Compare commits

54 commits

SHA1 |
---|
d481cf2b11 |
ad025bf507 |
7b337c2db1 |
8a6d16e2dc |
4522546edd |
798a87b0ff |
85fe9f6703 |
e6e05268e5 |
218568fc13 |
e0129f10b7 |
fe3d2035f5 |
9269b13123 |
3ccc0ca924 |
1bfa1d61f0 |
b68a18a4f5 |
c5f478c584 |
1abf0f636c |
82137026db |
91ef49f7b3 |
7046e193e0 |
b1aa50a717 |
14ec1ca13b |
3fc1dabec4 |
59c8b9b62f |
8cd6b0bda6 |
f8a9a86bdd |
a0f8339705 |
c7e3c41775 |
1efd405989 |
8d8e97f74d |
1364451198 |
2dae2d1ae4 |
119118ad06 |
b3496692b2 |
7fc4e0c7d7 |
54455a63df |
d7a427bd7f |
0c55f87727 |
60103070f2 |
7f5627f6bd |
55745e1a62 |
8a2111561f |
48ea75957d |
7d24b11fa9 |
6782746f3c |
389f1a8eae |
8cddc5e9ae |
7b7edb67c7 |
d84fc581d8 |
e9a1373a30 |
9a07552731 |
c242733808 |
563b17d5cd |
381aa50e37 |
41 changed files with 1785 additions and 155 deletions
.gitignore (2 lines, vendored, normal file, new)
|
@ -0,0 +1,2 @@
|
|||
/vars/evolinux-secrets.yml
|
||||
/vars/evolix-main.yml
|
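Review bot: ignoring vars/evolinux-secrets.yml and vars/evolix-main.yml keeps Evolix-specific values out of the repository, but the vars_files hunk at @ -16,8 +16,8 @@ in this same compare lists both names unconditionally, so a fresh clone fails before the first task with a missing vars file. Pair this .gitignore entry with a committed fallback (for example an empty vars/evolix-main.yml.dist to be copied to the ignored name, name assumed) or make the playbook entries optional, and say in README which of the two files is vault-encrypted, since --ask-vault-pass is mandatory in the documented commands.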
CHANGELOG (73 lines)
|
@ -7,6 +7,79 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
### Added
|
||||
|
||||
### Changed
|
||||
|
||||
### Fixed
|
||||
|
||||
### Removed
|
||||
|
||||
## [21.12] - 2021-12-17
|
||||
|
||||
### Changed
|
||||
|
||||
- Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly
|
||||
- Use vim as default git editor
|
||||
- Change version pattern and fix release scheme
|
||||
|
||||
### Added
|
||||
|
||||
- Add a bioctl NRPE check for RAID devices
|
||||
|
||||
## [6.9.2] - 2021-10-15
|
||||
|
||||
### Added
|
||||
|
||||
- Add a more complete ipsecctl check script
|
||||
- Add doas configuration for check_openvpn_certificates.sh
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fix check_dhcpd for dhcpd server themselves : use back check_procs -c1: -C dhcpd
|
||||
- Fix check_mailq : check from monitoring-plugins current version is not compatible with opensmtpd
|
||||
|
||||
## [6.9.1] - 2021-07-19
|
||||
|
||||
### Added
|
||||
|
||||
- Configure the ntpd.conf file
|
||||
|
||||
## [6.9.0] - 2021-05-06
|
||||
|
||||
### Changed
|
||||
|
||||
- Remove the variable VERBOSESTATUS in daily.local configuration file since it is no longer valid.
|
||||
|
||||
## [6.8.3] - 2021-02-15
|
||||
|
||||
### Added
|
||||
|
||||
- Add a customization of the logsentry configuration
|
||||
- Add a check_openvpn_certificates in NRPE and OpenVPN role to check expiration date of server CA and certificates files
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fix the check_mem command in the NRPE role, precising the percentage sign for it not to check the memory in MB.
|
||||
- Fix the check_mem script in the NRPE role, adding cached RAM as free RAM
|
||||
- Fix motd-carp-state.sh by updating the OpenBSD release in our customized motd after an upgrade
|
||||
|
||||
### Changed
|
||||
|
||||
- The PF role now use a variable for trusted IPs
|
||||
|
||||
## [6.8.2] - 2020-10-30
|
||||
|
||||
### Added
|
||||
|
||||
- Add a Logsentry role
|
||||
|
||||
## [6.8.1] - 2020-10-26
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fix a task using a register where simple quotes prevented the register to be properly filled, breaking the following task
|
||||
|
||||
## [6.8.0] - 2020-10-23
|
||||
|
||||
### Added
|
||||
|
|
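Review bot: the [Unreleased] section is left with empty Added/Changed/Fixed/Removed headings although this compare also adds check_carpadvskew to evocheck, renames the IS_ADVBASE/IS_PREEMPT checks, tightens the evomaintenance file modes and removes the Testing section from README.md; record those here so the next release note does not have to be reconstructed from git log. Minor wording under 6.9.2: "Fix check_dhcpd for dhcpd server themselves : use back check_procs -c1: -C dhcpd" reads better as "Fix check_dhcpd on hosts that run dhcpd themselves: use check_procs -c1: -C dhcpd again".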
README.md (55 lines)
|
@ -1,13 +1,10 @@
|
|||
# EvoBSD 6.8.0
|
||||
# EvoBSD
|
||||
|
||||
EvoBSD is an ansible project used for customising OpenBSD hosts
|
||||
used by Evolix.
|
||||
EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix.
|
||||
|
||||
## How to install an OpenBSD machine
|
||||
|
||||
**Note :** The system must be installed with a root account only.
|
||||
Put your public key in the remote root's autorized_keys
|
||||
(/root/.ssh/authorized_keys)
|
||||
|
||||
1. Install ansible's prerequisites
|
||||
|
||||
|
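Review bot: "autorized_keys" in the install note should be "authorized_keys" (the parenthesised path is spelled correctly). The note also has the operator install the key for root while the doas template hunk further down grants SSH users through {{ evobsd_ssh_group }}; say whether that bootstrap root key is meant to stay or be removed once the first run is done, since the README is the only place a new operator will look for that.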
@ -17,6 +14,8 @@ ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
|
|||
|
||||
2. Run it
|
||||
|
||||
The variables files evolix-main.yml and evolinux-secrets.yml are customized variables for Evolix that overwrite main.yml variables. They are not needed if you are not from Evolix.
|
||||
|
||||
First use (become_method: su) :
|
||||
|
||||
```
|
||||
|
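Review bot: "They are not needed if you are not from Evolix" is only true if the playbook tolerates the files being absent, and the vars_files hunk at @ -16,8 +16,8 @@ in this compare lists both names unconditionally while the new .gitignore excludes them. Either reword this to say that empty vars/evolix-main.yml and vars/evolinux-secrets.yml must be created before the first run, or make the playbook entries optional first and keep the sentence as it is.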
@ -29,52 +28,8 @@ Subsequent use (become_method: sudo) :
|
|||
ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts --skip-tags pf -l HOSTNAME
|
||||
```
|
||||
|
||||
### Testing
|
||||
|
||||
Changes can be tested by using [Packer](https://www.packer.io/) and
|
||||
[vmm(4)](https://man.openbsd.org/vmm.4) :
|
||||
|
||||
* This process depends on the [Go](https://golang.org/) programming language.
|
||||
|
||||
**Packages**
|
||||
|
||||
Needing a Golang eco system and some basics
|
||||
|
||||
````
|
||||
pkg_add go-- packer-- git--
|
||||
````
|
||||
|
||||
* We use the [packer-builder-openbsd-vmm](https://github.com/double-p/packer-builder-openbsd-vmm) project to bridge Packer and vmm(4)
|
||||
|
||||
````
|
||||
git clone https://github.com/double-p/packer-builder-openbsd-vmm.git
|
||||
````
|
||||
|
||||
**builds**
|
||||
|
||||
Set ````GOPATH```` (default: ~/go), if the 1.4GB dependencies wont fit.
|
||||
|
||||
````
|
||||
make
|
||||
make install
|
||||
````
|
||||
|
||||
* You need your unprivileged user to be able to run vmctl(8) through doas(1)
|
||||
|
||||
```
|
||||
echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf
|
||||
```
|
||||
|
||||
See packer-builder-openbsd-vmm/examples/README.examples for further instructions
|
||||
|
||||
* Enable NAT on your host machine
|
||||
|
||||
```
|
||||
pass out on em0 inet from tap0:network to any nat-to (em0)
|
||||
```
|
||||
*assuming em0 is your egress interface*
|
||||
|
||||
## Contributions
|
||||
|
||||
See the [contribution guidelines](CONTRIBUTING.md)
|
||||
|
||||
## License
|
||||
|
|
|
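Review bot: the whole Testing section (Packer, vmm(4), the doas rule for vmctl, the NAT rule) is removed without a replacement, and the Removed heading under [Unreleased] in CHANGELOG stays empty; if the Packer workflow still works somewhere else, leave a one-line pointer, otherwise add the CHANGELOG entry so contributors know testing is now manual. The dropped "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" line was also the only example in the project of a command-scoped doas rule for an unprivileged test user, which is worth keeping in a CONTRIBUTING note.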
@ -16,8 +16,8 @@
|
|||
|
||||
vars_files:
|
||||
- vars/main.yml
|
||||
- vars/secrets.yml
|
||||
- vars/openbsd-secret.yml
|
||||
- vars/evolix-main.yml
|
||||
- vars/evolinux-secrets.yml
|
||||
|
||||
roles:
|
||||
- etc-git
|
||||
|
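Review bot: vars/evolix-main.yml and vars/evolinux-secrets.yml replace vars/secrets.yml and vars/openbsd-secret.yml here, but both new names are excluded by the .gitignore added in this compare, so Ansible aborts with a missing vars_files entry on any clone that has not created them by hand. vars_files accepts a list of alternatives per entry and loads the first one that exists, so "- [vars/evolix-main.yml, vars/empty.yml]" with a committed empty vars/empty.yml (file name assumed) keeps the Evolix overrides optional without a second playbook; the same applies to the secrets file.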
@ -40,6 +40,3 @@
|
|||
- include_role:
|
||||
name: evocheck
|
||||
tasks_from: exec.yml
|
||||
|
||||
# environment:
|
||||
# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"
|
||||
|
|
hosts (4 lines)
|
@ -1,5 +1,5 @@
|
|||
[openbsd]
|
||||
foo.example.com
|
||||
foo.example.com ansible_host=192.0.2.1
|
||||
|
||||
[openbsd:vars]
|
||||
ansible_python_interpreter=/usr/local/bin/python3
|
||||
ansible_python_interpreter=/usr/local/bin/python3.9
|
||||
|
|
|
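Review bot: pinning ansible_python_interpreter to /usr/local/bin/python3.9 in [openbsd:vars] ties the whole inventory to one OpenBSD release's python package and breaks the first host that is upgraded to a release shipping a newer default. If one host needs the pin, put it on that host line; otherwise keep the unversioned path the inventory had, or use ansible_python_interpreter=auto (discovery searches python3.x names on the remote PATH, which includes /usr/local/bin on OpenBSD) and document the python3 package in the prerequisite step. The ansible_host=192.0.2.1 example is a good choice, since it is a documentation-only address.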
@ -1,6 +1,5 @@
|
|||
---
|
||||
ntpd_servers:
|
||||
- "ntp.evolix.net"
|
||||
ntpd_servers: "ntp.evolix.net"
|
||||
|
||||
general_alert_email: "root@localhost"
|
||||
general_technical_realm: "example.com"
|
||||
|
|
|
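Review bot: ntpd_servers changes from a list to a plain string while keeping the plural name, and roles/base/tasks/ntp.yml in this compare renders it as a single "server {{ ntpd_servers }}" line, so only one upstream can ever be configured and a space-separated second value produces an invalid ntpd.conf. Either rename the variable to ntpd_server, or keep the list and loop over it; ntpd.conf(5) uses "server" for one host and "servers" for a name that resolves to several, so the template can pick the keyword per entry.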
@ -30,19 +30,20 @@ SERVERS="node0.backup.example.com:2XXX node1.backup.example.com:2XXX"
|
|||
SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
|
||||
|
||||
# timeout (in seconds) for SSH connections
|
||||
SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-30}
|
||||
SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90}
|
||||
|
||||
## We use /home/backup : feel free to use your own dir
|
||||
# We use /home/backup : feel free to use your own dir
|
||||
LOCAL_BACKUP_DIR="/home/backup"
|
||||
|
||||
# You can set "linux" or "bsd" manually or let it choose automatically
|
||||
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
|
||||
|
||||
# Change these 2 variables if you have more than one backup cron
|
||||
PIDFILE="/var/run/evobackup.pid"
|
||||
LOGFILE="/var/log/evobackup.log"
|
||||
# Store pid and logs in a file named after this program's name
|
||||
PROGNAME=$(basename $0)
|
||||
PIDFILE="/var/run/${PROGNAME}.pid"
|
||||
LOGFILE="/var/log/${PROGNAME}.log"
|
||||
|
||||
## Enable/Disable tasks
|
||||
# Enable/Disable tasks
|
||||
LOCAL_TASKS=${LOCAL_TASKS:-1}
|
||||
SYNC_TASKS=${SYNC_TASKS:-1}
|
||||
|
||||
|
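Review bot: "PROGNAME=$(basename $0)" leaves $0 unquoted while the rest of the change moves to quoted expansions; use $(basename "$0"). Deriving PIDFILE and LOGFILE from the script name also changes behaviour: two copies of the script under different names no longer share a lock, which is what the old "Change these 2 variables if you have more than one backup cron" comment was about, so state in the new comment that the lock is per script name. Raising SSH_CONNECT_TIMEOUT from 30 to 90 seconds deserves a CHANGELOG line, since it triples the time a hung backup target can block the run.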
@ -83,7 +84,7 @@ test_server() {
|
|||
else
|
||||
# SSH connection failed
|
||||
new_error=$(printf "Failed to connect to \`%s' within %s seconds" "${item}" "${SSH_CONNECT_TIMEOUT}")
|
||||
SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
|
||||
SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
|
||||
|
||||
return 1
|
||||
fi
|
||||
|
@ -96,16 +97,16 @@ pick_server() {
|
|||
if [ "${increment}" -ge "${list_length}" ]; then
|
||||
# We've reached the end of the list
|
||||
new_error="No more server available"
|
||||
SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
|
||||
SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
|
||||
|
||||
# Log errors to stderr
|
||||
printf "%s\n" "${SERVERS_SSH_ERRORS}" >&2
|
||||
printf "%s\\n" "${SERVERS_SSH_ERRORS}" >&2
|
||||
# Log errors to logfile
|
||||
printf "%s\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE
|
||||
printf "%s\\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Extract the day of month, without leading 0 (which would give an octal based number)
|
||||
# Extract the day of month, without leading 0 (which would give an octal based number)
|
||||
today=$(date +%e)
|
||||
# A salt is useful to randomize the starting point in the list
|
||||
# but stay identical each time it's called for a server (based on hostname).
|
||||
|
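Review bot: ">> $LOGFILE" in the pick_server error path stays unquoted while the PIDFILE handling in the next hunk is quoted; use >> "${LOGFILE}" for consistency. The "# Extract the day of month" comment appears twice in this hunk with no visible difference, which points to a whitespace-only edit; drop it from the change if so, as it makes the real changes harder to see.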
@ -123,14 +124,14 @@ pick_server() {
|
|||
if [ -e "${PIDFILE}" ]; then
|
||||
pid=$(cat "${PIDFILE}")
|
||||
# Does process still exist ?
|
||||
if kill -0 ${pid} 2> /dev/null; then
|
||||
if kill -0 "${pid}" 2> /dev/null; then
|
||||
# Killing the childs of evobackup.
|
||||
for ppid in $(pgrep -P "${pid}"); do
|
||||
kill -9 "${ppid}";
|
||||
done
|
||||
# Then kill the main PID.
|
||||
kill -9 "${pid}"
|
||||
printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\n" >&2
|
||||
printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\\n" >&2
|
||||
else
|
||||
rm -f ${PIDFILE}
|
||||
fi
|
||||
|
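Review bot: the "still running" message in this hunk never prints its newline, in the old form or the new one, because the \n is inside the last argument ("${pid}\\n") rather than the format string, and printf only interprets escapes in the format; the fix is printf "%s is still running (PID %s). Process has been killed\\n" "$0" "${pid}". Two smaller points: "rm -f ${PIDFILE}" is still unquoted, and sending SIGKILL to the children and then to the main PID gives a running rsync no chance to clean up partial files on the server; send TERM first and KILL only after a short wait.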
@ -145,6 +146,8 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
|||
# You can comment or uncomment sections below to customize the backup
|
||||
|
||||
## OpenLDAP : example with slapcat
|
||||
# slapcat -n 0 -l ${LOCAL_BACKUP_DIR}/config.ldap.bak
|
||||
# slapcat -n 1 -l ${LOCAL_BACKUP_DIR}/data.ldap.bak
|
||||
# slapcat -l ${LOCAL_BACKUP_DIR}/ldap.bak
|
||||
|
||||
## MySQL
|
||||
|
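Review bot: the slapcat examples write config.ldap.bak and data.ldap.bak straight into ${LOCAL_BACKUP_DIR}, whereas the MySQL examples below first create a 0700 subdirectory; an LDIF dump of databases 0 and 1 contains rootpw and userPassword hashes, so give it the same "mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/ldap/" treatment and point the three commands at that directory.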
@ -160,29 +163,33 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
|||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \
|
||||
# --fields-enclosed-by='\"' --fields-terminated-by=',' -T /home/mysqldump/$i $i; done
|
||||
|
||||
## Dump all grants (requires 'percona-toolkit' package)
|
||||
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
|
||||
# pt-show-grants --flush --no-header > ${LOCAL_BACKUP_DIR}/mysql/all_grants.sql
|
||||
|
||||
## example with SQL dump (schema only, no data) for each databases
|
||||
# mkdir -p -m 700 /home/mysqldump/
|
||||
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
|
||||
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
||||
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > /home/mysqldump/${i}.schema.sql
|
||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > ${LOCAL_BACKUP_DIR}/mysql/${i}.schema.sql
|
||||
# done
|
||||
|
||||
## example with compressed SQL dump (with data) for each databases
|
||||
# mkdir -p -m 700 /home/mysqldump/
|
||||
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
|
||||
# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
|
||||
# | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
|
||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz
|
||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > ${LOCAL_BACKUP_DIR}/mysql/${i}.sql.gz
|
||||
# done
|
||||
|
||||
## example with *one* uncompressed SQL dump for *one* database (MYBASE)
|
||||
# mkdir -p -m 700 /home/mysqldump/MYBASE
|
||||
# chown -RL mysql /home/mysqldump/
|
||||
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/MYBASE
|
||||
# chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql/
|
||||
# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \
|
||||
# --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE
|
||||
# --opt --events --hex-blob --skip-comments -T ${LOCAL_BACKUP_DIR}/mysql/MYBASE MYBASE
|
||||
|
||||
## example with mysqlhotcopy
|
||||
# mkdir -p -m 700 /home/mysqlhotcopy/
|
||||
# mysqlhotcopy BASE /home/mysqlhotcopy/
|
||||
# mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysqlhotcopy/
|
||||
# mysqlhotcopy BASE ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/
|
||||
|
||||
## example for multiples MySQL instances
|
||||
# mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3)
|
||||
|
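Review bot: the mysqlhotcopy example is inconsistent within this hunk: it creates ${LOCAL_BACKUP_DIR}/mysqlhotcopy/ but then writes to ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/, which is never created; pick one path. Also note that "chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql/" (needed for the -T tab-separated dump) now hands the mysql user ownership of every dump in that directory, including all_grants.sql from pt-show-grants; keep the -T target in its own subdirectory so the other dumps stay root-only.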
@ -225,7 +232,14 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
|||
## Redis
|
||||
|
||||
## example with copy .rdb file
|
||||
## for the default instance :
|
||||
# cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/
|
||||
## for multiple instances :
|
||||
# for instance in $(ls -d /var/lib/redis-*); do
|
||||
# name=$(basename $instance)
|
||||
# mkdir -p ${LOCAL_BACKUP_DIR}/${name}
|
||||
# cp -a ${instance}/dump.rdb ${LOCAL_BACKUP_DIR}/${name}
|
||||
# done
|
||||
|
||||
## ElasticSearch
|
||||
|
||||
|
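Review bot: the multi-instance Redis example iterates over $(ls -d /var/lib/redis-*) and leaves ${instance} and ${name} unquoted; a glob does the same job safely: for instance in /var/lib/redis-*; do name=$(basename "$instance"); ... done. The per-instance directory is created with a plain "mkdir -p", unlike the 0700 directories used for the MySQL dumps above; an RDB file holds every key in the instance, so use mkdir -p -m 700 here as well.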
@ -295,12 +309,13 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
|
|||
|
||||
## Dump findmnt(8) output
|
||||
FINDMNT_BIN=$(command -v findmnt)
|
||||
if [ -x ${FINDMNT_BIN} ]; then
|
||||
if [ -x "${FINDMNT_BIN}" ]; then
|
||||
${FINDMNT_BIN} > ${LOCAL_BACKUP_DIR}/findmnt.txt
|
||||
fi
|
||||
else
|
||||
## Dump network connections with netstat
|
||||
netstat -finet -atn > ${LOCAL_BACKUP_DIR}/netstat.out
|
||||
## Dump network connections with fstat
|
||||
fstat | head -1 > ${LOCAL_BACKUP_DIR}/netstat.out
|
||||
fstat | grep internet >> ${LOCAL_BACKUP_DIR}/netstat.out
|
||||
|
||||
## List OpenBSD packages
|
||||
pkg_info -m > ${LOCAL_BACKUP_DIR}/packages
|
||||
|
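Review bot: on the non-Linux branch the fstat output is still written to netstat.out, which is misleading now that netstat is no longer the source; name it fstat.out or connections.out. For the package list, "pkg_info -mz" (manually installed packages, version-less names) produces exactly the form pkg_add -l expects, which makes the backup usable for a restore without editing.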
@ -362,36 +377,52 @@ if [ "${SYNC_TASKS}" = "1" ]; then
|
|||
# Remote shell command
|
||||
RSH_COMMAND="ssh -p ${SSH_PORT} -o 'ConnectTimeout ${SSH_CONNECT_TIMEOUT}'"
|
||||
|
||||
rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \
|
||||
# ignore check because we want it to split the different arguments to $rep
|
||||
# shellcheck disable=SC2086
|
||||
rsync -avzh --relative --stats --delete --delete-excluded --force --ignore-errors --partial \
|
||||
--exclude "dev" \
|
||||
--exclude "lost+found" \
|
||||
--exclude ".nfs.*" \
|
||||
--exclude "/var/log" \
|
||||
--exclude "/var/log/evobackup*" \
|
||||
--exclude "/usr/doc" \
|
||||
--exclude "/usr/obj" \
|
||||
--exclude "/usr/share/doc" \
|
||||
--exclude "/usr/src" \
|
||||
--exclude "/var/apt" \
|
||||
--exclude "/var/cache" \
|
||||
--exclude "/var/lib/amavis/amavisd.sock" \
|
||||
--exclude "/var/lib/amavis/tmp" \
|
||||
--exclude "/var/lib/clamav/*.tmp" \
|
||||
--exclude "/var/lib/elasticsearch" \
|
||||
--exclude "/var/lib/metche" \
|
||||
--exclude "/var/lib/munin/*tmp*" \
|
||||
--exclude "/var/db/munin/*.tmp" \
|
||||
--exclude "/var/lib/mysql" \
|
||||
--exclude "/var/lib/php5" \
|
||||
--exclude "/var/lib/php/sessions" \
|
||||
--exclude "/var/lib/postgres" \
|
||||
--exclude "/var/lib/postgresql" \
|
||||
--exclude "/var/lib/sympa" \
|
||||
--exclude "/var/lib/metche" \
|
||||
--exclude "/var/run" \
|
||||
--exclude "/var/lock" \
|
||||
--exclude "/var/state" \
|
||||
--exclude "/var/apt" \
|
||||
--exclude "/var/cache" \
|
||||
--exclude "/usr/src" \
|
||||
--exclude "/usr/doc" \
|
||||
--exclude "/usr/share/doc" \
|
||||
--exclude "/usr/obj" \
|
||||
--exclude "dev" \
|
||||
--exclude "/var/log" \
|
||||
--exclude "/var/log/evobackup*" \
|
||||
--exclude "/var/run" \
|
||||
--exclude "/var/spool/postfix" \
|
||||
--exclude "/var/lib/amavis/amavisd.sock" \
|
||||
--exclude "/var/lib/munin/*tmp*" \
|
||||
--exclude "/var/lib/php5" \
|
||||
--exclude "/var/spool/smtpd" \
|
||||
--exclude "/var/spool/squid" \
|
||||
--exclude "/var/lib/elasticsearch" \
|
||||
--exclude "/var/lib/amavis/tmp" \
|
||||
--exclude "/var/lib/clamav/*.tmp" \
|
||||
--exclude "/var/state" \
|
||||
--exclude "lxc/*/rootfs/usr/doc" \
|
||||
--exclude "lxc/*/rootfs/usr/obj" \
|
||||
--exclude "lxc/*/rootfs/usr/share/doc" \
|
||||
--exclude "lxc/*/rootfs/usr/src" \
|
||||
--exclude "lxc/*/rootfs/var/apt" \
|
||||
--exclude "lxc/*/rootfs/var/cache" \
|
||||
--exclude "lxc/*/rootfs/var/lib/php5" \
|
||||
--exclude "lxc/*/rootfs/var/lib/php/sessions" \
|
||||
--exclude "lxc/*/rootfs/var/lock" \
|
||||
--exclude "lxc/*/rootfs/var/log" \
|
||||
--exclude "lxc/*/rootfs/var/run" \
|
||||
--exclude "lxc/*/rootfs/var/state" \
|
||||
--exclude "/home/mysqltmp" \
|
||||
--exclude "/var/lib/php/sessions" \
|
||||
${rep} \
|
||||
/etc \
|
||||
/root \
|
||||
|
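Review bot: adding --relative changes where the ${rep} entries land on the backup server (the full path is kept instead of only the last component), so anything already backed up under the old layout becomes an orphan copy that --delete will never touch; plan a one-off cleanup on the receiving side and note the layout change in CHANGELOG. While the exclude list is being reordered, check it for leftovers: "/var/lib/php/sessions", "/var/run", "/var/state" and "/var/lib/metche" each appear more than once in this hunk, "/var/log/evobackup*" is redundant after "/var/log", and the unanchored "dev" and ".nfs.*" patterns match at any depth, so any application directory named dev under ${rep} is silently skipped; anchor it as "/dev".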
@ -406,11 +437,11 @@ fi
|
|||
|
||||
END=$(/bin/date +"%d-%m-%Y ; %H:%M")
|
||||
|
||||
printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \
|
||||
printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \
|
||||
"${HOSTNAME}" "${BEGINNING}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
|
||||
>> $LOGFILE
|
||||
|
||||
printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \
|
||||
printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \
|
||||
"${HOSTNAME}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
|
||||
>> $LOGFILE
|
||||
|
||||
|
|
|
@ -31,3 +31,8 @@
|
|||
command: mount -u -o noatime /home
|
||||
args:
|
||||
warn: false
|
||||
|
||||
- name: reload ntp
|
||||
service:
|
||||
name: ntpd
|
||||
state: restarted
|
||||
|
|
|
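Review bot: the new handler is named "reload ntp" but does state: restarted; call it "restart ntpd" so a later reader does not assume an in-place config reload that keeps peers. Unrelated but visible in the context above: "args: warn: false" on the mount command was removed from the command module in ansible-core 2.14 and fails to parse there, so this file needs that line dropped before the next Ansible upgrade.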
@ -5,15 +5,4 @@
|
|||
env: true
|
||||
value: "{{ cron_root_path }}"
|
||||
tags:
|
||||
- cron
|
||||
|
||||
- name: Customize daily.local environment
|
||||
lineinfile:
|
||||
path: /etc/daily.local
|
||||
line: 'VERBOSESTATUS=0'
|
||||
insertbefore: BOF
|
||||
owner: root
|
||||
mode: "0644"
|
||||
create: true
|
||||
tags:
|
||||
- cron
|
||||
- cron
|
|
@ -15,10 +15,10 @@
|
|||
dest: "{{ item.dest }}"
|
||||
owner: 'root'
|
||||
group: 'wheel'
|
||||
mode: '0755'
|
||||
mode: '{{ item.mode }}'
|
||||
with_items:
|
||||
- {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'}
|
||||
- {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'}
|
||||
- {src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700'}
|
||||
- {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600'}
|
||||
tags:
|
||||
- evomaintenance
|
||||
- script-evomaintenance
|
||||
|
|
|
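Review bot: tightening evomaintenance.sh to 0700 and evomaintenance.tpl to 0600 is right, since nothing but the root-run script needs to read the template, and the logsentry ignore list in this compare expects the script to be invoked as "doas: ... ran command /usr/share/scripts/evomaintenance.sh as root"; make sure that doas rule really is in the template, because the doas.conf hunks shown here do not contain it, otherwise wheel users who ran the script directly lose access with the new mode. Add a CHANGELOG line for the mode change, and "with_items" can become "loop" while the list is being edited.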
@ -10,3 +10,4 @@
|
|||
- include: newsyslog.yml
|
||||
- include: cron.yml
|
||||
- include: fstab.yml
|
||||
- include: ntp.yml
|
||||
|
|
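Review bot: "- include: ntp.yml" copies the surrounding style, but the bare include keyword for task files has been deprecated since Ansible 2.4 and is removed in ansible-core 2.16; new task files should use import_tasks so the role keeps working after the next Ansible upgrade, and the existing lines can be converted in a separate change.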
roles/base/tasks/ntp.yml (30 lines, new file)
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
- name: Retrieve ntpd.conf content
|
||||
command: cat ntpd.conf
|
||||
args:
|
||||
chdir: /etc/
|
||||
check_mode: no
|
||||
register: ntpd_conf
|
||||
tags:
|
||||
- ntp
|
||||
|
||||
- name: Empty ntpd.conf before customizing it
|
||||
file:
|
||||
path: /etc/ntpd.conf
|
||||
state: absent
|
||||
when: ntpd_conf.stdout is not regex("^server ntp.evolix.net$")
|
||||
tags:
|
||||
- ntp
|
||||
|
||||
- name: Customize ntpd conf
|
||||
lineinfile:
|
||||
path: /etc/ntpd.conf
|
||||
line: "server {{ ntpd_servers }}"
|
||||
create: yes
|
||||
owner: root
|
||||
group: wheel
|
||||
mode: '0644'
|
||||
notify:
|
||||
- reload ntp
|
||||
tags:
|
||||
- ntp
|
|
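Review bot: deleting /etc/ntpd.conf and rebuilding it as a single "server {{ ntpd_servers }}" line also throws away the "constraints from" and "sensor *" directives that the OpenBSD default file carries; the HTTPS constraint is what stops a spoofed or replayed NTP answer from moving the clock by more than a few seconds, and without it every certificate-validity, token-expiry and log-timestamp check on the host trusts a single unauthenticated UDP source. Render the whole file from a template (server line plus a constraints line) instead of lineinfile on an emptied file. Two smaller problems: the when condition hardcodes ntp.evolix.net instead of the variable, so any other ntpd_servers value makes the file get deleted, recreated and ntpd restarted on every run; and "is not regex("^server ntp.evolix.net$")" is an unanchored-dot search without multiline, which only matches when the file consists of exactly that one line. A template task, or lineinfile with regexp: '^server ' and no delete step, is idempotent and needs no "cat" through the command module.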
@ -5,8 +5,7 @@ permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as
|
|||
permit nopass _collectd as root cmd /bin/cat
|
||||
permit nopass _collectd as root cmd /usr/sbin/bgpctl
|
||||
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
|
||||
|
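Review bot: "permit nopass _nrpe as root cmd /sbin/bioctl args sd2" hardcodes the softraid device; on a host whose RAID volume is sd1 or sd3 the NRPE check fails with a doas denial and nothing here templates it. Use a role variable (for example evobsd_raid_device, name assumed) and keep the "args" restriction, which is what makes a no-password root rule acceptable for bioctl. The check_mailq entry moves to plugins/check_mailq.pl; confirm the nrpe.cfg command definition was updated to the new path in the same change.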
@ -16,3 +15,4 @@ permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_state
|
|||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
|
||||
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
|
||||
|
|
|
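Review bot: every "permit nopass _nrpe as root cmd .../plugins/*.sh" line turns that plugin file into a root-equivalent program for the _nrpe user, so check_openvpn_certificates.sh and check_ipsecctl.sh must be installed root-owned, mode 0755 or tighter, in a directory _nrpe cannot write to; the tasks that copy them are not part of this compare, so verify owner and mode there, and an evocheck test for the permissions of everything listed in doas.conf would catch regressions.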
@ -4,6 +4,8 @@
|
|||
|
||||
PATH="{{ evobsd_path }}"
|
||||
export PATH HOME TERM
|
||||
export LANG="en_US.UTF-8"
|
||||
export LC_ALL="en_US.UTF-8"
|
||||
export PS1="\u@\h:\w\\$ "
|
||||
HISTFILE=$HOME/.histfile
|
||||
export HISTSIZE=10000
|
||||
|
|
|
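Review bot: exporting LC_ALL overrides every locale category, including LC_COLLATE and LC_NUMERIC, and cannot be overridden per category by the user, while the CHANGELOG entry only wants "git log" to show accents; LANG=en_US.UTF-8 alone (or just LC_CTYPE) is enough for that and is the conventional setting for a shared .profile. Keep in mind this is the profile every shell on the host inherits, so LC_ALL also changes the sort order of sort(1) and ls(1) output for scripts run from those shells.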
@ -1,3 +1,4 @@
|
|||
aliases.db
|
||||
*.swp
|
||||
random.seed
|
||||
openvpn/ipp.txt
|
||||
|
|
|
@ -44,6 +44,12 @@
|
|||
tags:
|
||||
- etc-git
|
||||
|
||||
- name: Set vim as default editor
|
||||
git_config:
|
||||
name: core.editor
|
||||
scope: global
|
||||
value: vim
|
||||
|
||||
- name: does /etc/ have any commit?
|
||||
command: "git log"
|
||||
args:
|
||||
|
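Review bot: the new "Set vim as default editor" task has no tags while every neighbouring task in this file carries "tags: - etc-git", so a run restricted with --tags etc-git skips it; add the same tags block. git_config with scope: global writes the connecting user's ~/.gitconfig, root here, which matches what the CHANGELOG describes, so that part is fine.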
@ -118,7 +124,7 @@
|
|||
- name: hourly cron job for /etc/.git status is installed
|
||||
cron:
|
||||
name: git status
|
||||
minute: 42
|
||||
minute: "42"
|
||||
job: >
|
||||
who
|
||||
> /dev/null
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# EvoCheck
|
||||
# Script to verify compliance of an OpenBSD server powered by Evolix
|
||||
|
||||
readonly VERSION="6.7.7"
|
||||
readonly VERSION="21.09"
|
||||
|
||||
# Disable LANG*
|
||||
|
||||
|
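Review bot: the VERSION bump to 21.09 follows the new YY.MM scheme, but CHANGELOG in this same compare introduces that scheme at release 21.12 and says nothing about evocheck having its own number; either evocheck tracks the project release (then this should read 21.12) or it is versioned separately, in which case say so in CHANGELOG so the two numbers are not taken for a mismatch.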
@ -108,13 +108,17 @@ check_softdep(){
|
|||
}
|
||||
|
||||
check_noatime(){
|
||||
if [ $(mount | grep -c noatime) -ne $(grep -c ffs /etc/fstab) ]; then
|
||||
if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then
|
||||
failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
|
||||
fi
|
||||
}
|
||||
|
||||
check_tmoutprofile(){
|
||||
grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
|
||||
if [ -f /etc/skel/.profile ]; then
|
||||
grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
|
||||
else
|
||||
failed "IS_TMOUTPROFILE" "File /etc/skel/.profile does not exist. Both /etc/skel/.profile and /root/.profile should contain at least 'export TMOUT=36000'"
|
||||
fi
|
||||
}
|
||||
|
||||
check_raidok(){
|
||||
|
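Review bot: "grep -q TMOUT= /etc/skel/.profile /root/.profile" succeeds as soon as either file matches, so the restructured check_tmoutprofile still passes IS_TMOUTPROFILE when only one of the two files sets TMOUT, contradicting its own message that both must; test the files separately (grep -q TMOUT= /etc/skel/.profile && grep -q TMOUT= /root/.profile). In check_noatime the fstab side now skips commented lines, which is the right fix, but "grep ffs" still matches the string anywhere on the line; "grep -v '^#' /etc/fstab | grep -c ' ffs '" keeps the two counts comparable.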
@ -176,7 +180,7 @@ check_gitperms(){
|
|||
test -d /etc/.git && [ "$(stat -f %p /etc/.git/)" = "40700" ] || failed "IS_GITPERMS" "The directiry /etc/.git sould be in 700"
|
||||
}
|
||||
|
||||
check_advbase(){
|
||||
check_carpadvbase(){
|
||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||
bad_advbase=0
|
||||
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
|
||||
|
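Review bot: the context line just above the renamed function still reads "The directiry /etc/.git sould be in 700"; fix the two typos (directory, should) while this function is being touched, since the text is what operators see in the failure report.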
@ -185,21 +189,21 @@ check_advbase(){
|
|||
fi
|
||||
done
|
||||
if [[ "$bad_advbase" -eq 1 ]]; then
|
||||
failed "IS_ADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
|
||||
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
check_preempt(){
|
||||
check_carppreempt(){
|
||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||
preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
|
||||
if [[ "$preempt" -ne 1 ]]; then
|
||||
failed "IS_PREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
|
||||
failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
|
||||
fi
|
||||
if [ -f /etc/sysctl.conf ]; then
|
||||
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_PREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
|
||||
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
|
||||
else
|
||||
failed "IS_PREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
|
||||
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -353,6 +357,29 @@ check_openvpncronlog(){
|
|||
fi
|
||||
}
|
||||
|
||||
check_carpadvskew(){
|
||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||
for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
|
||||
ifconfig $carp | grep -q master
|
||||
master=$?
|
||||
ifconfig $carp | grep -q backup
|
||||
backup=$?
|
||||
advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}')
|
||||
if [ "$master" -eq 0 ]; then
|
||||
if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then
|
||||
failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew"
|
||||
fi
|
||||
elif [ "$backup" -eq 0 ]; then
|
||||
if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then
|
||||
failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew"
|
||||
fi
|
||||
else
|
||||
failed "IS_CARPADVSKEW" "Interface $carp is neither master nor backup. Check interface state."
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
main() {
|
||||
# Default return code : 0 = no error
|
||||
|
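Review bot: check_carpadvskew compares $advskew with -lt/-gt unquoted, so an interface whose ifconfig output lacks an advskew field (empty value) makes [ ] emit a syntax error instead of a failure and the check is silently skipped; guard with [ -n "$advskew" ] first and quote the expansions, as the surrounding checks do for $carp. The failure text says the master's advskew "must remain lower than that of the backup", but the code only tests the two fixed ranges (1-50 and 100-150) on the local host and never looks at the peer, so either reword the message or say that the ranges are what enforce the ordering. As with the renamed checks, IS_CARPADVSKEW is missing from CHANGELOG.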
@ -369,8 +396,8 @@ main() {
|
|||
test "${IS_UPTIME:=1}" = 1 && check_uptime
|
||||
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
|
||||
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
|
||||
test "${IS_ADVBASE:=1}" = 1 && check_advbase
|
||||
test "${IS_PREEMPT:=1}" = 1 && check_preempt
|
||||
test "${IS_CARPADVBASE:=1}" = 1 && check_carpadvbase
|
||||
test "${IS_CARPPREEMPT:=1}" = 1 && check_carppreempt
|
||||
test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail
|
||||
test "${IS_PFENABLED:=1}" = 1 && check_pfenabled
|
||||
test "${IS_PFCUSTOM:=1}" = 1 && check_pfcustom
|
||||
|
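Review bot: renaming IS_ADVBASE to IS_CARPADVBASE and IS_PREEMPT to IS_CARPPREEMPT changes the variable an operator sets to disable a check, so anyone with IS_ADVBASE=0 in their evocheck configuration gets the check re-enabled after upgrading without any warning. Honour the old names for one release, for example test "${IS_CARPADVBASE:=${IS_ADVBASE:-1}}" = 1, and list the rename in CHANGELOG.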
@ -394,6 +421,7 @@ main() {
|
|||
test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute
|
||||
test "${IS_NTP:=1}" = 1 && check_ntp
|
||||
test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog
|
||||
test "${IS_CARPADVSKEW:=1}" = 1 && check_carpadvskew
|
||||
|
||||
exit ${RC}
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
- name: Enable IPv4 forwarding
|
||||
sysctl:
|
||||
name: net.inet.ip.forwarding
|
||||
value: 1
|
||||
value: "1"
|
||||
state: present
|
||||
reload: true
|
||||
tags:
|
||||
|
@ -11,7 +11,7 @@
|
|||
- name: Enable IPv6 forwarding
|
||||
sysctl:
|
||||
name: net.inet6.ip6.forwarding
|
||||
value: 1
|
||||
value: "1"
|
||||
state: present
|
||||
reload: true
|
||||
tags:
|
||||
|
|
roles/logsentry/README.md (7 lines, new file)
|
@ -0,0 +1,7 @@
|
|||
# logsentry
|
||||
|
||||
Installation and custom configuration of logsentry (formely logcheck)
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
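Review bot: "formely" should be "formerly". Since tuning the ignore list is the main operational task for this role, the README should also say where logsentry.ignore is installed on the target and how a site-specific pattern is added without being overwritten by the next run.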
roles/logsentry/files/logsentry.ignore (100 lines, new file)
|
@ -0,0 +1,100 @@
|
|||
authsrv.*AUTHENTICATE
|
||||
cron.*CMD
|
||||
cron.*RELOAD
|
||||
cron.*STARTUP
|
||||
ftp-gw.*: exit host
|
||||
ftp-gw.*: permit host
|
||||
ftpd.*ANONYMOUS FTP LOGIN
|
||||
ftpd.*FTP LOGIN FROM
|
||||
ftpd.*retrieved
|
||||
ftpd.*stored
|
||||
http-gw.*: exit host
|
||||
http-gw.*: permit host
|
||||
mail.local
|
||||
named.*Lame delegation
|
||||
named.*Response from
|
||||
named.*answer queries
|
||||
named.*points to a CNAME
|
||||
named.*reloading
|
||||
named.*starting
|
||||
netacl.*: exit host
|
||||
netacl.*: permit host
|
||||
popper.*Unable
|
||||
popper: -ERR POP server at
|
||||
popper: -ERR Unknown command: "uidl".
|
||||
qmail.*new msg
|
||||
qmail.*info msg
|
||||
qmail.*starting delivery
|
||||
qmail.*delivery
|
||||
qmail.*end msg
|
||||
rlogin-gw.*: exit host
|
||||
rlogin-gw.*: permit host
|
||||
sendmail.*User Unknown
|
||||
sendmail.*alias database.*rebuilt
|
||||
sendmail.*aliases.*longest
|
||||
sendmail.*from=
|
||||
sendmail.*lost input channel
|
||||
sendmail.*message-id=
|
||||
sendmail.*putoutmsg
|
||||
sendmail.*return to sender
|
||||
sendmail.*stat=
|
||||
sendmail.*timeout waiting
|
||||
smap.*host=
|
||||
smapd.*daemon running
|
||||
smapd.*delivered
|
||||
telnetd.*ttloop: peer died
|
||||
tn-gw.*: exit host
|
||||
tn-gw.*: permit host
|
||||
x-gw.*: exit host
|
||||
x-gw.*: permit host
|
||||
xntpd.*Previous time adjustment didn't complete
|
||||
xntpd.*time reset
|
||||
ansible-command: Invoked
|
||||
ansible-copy: Invoked
|
||||
ansible-cron: Invoked
|
||||
ansible-file: Invoked
|
||||
ansible-openbsd_pkg: Invoked
|
||||
ansible-setup: Invoked
|
||||
ansible-slurp: Invoked
|
||||
ansible-stat: Invoked
|
||||
ansible-synchronize: Invoked
|
||||
bgpd.*: neighbor .*: sending IPv4 unicast EOR marker
|
||||
bgpd.*: neighbor .*: sending IPv6 unicast EOR marker
|
||||
bgpd.*: RDE reconfigured
|
||||
bgpd.*: RDE soft reconfiguration done
|
||||
bgpd.*: rereading config
|
||||
bgpd.*: running softreconfig in
|
||||
bgpd.*: SE reconfigured
|
||||
bgpd.*: softreconfig in done
|
||||
doas: _collectd ran command /bin/cat /var/log/daemon as root from /var/collectd
|
||||
doas: _collectd ran command /usr/sbin/bgpctl sh as root from /var/collectd
|
||||
doas: _collectd ran command /usr/sbin/bgpctl show neighbor as root from /var/collectd
|
||||
doas: _nrpe ran command /sbin/bioctl sd2 as root from /
|
||||
doas: _nrpe ran command /usr/local/libexec/nagios
|
||||
doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from
|
||||
last message repeated .* times
|
||||
mownitoring.py: Alert sent through email
|
||||
mownitoring.py: Already known state but still a problem for
|
||||
newsyslog.*logfile turned over
|
||||
nrpe.*: Could not read request from client, bailing out...
|
||||
nrpe.*: Error: Could not complete SSL handshake.
|
||||
nrpe.*: INFO: SSL Socket Shutdown.
|
||||
ntpd.*: adjusting clock frequency by
|
||||
pkg_add: Added
|
||||
smtpd.*mta connected
|
||||
smtpd.*mta connecting address=smtp://
|
||||
smtpd.*mta delivery evpid=
|
||||
smtpd.*mta disconnected reason=quit messages=
|
||||
smtpd.*mta server-cert-check result=
|
||||
smtpd.*mta tls ciphers=
|
||||
smtpd.*smtp connected address=127.0.0.1 host=localhost
|
||||
smtpd.*smtp connected address=local
|
||||
smtpd.*smtp disconnected reason=quit
|
||||
smtpd.*smtp envelope evpid=
|
||||
smtpd.*smtp message msgid=
|
||||
sshd.*Connection closed by 127.0.0.1 port
|
||||
sshd.*Connection reset by 127.0.0.1 port
|
||||
sudo:.*: a password is required ; TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
|
||||
sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
|
||||
syslogd.*restart
|
||||
unbound:.*info:
|
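Review bot: several of these ignore patterns are broad enough to suppress events the "Unusual System Events" section exists to show, and because this file is applied with `$GREP -v -f $IGNORE_FILE` every match is silently dropped from that stage. `unbound:.*info:` discards every unbound info-level line, and `sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=` hides every command run as root through sudo from a home directory, which is the privilege-use trail an hourly log review is meant to surface (the `last message repeated .* times` entry likewise hides how often a suppressed event recurred). Suggest anchoring the sudo entries to the specific commands that are expected, as the `doas:` entries already do (for example `doas: _nrpe ran command /sbin/bioctl sd2 as root from /`), and narrowing `unbound:.*info:` to the messages that are actually noisy. Minor: the dots in `127.0.0.1` and in `nrpe.*: INFO: SSL Socket Shutdown.` are unescaped, so with egrep they match any character; `127\.0\.0\.1` keeps the ignore list from matching more than intended.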
281
roles/logsentry/files/logsentry.sh
Normal file
|
@ -0,0 +1,281 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# logcheck.sh: Log file checker
|
||||
# Written by Craig Rowland <crowland@psionic.com>
|
||||
#
|
||||
# This file needs the program logtail.c to run
|
||||
#
|
||||
# This script checks logs for unusual activity and blatant
|
||||
# attempts at hacking. All items are mailed to administrators
|
||||
# for review. This script and the logtail.c program are based upon
|
||||
# the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
|
||||
# (c)Trusted Information Systems Inc. The original authors are
|
||||
# Marcus J. Ranum and Fred Avolio.
|
||||
#
|
||||
# Default search files are tuned towards the TIS Firewall toolkit
|
||||
# the TCP Wrapper program. Custom daemons and reporting facilites
|
||||
# can be accounted for as well...read the rest of the script for
|
||||
# details.
|
||||
#
|
||||
# Version Information
|
||||
#
|
||||
# 1.0 9/29/96 -- Initial Release
|
||||
# 1.01 11/01/96 -- Added working /tmp directory for symlink protection
|
||||
# (Thanks Richard Bullington (rbulling@obscure.org)
|
||||
# 1.1 1/03/97 -- Made this script more portable for Sun's.
|
||||
# 1/03/97 -- Made this script work on HPUX
|
||||
# 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
|
||||
# to Jay Vassos-Libove <libove@compgen.com> for
|
||||
# his changes.
|
||||
|
||||
|
||||
# CONFIGURATION SECTION
|
||||
|
||||
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
|
||||
|
||||
# Logcheck is pre-configured to work on most BSD like systems, however it
|
||||
# is a rather dumb program and may need some help to work on other
|
||||
# systems. Please check the following command paths to ensure they are
|
||||
# correct.
|
||||
|
||||
# Person to send log activity to.
|
||||
SYSADMIN=root
|
||||
|
||||
# Full path to logtail program.
|
||||
# This program is required to run this script and comes with the package.
|
||||
|
||||
LOGTAIL=/usr/local/bin/logtail
|
||||
|
||||
# Full path to SECURED (non public writable) /tmp directory.
|
||||
# Prevents Race condition and potential symlink problems. I highly
|
||||
# recommend you do NOT make this a publically writable/readable directory.
|
||||
# You would also be well advised to make sure all your system/cron scripts
|
||||
# use this directory for their "scratch" area.
|
||||
|
||||
TMPDIR=/var/cache/logsentry
|
||||
|
||||
# The 'grep' command. This command MUST support the
|
||||
# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
|
||||
# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
|
||||
# does not support these switches, but the 'egrep' command does (Thanks
|
||||
# Jason <jason@mastaler.com> ). Since grep and egrep are usually the GNU
|
||||
# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
|
||||
# hard links to each other we'll just specify egrep here. Change this if
|
||||
# you get errors.
|
||||
|
||||
# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
|
||||
GREP=egrep
|
||||
|
||||
# The 'mail' command. Most systems this should be OK to leave as is.
|
||||
# If your default mail command does not support the '-s' (subject) command
|
||||
# line switch you will need to change this command one one that does.
|
||||
# The only system I've seen this to be a problem on are HPUX boxes.
|
||||
# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
|
||||
# feel they need to do everything differently to remind the rest that
|
||||
# they are the best ;).
|
||||
|
||||
# Linux, FreeBSD, BSDI, Sun, etc.
|
||||
MAIL=mail
|
||||
# HPUX 10.x and others(?)
|
||||
#MAIL=mailx
|
||||
# Digital OSF/1, Irix
|
||||
#MAIL=Mail
|
||||
|
||||
# File of known active hacking attack messages to look for.
|
||||
# Only put messages in here if you are sure they won't cause
|
||||
# false alarms. This is a rather generic way of checking for
|
||||
# malicious activity and can be inaccurate unless you know
|
||||
# what past hacking activity looks like. The default is to
|
||||
# look for generic ISS probes (who the hell else looks for
|
||||
# "WIZ" besides ISS?), and obvious sendmail attacks/probes.
|
||||
|
||||
HACKING_FILE=/etc/logsentry/logsentry.hacking
|
||||
|
||||
# File of security violation patterns to specifically look for.
|
||||
# This file should contain keywords of information administrators should
|
||||
# probably be aware of. May or may not cause false alarms sometimes.
|
||||
# Generally, anything that is "negative" is put in this file. It may miss
|
||||
# some items, but these will be caught by the next check. Move suspicious
|
||||
# items into this file to have them reported regularly.
|
||||
|
||||
VIOLATIONS_FILE=/etc/logsentry/logsentry.violations
|
||||
|
||||
# File that contains more complete sentences that have keywords from
|
||||
# the violations file. These keywords are normal and are not cause for
|
||||
# concern but could cause a false alarm. An example of this is the word
|
||||
# "refused" which is often reported by sendmail if a message cannot be
|
||||
# delivered or can be a more serious security violation of a system
|
||||
# attaching to illegal ports. Obviously you would put the sendmail
|
||||
# warning as part of this file. Use your judgement before putting words
|
||||
# in here or you can miss really important events. The default is to leave
|
||||
# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some
|
||||
# grep's will assume that an EMPTY file means a wildcard and will ignore
|
||||
# everything! The basic configuration allows for the more frequent sendmail
|
||||
# error.
|
||||
#
|
||||
# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
|
||||
|
||||
VIOLATIONS_IGNORE_FILE=/etc/logsentry/logsentry.violations.ignore
|
||||
|
||||
# This is the name of a file that contains patterns that we should
|
||||
# ignore if found in a log file. If you have repeated false alarms
|
||||
# or want specific errors ignored, you should put them in here.
|
||||
# Once again, be as specific as possible, and go easy on the wildcards
|
||||
|
||||
IGNORE_FILE=/etc/logsentry/logsentry.ignore
|
||||
|
||||
# The files are reported in the order of hacking, security
|
||||
# violations, and unusual system events. Notice that this
|
||||
# script uses the principle of "That which is not explicitely
|
||||
# ignored is reported" in that the script will report all items
|
||||
# that you do not tell it to ignore specificially. Be careful
|
||||
# how you use wildcards in the logcheck.ignore file or you
|
||||
# may miss important entries.
|
||||
|
||||
# Make sure we really did clean up from the last run.
|
||||
# Also this ensures that people aren't trying to trick us into
|
||||
# overwriting files that we aren't supposed to. This is still a race
|
||||
# condition, but if you are in a temp directory that does not have
|
||||
# generic luser access it is not a problem. Do not allow this program
|
||||
# to write to a generic /tmp directory where others can watch and/or
|
||||
# create files!!
|
||||
|
||||
# Shouldn't need to touch these...
|
||||
HOSTNAME=`hostname`
|
||||
DATE=`date +%m/%d/%y:%H.%M`
|
||||
|
||||
umask 077
|
||||
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
|
||||
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
|
||||
echo "Log files exist in $TMPDIR directory that cannot be removed. This
|
||||
may be an attempt to spoof the log checker." \
|
||||
| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# LOG FILE CONFIGURATION SECTION
|
||||
# You might have to customize these entries depending on how
|
||||
# you have syslogd configured. Be sure you check all relevant logs.
|
||||
# The logtail utility is required to read and mark log files.
|
||||
# See INSTALL for more information. Again, using one log file
|
||||
# is preferred and is easier to manage. Be sure you know what the
|
||||
# > and >> operators do before you change them. LOG FILES SHOULD
|
||||
# ALWAYS BE chmod 600 OWNER root!!
|
||||
|
||||
# Generic and Linux Slackware 3.x
|
||||
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||
|
||||
# OpenBSD 2.x, 3.x
|
||||
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
|
||||
$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$
|
||||
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
|
||||
$LOGTAIL /var/log/daemon >> $TMPDIR/check.$$
|
||||
$LOGTAIL /var/log/xferlog >> $TMPDIR/check.$$
|
||||
|
||||
# Linux Red Hat Version 3.x, 4.x
|
||||
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
|
||||
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
|
||||
|
||||
# FreeBSD 2.x
|
||||
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
|
||||
|
||||
# BSDI 2.x
|
||||
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
|
||||
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
|
||||
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
|
||||
#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
|
||||
# Un-comment out the line below if you are using BSDI 2.1
|
||||
#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$
|
||||
|
||||
# SunOS, Sun Solaris 2.5
|
||||
#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
|
||||
#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$
|
||||
|
||||
# HPUX 10.x and others(?)
|
||||
#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$
|
||||
|
||||
# Digital OSF/1
|
||||
# OSF/1 - uses rotating log directory with date & time in name
|
||||
# LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print`
|
||||
# LOGDIR=`ls -dtr1 $LOGDIRS | tail -1`
|
||||
# if [ ! -d "$LOGDIR" ]
|
||||
# then
|
||||
# echo "Can't identify current log directory." >> $TMPDIR/checkrepo$
|
||||
# else
|
||||
# $LOGTAIL $LOGDIR/auth.log >> $TMPDIR/check.$$
|
||||
# $LOGTAIL $LOGDIR/daemon.log >> $TMPDIR/check.$$
|
||||
# $LOGTAIL $LOGDIR/kern.log >> $TMPDIR/check.$$
|
||||
# $LOGTAIL $LOGDIR/lpr.log >> $TMPDIR/check.$$
|
||||
# $LOGTAIL $LOGDIR/mail.log >> $TMPDIR/check.$$
|
||||
# $LOGTAIL $LOGDIR/syslog.log >> $TMPDIR/check.$$
|
||||
# $LOGTAIL $LOGDIR/user.log >> $TMPDIR/check.$$
|
||||
# fi
|
||||
#
|
||||
|
||||
|
||||
|
||||
# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
|
||||
# BELOW THIS LINE.
|
||||
|
||||
# Set the flag variables
|
||||
FOUND=0
|
||||
ATTACK=0
|
||||
|
||||
# See if the tmp file exists and actually has data to check,
|
||||
# if it doesn't we should erase it and exit as our job is done.
|
||||
|
||||
if [ ! -s $TMPDIR/check.$$ ]; then
|
||||
rm -f $TMPDIR/check.$$
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Perform Searches
|
||||
|
||||
# Check for blatant hacking attempts
|
||||
if [ -f "$HACKING_FILE" ]; then
|
||||
if $GREP -i -f $HACKING_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
|
||||
echo >> $TMPDIR/checkreport.$$
|
||||
echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
|
||||
echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
|
||||
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
|
||||
FOUND=1
|
||||
ATTACK=1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check for security violations
|
||||
if [ -f "$VIOLATIONS_FILE" ]; then
|
||||
if $GREP -i -f $VIOLATIONS_FILE $TMPDIR/check.$$ |
|
||||
$GREP -v -f $VIOLATIONS_IGNORE_FILE > $TMPDIR/checkoutput.$$; then
|
||||
echo >> $TMPDIR/checkreport.$$
|
||||
echo "Security Violations" >> $TMPDIR/checkreport.$$
|
||||
echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
|
||||
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
|
||||
FOUND=1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Do reverse grep on patterns we want to ignore
|
||||
if [ -f "$IGNORE_FILE" ]; then
|
||||
if $GREP -v -f $IGNORE_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
|
||||
echo >> $TMPDIR/checkreport.$$
|
||||
echo "Unusual System Events" >> $TMPDIR/checkreport.$$
|
||||
echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
|
||||
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
|
||||
FOUND=1
|
||||
fi
|
||||
fi
|
||||
|
||||
# If there are results, mail them to sysadmin
|
||||
|
||||
if [ "$ATTACK" -eq 1 ]; then
|
||||
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
|
||||
elif [ "$FOUND" -eq 1 ]; then
|
||||
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
|
||||
fi
|
||||
|
||||
# Clean Up
|
||||
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
|
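Review bot: the script never verifies that `$TMPDIR` (`/var/cache/logsentry`) exists, and nothing in this change creates it, so a missing directory turns into a silent no-op: every `$LOGTAIL /var/log/... > $TMPDIR/check.$$` redirect fails, `if [ ! -s $TMPDIR/check.$$ ]; then` is true, and the script exits 0 without mailing anything, which the hourly cron run will never report. Suggest a guard before the `rm -f` block, e.g. `[ -d "$TMPDIR" ] || { echo "$TMPDIR missing" | $MAIL -s "$HOSTNAME $DATE logsentry misconfigured" $SYSADMIN; exit 1; }`, and quoting `"$TMPDIR"` in the `rm -f`/`[ -f ... ]` lines while touching them. Related: the violations stage checks `-f "$VIOLATIONS_FILE"` but not `$VIOLATIONS_IGNORE_FILE`; if that file is absent the `$GREP -v -f $VIOLATIONS_IGNORE_FILE` pipeline fails, the `if` is false, and the "Security Violations" section is dropped with no error, so the same existence check belongs there (the header comment's warning about an empty file applies for the same reason).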
9
roles/logsentry/files/logsentry.violations.ignore
Normal file
|
@ -0,0 +1,9 @@
|
|||
stat=Deferred
|
||||
unbound:.*info: server stats for
|
||||
smtpd.*smtp connected address=127.0.0.1 host=localhost
|
||||
smtpd.*smtp connected address=local
|
||||
smtpd.*smtp disconnected reason=quit
|
||||
smtpd.*smtp envelope evpid=
|
||||
smtpd.*smtp message msgid=
|
||||
nrpe.*: INFO: SSL Socket Shutdown.
|
||||
collectd.*: exec plugin: Failed to execute
|
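Review bot: `stat=Deferred` is a sendmail-specific pattern carried over from the upstream logcheck defaults; on this OpenBSD host, where the other entries are all smtpd, nrpe, unbound and collectd messages, it never matches and can be dropped, as long as the file is never left empty (the script header in this change warns that some greps treat an empty `-f` file as match-all). Two caveats for whoever edits this file next, since it feeds `$GREP -v -f` directly: grep treats every line as a pattern, so it cannot carry comments (a `#` line would become a suppression pattern of its own), and a blank line is an empty pattern that matches everything, which with `-v` would silently discard the entire "Security Violations" section; a note in the role README rather than in the file is the place to say that the overlap with `logsentry.ignore` (the smtpd lines and `nrpe.*: INFO: SSL Socket Shutdown.`) is intentional because the two files filter different stages. As in the other pattern file, `address=127.0.0.1` should be `address=127\.0\.0\.1`.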
49
roles/logsentry/tasks/main.yml
Normal file
|
@ -0,0 +1,49 @@
|
|||
---
|
||||
- name: Install logsentry
|
||||
openbsd_pkg:
|
||||
name:
|
||||
- logsentry--
|
||||
state: present
|
||||
tags:
|
||||
- logsentry
|
||||
|
||||
- name: Copy logsentry script to /usr/share/scripts
|
||||
copy:
|
||||
src: logsentry.sh
|
||||
dest: /usr/share/scripts/logsentry.sh
|
||||
owner: root
|
||||
group: wheel
|
||||
mode: "0644"
|
||||
tags:
|
||||
- logsentry
|
||||
|
||||
- name: Copy logsentry.ignore configuration
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/logsentry/logsentry.ignore
|
||||
with_first_found:
|
||||
- "files/logsentry/logsentry.ignore"
|
||||
- "logsentry.ignore"
|
||||
tags:
|
||||
- logsentry
|
||||
- config
|
||||
|
||||
- name: Copy logsentry.violations.ignore configuration
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/logsentry/logsentry.violations.ignore
|
||||
with_first_found:
|
||||
- "files/logsentry/logsentry.violations.ignore"
|
||||
- "logsentry.violations.ignore"
|
||||
tags:
|
||||
- logsentry
|
||||
- config
|
||||
|
||||
- name: hourly cron job for logsentry.sh is installed
|
||||
cron:
|
||||
name: logsentry
|
||||
minute: "11"
|
||||
job: >
|
||||
/bin/sh /usr/share/scripts/logsentry.sh
|
||||
tags:
|
||||
- logsentry
|
|
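Review bot: the two `copy` tasks for `logsentry.ignore` and `logsentry.violations.ignore` set no `owner`, `group` or `mode`, unlike the script task above them, so the resulting permissions depend on the controller's umask; suggest adding `owner: root`, `group: wheel` and `mode: "0600"` (or `"0644"` if the files are meant to be readable) so the suppression lists are as controlled as the script that consumes them. Nothing here ensures the directories the script and the copies depend on exist: `/etc/logsentry` for the `dest` paths and `/var/cache/logsentry` for the script's `TMPDIR`, which the script header insists must not be publicly writable; if the package does not create them, a `file: state=directory, mode="0700"` task before the copies makes the dependency explicit. Two smaller points: the `cron` task has no `user:`, so it is worth stating `user: root` rather than relying on the connecting account, and `job: >` is a folded scalar that keeps a trailing newline, so `job: >-` (or a plain one-line string) is the safer form for a crontab entry.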
@ -1,11 +1,9 @@
|
|||
---
|
||||