diff --git a/CHANGELOG.md b/CHANGELOG.md index bb77041b..e47f3ba1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,18 @@ The **patch** part changes incrementally at each release. ### Security +## [9.6.0] - 2018-12-04 + +### Added +* evolinux-base: deploy custom motd if template are present +* minifirewall: all variables are configurable (untouched by default) +* minifirewall: main file is configurable +* squid: minifirewall main file is configurable + +### Changed +* minifirewall: compare config before/after (for restart condition) +* squid: better replacement in minifirewall config + ## [9.5.0] - 2018-11-14 ### Added @@ -42,6 +54,7 @@ The **patch** part changes incrementally at each release. * packweb-apache: mod-security config is already included elsewhere * redis: for permissions on log and lib directories * redis: fix shell for instance users +* evoacme: fix error handling in sed_cert_path_for_(apache|nginx) ## [9.4.2] - 2018-10-12 diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index b1837992..770cd8d4 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -55,10 +55,8 @@ sed_cert_path_for_apache() { sed -i "s~${search}~${replace}~" "${vhost_full_path}" debug "Config in ${vhost_full_path} has been updated" - $(command -v apache2ctl) -t 2>&1 | grep -v "Syntax OK" - if [ "${PIPESTATUS[0]}" != "0" ]; then - error "Apache config test has exited with a non-zero exit code" - fi + $(command -v apache2ctl) -t 2>/dev/null + [ "${?}" -eq 0 ] || $(command -v apache2ctl) -t fi } sed_cert_path_for_nginx() { @@ -76,7 +74,8 @@ sed_cert_path_for_nginx() { sed -i "s~${search}~${replace}~" "${vhost_full_path}" debug "Config in ${vhost_full_path} has been updated" - $(command -v nginx) -t + $(command -v nginx) -t 2>/dev/null + [ "${?}" -eq 0 ] || $(command -v nginx) -t fi } x509_verify() { diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index fafe0a4e..ff0213a8 100644 --- a/evolinux-base/tasks/main.yml 
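Review bot: In sed_cert_path_for_apache a failing config test no longer stops the script — the two new lines only re-run `apache2ctl -t` to show its output, and the `error` call that the removed lines made on a non-zero status is gone, so unless evoacme.sh runs under `set -e` (not visible in this hunk) execution continues with the already-modified vhost in place. The nginx hunk just below has the same shape and the same gap. Running the check once and keeping its output avoids both the silent continuation and the second invocation: `output=$($(command -v apache2ctl) -t 2>&1) || error "Apache config test has exited with a non-zero exit code: ${output}"`, and the equivalent line for nginx. Both functions begin before their hunks, so I cannot see whether a caller checks their return status.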
+++ b/evolinux-base/tasks/main.yml @@ -96,6 +96,8 @@ include: log2mail.yml when: evolinux_log2mail_include +- include: motd.yml + - name: Munin include_role: name: munin diff --git a/evolinux-base/tasks/motd.yml b/evolinux-base/tasks/motd.yml new file mode 100644 index 00000000..d1171eb4 --- /dev/null +++ b/evolinux-base/tasks/motd.yml @@ -0,0 +1,17 @@ +--- +- name: Deploy custom motd + template: + src: "{{ item }}" + dest: /etc/motd + force: True + owner: root + group: root + mode: "0644" + with_first_found: + - files: + - "motd/motd.{{ inventory_hostname }}.j2" + - "motd/motd.{{ host_group }}.j2" + - "motd/motd.default.j2" + skip: True + tags: + - motd diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index a331b033..3f173962 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -1,5 +1,6 @@ --- +minifirewall_main_file: /etc/default/minifirewall minifirewall_tail_file: /etc/default/minifirewall.tail minifirewall_tail_included: False minifirewall_tail_force: True @@ -25,6 +26,17 @@ minifirewall_semipublic_ports_udp: [] minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_udp: [] +# Keep a null value to leave the setting as is +# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']" +minifirewall_dns_servers: Null +minifirewall_http_sites: Null +minifirewall_https_sites: Null +minifirewall_ftp_sites: Null +minifirewall_ssh_ok: Null +minifirewall_smtp_ok: Null +minifirewall_smtp_secure_ok: Null +minifirewall_ntp_ok: Null + minifirewall_autostart: False minifirewall_restart_if_needed: True minifirewall_restart_force: False diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index c2c81f81..bd71cb48 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml 
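Review bot: The second candidate in `with_first_found`, `motd/motd.{{ host_group }}.j2`, references `host_group`, which is not an Ansible built-in variable and is not defined anywhere in this diff; as far as I can tell, when it is undefined for a host the templated path fails with an undefined-variable error before the lookup runs, so `skip: True` never gets to fall through to `motd.default.j2`. If the variable is only set for some hosts, `"motd/motd.{{ host_group | default('') }}.j2"` keeps the fallback working. A one-line comment above the task saying where `host_group` is expected to come from would help readers of the role.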
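Review bot: The comment documenting the new knobs uses `minifirewall_ssh_ok: ['0.0.0.0/0']` as its only example, which is the one value that exposes SSH to every source address; since this comment is the sole documentation of these settings, an example such as `minifirewall_ssh_ok: ['192.0.2.0/24']` (a documentation range, constructed here) shows the format without presenting a world-open SSH rule as the reference configuration. It is also worth stating in the comment that an empty list is not the same as `Null`: with the config tasks in this commit, `[]` passes the `is not none` guard and writes `SSHOK=''`, clearing the setting rather than leaving it untouched.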
@@ -7,6 +7,11 @@ var: minifirewall_privilegied_ips verbosity: 1 +- name: Stat minifirewall config file (before) + stat: + path: "{{ minifirewall_main_file }}" + register: minifirewall_before + - name: Check if minifirewall is running shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False @@ -20,14 +25,14 @@ - name: Begin marker for IP addresses lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' - name: End marker for IP addresses lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' @@ -41,7 +46,7 @@ - name: Configure IP addresses blockinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" content: | @@ -65,21 +70,21 @@ - name: Begin marker for ports lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' - name: End marker for ports lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' - name: Configure ports blockinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" content: | 
@@ -101,20 +106,89 @@ SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' register: minifirewall_config_ports +- name: Configure DNSSERVEURS + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" + regexp: "DNSSERVEURS='.*'" + when: minifirewall_dns_servers is not none + +- name: Configure HTTPSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" + regexp: "HTTPSITES='.*'" + when: minifirewall_http_sites is not none + +- name: Configure HTTPSSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" + regexp: "HTTPSSITES='.*'" + when: minifirewall_https_sites is not none + +- name: Configure FTPSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" + regexp: "FTPSITES='.*'" + when: minifirewall_ftp_sites is not none + +- name: Configure SSHOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" + regexp: "SSHOK='.*'" + when: minifirewall_ssh_ok is not none + +- name: Configure SMTPOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" + regexp: "SMTPOK='.*'" + when: minifirewall_smtp_ok is not none + +- name: Configure SMTPSECUREOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" + regexp: "SMTPSECUREOK='.*'" + when: minifirewall_smtp_secure_ok is not none + +- name: Configure NTPOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" + regexp: "NTPOK='.*'" + when: minifirewall_ntp_ok is not none + - name: evomaintenance lineinfile: - dest: 
/etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" insertafter: "^# EvoMaintenance" with_items: "{{ evomaintenance_hosts }}" - name: remove minifirewall example rule for the evomaintenance lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' state: absent when: evomaintenance_hosts != [] +- name: Stat minifirewall config file (after) + stat: + path: "{{ minifirewall_main_file }}" + register: minifirewall_after + - name: restart minifirewall # service: # name: minifirewall @@ -126,7 +200,7 @@ when: - minifirewall_restart_if_needed - minifirewall_is_running.rc == 0 - - (minifirewall_config_ips | changed or minifirewall_config_ports | changed) + - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum - name: restart minifirewall (noop) meta: noop diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index 5efdd585..77f60c11 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -8,8 +8,8 @@ - iptables - name: init script is copied - copy: - src: minifirewall + template: + src: minifirewall.j2 dest: /etc/init.d/minifirewall force: no mode: "0700" @@ -19,7 +19,7 @@ - name: configuration is copied copy: src: minifirewall.conf - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" force: no mode: "0600" owner: root diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index 4d404136..ab382fe6 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -17,7 +17,7 @@ - name: source minifirewall.tail at the end of the main file blockinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES" block: ". {{ minifirewall_tail_file }}" insertbefore: EOF 
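Review bot: The `regexp` on the eight new lineinfile tasks (DNSSERVEURS through NTPOK) is not anchored, so a pattern like `HTTPSITES='.*'` also matches a commented-out `#HTTPSITES='…'` line if the file contains one, and lineinfile then rewrites the last matching line, which may be the comment rather than the active assignment; the squid role's `insertafter: "^#HTTPSITES="` elsewhere in this commit suggests such commented lines do exist in the managed file. Anchoring each pattern, e.g. `regexp: "^HTTPSITES='.*'"`, restricts the replacement to the live setting. A short comment on the first of these tasks explaining that the `Null` default skips the task via `is not none` would document the variable contract where it is enforced.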
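Review bot: The new restart condition `minifirewall_before.stat.checksum != minifirewall_after.stat.checksum` fails with an undefined-attribute error rather than evaluating to true when the main file did not exist at the first stat, because `stat` returns no `checksum` key for a missing file; whether that can happen depends on install.yml creating the file before config.yml runs, which is outside this diff. Guarding both sides, `- (minifirewall_before.stat.checksum | default('')) != (minifirewall_after.stat.checksum | default(''))`, makes the condition safe either way. The `restart minifirewall` task itself starts before this hunk.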
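Review bot: The init script is now rendered from `minifirewall.j2` but still deployed with `force: no`, so on a host where /etc/init.d/minifirewall already exists the templated `configfile` line is never updated; if an operator later sets `minifirewall_main_file` to another path, the config tasks edit the new file while the installed init script keeps reading /etc/default/minifirewall. I cannot tell from the diff whether keeping local edits to the init script is the intent; if it is, a comment such as `# force: no — existing init scripts are kept; minifirewall_main_file only takes effect on fresh installs` would make the limitation visible, otherwise the template needs to be re-applied when the variable changes.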
diff --git a/minifirewall/files/minifirewall b/minifirewall/templates/minifirewall.j2 similarity index 99% rename from minifirewall/files/minifirewall rename to minifirewall/templates/minifirewall.j2 index 94260a96..33b13744 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/templates/minifirewall.j2 @@ -111,7 +111,7 @@ $IPT -A LOG_ACCEPT -j ACCEPT # Configuration oldconfigfile="/etc/firewall.rc" -configfile="/etc/default/minifirewall" +configfile="{{ minifirewall_main_file }}" if test -f $oldconfigfile; then echo "$oldconfigfile is deprecated, rename to $configfile" >&2 @@ -382,4 +382,3 @@ trap - INT TERM EXIT esac exit 0 - diff --git a/squid/defaults/main.yml b/squid/defaults/main.yml index 1a6db438..2188d606 100644 --- a/squid/defaults/main.yml +++ b/squid/defaults/main.yml @@ -6,3 +6,5 @@ squid_address: "{{ ansible_default_ipv4.address }}" squid_whitelist_items: [] squid_localproxy_enable: False + +minifirewall_main_file: /etc/default/minifirewall diff --git a/squid/tasks/minifirewall.yml b/squid/tasks/minifirewall.yml index 5eea7675..44c7ada6 100644 --- a/squid/tasks/minifirewall.yml +++ b/squid/tasks/minifirewall.yml 
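Review bot: `configfile="{{ minifirewall_main_file }}"` places the variable inside a shell double-quoted string, so a value containing `"`, `$` or a backslash is interpreted by the shell instead of being used literally; the value is operator-supplied, so the consequence is a broken script rather than hostile input, but the `quote` filter removes the ambiguity: `configfile={{ minifirewall_main_file | quote }}`. The unquoted `$oldconfigfile` in the `test -f` on the following context line is pre-existing and unchanged.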
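Review bot: Defining `minifirewall_main_file` a second time in squid/defaults/main.yml lets the two roles disagree: depending on how the roles are applied, a value passed to the minifirewall role alone is not seen by squid, which would then edit /etc/default/minifirewall while the firewall reads a different file. If the path must be shared, setting it once in inventory and marking the coupling next to this default with a comment such as `# must match minifirewall_main_file in the minifirewall role` would at least make the dependency explicit.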
@@ -1,28 +1,29 @@ --- - name: Check if Minifirewall is present stat: - path: /etc/default/minifirewall + path: "{{ minifirewall_main_file }}" check_mode: no register: minifirewall_test - block: - name: HTTPSITES list is commented in minifirewall replace: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" regexp: "^(HTTPSITES='[^0-9])" replace: '#\1' notify: restart minifirewall - name: all HTTPSITES are authorized in minifirewall lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" line: "HTTPSITES='0.0.0.0/0'" + regexp: "HTTPSITES='.*'" insertafter: "^#HTTPSITES=" notify: restart minifirewall - name: add iptables rules for the proxy lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" regexp: "^#? *{{ item }}" line: "{{ item }}" insertafter: "^# Proxy" @@ -35,7 +36,7 @@ - name: remove minifirewall example rule for the proxy lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)' state: absent notify: restart minifirewall
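Review bot: The added `regexp: "HTTPSITES='.*'"` on the "all HTTPSITES are authorized" task is unanchored, so it also matches the `#HTTPSITES='…'` line that the preceding replace task has just produced; lineinfile then rewrites that commented line in place with `HTTPSITES='0.0.0.0/0'`, which discards the original value the comment-out step was keeping and makes `insertafter: "^#HTTPSITES="` unreachable. If losing the original is acceptable, the comment-out task has become redundant and could go; if not, `regexp: "^HTTPSITES='.*'"` keeps the commented copy while still preventing duplicate active lines.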