--- files/rkhunter/rkhunter.conf.j2 | 590 -------------------------------- files/rkhunter/rkhunter.sysconfig | 11 - playbooks/groups/arm-packager.yml | 4 +- playbooks/groups/arm-qa.yml | 4 +- playbooks/groups/backup-server.yml | 5 +- playbooks/groups/badges-backend.yml | 4 +- playbooks/groups/badges-web.yml | 4 +- playbooks/groups/beaker.yml | 4 +- playbooks/groups/gallery.yml | 4 +- playbooks/groups/kernel-qa.yml | 4 +- playbooks/groups/keyserver.yml | 4 +- playbooks/groups/koji-hub.yml | 4 +- playbooks/groups/mailman.yml | 4 +- playbooks/groups/mirrorlist.yml | 4 +- playbooks/groups/postgresl-server.yml | 5 +- playbooks/groups/sign.yml | 4 +- playbooks/groups/taskbot.yml | 4 +- playbooks/groups/virthost.yml | 5 +- playbooks/rkhunter_update.yml | 8 +- roles/rkhunter/files/rkhunter.conf.j2 | 590 ++++++++++++++++++++++++++++++++ roles/rkhunter/files/rkhunter.sysconfig | 11 + roles/rkhunter/tasks/main.yml | 18 + tasks/rkhunter.yml | 18 - 23 files changed, 671 insertions(+), 642 deletions(-) delete mode 100644 files/rkhunter/rkhunter.conf.j2 delete mode 100644 files/rkhunter/rkhunter.sysconfig create mode 100644 roles/rkhunter/files/rkhunter.conf.j2 create mode 100644 roles/rkhunter/files/rkhunter.sysconfig create mode 100644 roles/rkhunter/tasks/main.yml delete mode 100644 tasks/rkhunter.yml diff --git a/files/rkhunter/rkhunter.conf.j2 b/files/rkhunter/rkhunter.conf.j2 deleted file mode 100644 index 7055175..0000000 --- a/files/rkhunter/rkhunter.conf.j2 +++ /dev/null @@ -1,590 +0,0 @@ -# -# This is the configuration file for Rootkit Hunter. -# -# Please modify it to your own requirements. -# Please review the documentation before posting bug reports or questions. -# To report bugs, obtain updates, or provide patches or comments, please go to: -# http://rkhunter.sourceforge.net -# -# To ask questions about rkhunter, please use the rkhunter-users mailing list. -# Note this is a moderated list: please subscribe before posting. -# -# Lines beginning with a hash (#), and blank lines, will be ignored. -# -# Most of the following options need only be specified once. If -# they appear more than once, then the last one seen will be used. -# Some options are allowed to appear more than once, and the text -# describing the option will say if this is so. -# - -# -# If this option is set to 1, it specifies that the mirrors file, which -# is used when the '--update' and '--versioncheck' options are used, is -# to be rotated. Rotating the entries in the file allows a basic form -# of load-balancing between the mirror sites whenever the above options -# are used. -# If the option is set to 0, then the mirrors will be treated as if in -# a priority list. That is, the first mirror will always be used. The -# second mirror will only be used if the first mirror fails, then the -# third mirror will be used if the second fails and so on. -# - -ROTATE_MIRRORS=1 - -# -# If this option is set to 1, it specifies that when the '--update' -# option is used, then the mirrors file is to be checked for updates -# as well. If the current mirrors file contains any local mirrors, -# these will be prepended to the updated file. -# If this option is set to 0, the mirrors file can only be updated -# manually. This may be useful if only using local mirrors. -# -UPDATE_MIRRORS=1 - -# -# The MIRRORS_MODE option tells rkhunter which mirrors are to be -# used when the '--update' or '--versioncheck' command-line options -# are given. Possible values are: -# 0 - use any mirror (the default) -# 1 - only use local mirrors -# 2 - only use remote mirrors -# -# Local and remote mirrors can be defined in the mirrors.dat file -# by using the 'local=' and 'remote=' keywords respectively. -# -MIRRORS_MODE=0 - -# -# Email a message to this address if a warning is found when the -# system is being checked. Multiple addresses may be specified -# simply be separating them with a space. -# -MAIL-ON-WARNING="" - -# -# Specify the mail command to use if MAIL-ON-WARNING is set. -# NOTE: Double quotes are not required around the command, but -# are required around the subject line if it contains spaces. -# -MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" - -# -# Specify the temporary directory to use. -# -# NOTE: Do not use /tmp as your temporary directory. Some -# important files will be written to this directory, so be -# sure that the directory permissions are tight. -# -TMPDIR=/var/lib/rkhunter - -# -# Specify the database directory to use. -# -DBDIR=/var/lib/rkhunter/db - -# -# Specify the script directory to use. -# -SCRIPTDIR=/usr/share/rkhunter/scripts - -# -# Specify the root directory to use. -# -#ROOTDIR="" - -# -# Specify the command directories to be checked. This is a -# space-separated list of directories. -# -BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec" - -# -# Specify the language to use. This should be similar -# to the ISO 639 language code. -# -# NOTE: Please ensure that the language you specify is supported. -# For a list of supported languages use the following command: -# -# rkhunter --lang en --list languages -# -#LANGUAGE=en - -# -# Specify the log file pathname. -# -LOGFILE=/var/log/rkhunter/rkhunter.log - -# -# Set the following option to 1 if the log file is to be appended to -# whenever rkhunter is run. -# - - -# -# Set the following option to enable the rkhunter check start and finish -# times to be logged by syslog. Warning messages will also be logged. -# The value of the option must be a standard syslog facility and -# priority, separated by a dot. -# -# For example: USE_SYSLOG=authpriv.warning -# -# Setting the value to 'none', or just leaving the option commented out, -# disables the use of syslog. -# -USE_SYSLOG=authpriv.notice - -# -# Set the following option to 1 if the second colour set is to be used. -# This can be useful if your screen uses black characters on a white -# background (for example, a PC instead of a server). -# -COLOR_SET2=0 - -# -# Set the following option to 0 if rkhunter should not detect if X is -# being used. If X is detected as being used, then the second colour -# set will automatically be used. -# -AUTO_X_DETECT=1 - -# -# The following option is checked against the SSH configuration file -# 'PermitRootLogin' option. A warning will be displayed if they do not -# match. However, if a value has not been set in the SSH configuration -# file, then a value here of 'yes' or 'unset' will not cause a warning. -# This option has a default value of 'no'. -# -ALLOW_SSH_ROOT_USER=without-password - -# -# Set this option to '1' to allow the use of the SSH-1 protocol, but note -# that theoretically it is weaker, and therefore less secure, than the -# SSH-2 protocol. Do not modify this option unless you have good reasons -# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 -# authentication). If the 'Protocol' option has not been set in the SSH -# configuration file, then a value of '2' may be set here in order to -# suppress a warning message. This option has a default value of '0'. -# -ALLOW_SSH_PROT_V1=0 - -# -# This setting tells rkhunter the directory containing the SSH configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. -# -#SSH_CONFIG_DIR=/etc/ssh - -# -# These two options determine which tests are to be performed. -# The ENABLE_TESTS option can use the word 'all' to refer to all the -# available tests. The DISABLE_TESTS option can use the word 'none' to -# mean that no tests are disabled. The list of disabled tests is applied to -# the list of enabled tests. Both options are space-separated lists of test -# names. The currently available test names can be seen by using the command -# 'rkhunter --list tests'. -# -# The program defaults are to enable all tests and disable none. However, if -# either option is specified in this file, then it overrides the program -# default. The supplied rkhunter.conf file has some tests already disabled, -# and these are tests that will be used only incidentally, can be considered -# "advanced" or those that are prone to produce more than the "average" number -# of "false positives". -# -# Please read the README file for more details about enabling and disabling -# tests, the test names, and how rkhunter behaves when these options are used. -# -ENABLE_TESTS="all" -DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" - -# -# The HASH_FUNC option can be used to specify the command to use -# for the file hash value check. It can be specified as just -# the command name or the full pathname. Systems using prelinking -# are restricted to using either SHA1 or MD5 functions. To get rkhunter -# to look for the sha1(sum)/md5(sum) command, or to use the supplied -# perl scripts, simply specify this option as 'SHA1' or 'MD5' in -# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found. -# -# A value of 'NONE' (in uppercase) can be specified to indicate that -# no hash function should be used. Rootkit Hunter will detect this and -# automatically disable the file hash checks. -# -# Examples: -# For Solaris 9 : HASH_FUNC=gmd5sum -# For Solaris 10: HASH_FUNC=sha1sum -# For AIX (>5.2): HASH_FUNC="csum -hMD5" -# For NetBSD : HASH_FUNC="cksum -a sha512" -# -# NOTE: If the hash function is changed then you MUST run rkhunter with -# the '--propupd' option to rebuild the file properties database. -# -HASH_FUNC=sha1sum - -# -# The HASH_FLD_IDX option specifies which field from the HASH_FUNC -# command output contains the hash value. The fields are assumed to -# be space-separated. The default value is one, but for *BSD users -# rkhunter will, by default, use a value of 4 if the HASH_FUNC option -# has not been set. The option value must be a positive integer. -# -#HASH_FLD_IDX=4 - -# -# The PKGMGR option tells rkhunter to use the specified package manager -# to obtain the file property information. This is used when updating -# the file properties file 'rkhunter.dat', and when running the file -# properties check. For RedHat/RPM-based systems, 'RPM' can be used -# to get information from the RPM database. For Debian-based systems -# 'DPKG' can be used, and for *BSD systems 'BSD' can be used. -# No value, or a value of 'NONE', indicates that no package manager -# is to be used. The default is 'NONE'. -# -# The current package managers store the file hash values using an -# MD5 hash function. -# -# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. -# The 'RPM' package manager additionally provides values for the inode, -# file permissions, uid, gid and other values. -# -# For any file not part of a package, rkhunter will revert to using -# the HASH_FUNC hash function instead. -# -PKGMGR=RPM - -# -# Whitelist various attributes of the specified files. -# The attributes are those of the 'attributes' test. -# Specifying a file name here does not include it being -# whitelisted for the write permission test below. -# One command per line (use multiple ATTRWHITELIST lines). -# -#ATTRWHITELIST=/bin/ps - -# -# Allow the specified commands to have the 'others' -# (world) permission have the write-bit set. -# -# For example, files with permissions r-xr-xrwx -# or rwxrwxrwx. -# -# One command per line (use multiple WRITEWHITELIST lines). -# -#WRITEWHITELIST=/bin/ps - -# -# Allow the specified commands to be scripts. -# One command per line (use multiple SCRIPTWHITELIST lines). -# -#SCRIPTWHITELIST=/sbin/ifup -#SCRIPTWHITELIST=/sbin/ifdown -#SCRIPTWHITELIST=/usr/bin/groups - -# -# Allow the specified commands to have the immutable attribute set. -# One command per line (use multiple IMMUTWHITELIST lines). -# -#IMMUTWHITELIST=/sbin/ifup - -# -# Allow the specified hidden directories. -# One directory per line (use multiple ALLOWHIDDENDIR lines). -# -ALLOWHIDDENDIR=/dev/.udev -ALLOWHIDDENDIR=/dev/.mdadm -ALLOWHIDDENDIR=/dev/.systemd -ALLOWHIDDENDIR=/dev/.mount -ALLOWHIDDENDIR=/dev/.udevdb -ALLOWHIDDENDIR=/dev/.udev.tdb -ALLOWHIDDENDIR=/dev/.udev/db -ALLOWHIDDENDIR=/dev/.udev/rules.d - -# -# Allow the specified hidden files. -# One file per line (use multiple ALLOWHIDDENFILE lines). -# -ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz -ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac -ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac -ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac -ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac -ALLOWHIDDENFILE=/usr/bin/.ssh.hmac -ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac -ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac -ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz -ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz -ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac -ALLOWHIDDENFILE=/dev/.udev/queue.bin -ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum - -# -# Allow the specified processes to use deleted files. -# One process per line (use multiple ALLOWPROCDELFILE lines). -# -#ALLOWPROCDELFILE=/sbin/cardmgr -#ALLOWPROCDELFILE=/usr/sbin/gpm -#ALLOWPROCDELFILE=/usr/libexec/gconfd-2 -#ALLOWPROCDELFILE=/usr/sbin/mysqld - -# -# Allow the specified processes to listen on any network interface. -# One process per line (use multiple ALLOWPROCLISTEN lines). -# -#ALLOWPROCLISTEN=/sbin/dhclient -#ALLOWPROCLISTEN=/usr/bin/dhcpcd -#ALLOWPROCLISTEN=/usr/sbin/pppoe -#ALLOWPROCLISTEN=/usr/sbin/tcpdump -#ALLOWPROCLISTEN=/usr/sbin/snort-plain -#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant - -# -# SCAN_MODE_DEV governs how we scan /dev for suspicious files. -# The two allowed options are: THOROUGH or LAZY. -# If commented out we do a THOROUGH scan which will increase the runtime. -# Even though this adds to the running time it is highly recommended to -# leave it like this. -# -#SCAN_MODE_DEV=THOROUGH - -# -# Allow the specified files to be present in the /dev directory, -# and not regarded as suspicious. One file per line (use multiple -# ALLOWDEVFILE lines). -# -#ALLOWDEVFILE=/dev/abc -#ALLOWDEVFILE=/dev/shm/pulse-shm-* -ALLOWDEVFILE=/dev/shm/sem.slapd-FEDORAPROJECT-ORG.stats -ALLOWDEVFILE=/dev/md/md-device-map -ALLOWDEVFILE=/dev/.udev/queue.bin -ALLOWDEVFILE=/dev/.udev/db/* -ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules -ALLOWDEVFILE=/dev/.udev/uevent_seqnum -ALLOWDEVFILE=/dev/md/autorebuild.pid - -# -# This setting tells rkhunter where the inetd configuration -# file is located. -# -#INETD_CONF_PATH=/etc/inetd.conf - -# -# Allow the following enabled inetd services. -# Only one service per line (use multiple INETD_ALLOWED_SVC lines). -# -# Below are some Solaris 9 and 10 services that may want to be whitelisted. -# -#INETD_ALLOWED_SVC=echo -#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd -#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto -#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd -#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad -#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd -#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd -#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd -#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd -#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd -#INETD_ALLOWED_SVC=/usr/lib/gss/gssd -#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader -#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd -#INETD_ALLOWED_SVC=/network/rpc/mdcomm -#INETD_ALLOWED_SVC=/network/rpc/meta -#INETD_ALLOWED_SVC=/network/rpc/metamed -#INETD_ALLOWED_SVC=/network/rpc/metamh -#INETD_ALLOWED_SVC=/network/security/ktkt_warn -#INETD_ALLOWED_SVC=/application/x11/xfs -#INETD_ALLOWED_SVC=/application/print/rfc1179 -#INETD_ALLOWED_SVC=/application/font/stfsloader -#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord -#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp -#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp - -# -# This setting tells rkhunter where the xinetd configuration -# file is located. -# -#XINETD_CONF_PATH=/etc/xinetd.conf - -# -# Allow the following enabled xinetd services. Whilst it would be -# nice to use the service names themselves, at the time of testing -# we only have the pathname available. As such, these entries are -# the xinetd file pathnames. -# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines). -# -XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync -XINETD_ALLOWED_SVC=/etc/xinetd.d/cvspserver -XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp -XINETD_ALLOWED_SVC=/etc/xinetd.d/git-server -XINETD_ALLOWED_SVC=/etc/xinetd.d/git -XINETD_ALLOWED_SVC=/etc/xinetd.d/bzr-server - -# -# This setting tells rkhunter the local system startup file pathnames. -# More than one file may be present on the system, and so this option -# can be a space-separated list. This setting will be worked out by -# rkhunter, and so should not usually need to be set. -# -# If the system uses a directory of local startup scripts, then rather -# that setting all the file names here, leave this setting blank, and -# specify the directory name in SYSTEM_RC_DIR instead. -# -# If the system does not use a local startup script at all, then this -# setting can be set to 'none'. Without this, rkhunter would give a -# warning that no local startup script could be found. -# -#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit" - -# -# This setting tells rkhunter the local system startup file directory. -# This setting will be worked out by rkhunter, and so should not usually -# need to be set. -# -#SYSTEM_RC_DIR=/etc/rc.d - -# -# This setting tells rkhunter the pathname to the file containing the -# user account passwords. This setting will be worked out by rkhunter, -# and so should not usually need to be set. -# -PASSWORD_FILE=/etc/shadow - -# -# Allow the following accounts to be root equivalent. These accounts -# will have a UID value of zero. This option is a space-separated list -# of account names. The 'root' account does not need to be listed as it -# is automatically whitelisted. -# -# Note: For *BSD systems you may need to enable this for the 'toor' account. -# -#UID0_ACCOUNTS="toor rooty" - -# -# Allow the following accounts to have no password. This option is a -# space-separated list of account names. NIS/YP entries do not need to -# be listed as they are automatically whitelisted. -# -#PWDLESS_ACCOUNTS="abc" - -# -# This setting tells rkhunter the pathname to the syslog configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. -# -#SYSLOG_CONFIG_FILE=/etc/syslog.conf - -# -# This option permits the use of syslog remote logging. -# -ALLOW_SYSLOG_REMOTE_LOGGING=1 - -# -# Allow the following applications, or a specific version of an application, -# to be whitelisted. This option is a space-separated list consisting of the -# application names. If a specific version is to be whitelisted, then the -# name must be followed by a colon and then the version number. -# -# For example: APP_WHITELIST="openssl:0.9.7d gpg" -# -APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1" - -# -# Scan for suspicious files in directories containing temporary files and -# directories posing a relatively higher risk due to user write access. -# Please do not enable by default as suspscan is CPU and I/O intensive and prone to -# producing false positives. Do review all settings before usage. -# Also be aware that running suspscan in combination with verbose logging on, -# RKH's default, will show all ignored files. -# Please consider adding all directories the user the (web)server runs as has -# write access to including the document root (example: "/var/www") and log -# directories (example: "/var/log/httpd"). -# -# A space-separated list of directories to scan. -# -SUSPSCAN_DIRS="/tmp /var/tmp" - -# -# Directory for temporary files. A memory-based one is better (faster). -# Do not use a directory name that is listed in SUSPSCAN_DIRS. -# Please make sure you have a tempfs mounted and the directory exists. -# -SUSPSCAN_TEMP=/dev/shm - -# -# Maximum filesize in bytes. Files larger than this will not be inspected. -# Do make sure you have enough space left in your temporary files directory. -# -SUSPSCAN_MAXSIZE=10240000 - -# -# Score threshold. Below this value no hits will be reported. -# A value of "200" seems "good" after testing on malware. Please adjust -# locally if necessary. -# -SUSPSCAN_THRESH=200 - -# -# The following option can be used to whitelist network ports which -# are known to have been used by malware. The option is a space- -# separated list of one or more of three types of whitelisting. -# These are: -# -# 1) a 'protocol:port' pair (e.g. TCP:25) -# 2) a pathname to an executable (e.g. /usr/sbin/squid) -# 3) an asterisk ('*') -# -# Only the UDP or TCP protocol may be specified, and the port number -# must be between 1 and 65535 inclusive. -# -# The asterisk can be used to indicate that any executable in a trusted -# path directory will be whitelisted. A trusted path directory is one which -# rkhunter uses to locate commands. It is composed of the root PATH -# environment variable, and the BINDIR command-line or configuration -# file option. -# -# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" -# -#PORT_WHITELIST="" - -# -# The following option can be used to tell rkhunter where the operating -# system 'release' file is located. This file contains information -# specifying the current O/S version. RKH will store this information -# itself, and check to see if it has changed between each run. If it has -# changed, then the user is warned that RKH may issue warning messages -# until RKH has been run with the '--propupd' option. -# -# Since the contents of the file vary according to the O/S distribution, -# RKH will perform different actions when it detects the file itself. As -# such, this option should not be set unless necessary. If this option is -# specified, then RKH will assume the O/S release information is on the -# first non-blank line of the file. -# -# {{ ansible_distribution|lower }} -OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release - -# -# The following two options can be used to whitelist files and directories -# that would normally be flagged with a warning during the rootkit checks. -# If the file or directory name contains a space, then the percent character -# ('%') must be used instead. Only existing files and directories can be -# specified. -# -#RTKT_DIR_WHITELIST="" -#RTKT_FILE_WHITELIST="" - -# -# To force rkhunter to use the supplied script for the 'stat' or 'readlink' -# command, then the following two options can be used. The value must be -# set to 'BUILTIN'. -# -# NOTE: IRIX users will probably need to enable STAT_CMD. -# -#STAT_CMD=BUILTIN -#READLINK_CMD=BUILTIN - -INSTALLDIR=/usr -SCRIPTWHITELIST=/usr/bin/whatis -SCRIPTWHITELIST=/usr/bin/ldd -SCRIPTWHITELIST=/usr/bin/groups -SCRIPTWHITELIST=/usr/bin/GET -SCRIPTWHITELIST=/sbin/ifup -SCRIPTWHITELIST=/sbin/ifdown diff --git a/files/rkhunter/rkhunter.sysconfig b/files/rkhunter/rkhunter.sysconfig deleted file mode 100644 index 0c463db..0000000 --- a/files/rkhunter/rkhunter.sysconfig +++ /dev/null @@ -1,11 +0,0 @@ -# System configuration file for Rootkit Hunter which -# stores RPM system specifics for cron run, etc. -# -# MAILTO= <email address to send scan report> -# DIAG_SCAN= no - perform normal report scan -# yes - perform detailed report scan -# (includes application check) - -MAILTO=smooge@xxxxxxxxxxxxxxxxx,kevin@xxxxxxxxxxxxxxxxx -DIAG_SCAN=no - diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml index efdc0fa..e8008f9 100644 --- a/playbooks/groups/arm-packager.yml +++ b/playbooks/groups/arm-packager.yml @@ -11,6 +11,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: # this is how you include other task lists - include: $tasks/hosts.yml @@ -20,7 +23,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml handlers: diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml index af789b2..d9a745b 100644 --- a/playbooks/groups/arm-qa.yml +++ b/playbooks/groups/arm-qa.yml @@ -11,6 +11,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: # this is how you include other task lists - include: $tasks/hosts.yml @@ -20,7 +23,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml handlers: diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml index 965c8cb..8b95ebb 100644 --- a/playbooks/groups/backup-server.yml +++ b/playbooks/groups/backup-server.yml @@ -13,7 +13,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml - tasks: + roles: + - rkhunter + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml @@ -22,7 +24,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/mysql_server.yml diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml index 77514dd..73aba95 100644 --- a/playbooks/groups/badges-backend.yml +++ b/playbooks/groups/badges-backend.yml @@ -29,6 +29,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml @@ -37,7 +40,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/openvpn_client.yml diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml index c93eb85..15ae8df 100644 --- a/playbooks/groups/badges-web.yml +++ b/playbooks/groups/badges-web.yml @@ -32,6 +32,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml @@ -40,7 +43,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/openvpn_client.yml diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml index ddd2dd2..1be9e9d 100644 --- a/playbooks/groups/beaker.yml +++ b/playbooks/groups/beaker.yml @@ -28,6 +28,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: # this is how you include other task lists - include: $tasks/hosts.yml @@ -38,7 +41,6 @@ - include: $tasks/collectd/client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml index 596ce8b..a99a438 100644 --- a/playbooks/groups/gallery.yml +++ b/playbooks/groups/gallery.yml @@ -29,6 +29,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml @@ -37,7 +40,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/fedmsg_base.yml diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/groups/kernel-qa.yml index b08ebe3..4f2fdc7 100644 --- a/playbooks/groups/kernel-qa.yml +++ b/playbooks/groups/kernel-qa.yml @@ -12,6 +12,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: # this is how you include other task lists - include: $tasks/hosts.yml @@ -21,7 +24,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml index d8a4ba7..0b9e190 100644 --- a/playbooks/groups/keyserver.yml +++ b/playbooks/groups/keyserver.yml @@ -29,6 +29,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml @@ -37,7 +40,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/fedmsg_base.yml diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index 4d26766..6b9725f 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml @@ -30,6 +30,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml @@ -38,7 +41,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/collectd/client.yml diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index d85eab8..cd3af1c 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -28,6 +28,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: # this is how you include other task lists - include: $tasks/hosts.yml @@ -38,7 +41,6 @@ - include: $tasks/collectd/client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml index a6bc4d1..dbc70ed 100644 --- a/playbooks/groups/mirrorlist.yml +++ b/playbooks/groups/mirrorlist.yml @@ -38,6 +38,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: # this is how you include other task lists - include: $tasks/hosts.yml @@ -49,7 +52,6 @@ - include: $tasks/openvpn_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/apache.yml diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml index d95801d..44f9934 100644 --- a/playbooks/groups/postgresl-server.yml +++ b/playbooks/groups/postgresl-server.yml @@ -30,7 +30,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml - tasks: + roles: + - rkhunter + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml @@ -39,7 +41,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/collectd/client.yml diff --git a/playbooks/groups/sign.yml b/playbooks/groups/sign.yml index c287286..1c5c64d 100644 --- a/playbooks/groups/sign.yml +++ b/playbooks/groups/sign.yml @@ -19,9 +19,11 @@ tasks: - include: $tasks/base.yml - include: $tasks/serialgetty.yml - - include: $tasks/rkhunter.yml - include: $tasks/motd.yml - include: $tasks/sign_setup.yml + roles: + - rkhunter + handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/taskbot.yml b/playbooks/groups/taskbot.yml index 5c4e24a..47bb3a2 100644 --- a/playbooks/groups/taskbot.yml +++ b/playbooks/groups/taskbot.yml @@ -28,6 +28,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + tasks: # this is how you include other task lists - include: $tasks/hosts.yml @@ -38,7 +41,6 @@ - include: $tasks/collectd/client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml index 5d5b22c..6d22a47 100644 --- a/playbooks/groups/virthost.yml +++ b/playbooks/groups/virthost.yml @@ -12,7 +12,9 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml - tasks: + roles: + - rkhunter + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml @@ -21,7 +23,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/collectd/client.yml diff --git a/playbooks/rkhunter_update.yml b/playbooks/rkhunter_update.yml index a47d6bf..c69ea64 100644 --- a/playbooks/rkhunter_update.yml +++ b/playbooks/rkhunter_update.yml @@ -6,20 +6,20 @@ tasks: - name: expire-caches - action: command yum clean expire-cache + command: yum clean expire-cache - name: yum -y ${yumcommand} - action: command yum -y ${yumcommand} + command: yum -y ${yumcommand} async: 7200 poll: 15 - name: check for rkhunter - action: command /usr/bin/test -f /usr/bin/rkhunter + command: /usr/bin/test -f /usr/bin/rkhunter register: rkhunter ignore_errors: true - name: run rkhunter --propupd - action: command /usr/bin/rkhunter --propupd + command: /usr/bin/rkhunter --propupd when: rkhunter|success diff --git a/roles/rkhunter/files/rkhunter.conf.j2 b/roles/rkhunter/files/rkhunter.conf.j2 new file mode 100644 index 0000000..7055175 --- /dev/null +++ b/roles/rkhunter/files/rkhunter.conf.j2 @@ -0,0 +1,590 @@ +# +# This is the configuration file for Rootkit Hunter. +# +# Please modify it to your own requirements. +# Please review the documentation before posting bug reports or questions. +# To report bugs, obtain updates, or provide patches or comments, please go to: +# http://rkhunter.sourceforge.net +# +# To ask questions about rkhunter, please use the rkhunter-users mailing list. +# Note this is a moderated list: please subscribe before posting. +# +# Lines beginning with a hash (#), and blank lines, will be ignored. +# +# Most of the following options need only be specified once. If +# they appear more than once, then the last one seen will be used. +# Some options are allowed to appear more than once, and the text +# describing the option will say if this is so. +# + +# +# If this option is set to 1, it specifies that the mirrors file, which +# is used when the '--update' and '--versioncheck' options are used, is +# to be rotated. Rotating the entries in the file allows a basic form +# of load-balancing between the mirror sites whenever the above options +# are used. +# If the option is set to 0, then the mirrors will be treated as if in +# a priority list. That is, the first mirror will always be used. The +# second mirror will only be used if the first mirror fails, then the +# third mirror will be used if the second fails and so on. +# + +ROTATE_MIRRORS=1 + +# +# If this option is set to 1, it specifies that when the '--update' +# option is used, then the mirrors file is to be checked for updates +# as well. If the current mirrors file contains any local mirrors, +# these will be prepended to the updated file. +# If this option is set to 0, the mirrors file can only be updated +# manually. This may be useful if only using local mirrors. +# +UPDATE_MIRRORS=1 + +# +# The MIRRORS_MODE option tells rkhunter which mirrors are to be +# used when the '--update' or '--versioncheck' command-line options +# are given. Possible values are: +# 0 - use any mirror (the default) +# 1 - only use local mirrors +# 2 - only use remote mirrors +# +# Local and remote mirrors can be defined in the mirrors.dat file +# by using the 'local=' and 'remote=' keywords respectively. +# +MIRRORS_MODE=0 + +# +# Email a message to this address if a warning is found when the +# system is being checked. Multiple addresses may be specified +# simply be separating them with a space. +# +MAIL-ON-WARNING="" + +# +# Specify the mail command to use if MAIL-ON-WARNING is set. +# NOTE: Double quotes are not required around the command, but +# are required around the subject line if it contains spaces. +# +MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" + +# +# Specify the temporary directory to use. +# +# NOTE: Do not use /tmp as your temporary directory. Some +# important files will be written to this directory, so be +# sure that the directory permissions are tight. +# +TMPDIR=/var/lib/rkhunter + +# +# Specify the database directory to use. +# +DBDIR=/var/lib/rkhunter/db + +# +# Specify the script directory to use. +# +SCRIPTDIR=/usr/share/rkhunter/scripts + +# +# Specify the root directory to use. +# +#ROOTDIR="" + +# +# Specify the command directories to be checked. This is a +# space-separated list of directories. +# +BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec" + +# +# Specify the language to use. This should be similar +# to the ISO 639 language code. +# +# NOTE: Please ensure that the language you specify is supported. +# For a list of supported languages use the following command: +# +# rkhunter --lang en --list languages +# +#LANGUAGE=en + +# +# Specify the log file pathname. +# +LOGFILE=/var/log/rkhunter/rkhunter.log + +# +# Set the following option to 1 if the log file is to be appended to +# whenever rkhunter is run. +# + + +# +# Set the following option to enable the rkhunter check start and finish +# times to be logged by syslog. Warning messages will also be logged. +# The value of the option must be a standard syslog facility and +# priority, separated by a dot. +# +# For example: USE_SYSLOG=authpriv.warning +# +# Setting the value to 'none', or just leaving the option commented out, +# disables the use of syslog. +# +USE_SYSLOG=authpriv.notice + +# +# Set the following option to 1 if the second colour set is to be used. +# This can be useful if your screen uses black characters on a white +# background (for example, a PC instead of a server). +# +COLOR_SET2=0 + +# +# Set the following option to 0 if rkhunter should not detect if X is +# being used. If X is detected as being used, then the second colour +# set will automatically be used. +# +AUTO_X_DETECT=1 + +# +# The following option is checked against the SSH configuration file +# 'PermitRootLogin' option. A warning will be displayed if they do not +# match. However, if a value has not been set in the SSH configuration +# file, then a value here of 'yes' or 'unset' will not cause a warning. +# This option has a default value of 'no'. +# +ALLOW_SSH_ROOT_USER=without-password + +# +# Set this option to '1' to allow the use of the SSH-1 protocol, but note +# that theoretically it is weaker, and therefore less secure, than the +# SSH-2 protocol. Do not modify this option unless you have good reasons +# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 +# authentication). If the 'Protocol' option has not been set in the SSH +# configuration file, then a value of '2' may be set here in order to +# suppress a warning message. This option has a default value of '0'. +# +ALLOW_SSH_PROT_V1=0 + +# +# This setting tells rkhunter the directory containing the SSH configuration +# file. This setting will be worked out by rkhunter, and so should not +# usually need to be set. +# +#SSH_CONFIG_DIR=/etc/ssh + +# +# These two options determine which tests are to be performed. +# The ENABLE_TESTS option can use the word 'all' to refer to all the +# available tests. The DISABLE_TESTS option can use the word 'none' to +# mean that no tests are disabled. The list of disabled tests is applied to +# the list of enabled tests. Both options are space-separated lists of test +# names. The currently available test names can be seen by using the command +# 'rkhunter --list tests'. +# +# The program defaults are to enable all tests and disable none. However, if +# either option is specified in this file, then it overrides the program +# default. The supplied rkhunter.conf file has some tests already disabled, +# and these are tests that will be used only incidentally, can be considered +# "advanced" or those that are prone to produce more than the "average" number +# of "false positives". +# +# Please read the README file for more details about enabling and disabling +# tests, the test names, and how rkhunter behaves when these options are used. +# +ENABLE_TESTS="all" +DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" + +# +# The HASH_FUNC option can be used to specify the command to use +# for the file hash value check. It can be specified as just +# the command name or the full pathname. Systems using prelinking +# are restricted to using either SHA1 or MD5 functions. To get rkhunter +# to look for the sha1(sum)/md5(sum) command, or to use the supplied +# perl scripts, simply specify this option as 'SHA1' or 'MD5' in +# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found. +# +# A value of 'NONE' (in uppercase) can be specified to indicate that +# no hash function should be used. Rootkit Hunter will detect this and +# automatically disable the file hash checks. +# +# Examples: +# For Solaris 9 : HASH_FUNC=gmd5sum +# For Solaris 10: HASH_FUNC=sha1sum +# For AIX (>5.2): HASH_FUNC="csum -hMD5" +# For NetBSD : HASH_FUNC="cksum -a sha512" +# +# NOTE: If the hash function is changed then you MUST run rkhunter with +# the '--propupd' option to rebuild the file properties database. +# +HASH_FUNC=sha1sum + +# +# The HASH_FLD_IDX option specifies which field from the HASH_FUNC +# command output contains the hash value. The fields are assumed to +# be space-separated. The default value is one, but for *BSD users +# rkhunter will, by default, use a value of 4 if the HASH_FUNC option +# has not been set. The option value must be a positive integer. +# +#HASH_FLD_IDX=4 + +# +# The PKGMGR option tells rkhunter to use the specified package manager +# to obtain the file property information. This is used when updating +# the file properties file 'rkhunter.dat', and when running the file +# properties check. For RedHat/RPM-based systems, 'RPM' can be used +# to get information from the RPM database. For Debian-based systems +# 'DPKG' can be used, and for *BSD systems 'BSD' can be used. +# No value, or a value of 'NONE', indicates that no package manager +# is to be used. The default is 'NONE'. +# +# The current package managers store the file hash values using an +# MD5 hash function. +# +# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. +# The 'RPM' package manager additionally provides values for the inode, +# file permissions, uid, gid and other values. +# +# For any file not part of a package, rkhunter will revert to using +# the HASH_FUNC hash function instead. +# +PKGMGR=RPM + +# +# Whitelist various attributes of the specified files. +# The attributes are those of the 'attributes' test. +# Specifying a file name here does not include it being +# whitelisted for the write permission test below. +# One command per line (use multiple ATTRWHITELIST lines). +# +#ATTRWHITELIST=/bin/ps + +# +# Allow the specified commands to have the 'others' +# (world) permission have the write-bit set. +# +# For example, files with permissions r-xr-xrwx +# or rwxrwxrwx. +# +# One command per line (use multiple WRITEWHITELIST lines). +# +#WRITEWHITELIST=/bin/ps + +# +# Allow the specified commands to be scripts. +# One command per line (use multiple SCRIPTWHITELIST lines). +# +#SCRIPTWHITELIST=/sbin/ifup +#SCRIPTWHITELIST=/sbin/ifdown +#SCRIPTWHITELIST=/usr/bin/groups + +# +# Allow the specified commands to have the immutable attribute set. +# One command per line (use multiple IMMUTWHITELIST lines). +# +#IMMUTWHITELIST=/sbin/ifup + +# +# Allow the specified hidden directories. +# One directory per line (use multiple ALLOWHIDDENDIR lines). +# +ALLOWHIDDENDIR=/dev/.udev +ALLOWHIDDENDIR=/dev/.mdadm +ALLOWHIDDENDIR=/dev/.systemd +ALLOWHIDDENDIR=/dev/.mount +ALLOWHIDDENDIR=/dev/.udevdb +ALLOWHIDDENDIR=/dev/.udev.tdb +ALLOWHIDDENDIR=/dev/.udev/db +ALLOWHIDDENDIR=/dev/.udev/rules.d + +# +# Allow the specified hidden files. +# One file per line (use multiple ALLOWHIDDENFILE lines). +# +ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz +ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac +ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac +ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac +ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac +ALLOWHIDDENFILE=/usr/bin/.ssh.hmac +ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac +ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac +ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz +ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz +ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac +ALLOWHIDDENFILE=/dev/.udev/queue.bin +ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum + +# +# Allow the specified processes to use deleted files. +# One process per line (use multiple ALLOWPROCDELFILE lines). +# +#ALLOWPROCDELFILE=/sbin/cardmgr +#ALLOWPROCDELFILE=/usr/sbin/gpm +#ALLOWPROCDELFILE=/usr/libexec/gconfd-2 +#ALLOWPROCDELFILE=/usr/sbin/mysqld + +# +# Allow the specified processes to listen on any network interface. +# One process per line (use multiple ALLOWPROCLISTEN lines). +# +#ALLOWPROCLISTEN=/sbin/dhclient +#ALLOWPROCLISTEN=/usr/bin/dhcpcd +#ALLOWPROCLISTEN=/usr/sbin/pppoe +#ALLOWPROCLISTEN=/usr/sbin/tcpdump +#ALLOWPROCLISTEN=/usr/sbin/snort-plain +#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant + +# +# SCAN_MODE_DEV governs how we scan /dev for suspicious files. +# The two allowed options are: THOROUGH or LAZY. +# If commented out we do a THOROUGH scan which will increase the runtime. +# Even though this adds to the running time it is highly recommended to +# leave it like this. +# +#SCAN_MODE_DEV=THOROUGH + +# +# Allow the specified files to be present in the /dev directory, +# and not regarded as suspicious. One file per line (use multiple +# ALLOWDEVFILE lines). +# +#ALLOWDEVFILE=/dev/abc +#ALLOWDEVFILE=/dev/shm/pulse-shm-* +ALLOWDEVFILE=/dev/shm/sem.slapd-FEDORAPROJECT-ORG.stats +ALLOWDEVFILE=/dev/md/md-device-map +ALLOWDEVFILE=/dev/.udev/queue.bin +ALLOWDEVFILE=/dev/.udev/db/* +ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules +ALLOWDEVFILE=/dev/.udev/uevent_seqnum +ALLOWDEVFILE=/dev/md/autorebuild.pid + +# +# This setting tells rkhunter where the inetd configuration +# file is located. +# +#INETD_CONF_PATH=/etc/inetd.conf + +# +# Allow the following enabled inetd services. +# Only one service per line (use multiple INETD_ALLOWED_SVC lines). +# +# Below are some Solaris 9 and 10 services that may want to be whitelisted. +# +#INETD_ALLOWED_SVC=echo +#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd +#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto +#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd +#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad +#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd +#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd +#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd +#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd +#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd +#INETD_ALLOWED_SVC=/usr/lib/gss/gssd +#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader +#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd +#INETD_ALLOWED_SVC=/network/rpc/mdcomm +#INETD_ALLOWED_SVC=/network/rpc/meta +#INETD_ALLOWED_SVC=/network/rpc/metamed +#INETD_ALLOWED_SVC=/network/rpc/metamh +#INETD_ALLOWED_SVC=/network/security/ktkt_warn +#INETD_ALLOWED_SVC=/application/x11/xfs +#INETD_ALLOWED_SVC=/application/print/rfc1179 +#INETD_ALLOWED_SVC=/application/font/stfsloader +#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord +#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp +#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp + +# +# This setting tells rkhunter where the xinetd configuration +# file is located. +# +#XINETD_CONF_PATH=/etc/xinetd.conf + +# +# Allow the following enabled xinetd services. Whilst it would be +# nice to use the service names themselves, at the time of testing +# we only have the pathname available. As such, these entries are +# the xinetd file pathnames. +# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines). +# +XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync +XINETD_ALLOWED_SVC=/etc/xinetd.d/cvspserver +XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp +XINETD_ALLOWED_SVC=/etc/xinetd.d/git-server +XINETD_ALLOWED_SVC=/etc/xinetd.d/git +XINETD_ALLOWED_SVC=/etc/xinetd.d/bzr-server + +# +# This setting tells rkhunter the local system startup file pathnames. +# More than one file may be present on the system, and so this option +# can be a space-separated list. This setting will be worked out by +# rkhunter, and so should not usually need to be set. +# +# If the system uses a directory of local startup scripts, then rather +# that setting all the file names here, leave this setting blank, and +# specify the directory name in SYSTEM_RC_DIR instead. +# +# If the system does not use a local startup script at all, then this +# setting can be set to 'none'. Without this, rkhunter would give a +# warning that no local startup script could be found. +# +#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit" + +# +# This setting tells rkhunter the local system startup file directory. +# This setting will be worked out by rkhunter, and so should not usually +# need to be set. +# +#SYSTEM_RC_DIR=/etc/rc.d + +# +# This setting tells rkhunter the pathname to the file containing the +# user account passwords. This setting will be worked out by rkhunter, +# and so should not usually need to be set. +# +PASSWORD_FILE=/etc/shadow + +# +# Allow the following accounts to be root equivalent. These accounts +# will have a UID value of zero. This option is a space-separated list +# of account names. The 'root' account does not need to be listed as it +# is automatically whitelisted. +# +# Note: For *BSD systems you may need to enable this for the 'toor' account. +# +#UID0_ACCOUNTS="toor rooty" + +# +# Allow the following accounts to have no password. This option is a +# space-separated list of account names. NIS/YP entries do not need to +# be listed as they are automatically whitelisted. +# +#PWDLESS_ACCOUNTS="abc" + +# +# This setting tells rkhunter the pathname to the syslog configuration +# file. This setting will be worked out by rkhunter, and so should not +# usually need to be set. +# +#SYSLOG_CONFIG_FILE=/etc/syslog.conf + +# +# This option permits the use of syslog remote logging. +# +ALLOW_SYSLOG_REMOTE_LOGGING=1 + +# +# Allow the following applications, or a specific version of an application, +# to be whitelisted. This option is a space-separated list consisting of the +# application names. If a specific version is to be whitelisted, then the +# name must be followed by a colon and then the version number. +# +# For example: APP_WHITELIST="openssl:0.9.7d gpg" +# +APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1" + +# +# Scan for suspicious files in directories containing temporary files and +# directories posing a relatively higher risk due to user write access. +# Please do not enable by default as suspscan is CPU and I/O intensive and prone to +# producing false positives. Do review all settings before usage. +# Also be aware that running suspscan in combination with verbose logging on, +# RKH's default, will show all ignored files. +# Please consider adding all directories the user the (web)server runs as has +# write access to including the document root (example: "/var/www") and log +# directories (example: "/var/log/httpd"). +# +# A space-separated list of directories to scan. +# +SUSPSCAN_DIRS="/tmp /var/tmp" + +# +# Directory for temporary files. A memory-based one is better (faster). +# Do not use a directory name that is listed in SUSPSCAN_DIRS. +# Please make sure you have a tempfs mounted and the directory exists. +# +SUSPSCAN_TEMP=/dev/shm + +# +# Maximum filesize in bytes. Files larger than this will not be inspected. +# Do make sure you have enough space left in your temporary files directory. +# +SUSPSCAN_MAXSIZE=10240000 + +# +# Score threshold. Below this value no hits will be reported. +# A value of "200" seems "good" after testing on malware. Please adjust +# locally if necessary. +# +SUSPSCAN_THRESH=200 + +# +# The following option can be used to whitelist network ports which +# are known to have been used by malware. The option is a space- +# separated list of one or more of three types of whitelisting. +# These are: +# +# 1) a 'protocol:port' pair (e.g. TCP:25) +# 2) a pathname to an executable (e.g. /usr/sbin/squid) +# 3) an asterisk ('*') +# +# Only the UDP or TCP protocol may be specified, and the port number +# must be between 1 and 65535 inclusive. +# +# The asterisk can be used to indicate that any executable in a trusted +# path directory will be whitelisted. A trusted path directory is one which +# rkhunter uses to locate commands. It is composed of the root PATH +# environment variable, and the BINDIR command-line or configuration +# file option. +# +# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" +# +#PORT_WHITELIST="" + +# +# The following option can be used to tell rkhunter where the operating +# system 'release' file is located. This file contains information +# specifying the current O/S version. RKH will store this information +# itself, and check to see if it has changed between each run. If it has +# changed, then the user is warned that RKH may issue warning messages +# until RKH has been run with the '--propupd' option. +# +# Since the contents of the file vary according to the O/S distribution, +# RKH will perform different actions when it detects the file itself. As +# such, this option should not be set unless necessary. If this option is +# specified, then RKH will assume the O/S release information is on the +# first non-blank line of the file. +# +# {{ ansible_distribution|lower }} +OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release + +# +# The following two options can be used to whitelist files and directories +# that would normally be flagged with a warning during the rootkit checks. +# If the file or directory name contains a space, then the percent character +# ('%') must be used instead. Only existing files and directories can be +# specified. +# +#RTKT_DIR_WHITELIST="" +#RTKT_FILE_WHITELIST="" + +# +# To force rkhunter to use the supplied script for the 'stat' or 'readlink' +# command, then the following two options can be used. The value must be +# set to 'BUILTIN'. +# +# NOTE: IRIX users will probably need to enable STAT_CMD. +# +#STAT_CMD=BUILTIN +#READLINK_CMD=BUILTIN + +INSTALLDIR=/usr +SCRIPTWHITELIST=/usr/bin/whatis +SCRIPTWHITELIST=/usr/bin/ldd +SCRIPTWHITELIST=/usr/bin/groups +SCRIPTWHITELIST=/usr/bin/GET +SCRIPTWHITELIST=/sbin/ifup +SCRIPTWHITELIST=/sbin/ifdown diff --git a/roles/rkhunter/files/rkhunter.sysconfig b/roles/rkhunter/files/rkhunter.sysconfig new file mode 100644 index 0000000..0c463db --- /dev/null +++ b/roles/rkhunter/files/rkhunter.sysconfig @@ -0,0 +1,11 @@ +# System configuration file for Rootkit Hunter which +# stores RPM system specifics for cron run, etc. +# +# MAILTO= <email address to send scan report> +# DIAG_SCAN= no - perform normal report scan +# yes - perform detailed report scan +# (includes application check) + +MAILTO=smooge@xxxxxxxxxxxxxxxxx,kevin@xxxxxxxxxxxxxxxxx +DIAG_SCAN=no + diff --git a/roles/rkhunter/tasks/main.yml b/roles/rkhunter/tasks/main.yml new file mode 100644 index 0000000..4bec0f7 --- /dev/null +++ b/roles/rkhunter/tasks/main.yml @@ -0,0 +1,18 @@ +--- + +- name: install rkhunter + yum: name=rkhunter state=present + tags: + - packages + +- name: rkhunter.conf + template: src=rkhunter.conf.j2 dest=/etc/rkhunter.conf mode=0640 + tags: + - config + +- name: rkhunter sysconfig + copy: src=rkhunter.sysconfig dest=/etc/sysconfig/rkhunter mode=0640 + tags: + - config + + diff --git a/tasks/rkhunter.yml b/tasks/rkhunter.yml deleted file mode 100644 index 325315b..0000000 --- a/tasks/rkhunter.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: install rkhunter - yum: name=rkhunter state=present - tags: - - packages - -- name: rkhunter.conf - template: src=$files/rkhunter/rkhunter.conf.j2 dest=/etc/rkhunter.conf mode=0640 - tags: - - config - -- name: rkhunter sysconfig - copy: src=$files/rkhunter/rkhunter.sysconfig dest=/etc/sysconfig/rkhunter mode=0640 - tags: - - config - - -- 1.8.3.1 _______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
