Merge branch 'unstable' into stable

CHANGELOG.md

@@ -18,6 +18,19 @@ The **patch** part changes incrementally at each release.
 
 ### Security
 
+## [9.2.0] - 2018-05-16
+
+### Changed
+* filebeat: install version 6.x by default
+* filebeat: cleanup unused code
+* squid: add some domaine and fix broken restrictions
+* elasticsearch: defaults to version 6.x
+
+### Fixed
+* evolinux-users: secondary groups are comma-separated
+* ntpd: fix configuration (server and ACL)
+* varnish: don't fork the process on startup with systemd
+
 ## [9.1.9] - 2018-04-24
 
 ### Added

elasticsearch/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "5.x"
+elastic_stack_version: "6.x"
 
 elasticsearch_cluster_name: Null
 elasticsearch_node_name: "${HOSTNAME}"

evolinux-base/tasks/ssh.yml

@@ -13,7 +13,7 @@
 # We want to allow any user from a list of IP addresses to login with password,
 # but users of the "evolix" group can't login with password from other IP addresses
 
-- name: Security directives for Evolinux (Debian 10 or later)"
+- name: "Security directives for Evolinux (Debian 10 or later)"
   blockinfile:
     dest: /etc/ssh/sshd_config
     block: |

evolinux-users/README.md

@@ -31,3 +31,8 @@ evolinux_users:
       - 'ssh-rsa QWERTYUIOP'
       - 'ssh-ed25519 QWERTYUIOP'
 ```
+
+* `evolinux_sudo_group`: which group to use for sudo (default: `evolinux-sudo`)
+* `evolinux_ssh_group`: which group to use for ssh (default: `evolinux-ssh`)
+* `evolinux_internal_group`: which group to use for all created users (eg. the company name)
+* `evolinux_root_disable_ssh`: disable root's ssh access (default: `True`)

evolinux-users/defaults/main.yml

@@ -3,5 +3,6 @@ evolinux_users: {}
 
 evolinux_sudo_group: "evolinux-sudo"
 evolinux_ssh_group: "evolinux-ssh"
+evolinux_internal_group: ""
 
 evolinux_root_disable_ssh: True

evolinux-users/tasks/user.yml

@@ -43,6 +43,8 @@
 
 # Unix groups
 
+## Group for SSH authorizations
+
 - name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
   group:
     name: "{{ evolinux_ssh_group }}"
@@ -56,20 +58,49 @@
     append: yes
   when: ansible_distribution_major_version | version_compare('10', '>=')
 
+## Optional group for all evolinux users
+
+- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
+  group:
+    name: "{{ evolinux_internal_group }}"
+    state: present
+  when:
+    - evolinux_internal_group is defined
+    - evolinux_internal_group != ""
+    - ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
+  user:
+    name: '{{ user.name }}'
+    groups: "{{ evolinux_internal_group }}"
+    append: yes
+  when:
+    - evolinux_internal_group is defined
+    - evolinux_internal_group != ""
+    - ansible_distribution_major_version | version_compare('9', '>=')
+
+## Optional secondary groups, defined per user
+
 - name: "Secondary Unix groups are present"
   group:
     name: "{{ group }}"
   with_items: "{{ user.groups }}"
   loop_control:
     loop_var: group
-  when: user.groups is defined
+  when:
+    - user.groups is defined
+    - user.groups != []
 
 - name: "Unix user '{{ user.name }}' belongs to secondary groups"
   user:
     name: '{{ user.name }}'
-    groups: "{{ user.groups }}"
+    groups: "{{ user.groups | join(',') }}"
     append: yes
-  when: user.groups is defined
+  when:
+    - user.groups is defined
+    - user.groups != []
+
+# Permissions on home directory
 
 - name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
   file:
@@ -86,7 +117,7 @@
   check_mode: no
   register: grep_profile_evomaintenance
 
-# Don't add the trap if it is present or commented
+## Don't add the trap if it is present or commented
 - name: "User '{{ user.name }}' has its shell trap for evomaintenance"
   lineinfile:
     state: present

evolinux-users/templates/sudoers_jessie.j2

@@ -4,7 +4,7 @@ Cmnd_Alias      MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
 User_Alias      ADMINS = {{ user.name }}
 
 nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
-nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_minifirewall
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
 nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
 
 ADMINS          ALL = (ALL:ALL) ALL

evolinux-users/templates/sudoers_stretch.j2

@@ -3,7 +3,7 @@ Defaults        umask=0077
 Cmnd_Alias      MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
 
 nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
-nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_minifirewall
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
 nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
 
 %{{ evolinux_sudo_group }}  ALL=(ALL:ALL) ALL

filebeat/defaults/main.yml

@@ -1,5 +1,4 @@
 ---
-elastic_stack_version: "5.x"
+elastic_stack_version: "6.x"
 
-filebeat_kibana_dashboards: False
 filebeat_logstash_plugin: False

filebeat/tasks/main.yml

@@ -40,10 +40,6 @@
     name: filebeat
     enabled: yes
 
-# - name: Kibana dashboards are imported
-#   command: /usr/share/filebeat/scripts/import_dashboards
-#   when: filebeat_kibana_dashboards
-
 - name: is logstash-plugin available?
   stat:
     path: /usr/share/logstash/bin/logstash-plugin

ntpd/defaults/main.yml

@@ -1,9 +1,8 @@
 ---
 ntpd_servers:
-- 'ntp.evolix.net'
+- 'ntp.evolix.net iburst'
 ntpd_acls:
+- '-4 default kod notrap nomodify nopeer noquery'
+- '-6 default kod notrap nomodify nopeer noquery'
 - '127.0.0.1'
 - '::1'
-- '-4 default ignore'
-- '-6 default ignore'
-

squid/files/evolinux-whitelist-defaults.conf

@@ -5,9 +5,9 @@
 ^backports\.debian\.org$
 ^www\.kernel\.org$
 ^hwraid\.le-vert\.net$
-^.*clamav\.net$
+^.*\.clamav\.net$
 ^spamassassin\.apache\.org$
-^.*sa-update.*$
+^.*\.sa-update.*$
 ^pear\.php\.net$
 ^repo\.mysql\.com$
 
@@ -18,12 +18,15 @@
 ^ocsp\.usertrust\.com$
 
 ### CMS / Wordpress / Drupal / ...
+
 # Wordpress
-^.*akismet\.com$
+^.*\.akismet\.com$
-^.*wordpress\.(org|com)$
+^.*\.wordpress\.(org|com)$
-^.*gravatar\.com$
+^.*\.gravatar\.com$
 ^www\.wordpress-fr\.net$
 ^pixel\.wp\.com$
+^wp-updates\.com$
+
 # Wordpress pingback
 ^rpc\.pingomatic\.com$
 ^blo\.gs$
@@ -53,12 +56,13 @@
 ^geourl\.org$
 ^ipings\.com$
 ^www\.weblogalot\.com$
+
 # Wordpress plugins
-^.*wpml\.org$
+^.*\.wpml\.org$
 ^www\.wpcube\.co\.uk$
-^.*wp-rocket\.me$
+^.*\.wp-rocket\.me$
 ^www\.yithemes\.com$
-^.*yoast\.com$
+^.*\.yoast\.com$
 ^yarpp\.org$
 ^repository\.kreaturamedia\.com$
 ^api\.wp-events-plugin\.com$
@@ -69,21 +73,27 @@
 ^vimeo\.com$
 ^api\.genesistheme\.com$
 ^www\.bolderelements\.net$
+^wpbakery\.com$
+^backwpup\.com$
+
 # Magento Plugins
 ^extensions\.activo\.com$
 ^amasty\.com$
+
 # Joomla
-^.*.joomla\.org$
+^.*\.joomla\.org$
 ^getk2\.org$
 ^miwisoft\.com$
 ^mijosoft\.com$
 ^www\.joomlaworks\.net$
 ^cdn\.joomlaworks\.org$
 ^download\.regularlabs\.com$
+
 # Prestashop
-^.*.prestashop\.com$
+^.*\.prestashop\.com$
 ^www\.presta-module\.com$
 ^www\.presteamshop\.com$
+
 # Others
 ^.*.drupal\.org$
 ^.*\.dotclear\.(net|org)$
@@ -92,7 +102,9 @@
 ^www\.spip\.net$
 
 ### Feeds / API / WS Tools / ...
+
 # Google
+
 ^.*\.googleapis\.com$
 ^.*\.google-analytics\.com$
 ^blogsearch\.google\.(com|fr)$
@@ -100,16 +112,19 @@
 ^maps\.google\..*$
 ^translate\.google\.com$
 ^www\.google\.com$
+
 # Facebook
 ^.*\.facebook\.com$
 ^.*\.fbcdn\.net$
+
 # Maxmind
 ^geolite\.maxmind\.com$
+
 # Others
-#^.*amazon.com$
+#^.*\.amazon.com$
-^.*twitter\.com$
+^.*\.twitter\.com$
-^.*feedburner\.com$
+^.*\.feedburner\.com$
-^.*openx\.(org|com|net)$
+^.*\.openx\.(org|com|net)$
 ^geoip-api\.meteor\.com$
 ^www\.bing\.com$
 ^www\.telize\.com$
@@ -125,3 +140,5 @@
 ^jenkins\.mirror\.isppower\.de$
 ^ftp\.icm\.edu\.pl$
 ^apt\.newrelic\.com$
+^.*\.cloudfront\.net$
+^api\.mailjet\.com$

squid/files/whitelist-evolinux.conf

@@ -1,13 +1,13 @@
 ### Evolix & System
-http://.*evolix.(net|org|com|fr)/.*
+http://.*.evolix.(net|org|com|fr)/.*
-http://.*debian.org/.*
+http://.*.debian.org/.*
 http://www.backports.org/.*
 http://backports.debian.org/.*
 http://www.kernel.org/.*
 http://hwraid.le-vert.net/.*
-http://.*clamav.net/.*
+http://.*.clamav.net/.*
 http://spamassassin.apache.org/.*
-http://.*sa-update.*
+http://.*.sa-update.*
 http://pear.php.net/.*
 http://repo.mysql.com/.*
 
@@ -18,12 +18,15 @@ http://.*.letsencrypt.org/.*
 http://ocsp.usertrust.com/.*
 
 ### CMS / Wordpress / Drupal / ...
+
 # Wordpress
-http://.*akismet.com/.*
+http://.*.akismet.com/.*
-http://.*wordpress.(org|com)/.*
+http://.*.wordpress.(org|com)/.*
-http://.*gravatar.com/.*
+http://.*.gravatar.com/.*
 http://www.wordpress-fr.net/.*
 http://pixel.wp.com/.*
+http://wp-updates.com/.*
+
 # Wordpress pingback
 http://rpc.pingomatic.com/.*
 http://blo.gs/ping.php
@@ -53,12 +56,13 @@ http://www.pingmyblog.com/.*
 http://geourl.org/ping
 http://ipings.com/.*
 http://www.weblogalot.com/ping
+
 # Wordpress plugins
-http://.*wpml.org/.*
+http://.*.wpml.org/.*
 http://www.wpcube.co.uk/.*
-http://.*wp-rocket.me/.*
+http://.*.wp-rocket.me/.*
 http://www.yithemes.com/.*
-http://.*yoast.com/.*
+http://.*.yoast.com/.*
 http://yarpp.org/.*
 http://repository.kreaturamedia.com/.*
 http://api.wp-events-plugin.com/.*
@@ -66,12 +70,16 @@ http://updates.themepunch.com/.*
 http://themeisle.com/.*
 http://download.advancedcustomfields.com/.*
 http://wpcdn.io/.*
-http://vimeo.com/channels/wpetourisme/videos/rss
+http://vimeo.com/.*
 http://api.genesistheme.com/update-themes/
 http://www.bolderelements.net/updates/.*
+
 # Magento Plugins
 http://extensions.activo.com/.*
 http://amasty.com/.*
+http://backwpup.com/.*
+http://wpbakery.com/.*
+
 # Joomla
 http://.*.joomla.org/.*
 http://getk2.org/.*
@@ -80,10 +88,12 @@ http://mijosoft.com/.*
 http://www.joomlaworks.net/.*
 http://cdn.joomlaworks.org/.*
 http://download.regularlabs.com/.*
+
 # Prestashop
 http://.*.prestashop.com/.*
 http://www.presta-module.com/.*
 http://www.presteamshop.com/.*
+
 # Others
 http://.*.drupal.org/.*
 http://.*.dotclear.(net|org)/.*
@@ -92,6 +102,7 @@ http://www.typolight.org/.*
 http://www.spip.net/.*
 
 ### Feeds / API / WS Tools / ...
+
 # Google
 http://.*.googleapis.com/.*
 http://.*.google-analytics.com/.*
@@ -100,21 +111,24 @@ http://csi.gstatic.com/.*
 http://maps.google.*/.*
 http://translate.google.com/.*
 http://www.google.com/webmasters/tools/.*
+
 # Facebook
 http://.*.facebook.com/.*
 http://.*.fbcdn.net/.*
+
 # Maxmind
 http://geolite.maxmind.com/.*
+
 # Others
-http://.*amazon.com/.*
+#http://.*.amazon.com/.*
-http://.*twitter.com/.*
+http://.*.twitter.com/.*
-http://.*feedburner.com/.*
+http://.*.feedburner.com/.*
-http://.*openx.(org|com|net)/.*
+http://.*.openx.(org|com|net)/.*
 http://geoip-api.meteor.com/.*
 http://www.bing.com/.*
 http://www.telize.com/.*
-http://.*ident.me/.*
+http://.*.ident.me/.*
-http://.*icanhazip.com/.*
+http://.*.icanhazip.com/.*
 http://www.express-mailing.com/.*
 http://bot.whatismyipaddress.com/.*
 http://ipecho.net/.*
@@ -125,3 +139,5 @@ http://mirrors.jenkins.io/.*
 http://jenkins.mirror.isppower.de/.*
 http://ftp.icm.edu.pl/.*
 http://apt.newrelic.com/.*
+http://.*.cloudfront.net/.*
+http://api.mailjet.com/.*

varnish/templates/varnish.conf.j2

@@ -2,6 +2,6 @@
 
 [Service]
 ExecStart=
-ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
+ExecStart=/usr/sbin/varnishd -F -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
 ExecReload=
 ExecReload=/etc/varnish/reload-vcl.sh