From 43624798b9a5682bcaa0103b96e0858ac5fcb704 Mon Sep 17 00:00:00 2001 From: Matthieu Saulnier Date: Sat, 8 Dec 2018 00:45:17 +0100 Subject: Revert "Temporary disable HIDS tasks due to overload" This reverts commit d244837efa9a4f4c57d695375d9b725ac0ee811d. --- roles/clients/tasks/main.yml | 5 ++--- roles/diagnostics/tasks/aide.yml | 14 ++++++++------ roles/diagnostics/tasks/cron.yml | 8 +++++--- roles/diagnostics/tasks/rkhunter.yml | 26 +++++++++++++++++++++++--- roles/diagnostics/tasks/selinux.yml | 7 ++++--- 5 files changed, 42 insertions(+), 18 deletions(-) (limited to 'roles') diff --git a/roles/clients/tasks/main.yml b/roles/clients/tasks/main.yml index d1478d7..bb26d65 100644 --- a/roles/clients/tasks/main.yml +++ b/roles/clients/tasks/main.yml @@ -22,9 +22,8 @@ - name: Configuration mock import_tasks: mock.yml -### rkhunter est désinstallé par le role diagnostics -###- name: Configuration rkhunter pour mock -### import_tasks: rkhunter.yml +- name: Configuration rkhunter pour mock + import_tasks: rkhunter.yml - name: Ajout points de montage import_tasks: mnt.yml diff --git a/roles/diagnostics/tasks/aide.yml b/roles/diagnostics/tasks/aide.yml index c7490ca..a8640fd 100644 --- a/roles/diagnostics/tasks/aide.yml +++ b/roles/diagnostics/tasks/aide.yml @@ -1,14 +1,16 @@ - name: Installation du HIDS AIDE yum: name=aide state=present when: ansible_pkg_mgr == "yum" - notify: initialize aide - name: Installation du HIDS AIDE dnf: name=aide state=present when: ansible_pkg_mgr == "dnf" - notify: initialize aide -- name: Désactivation Cron du HIDS AIDE - file: - path: /etc/cron.daily/z-aidereport.sh - state: absent +- name: Activation Cron du HIDS AIDE + copy: + src: aidereport.sh + dest: /etc/cron.daily/z-aidereport.sh + mode: 0755 + when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 28 and + ansible_virtualization_role == "NA" or ansible_virtualization_role == "host" + notify: initialize aide 
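Review bot: The `when:` on the new `Activation Cron du HIDS AIDE` task mixes `and` and `or` without parentheses, and because `and` binds tighter in Jinja2 it evaluates as `(Fedora and version >= 28 and role == "NA") or role == "host"`. Any machine reporting `ansible_virtualization_role == "host"` therefore gets the cron script whatever its distribution or version. If the Fedora 28+ restriction is meant to hold in both cases, group the role test: `when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 28 and (ansible_virtualization_role == "NA" or ansible_virtualization_role == "host")`. Moving `notify: initialize aide` from the install tasks onto this conditional copy also means the handler fires only when the script file changes, so hosts that skip the task get AIDE installed with nothing in this hunk triggering initialisation. The handler body is not visible here, but if it rebuilds the database, a later edit to the script would presumably accept every file change since the last baseline without review, which is worth confirming as intended.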
diff --git a/roles/diagnostics/tasks/cron.yml b/roles/diagnostics/tasks/cron.yml index f826177..640dacc 100644 --- a/roles/diagnostics/tasks/cron.yml +++ b/roles/diagnostics/tasks/cron.yml @@ -19,9 +19,11 @@ state: absent - name: Rapport RPM Verify monthly - file: - path: /etc/cron.monthly/rpmreport.sh - state: absent + copy: + src: rpmreport.sh + dest: /etc/cron.monthly/rpmreport.sh + mode: 0755 + when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host" - name: Tests disques durs template: diff --git a/roles/diagnostics/tasks/rkhunter.yml b/roles/diagnostics/tasks/rkhunter.yml index edb73ef..460073a 100644 --- a/roles/diagnostics/tasks/rkhunter.yml +++ b/roles/diagnostics/tasks/rkhunter.yml @@ -1,4 +1,24 @@ - name: Installation du HIDS rkhunter - package: - name: rkhunter - state: absent + dnf: name=rkhunter state=present + notify: initialize rkhunter + +- name: Activation de tests rkhunter + lineinfile: dest=/etc/rkhunter.conf state=present backrefs=yes + regexp="^DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps" + line="DISABLE_TESTS=deleted_files" + +- name: Ajout de process en liste blanche + lineinfile: + path: /etc/rkhunter.conf + line: 'ALLOWPROCLISTEN=/usr/sbin/wpa_supplicant' + +- name: Ajout de process en liste blanche + lineinfile: + path: /etc/rkhunter.conf + line: 'ALLOWPROCLISTEN=/usr/sbin/arpwatch' + +- name: Ajout de fichier en liste blanche + lineinfile: + path: /etc/rkhunter.conf + insertafter: '^ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm' + line: 'ALLOWDEVFILE=/dev/shm/squid-tls_session_cache.shm' diff --git a/roles/diagnostics/tasks/selinux.yml b/roles/diagnostics/tasks/selinux.yml index 7497364..92268e7 100644 --- a/roles/diagnostics/tasks/selinux.yml +++ b/roles/diagnostics/tasks/selinux.yml 
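Review bot: The restored `copy` task for `/etc/cron.monthly/rpmreport.sh` sets only `mode: 0755`, so owner and group are left to the account the play runs as, or to whatever an existing file already has. Scripts in `/etc/cron.monthly` are normally executed as root, so pinning `owner: root` and `group: root` makes the task correct ownership drift instead of preserving it. Writing the mode as a string (`mode: "0755"`) removes the dependence on the YAML parser's octal handling. The same applies to the `copy` tasks added in `roles/diagnostics/tasks/aide.yml` and `roles/diagnostics/tasks/selinux.yml`. The hunk begins inside the preceding task, whose definition is not visible here.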
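Review bot: The `Activation de tests rkhunter` task combines `backrefs=yes` with a `regexp` that matches one exact default value of `DISABLE_TESTS`, and with `backrefs` a `lineinfile` whose pattern does not match leaves the file untouched and reports no change. If the packaged `/etc/rkhunter.conf` ships a different default, `suspscan`, `hidden_ports`, `packet_cap_apps` and `apps` stay disabled and nothing in the run signals it. Matching on the key alone and dropping `backrefs` (`regexp="^DISABLE_TESTS="` with the same `line=`) enforces the intended value whatever was there before. Separately, the install task is now hard-coded to `dnf:` while `aide.yml` in this commit still branches on `ansible_pkg_mgr`; `package: name=rkhunter state=present` would cover both. The two tasks named `Ajout de process en liste blanche` would also be easier to tell apart in run output if each name mentioned the process it allows.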
@@ -6,7 +6,8 @@ when: ansible_selinux.status != "disabled" - name: Relabel système de fichier - file: - path: /etc/cron.monthly/selinuxresto.sh - state: absent + copy: + src: selinuxresto.sh + dest: /etc/cron.monthly/selinuxresto.sh + mode: 0755 when: ansible_selinux.status != "disabled" -- cgit