From 2df3fb06dbf2463a0fc373164861d6d7deebaa78 Mon Sep 17 00:00:00 2001
From: Matthieu Saulnier
Date: Sat, 8 Dec 2018 13:14:52 +0100
Subject: Update diagnostics role targeting all hosts except website-engines on raspberry
And add ssh aux port in common role
---
 diagnostics.yml | 4 +++-
 roles/common/tasks/ssh.yml | 7 +++++++
 roles/diagnostics/files/selinuxresto.sh | 2 +-
 roles/diagnostics/tasks/rkhunter.yml | 14 +++++++++++---
 4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/diagnostics.yml b/diagnostics.yml
index 69ef2ab..50b5669 100644
--- a/diagnostics.yml
+++ b/diagnostics.yml
@@ -1,4 +1,6 @@
-- hosts: all
+- hosts:
+ - dns
+ - proxy
 remote_user: root
 any_errors_fatal: true
 roles:
diff --git a/roles/common/tasks/ssh.yml b/roles/common/tasks/ssh.yml
index d5ba7f8..9be8d31 100644
--- a/roles/common/tasks/ssh.yml
+++ b/roles/common/tasks/ssh.yml
@@ -15,3 +15,10 @@
 regexp: "^#PermitRootLogin yes"
 line: "PermitRootLogin yes"
 notify: restart sshd
+
+- name: Ouverture du port ssh secondaire
+ firewalld:
+ port: "54444/tcp"
+ permanent: yes
+ immediate: yes
+ state: enabled
diff --git a/roles/diagnostics/files/selinuxresto.sh b/roles/diagnostics/files/selinuxresto.sh
index 22ff769..1720fef 100755
--- a/roles/diagnostics/files/selinuxresto.sh
+++ b/roles/diagnostics/files/selinuxresto.sh
@@ -1,2 +1,2 @@
 #!/usr/bin/bash
-touch /.autorelabel && echo 'SELinux: autorelabel au prochain reboot'
+/usr/sbin/fixfiles -F onboot && echo 'SELinux: autorelabel au prochain reboot'
diff --git a/roles/diagnostics/tasks/rkhunter.yml b/roles/diagnostics/tasks/rkhunter.yml
index 460073a..6a9a507 100644
--- a/roles/diagnostics/tasks/rkhunter.yml
+++ b/roles/diagnostics/tasks/rkhunter.yml
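Review bot: Replacing `hosts: all` with a fixed `dns`/`proxy` list means any host added to the inventory later is silently left out of the diagnostics play (rkhunter, SELinux relabel), while the commit title states the intent as "all hosts except website-engines on raspberry". An exclusion pattern expresses that directly and keeps new hosts covered by default: `- hosts: "all:!website-engines"` (substitute whatever the raspberry group is actually named in the inventory; I cannot see it from here). If dns and proxy really are the only intended targets, a comment on the play saying so would stop the next reader from reading the list as drift from the title.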
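Review bot: The new task opens 54444/tcp in firewalld, but nothing in this hunk makes sshd listen there, and on an SELinux-enforcing host (this repo manages relabels in the diagnostics role) sshd refuses to bind a non-standard port until it is labelled `ssh_port_t`, so the firewall hole may sit in front of nothing or the `restart sshd` handler may fail. If the sshd side is not handled elsewhere in the role, add a `seport` task and the `Port` lines before the firewall rule, keeping in mind that once any `Port` directive is present the implicit 22 is no longer listened on. The context lines above show `PermitRootLogin yes`, so a second exposed port with root login permitted widens the attack surface; a comment on why the aux port is needed (e.g. `# secondary ssh port used when 22 is filtered upstream`) would help. Minor: write `permanent: true` / `immediate: true` rather than `yes`.

```yaml
- name: Label the secondary ssh port so SELinux lets sshd bind it
  seport:
    ports: 54444
    proto: tcp
    setype: ssh_port_t
    state: present

- name: Make sshd listen on both ports (an explicit Port drops the implicit 22)
  lineinfile:
    path: /etc/ssh/sshd_config
    line: "{{ item }}"
  loop:
    - "Port 22"
    - "Port 54444"
  notify: restart sshd

# … unchanged: firewalld rule for 54444/tcp …
```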
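Review bot: The `-F` passed to `fixfiles onboot` makes the next-boot relabel also reset files whose type is in SELinux's customizable_types list and rewrite the user/role/range parts of every context, so labels applied locally with chcon or semanage fcontext equivalents are lost; neither the script nor its message mentions this. If that is intended, record it: `# -F: force-reset even customizable types; locally applied labels will not survive the relabel`. The echo only fires when fixfiles succeeds, which is fine since the script's exit status then carries the failure, but an explicit `|| { echo 'fixfiles onboot failed' >&2; exit 1; }` would make a non-root or missing-policycoreutils run visible in the Ansible output.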
@@ -2,22 +2,30 @@
 dnf: name=rkhunter state=present
 notify: initialize rkhunter
+- name: Login SSH en root
+ lineinfile:
+ path: /etc/rkhunter.conf
+ state: present
+ backrefs: yes
+ regexp: "^ALLOW_SSH_ROOT_USER=unset"
+ line: "ALLOW_SSH_ROOT_USER=yes"
+
 - name: Activation de tests rkhunter
 lineinfile: dest=/etc/rkhunter.conf state=present backrefs=yes regexp="^DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps" line="DISABLE_TESTS=deleted_files"
-- name: Ajout de process en liste blanche
+- name: Ajout de wpa_spplicant en liste blanche
 lineinfile:
 path: /etc/rkhunter.conf
 line: 'ALLOWPROCLISTEN=/usr/sbin/wpa_supplicant'
-- name: Ajout de process en liste blanche
+- name: Ajout de arpwatch en liste blanche
 lineinfile:
 path: /etc/rkhunter.conf
 line: 'ALLOWPROCLISTEN=/usr/sbin/arpwatch'
-- name: Ajout de fichier en liste blanche
+- name: Ajout de fichier cache squid en liste blanche
 lineinfile:
 path: /etc/rkhunter.conf
 insertafter: '^ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm'
-- cgit
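Review bot: The new `Login SSH en root` task only rewrites the line when it reads exactly `ALLOW_SSH_ROOT_USER=unset`; because `backrefs: yes` turns lineinfile into a no-op when the regexp does not match, a host whose rkhunter.conf already carries `no` (or a value left by a package update) keeps it silently and rkhunter keeps flagging root login on that host only. Matching the key alone without backrefs pins the value on every run: `regexp: '^ALLOW_SSH_ROOT_USER='` and `line: 'ALLOW_SSH_ROOT_USER=yes'`, dropping the `backrefs` line. This deliberately suppresses a rootkit-hunter warning to match `PermitRootLogin yes` set in the common role, so a comment above the task should record the trade-off, e.g. `# root over SSH is allowed on purpose (roles/common/tasks/ssh.yml); tell rkhunter so the warning is not noise`. Also use `true` rather than `yes` for booleans, and the task name "wpa_spplicant" has a typo for wpa_supplicant.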