diff --git a/CHANGELOG.md b/CHANGELOG.md index 66f33653..2429f2fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,25 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Security +## [22.07] 2022-07-06 + +### Added + +* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours) +* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional) +* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh +* openvpn: configure logrotate + +### Changed + +* openvpn: minimal rights on /etc/shellpki/ and crl.pem + +### Fixed + +* evolinux-base: Update PermitRootLogin task to work on Debian 11 +* evolinux-user: Update PermitRootLogin task to work on Debian 11 +* minifirewall: docker mode is configurable + ## [22.06.3] 2022-06-17 ### Changed diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 6f28fd5e..ee307015 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -107,6 +107,7 @@ evolinux_system_profile: True evolinux_system_dirmode_adduser: True evolinux_system_restrict_securetty: False evolinux_system_set_timeout: True +evolinux_system_timeout: 36000 evolinux_system_cron_verboselog: True evolinux_system_cron_umask: True evolinux_system_cron_random: True diff --git a/evolinux-base/tasks/dump-server-state.yml b/evolinux-base/tasks/dump-server-state.yml new file mode 100644 index 00000000..7d4a55cd --- /dev/null +++ b/evolinux-base/tasks/dump-server-state.yml @@ -0,0 +1,15 @@ +- name: dump-server-state script is present + copy: + src: "dump-server-state.sh" + dest: /usr/local/sbin/dump-server-state + force: True + owner: root + group: root + mode: "0750" + +- name: symlink backup-server-state to dump-server-state + file: + src: /usr/local/sbin/dump-server-state + dest: /usr/local/sbin/backup-server-state + state: link + force: yes 
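Review bot: The two tasks in the new evolinux-base/tasks/dump-server-state.yml spell the same boolean two ways, `force: True` on the copy and `force: yes` on the symlink; pick one spelling (ansible-lint's truthy rule wants `true`/`false`) so the file reads consistently, e.g. `force: true` on both. The copy task sets `owner`, `group` and `mode` but the symlink task sets none, which is fine for a link, though a one-line comment saying the target's permissions apply would save the next reader a check. The hunk is a straight move of the tasks out of utils.yml, so no behaviour change is implied beyond that.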
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index df50d977..3e3d6add 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -91,7 +91,7 @@ - name: disable SSH access for root replace: dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' + regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index e5363fed..5d71e827 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -77,7 +77,8 @@ - name: Setting TMOUT to disconnect inactive users lineinfile: dest: /etc/profile.d/evolinux.sh - line: "export TMOUT=36000" + line: "export TMOUT={{ evolinux_system_timeout }}" + regexp: "^export TMOUT=" create: yes state: present when: evolinux_system_set_timeout | bool diff --git a/evolinux-base/tasks/top.yml b/evolinux-base/tasks/top.yml index 64fdf6b6..367791e7 100644 --- a/evolinux-base/tasks/top.yml +++ b/evolinux-base/tasks/top.yml @@ -1,7 +1,5 @@ --- - name: Deploy top configuration file - copy: - # The config format is unredable; ATM it only add the SWAP column - src: topdefaultrc - dest: /etc/topdefaultrc - mode: "0644" + file: + path: /etc/topdefaultrc + state: absent diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 6c9e27b0..8236bd92 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml 
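Review bot: The widened regexp `^#?PermitRootLogin (yes|without-password|prohibit-password)` now rewrites the commented default that Debian 11 ships, but it only touches /etc/ssh/sshd_config itself; on Debian 11 the stock file typically begins with an `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so a drop-in that sets `PermitRootLogin yes` would still win over the replaced line (not verifiable from the hunk, worth checking on a target). The task also leaves an already-indented directive inside a `Match` block alone because of the `^` anchor, which is the right behaviour but deserves a comment such as `# only the global directive is rewritten; Match blocks and sshd_config.d drop-ins are not inspected`. The `validate: '/usr/sbin/sshd -t -f %s'` line is present here and is what makes this replace safe; keep it. The task's `when` and handler wiring are outside the hunk.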
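Review bot: In evolinux-base/tasks/system.yml the templated `line: "export TMOUT={{ evolinux_system_timeout }}"` is written verbatim into a file that every login shell sources, so a mistyped variable (a quoted string, an empty value) produces a malformed or ineffective `export` rather than a play failure; apply the `int` filter so the template rejects it: `line: "export TMOUT={{ evolinux_system_timeout | int }}"`. The added `regexp: "^export TMOUT="` is what makes the value changeable on re-runs instead of appending a second line, which is correct. Note that `export TMOUT=…` on its own is advisory, an interactive user can `unset TMOUT`; if the timeout is meant to be enforced the file would need `readonly TMOUT` after the export, which is a behaviour change to decide separately.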
@@ -3,21 +3,8 @@ - include_role: name: evolix/remount-usr -- name: dump-server-state script is present - copy: - src: "dump-server-state.sh" - dest: /usr/local/sbin/dump-server-state - force: True - owner: root - group: root - mode: "0750" - -- name: symlink backup-server-state to dump-server-state - file: - src: /usr/local/sbin/dump-server-state - dest: /usr/local/sbin/backup-server-state - state: link - force: yes +- include_tasks: + file: dump-server-state.yml - name: "/sbin/deny script is present" copy: diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index ac2fdf12..b0bf8b58 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -56,7 +56,7 @@ - name: disable root login replace: dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' + regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" notify: reload sshd when: evolinux_root_disable_ssh | bool diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index 0745f1a9..50f6bb48 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml @@ -35,3 +35,5 @@ haproxy_deny_ips: [] haproxy_backports_packages_stretch: haproxy libssl1.0.0 haproxy_backports_packages_buster: haproxy haproxy_backports_packages_bullseye: haproxy + +haproxy_allow_ip_nonlocal_bind: Null \ No newline at end of file diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index d29e3cbc..d38e83af 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml 
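Review bot: The new regexp in evolinux-users/tasks/ssh.yml, `'^#PermitRootLogin (yes|without-password|prohibit-password)'`, matches only a commented-out directive, so a host whose sshd_config already contains an active `PermitRootLogin yes` is no longer rewritten to `no`, which is the opposite of what the task name "disable root login" promises. The sibling task in evolinux-base/tasks/root.yml in this same commit uses `'^#?PermitRootLogin (yes|without-password|prohibit-password)'`; use the optional `#?` here as well so both the commented default and an explicit value are covered. This task also has no `validate:` line whereas root.yml validates with `/usr/sbin/sshd -t -f %s` before the handler reloads sshd; adding the same `validate:` keeps a bad edit from taking the daemon down. The `regexp:` key that consumes `item.regexp` is above the hunk.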
@@ -134,4 +134,17 @@ - haproxy - logrotate +- name: Set net.ipv4.ip_nonlocal_bind + sysctl: + name: net.ipv4.ip_nonlocal_bind + value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}" + sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}" + state: present + reload: yes + tags: + - haproxy + when: + - haproxy_allow_ip_nonlocal_bind is defined + - haproxy_allow_ip_nonlocal_bind is not none + - include: munin.yml diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh index 51b5c737..78acfe1c 100755 --- a/kvm-host/files/add-vm.sh +++ b/kvm-host/files/add-vm.sh @@ -219,7 +219,7 @@ ${drbdadm} -- --overwrite-data-of-peer primary "${vmName}" if ! isDryRun; then sleep 5 - drbd-overview | tail -4 + drbdadm status | tail -4 drbdDiskPath="/dev/drbd/by-res/${vmName}/0" if ! [ -b "${drbdDiskPath}" ]; then diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 1ddb9695..c11b83e8 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -70,7 +70,7 @@ # WARNING : If the port mapping is different between the host and the container # (ie: Listen on :8090 on host, but :8080 in container) # then you need to give the port used inside the container - DOCKER='off' + DOCKER='{{ minifirewall_docker }}' # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything diff --git a/nagios-nrpe/files/plugins/check_readwrite b/nagios-nrpe/files/plugins/check_readwrite new file mode 100755 index 00000000..578d9740 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_readwrite @@ -0,0 +1,20 @@ +#!/bin/sh +# +# Verify mounted filesystems are readable and writable. + +filesystems=$* + +exit_code=0 +for filesystem in $filesystems; do + if findmnt --options ro --noheadings "${filesystem}"; then + exit_code=2 + fi +done + +if [ $exit_code != 0 ]; then + echo "CRITICAL - Above filesystems aren't monted in read and write mode" +else + echo "OK - All fine" +fi + +exit "${exit_code}" 
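Review bot: The `value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"` line tests Jinja truthiness, so a variable set to the string `"false"` or `"no"` (common in inventories) is non-empty, renders `1` and enables non-local binding; coerce first: `value: "{{ haproxy_allow_ip_nonlocal_bind | bool | ternary('1','0') }}"`. The two `when` conditions only exclude undefined and `None`, which is consistent with the new `haproxy_allow_ip_nonlocal_bind: Null` default, but they do not reject non-boolean values. Also note that with `state: present` a value of `false` actively writes `net.ipv4.ip_nonlocal_bind = 0` to the shared `evolinux.conf`, so if another role on the same host needs the sysctl enabled the last writer wins; if "false" is meant to mean "leave it alone", the `when` should skip on false as well.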
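Review bot: In minifirewall/tasks/config.yml the line `DOCKER='{{ minifirewall_docker }}'` interpolates the variable straight into a shell-sourced config file, so an inventory boolean renders as `True`/`False` rather than the `on`/`off` vocabulary the previous literal `DOCKER='off'` used, and a value containing a single quote breaks the file. If minifirewall accepts `on`/`off` (I cannot confirm that from the hunk), mapping explicitly avoids both problems: `DOCKER='{{ minifirewall_docker | bool | ternary('on','off') }}'`. The default for `minifirewall_docker` is not part of this diff, so whichever form is chosen should be documented next to it.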
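Review bot: In the new nagios-nrpe/files/plugins/check_readwrite an empty argument list skips the loop entirely and the plugin prints `OK - All fine`, so an NRPE command that forgets to pass filesystems silently reports healthy; guard before the loop with `[ $# -eq 0 ] && { echo "UNKNOWN - no filesystem given"; exit 3; }`. For the same reason a path that is not mounted at all makes `findmnt` exit non-zero and is also reported OK, so the check detects read-only remounts but not a missing mount; that may be intended, but the header comment should say so. `[ $exit_code != 0 ]` is a string comparison that happens to work here; `[ "$exit_code" -ne 0 ]` is the numeric form, and "monted" in the CRITICAL message is a typo for "mounted".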
diff --git a/nginx/tasks/packages.yml b/nginx/tasks/packages.yml index f9a500c0..f2c0596f 100644 --- a/nginx/tasks/packages.yml +++ b/nginx/tasks/packages.yml @@ -16,12 +16,3 @@ tags: - nginx - packages - -- name: Service is running as configured. - service: - name: nginx - state: "{{ nginx_service_state }}" - enabled: "{{ nginx_service_enabled }}" - tags: - - nginx - - packages diff --git a/openvpn/files/logrotate_openvpn b/openvpn/files/logrotate_openvpn new file mode 100644 index 00000000..e240faf6 --- /dev/null +++ b/openvpn/files/logrotate_openvpn @@ -0,0 +1,10 @@ +/var/log/openvpn.log +{ + weekly + rotate 52 + missingok + notifempty + delaycompress + compress + copytruncate +} diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 3ace1f4c..4c2f6c5d 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -74,8 +74,8 @@ insertafter: "{{ item.insertafter }}" line: "{{ item.line }}" with_items: - - { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } - - { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' } + - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } + - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' } - name: Deploy OpenVPN server config template: @@ -149,6 +149,12 @@ value: "1" sysctl_file: "/etc/sysctl.d/openvpn.conf" +- name: Configure logrotate for OpenVPN + copy: + src: logrotate_openvpn + dest: /etc/logrotate.d/openvpn + force: no + - name: Generate a password for the management interface set_fact: management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}" diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index 18cd0156..d3238cea 100644 
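Review bot: The first hunk in openvpn/tasks/debian.yml changes both the `regexp` and the `line` of each lineinfile item to the new modes, so on a host already provisioned by an earlier run the existing `chmod 644 /etc/shellpki/crl.pem` and `chmod 755 /etc/shellpki/` lines match neither new regexp and are left in place; the new lines are inserted after the `${CACERT}` line, the old ones stay below, and whichever chmod runs last sets the final mode, most likely undoing the tightening (the target script's content is not in the diff, so this is inferred from the `insertafter` values). Match any mode so the old line is replaced rather than duplicated, e.g. `regexp: '^ chmod [0-7]+ /etc/shellpki/crl.pem$'` and `regexp: '^ chmod [0-7]+ /etc/shellpki/$'`, keeping `line` as the new values. The same two items in openvpn/tasks/openbsd.yml have the same issue. The `regexp:` and `path:` keys of the task are above the hunk.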
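Review bot: The new "Configure logrotate for OpenVPN" task copies with `force: no`, which means any later change to the role's logrotate_openvpn file never reaches a host that already has /etc/logrotate.d/openvpn; if the intent is to let admins keep local edits, say so in a comment such as `# force: no keeps a locally customised /etc/logrotate.d/openvpn; role updates to this file are not propagated`, otherwise drop `force: no`. The task also sets no `owner`, `group` or `mode`, unlike the other file deployments in this role, so the file lands with the remote user's umask; `mode: "0644"` with root ownership is what logrotate expects. The surrounding sysctl task and the management password task are outside the hunk.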
--- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -65,8 +65,8 @@ insertafter: "{{ item.insertafter }}" line: "{{ item.line }}" with_items: - - { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } - - { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' } + - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } + - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' } - name: Deploy OpenVPN server config template: diff --git a/webapps/evoadmin-web/templates/config.local.php.j2 b/webapps/evoadmin-web/templates/config.local.php.j2 index d4cd4903..335bc34b 100644 --- a/webapps/evoadmin-web/templates/config.local.php.j2 +++ b/webapps/evoadmin-web/templates/config.local.php.j2 
@@ -6,11 +6,11 @@ $localconf['debug'] = FALSE; $localconf['superadmin'] = array(); $localconf['script_path'] = '{{ evoadmin_scripts_dir }}'; $localconf['cluster'] = FALSE; -// auth (sha256 hashs) / echo -n YourPass | sha256sum -$oriconf['logins'] = array(); -//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477'; -//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303'; +// Generate password hashes : mkpasswd --method=sha-512 (cli) or with PHP's password_hash() +$localconf['logins'] = array(); +//$localconf['logins']['foo'] = '$6$X0jqa/ausLSBkj4m$dLMMcPGVxak.aDPo4V/GJLm2d8vU8/QA5LbGTuqXCdxSNYU0kRKBgDl16GAyp0GqXXZ5wwDEJKQ1npgFwiuV81'; +//$localconf['logins']['bar'] = '$6$Q6233S6mlWAF6p.j$LtzwG02YucozwqjAgSpeldh24Mnz7lBuVSbOQYbKKh9FiUx3tMVl6kJZkmrNdPqeadFXKAYXrqn.gy8KposF5.'; {% if evoadmin_multiphp_versions != [] %} $localconf['php_versions'] = array( {{ evoadmin_multiphp_versions | join(', ') | replace('php', '') }} );
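Review bot: The new comment names two hash generators that emit different formats, `mkpasswd --method=sha-512` gives the `$6$…` crypt strings shown in the examples while PHP's `password_hash()` defaults to bcrypt `$2y$…`, so the login check (not part of this hunk) has to verify with `password_verify()`, which accepts any crypt-format hash and compares in constant time, rather than recomputing a digest and comparing with `==`; if that is what the checking code does, state it here: `// Verified with password_verify(): both $6$ (crypt SHA-512) and $2y$ (bcrypt) hashes are accepted`. The examples are single-quoted, so the `$6$` and `$dLMM…` fragments are not interpolated by PHP, and nothing in them collides with Jinja2 delimiters; worth a comment for the next person who turns one into a double-quoted string. The array key moves from `$oriconf['logins']` to `$localconf['logins']`, and anything still reading `$oriconf['logins']` would now see no logins at all; that cannot be confirmed from the template alone.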