diff --git a/CHANGELOG.md b/CHANGELOG.md index 27e6e8ae..bb77041b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,31 @@ The **patch** part changes incrementally at each release. ### Security +## [9.5.0] - 2018-11-14 + +### Added +* apache: separate task to update IP whitelist +* evolinux-base: install man package +* evolinux-users: add newaliases handler +* evomaintenance: FROM domain is configurable +* fail2ban: separate task to update IP whitelist +* nginx: add tag for ips management +* nginx: separate task to update IP whitelist +* postfix: enable SSL/TLS client +* ssl: add an SSL role for certificates deployment +* haproxy: add vars for tls configuration +* mysql: logdir can be customized + +### Changed +* evocheck: update script from upstream +* evomaintenance: update script from upstream +* mysql: restart service if systemd unit has been patched + +### Fixed +* packweb-apache: mod-security config is already included elsewhere +* redis: for permissions on log and lib directories +* redis: fix shell for instance users + ## [9.4.2] - 2018-10-12 ### Added diff --git a/apache/README.md b/apache/README.md index 40e17499..c6f6a91e 100644 --- a/apache/README.md +++ b/apache/README.md @@ -6,6 +6,8 @@ Install Apache Everything is in the `tasks/main.yml` file for now. +An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role. + ## Available variables Main variables are : diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index 03598682..b785c704 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml 
@@ -10,26 +10,9 @@ force: no tags: - apache - -- name: add IP addresses to private IP whitelist - lineinfile: - dest: /etc/apache2/ipaddr_whitelist.conf - line: "Require ip {{ item }}" - state: present - with_items: "{{ apache_ipaddr_whitelist_present }}" - notify: reload apache - tags: - - apache - -- name: remove IP addresses from private IP whitelist - lineinfile: - dest: /etc/apache2/ipaddr_whitelist.conf - line: "Require ip {{ item }}" - state: absent - with_items: "{{ apache_ipaddr_whitelist_absent }}" - notify: reload apache - tags: - - apache + +- name: Load IP whitelist task + include: ip_whitelist.yml - name: include private IP whitelist for server-status lineinfile: diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml new file mode 100644 index 00000000..ac2b6f87 --- /dev/null +++ b/apache/tasks/ip_whitelist.yml @@ -0,0 +1,23 @@ +--- + +- name: add IP addresses to private IP whitelist + lineinfile: + dest: /etc/apache2/ipaddr_whitelist.conf + line: "Require ip {{ item }}" + state: present + with_items: "{{ apache_ipaddr_whitelist_present }}" + notify: reload apache + tags: + - apache + - ips + +- name: remove IP addresses from private IP whitelist + lineinfile: + dest: /etc/apache2/ipaddr_whitelist.conf + line: "Require ip {{ item }}" + state: absent + with_items: "{{ apache_ipaddr_whitelist_absent }}" + notify: reload apache + tags: + - apache + - ips diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 200f0471..a8be7eec 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -5,7 +5,7 @@ # powered by Evolix # Repository: https://gitlab.evolix.org/evolix/evocheck -# Commit: d5a02b343f2e8e9a0b6fcd10b6b5a5d1e8c9af03 +# Commit: 956877442a3f43243fed89c491d9bdddd1ac77cd # Disable LANG* export LANG=C 
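Review bot: In the new `apache/tasks/ip_whitelist.yml`, an address listed in both `apache_ipaddr_whitelist_present` and `apache_ipaddr_whitelist_absent` is silently removed, because the second `lineinfile` task runs last with the identical `line`; the same applies to the new `nginx/tasks/ip_whitelist.yml` later in this change. A guard before the two tasks makes the conflict explicit: `- assert:` with `that: apache_ipaddr_whitelist_present | intersect(apache_ipaddr_whitelist_absent) | length == 0` (and the `nginx_` pair in the nginx file). Neither task checks that an item is an address or CIDR, so a malformed value is written verbatim and only surfaces when the `reload apache` handler fails; a comment on `line:` saying the values go unchecked into a `Require ip` directive would warn callers.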
@@ -105,6 +105,10 @@ IS_EVOBACKUP=1 IS_DUPLICATE_FS_LABEL=1 IS_EVOMAINTENANCE_FW=1 IS_EVOLIX_USER=1 +IS_EVOACME_CRON=1 +IS_EVOACME_LIVELINKS=1 +IS_APACHE_CONFENABLED=1 +IS_MELTDOWN_SPECTRE=1 #Proper to OpenBSD IS_SOFTDEP=1 @@ -143,7 +147,7 @@ is_pack_samba(){ is_installed(){ for pkg in $*; do - dpkg -l $pkg 2>/dev/null |grep -q -E '^(i|h)i' || return 1 + dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1 done } @@ -359,7 +363,7 @@ if [ -e /etc/debian_version ]; then if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then if [ -f "$MINIFW_FILE" ]; then rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") - if [ "$rulesNumber" -lt 4 ]; then + if [ "$rulesNumber" -lt 2 ]; then echo 'IS_EVOMAINTENANCE_FW FAILED!' fi fi @@ -521,7 +525,9 @@ if [ -e /etc/debian_version ]; then # Check if no package has been upgraded since $limit. if [ "$IS_NOTUPGRADED" = 1 ]; then - last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) + if zgrep -hq upgrade /var/log/dpkg.log*; then + last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) + fi if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ || grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then # Manual upgrade process @@ -530,8 +536,8 @@ if [ -e /etc/debian_version ]; then # Regular process limit=$(date +%s -d "now - 90 days") fi - if [ -f /var/log/evolinux/00_prepare_system.log ]; then - install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log) + if [ -d /var/log/installer ]; then + install_date=$(stat -c %Z /var/log/installer) else install_date=0 fi 
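Review bot: In the IS_NOTUPGRADED hunk, when `zgrep -hq upgrade /var/log/dpkg.log*` matches nothing, `last_upgrade` is left unset and whatever comparison follows below the hunk (outside this view) sees an empty string instead of a timestamp; an `else` branch, e.g. `else last_upgrade=0; fi`, keeps that test well-defined, if a never-upgraded host is meant to count as stale. The `date +%s -d $(...)` argument is still unquoted, so any multi-word result is word-split. In the IS_EVOMAINTENANCE_FW hunk the threshold drops from 4 to 2 without a comment; a line above the test stating how many matching rules the firewall file is expected to contain, and why, would record the reason. The enclosing `if [ -e /etc/debian_version ]` block starts and ends outside these hunks.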
@@ -769,6 +775,71 @@ if [ -e /etc/debian_version ]; then if [ "$IS_EVOLIX_USER" = 1 ]; then getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!' fi + + if [ "$IS_EVOACME_CRON" = 1 ]; then + if [ -f "/usr/local/sbin/evoacme" ]; then + # Old cron file, should be deleted + test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!' + # evoacme cron file should be present + test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!' + fi + fi + + if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then + if [ -x "$(which evoacme)" ]; then + # Sometimes evoacme is installed but no certificates has been generated + numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) + if [ $numberOfLinks -gt 0 ]; then + for live in /etc/letsencrypt/*/live; do + actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11) + actualCertDate=$(cut -d'/' -f5 <<< $actualLink) + liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9) + certDir=${liveDir%%/live} + lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1) + lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir) + if [[ "$actualCertDate" != "$lastCertDate" ]]; then + echo 'IS_EVOACME_LIVELINKS FAILED!' + break + fi + done + fi + fi + fi + + if [ "$IS_APACHE_CONFENABLED" = 1 ]; then + # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ + # must be replaced by conf-available/ and config files symlinked + # to conf-enabled/ + if is_debianversion jessie || is_debianversion stretch; then + if [ -f /etc/apache2/apache2.conf ]; then + test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!' + grep -q 'Include conf.d' /etc/apache2/apache2.conf && \ + echo 'IS_APACHE_CONFENABLED FAILED!' + fi + fi + fi + + if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then + # For Stretch, detection is easy as the kernel use + # /sys/devices/system/cpu/vulnerabilities/ + if is_debianversion stretch; then + for vuln in meltdown spectre_v1 spectre_v2; do + test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!' 
+ done + # For Jessie this is quite complicated to verify and we need to use kernel config file + elif is_debianversion jessie; then + if grep -q BOOT_IMAGE= /proc/cmdline; then + kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) + kernelVer=${kernelPath##*/vmlinuz-} + kernelConfig="config-${kernelVer}" + # Sometimes autodetection of kernel config file fail, so we test if the file really exists. + if [ -f /boot/$kernelConfig ]; then + grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!' + grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!' + fi + fi + fi + fi fi diff --git a/evolinux-base/tasks/etc-evolinux.yml b/evolinux-base/tasks/etc-evolinux.yml index d6562e68..fddc82a8 100644 --- a/evolinux-base/tasks/etc-evolinux.yml +++ b/evolinux-base/tasks/etc-evolinux.yml @@ -1,6 +1,6 @@ --- -### This is taken care of by the evolinux-todo role +### This is taken care of by the evolinux-todo role # - name: /etc/evolinux exists # file: # dest: /etc/evolinux diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 74b41667..e50045ed 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -33,6 +33,7 @@ - curl - telnet - traceroute + - man when: evolinux_packages_diagnostic - name: Install/Update hardware tools diff --git a/evolinux-users/handlers/main.yml b/evolinux-users/handlers/main.yml index 290a2c8c..a94909a5 100644 --- a/evolinux-users/handlers/main.yml +++ b/evolinux-users/handlers/main.yml @@ -3,3 +3,7 @@ service: name: sshd state: reloaded + +- name: newaliases + command: newaliases + changed_when: False diff --git a/evomaintenance/defaults/main.yml b/evomaintenance/defaults/main.yml index 6ad55a9b..462f25a6 100644 --- a/evomaintenance/defaults/main.yml +++ b/evomaintenance/defaults/main.yml 
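Review bot: The Stretch branch of the new IS_MELTDOWN_SPECTRE check only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, but a kernel that provides that file still reports `Vulnerable` in it when the mitigation is disabled, so the check passes on an unmitigated host. Reading the content is what establishes the mitigation: `grep -qE '^(Mitigation|Not affected)' /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'`. In the IS_EVOACME_LIVELINKS branch, `ls -lhad $live | tr -s ' ' | cut -d' ' -f 11` depends on the exact column layout of `ls` and `$numberOfLinks` is unquoted inside `[ ]`; `readlink -f "$live"` yields the link target directly. The enclosing `if [ -e /etc/debian_version ]` block starts before this hunk.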
@@ -22,7 +22,8 @@ evomaintenance_pg_passwd: Null evomaintenance_pg_db: Null evomaintenance_pg_table: Null -evomaintenance_from: "evomaintenance@{{ evolinux_internal_fqdn }}" +evomaintenance_from_domain: "{{ evolinux_internal_fqdn }}" +evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" evomaintenance_urgency_from: mama.doe@example.com diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh index 2e01c022..1d22d711 100644 --- a/evomaintenance/files/evomaintenance.sh +++ b/evomaintenance/files/evomaintenance.sh @@ -185,7 +185,7 @@ fi SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"` PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')" -echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} --quiet +echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} # send mail MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@") diff --git a/fail2ban/README.md b/fail2ban/README.md index 99ab0ae3..3689aa48 100644 --- a/fail2ban/README.md +++ b/fail2ban/README.md @@ -6,6 +6,8 @@ Install Fail2ban. Everything is in the `tasks/main.yml` file. +An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role. + ## Available variables Main variables are : diff --git a/fail2ban/tasks/ip_whitelist.yml b/fail2ban/tasks/ip_whitelist.yml new file mode 100644 index 00000000..3bdd05f3 --- /dev/null +++ b/fail2ban/tasks/ip_whitelist.yml @@ -0,0 +1,10 @@ +--- +- name: Update ignoreips lists + ini_file: + dest: /etc/fail2ban/jail.local + section: "[DEFAULT]" + option: "ignoreips" + value: "{{ fail2ban_ignore_ips | join(' ') }}" + notify: restart fail2ban + tags: + - fail2ban diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index db6af2d4..f8b20694 100644 
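Review bot: In the new `fail2ban/tasks/ip_whitelist.yml`, `section: "[DEFAULT]"` hands the brackets to `ini_file`, which adds its own, so the task matches or creates a `[[DEFAULT]]` header rather than fail2ban's `[DEFAULT]`, and the fail2ban option is spelled `ignoreip`, not `ignoreips`. The task is moved unchanged from `main.yml`, so this is inherited, but unless the existing `jail.local` was written to match those exact names the whitelist likely never reaches fail2ban — worth confirming on a managed host. The intended lines are `section: DEFAULT` and `option: ignoreip`. With an empty `fail2ban_ignore_ips` the value becomes `""`, which would override the loopback default from `jail.conf`; a comment on the task should state that the list must be complete.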
--- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -28,13 +28,8 @@ tags: - fail2ban -- name: update ignoreips lists - ini_file: - dest: /etc/fail2ban/jail.local - section: "[DEFAULT]" - option: "ignoreips" - value: "{{ fail2ban_ignore_ips | join(' ') }}" - notify: restart fail2ban +- name: Include ignoredips update task + include: ip_whitelist.yml when: fail2ban_force_update_ignore_ips tags: - fail2ban diff --git a/haproxy/vars/main.yml b/haproxy/vars/main.yml new file mode 100644 index 00000000..83bcbe1c --- /dev/null +++ b/haproxy/vars/main.yml 
@@ -0,0 +1,21 @@ +--- +haproxy_ssl_old: | + # TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => old profile + tune.ssl.default-dh-param 1024 + ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP + ssl-default-bind-options no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP + ssl-default-server-options no-tls-tickets 
+haproxy_ssl_intermediate: | + # TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => intermediate profile + tune.ssl.default-dh-param 2048 + ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + ssl-default-bind-options no-sslv3 no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + ssl-default-server-options no-sslv3 no-tls-tickets +haproxy_ssl_modern: | + # TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => modern profile + ssl-default-bind-ciphers 
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets diff --git a/minifirewall/tasks/nrpe.yml b/minifirewall/tasks/nrpe.yml index 3893e5c9..20629ad0 100644 --- a/minifirewall/tasks/nrpe.yml +++ b/minifirewall/tasks/nrpe.yml @@ -41,7 +41,7 @@ stat: path: /etc/nagios/nrpe.d/evolix.cfg register: nrpe_evolix_cfg - + - name: check_minifirewall is available for NRPE lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 52bf8b07..c2cfa4b0 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -13,6 +13,7 @@ mysql_replace_root_with_mysqladmin: True mysql_custom_datadir: '' mysql_custom_tmpdir: '' +mysql_custom_logdir: '' mysql_thread_cache_size: '{{ ansible_processor_cores }}' mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M' diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index e7ce1772..0725ee1f 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -37,8 +37,9 @@ force: yes register: mariadb_systemd_override -- name: reload systemd +- name: reload systemd and restart MariaDB systemd: name: mysql daemon_reload: yes + notify: "{{ mysql_restart_handler_name }}" when: mariadb_systemd_override.changed 
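Review bot: `haproxy_ssl_old` sets `tune.ssl.default-dh-param 1024` and keeps 3DES and `HIGH:SEED` in its cipher lists; that matches the Mozilla "old" profile the comment links, but 1024-bit DHE is below current guidance, so the block comment should say that this profile exists only for legacy-client compatibility, e.g. `# legacy clients only — prefer haproxy_ssl_intermediate`. The three profiles live in `vars/main.yml`, which outranks inventory and role defaults, so an operator cannot adjust a list without `--extra-vars`; if tuning is expected, `defaults/main.yml` is the usual place. `haproxy_ssl_modern` omits `tune.ssl.default-dh-param`, which is consistent with its ECDHE-only cipher list.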
diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml new file mode 100644 index 00000000..a1b3a8d8 --- /dev/null +++ b/mysql/tasks/logdir.yml @@ -0,0 +1,45 @@ +--- + +- block: + - name: "Is {{ mysql_custom_logdir }} present ?" + stat: + path: "{{ mysql_custom_logdir }}" + check_mode: no + register: mysql_custom_logdir_test + + - name: "read the real logdir" + command: readlink -f /var/log/mysql + changed_when: False + check_mode: no + register: mysql_current_real_logdir_test + tags: + - mysql + when: mysql_custom_logdir != '' + +- block: + - name: MySQL is stopped + service: + name: mysql + state: stopped + + - name: Move MySQL logdir to {{ mysql_custom_logdir }} + command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }} + args: + creates: "{{ mysql_custom_logdir }}" + + - name: Symlink {{ mysql_custom_logdir }} to /var/log/mysql + file: + src: "{{ mysql_custom_logdir }}" + dest: '/var/log/mysql' + state: link + + - name: MySQL is started + service: + name: mysql + state: started + tags: + - mysql + when: + - mysql_custom_logdir != '' + - mysql_custom_logdir != mysql_current_real_logdir_test.stdout + - not mysql_custom_logdir_test.stat.exists diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index 9f9c07f4..8e14c8de 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -23,6 +23,8 @@ - include: datadir.yml +- include: logdir.yml + - include: tmpdir.yml - include: nrpe.yml diff --git a/nginx/README.md b/nginx/README.md index 96d061ed..48a875ce 100644 --- a/nginx/README.md +++ b/nginx/README.md @@ -12,6 +12,8 @@ The minimal mode is for servers without real web apps, and only access to munin The regular mode is for full fledged web services with optimized defaults. +An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role. + ## Available variables Main variables are : 
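Review bot: In the second block of the new `mysql/tasks/logdir.yml`, MySQL is stopped before the `mv` and symlink steps, but the block has no `rescue` or `always`, so a failure in `mv` or `file` (for instance when the parent of `mysql_custom_logdir` does not exist) leaves the service down. Moving the final start task into an `always:` keeps the outage bounded to the task itself while the failure still propagates. The `command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }}` arguments are unquoted, so a path containing spaces is split into several arguments; quoting both expansions avoids that. If an AppArmor profile for mysqld is enforced on these hosts, the symlinked log directory may be denied — a comment noting where the custom path must also be allowed would help, if that applies.
```yaml
- block:
    - name: MySQL is stopped
      service:
        name: mysql
        state: stopped

    - name: Move MySQL logdir to {{ mysql_custom_logdir }}
      command: mv "{{ mysql_current_real_logdir_test.stdout }}" "{{ mysql_custom_logdir }}"
      args:
        creates: "{{ mysql_custom_logdir }}"

    # … unchanged: symlink task …
  always:
    - name: MySQL is started
      service:
        name: mysql
        state: started
  tags:
    - mysql
  # … unchanged: the three `when` conditions …
```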
diff --git a/nginx/tasks/ip_whitelist.yml b/nginx/tasks/ip_whitelist.yml new file mode 100644 index 00000000..10cdcc37 --- /dev/null +++ b/nginx/tasks/ip_whitelist.yml @@ -0,0 +1,23 @@ +--- + +- name: add IP addresses to private IP whitelist + lineinfile: + dest: /etc/nginx/snippets/ipaddr_whitelist + line: "allow {{ item }};" + state: present + with_items: "{{ nginx_ipaddr_whitelist_present }}" + notify: reload nginx + tags: + - nginx + - ips + +- name: remove IP addresses from private IP whitelist + lineinfile: + dest: /etc/nginx/snippets/ipaddr_whitelist + line: "allow {{ item }};" + state: absent + with_items: "{{ nginx_ipaddr_whitelist_absent }}" + notify: reload nginx + tags: + - nginx + - ips diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index 559bc5d1..f3c31d56 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -49,26 +49,10 @@ notify: reload nginx tags: - nginx + - ips -- name: add IP addresses to private IP whitelist - lineinfile: - dest: /etc/nginx/snippets/ipaddr_whitelist - line: "allow {{ item }};" - state: present - with_items: "{{ nginx_ipaddr_whitelist_present }}" - notify: reload nginx - tags: - - nginx - -- name: remove IP addresses from private IP whitelist - lineinfile: - dest: /etc/nginx/snippets/ipaddr_whitelist - line: "allow {{ item }};" - state: absent - with_items: "{{ nginx_ipaddr_whitelist_absent }}" - notify: reload nginx - tags: - - nginx +- name: Include IP address whitelist task + include: ip_whitelist.yml - name: Copy private_htpasswd copy: diff --git a/packweb-apache/files/evolinux-modsec.conf b/packweb-apache/files/evolinux-modsec.conf index d78c0d9f..4cc0c777 100644 --- a/packweb-apache/files/evolinux-modsec.conf +++ b/packweb-apache/files/evolinux-modsec.conf 
@@ -18,7 +18,7 @@ SecUploadKeepFiles Off # default action SecDefaultAction "log,auditlog,deny,status:406,phase:2" -SecAuditEngine RelevantOnly +SecAuditEngine Off #SecAuditLogRelevantStatus "^[45]" # use only one log file SecAuditLogType Serial @@ -39,10 +39,9 @@ SecTmpDir /tmp # RULES ######### -# File name -SecRule REQUEST_FILENAME "modsecuritytest1" "id:1" -# Complete URI -SecRule REQUEST_URI "modsecuritytest2" "id:2" -SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3" +# Removed because it does not play well with apache-itk +# Can be removed when modsecurity 2.9.3 hits debian +# See https://github.com/SpiderLabs/ModSecurity/issues/712 +SecRuleRemoveById "910000-910999" diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index b24c9ae6..230fb41a 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -71,3 +71,9 @@ - include: fhs_retrictions.yml when: packweb_fhs_retrictions + +- name: Periodically cache ftp directory sizes for ftpadmin.sh + cron: + name: "ProFTPd directory size caching" + special_time: daily + job: "/usr/share/scripts/evoadmin/stats.sh" diff --git a/postfix/templates/evolinux_main.cf.j2 b/postfix/templates/evolinux_main.cf.j2 index e42a413f..b4499958 100644 --- a/postfix/templates/evolinux_main.cf.j2 +++ b/postfix/templates/evolinux_main.cf.j2 @@ -13,6 +13,12 @@ recipient_delimiter = + inet_interfaces = all inet_protocols = ipv4 disable_vrfy_command = yes +# enable SSL/TLS client +smtp_tls_security_level = may +smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtp_tls_protocols=!SSLv2,!SSLv3 +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtp_tls_loglevel = 1 {% if postfix_slow_transport_include == True %} # Slow transports configuration diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 9f14ec50..bee7fe53 100644 --- a/postfix/templates/packmail_main.cf.j2 
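Review bot: `SecAuditEngine Off` in `evolinux-modsec.conf` disables the audit log entirely, so requests that the `SecDefaultAction` line still denies with status 406 leave no record beyond the Apache error log; from a detection standpoint that is a loss, and the hunk gives no reason. If the aim was to cut noise, `SecAuditEngine RelevantOnly` together with the still-commented `SecAuditLogRelevantStatus "^[45]"` keeps only denied and errored requests. At minimum a comment above the directive, such as `# audit log disabled: <reason>`, would document the choice. The comment on the new `SecRuleRemoveById "910000-910999"` cites an upstream issue and a future version; naming the ruleset those IDs belong to would make the removal reviewable later.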
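Review bot: The new `cron` task in `packweb-apache/tasks/main.yml` has no `user:`, so `/usr/share/scripts/evoadmin/stats.sh` runs daily as root. If the script only sizes FTP directories, a dedicated low-privilege account limits what a bug in it can touch; if root is genuinely required, stating `user: root` explicitly records that decision. The script itself is outside this change, so its actual privilege needs cannot be seen here.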
+++ b/postfix/templates/packmail_main.cf.j2 @@ -389,11 +389,19 @@ strict_rfc821_envelopes = yes # Section : Chiffrement ####################### +smtpd_tls_security_level = may +smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtpd_tls_protocols=!SSLv2,!SSLv3 +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtpd_tls_loglevel = 1 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key -smtpd_use_tls=yes -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + +smtp_tls_security_level = may +smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtp_tls_protocols=!SSLv2,!SSLv3 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtp_tls_loglevel = 1 # SASL smtpd_sasl_auth_enable = yes diff --git a/redis/tasks/instances.yml b/redis/tasks/instances.yml index 151f47b4..02fe4892 100644 --- a/redis/tasks/instances.yml +++ b/redis/tasks/instances.yml @@ -38,7 +38,7 @@ group: name: "redis-{{ redis_instance_name }}" state: present - system: True + system: True tags: - redis @@ -47,8 +47,8 @@ name: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" state: present - system: True - shell: '/bin/falase' + system: True + shell: '/bin/false' tags: - redis @@ -60,7 +60,9 @@ owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" with_items: + - "/var/lib/redis" - "{{ redis_dbdir }}" + - "/var/log/redis" - "{{ redis_logfile | dirname }}" tags: - redis diff --git a/ssl/README.md b/ssl/README.md new file mode 100644 index 00000000..d7894047 --- /dev/null +++ b/ssl/README.md @@ -0,0 +1,9 @@ +# ssl + +Deploy SSL certificate, key, dhparams and concatenate them when needed (eg. with Haproxy). + +## Available variables + +* `ssl_cert`: name of SSL certificate which is going to be deployed + +eg. `ssl_cert: "example.com"` deploy files/ssl/example.com.{pem|key|dhp} 
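Review bot: The extended `with_items` list in `redis/tasks/instances.yml` now applies `owner: "redis-{{ redis_instance_name }}"` to the shared parents `/var/lib/redis` and `/var/log/redis`, so with several instances the last one provisioned owns the directory holding every instance's data and logs, and that user can rename or replace sibling instances' directories. The shared parents should stay root-owned with a mode that lets instance users traverse, and only `{{ redis_dbdir }}` and `{{ redis_logfile | dirname }}` should carry the instance ownership; a separate `file:` task with `owner: root` for the two parents is the simplest split. The task's `mode:` is outside the hunk, so whether the directories are group- or world-readable cannot be seen here.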
diff --git a/ssl/handlers/main.yml b/ssl/handlers/main.yml
new file mode 100644
index 00000000..3393e45a
--- /dev/null
+++ b/ssl/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload haproxy
+  service:
+    name: haproxy
+    state: reloaded
diff --git a/ssl/meta/main.yml b/ssl/meta/main.yml
new file mode 100644
index 00000000..11377af9
--- /dev/null
+++ b/ssl/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+  author: Evolix
+  description: Deployment of SSL certificate, key and dhparams
+
+  issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+  license: GPLv2
+
+  min_ansible_version: 2.2
+
+  platforms:
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.
diff --git a/ssl/tasks/haproxy.yml b/ssl/tasks/haproxy.yml
new file mode 100644
index 00000000..2ba30ac9
--- /dev/null
+++ b/ssl/tasks/haproxy.yml
@@ -0,0 +1,33 @@
+---
+- name: Concatenate SSL certificate, key and dhparam
+  set_fact:
+    ssl_cat: "{{ ssl_cat | default() }}{{ lookup('file', item) }}\n"
+  with_fileglob:
+    - "ssl/{{ ssl_cert }}.pem"
+    - "ssl/{{ ssl_cert }}.key"
+    - "ssl/{{ ssl_cert }}.dhp"
+  tags:
+    - ssl
+
+- name: Create haproxy ssl directory
+  file:
+    dest: /etc/haproxy/ssl
+    state: directory
+    mode: "0700"
+  tags:
+    - ssl
+
+- name: Copy concatenated certificate and key
+  copy:
+    content: "{{ ssl_cat }}"
+    dest: "/etc/haproxy/ssl/{{ ssl_cert }}.pem"
+    mode: "0600"
+  notify: reload haproxy
+  tags:
+    - ssl
+
+- name: Reset ssl_cat variable
+  set_fact:
+    ssl_cat: ""
+  tags:
+    - ssl
diff --git a/ssl/tasks/main.yml b/ssl/tasks/main.yml
new file mode 100644
index 00000000..a739f449
--- /dev/null
+++ b/ssl/tasks/main.yml
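Review bot: In the new `ssl/tasks/haproxy.yml`, the `set_fact` task reads the private key through `lookup('file', ...)` into `ssl_cat` and the `copy` task writes it via `content:`, so the key material shows up in task output under `-v`/`--diff` and, depending on fact-cache settings, may persist until the final reset; both tasks should carry `no_log: true`. The `Reset ssl_cat variable` step runs only if the copy succeeds, so on failure the key stays in the fact for the rest of the play; placing the reset in an `always:` makes it unconditional. `with_fileglob` yields nothing for a file that does not match, so a typo in `ssl_cert` or a missing `.key` silently produces a truncated bundle; a `stat`-based `assert` on the three source files before the concatenation would catch that at the task instead of at haproxy reload.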
@@ -0,0 +1,39 @@
+---
+- name: Copy SSL certificate
+  copy:
+    src: "ssl/{{ ssl_cert }}.pem"
+    dest: "/etc/ssl/certs/{{ ssl_cert }}.pem"
+    mode: "0644"
+  register: ssl_copy_cert
+  tags:
+    - ssl
+
+- name: Copy SSL key
+  copy:
+    src: "ssl/{{ ssl_cert }}.key"
+    dest: "/etc/ssl/private/{{ ssl_cert }}.key"
+    mode: "0600"
+  register: ssl_copy_key
+  tags:
+    - ssl
+
+- name: Copy SSL dhparam
+  copy:
+    src: "ssl/{{ ssl_cert }}.dhp"
+    dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp"
+    mode: "0644"
+  register: ssl_copy_dhp
+  tags:
+    - ssl
+
+- name: Check if Haproxy is installed
+  command: dpkg -l haproxy
+  register: haproxy_check
+  check_mode: False
+  changed_when: False
+  failed_when: False
+  tags:
+    - ssl
+
+- include: haproxy.yml
+  when: haproxy_check.rc == 0
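Review bot: `Check if Haproxy is installed` relies on the return code of `dpkg -l haproxy`, which is 0 as soon as the package is known to dpkg, including the removed-but-not-purged (`rc`) and not-installed (`un`) rows, so `haproxy.yml` can run and populate `/etc/haproxy/ssl` on a host without haproxy; `evocheck.sh` in this same change filters with `dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i'`, and the same filter belongs here, e.g. `shell: dpkg -l haproxy 2>/dev/null | grep -q -E '^(i|h)i'`. The `Copy SSL key` task sets `mode: "0600"` but nothing stops the key content from appearing in `--diff` output; `no_log: true` on that task is cheap. The three registered `ssl_copy_*` results are not used in this file and only haproxy is ever notified; if other roles are expected to consume them, a comment should say so.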