
--exclude "/usr/share/doc" \
--exclude "/usr/src" \
--exclude "/var/apt" \
--exclude "/var/cache" \
--exclude "/var/lib/amavis/amavisd.sock" \
--exclude "/var/lib/amavis/tmp" \
--exclude "/var/lib/clamav/*.tmp" \
--exclude "/var/lib/elasticsearch" \
--exclude "/var/lib/metche" \
--exclude "/var/lib/munin/*tmp*" \
--exclude "/var/db/munin/*.tmp" \
--exclude "/var/lib/mysql" \
--exclude "/var/lib/php5" \
--exclude "/var/lib/php/sessions" \
--exclude "/var/lib/postgres" \
--exclude "/var/lib/postgresql" \
--exclude "/var/lib/sympa" \
--exclude "/var/lib/metche" \
--exclude "/var/run" \
--exclude "/var/lock" \
--exclude "/var/state" \
--exclude "/var/apt" \
--exclude "/var/cache" \
--exclude "/usr/src" \
--exclude "/usr/doc" \
--exclude "/usr/share/doc" \
--exclude "/usr/obj" \
--exclude "dev" \
--exclude "/var/log" \
--exclude "/var/log/evobackup*" \
--exclude "/var/run" \
--exclude "/var/spool/postfix" \
--exclude "/var/lib/amavis/amavisd.sock" \
--exclude "/var/lib/munin/*tmp*" \
--exclude "/var/lib/php5" \
--exclude "/var/spool/smtpd" \
--exclude "/var/spool/squid" \
--exclude "/var/lib/elasticsearch" \
--exclude "/var/lib/amavis/tmp" \
--exclude "/var/lib/clamav/*.tmp" \
--exclude "/var/state" \
--exclude "lxc/*/rootfs/usr/doc" \
--exclude "lxc/*/rootfs/usr/obj" \
--exclude "lxc/*/rootfs/usr/share/doc" \
--exclude "lxc/*/rootfs/usr/src" \
--exclude "lxc/*/rootfs/var/apt" \
--exclude "lxc/*/rootfs/var/cache" \
--exclude "lxc/*/rootfs/var/lib/php5" \
--exclude "lxc/*/rootfs/var/lock" \
--exclude "lxc/*/rootfs/var/log" \
--exclude "lxc/*/rootfs/var/run" \
--exclude "lxc/*/rootfs/var/state" \
--exclude "/home/mysqltmp" \
--exclude "/var/lib/php/sessions" \
${rep} \
/etc \
/root \
@ -406,11 +434,11 @@ fi
END=$(/bin/date +"%d-%m-%Y ; %H:%M")
printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \
printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \
"${HOSTNAME}" "${BEGINNING}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
>> $LOGFILE
printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \
printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \
"${HOSTNAME}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
>> $LOGFILE

View file

@ -5,15 +5,4 @@
env: true
value: "{{ cron_root_path }}"
tags:
- cron
- name: Customize daily.local environment
lineinfile:
path: /etc/daily.local
line: 'VERBOSESTATUS=0'
insertbefore: BOF
owner: root
mode: "0644"
create: true
tags:
- cron
- cron

View file

@ -1,3 +1,4 @@
aliases.db
*.swp
random.seed
openvpn/ipp.txt

View file

@ -0,0 +1,7 @@
# logsentry
Installation and custom configuration of logsentry (formely logcheck)
## Tasks
Everything is in the `tasks/main.yml` file.

View file

@ -0,0 +1,100 @@
authsrv.*AUTHENTICATE
cron.*CMD
cron.*RELOAD
cron.*STARTUP
ftp-gw.*: exit host
ftp-gw.*: permit host
ftpd.*ANONYMOUS FTP LOGIN
ftpd.*FTP LOGIN FROM
ftpd.*retrieved
ftpd.*stored
http-gw.*: exit host
http-gw.*: permit host
mail.local
named.*Lame delegation
named.*Response from
named.*answer queries
named.*points to a CNAME
named.*reloading
named.*starting
netacl.*: exit host
netacl.*: permit host
popper.*Unable
popper: -ERR POP server at
popper: -ERR Unknown command: "uidl".
qmail.*new msg
qmail.*info msg
qmail.*starting delivery
qmail.*delivery
qmail.*end msg
rlogin-gw.*: exit host
rlogin-gw.*: permit host
sendmail.*User Unknown
sendmail.*alias database.*rebuilt
sendmail.*aliases.*longest
sendmail.*from=
sendmail.*lost input channel
sendmail.*message-id=
sendmail.*putoutmsg
sendmail.*return to sender
sendmail.*stat=
sendmail.*timeout waiting
smap.*host=
smapd.*daemon running
smapd.*delivered
telnetd.*ttloop: peer died
tn-gw.*: exit host
tn-gw.*: permit host
x-gw.*: exit host
x-gw.*: permit host
xntpd.*Previous time adjustment didn't complete
xntpd.*time reset
ansible-command: Invoked
ansible-copy: Invoked
ansible-cron: Invoked
ansible-file: Invoked
ansible-openbsd_pkg: Invoked
ansible-setup: Invoked
ansible-slurp: Invoked
ansible-stat: Invoked
ansible-synchronize: Invoked
bgpd.*: neighbor .*: sending IPv4 unicast EOR marker
bgpd.*: neighbor .*: sending IPv6 unicast EOR marker
bgpd.*: RDE reconfigured
bgpd.*: RDE soft reconfiguration done
bgpd.*: rereading config
bgpd.*: running softreconfig in
bgpd.*: SE reconfigured
bgpd.*: softreconfig in done
doas: _collectd ran command /bin/cat /var/log/daemon as root from /var/collectd
doas: _collectd ran command /usr/sbin/bgpctl sh as root from /var/collectd
doas: _collectd ran command /usr/sbin/bgpctl show neighbor as root from /var/collectd
doas: _nrpe ran command /sbin/bioctl sd2 as root from /
doas: _nrpe ran command /usr/local/libexec/nagios
doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from
last message repeated .* times
mownitoring.py: Alert sent through email
mownitoring.py: Already known state but still a problem for
newsyslog.*logfile turned over
nrpe.*: Could not read request from client, bailing out...
nrpe.*: Error: Could not complete SSL handshake.
nrpe.*: INFO: SSL Socket Shutdown.
ntpd.*: adjusting clock frequency by
pkg_add: Added
smtpd.*mta connected
smtpd.*mta connecting address=smtp://
smtpd.*mta delivery evpid=
smtpd.*mta disconnected reason=quit messages=
smtpd.*mta server-cert-check result=
smtpd.*mta tls ciphers=
smtpd.*smtp connected address=127.0.0.1 host=localhost
smtpd.*smtp connected address=local
smtpd.*smtp disconnected reason=quit
smtpd.*smtp envelope evpid=
smtpd.*smtp message msgid=
sshd.*Connection closed by 127.0.0.1 port
sshd.*Connection reset by 127.0.0.1 port
sudo:.*: a password is required ; TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
syslogd.*restart
unbound:.*info:

View file

@ -0,0 +1,281 @@
#!/bin/sh
#
# logcheck.sh: Log file checker
# Written by Craig Rowland <crowland@psionic.com>
#
# This file needs the program logtail.c to run
#
# This script checks logs for unusual activity and blatant
# attempts at hacking. All items are mailed to administrators
# for review. This script and the logtail.c program are based upon
# the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
# (c)Trusted Information Systems Inc. The original authors are
# Marcus J. Ranum and Fred Avolio.
#
# Default search files are tuned towards the TIS Firewall toolkit
# the TCP Wrapper program. Custom daemons and reporting facilites
# can be accounted for as well...read the rest of the script for
# details.
#
# Version Information
#
# 1.0 9/29/96 -- Initial Release
# 1.01 11/01/96 -- Added working /tmp directory for symlink protection
# (Thanks Richard Bullington (rbulling@obscure.org)
# 1.1 1/03/97 -- Made this script more portable for Sun's.
# 1/03/97 -- Made this script work on HPUX
# 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
# to Jay Vassos-Libove <libove@compgen.com> for
# his changes.
# CONFIGURATION SECTION
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.
# Person to send log activity to.
SYSADMIN=root
# Full path to logtail program.
# This program is required to run this script and comes with the package.
LOGTAIL=/usr/local/bin/logtail
# Full path to SECURED (non public writable) /tmp directory.
# Prevents Race condition and potential symlink problems. I highly
# recommend you do NOT make this a publically writable/readable directory.
# You would also be well advised to make sure all your system/cron scripts
# use this directory for their "scratch" area.
TMPDIR=/var/cache/logsentry
# The 'grep' command. This command MUST support the
# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
# does not support these switches, but the 'egrep' command does (Thanks
# Jason <jason@mastaler.com> ). Since grep and egrep are usually the GNU
# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
# hard links to each other we'll just specify egrep here. Change this if
# you get errors.
# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
GREP=egrep
# The 'mail' command. Most systems this should be OK to leave as is.
# If your default mail command does not support the '-s' (subject) command
# line switch you will need to change this command one one that does.
# The only system I've seen this to be a problem on are HPUX boxes.
# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
# feel they need to do everything differently to remind the rest that
# they are the best ;).
# Linux, FreeBSD, BSDI, Sun, etc.
MAIL=mail
# HPUX 10.x and others(?)
#MAIL=mailx
# Digital OSF/1, Irix
#MAIL=Mail
# File of known active hacking attack messages to look for.
# Only put messages in here if you are sure they won't cause
# false alarms. This is a rather generic way of checking for
# malicious activity and can be inaccurate unless you know
# what past hacking activity looks like. The default is to
# look for generic ISS probes (who the hell else looks for
# "WIZ" besides ISS?), and obvious sendmail attacks/probes.
HACKING_FILE=/etc/logsentry/logsentry.hacking
# File of security violation patterns to specifically look for.
# This file should contain keywords of information administrators should
# probably be aware of. May or may not cause false alarms sometimes.
# Generally, anything that is "negative" is put in this file. It may miss
# some items, but these will be caught by the next check. Move suspicious
# items into this file to have them reported regularly.
VIOLATIONS_FILE=/etc/logsentry/logsentry.violations
# File that contains more complete sentences that have keywords from
# the violations file. These keywords are normal and are not cause for
# concern but could cause a false alarm. An example of this is the word
# "refused" which is often reported by sendmail if a message cannot be
# delivered or can be a more serious security violation of a system
# attaching to illegal ports. Obviously you would put the sendmail
# warning as part of this file. Use your judgement before putting words
# in here or you can miss really important events. The default is to leave
# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some
# grep's will assume that an EMPTY file means a wildcard and will ignore
# everything! The basic configuration allows for the more frequent sendmail
# error.
#
# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
VIOLATIONS_IGNORE_FILE=/etc/logsentry/logsentry.violations.ignore
# This is the name of a file that contains patterns that we should
# ignore if found in a log file. If you have repeated false alarms
# or want specific errors ignored, you should put them in here.
# Once again, be as specific as possible, and go easy on the wildcards
IGNORE_FILE=/etc/logsentry/logsentry.ignore
# The files are reported in the order of hacking, security
# violations, and unusual system events. Notice that this
# script uses the principle of "That which is not explicitely
# ignored is reported" in that the script will report all items
# that you do not tell it to ignore specificially. Be careful
# how you use wildcards in the logcheck.ignore file or you
# may miss important entries.
# Make sure we really did clean up from the last run.
# Also this ensures that people aren't trying to trick us into
# overwriting files that we aren't supposed to. This is still a race
# condition, but if you are in a temp directory that does not have
# generic luser access it is not a problem. Do not allow this program
# to write to a generic /tmp directory where others can watch and/or
# create files!!
# Shouldn't need to touch these...
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`
umask 077
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
echo "Log files exist in $TMPDIR directory that cannot be removed. This
may be an attempt to spoof the log checker." \
| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
exit 1
fi
# LOG FILE CONFIGURATION SECTION
# You might have to customize these entries depending on how
# you have syslogd configured. Be sure you check all relevant logs.
# The logtail utility is required to read and mark log files.
# See INSTALL for more information. Again, using one log file
# is preferred and is easier to manage. Be sure you know what the
# > and >> operators do before you change them. LOG FILES SHOULD
# ALWAYS BE chmod 600 OWNER root!!
# Generic and Linux Slackware 3.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
# OpenBSD 2.x, 3.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/daemon >> $TMPDIR/check.$$
$LOGTAIL /var/log/xferlog >> $TMPDIR/check.$$
# Linux Red Hat Version 3.x, 4.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
# FreeBSD 2.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
# BSDI 2.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
# Un-comment out the line below if you are using BSDI 2.1
#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$
# SunOS, Sun Solaris 2.5
#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$
# HPUX 10.x and others(?)
#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$
# Digital OSF/1
# OSF/1 - uses rotating log directory with date & time in name
# LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print`
# LOGDIR=`ls -dtr1 $LOGDIRS | tail -1`
# if [ ! -d "$LOGDIR" ]
# then
# echo "Can't identify current log directory." >> $TMPDIR/checkrepo$
# else
# $LOGTAIL $LOGDIR/auth.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/daemon.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/kern.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/lpr.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/mail.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/syslog.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/user.log >> $TMPDIR/check.$$
# fi
#
# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
# BELOW THIS LINE.
# Set the flag variables
FOUND=0
ATTACK=0
# See if the tmp file exists and actually has data to check,
# if it doesn't we should erase it and exit as our job is done.
if [ ! -s $TMPDIR/check.$$ ]; then
rm -f $TMPDIR/check.$$
exit 0
fi
# Perform Searches
# Check for blatant hacking attempts
if [ -f "$HACKING_FILE" ]; then
if $GREP -i -f $HACKING_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
echo >> $TMPDIR/checkreport.$$
echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
FOUND=1
ATTACK=1
fi
fi
# Check for security violations
if [ -f "$VIOLATIONS_FILE" ]; then
if $GREP -i -f $VIOLATIONS_FILE $TMPDIR/check.$$ |
$GREP -v -f $VIOLATIONS_IGNORE_FILE > $TMPDIR/checkoutput.$$; then
echo >> $TMPDIR/checkreport.$$
echo "Security Violations" >> $TMPDIR/checkreport.$$
echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
FOUND=1
fi
fi
# Do reverse grep on patterns we want to ignore
if [ -f "$IGNORE_FILE" ]; then
if $GREP -v -f $IGNORE_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
echo >> $TMPDIR/checkreport.$$
echo "Unusual System Events" >> $TMPDIR/checkreport.$$
echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
FOUND=1
fi
fi
# If there are results, mail them to sysadmin
if [ "$ATTACK" -eq 1 ]; then
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
elif [ "$FOUND" -eq 1 ]; then
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
fi
# Clean Up
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$

View file

@ -0,0 +1,9 @@
stat=Deferred
unbound:.*info: server stats for
smtpd.*smtp connected address=127.0.0.1 host=localhost
smtpd.*smtp connected address=local
smtpd.*smtp disconnected reason=quit
smtpd.*smtp envelope evpid=
smtpd.*smtp message msgid=
nrpe.*: INFO: SSL Socket Shutdown.
collectd.*: exec plugin: Failed to execute

View file

@ -0,0 +1,49 @@
---
- name: Install logsentry
openbsd_pkg:
name:
- logsentry--
state: present
tags:
- logsentry
- name: Copy logsentry script to /usr/share/scripts
copy:
src: logsentry.sh
dest: /usr/share/scripts/logsentry.sh
owner: root
group: wheel
mode: "0644"
tags:
- logsentry
- name: Copy logsentry.ignore configuration
copy:
src: "{{ item }}"
dest: /etc/logsentry/logsentry.ignore
with_first_found:
- "files/logsentry/logsentry.ignore"
- "logsentry.ignore"
tags:
- logsentry
- config
- name: Copy logsentry.violations.ignore configuration
copy:
src: "{{ item }}"
dest: /etc/logsentry/logsentry.violations.ignore
with_first_found:
- "files/logsentry/logsentry.violations.ignore"
- "logsentry.violations.ignore"
tags:
- logsentry
- config
- name: hourly cron job for logsentry.sh is installed
cron:
name: logsentry
minute: "11"
job: >
/bin/sh /usr/share/scripts/logsentry.sh
tags:
- logsentry

View file

@ -1,11 +1,9 @@
---
evolix_trusted_ips: []
additional_trusted_ips: []
# Let's merge evolix_trusted_ips with additional_trusted_ips
nagios_nrpe_default_allowed_hosts: []
nagios_nrpe_additional_allowed_hosts: []
nagios_nrpe_allowed_hosts:
"{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
nagios_nrpe_ldap_passwd: LDAP_PASSWD
"{{ nagios_nrpe_default_allowed_hosts
| union(nagios_nrpe_additional_allowed_hosts) | unique }}"
nagios_nrpe_pgsql_passwd: PGSQL_PASSWD
nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}"

View file

@ -37,8 +37,9 @@ command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/
# Local checks (not packaged)
#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD
#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run
command[check_openvpn_certificates]=/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
#command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master
command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10
command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20% -c 10%
#command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME"
command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states
command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd

View file

@ -67,7 +67,7 @@ tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB))
{% if ansible_distribution_version is version_compare("6.2",'<') %}
free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB ))
{% else %}
free_mem=$(/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $4 }' | tr -d 'M')
free_mem=$(($(/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $4 }' | tr -d 'M') + $(top -n | grep Memory | awk '{print $8}' | tr -d 'M')))
{% endif %}
# Free memory size (in percentage)
free_mem_perc=$(( free_mem * 100 / tot_mem ))

View file

@ -0,0 +1,140 @@
#!/bin/sh
set -eu
trap error 0
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE=$STATE_OK
CERT_STATE=$STATE
CA_STATE=$STATE
CERT_ECHO=""
CA_ECHO=""
error() {
if [ $? -eq 2 ] && [ "X$CERT_ECHO" = "X" ] && [ "X$CA_ECHO" = "X" ] ; then
echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ?"
fi
}
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
date_cmd=$(command -v date)
# Dates in seconds
_15_days="1296000"
_30_days="2592000"
current_date=$($date_cmd +"%s")
# Trying to define the OpenVPN conf file location - default to /etc/openvpn/server.conf
conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")
[ "$SYSTEM" = "openbsd" ] && conf_file=${conf_file:-$(grep openvpn_flags /etc/rc.conf.local | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")}
conf_file=${conf_file:-"/etc/openvpn/server.conf"}
# Get the cert and ca file location, based on the OpenVPN conf file location
# Done in 2 times because sh does not support pipefail - needed in the case where $conf_file does not exist
cert_file=$(grep -s "^cert " $conf_file)
cert_file=$(echo $cert_file | sed -e "s/^cert *\//\//")
ca_file=$(grep -s "^ca " $conf_file)
ca_file=$(echo $ca_file | sed -e "s/^ca *\//\//")
# Get expiration date of cert and ca certificates
cert_expiration_date=$(grep "Not After" $cert_file | sed -e "s/.*Not After : //")
ca_expiration_date=$(openssl x509 -enddate -noout -in $ca_file | cut -d '=' -f 2)
test_cert_expiration() {
# Already expired - Cert file
if [ $current_date -ge $1 ]; then
CERT_ECHO="CRITICAL - The server certificate has expired on $formatted_cert_expiration_date"
CERT_STATE=$STATE_CRITICAL
# Expiration in 15 days or less - Cert file
elif [ $((current_date+_15_days)) -ge $1 ]; then
CERT_ECHO="CRITICAL - The server certificate expires in 15 days or less : $formatted_cert_expiration_date"
CERT_STATE=$STATE_CRITICAL
# Expiration in 30 days or less - Cert file
elif [ $((current_date+_30_days)) -ge $1 ]; then
CERT_ECHO="WARNING - The server certificate expires in 30 days or less : $formatted_cert_expiration_date"
CERT_STATE=$STATE_WARNING
# Expiration in more than 30 days - Cert file
else
CERT_ECHO="OK - The server certificate expires on $formatted_cert_expiration_date"
CERT_STATE=$STATE_OK
fi
}
test_ca_expiration() {
# Already expired - CA file
if [ $current_date -ge $1 ]; then
CA_ECHO="CRITICAL - The server CA has expired on $formatted_ca_expiration_date"
CA_STATE=$STATE_CRITICAL
# Expiration in 15 days or less - CA file
elif [ $((current_date+_15_days)) -ge $1 ]; then
CA_ECHO="CRITICAL - The server CA expires in 15 days or less : $formatted_ca_expiration_date"
CA_STATE=$STATE_CRITICAL
# Expiration in 30 days or less - CA file
elif [ $((current_date+_30_days)) -ge $1 ]; then
CA_ECHO="WARNING - The server CA expires in 30 days or less : $formatted_ca_expiration_date"
CA_STATE=$STATE_WARNING
# Expiration in more than 30 days - CA file
else
CA_ECHO="OK - The server CA expires on $formatted_ca_expiration_date"
CA_STATE=$STATE_OK
fi
}
# Linux and BSD systems do not implement 'date' the same way
if [ "$SYSTEM" = "linux" ]; then
# Cert expiration date human formated then in seconds
formatted_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%F %T %Z")
seconds_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%s")
# CA expiration date human formated then in seconds
formatted_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%F %T %Z")
seconds_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%s")
test_cert_expiration $seconds_cert_expiration_date
test_ca_expiration $seconds_ca_expiration_date
elif [ "$SYSTEM" = "openbsd" ]; then
# Cert expiration date for POSIX date, human formated then in seconds
posix_cert_expiration_date=$(echo "$cert_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
cert_zone=$(echo "$cert_expiration_date" | awk '{print $5}')
formatted_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%F %T %Z")
seconds_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%s")
# CA expiration date for POSIX date, human formated then in seconds
posix_ca_expiration_date=$(echo "$ca_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
ca_zone=$(echo "$ca_expiration_date" | awk '{print $5}')
formatted_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%F %T %Z")
seconds_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%s")
test_cert_expiration $seconds_cert_expiration_date
test_ca_expiration $seconds_ca_expiration_date
# If neither Linux nor BSD
else
echo "CRITICAL - OS not supported"
STATE=$STATE_CRITICAL
exit $STATE
fi
# Display the first one that expires first
if [ $CA_STATE -gt $CERT_STATE ]; then
echo $CA_ECHO
echo $CERT_ECHO
exit $CA_STATE
elif [ $CERT_STATE -gt $CA_STATE ]; then
echo $CERT_ECHO
echo $CA_ECHO
exit $CERT_STATE
else
echo $CERT_ECHO
echo $CA_ECHO
exit $CERT_STATE
fi

View file

@ -1 +1 @@
/home/tpilat/GIT/shellpki/
../../../../shellpki

View file

@ -119,3 +119,18 @@
name: "p5-Net-Telnet"
tags:
- openvpn
- name: Copy check_openvpn_certificates.sh
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: wheel
mode: "{{ item.mode }}"
force: true
with_items:
- src: 'files/check_openvpn_certificates.sh'
dest: '/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh'
mode: '0755'
tags:
- openvpn

13
roles/pf/README.md Normal file
View file

@ -0,0 +1,13 @@
# PacketFilter
Custom configuration of PacketFilter.
## Tasks
Everything is in the `tasks/main.yml` file.
## Available variables
* `pf_trusted_ips` : list of IP trusted for important access (default: all).
The full list of variables (with default values) can be found in `defaults/main.yml`.

View file

@ -0,0 +1,9 @@
---
pf_default_trusted_ips: []
pf_additional_trusted_ips: []
# and default to ['0.0.0.0/0'] if the result is still empty
pf_trusted_ips:
"{{ pf_default_trusted_ips | union(pf_additional_trusted_ips)
| unique | join(', ')
| default(['0.0.0.0/0'], true) }}"

View file

@ -12,7 +12,7 @@ ext_if="{{ ansible_default_ipv4.device }}"
###########################
# Evolix
table <evolix> { 88.179.18.233, 31.170.9.129, 31.170.8.4 }
table <evolix> { {{ pf_trusted_ips }} }
# Port en entrée
# 2222 = ssh secondaire

View file

@ -5,6 +5,8 @@ if [ ! -f /etc/motd-original ]; then
fi
if [ ! -f /tmp/carp.state ]; then
# Replace OpenBSD version in motd after each boot for it to be up to date after an upgrade
sed -i "1 s/^.*$/$(head -1 \/var\/run\/dmesg.boot)/" /etc/motd-original
echo "unknown" > /tmp/carp.state
fi

View file

@ -9,7 +9,7 @@
- name: Fetch root crontab content
command: >
'grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root'
grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root
check_mode: false
register: root_crontab_content
failed_when: false