diff --git a/CHANGELOG.md b/CHANGELOG.md
index c74ef4e5..056650ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,19 @@ The **patch** part changes incrementally at each release.
### Security
+## [9.2.0] - 2018-05-16
+
+### Changed
+* filebeat: install version 6.x by default
+* filebeat: cleanup unused code
+* squid: add some domaine and fix broken restrictions
+* elasticsearch: defaults to version 6.x
+
+### Fixed
+* evolinux-users: secondary groups are comma-separated
+* ntpd: fix configuration (server and ACL)
+* varnish: don't fork the process on startup with systemd
+
## [9.1.9] - 2018-04-24
### Added
diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml
index 02dd0d5a..8b5dd20e 100644
--- a/elasticsearch/defaults/main.yml
+++ b/elasticsearch/defaults/main.yml
@@ -1,5 +1,5 @@ ---
-elastic_stack_version: "5.x"
+elastic_stack_version: "6.x"
elasticsearch_cluster_name: Null
elasticsearch_node_name: "${HOSTNAME}"
diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml
index 323ef8ae..225add01 100644
--- a/evolinux-base/tasks/ssh.yml
+++ b/evolinux-base/tasks/ssh.yml
@@ -13,7 +13,7 @@
# We want to allow any user from a list of IP addresses to login with password,
# but users of the "evolix" group can't login with password from other IP addresses
-- name: Security directives for Evolinux (Debian 10 or later)"
+- name: "Security directives for Evolinux (Debian 10 or later)"
blockinfile:
dest: /etc/ssh/sshd_config
block: |
diff --git a/evolinux-users/README.md b/evolinux-users/README.md
index 439bd898..c0f6e9ef 100644
--- a/evolinux-users/README.md
+++ b/evolinux-users/README.md
@@ -31,3 +31,8 @@ evolinux_users:
- 'ssh-rsa QWERTYUIOP'
- 'ssh-ed25519 QWERTYUIOP'
```
+
+* `evolinux_sudo_group`: which group to use for sudo (default: `evolinux-sudo`)
+* `evolinux_ssh_group`: which group to use for ssh (default: `evolinux-ssh`)
+* `evolinux_internal_group`: which group to use for all created users (eg. the company name)
+* `evolinux_root_disable_ssh`: disable root's ssh access (default: `True`)
diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml
index fe97185c..8ff94551 100644
--- a/evolinux-users/defaults/main.yml
+++ b/evolinux-users/defaults/main.yml
@@ -3,5 +3,6 @@ evolinux_users: {}
evolinux_sudo_group: "evolinux-sudo"
evolinux_ssh_group: "evolinux-ssh"
+evolinux_internal_group: ""
evolinux_root_disable_ssh: True
diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml
index 21cb97b3..bd480cfb 100644
--- a/evolinux-users/tasks/user.yml
+++ b/evolinux-users/tasks/user.yml
@@ -43,6 +43,8 @@
# Unix groups
+## Group for SSH authorizations
+
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
group:
name: "{{ evolinux_ssh_group }}"
@@ -56,20 +58,49 @@
append: yes
when: ansible_distribution_major_version | version_compare('10', '>=')
+## Optional group for all evolinux users
+
+- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
+ group:
+ name: "{{ evolinux_internal_group }}"
+ state: present
+ when:
+ - evolinux_internal_group is defined
+ - evolinux_internal_group != ""
+ - ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
+ user:
+ name: '{{ user.name }}'
+ groups: "{{ evolinux_internal_group }}"
+ append: yes
+ when:
+ - evolinux_internal_group is defined
+ - evolinux_internal_group != ""
+ - ansible_distribution_major_version | version_compare('9', '>=')
+
+## Optional secondary groups, defined per user
+
- name: "Secondary Unix groups are present"
group:
name: "{{ group }}"
with_items: "{{ user.groups }}"
loop_control:
loop_var: group
- when: user.groups is defined
+ when:
+ - user.groups is defined
+ - user.groups != []
- name: "Unix user '{{ user.name }}' belongs to secondary groups"
user:
name: '{{ user.name }}'
- groups: "{{ user.groups }}"
+ groups: "{{ user.groups | join(',') }}"
append: yes
- when: user.groups is defined
+ when:
+ - user.groups is defined
+ - user.groups != []
+
+# Permissions on home directory
- name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
file:
@@ -86,7 +117,7 @@
check_mode: no
register: grep_profile_evomaintenance
-# Don't add the trap if it is present or commented
+## Don't add the trap if it is present or commented
- name: "User '{{ user.name }}' has its shell trap for evomaintenance"
lineinfile:
state: present
diff --git a/evolinux-users/templates/sudoers_jessie.j2 b/evolinux-users/templates/sudoers_jessie.j2
index ff50f482..391ae898 100644
--- a/evolinux-users/templates/sudoers_jessie.j2
+++ b/evolinux-users/templates/sudoers_jessie.j2
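Review bot: The new `user.groups != []` guards on the two secondary-group tasks do not cover a user entry whose `groups:` key is present but has no value (YAML null): `is defined` holds, `!= []` holds, and `with_items` / `join(',')` then receive a null rather than a list, which Ansible will most likely reject at run time. A single condition such as `when: user.groups | default([], true) | length > 0` on both tasks covers the missing, null and empty cases at once. In the two `evolinux_internal_group` tasks the `is defined` condition is redundant now that `evolinux_internal_group: ""` is set in defaults/main.yml in this same commit, and the `version_compare('9', '>=')` gate has no stated reason — a comment above the first of them saying why Debian 8 is excluded would help the next maintainer. The "Home directory" task at the end of the hunk continues outside it.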
@@ -4,7 +4,7 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
User_Alias ADMINS = {{ user.name }}
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
-nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_minifirewall
+nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
ADMINS ALL = (ALL:ALL) ALL
diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2
index 82d9bc97..9a9ea7ed 100644
--- a/evolinux-users/templates/sudoers_stretch.j2
+++ b/evolinux-users/templates/sudoers_stretch.j2
@@ -3,7 +3,7 @@ Defaults umask=0077
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
-nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_minifirewall
+nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
diff --git a/filebeat/defaults/main.yml b/filebeat/defaults/main.yml
index 89b6e753..75c8ae0f 100644
--- a/filebeat/defaults/main.yml
+++ b/filebeat/defaults/main.yml
@@ -1,5 +1,4 @@ ---
-elastic_stack_version: "5.x"
+elastic_stack_version: "6.x"
-filebeat_kibana_dashboards: False
filebeat_logstash_plugin: False
diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml
index 89c0f7ab..eebbd8ee 100644
--- a/filebeat/tasks/main.yml
+++ b/filebeat/tasks/main.yml
@@ -40,10 +40,6 @@
name: filebeat
enabled: yes
-# - name: Kibana dashboards are imported
-# command: /usr/share/filebeat/scripts/import_dashboards
-# when: filebeat_kibana_dashboards
-
- name: is logstash-plugin available?
stat:
path: /usr/share/logstash/bin/logstash-plugin
diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml
index 5b86419e..221a829c 100644
--- a/ntpd/defaults/main.yml
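Review bot: The retargeted NOPASSWD rule now lets nagios run `/usr/local/lib/nagios/plugins/check_minifirewall` as root, a path outside the package-managed plugin directory, and nothing in this commit shows that file or its parent directories being deployed root-owned and non-writable by group/other; for a passwordless root rule that ownership is the whole security boundary, so whichever task installs the script should enforce it before the rule is granted. The same line is changed in sudoers_stretch.j2 in the next hunk. A comment above the rule in both templates would record the precondition, e.g. `# check_minifirewall lives outside /usr/lib: file and /usr/local/lib/nagios must stay root-owned, mode 0755`.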
+++ b/ntpd/defaults/main.yml
@@ -1,9 +1,8 @@ ---
ntpd_servers:
-- 'ntp.evolix.net'
+- 'ntp.evolix.net iburst'
ntpd_acls:
+- '-4 default kod notrap nomodify nopeer noquery'
+- '-6 default kod notrap nomodify nopeer noquery'
- '127.0.0.1'
- '::1'
-- '-4 default ignore'
-- '-6 default ignore'
-
diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf
index 125eda7d..e4dc240d 100644
--- a/squid/files/evolinux-whitelist-defaults.conf
+++ b/squid/files/evolinux-whitelist-defaults.conf
@@ -5,9 +5,9 @@
^backports\.debian\.org$
^www\.kernel\.org$
^hwraid\.le-vert\.net$
-^.*clamav\.net$
+^.*\.clamav\.net$
^spamassassin\.apache\.org$
-^.*sa-update.*$
+^.*\.sa-update.*$
^pear\.php\.net$
^repo\.mysql\.com$
@@ -18,12 +18,15 @@
^ocsp\.usertrust\.com$
### CMS / Wordpress / Drupal / ...
+
# Wordpress
-^.*akismet\.com$
-^.*wordpress\.(org|com)$
-^.*gravatar\.com$
+^.*\.akismet\.com$
+^.*\.wordpress\.(org|com)$
+^.*\.gravatar\.com$
^www\.wordpress-fr\.net$
^pixel\.wp\.com$
+^wp-updates\.com$
+
# Wordpress pingback
^rpc\.pingomatic\.com$
^blo\.gs$
@@ -53,12 +56,13 @@
^geourl\.org$
^ipings\.com$
^www\.weblogalot\.com$
+
# Wordpress plugins
-^.*wpml\.org$
+^.*\.wpml\.org$
^www\.wpcube\.co\.uk$
-^.*wp-rocket\.me$
+^.*\.wp-rocket\.me$
^www\.yithemes\.com$
-^.*yoast\.com$
+^.*\.yoast\.com$
^yarpp\.org$
^repository\.kreaturamedia\.com$
^api\.wp-events-plugin\.com$
@@ -69,21 +73,27 @@
^vimeo\.com$
^api\.genesistheme\.com$
^www\.bolderelements\.net$
+^wpbakery\.com$
+^backwpup\.com$
+
# Magento Plugins
^extensions\.activo\.com$
^amasty\.com$
+
# Joomla
-^.*.joomla\.org$
+^.*\.joomla\.org$
^getk2\.org$
^miwisoft\.com$
^mijosoft\.com$
^www\.joomlaworks\.net$
^cdn\.joomlaworks\.org$
^download\.regularlabs\.com$
+
# Prestashop
-^.*.prestashop\.com$
+^.*\.prestashop\.com$
^www\.presta-module\.com$
^www\.presteamshop\.com$
+
# Others
^.*.drupal\.org$
^.*\.dotclear\.(net|org)$
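Review bot: The new restrict set changes what the daemon exposes, not only what it repairs: `-4/-6 default ignore` dropped every packet from non-local addresses (including replies from the configured server, which is presumably the breakage being fixed), whereas `kod notrap nomodify nopeer noquery` answers time requests from any address and only refuses ntpq/ntpdc queries, runtime reconfiguration and peering. That is the usual Debian default, but on hosts that are not meant to serve time to others it should be paired with an inbound filter on UDP/123 or a narrower restrict list, and the defaults file should state which is intended, e.g. `# default: answer time requests from anyone; refuse queries, modification and peering`. Appending `iburst` to the `ntpd_servers` entry also means an inventory that overrides that list with bare hostnames silently loses the option; if the template emits each entry verbatim on a `server` line (not visible here), a comment such as `# each entry is passed as-is to a "server" line; add options like iburst here` would make that explicit.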
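Review bot: `^.*.drupal\.org$` in the `# Others` context at the end of the `@@ -69,21 +73,27 @@` hunk still has the unescaped dot that this commit fixes for joomla and prestashop a few lines above, so any hostname whose tail is one arbitrary character followed by `drupal.org` (e.g. `xdrupal.org`) still passes; it should become `^.*\.drupal\.org$`. In the `@@ -5,9 +5,9 @@` hunk, `^.*\.sa-update.*$` keeps an unanchored tail, which makes it "any hostname containing `.sa-update`" rather than a set of mirror hosts; if the intended mirrors are known, list them, otherwise at least anchor the suffix.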
@@ -92,7 +102,9 @@
^www\.spip\.net$
### Feeds / API / WS Tools / ...
+
# Google
+
^.*\.googleapis\.com$
^.*\.google-analytics\.com$
^blogsearch\.google\.(com|fr)$
@@ -100,16 +112,19 @@
^maps\.google\..*$
^translate\.google\.com$
^www\.google\.com$
+
# Facebook
^.*\.facebook\.com$
^.*\.fbcdn\.net$
+
# Maxmind
^geolite\.maxmind\.com$
+
# Others
-#^.*amazon.com$
-^.*twitter\.com$
-^.*feedburner\.com$
-^.*openx\.(org|com|net)$
+#^.*\.amazon.com$
+^.*\.twitter\.com$
+^.*\.feedburner\.com$
+^.*\.openx\.(org|com|net)$
^geoip-api\.meteor\.com$
^www\.bing\.com$
^www\.telize\.com$
@@ -125,3 +140,5 @@
^jenkins\.mirror\.isppower\.de$
^ftp\.icm\.edu\.pl$
^apt\.newrelic\.com$
+^.*\.cloudfront\.net$
+^api\.mailjet\.com$
diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf
index 5c22f4a7..bd3f33e0 100644
--- a/squid/files/whitelist-evolinux.conf
+++ b/squid/files/whitelist-evolinux.conf
@@ -1,13 +1,13 @@
### Evolix & System
-http://.*evolix.(net|org|com|fr)/.*
-http://.*debian.org/.*
+http://.*.evolix.(net|org|com|fr)/.*
+http://.*.debian.org/.*
http://www.backports.org/.*
http://backports.debian.org/.*
http://www.kernel.org/.*
http://hwraid.le-vert.net/.*
-http://.*clamav.net/.*
+http://.*.clamav.net/.*
http://spamassassin.apache.org/.*
-http://.*sa-update.*
+http://.*.sa-update.*
http://pear.php.net/.*
http://repo.mysql.com/.*
@@ -18,12 +18,15 @@ http://.*.letsencrypt.org/.*
http://ocsp.usertrust.com/.*
### CMS / Wordpress / Drupal / ...
+
# Wordpress
-http://.*akismet.com/.*
-http://.*wordpress.(org|com)/.*
-http://.*gravatar.com/.*
+http://.*.akismet.com/.*
+http://.*.wordpress.(org|com)/.*
+http://.*.gravatar.com/.*
http://www.wordpress-fr.net/.*
http://pixel.wp.com/.*
+http://wp-updates.com/.*
+
# Wordpress pingback
http://rpc.pingomatic.com/.*
http://blo.gs/ping.php
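Review bot: `^.*\.cloudfront\.net$` in the `@@ -125,3 +140,5 @@` hunk admits every CloudFront distribution, and since anyone can create a distribution under that domain, the entry turns an allow-list of known vendors into an open egress path through the proxy; the hostnames of the specific distributions actually needed should be listed instead. The same entry is added to whitelist-evolinux.conf in a later hunk as `http://.*.cloudfront.net/.*`. If the wildcard is unavoidable, a comment next to it naming the consumer that needs it would at least keep the exception reviewable.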
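Review bot: In whitelist-evolinux.conf the dots are not escaped, so the `.` inserted before `evolix`, `debian`, `clamav` and `sa-update` matches any single character rather than a label boundary — `http://.*.debian.org/.*` still matches `http://xdebian.org/` — and the `\.` tightening that evolinux-whitelist-defaults.conf receives in this commit is not applied here; the new lines should read `http://.*\.evolix\.(net|org|com|fr)/.*`, `http://.*\.debian\.org/.*` and so on, and the same holds for every `.*.` entry added in the later hunks of this file. The leading `.*` is also not confined to the host part, so it spans a `/` and lets an unrelated host precede the allowed name in the path (e.g. `http://other.example/x.debian.org/`), and no line carries a `^` anchor; if this file feeds a `url_regex` ACL (not visible here), each pattern should start with `^` and the host part should be matched with a character class that excludes `/`.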
@@ -53,12 +56,13 @@ http://www.pingmyblog.com/.*
http://geourl.org/ping
http://ipings.com/.*
http://www.weblogalot.com/ping
+
# Wordpress plugins
-http://.*wpml.org/.*
+http://.*.wpml.org/.*
http://www.wpcube.co.uk/.*
-http://.*wp-rocket.me/.*
+http://.*.wp-rocket.me/.*
http://www.yithemes.com/.*
-http://.*yoast.com/.*
+http://.*.yoast.com/.*
http://yarpp.org/.*
http://repository.kreaturamedia.com/.*
http://api.wp-events-plugin.com/.*
@@ -66,12 +70,16 @@ http://updates.themepunch.com/.*
http://themeisle.com/.*
http://download.advancedcustomfields.com/.*
http://wpcdn.io/.*
-http://vimeo.com/channels/wpetourisme/videos/rss
+http://vimeo.com/.*
http://api.genesistheme.com/update-themes/
http://www.bolderelements.net/updates/.*
+
# Magento Plugins
http://extensions.activo.com/.*
http://amasty.com/.*
+http://backwpup.com/.*
+http://wpbakery.com/.*
+
# Joomla
http://.*.joomla.org/.*
http://getk2.org/.*
@@ -80,10 +88,12 @@ http://mijosoft.com/.*
http://www.joomlaworks.net/.*
http://cdn.joomlaworks.org/.*
http://download.regularlabs.com/.*
+
# Prestashop
http://.*.prestashop.com/.*
http://www.presta-module.com/.*
http://www.presteamshop.com/.*
+
# Others
http://.*.drupal.org/.*
http://.*.dotclear.(net|org)/.*
@@ -92,6 +102,7 @@ http://www.typolight.org/.*
http://www.spip.net/.*
### Feeds / API / WS Tools / ...
+
# Google
http://.*.googleapis.com/.*
http://.*.google-analytics.com/.*
@@ -100,21 +111,24 @@ http://csi.gstatic.com/.*
http://maps.google.*/.*
http://translate.google.com/.*
http://www.google.com/webmasters/tools/.*
+
# Facebook
http://.*.facebook.com/.*
http://.*.fbcdn.net/.*
+
# Maxmind
http://geolite.maxmind.com/.*
+
# Others
-http://.*amazon.com/.*
-http://.*twitter.com/.*
-http://.*feedburner.com/.*
-http://.*openx.(org|com|net)/.*
+#http://.*.amazon.com/.*
+http://.*.twitter.com/.*
+http://.*.feedburner.com/.*
+http://.*.openx.(org|com|net)/.*
http://geoip-api.meteor.com/.*
http://www.bing.com/.*
http://www.telize.com/.*
-http://.*ident.me/.*
-http://.*icanhazip.com/.*
+http://.*.ident.me/.*
+http://.*.icanhazip.com/.*
http://www.express-mailing.com/.*
http://bot.whatismyipaddress.com/.*
http://ipecho.net/.*
@@ -125,3 +139,5 @@ http://mirrors.jenkins.io/.*
http://jenkins.mirror.isppower.de/.*
http://ftp.icm.edu.pl/.*
http://apt.newrelic.com/.*
+http://.*.cloudfront.net/.*
+http://api.mailjet.com/.*
diff --git a/varnish/templates/varnish.conf.j2 b/varnish/templates/varnish.conf.j2
index a60462e2..257da952 100644
--- a/varnish/templates/varnish.conf.j2
+++ b/varnish/templates/varnish.conf.j2
@@ -2,6 +2,6 @@
[Service]
ExecStart=
-ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
+ExecStart=/usr/sbin/varnishd -F -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
ExecReload=
ExecReload=/etc/varnish/reload-vcl.sh
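Review bot: `-F` keeps varnishd in the foreground, which is only correct when the effective unit type is `simple` (or `exec`); this drop-in resets `ExecStart=` but does not set `Type=`, so it inherits whatever the packaged varnish.service declares (not visible here), and under `Type=forking` systemd would wait for a daemonisation that never happens and eventually kill the service. Adding `Type=simple` to the `[Service]` section of this drop-in pins that contract, or, if the packaged unit is known to already be `Type=simple`, a comment above `ExecStart=` saying so and why `-F` is required would do. The `[Unit]` part of the file lies outside the hunk.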