diff --git a/CHANGELOG b/CHANGELOG index 825c09b..8f62600 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,6 +7,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [6.9.0] - 2021-05-06 + +### Changed + +- Remove the variable VERBOSESTATUS in daily.local configuration file since it is no longer valid. + +## [6.8.3] - 2021-02-15 + +### Added + +- Add a customization of the logsentry configuration +- Add a check_openvpn_certificates in NRPE and OpenVPN role to check expiration date of server CA and certificates files + +### Fixed + +- Fix the check_mem command in the NRPE role, precising the percentage sign for it not to check the memory in MB. +- Fix the check_mem script in the NRPE role, adding cached RAM as free RAM +- Fix motd-carp-state.sh by updating the OpenBSD release in our customized motd after an upgrade + +### Changed + +- The PF role now use a variable for trusted IPs + +## [6.8.2] - 2020-10-30 + +### Added + +- Add a Logsentry role + +## [6.8.1] - 2020-10-26 + +### Fixed + +- Fix a task using a register where simple quotes prevented the register to be properly filled, breaking the following task + ## [6.8.0] - 2020-10-23 ### Added diff --git a/README.md b/README.md index c3f3b2c..1037e11 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# EvoBSD 6.8.0 +# EvoBSD 6.9.0 EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix. diff --git a/roles/base/files/zzz_evobackup b/roles/base/files/zzz_evobackup index ec64280..1c1b103 100755 --- a/roles/base/files/zzz_evobackup +++ b/roles/base/files/zzz_evobackup @@ -30,7 +30,7 @@ SERVERS="node0.backup.example.com:2XXX node1.backup.example.com:2XXX" SERVERS_FALLBACK=${SERVERS_FALLBACK:-1} # timeout (in seconds) for SSH connections -SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-30} +SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90} ## We use /home/backup : feel free to use your own dir LOCAL_BACKUP_DIR="/home/backup" @@ -83,7 +83,7 @@ test_server() { else # SSH connection failed new_error=$(printf "Failed to connect to \`%s' within %s seconds" "${item}" "${SSH_CONNECT_TIMEOUT}") - SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d') + SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d') return 1 fi @@ -96,16 +96,16 @@ pick_server() { if [ "${increment}" -ge "${list_length}" ]; then # We've reached the end of the list new_error="No more server available" - SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d') + SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d') # Log errors to stderr - printf "%s\n" "${SERVERS_SSH_ERRORS}" >&2 + printf "%s\\n" "${SERVERS_SSH_ERRORS}" >&2 # Log errors to logfile - printf "%s\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE + printf "%s\\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE return 1 fi - # Extract the day of month, without leading 0 (which would give an octal based number) + # Extract the day of month, without leading 0 (which would give an octal based number) today=$(date +%e) # A salt is useful to randomize the starting point in the list # but stay identical each time it's called for a server (based on hostname). @@ -123,14 +123,14 @@ pick_server() { if [ -e "${PIDFILE}" ]; then pid=$(cat "${PIDFILE}") # Does process still exist ? - if kill -0 ${pid} 2> /dev/null; then + if kill -0 "${pid}" 2> /dev/null; then # Killing the childs of evobackup. for ppid in $(pgrep -P "${pid}"); do kill -9 "${ppid}"; done # Then kill the main PID. kill -9 "${pid}" - printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\n" >&2 + printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\\n" >&2 else rm -f ${PIDFILE} fi @@ -145,6 +145,8 @@ if [ "${LOCAL_TASKS}" = "1" ]; then # You can comment or uncomment sections below to customize the backup ## OpenLDAP : example with slapcat + # slapcat -n 0 -l ${LOCAL_BACKUP_DIR}/config.ldap.bak + # slapcat -n 1 -l ${LOCAL_BACKUP_DIR}/data.ldap.bak # slapcat -l ${LOCAL_BACKUP_DIR}/ldap.bak ## MySQL @@ -160,29 +162,33 @@ if [ "${LOCAL_TASKS}" = "1" ]; then # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \ # --fields-enclosed-by='\"' --fields-terminated-by=',' -T /home/mysqldump/$i $i; done + ## Dump all grants (requires 'percona-toolkit' package) + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/ + # pt-show-grants --flush --no-header > ${LOCAL_BACKUP_DIR}/mysql/all_grants.sql + ## example with SQL dump (schema only, no data) for each databases - # mkdir -p -m 700 /home/mysqldump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/ # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ # | egrep -v "^(Database|information_schema|performance_schema|sys)"); do - # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > /home/mysqldump/${i}.schema.sql + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > ${LOCAL_BACKUP_DIR}/mysql/${i}.schema.sql # done ## example with compressed SQL dump (with data) for each databases - # mkdir -p -m 700 /home/mysqldump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/ # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ # | egrep -v "^(Database|information_schema|performance_schema|sys)"); do - # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > ${LOCAL_BACKUP_DIR}/mysql/${i}.sql.gz # done ## example with *one* uncompressed SQL dump for *one* database (MYBASE) - # mkdir -p -m 700 /home/mysqldump/MYBASE - # chown -RL mysql /home/mysqldump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/MYBASE + # chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql/ # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \ - # --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE + # --opt --events --hex-blob --skip-comments -T ${LOCAL_BACKUP_DIR}/mysql/MYBASE MYBASE ## example with mysqlhotcopy - # mkdir -p -m 700 /home/mysqlhotcopy/ - # mysqlhotcopy BASE /home/mysqlhotcopy/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysqlhotcopy/ + # mysqlhotcopy BASE ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/ ## example for multiples MySQL instances # mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3) @@ -225,7 +231,14 @@ if [ "${LOCAL_TASKS}" = "1" ]; then ## Redis ## example with copy .rdb file + ## for the default instance : # cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/ + ## for multiple instances : + # for instance in $(ls -d /var/lib/redis-*); do + # name=$(basename $instance) + # mkdir -p ${LOCAL_BACKUP_DIR}/${name} + # cp -a ${instance}/dump.rdb ${LOCAL_BACKUP_DIR}/${name} + # done ## ElasticSearch @@ -295,7 +308,7 @@ if [ "${LOCAL_TASKS}" = "1" ]; then ## Dump findmnt(8) output FINDMNT_BIN=$(command -v findmnt) - if [ -x ${FINDMNT_BIN} ]; then + if [ -x "${FINDMNT_BIN}" ]; then ${FINDMNT_BIN} > ${LOCAL_BACKUP_DIR}/findmnt.txt fi else @@ -362,36 +375,51 @@ if [ "${SYNC_TASKS}" = "1" ]; then # Remote shell command RSH_COMMAND="ssh -p ${SSH_PORT} -o 'ConnectTimeout ${SSH_CONNECT_TIMEOUT}'" - rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \ + # ignore check because we want it to split the different arguments to $rep + # shellcheck disable=SC2086 + rsync -avzh --relative --stats --delete --delete-excluded --force --ignore-errors --partial \ + --exclude "dev" \ --exclude "lost+found" \ --exclude ".nfs.*" \ - --exclude "/var/log" \ - --exclude "/var/log/evobackup*" \ + --exclude "/usr/doc" \ + --exclude "/usr/obj" \ + --exclude "/usr/share/doc" \ + --exclude "/usr/src" \ + --exclude "/var/apt" \ + --exclude "/var/cache" \ + --exclude "/var/lib/amavis/amavisd.sock" \ + --exclude "/var/lib/amavis/tmp" \ + --exclude "/var/lib/clamav/*.tmp" \ + --exclude "/var/lib/elasticsearch" \ + --exclude "/var/lib/metche" \ + --exclude "/var/lib/munin/*tmp*" \ + --exclude "/var/db/munin/*.tmp" \ --exclude "/var/lib/mysql" \ + --exclude "/var/lib/php5" \ + --exclude "/var/lib/php/sessions" \ --exclude "/var/lib/postgres" \ --exclude "/var/lib/postgresql" \ --exclude "/var/lib/sympa" \ - --exclude "/var/lib/metche" \ - --exclude "/var/run" \ --exclude "/var/lock" \ - --exclude "/var/state" \ - --exclude "/var/apt" \ - --exclude "/var/cache" \ - --exclude "/usr/src" \ - --exclude "/usr/doc" \ - --exclude "/usr/share/doc" \ - --exclude "/usr/obj" \ - --exclude "dev" \ + --exclude "/var/log" \ + --exclude "/var/log/evobackup*" \ + --exclude "/var/run" \ --exclude "/var/spool/postfix" \ - --exclude "/var/lib/amavis/amavisd.sock" \ - --exclude "/var/lib/munin/*tmp*" \ - --exclude "/var/lib/php5" \ + --exclude "/var/spool/smtpd" \ --exclude "/var/spool/squid" \ - --exclude "/var/lib/elasticsearch" \ - --exclude "/var/lib/amavis/tmp" \ - --exclude "/var/lib/clamav/*.tmp" \ + --exclude "/var/state" \ + --exclude "lxc/*/rootfs/usr/doc" \ + --exclude "lxc/*/rootfs/usr/obj" \ + --exclude "lxc/*/rootfs/usr/share/doc" \ + --exclude "lxc/*/rootfs/usr/src" \ + --exclude "lxc/*/rootfs/var/apt" \ + --exclude "lxc/*/rootfs/var/cache" \ + --exclude "lxc/*/rootfs/var/lib/php5" \ + --exclude "lxc/*/rootfs/var/lock" \ + --exclude "lxc/*/rootfs/var/log" \ + --exclude "lxc/*/rootfs/var/run" \ + --exclude "lxc/*/rootfs/var/state" \ --exclude "/home/mysqltmp" \ - --exclude "/var/lib/php/sessions" \ ${rep} \ /etc \ /root \ @@ -406,11 +434,11 @@ fi END=$(/bin/date +"%d-%m-%Y ; %H:%M") -printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ +printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \ "${HOSTNAME}" "${BEGINNING}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ >> $LOGFILE -printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ +printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \ "${HOSTNAME}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ >> $LOGFILE diff --git a/roles/base/tasks/cron.yml b/roles/base/tasks/cron.yml index 87cce5f..4cceb69 100644 --- a/roles/base/tasks/cron.yml +++ b/roles/base/tasks/cron.yml @@ -5,15 +5,4 @@ env: true value: "{{ cron_root_path }}" tags: - - cron - -- name: Customize daily.local environment - lineinfile: - path: /etc/daily.local - line: 'VERBOSESTATUS=0' - insertbefore: BOF - owner: root - mode: "0644" - create: true - tags: - - cron + - cron \ No newline at end of file diff --git a/roles/etc-git/files/gitignore b/roles/etc-git/files/gitignore index 2a64198..9c6063c 100644 --- a/roles/etc-git/files/gitignore +++ b/roles/etc-git/files/gitignore @@ -1,3 +1,4 @@ aliases.db *.swp random.seed +openvpn/ipp.txt diff --git a/roles/logsentry/README.md b/roles/logsentry/README.md new file mode 100644 index 0000000..8a0c49c --- /dev/null +++ b/roles/logsentry/README.md @@ -0,0 +1,7 @@ +# logsentry + +Installation and custom configuration of logsentry (formely logcheck) + +## Tasks + +Everything is in the `tasks/main.yml` file. diff --git a/roles/logsentry/files/logsentry.ignore b/roles/logsentry/files/logsentry.ignore new file mode 100644 index 0000000..25a00c1 --- /dev/null +++ b/roles/logsentry/files/logsentry.ignore @@ -0,0 +1,100 @@ +authsrv.*AUTHENTICATE +cron.*CMD +cron.*RELOAD +cron.*STARTUP +ftp-gw.*: exit host +ftp-gw.*: permit host +ftpd.*ANONYMOUS FTP LOGIN +ftpd.*FTP LOGIN FROM +ftpd.*retrieved +ftpd.*stored +http-gw.*: exit host +http-gw.*: permit host +mail.local +named.*Lame delegation +named.*Response from +named.*answer queries +named.*points to a CNAME +named.*reloading +named.*starting +netacl.*: exit host +netacl.*: permit host +popper.*Unable +popper: -ERR POP server at +popper: -ERR Unknown command: "uidl". +qmail.*new msg +qmail.*info msg +qmail.*starting delivery +qmail.*delivery +qmail.*end msg +rlogin-gw.*: exit host +rlogin-gw.*: permit host +sendmail.*User Unknown +sendmail.*alias database.*rebuilt +sendmail.*aliases.*longest +sendmail.*from= +sendmail.*lost input channel +sendmail.*message-id= +sendmail.*putoutmsg +sendmail.*return to sender +sendmail.*stat= +sendmail.*timeout waiting +smap.*host= +smapd.*daemon running +smapd.*delivered +telnetd.*ttloop: peer died +tn-gw.*: exit host +tn-gw.*: permit host +x-gw.*: exit host +x-gw.*: permit host +xntpd.*Previous time adjustment didn't complete +xntpd.*time reset +ansible-command: Invoked +ansible-copy: Invoked +ansible-cron: Invoked +ansible-file: Invoked +ansible-openbsd_pkg: Invoked +ansible-setup: Invoked +ansible-slurp: Invoked +ansible-stat: Invoked +ansible-synchronize: Invoked +bgpd.*: neighbor .*: sending IPv4 unicast EOR marker +bgpd.*: neighbor .*: sending IPv6 unicast EOR marker +bgpd.*: RDE reconfigured +bgpd.*: RDE soft reconfiguration done +bgpd.*: rereading config +bgpd.*: running softreconfig in +bgpd.*: SE reconfigured +bgpd.*: softreconfig in done +doas: _collectd ran command /bin/cat /var/log/daemon as root from /var/collectd +doas: _collectd ran command /usr/sbin/bgpctl sh as root from /var/collectd +doas: _collectd ran command /usr/sbin/bgpctl show neighbor as root from /var/collectd +doas: _nrpe ran command /sbin/bioctl sd2 as root from / +doas: _nrpe ran command /usr/local/libexec/nagios +doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from +last message repeated .* times +mownitoring.py: Alert sent through email +mownitoring.py: Already known state but still a problem for +newsyslog.*logfile turned over +nrpe.*: Could not read request from client, bailing out... +nrpe.*: Error: Could not complete SSL handshake. +nrpe.*: INFO: SSL Socket Shutdown. +ntpd.*: adjusting clock frequency by +pkg_add: Added +smtpd.*mta connected +smtpd.*mta connecting address=smtp:// +smtpd.*mta delivery evpid= +smtpd.*mta disconnected reason=quit messages= +smtpd.*mta server-cert-check result= +smtpd.*mta tls ciphers= +smtpd.*smtp connected address=127.0.0.1 host=localhost +smtpd.*smtp connected address=local +smtpd.*smtp disconnected reason=quit +smtpd.*smtp envelope evpid= +smtpd.*smtp message msgid= +sshd.*Connection closed by 127.0.0.1 port +sshd.*Connection reset by 127.0.0.1 port +sudo:.*: a password is required ; TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND= +sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND= +syslogd.*restart +unbound:.*info: diff --git a/roles/logsentry/files/logsentry.sh b/roles/logsentry/files/logsentry.sh new file mode 100644 index 0000000..cc509f1 --- /dev/null +++ b/roles/logsentry/files/logsentry.sh @@ -0,0 +1,281 @@ +#!/bin/sh +# +# logcheck.sh: Log file checker +# Written by Craig Rowland +# +# This file needs the program logtail.c to run +# +# This script checks logs for unusual activity and blatant +# attempts at hacking. All items are mailed to administrators +# for review. This script and the logtail.c program are based upon +# the frequentcheck.sh script idea from the Gauntlet(tm) Firewall +# (c)Trusted Information Systems Inc. The original authors are +# Marcus J. Ranum and Fred Avolio. +# +# Default search files are tuned towards the TIS Firewall toolkit +# the TCP Wrapper program. Custom daemons and reporting facilites +# can be accounted for as well...read the rest of the script for +# details. +# +# Version Information +# +# 1.0 9/29/96 -- Initial Release +# 1.01 11/01/96 -- Added working /tmp directory for symlink protection +# (Thanks Richard Bullington (rbulling@obscure.org) +# 1.1 1/03/97 -- Made this script more portable for Sun's. +# 1/03/97 -- Made this script work on HPUX +# 5/14/97 -- Added Digital OSF/1 logging support. Big thanks +# to Jay Vassos-Libove for +# his changes. + + +# CONFIGURATION SECTION + +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin + +# Logcheck is pre-configured to work on most BSD like systems, however it +# is a rather dumb program and may need some help to work on other +# systems. Please check the following command paths to ensure they are +# correct. + +# Person to send log activity to. +SYSADMIN=root + +# Full path to logtail program. +# This program is required to run this script and comes with the package. + +LOGTAIL=/usr/local/bin/logtail + +# Full path to SECURED (non public writable) /tmp directory. +# Prevents Race condition and potential symlink problems. I highly +# recommend you do NOT make this a publically writable/readable directory. +# You would also be well advised to make sure all your system/cron scripts +# use this directory for their "scratch" area. + +TMPDIR=/var/cache/logsentry + +# The 'grep' command. This command MUST support the +# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's +# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told +# does not support these switches, but the 'egrep' command does (Thanks +# Jason ). Since grep and egrep are usually the GNU +# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just +# hard links to each other we'll just specify egrep here. Change this if +# you get errors. + +# Linux, FreeBSD, BSDI, Sun, HPUX, etc. +GREP=egrep + +# The 'mail' command. Most systems this should be OK to leave as is. +# If your default mail command does not support the '-s' (subject) command +# line switch you will need to change this command one one that does. +# The only system I've seen this to be a problem on are HPUX boxes. +# Naturally, the HPUX is so superior to the rest of UNIX OS's that they +# feel they need to do everything differently to remind the rest that +# they are the best ;). + +# Linux, FreeBSD, BSDI, Sun, etc. +MAIL=mail +# HPUX 10.x and others(?) +#MAIL=mailx +# Digital OSF/1, Irix +#MAIL=Mail + +# File of known active hacking attack messages to look for. +# Only put messages in here if you are sure they won't cause +# false alarms. This is a rather generic way of checking for +# malicious activity and can be inaccurate unless you know +# what past hacking activity looks like. The default is to +# look for generic ISS probes (who the hell else looks for +# "WIZ" besides ISS?), and obvious sendmail attacks/probes. + +HACKING_FILE=/etc/logsentry/logsentry.hacking + +# File of security violation patterns to specifically look for. +# This file should contain keywords of information administrators should +# probably be aware of. May or may not cause false alarms sometimes. +# Generally, anything that is "negative" is put in this file. It may miss +# some items, but these will be caught by the next check. Move suspicious +# items into this file to have them reported regularly. + +VIOLATIONS_FILE=/etc/logsentry/logsentry.violations + +# File that contains more complete sentences that have keywords from +# the violations file. These keywords are normal and are not cause for +# concern but could cause a false alarm. An example of this is the word +# "refused" which is often reported by sendmail if a message cannot be +# delivered or can be a more serious security violation of a system +# attaching to illegal ports. Obviously you would put the sendmail +# warning as part of this file. Use your judgement before putting words +# in here or you can miss really important events. The default is to leave +# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some +# grep's will assume that an EMPTY file means a wildcard and will ignore +# everything! The basic configuration allows for the more frequent sendmail +# error. +# +# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY! + +VIOLATIONS_IGNORE_FILE=/etc/logsentry/logsentry.violations.ignore + +# This is the name of a file that contains patterns that we should +# ignore if found in a log file. If you have repeated false alarms +# or want specific errors ignored, you should put them in here. +# Once again, be as specific as possible, and go easy on the wildcards + +IGNORE_FILE=/etc/logsentry/logsentry.ignore + +# The files are reported in the order of hacking, security +# violations, and unusual system events. Notice that this +# script uses the principle of "That which is not explicitely +# ignored is reported" in that the script will report all items +# that you do not tell it to ignore specificially. Be careful +# how you use wildcards in the logcheck.ignore file or you +# may miss important entries. + +# Make sure we really did clean up from the last run. +# Also this ensures that people aren't trying to trick us into +# overwriting files that we aren't supposed to. This is still a race +# condition, but if you are in a temp directory that does not have +# generic luser access it is not a problem. Do not allow this program +# to write to a generic /tmp directory where others can watch and/or +# create files!! + +# Shouldn't need to touch these... +HOSTNAME=`hostname` +DATE=`date +%m/%d/%y:%H.%M` + +umask 077 +rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$ +if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then + echo "Log files exist in $TMPDIR directory that cannot be removed. This +may be an attempt to spoof the log checker." \ + | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN + exit 1 +fi + +# LOG FILE CONFIGURATION SECTION +# You might have to customize these entries depending on how +# you have syslogd configured. Be sure you check all relevant logs. +# The logtail utility is required to read and mark log files. +# See INSTALL for more information. Again, using one log file +# is preferred and is easier to manage. Be sure you know what the +# > and >> operators do before you change them. LOG FILES SHOULD +# ALWAYS BE chmod 600 OWNER root!! + +# Generic and Linux Slackware 3.x +#$LOGTAIL /var/log/messages > $TMPDIR/check.$$ + +# OpenBSD 2.x, 3.x +$LOGTAIL /var/log/messages > $TMPDIR/check.$$ +$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$ +$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$ +$LOGTAIL /var/log/secure >> $TMPDIR/check.$$ +$LOGTAIL /var/log/daemon >> $TMPDIR/check.$$ +$LOGTAIL /var/log/xferlog >> $TMPDIR/check.$$ + +# Linux Red Hat Version 3.x, 4.x +#$LOGTAIL /var/log/messages > $TMPDIR/check.$$ +#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$ +#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$ + +# FreeBSD 2.x +#$LOGTAIL /var/log/messages > $TMPDIR/check.$$ +#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$ + +# BSDI 2.x +#$LOGTAIL /var/log/messages > $TMPDIR/check.$$ +#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$ +#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$ +#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$ +# Un-comment out the line below if you are using BSDI 2.1 +#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$ + +# SunOS, Sun Solaris 2.5 +#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$ +#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$ + +# HPUX 10.x and others(?) +#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$ + +# Digital OSF/1 +# OSF/1 - uses rotating log directory with date & time in name +# LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print` +# LOGDIR=`ls -dtr1 $LOGDIRS | tail -1` +# if [ ! -d "$LOGDIR" ] +# then +# echo "Can't identify current log directory." >> $TMPDIR/checkrepo$ +# else +# $LOGTAIL $LOGDIR/auth.log >> $TMPDIR/check.$$ +# $LOGTAIL $LOGDIR/daemon.log >> $TMPDIR/check.$$ +# $LOGTAIL $LOGDIR/kern.log >> $TMPDIR/check.$$ +# $LOGTAIL $LOGDIR/lpr.log >> $TMPDIR/check.$$ +# $LOGTAIL $LOGDIR/mail.log >> $TMPDIR/check.$$ +# $LOGTAIL $LOGDIR/syslog.log >> $TMPDIR/check.$$ +# $LOGTAIL $LOGDIR/user.log >> $TMPDIR/check.$$ +# fi +# + + + +# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING +# BELOW THIS LINE. + +# Set the flag variables +FOUND=0 +ATTACK=0 + +# See if the tmp file exists and actually has data to check, +# if it doesn't we should erase it and exit as our job is done. + +if [ ! -s $TMPDIR/check.$$ ]; then + rm -f $TMPDIR/check.$$ + exit 0 +fi + +# Perform Searches + +# Check for blatant hacking attempts +if [ -f "$HACKING_FILE" ]; then + if $GREP -i -f $HACKING_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then + echo >> $TMPDIR/checkreport.$$ + echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$ + echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$ + cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$ + FOUND=1 + ATTACK=1 + fi +fi + +# Check for security violations +if [ -f "$VIOLATIONS_FILE" ]; then + if $GREP -i -f $VIOLATIONS_FILE $TMPDIR/check.$$ | + $GREP -v -f $VIOLATIONS_IGNORE_FILE > $TMPDIR/checkoutput.$$; then + echo >> $TMPDIR/checkreport.$$ + echo "Security Violations" >> $TMPDIR/checkreport.$$ + echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$ + cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$ + FOUND=1 + fi +fi + +# Do reverse grep on patterns we want to ignore +if [ -f "$IGNORE_FILE" ]; then + if $GREP -v -f $IGNORE_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then + echo >> $TMPDIR/checkreport.$$ + echo "Unusual System Events" >> $TMPDIR/checkreport.$$ + echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$ + cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$ + FOUND=1 + fi +fi + +# If there are results, mail them to sysadmin + +if [ "$ATTACK" -eq 1 ]; then + cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN +elif [ "$FOUND" -eq 1 ]; then + cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN +fi + +# Clean Up +rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$ diff --git a/roles/logsentry/files/logsentry.violations.ignore b/roles/logsentry/files/logsentry.violations.ignore new file mode 100644 index 0000000..ec7894e --- /dev/null +++ b/roles/logsentry/files/logsentry.violations.ignore @@ -0,0 +1,9 @@ +stat=Deferred +unbound:.*info: server stats for +smtpd.*smtp connected address=127.0.0.1 host=localhost +smtpd.*smtp connected address=local +smtpd.*smtp disconnected reason=quit +smtpd.*smtp envelope evpid= +smtpd.*smtp message msgid= +nrpe.*: INFO: SSL Socket Shutdown. +collectd.*: exec plugin: Failed to execute diff --git a/roles/logsentry/tasks/main.yml b/roles/logsentry/tasks/main.yml new file mode 100644 index 0000000..57ac5e1 --- /dev/null +++ b/roles/logsentry/tasks/main.yml @@ -0,0 +1,49 @@ +--- +- name: Install logsentry + openbsd_pkg: + name: + - logsentry-- + state: present + tags: + - logsentry + +- name: Copy logsentry script to /usr/share/scripts + copy: + src: logsentry.sh + dest: /usr/share/scripts/logsentry.sh + owner: root + group: wheel + mode: "0644" + tags: + - logsentry + +- name: Copy logsentry.ignore configuration + copy: + src: "{{ item }}" + dest: /etc/logsentry/logsentry.ignore + with_first_found: + - "files/logsentry/logsentry.ignore" + - "logsentry.ignore" + tags: + - logsentry + - config + +- name: Copy logsentry.violations.ignore configuration + copy: + src: "{{ item }}" + dest: /etc/logsentry/logsentry.violations.ignore + with_first_found: + - "files/logsentry/logsentry.violations.ignore" + - "logsentry.violations.ignore" + tags: + - logsentry + - config + +- name: hourly cron job for logsentry.sh is installed + cron: + name: logsentry + minute: "11" + job: > + /bin/sh /usr/share/scripts/logsentry.sh + tags: + - logsentry diff --git a/roles/nagios-nrpe/defaults/main.yml b/roles/nagios-nrpe/defaults/main.yml index c27efa8..fd490d5 100644 --- a/roles/nagios-nrpe/defaults/main.yml +++ b/roles/nagios-nrpe/defaults/main.yml @@ -1,11 +1,9 @@ --- -evolix_trusted_ips: [] -additional_trusted_ips: [] -# Let's merge evolix_trusted_ips with additional_trusted_ips +nagios_nrpe_default_allowed_hosts: [] +nagios_nrpe_additional_allowed_hosts: [] nagios_nrpe_allowed_hosts: - "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" -nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT" -nagios_nrpe_ldap_passwd: LDAP_PASSWD + "{{ nagios_nrpe_default_allowed_hosts + | union(nagios_nrpe_additional_allowed_hosts) | unique }}" nagios_nrpe_pgsql_passwd: PGSQL_PASSWD nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}" diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 6273506..8fd7807 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -37,8 +37,9 @@ command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/ # Local checks (not packaged) #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run +command[check_openvpn_certificates]=/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh #command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master -command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10 +command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20% -c 10% #command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd diff --git a/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 b/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 index ee47ad5..fff81b5 100755 --- a/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 +++ b/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 @@ -67,7 +67,7 @@ tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB)) {% if ansible_distribution_version is version_compare("6.2",'<') %} free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB )) {% else %} -free_mem=$(/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $4 }' | tr -d 'M') +free_mem=$(($(/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $4 }' | tr -d 'M') + $(top -n | grep Memory | awk '{print $8}' | tr -d 'M'))) {% endif %} # Free memory size (in percentage) free_mem_perc=$(( free_mem * 100 / tot_mem )) diff --git a/roles/openvpn/files/check_openvpn_certificates.sh b/roles/openvpn/files/check_openvpn_certificates.sh new file mode 100755 index 0000000..bfcd97b --- /dev/null +++ b/roles/openvpn/files/check_openvpn_certificates.sh @@ -0,0 +1,140 @@ +#!/bin/sh + +set -eu + +trap error 0 + +STATE_OK=0 +STATE_WARNING=1 +STATE_CRITICAL=2 +STATE_UNKNOWN=3 +STATE=$STATE_OK +CERT_STATE=$STATE +CA_STATE=$STATE +CERT_ECHO="" +CA_ECHO="" + +error() { + if [ $? -eq 2 ] && [ "X$CERT_ECHO" = "X" ] && [ "X$CA_ECHO" = "X" ] ; then + echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ?" + fi +} + +SYSTEM=$(uname | tr '[:upper:]' '[:lower:]') +date_cmd=$(command -v date) + +# Dates in seconds +_15_days="1296000" +_30_days="2592000" +current_date=$($date_cmd +"%s") + +# Trying to define the OpenVPN conf file location - default to /etc/openvpn/server.conf +conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/") +[ "$SYSTEM" = "openbsd" ] && conf_file=${conf_file:-$(grep openvpn_flags /etc/rc.conf.local | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")} +conf_file=${conf_file:-"/etc/openvpn/server.conf"} + +# Get the cert and ca file location, based on the OpenVPN conf file location +# Done in 2 times because sh does not support pipefail - needed in the case where $conf_file does not exist +cert_file=$(grep -s "^cert " $conf_file) +cert_file=$(echo $cert_file | sed -e "s/^cert *\//\//") +ca_file=$(grep -s "^ca " $conf_file) +ca_file=$(echo $ca_file | sed -e "s/^ca *\//\//") + +# Get expiration date of cert and ca certificates +cert_expiration_date=$(grep "Not After" $cert_file | sed -e "s/.*Not After : //") +ca_expiration_date=$(openssl x509 -enddate -noout -in $ca_file | cut -d '=' -f 2) + +test_cert_expiration() { + # Already expired - Cert file + if [ $current_date -ge $1 ]; then + CERT_ECHO="CRITICAL - The server certificate has expired on $formatted_cert_expiration_date" + CERT_STATE=$STATE_CRITICAL + # Expiration in 15 days or less - Cert file + elif [ $((current_date+_15_days)) -ge $1 ]; then + CERT_ECHO="CRITICAL - The server certificate expires in 15 days or less : $formatted_cert_expiration_date" + CERT_STATE=$STATE_CRITICAL + # Expiration in 30 days or less - Cert file + elif [ $((current_date+_30_days)) -ge $1 ]; then + CERT_ECHO="WARNING - The server certificate expires in 30 days or less : $formatted_cert_expiration_date" + CERT_STATE=$STATE_WARNING + # Expiration in more than 30 days - Cert file + else + CERT_ECHO="OK - The server certificate expires on $formatted_cert_expiration_date" + CERT_STATE=$STATE_OK + fi +} + +test_ca_expiration() { + # Already expired - CA file + if [ $current_date -ge $1 ]; then + CA_ECHO="CRITICAL - The server CA has expired on $formatted_ca_expiration_date" + CA_STATE=$STATE_CRITICAL + # Expiration in 15 days or less - CA file + elif [ $((current_date+_15_days)) -ge $1 ]; then + CA_ECHO="CRITICAL - The server CA expires in 15 days or less : $formatted_ca_expiration_date" + CA_STATE=$STATE_CRITICAL + # Expiration in 30 days or less - CA file + elif [ $((current_date+_30_days)) -ge $1 ]; then + CA_ECHO="WARNING - The server CA expires in 30 days or less : $formatted_ca_expiration_date" + CA_STATE=$STATE_WARNING + # Expiration in more than 30 days - CA file + else + CA_ECHO="OK - The server CA expires on $formatted_ca_expiration_date" + CA_STATE=$STATE_OK + fi +} + +# Linux and BSD systems do not implement 'date' the same way +if [ "$SYSTEM" = "linux" ]; then + + # Cert expiration date human formated then in seconds + formatted_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%F %T %Z") + seconds_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%s") + + # CA expiration date human formated then in seconds + formatted_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%F %T %Z") + seconds_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%s") + + test_cert_expiration $seconds_cert_expiration_date + test_ca_expiration $seconds_ca_expiration_date + +elif [ "$SYSTEM" = "openbsd" ]; then + + # Cert expiration date for POSIX date, human formated then in seconds + posix_cert_expiration_date=$(echo "$cert_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}') + cert_zone=$(echo "$cert_expiration_date" | awk '{print $5}') + formatted_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%F %T %Z") + seconds_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%s") + + # CA expiration date for POSIX date, human formated then in seconds + posix_ca_expiration_date=$(echo "$ca_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}') + ca_zone=$(echo "$ca_expiration_date" | awk '{print $5}') + formatted_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%F %T %Z") + seconds_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%s") + + test_cert_expiration $seconds_cert_expiration_date + test_ca_expiration $seconds_ca_expiration_date + +# If neither Linux nor BSD +else + + echo "CRITICAL - OS not supported" + STATE=$STATE_CRITICAL + exit $STATE + +fi + +# Display the first one that expires first +if [ $CA_STATE -gt $CERT_STATE ]; then + echo $CA_ECHO + echo $CERT_ECHO + exit $CA_STATE +elif [ $CERT_STATE -gt $CA_STATE ]; then + echo $CERT_ECHO + echo $CA_ECHO + exit $CERT_STATE +else + echo $CERT_ECHO + echo $CA_ECHO + exit $CERT_STATE +fi diff --git a/roles/openvpn/files/shellpki b/roles/openvpn/files/shellpki index 3036d45..ce09651 120000 --- a/roles/openvpn/files/shellpki +++ b/roles/openvpn/files/shellpki @@ -1 +1 @@ -/home/tpilat/GIT/shellpki/ \ No newline at end of file +../../../../shellpki \ No newline at end of file diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 0fcd91d..c94f335 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -119,3 +119,18 @@ name: "p5-Net-Telnet" tags: - openvpn + +- name: Copy check_openvpn_certificates.sh + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: wheel + mode: "{{ item.mode }}" + force: true + with_items: + - src: 'files/check_openvpn_certificates.sh' + dest: '/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh' + mode: '0755' + tags: + - openvpn diff --git a/roles/pf/README.md b/roles/pf/README.md new file mode 100644 index 0000000..274247e --- /dev/null +++ b/roles/pf/README.md @@ -0,0 +1,13 @@ +# PacketFilter + +Custom configuration of PacketFilter. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +* `pf_trusted_ips` : list of IP trusted for important access (default: all). + +The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml new file mode 100644 index 0000000..2eb9c6c --- /dev/null +++ b/roles/pf/defaults/main.yml @@ -0,0 +1,9 @@ +--- + +pf_default_trusted_ips: [] +pf_additional_trusted_ips: [] +# and default to ['0.0.0.0/0'] if the result is still empty +pf_trusted_ips: + "{{ pf_default_trusted_ips | union(pf_additional_trusted_ips) + | unique | join(', ') + | default(['0.0.0.0/0'], true) }}" diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2 index 65ee69b..f75a81e 100644 --- a/roles/pf/templates/pf.conf.j2 +++ b/roles/pf/templates/pf.conf.j2 @@ -12,7 +12,7 @@ ext_if="{{ ansible_default_ipv4.device }}" ########################### # Evolix -table { 88.179.18.233, 31.170.9.129, 31.170.8.4 } +table { {{ pf_trusted_ips }} } # Port en entrée # 2222 = ssh secondaire diff --git a/roles/post-install/files/motd-carp-state.sh b/roles/post-install/files/motd-carp-state.sh index cc29db3..ba65e7c 100755 --- a/roles/post-install/files/motd-carp-state.sh +++ b/roles/post-install/files/motd-carp-state.sh @@ -5,6 +5,8 @@ if [ ! -f /etc/motd-original ]; then fi if [ ! -f /tmp/carp.state ]; then + # Replace OpenBSD version in motd after each boot for it to be up to date after an upgrade + sed -i "1 s/^.*$/$(head -1 \/var\/run\/dmesg.boot)/" /etc/motd-original echo "unknown" > /tmp/carp.state fi diff --git a/roles/post-install/tasks/motd.yml b/roles/post-install/tasks/motd.yml index 58a0bde..f78dbf5 100644 --- a/roles/post-install/tasks/motd.yml +++ b/roles/post-install/tasks/motd.yml @@ -9,7 +9,7 @@ - name: Fetch root crontab content command: > - 'grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root' + grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root check_mode: false register: root_crontab_content failed_when: false