From 8e2ec48cc0fa1804e46034fe1a30c783365b4d7e Mon Sep 17 00:00:00 2001 
From: Kevin Fenzi Date: Mon, 19 Aug 2013 20:12:26 +0000 Subject: Migrate a bunch of things to roles. Thanks to misc! --- .gitignore | 1 + files/denyhosts/allowed-hosts | 27 - files/denyhosts/denyhosts.conf | 626 --------------------- files/fas-client/fas-client.cron | 1 - files/fas-client/fas.conf.j2 | 92 --- files/fas-client/nsswitch.conf | 45 -- files/geoip/geoip_sync | 2 - files/mirrorlist/mirrorlist-server.conf | 44 -- files/mirrorlist/mm-authorized_key | 1 - files/mirrorlist/mm_sync_data | 4 - files/mirrorlist/supervisord.conf | 67 --- files/nagios/client/check_cron.cfg | 1 - files/nagios/client/check_disk.cfg | 2 - files/nagios/client/check_lock.cfg | 1 - files/nagios/client/check_mirrorlist_cache.cfg | 1 - files/nagios/client/check_postfix_queue.cfg | 1 - files/nagios/client/check_raid.cfg | 1 - files/nagios/client/check_swap.cfg | 1 - files/nagios/client/nrpe.cfg | 223 -------- files/nagios/client/scripts/check_lock | 17 - files/nagios/client/scripts/check_postfix_queue | 49 -- files/nagios/client/scripts/check_raid.py | 45 -- files/rkhunter/rkhunter.conf.j2 | 590 ------------------- files/rkhunter/rkhunter.sysconfig | 11 - handlers/restart_services.yml | 15 +- playbooks/groups/arm-packager.yml | 8 +- playbooks/groups/arm-qa.yml | 8 +- playbooks/groups/arm-releng.yml | 5 +- playbooks/groups/backup-server.yml | 11 +- playbooks/groups/badges-backend.yml | 10 +- playbooks/groups/badges-web.yml | 10 +- playbooks/groups/beaker.yml | 10 +- playbooks/groups/gallery.yml | 10 +- playbooks/groups/kernel-qa.yml | 10 +- playbooks/groups/keyserver.yml | 10 +- playbooks/groups/koji-hub.yml | 10 +- playbooks/groups/mailman.yml | 10 +- playbooks/groups/mirrorlist.yml | 14 +- playbooks/groups/postgresl-server.yml | 13 +- playbooks/groups/releng.yml | 4 +- playbooks/groups/sign.yml | 4 +- playbooks/groups/taskbot.yml | 10 +- playbooks/groups/virthost.yml | 11 +- playbooks/rkhunter_update.yml | 8 +- roles/denyhosts/files/allowed-hosts | 27 + 
roles/denyhosts/files/denyhosts.conf | 626 +++++++++++++++++++++ roles/denyhosts/handlers/main.yml | 3 + roles/denyhosts/tasks/main.yml | 26 + roles/fas_client/files/fas-client.cron | 1 + roles/fas_client/files/nsswitch.conf | 45 ++ roles/fas_client/handlers/main.yml | 3 + roles/fas_client/tasks/main.yml | 80 +++ roles/fas_client/templates/fas.conf.j2 | 92 +++ roles/geoip/files/geoip_sync | 2 + roles/geoip/tasks/main.yml | 13 + roles/mirrorlist/files/mirrorlist-server.conf | 44 ++ roles/mirrorlist/files/mm-authorized_key | 1 + roles/mirrorlist/files/mm_sync_data | 4 + roles/mirrorlist/files/supervisord.conf | 67 +++ roles/mirrorlist/tasks/main.yml | 48 ++ roles/nagios_client/files/check_cron.cfg | 1 + roles/nagios_client/files/check_disk.cfg | 2 + roles/nagios_client/files/check_lock.cfg | 1 + .../nagios_client/files/check_mirrorlist_cache.cfg | 1 + roles/nagios_client/files/check_postfix_queue.cfg | 1 + roles/nagios_client/files/check_raid.cfg | 1 + roles/nagios_client/files/check_swap.cfg | 1 + roles/nagios_client/files/nrpe.cfg | 223 ++++++++ roles/nagios_client/files/scripts/check_lock | 17 + .../files/scripts/check_postfix_queue | 49 ++ roles/nagios_client/files/scripts/check_raid.py | 45 ++ roles/nagios_client/handlers/main.yml | 3 + roles/nagios_client/tasks/main.yml | 63 +++ roles/postgresql_server/handlers/main.yml | 3 + roles/postgresql_server/tasks/main.yml | 27 + roles/rkhunter/files/rkhunter.conf.j2 | 590 +++++++++++++++++++ roles/rkhunter/files/rkhunter.sysconfig | 11 + roles/rkhunter/tasks/main.yml | 18 + tasks/denyhosts.yml | 26 - tasks/fas_client.yml | 80 --- tasks/geoip.yml | 15 - tasks/mirrorlist.yml | 48 -- tasks/nagios_client.yml | 63 --- tasks/postgresql_server.yml | 27 - tasks/rkhunter.yml | 18 - 85 files changed, 2245 insertions(+), 2215 deletions(-) delete mode 100644 files/denyhosts/allowed-hosts delete mode 100644 files/denyhosts/denyhosts.conf delete mode 100644 files/fas-client/fas-client.cron delete mode 100644 
files/fas-client/fas.conf.j2 delete mode 100644 files/fas-client/nsswitch.conf delete mode 100644 files/geoip/geoip_sync delete mode 100644 files/mirrorlist/mirrorlist-server.conf delete mode 100644 files/mirrorlist/mm-authorized_key delete mode 100755 files/mirrorlist/mm_sync_data delete mode 100644 files/mirrorlist/supervisord.conf delete mode 100644 files/nagios/client/check_cron.cfg delete mode 100644 files/nagios/client/check_disk.cfg delete mode 100644 files/nagios/client/check_lock.cfg delete mode 100644 files/nagios/client/check_mirrorlist_cache.cfg delete mode 100644 files/nagios/client/check_postfix_queue.cfg delete mode 100644 files/nagios/client/check_raid.cfg delete mode 100644 files/nagios/client/check_swap.cfg delete mode 100644 files/nagios/client/nrpe.cfg delete mode 100755 files/nagios/client/scripts/check_lock delete mode 100755 files/nagios/client/scripts/check_postfix_queue delete mode 100755 files/nagios/client/scripts/check_raid.py delete mode 100644 files/rkhunter/rkhunter.conf.j2 delete mode 100644 files/rkhunter/rkhunter.sysconfig create mode 100644 roles/denyhosts/files/allowed-hosts create mode 100644 roles/denyhosts/files/denyhosts.conf create mode 100644 roles/denyhosts/handlers/main.yml create mode 100644 roles/denyhosts/tasks/main.yml create mode 100644 roles/fas_client/files/fas-client.cron create mode 100644 roles/fas_client/files/nsswitch.conf create mode 100644 roles/fas_client/handlers/main.yml create mode 100644 roles/fas_client/tasks/main.yml create mode 100644 roles/fas_client/templates/fas.conf.j2 create mode 100644 roles/geoip/files/geoip_sync create mode 100644 roles/geoip/tasks/main.yml create mode 100644 roles/mirrorlist/files/mirrorlist-server.conf create mode 100644 roles/mirrorlist/files/mm-authorized_key create mode 100644 roles/mirrorlist/files/mm_sync_data create mode 100644 roles/mirrorlist/files/supervisord.conf create mode 100644 roles/mirrorlist/tasks/main.yml create mode 100644 
roles/nagios_client/files/check_cron.cfg create mode 100644 roles/nagios_client/files/check_disk.cfg create mode 100644 roles/nagios_client/files/check_lock.cfg create mode 100644 roles/nagios_client/files/check_mirrorlist_cache.cfg create mode 100644 roles/nagios_client/files/check_postfix_queue.cfg create mode 100644 roles/nagios_client/files/check_raid.cfg create mode 100644 roles/nagios_client/files/check_swap.cfg create mode 100644 roles/nagios_client/files/nrpe.cfg create mode 100644 roles/nagios_client/files/scripts/check_lock create mode 100644 roles/nagios_client/files/scripts/check_postfix_queue create mode 100644 roles/nagios_client/files/scripts/check_raid.py create mode 100644 roles/nagios_client/handlers/main.yml create mode 100644 roles/nagios_client/tasks/main.yml create mode 100644 roles/postgresql_server/handlers/main.yml create mode 100644 roles/postgresql_server/tasks/main.yml create mode 100644 roles/rkhunter/files/rkhunter.conf.j2 create mode 100644 roles/rkhunter/files/rkhunter.sysconfig create mode 100644 roles/rkhunter/tasks/main.yml delete mode 100644 tasks/denyhosts.yml delete mode 100644 tasks/fas_client.yml delete mode 100644 tasks/geoip.yml delete mode 100644 tasks/mirrorlist.yml delete mode 100644 tasks/nagios_client.yml delete mode 100644 tasks/postgresql_server.yml delete mode 100644 tasks/rkhunter.yml
diff --git a/.gitignore b/.gitignore
index 1377554eb..b94898552 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.swp
+*.pyc
diff --git a/files/denyhosts/allowed-hosts b/files/denyhosts/allowed-hosts
deleted file mode 100644
index f5a88b7b0..000000000
--- a/files/denyhosts/allowed-hosts
+++ /dev/null
@@ -1,27 +0,0 @@
-# We mustn't block localhost
-127.0.0.1
-
-#bastion
-10.5.126.11
-10.5.126.12
-#lockbox
-10.5.126.23
-# don't block lockbox's remote addr, either
-209.132.181.6
-
-#noc1
-noc1.phx2.fedoraproject.org
-10.5.126.41
-192.168.1.10
-
-# RDU NAT
-66.187.233.202
-66.187.233.206
-# RH NAT
-66.187.230.200
-# PHX2 NAT
-209.132.181.102
-# tlv RHT NAT
-66.187.237.10
-# brno RHT NAT
-209.132.186.34
diff --git a/files/denyhosts/denyhosts.conf b/files/denyhosts/denyhosts.conf
deleted file mode 100644
index 577b8518e..000000000
--- a/files/denyhosts/denyhosts.conf
+++ /dev/null
@@ -1,626 +0,0 @@ - ############ THESE SETTINGS ARE REQUIRED ############ - -######################################################################## -# -# SECURE_LOG: the log file that contains sshd logging info -# if you are not sure, grep "sshd:" /var/log/* -# -# The file to process can be overridden with the --file command line -# argument -# -# Redhat or Fedora Core: -SECURE_LOG = /var/log/secure -# -# Mandrake, FreeBSD or OpenBSD: -#SECURE_LOG = /var/log/auth.log -# -# SuSE: -#SECURE_LOG = /var/log/messages -# -# Mac OS X (v10.4 or greater - -# also refer to: http://www.denyhosts.net/faq.html#macos -#SECURE_LOG = /private/var/log/asl.log -# -# Mac OS X (v10.3 or earlier): -#SECURE_LOG=/private/var/log/system.log -# -######################################################################## - -######################################################################## -# -# HOSTS_DENY: the file which contains restricted host access information -# -# Most operating systems: -HOSTS_DENY = /etc/hosts.deny -# -# Some BSD (FreeBSD) Unixes: -#HOSTS_DENY = /etc/hosts.allow -# -# Another possibility (also see the next option): -#HOSTS_DENY = /etc/hosts.evil -####################################################################### - - -######################################################################## -# -# PURGE_DENY: removed HOSTS_DENY entries that are older than this time -# when DenyHosts is invoked with the --purge flag -# -# format is: i[dhwmy] -# Where 'i' is an integer (eg. 7) -# 'm' = minutes -# 'h' = hours -# 'd' = days -# 'w' = weeks -# 'y' = years -# -# never purge: -#PURGE_DENY = -# -# purge entries older than 1 week -#PURGE_DENY = 1w -# -# purge entries older than 5 days -#PURGE_DENY = 5d -# -# For the default Fedora Extras install, we want timestamping but no -# expiration (at least by default) so this is deliberately set high. -# Adjust to taste. 
-PURGE_DENY = 4w -####################################################################### - -####################################################################### -# -# PURGE_THRESHOLD: defines the maximum times a host will be purged. -# Once this value has been exceeded then this host will not be purged. -# Setting this parameter to 0 (the default) disables this feature. -# -# default: a denied host can be purged/re-added indefinitely -PURGE_THRESHOLD = 4 -# -# a denied host will be purged at most 2 times. -#PURGE_THRESHOLD = 2 -# -####################################################################### - - -####################################################################### -# -# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY -# -# man 5 hosts_access for details -# -# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1 -# -# To block all services for the offending host: -#BLOCK_SERVICE = ALL -# To block only sshd: -BLOCK_SERVICE = sshd -# To only record the offending host and nothing else (if using -# an auxilary file to list the hosts). Refer to: -# http://denyhosts.sourceforge.net/faq.html#aux -#BLOCK_SERVICE = -# -####################################################################### - - -####################################################################### -# -# DENY_THRESHOLD_INVALID: block each host after the number of failed login -# attempts has exceeded this value. This value applies to invalid -# user login attempts (eg. non-existent user accounts) -# -DENY_THRESHOLD_INVALID = 15 -# -####################################################################### - -####################################################################### -# -# DENY_THRESHOLD_VALID: block each host after the number of failed -# login attempts has exceeded this value. This value applies to valid -# user login attempts (eg. 
user accounts that exist in /etc/passwd) except -# for the "root" user -# -DENY_THRESHOLD_VALID = 15 -# -####################################################################### - -####################################################################### -# -# DENY_THRESHOLD_ROOT: block each host after the number of failed -# login attempts has exceeded this value. This value applies to -# "root" user login attempts only. -# -DENY_THRESHOLD_ROOT = 5 -# -####################################################################### - - -####################################################################### -# -# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed -# login attempts has exceeded this value. This value applies to -# usernames that appear in the WORK_DIR/restricted-usernames file only. -# -DENY_THRESHOLD_RESTRICTED = 1 -# -####################################################################### - - -####################################################################### -# -# WORK_DIR: the path that DenyHosts will use for writing data to -# (it will be created if it does not already exist). -# -# Note: it is recommended that you use an absolute pathname -# for this value (eg. /home/foo/denyhosts/data) -# -WORK_DIR = /var/lib/denyhosts -# -####################################################################### - -####################################################################### -# -# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS -# -# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO -# If set to YES, if a suspicious login attempt results from an allowed-host -# then it is considered suspicious. If this is NO, then suspicious logins -# from allowed-hosts will not be reported. All suspicious logins from -# ip addresses that are not in allowed-hosts will always be reported. 
-# -SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES -###################################################################### - -###################################################################### -# -# HOSTNAME_LOOKUP -# -# HOSTNAME_LOOKUP=YES|NO -# If set to YES, for each IP address that is reported by Denyhosts, -# the corresponding hostname will be looked up and reported as well -# (if available). -# -HOSTNAME_LOOKUP=YES -# -###################################################################### - - -###################################################################### -# -# LOCK_FILE -# -# LOCK_FILE=/path/denyhosts -# If this file exists when DenyHosts is run, then DenyHosts will exit -# immediately. Otherwise, this file will be created upon invocation -# and deleted upon exit. This ensures that only one instance is -# running at a time. -# -# Redhat/Fedora: -LOCK_FILE = /var/lock/subsys/denyhosts -# -# Debian -#LOCK_FILE = /var/run/denyhosts.pid -# -# Misc -#LOCK_FILE = /tmp/denyhosts.lock -# -###################################################################### - - - ############ THESE SETTINGS ARE OPTIONAL ############ - - -####################################################################### -# -# ADMIN_EMAIL: if you would like to receive emails regarding newly -# restricted hosts and suspicious logins, set this address to -# match your email address. 
If you do not want to receive these reports -# leave this field blank (or run with the --noemail option) -# -# Multiple email addresses can be delimited by a comma, eg: -# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com -# -# ADMIN_EMAIL = ausil@fedoraproject.org -# -####################################################################### - -####################################################################### -# -# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email -# reports (see ADMIN_EMAIL) then these settings specify the -# email server address (SMTP_HOST) and the server port (SMTP_PORT) -# -# -# THEMOVE FIXME this needs to work from external non-VPN machines. -SMTP_HOST = bastion -SMTP_PORT = 25 -# -####################################################################### - -####################################################################### -# -# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your -# smtp email server requires authentication -# -#SMTP_USERNAME=foo -#SMTP_PASSWORD=bar -# -###################################################################### - -####################################################################### -# -# SMTP_FROM: you can specify the "From:" address in messages sent -# from DenyHosts when it reports thwarted abuse attempts -# -SMTP_FROM = DenyHosts -# -####################################################################### - -####################################################################### -# -# SMTP_SUBJECT: you can specify the "Subject:" of messages sent -# by DenyHosts when it reports thwarted abuse attempts -SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME] -# -###################################################################### - -###################################################################### -# -# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header -# when sending email messages. 
-# -# for possible values for this parameter refer to: man strftime -# -# the default: -# -#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z -# -###################################################################### - -###################################################################### -# -# SYSLOG_REPORT -# -# SYSLOG_REPORT=YES|NO -# If set to yes, when denied hosts are recorded the report data -# will be sent to syslog (syslog must be present on your system). -# The default is: NO -# -#SYSLOG_REPORT=NO -# -#SYSLOG_REPORT=YES -# -###################################################################### - -###################################################################### -# -# ALLOWED_HOSTS_HOSTNAME_LOOKUP -# -# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO -# If set to YES, for each entry in the WORK_DIR/allowed-hosts file, -# the hostname will be looked up. If your versions of tcp_wrappers -# and sshd sometimes log hostnames in addition to ip addresses -# then you may wish to specify this option. -# -#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO -# -###################################################################### - -###################################################################### -# -# AGE_RESET_VALID: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to login attempts -# to all valid users (those within /etc/passwd) with the -# exception of root. If not defined, this count will never -# be reset. 
-# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_VALID=5d -# -###################################################################### - -###################################################################### -# -# AGE_RESET_ROOT: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to all login -# attempts to the "root" user account. If not defined, -# this count will never be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_ROOT=25d -# -###################################################################### - -###################################################################### -# -# AGE_RESET_RESTRICTED: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to all login -# attempts to entries found in the WORK_DIR/restricted-usernames file. -# If not defined, the count will never be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_RESTRICTED=25d -# -###################################################################### - - -###################################################################### -# -# AGE_RESET_INVALID: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to login attempts -# made to any invalid username (those that do not appear -# in /etc/passwd). 
If not defined, count will never be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_INVALID=10d -# -###################################################################### - - -###################################################################### -# -# RESET_ON_SUCCESS: If this parameter is set to "yes" then the -# failed count for the respective ip address will be reset to 0 -# if the login is successful. -# -# The default is RESET_ON_SUCCESS = no -# -RESET_ON_SUCCESS = yes -# -##################################################################### - - -###################################################################### -# -# PLUGIN_DENY: If set, this value should point to an executable -# program that will be invoked when a host is added to the -# HOSTS_DENY file. This executable will be passed the host -# that will be added as it's only argument. -# -#PLUGIN_DENY=/usr/bin/true -# -###################################################################### - - -###################################################################### -# -# PLUGIN_PURGE: If set, this value should point to an executable -# program that will be invoked when a host is removed from the -# HOSTS_DENY file. This executable will be passed the host -# that is to be purged as it's only argument. -# -#PLUGIN_PURGE=/usr/bin/true -# -###################################################################### - -###################################################################### -# -# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain -# a regular expression that can be used to identify additional -# hackers for your particular ssh configuration. This functionality -# extends the built-in regular expressions that DenyHosts uses. -# This parameter can be specified multiple times. 
-# See this faq entry for more details: -# http://denyhosts.sf.net/faq.html#userdef_regex -# -#USERDEF_FAILED_ENTRY_REGEX= -# -# -###################################################################### - - - - - ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## - - - -####################################################################### -# -# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag) -# this is the logfile that DenyHosts uses to report it's status. -# To disable logging, leave blank. (default is: /var/log/denyhosts) -# -DAEMON_LOG = /var/log/denyhosts -# -# disable logging: -#DAEMON_LOG = -# -###################################################################### - -####################################################################### -# -# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode -# (--daemon flag) this specifies the timestamp format of -# the DAEMON_LOG messages (default is the ISO8061 format: -# ie. 2005-07-22 10:38:01,745) -# -# for possible values for this parameter refer to: man strftime -# -# Jan 1 13:05:59 -#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S -# -# Jan 1 01:05:59 -#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S -# -###################################################################### - -####################################################################### -# -# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode -# (--daemon flag) this specifies the message format of each logged -# entry. By default the following format is used: -# -# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s -# -# Where the "%(asctime)s" portion is expanded to the format -# defined by DAEMON_LOG_TIME_FORMAT -# -# This string is passed to python's logging.Formatter contstuctor. 
-# For details on the possible format types please refer to: -# http://docs.python.org/lib/node357.html -# -# This is the default: -#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s -# -# -###################################################################### - - -####################################################################### -# -# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag) -# this is the amount of time DenyHosts will sleep between polling -# the SECURE_LOG. See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -# -DAEMON_SLEEP = 30s -# -####################################################################### - -####################################################################### -# -# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode, -# run the purge mechanism to expire old entries in HOSTS_DENY -# This has no effect if PURGE_DENY is blank. -# -DAEMON_PURGE = 1h -# -####################################################################### - - - ######### THESE SETTINGS ARE SPECIFIC TO ########## - ######### DAEMON SYNCHRONIZATION ########## - - -####################################################################### -# -# Synchronization mode allows the DenyHosts daemon the ability -# to periodically send and receive denied host data such that -# DenyHosts daemons worldwide can automatically inform one -# another regarding banned hosts. This mode is disabled by -# default, you must uncomment SYNC_SERVER to enable this mode. -# -# for more information, please refer to: -# http:/denyhosts.sourceforge.net/faq.html#sync -# -####################################################################### - - -####################################################################### -# -# SYNC_SERVER: The central server that communicates with DenyHost -# daemons. 
Currently, denyhosts.net is the only available server -# however, in the future, it may be possible for organizations to -# install their own server for internal network synchronization -# -# To disable synchronization (the default), do nothing. -# -# To enable synchronization, you must uncomment the following line: -#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 -# -####################################################################### - -####################################################################### -# -# SYNC_INTERVAL: the interval of time to perform synchronizations if -# SYNC_SERVER has been uncommented. The default is 1 hour. -# -SYNC_INTERVAL = 1h -# -####################################################################### - - -####################################################################### -# -# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have -# been denied? This option only applies if SYNC_SERVER has -# been uncommented. -# The default is SYNC_UPLOAD = yes -# -#SYNC_UPLOAD = no -#SYNC_UPLOAD = yes -# -####################################################################### - - -####################################################################### -# -# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have -# been denied by others? This option only applies if SYNC_SERVER has -# been uncommented. -# The default is SYNC_DOWNLOAD = yes -# -#SYNC_DOWNLOAD = no -#SYNC_DOWNLOAD = yes -# -# -# -####################################################################### - -####################################################################### -# -# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter -# filters the returned hosts to those that have been blocked this many -# times by others. That is, if set to 1, then if a single DenyHosts -# server has denied an ip address then you will receive the denied host. 
-# -# See also SYNC_DOWNLOAD_RESILIENCY -# -#SYNC_DOWNLOAD_THRESHOLD = 10 -# -# The default is SYNC_DOWNLOAD_THRESHOLD = 3 -# -#SYNC_DOWNLOAD_THRESHOLD = 3 -# -####################################################################### - -####################################################################### -# -# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the -# value specified for this option limits the downloaded data -# to this resiliency period or greater. -# -# Resiliency is defined as the timespan between a hackers first known -# attack and it's most recent attack. Example: -# -# If the centralized denyhosts.net server records an attack at 2 PM -# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h -# will not download this ip address. -# -# However, if the attacker is recorded again at 6:15 PM then the -# ip address will be downloaded by your DenyHosts instance. -# -# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD -# and only hosts that satisfy both values will be downloaded. -# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 -# -# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours) -# -# Only obtain hackers that have been at it for 2 days or more: -#SYNC_DOWNLOAD_RESILIENCY = 2d -# -# Only obtain hackers that have been at it for 5 hours or more: -#SYNC_DOWNLOAD_RESILIENCY = 5h -# -####################################################################### - diff --git a/files/fas-client/fas-client.cron b/files/fas-client/fas-client.cron deleted file mode 100644 index 4ec50f9a8..000000000 --- a/files/fas-client/fas-client.cron +++ /dev/null @@ -1 +0,0 @@ -*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1" diff --git a/files/fas-client/fas.conf.j2 b/files/fas-client/fas.conf.j2 deleted file mode 100644 index d3af01dd4..000000000 --- a/files/fas-client/fas.conf.j2 +++ /dev/null 
@@ -1,92 +0,0 @@ -[global] -; url - Location to fas server -url = https://admin.fedoraproject.org/accounts/ - -; temp - Location to generate files while user creation process is happening -temp = /var/db - -; login - username to contact fas -login = {{ fedorathirdpartyUser }} - -; password - password for login name -password = {{ fedorathirdpartyPassword }} - -; prefix - install to a location other than / -prefix = / - -; modefile - Location of a file containing saved home directory modes -modefile = /var/lib/fas/client_dir_perms - -; cla_group - Group for CLA requirements -cla_group = cla_done - -[host] -; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups -; so if someone is in all 3, the client behaves the same as if they were just -; in 'groups' - -; groups that should have a shell account on this system. -{% if fas_client_groups %} -groups = sysadmin-main,{{ fas_client_groups }} -{% else %} -groups = sysadmin-main -{% endif %} - -; groups that should have a restricted account on this system. -; restricted accounts use the restricted_shell value in [users] -restricted_groups = - -; ssh_restricted_groups: groups that should be restricted by ssh key. You will -; need to disable password based logins in order for this value to have any -; security meaning. 
Group types can be placed here as well, for example -; @hg,@git,@svn -{% if fas_client_ssh_groups %} -ssh_restricted_groups = {{ fas_client_ssh_groups }} -{% else %} -ssh_restricted_groups = -{% endif %} - -; aliases_template: Gets prepended to the aliases file when it is generated by -; fasClient -aliases_template = /etc/aliases.template - -[users] -; default shell given to people in [host] groups -shell = /bin/bash - -; home - the location for fas user home dirs -home = /home/fedora - -; home_backup_dir - Location home dirs should get moved to when a user is -; deleted this location should be tmpwatched -home_backup_dir = /home/fedora.bak - -; ssh_restricted_app - This is the path to the restricted shell script. It -; will not work automatically for most people though through alterations it -; is a powerfull way to restrict access to a machine. An alternative example -; could be given to people who should only have cvs access on the machine. -; setting this value to "/usr/bin/cvs server" would do this. -{% if fas_client_restricted_app %} -ssh_restricted_app = {{ fas_client_restricted_app }} -{% else %} -ssh_restricted_app = -{% endif %} - -; ssh_admin_app - This is the path to an app that an admin is allowed to use. -{% if fas_client_admin_app %} -ssh_admin_app = {{ fas_client_admin_app }} -{% else %} -ssh_admin_app = -{% endif %} - -; restricted_shell - The shell given to users in the ssh_restricted_groups -restricted_shell = /sbin/nologin - -; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups -ssh_restricted_shell = /bin/bash - -; ssh_key_options - Options to be appended to people ssh keys. Users in the -; ssh_restricted_groups will have the keys they uploaded altered when they are -; installed on this machine, appended with the options below. -ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty - 
diff --git a/files/fas-client/nsswitch.conf b/files/fas-client/nsswitch.conf
deleted file mode 100644
index fb4ff626f..000000000
--- a/files/fas-client/nsswitch.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-# /etc/nsswitch.conf
-#
-# An example Name Service Switch config file. This file should be
-# sorted with the most-used services at the beginning.
-#
-# The entry '[NOTFOUND=return]' means that the search for an
-# entry should stop if the search in the previous entry turned
-# up nothing. Note that if the search failed due to some other reason
-# (like no NIS server responding) then the search continues with the
-# next entry.
-#
-# Legal entries are:
-#
-# nisplus or nis+ Use NIS+ (NIS version 3)
-# nis or yp Use NIS (NIS version 2), also called YP
-# dns Use DNS (Domain Name Service)
-# files Use the local files
-# db Use the local database (.db) files
-# compat Use NIS on compat mode
-# hesiod Use Hesiod for user lookups
-# [NOTFOUND=return] Stop searching if not found so far
-#
-
-passwd: db files
-shadow: db files
-group: db files
-
-#hosts: db files nisplus nis dns
-hosts: files dns
-
-bootparams: nisplus [NOTFOUND=return] files
-
-ethers: files
-netmasks: files
-networks: files
-protocols: files
-rpc: files
-services: files
-
-netgroup: files
-
-publickey: nisplus
-
-automount: files
-aliases: files nisplus
diff --git a/files/geoip/geoip_sync b/files/geoip/geoip_sync
deleted file mode 100644
index 2c5ce7991..000000000
--- a/files/geoip/geoip_sync
+++ /dev/null
@@ -1,2 +0,0 @@
-# cron job to sync the geoip data files
-0 1 4 * * root /usr/local/bin/syncFiles.sh bigfiles/geoip /usr/share/GeoIP
diff --git a/files/mirrorlist/mirrorlist-server.conf b/files/mirrorlist/mirrorlist-server.conf
deleted file mode 100644
index 1ee87bcc3..000000000
--- a/files/mirrorlist/mirrorlist-server.conf
+++ /dev/null
@@ -1,44 +0,0 @@ -Alias /mirrorlists /var/lib/mirrormanager/mirrorlists/ -Alias /publiclist /var/lib/mirrormanager/mirrorlists/publiclist/ -Alias /static /var/lib/mirrormanager/mirrorlists/static/ - - - Options Indexes FollowSymLinks - ExpiresActive On - ExpiresDefault "modification plus 1 day" - - -WSGIDaemonProcess mirrorlist user=apache processes=45 threads=1 display-name=mirrorlist maximum-requests=1000 - -WSGIScriptAlias /metalink /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi -WSGIScriptAlias /mirrorlist /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi - -# Set this if you do not have a Reverse Proxy (HTTP Accelerator) that -# is in front of your application server running this code. -# SetEnv mirrorlist_client.noreverseproxy 1 - - - WSGIProcessGroup mirrorlist - - # Apache 2.4 - Require all granted - - - # Apache 2.2 - Order deny,allow - Allow from all - - - - - WSGIProcessGroup mirrorlist - - # Apache 2.4 - Require all granted - - - # Apache 2.2 - Order deny,allow - Allow from all - - diff --git a/files/mirrorlist/mm-authorized_key b/files/mirrorlist/mm-authorized_key deleted file mode 100644 index bef6a5561..000000000 --- a/files/mirrorlist/mm-authorized_key +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 toshio@puppet1.fedora.phx.redhat.com diff --git a/files/mirrorlist/mm_sync_data b/files/mirrorlist/mm_sync_data deleted file mode 100755 index e48bdc7b3..000000000 --- a/files/mirrorlist/mm_sync_data +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -rsync -az --delete-delay --delay-updates --delete mirrormanager@bapp02:/var/lib/mirrormanager/ /var/lib/mirrormanager/ -kill -HUP $(cat /var/run/mirrormanager/mirrorlist_server.pid) diff --git a/files/mirrorlist/supervisord.conf b/files/mirrorlist/supervisord.conf deleted file mode 100644 index 2183276e3..000000000 --- a/files/mirrorlist/supervisord.conf +++ /dev/null 
@@ -1,67 +0,0 @@
-
-[supervisord]
-http_port=/var/tmp/supervisor.sock ; (default is to run a UNIX domain socket server)
-;http_port=127.0.0.1:9001 ; (alternately, ip_address:port specifies AF_INET)
-;sockchmod=0700 ; AF_UNIX socketmode (AF_INET ignore, default 0700)
-;sockchown=nobody.nogroup ; AF_UNIX socket uid.gid owner (AF_INET ignores)
-;umask=022 ; (process file creation umask;default 022)
-logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
-logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
-logfile_backups=10 ; (num of main logfile rotation backups;default 10)
-loglevel=info ; (logging level;default info; others: debug,warn)
-pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
-nodaemon=false ; (start in foreground if true;default false)
-minfds=1024 ; (min. avail startup file descriptors;default 1024)
-minprocs=200 ; (min. avail process descriptors;default 200)
-
-;nocleanup=true ; (don't clean up tempfiles at start;default false)
-;http_username=user ; (default is no username (open system))
-;http_password=123 ; (default is no password (open system))
-;childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP)
-;user=chrism ; (default is current user, required if root)
-;directory=/tmp ; (default is not to cd during start)
-;environment=KEY=value ; (key value pairs to add to environment)
-
-[supervisorctl]
-serverurl=unix:///var/tmp/supervisor.sock ; use a unix:// URL for a unix socket
-;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
-;username=chris ; should be same as http_username if set
-;password=123 ; should be same as http_password if set
-;prompt=mysupervisor ; cmd line prompt (default "supervisor")
-
-; The below sample program section shows all possible program subsection values,
-; create one or more 'real' program: sections to be able to control them under
-; supervisor.
-
-;[program:theprogramname]
-;command=/bin/cat ; the program (relative uses PATH, can take args)
-;priority=999 ; the relative start priority (default 999)
-;autostart=true ; start at supervisord start (default: true)
-;autorestart=true ; retstart at unexpected quit (default: true)
-;startsecs=10 ; number of secs prog must stay running (def. 10)
-;startretries=3 ; max # of serial start failures (default 3)
-;exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
-;stopsignal=QUIT ; signal used to kill process (default TERM)
-;stopwaitsecs=10 ; max num secs to wait before SIGKILL (default 10)
-;user=chrism ; setuid to this UNIX account to run the program
-;log_stdout=true ; if true, log program stdout (default true)
-;log_stderr=true ; if true, log program stderr (def false)
-;logfile=/var/log/cat.log ; child log path, use NONE for none; default AUTO
-;logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
-;logfile_backups=10 ; # of logfile backups (default 10)
-
-[program:mirrorlist_server]
-command=/usr/share/mirrormanager/mirrorlist-server/mirrorlist_server.py
-priority=1
-autostart=true
-autorestart=true
-startsecs=10
-startretries=5
-stopsignal=TERM
-stopwaitsecs=10
-user=mirrormanager
-log_stderr=true
-log_stdout=true
-logfile=/var/log/mirrormanager/mirrorlist-server.log
-logfile_maxbytes=50MB
-logfile_backups=10
diff --git a/files/nagios/client/check_cron.cfg b/files/nagios/client/check_cron.cfg
deleted file mode 100644
index e01f40799..000000000
--- a/files/nagios/client/check_cron.cfg
+++ /dev/null
@@ -1 +0,0 @@
-command[check_cron]=/usr/lib64/nagios/plugins/check_procs -c 1:10 -C 'crond' -u root
diff --git a/files/nagios/client/check_disk.cfg b/files/nagios/client/check_disk.cfg
deleted file mode 100644
index d5d32903f..000000000
--- a/files/nagios/client/check_disk.cfg
+++ /dev/null
@@ -1,2 +0,0 @@
-command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
-command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /boot
diff --git a/files/nagios/client/check_lock.cfg b/files/nagios/client/check_lock.cfg
deleted file mode 100644
index 9525f9f39..000000000
--- a/files/nagios/client/check_lock.cfg
+++ /dev/null
@@ -1 +0,0 @@
-command[check_lock]=/usr/lib64/nagios/plugins/check_lock
diff --git a/files/nagios/client/check_mirrorlist_cache.cfg b/files/nagios/client/check_mirrorlist_cache.cfg
deleted file mode 100644
index bd4b17130..000000000
--- a/files/nagios/client/check_mirrorlist_cache.cfg
+++ /dev/null
@@ -1 +0,0 @@
-command[check_mirrorlist_cache]=/usr/lib64/nagios/plugins/check_file_age -w 14400 -c 129600 -f /var/lib/mirrormanager/mirrorlist_cache.pkl
diff --git a/files/nagios/client/check_postfix_queue.cfg b/files/nagios/client/check_postfix_queue.cfg
deleted file mode 100644
index 557469803..000000000
--- a/files/nagios/client/check_postfix_queue.cfg
+++ /dev/null
@@ -1 +0,0 @@
-command[check_postfix_queue]=/usr/lib64/nagios/plugins/check_postfix_queue -w 2 -c 5
diff --git a/files/nagios/client/check_raid.cfg b/files/nagios/client/check_raid.cfg
deleted file mode 100644
index 5c15d450c..000000000
--- a/files/nagios/client/check_raid.cfg
+++ /dev/null
@@ -1 +0,0 @@
-command[check_raid]=/usr/lib64/nagios/plugins/check_raid.py
diff --git a/files/nagios/client/check_swap.cfg b/files/nagios/client/check_swap.cfg
deleted file mode 100644
index bc4f19d5d..000000000
--- a/files/nagios/client/check_swap.cfg
+++ /dev/null
@@ -1 +0,0 @@
-command[check_swap]=/usr/lib64/nagios/plugins/check_swap -w 15% -c 10%
diff --git a/files/nagios/client/nrpe.cfg b/files/nagios/client/nrpe.cfg
deleted file mode 100644
index 6933f788b..000000000
--- a/files/nagios/client/nrpe.cfg
+++ /dev/null
@@ -1,223 +0,0 @@ -############################################################################# -# Sample NRPE Config File -# Written by: Ethan Galstad (nagios@nagios.org) -# -# Last Modified: 11-23-2007 -# -# NOTES: -# This is a sample configuration file for the NRPE daemon. It needs to be -# located on the remote host that is running the NRPE daemon, not the host -# from which the check_nrpe client is being executed. -############################################################################# - - -# LOG FACILITY -# The syslog facility that should be used for logging purposes. - -log_facility=daemon - - - -# PID FILE -# The name of the file in which the NRPE daemon should write it's process ID -# number. The file is only written if the NRPE daemon is started by the root -# user and is running in standalone mode. - -pid_file=/var/run/nrpe/nrpe.pid - - - -# PORT NUMBER -# Port number we should wait for connections on. -# NOTE: This must be a non-priviledged port (i.e. > 1024). -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - -server_port=5666 - - - -# SERVER ADDRESS -# Address that nrpe should bind to in case there are more than one interface -# and you do not want nrpe to bind on all interfaces. -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - -#server_address=127.0.0.1 - - - -# NRPE USER -# This determines the effective user that the NRPE daemon should run as. -# You can either supply a username or a UID. -# -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - -nrpe_user=nrpe - - - -# NRPE GROUP -# This determines the effective group that the NRPE daemon should run as. -# You can either supply a group name or a GID. -# -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - -nrpe_group=nrpe - - - -# ALLOWED HOST ADDRESSES -# This is an optional comma-delimited list of IP address or hostnames -# that are allowed to talk to the NRPE daemon. 
Network addresses with a bit mask -# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently -# supported. -# -# Note: The daemon only does rudimentary checking of the client's IP -# address. I would highly recommend adding entries in your /etc/hosts.allow -# file to allow only the specified host to connect to the port -# you are running this daemon on. -# -# NOTE: This option is ignored if NRPE is running under either inetd or xinetd - - -allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35 - - - -# COMMAND ARGUMENT PROCESSING -# This option determines whether or not the NRPE daemon will allow clients -# to specify arguments to commands that are executed. This option only works -# if the daemon was configured with the --enable-command-args configure script -# option. -# -# *** ENABLING THIS OPTION IS A SECURITY RISK! *** -# Read the SECURITY file for information on some of the security implications -# of enabling this variable. -# -# Values: 0=do not allow arguments, 1=allow command arguments - -dont_blame_nrpe=0 - - - -# COMMAND PREFIX -# This option allows you to prefix all commands with a user-defined string. -# A space is automatically added between the specified prefix string and the -# command line from the command definition. -# -# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** -# Usage scenario: -# Execute restricted commmands using sudo. For this to work, you need to add -# the nagios user to your /etc/sudoers. An example entry for alllowing -# execution of the plugins from might be: -# -# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ -# -# This lets the nagios user run all commands in that directory (and only them) -# without asking for a password. If you do this, make sure you don't give -# random users write access to that directory or its contents! 
- -# command_prefix=/usr/bin/sudo - - - -# DEBUGGING OPTION -# This option determines whether or not debugging messages are logged to the -# syslog facility. -# Values: 0=debugging off, 1=debugging on - -debug=0 - - - -# COMMAND TIMEOUT -# This specifies the maximum number of seconds that the NRPE daemon will -# allow plugins to finish executing before killing them off. - -command_timeout=60 - - - -# CONNECTION TIMEOUT -# This specifies the maximum number of seconds that the NRPE daemon will -# wait for a connection to be established before exiting. This is sometimes -# seen where a network problem stops the SSL being established even though -# all network sessions are connected. This causes the nrpe daemons to -# accumulate, eating system resources. Do not set this too low. - -connection_timeout=300 - - - -# WEEK RANDOM SEED OPTION -# This directive allows you to use SSL even if your system does not have -# a /dev/random or /dev/urandom (on purpose or because the necessary patches -# were not applied). The random number generator will be seeded from a file -# which is either a file pointed to by the environment valiable $RANDFILE -# or $HOME/.rnd. If neither exists, the pseudo random number generator will -# be initialized and a warning will be issued. -# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness - -#allow_weak_random_seed=1 - - - -# INCLUDE CONFIG FILE -# This directive allows you to include definitions from an external config file. - -#include= - - - -# INCLUDE CONFIG DIRECTORY -# This directive allows you to include definitions from config files (with a -# .cfg extension) in one or more directories (with recursion). - -include_dir=/etc/nrpe.d/ - - - -# COMMAND DEFINITIONS -# Command definitions that this daemon will run. Definitions -# are in the following format: -# -# command[]= -# -# When the daemon receives a request to return the results of -# it will execute the command specified by the argument. 
-# -# Unlike Nagios, the command line cannot contain macros - it must be -# typed exactly as it should be executed. -# -# Note: Any plugins that are used in the command lines must reside -# on the machine that this daemon is running on! The examples below -# assume that you have plugins installed in a /usr/local/nagios/libexec -# directory. Also note that you will have to modify the definitions below -# to match the argument format the plugins expect. Remember, these are -# examples only! - - -# The following examples use hardcoded command arguments... - -command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10 -command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 -command[check_hda1]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1 -command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z -command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w {{ nrpe_procs_warn }} -c {{ nrpe_procs_crit }} - - -# The following examples allow user-supplied arguments and can -# only be used if the NRPE daemon was compiled with support for -# command arguments *AND* the dont_blame_nrpe directive in this -# config file is set to '1'. This poses a potential security risk, so -# make sure you read the SECURITY file before doing this. - -#command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$ -#command[check_load]=/usr/lib64/nagios/plugins/check_load -w $ARG1$ -c $ARG2$ -#command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -#command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ - - -# NEVER ADD ANYTHING HERE - ANY ENTRIES TO NRPE SHOULD BE in .cfg files in /etc/nrpe.d/ - -# NEVER NEVER NEVER -# diff --git a/files/nagios/client/scripts/check_lock b/files/nagios/client/scripts/check_lock deleted file mode 100755 index 1a58e95ef..000000000 --- a/files/nagios/client/scripts/check_lock +++ /dev/null 
@@ -1,17 +0,0 @@ -#!/usr/bin/python - -import fcntl -import sys - -try: - f = open('/mnt/koji/.nagios_test', 'r') - f.close() - f = open('/mnt/koji/.nagios_test', 'w') -except IOError: - print "Could not create file" - sys.exit(2) - -fcntl.flock(f, fcntl.LOCK_EX) -f.close() -print "File Locked Successfully" -sys.exit(0) diff --git a/files/nagios/client/scripts/check_postfix_queue b/files/nagios/client/scripts/check_postfix_queue deleted file mode 100755 index 44ab4445f..000000000 --- a/files/nagios/client/scripts/check_postfix_queue +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/bash -# -# 19-07-2010 -# Author: Cherwin Nooitmeer -# - -# exit codes -e_ok=0 -e_warning=1 -e_critical=2 -e_unknown=3 - -# regular expression that matches queue IDs (e.g. D71EF7AC80F8) -queue_id='^[A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]' - -usage="Invalid command line usage" - -if [ -z $1 ]; then - echo $usage - exit $e_unknown -fi - -while getopts ":w:c:" options -do - case $options in - w ) warning=$OPTARG ;; - c ) critical=$OPTARG ;; - * ) echo $usage - exit $e_unknown ;; - esac -done - -# determine queue size -qsize=$(mailq | egrep -c $queue_id) -if [ -z $qsize ] -then - exit $e_unknown -fi - -if [ $qsize -ge $critical ]; then - retval=$e_critical -elif [ $qsize -ge $warning ]; then - retval=$e_warning -elif [ $qsize -lt $warning ]; then - retval=$e_ok -fi - -echo "$qsize mail(s) in queue | mail_queue=$qsize" -exit $retval diff --git a/files/nagios/client/scripts/check_raid.py b/files/nagios/client/scripts/check_raid.py deleted file mode 100755 index 48cddd93d..000000000 --- a/files/nagios/client/scripts/check_raid.py +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/usr/bin/env python -# -# very simple python script to parse out /proc/mdstat -# and give results for nagios to monitor -# - -import sys -import string - -devices = [] - -try: - mdstat = string.split(open('/proc/mdstat').read(), '\n') -except IOError: - # seems we have no software raid on this machines - sys.exit(0) - -error = "" -i = 0 -for line in mdstat: - if line[0:2] == 'md': - device = string.split(line)[0] - devices.append(device) - status = string.split(mdstat[i+1])[3] - if string.count(status, "_"): - # see if we can figure out what's going on - err = string.split(mdstat[i+2]) - msg = "device=%s status=%s" % (device, status) - if len(err) > 0: - msg = msg + " rebuild=%s" % err[0] - - if not error: - error = msg - else: - error = error + ", " + msg - i = i + 1 - -if not error: - print "DEVICES %s OK" % " ".join(devices) - sys.exit(0) - -else: - print error - sys.exit(2) - diff --git a/files/rkhunter/rkhunter.conf.j2 b/files/rkhunter/rkhunter.conf.j2 deleted file mode 100644 index 705517580..000000000 --- a/files/rkhunter/rkhunter.conf.j2 +++ /dev/null 
@@ -1,590 +0,0 @@ -# -# This is the configuration file for Rootkit Hunter. -# -# Please modify it to your own requirements. -# Please review the documentation before posting bug reports or questions. -# To report bugs, obtain updates, or provide patches or comments, please go to: -# http://rkhunter.sourceforge.net -# -# To ask questions about rkhunter, please use the rkhunter-users mailing list. -# Note this is a moderated list: please subscribe before posting. -# -# Lines beginning with a hash (#), and blank lines, will be ignored. -# -# Most of the following options need only be specified once. If -# they appear more than once, then the last one seen will be used. -# Some options are allowed to appear more than once, and the text -# describing the option will say if this is so. -# - -# -# If this option is set to 1, it specifies that the mirrors file, which -# is used when the '--update' and '--versioncheck' options are used, is -# to be rotated. Rotating the entries in the file allows a basic form -# of load-balancing between the mirror sites whenever the above options -# are used. -# If the option is set to 0, then the mirrors will be treated as if in -# a priority list. That is, the first mirror will always be used. The -# second mirror will only be used if the first mirror fails, then the -# third mirror will be used if the second fails and so on. -# - -ROTATE_MIRRORS=1 - -# -# If this option is set to 1, it specifies that when the '--update' -# option is used, then the mirrors file is to be checked for updates -# as well. If the current mirrors file contains any local mirrors, -# these will be prepended to the updated file. -# If this option is set to 0, the mirrors file can only be updated -# manually. This may be useful if only using local mirrors. -# -UPDATE_MIRRORS=1 - -# -# The MIRRORS_MODE option tells rkhunter which mirrors are to be -# used when the '--update' or '--versioncheck' command-line options -# are given. 
Possible values are: -# 0 - use any mirror (the default) -# 1 - only use local mirrors -# 2 - only use remote mirrors -# -# Local and remote mirrors can be defined in the mirrors.dat file -# by using the 'local=' and 'remote=' keywords respectively. -# -MIRRORS_MODE=0 - -# -# Email a message to this address if a warning is found when the -# system is being checked. Multiple addresses may be specified -# simply be separating them with a space. -# -MAIL-ON-WARNING="" - -# -# Specify the mail command to use if MAIL-ON-WARNING is set. -# NOTE: Double quotes are not required around the command, but -# are required around the subject line if it contains spaces. -# -MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" - -# -# Specify the temporary directory to use. -# -# NOTE: Do not use /tmp as your temporary directory. Some -# important files will be written to this directory, so be -# sure that the directory permissions are tight. -# -TMPDIR=/var/lib/rkhunter - -# -# Specify the database directory to use. -# -DBDIR=/var/lib/rkhunter/db - -# -# Specify the script directory to use. -# -SCRIPTDIR=/usr/share/rkhunter/scripts - -# -# Specify the root directory to use. -# -#ROOTDIR="" - -# -# Specify the command directories to be checked. This is a -# space-separated list of directories. -# -BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec" - -# -# Specify the language to use. This should be similar -# to the ISO 639 language code. -# -# NOTE: Please ensure that the language you specify is supported. -# For a list of supported languages use the following command: -# -# rkhunter --lang en --list languages -# -#LANGUAGE=en - -# -# Specify the log file pathname. -# -LOGFILE=/var/log/rkhunter/rkhunter.log - -# -# Set the following option to 1 if the log file is to be appended to -# whenever rkhunter is run. 
-# - - -# -# Set the following option to enable the rkhunter check start and finish -# times to be logged by syslog. Warning messages will also be logged. -# The value of the option must be a standard syslog facility and -# priority, separated by a dot. -# -# For example: USE_SYSLOG=authpriv.warning -# -# Setting the value to 'none', or just leaving the option commented out, -# disables the use of syslog. -# -USE_SYSLOG=authpriv.notice - -# -# Set the following option to 1 if the second colour set is to be used. -# This can be useful if your screen uses black characters on a white -# background (for example, a PC instead of a server). -# -COLOR_SET2=0 - -# -# Set the following option to 0 if rkhunter should not detect if X is -# being used. If X is detected as being used, then the second colour -# set will automatically be used. -# -AUTO_X_DETECT=1 - -# -# The following option is checked against the SSH configuration file -# 'PermitRootLogin' option. A warning will be displayed if they do not -# match. However, if a value has not been set in the SSH configuration -# file, then a value here of 'yes' or 'unset' will not cause a warning. -# This option has a default value of 'no'. -# -ALLOW_SSH_ROOT_USER=without-password - -# -# Set this option to '1' to allow the use of the SSH-1 protocol, but note -# that theoretically it is weaker, and therefore less secure, than the -# SSH-2 protocol. Do not modify this option unless you have good reasons -# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 -# authentication). If the 'Protocol' option has not been set in the SSH -# configuration file, then a value of '2' may be set here in order to -# suppress a warning message. This option has a default value of '0'. -# -ALLOW_SSH_PROT_V1=0 - -# -# This setting tells rkhunter the directory containing the SSH configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. 
-# -#SSH_CONFIG_DIR=/etc/ssh - -# -# These two options determine which tests are to be performed. -# The ENABLE_TESTS option can use the word 'all' to refer to all the -# available tests. The DISABLE_TESTS option can use the word 'none' to -# mean that no tests are disabled. The list of disabled tests is applied to -# the list of enabled tests. Both options are space-separated lists of test -# names. The currently available test names can be seen by using the command -# 'rkhunter --list tests'. -# -# The program defaults are to enable all tests and disable none. However, if -# either option is specified in this file, then it overrides the program -# default. The supplied rkhunter.conf file has some tests already disabled, -# and these are tests that will be used only incidentally, can be considered -# "advanced" or those that are prone to produce more than the "average" number -# of "false positives". -# -# Please read the README file for more details about enabling and disabling -# tests, the test names, and how rkhunter behaves when these options are used. -# -ENABLE_TESTS="all" -DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" - -# -# The HASH_FUNC option can be used to specify the command to use -# for the file hash value check. It can be specified as just -# the command name or the full pathname. Systems using prelinking -# are restricted to using either SHA1 or MD5 functions. To get rkhunter -# to look for the sha1(sum)/md5(sum) command, or to use the supplied -# perl scripts, simply specify this option as 'SHA1' or 'MD5' in -# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found. -# -# A value of 'NONE' (in uppercase) can be specified to indicate that -# no hash function should be used. Rootkit Hunter will detect this and -# automatically disable the file hash checks. 
-# -# Examples: -# For Solaris 9 : HASH_FUNC=gmd5sum -# For Solaris 10: HASH_FUNC=sha1sum -# For AIX (>5.2): HASH_FUNC="csum -hMD5" -# For NetBSD : HASH_FUNC="cksum -a sha512" -# -# NOTE: If the hash function is changed then you MUST run rkhunter with -# the '--propupd' option to rebuild the file properties database. -# -HASH_FUNC=sha1sum - -# -# The HASH_FLD_IDX option specifies which field from the HASH_FUNC -# command output contains the hash value. The fields are assumed to -# be space-separated. The default value is one, but for *BSD users -# rkhunter will, by default, use a value of 4 if the HASH_FUNC option -# has not been set. The option value must be a positive integer. -# -#HASH_FLD_IDX=4 - -# -# The PKGMGR option tells rkhunter to use the specified package manager -# to obtain the file property information. This is used when updating -# the file properties file 'rkhunter.dat', and when running the file -# properties check. For RedHat/RPM-based systems, 'RPM' can be used -# to get information from the RPM database. For Debian-based systems -# 'DPKG' can be used, and for *BSD systems 'BSD' can be used. -# No value, or a value of 'NONE', indicates that no package manager -# is to be used. The default is 'NONE'. -# -# The current package managers store the file hash values using an -# MD5 hash function. -# -# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. -# The 'RPM' package manager additionally provides values for the inode, -# file permissions, uid, gid and other values. -# -# For any file not part of a package, rkhunter will revert to using -# the HASH_FUNC hash function instead. -# -PKGMGR=RPM - -# -# Whitelist various attributes of the specified files. -# The attributes are those of the 'attributes' test. -# Specifying a file name here does not include it being -# whitelisted for the write permission test below. -# One command per line (use multiple ATTRWHITELIST lines). 
-# -#ATTRWHITELIST=/bin/ps - -# -# Allow the specified commands to have the 'others' -# (world) permission have the write-bit set. -# -# For example, files with permissions r-xr-xrwx -# or rwxrwxrwx. -# -# One command per line (use multiple WRITEWHITELIST lines). -# -#WRITEWHITELIST=/bin/ps - -# -# Allow the specified commands to be scripts. -# One command per line (use multiple SCRIPTWHITELIST lines). -# -#SCRIPTWHITELIST=/sbin/ifup -#SCRIPTWHITELIST=/sbin/ifdown -#SCRIPTWHITELIST=/usr/bin/groups - -# -# Allow the specified commands to have the immutable attribute set. -# One command per line (use multiple IMMUTWHITELIST lines). -# -#IMMUTWHITELIST=/sbin/ifup - -# -# Allow the specified hidden directories. -# One directory per line (use multiple ALLOWHIDDENDIR lines). -# -ALLOWHIDDENDIR=/dev/.udev -ALLOWHIDDENDIR=/dev/.mdadm -ALLOWHIDDENDIR=/dev/.systemd -ALLOWHIDDENDIR=/dev/.mount -ALLOWHIDDENDIR=/dev/.udevdb -ALLOWHIDDENDIR=/dev/.udev.tdb -ALLOWHIDDENDIR=/dev/.udev/db -ALLOWHIDDENDIR=/dev/.udev/rules.d - -# -# Allow the specified hidden files. -# One file per line (use multiple ALLOWHIDDENFILE lines). -# -ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz -ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac -ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac -ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac -ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac -ALLOWHIDDENFILE=/usr/bin/.ssh.hmac -ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac -ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac -ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz -ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz -ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac -ALLOWHIDDENFILE=/dev/.udev/queue.bin -ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum - -# -# Allow the specified processes to use deleted files. -# One process per line (use multiple ALLOWPROCDELFILE lines). 
-# -#ALLOWPROCDELFILE=/sbin/cardmgr -#ALLOWPROCDELFILE=/usr/sbin/gpm -#ALLOWPROCDELFILE=/usr/libexec/gconfd-2 -#ALLOWPROCDELFILE=/usr/sbin/mysqld - -# -# Allow the specified processes to listen on any network interface. -# One process per line (use multiple ALLOWPROCLISTEN lines). -# -#ALLOWPROCLISTEN=/sbin/dhclient -#ALLOWPROCLISTEN=/usr/bin/dhcpcd -#ALLOWPROCLISTEN=/usr/sbin/pppoe -#ALLOWPROCLISTEN=/usr/sbin/tcpdump -#ALLOWPROCLISTEN=/usr/sbin/snort-plain -#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant - -# -# SCAN_MODE_DEV governs how we scan /dev for suspicious files. -# The two allowed options are: THOROUGH or LAZY. -# If commented out we do a THOROUGH scan which will increase the runtime. -# Even though this adds to the running time it is highly recommended to -# leave it like this. -# -#SCAN_MODE_DEV=THOROUGH - -# -# Allow the specified files to be present in the /dev directory, -# and not regarded as suspicious. One file per line (use multiple -# ALLOWDEVFILE lines). -# -#ALLOWDEVFILE=/dev/abc -#ALLOWDEVFILE=/dev/shm/pulse-shm-* -ALLOWDEVFILE=/dev/shm/sem.slapd-FEDORAPROJECT-ORG.stats -ALLOWDEVFILE=/dev/md/md-device-map -ALLOWDEVFILE=/dev/.udev/queue.bin -ALLOWDEVFILE=/dev/.udev/db/* -ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules -ALLOWDEVFILE=/dev/.udev/uevent_seqnum -ALLOWDEVFILE=/dev/md/autorebuild.pid - -# -# This setting tells rkhunter where the inetd configuration -# file is located. -# -#INETD_CONF_PATH=/etc/inetd.conf - -# -# Allow the following enabled inetd services. -# Only one service per line (use multiple INETD_ALLOWED_SVC lines). -# -# Below are some Solaris 9 and 10 services that may want to be whitelisted. 
-# -#INETD_ALLOWED_SVC=echo -#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd -#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto -#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd -#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad -#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd -#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd -#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd -#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd -#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd -#INETD_ALLOWED_SVC=/usr/lib/gss/gssd -#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader -#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd -#INETD_ALLOWED_SVC=/network/rpc/mdcomm -#INETD_ALLOWED_SVC=/network/rpc/meta -#INETD_ALLOWED_SVC=/network/rpc/metamed -#INETD_ALLOWED_SVC=/network/rpc/metamh -#INETD_ALLOWED_SVC=/network/security/ktkt_warn -#INETD_ALLOWED_SVC=/application/x11/xfs -#INETD_ALLOWED_SVC=/application/print/rfc1179 -#INETD_ALLOWED_SVC=/application/font/stfsloader -#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord -#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp -#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp - -# -# This setting tells rkhunter where the xinetd configuration -# file is located. -# -#XINETD_CONF_PATH=/etc/xinetd.conf - -# -# Allow the following enabled xinetd services. Whilst it would be -# nice to use the service names themselves, at the time of testing -# we only have the pathname available. As such, these entries are -# the xinetd file pathnames. -# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines). -# -XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync -XINETD_ALLOWED_SVC=/etc/xinetd.d/cvspserver -XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp -XINETD_ALLOWED_SVC=/etc/xinetd.d/git-server -XINETD_ALLOWED_SVC=/etc/xinetd.d/git -XINETD_ALLOWED_SVC=/etc/xinetd.d/bzr-server - -# -# This setting tells rkhunter the local system startup file pathnames. -# More than one file may be present on the system, and so this option -# can be a space-separated list. 
This setting will be worked out by -# rkhunter, and so should not usually need to be set. -# -# If the system uses a directory of local startup scripts, then rather -# that setting all the file names here, leave this setting blank, and -# specify the directory name in SYSTEM_RC_DIR instead. -# -# If the system does not use a local startup script at all, then this -# setting can be set to 'none'. Without this, rkhunter would give a -# warning that no local startup script could be found. -# -#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit" - -# -# This setting tells rkhunter the local system startup file directory. -# This setting will be worked out by rkhunter, and so should not usually -# need to be set. -# -#SYSTEM_RC_DIR=/etc/rc.d - -# -# This setting tells rkhunter the pathname to the file containing the -# user account passwords. This setting will be worked out by rkhunter, -# and so should not usually need to be set. -# -PASSWORD_FILE=/etc/shadow - -# -# Allow the following accounts to be root equivalent. These accounts -# will have a UID value of zero. This option is a space-separated list -# of account names. The 'root' account does not need to be listed as it -# is automatically whitelisted. -# -# Note: For *BSD systems you may need to enable this for the 'toor' account. -# -#UID0_ACCOUNTS="toor rooty" - -# -# Allow the following accounts to have no password. This option is a -# space-separated list of account names. NIS/YP entries do not need to -# be listed as they are automatically whitelisted. -# -#PWDLESS_ACCOUNTS="abc" - -# -# This setting tells rkhunter the pathname to the syslog configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. -# -#SYSLOG_CONFIG_FILE=/etc/syslog.conf - -# -# This option permits the use of syslog remote logging. -# -ALLOW_SYSLOG_REMOTE_LOGGING=1 - -# -# Allow the following applications, or a specific version of an application, -# to be whitelisted. 
This option is a space-separated list consisting of the -# application names. If a specific version is to be whitelisted, then the -# name must be followed by a colon and then the version number. -# -# For example: APP_WHITELIST="openssl:0.9.7d gpg" -# -APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1" - -# -# Scan for suspicious files in directories containing temporary files and -# directories posing a relatively higher risk due to user write access. -# Please do not enable by default as suspscan is CPU and I/O intensive and prone to -# producing false positives. Do review all settings before usage. -# Also be aware that running suspscan in combination with verbose logging on, -# RKH's default, will show all ignored files. -# Please consider adding all directories the user the (web)server runs as has -# write access to including the document root (example: "/var/www") and log -# directories (example: "/var/log/httpd"). -# -# A space-separated list of directories to scan. -# -SUSPSCAN_DIRS="/tmp /var/tmp" - -# -# Directory for temporary files. A memory-based one is better (faster). -# Do not use a directory name that is listed in SUSPSCAN_DIRS. -# Please make sure you have a tempfs mounted and the directory exists. -# -SUSPSCAN_TEMP=/dev/shm - -# -# Maximum filesize in bytes. Files larger than this will not be inspected. -# Do make sure you have enough space left in your temporary files directory. -# -SUSPSCAN_MAXSIZE=10240000 - -# -# Score threshold. Below this value no hits will be reported. -# A value of "200" seems "good" after testing on malware. Please adjust -# locally if necessary. -# -SUSPSCAN_THRESH=200 - -# -# The following option can be used to whitelist network ports which -# are known to have been used by malware. The option is a space- -# separated list of one or more of three types of whitelisting. -# These are: -# -# 1) a 'protocol:port' pair (e.g. 
TCP:25) -# 2) a pathname to an executable (e.g. /usr/sbin/squid) -# 3) an asterisk ('*') -# -# Only the UDP or TCP protocol may be specified, and the port number -# must be between 1 and 65535 inclusive. -# -# The asterisk can be used to indicate that any executable in a trusted -# path directory will be whitelisted. A trusted path directory is one which -# rkhunter uses to locate commands. It is composed of the root PATH -# environment variable, and the BINDIR command-line or configuration -# file option. -# -# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" -# -#PORT_WHITELIST="" - -# -# The following option can be used to tell rkhunter where the operating -# system 'release' file is located. This file contains information -# specifying the current O/S version. RKH will store this information -# itself, and check to see if it has changed between each run. If it has -# changed, then the user is warned that RKH may issue warning messages -# until RKH has been run with the '--propupd' option. -# -# Since the contents of the file vary according to the O/S distribution, -# RKH will perform different actions when it detects the file itself. As -# such, this option should not be set unless necessary. If this option is -# specified, then RKH will assume the O/S release information is on the -# first non-blank line of the file. -# -# {{ ansible_distribution|lower }} -OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release - -# -# The following two options can be used to whitelist files and directories -# that would normally be flagged with a warning during the rootkit checks. -# If the file or directory name contains a space, then the percent character -# ('%') must be used instead. Only existing files and directories can be -# specified. -# -#RTKT_DIR_WHITELIST="" -#RTKT_FILE_WHITELIST="" - -# -# To force rkhunter to use the supplied script for the 'stat' or 'readlink' -# command, then the following two options can be used. 
The value must be -# set to 'BUILTIN'. -# -# NOTE: IRIX users will probably need to enable STAT_CMD. -# -#STAT_CMD=BUILTIN -#READLINK_CMD=BUILTIN - -INSTALLDIR=/usr -SCRIPTWHITELIST=/usr/bin/whatis -SCRIPTWHITELIST=/usr/bin/ldd -SCRIPTWHITELIST=/usr/bin/groups -SCRIPTWHITELIST=/usr/bin/GET -SCRIPTWHITELIST=/sbin/ifup -SCRIPTWHITELIST=/sbin/ifdown diff --git a/files/rkhunter/rkhunter.sysconfig b/files/rkhunter/rkhunter.sysconfig deleted file mode 100644 index 0c463db71..000000000 --- a/files/rkhunter/rkhunter.sysconfig +++ /dev/null @@ -1,11 +0,0 @@ -# System configuration file for Rootkit Hunter which -# stores RPM system specifics for cron run, etc. -# -# MAILTO= -# DIAG_SCAN= no - perform normal report scan -# yes - perform detailed report scan -# (includes application check) - -MAILTO=smooge@fedoraproject.org,kevin@fedoraproject.org -DIAG_SCAN=no - diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 805ee4e11..23aa481c3 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -26,9 +26,6 @@ - name: restart crond action: service name=crond state=restarted -- name: restart denyhosts - action: service name=denyhosts state=restarted - - name: restart httpd action: service name=httpd state=restarted @@ -59,9 +56,6 @@ - name: restart nfslock action: service name=nfslock state=restarted -- name: restart nrpe - action: service name=nrpe state=restarted - - name: restart ntpd action: service name=ntpd state=restarted @@ -71,9 +65,6 @@ - name: restart postfix action: service name=postfix state=restarted -- name: restart postgresql - service: name=postgresql state=restarted - - name: restart rpcbind action: service name=rpcbind state=restarted 
@@ -92,11 +83,7 @@ - name: restart sshd action: service name=sshd state=restarted -- name: restart supervisord - action: service name=supervisord state=restarted - - name: restart xinetd action: service name=xinetd state=restarted -- name: run fasclient - action: command /usr/bin/fasClient -i + diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml index efdc0faaf..fa02fa42d 100644 --- a/playbooks/groups/arm-packager.yml +++ b/playbooks/groups/arm-packager.yml @@ -11,17 +11,19 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - fas_client + tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml index af789b28a..3f281af25 100644 --- a/playbooks/groups/arm-qa.yml +++ b/playbooks/groups/arm-qa.yml @@ -11,17 +11,19 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - fas_client + tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/arm-releng.yml b/playbooks/groups/arm-releng.yml index d2f32129b..3858ee9b7 100644 --- a/playbooks/groups/arm-releng.yml +++ b/playbooks/groups/arm-releng.yml 
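Review bot: Removing the `run fasclient` handler here (and `restart denyhosts`, `restart nrpe`, `restart postgresql`, `restart supervisord` in the earlier hunks of this file) is only safe if nothing outside the new roles still notifies them; the playbooks in this commit keep including shared task files such as `$tasks/2fa_client.yml` and `$tasks/sudo.yml`, and in current Ansible releases a `notify:` naming a handler that no longer exists fails the play at runtime. Worth grepping the remaining `tasks/*.yml` for `notify:` of these five names before merging, and confirming each role ships its own handler under `roles/<name>/handlers/main.yml`. The trailing `+` adds an empty line at the end of the file; it should be dropped.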
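Review bot: Ansible executes a play's `roles:` before its `tasks:`, so after this hunk the `rkhunter`, `denyhosts` and `fas_client` roles run before `$tasks/hosts.yml`, `$tasks/yumrepos.yml` and `$tasks/base.yml`, whereas the removed includes ran after `base.yml`. On a freshly provisioned host any package install or bastion/hosts-file dependency inside those roles would now hit the stock repos and `/etc/hosts`. Either keep the three bootstrap includes in a `pre_tasks:` section (`pre_tasks:` / `  - include: $tasks/hosts.yml` / `  - include: $tasks/yumrepos.yml` / `  - include: $tasks/base.yml`) or confirm the roles are self-sufficient. The identical ordering change appears in arm-qa.yml below and in every other playbook in this commit that gained a `roles:` block.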
@@ -10,9 +10,10 @@ - /srv/web/infra/ansible/vars/global.yml - ${private}/vars.yml + roles: + - fas_client + tasks: - # This task sets up fas_client for user management - - include: $tasks/fas_client.yml # This task sets up /etc/hosts for us - include: $tasks/hosts.yml # This task includes our common scripts diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml index 965c8cb47..90a4dd46b 100644 --- a/playbooks/groups/backup-server.yml +++ b/playbooks/groups/backup-server.yml @@ -13,18 +13,19 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml - tasks: + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml - include: $tasks/mysql_server.yml - include: $tasks/bacula_server.yml - include: $tasks/rdiff_backup_server.yml diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml index 77514dd7f..696cf0943 100644 --- a/playbooks/groups/badges-backend.yml +++ b/playbooks/groups/badges-backend.yml @@ -29,17 +29,19 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml - include: $tasks/openvpn_client.yml only_if: "'$env' != 'staging'" - include: $tasks/fedmsg_base.yml diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml index c93eb85da..41a70f2a9 100644 
--- a/playbooks/groups/badges-web.yml +++ b/playbooks/groups/badges-web.yml @@ -32,17 +32,19 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml - include: $tasks/openvpn_client.yml only_if: "'$env' != 'staging'" - include: $tasks/fedmsg_base.yml diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml index ddd2dd215..6296bd247 100644 --- a/playbooks/groups/beaker.yml +++ b/playbooks/groups/beaker.yml @@ -28,19 +28,21 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/collectd/client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml index 596ce8b68..17e1961c3 100644 --- a/playbooks/groups/gallery.yml +++ b/playbooks/groups/gallery.yml 
@@ -29,17 +29,19 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml - include: $tasks/fedmsg_base.yml - include: $tasks/apache.yml diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/groups/kernel-qa.yml index b08ebe32b..b46335ab8 100644 --- a/playbooks/groups/kernel-qa.yml +++ b/playbooks/groups/kernel-qa.yml @@ -12,18 +12,20 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml handlers: diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml index d8a4ba7a3..9c1c29693 100644 --- a/playbooks/groups/keyserver.yml +++ b/playbooks/groups/keyserver.yml @@ -29,17 +29,19 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml - include: $tasks/fedmsg_base.yml - include: $tasks/apache.yml - include: $tasks/keyserver.yml 
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index 4d26766d9..1cf81954a 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml @@ -30,17 +30,19 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml - include: $tasks/collectd/client.yml - include: $tasks/koji/koji_hub.yml diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index d85eab8e6..bea5f2319 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -28,19 +28,21 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/collectd/client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml index a6bc4d1e6..f824d6b55 100644 --- a/playbooks/groups/mirrorlist.yml +++ b/playbooks/groups/mirrorlist.yml 
@@ -38,24 +38,26 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - geoip + - fas_client + - mirrorlist + tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/collectd/client.yml - include: $tasks/openvpn_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml - include: $tasks/apache.yml - include: $tasks/mod_wsgi.yml - - include: $tasks/geoip.yml - - include: $tasks/mirrorlist.yml handlers: diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml index d95801dd7..bb33a360f 100644 --- a/playbooks/groups/postgresl-server.yml +++ b/playbooks/groups/postgresl-server.yml @@ -30,20 +30,21 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml - tasks: + roles: + - rkhunter + - denyhosts + - nagios_client + - postgresql_server + - fas_client + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml - include: $tasks/collectd/client.yml - - include: $tasks/postgresql_server.yml # TODO: add iscsi task diff --git a/playbooks/groups/releng.yml b/playbooks/groups/releng.yml index 649cfbbc5..f6428405a 100644 --- a/playbooks/groups/releng.yml +++ b/playbooks/groups/releng.yml 
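Review bot: The `geoip` and `mirrorlist` roles now execute before `$tasks/apache.yml` and `$tasks/mod_wsgi.yml`, reversing the previous order in which `geoip.yml` and `mirrorlist.yml` ran last. The diffstat shows `mirrorlist-server.conf` and `supervisord.conf` moving into the role; if that role drops httpd configuration into place or notifies `restart httpd`, it will now run before httpd and mod_wsgi are installed on a new mirrorlist host. Make the dependency explicit: either move `apache.yml` and `mod_wsgi.yml` (with `hosts.yml`, `yumrepos.yml`, `base.yml`) into a `pre_tasks:` section, or turn them into roles listed ahead of `mirrorlist` and declare them in `roles/mirrorlist/meta/main.yml` under `dependencies:`.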
@@ -31,10 +31,12 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - nagios_client + tasks: - include: $tasks/koji/releng_config.yml - include: $tasks/motd.yml - - include: $tasks/nagios_client.yml handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/sign.yml b/playbooks/groups/sign.yml index c287286cd..1c5c64d20 100644 --- a/playbooks/groups/sign.yml +++ b/playbooks/groups/sign.yml @@ -19,9 +19,11 @@ tasks: - include: $tasks/base.yml - include: $tasks/serialgetty.yml - - include: $tasks/rkhunter.yml - include: $tasks/motd.yml - include: $tasks/sign_setup.yml + roles: + - rkhunter + handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/taskbot.yml b/playbooks/groups/taskbot.yml index 5c4e24ab9..eab5ae91e 100644 --- a/playbooks/groups/taskbot.yml +++ b/playbooks/groups/taskbot.yml @@ -28,19 +28,21 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: # this is how you include other task lists - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/collectd/client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml index 5d5b22c01..ab93d9071 100644 --- a/playbooks/groups/virthost.yml +++ b/playbooks/groups/virthost.yml 
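Review bot: Placing `roles:` after `tasks:` in sign.yml reads as if rkhunter runs last, but Ansible executes roles before tasks regardless of key order, so the `rkhunter` role now runs before `$tasks/base.yml` and `$tasks/serialgetty.yml` while the old include ran after `base.yml`. For a signing host that ordering should be deliberate, and the file should not mislead the next reader. Move the two lines `roles:` / `  - rkhunter` above `tasks:` to match every other playbook in this commit, and if rkhunter must genuinely run after base setup, keep it as a task include or put the base steps in `pre_tasks:`.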
@@ -12,18 +12,19 @@ - ${private}/vars.yml - ${vars}/${ansible_distribution}.yml - tasks: + roles: + - rkhunter + - denyhosts + - nagios_client + - fas_client + tasks: - include: $tasks/hosts.yml - include: $tasks/yumrepos.yml - include: $tasks/base.yml - - include: $tasks/fas_client.yml - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/rkhunter.yml - - include: $tasks/denyhosts.yml - - include: $tasks/nagios_client.yml - include: $tasks/collectd/client.yml - include: $tasks/virthost.yml diff --git a/playbooks/rkhunter_update.yml b/playbooks/rkhunter_update.yml index a47d6bf26..c69ea645e 100644 --- a/playbooks/rkhunter_update.yml +++ b/playbooks/rkhunter_update.yml @@ -6,20 +6,20 @@ tasks: - name: expire-caches - action: command yum clean expire-cache + command: yum clean expire-cache - name: yum -y ${yumcommand} - action: command yum -y ${yumcommand} + command: yum -y ${yumcommand} async: 7200 poll: 15 - name: check for rkhunter - action: command /usr/bin/test -f /usr/bin/rkhunter + command: /usr/bin/test -f /usr/bin/rkhunter register: rkhunter ignore_errors: true - name: run rkhunter --propupd - action: command /usr/bin/rkhunter --propupd + command: /usr/bin/rkhunter --propupd when: rkhunter|success diff --git a/roles/denyhosts/files/allowed-hosts b/roles/denyhosts/files/allowed-hosts new file mode 100644 index 000000000..f5a88b7b0 --- /dev/null +++ b/roles/denyhosts/files/allowed-hosts @@ -0,0 +1,27 @@ +# We mustn't block localhost +127.0.0.1 + +#bastion +10.5.126.11 +10.5.126.12 +#lockbox +10.5.126.23 +# don't block lockbox's remote addr, either +209.132.181.6 + +#noc1 +noc1.phx2.fedoraproject.org +10.5.126.41 +192.168.1.10 + +# RDU NAT +66.187.233.202 +66.187.233.206 +# RH NAT +66.187.230.200 +# PHX2 NAT +209.132.181.102 +# tlv RHT NAT +66.187.237.10 +# brno RHT NAT +209.132.186.34 
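Review bot: `rkhunter --propupd` re-baselines the file-properties database from whatever is on disk, so running it unconditionally right after `yum -y ${yumcommand}` also accepts any binary that was tampered with before the update; a practitioner would want a read-only `rkhunter --check --rwo` (or at least `rpm -Va`) captured before the update so drift is noticed rather than blessed. The existence probe can also lose its `ignore_errors: true` and the red failed-task output by using the stat module where the Ansible version in use provides it: `- stat: path=/usr/bin/rkhunter` / `  register: rkhunter` and `when: rkhunter.stat.exists`. Finally, `${yumcommand}` is interpolated straight into the command line; `command:` does not spawn a shell, so this is not shell injection, but a comment stating the expected values (`update`, `upgrade`, …) would document the contract for whoever passes `-e yumcommand=`.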
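Review bot: Several entries here are shared office or datacenter NAT addresses (`66.187.233.202`, `66.187.230.200`, `209.132.181.102`, `66.187.237.10`, `209.132.186.34`), which means a brute-force attempt from any machine behind those NATs is never blocked by DenyHosts; that is a reasonable trade-off against locking out a whole site, but the file should say so. Suggest a header comment such as `# NAT entries below are shared by many clients; failures from them are never blocked, so key/2FA auth, not DenyHosts, is the control for those sources.` The `noc1.phx2.fedoraproject.org` entry, as I read DenyHosts' allowed-hosts matching, is compared against the literal string sshd logs, so it only helps if sshd logs hostnames; keeping the numeric `10.5.126.41` alongside it, as done here, is what actually exempts the host.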
diff --git a/roles/denyhosts/files/denyhosts.conf b/roles/denyhosts/files/denyhosts.conf new file mode 100644 index 000000000..577b8518e --- /dev/null +++ b/roles/denyhosts/files/denyhosts.conf 
@@ -0,0 +1,626 @@ + ############ THESE SETTINGS ARE REQUIRED ############ + +######################################################################## +# +# SECURE_LOG: the log file that contains sshd logging info +# if you are not sure, grep "sshd:" /var/log/* +# +# The file to process can be overridden with the --file command line +# argument +# +# Redhat or Fedora Core: +SECURE_LOG = /var/log/secure +# +# Mandrake, FreeBSD or OpenBSD: +#SECURE_LOG = /var/log/auth.log +# +# SuSE: +#SECURE_LOG = /var/log/messages +# +# Mac OS X (v10.4 or greater - +# also refer to: http://www.denyhosts.net/faq.html#macos +#SECURE_LOG = /private/var/log/asl.log +# +# Mac OS X (v10.3 or earlier): +#SECURE_LOG=/private/var/log/system.log +# +######################################################################## + +######################################################################## +# +# HOSTS_DENY: the file which contains restricted host access information +# +# Most operating systems: +HOSTS_DENY = /etc/hosts.deny +# +# Some BSD (FreeBSD) Unixes: +#HOSTS_DENY = /etc/hosts.allow +# +# Another possibility (also see the next option): +#HOSTS_DENY = /etc/hosts.evil +####################################################################### + + +######################################################################## +# +# PURGE_DENY: removed HOSTS_DENY entries that are older than this time +# when DenyHosts is invoked with the --purge flag +# +# format is: i[dhwmy] +# Where 'i' is an integer (eg. 7) +# 'm' = minutes +# 'h' = hours +# 'd' = days +# 'w' = weeks +# 'y' = years +# +# never purge: +#PURGE_DENY = +# +# purge entries older than 1 week +#PURGE_DENY = 1w +# +# purge entries older than 5 days +#PURGE_DENY = 5d +# +# For the default Fedora Extras install, we want timestamping but no +# expiration (at least by default) so this is deliberately set high. +# Adjust to taste. 
+PURGE_DENY = 4w +####################################################################### + +####################################################################### +# +# PURGE_THRESHOLD: defines the maximum times a host will be purged. +# Once this value has been exceeded then this host will not be purged. +# Setting this parameter to 0 (the default) disables this feature. +# +# default: a denied host can be purged/re-added indefinitely +PURGE_THRESHOLD = 4 +# +# a denied host will be purged at most 2 times. +#PURGE_THRESHOLD = 2 +# +####################################################################### + + +####################################################################### +# +# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY +# +# man 5 hosts_access for details +# +# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1 +# +# To block all services for the offending host: +#BLOCK_SERVICE = ALL +# To block only sshd: +BLOCK_SERVICE = sshd +# To only record the offending host and nothing else (if using +# an auxilary file to list the hosts). Refer to: +# http://denyhosts.sourceforge.net/faq.html#aux +#BLOCK_SERVICE = +# +####################################################################### + + +####################################################################### +# +# DENY_THRESHOLD_INVALID: block each host after the number of failed login +# attempts has exceeded this value. This value applies to invalid +# user login attempts (eg. non-existent user accounts) +# +DENY_THRESHOLD_INVALID = 15 +# +####################################################################### + +####################################################################### +# +# DENY_THRESHOLD_VALID: block each host after the number of failed +# login attempts has exceeded this value. This value applies to valid +# user login attempts (eg. 
user accounts that exist in /etc/passwd) except +# for the "root" user +# +DENY_THRESHOLD_VALID = 15 +# +####################################################################### + +####################################################################### +# +# DENY_THRESHOLD_ROOT: block each host after the number of failed +# login attempts has exceeded this value. This value applies to +# "root" user login attempts only. +# +DENY_THRESHOLD_ROOT = 5 +# +####################################################################### + + +####################################################################### +# +# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed +# login attempts has exceeded this value. This value applies to +# usernames that appear in the WORK_DIR/restricted-usernames file only. +# +DENY_THRESHOLD_RESTRICTED = 1 +# +####################################################################### + + +####################################################################### +# +# WORK_DIR: the path that DenyHosts will use for writing data to +# (it will be created if it does not already exist). +# +# Note: it is recommended that you use an absolute pathname +# for this value (eg. /home/foo/denyhosts/data) +# +WORK_DIR = /var/lib/denyhosts +# +####################################################################### + +####################################################################### +# +# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS +# +# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO +# If set to YES, if a suspicious login attempt results from an allowed-host +# then it is considered suspicious. If this is NO, then suspicious logins +# from allowed-hosts will not be reported. All suspicious logins from +# ip addresses that are not in allowed-hosts will always be reported. 
+# +SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES +###################################################################### + +###################################################################### +# +# HOSTNAME_LOOKUP +# +# HOSTNAME_LOOKUP=YES|NO +# If set to YES, for each IP address that is reported by Denyhosts, +# the corresponding hostname will be looked up and reported as well +# (if available). +# +HOSTNAME_LOOKUP=YES +# +###################################################################### + + +###################################################################### +# +# LOCK_FILE +# +# LOCK_FILE=/path/denyhosts +# If this file exists when DenyHosts is run, then DenyHosts will exit +# immediately. Otherwise, this file will be created upon invocation +# and deleted upon exit. This ensures that only one instance is +# running at a time. +# +# Redhat/Fedora: +LOCK_FILE = /var/lock/subsys/denyhosts +# +# Debian +#LOCK_FILE = /var/run/denyhosts.pid +# +# Misc +#LOCK_FILE = /tmp/denyhosts.lock +# +###################################################################### + + + ############ THESE SETTINGS ARE OPTIONAL ############ + + +####################################################################### +# +# ADMIN_EMAIL: if you would like to receive emails regarding newly +# restricted hosts and suspicious logins, set this address to +# match your email address. 
If you do not want to receive these reports +# leave this field blank (or run with the --noemail option) +# +# Multiple email addresses can be delimited by a comma, eg: +# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com +# +# ADMIN_EMAIL = ausil@fedoraproject.org +# +####################################################################### + +####################################################################### +# +# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email +# reports (see ADMIN_EMAIL) then these settings specify the +# email server address (SMTP_HOST) and the server port (SMTP_PORT) +# +# +# THEMOVE FIXME this needs to work from external non-VPN machines. +SMTP_HOST = bastion +SMTP_PORT = 25 +# +####################################################################### + +####################################################################### +# +# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your +# smtp email server requires authentication +# +#SMTP_USERNAME=foo +#SMTP_PASSWORD=bar +# +###################################################################### + +####################################################################### +# +# SMTP_FROM: you can specify the "From:" address in messages sent +# from DenyHosts when it reports thwarted abuse attempts +# +SMTP_FROM = DenyHosts +# +####################################################################### + +####################################################################### +# +# SMTP_SUBJECT: you can specify the "Subject:" of messages sent +# by DenyHosts when it reports thwarted abuse attempts +SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME] +# +###################################################################### + +###################################################################### +# +# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header +# when sending email messages. 
+# +# for possible values for this parameter refer to: man strftime +# +# the default: +# +#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z +# +###################################################################### + +###################################################################### +# +# SYSLOG_REPORT +# +# SYSLOG_REPORT=YES|NO +# If set to yes, when denied hosts are recorded the report data +# will be sent to syslog (syslog must be present on your system). +# The default is: NO +# +#SYSLOG_REPORT=NO +# +#SYSLOG_REPORT=YES +# +###################################################################### + +###################################################################### +# +# ALLOWED_HOSTS_HOSTNAME_LOOKUP +# +# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO +# If set to YES, for each entry in the WORK_DIR/allowed-hosts file, +# the hostname will be looked up. If your versions of tcp_wrappers +# and sshd sometimes log hostnames in addition to ip addresses +# then you may wish to specify this option. +# +#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO +# +###################################################################### + +###################################################################### +# +# AGE_RESET_VALID: Specifies the period of time between failed login +# attempts that, when exceeded will result in the failed count for +# this host to be reset to 0. This value applies to login attempts +# to all valid users (those within /etc/passwd) with the +# exception of root. If not defined, this count will never +# be reset. 
+# +# See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +AGE_RESET_VALID=5d +# +###################################################################### + +###################################################################### +# +# AGE_RESET_ROOT: Specifies the period of time between failed login +# attempts that, when exceeded will result in the failed count for +# this host to be reset to 0. This value applies to all login +# attempts to the "root" user account. If not defined, +# this count will never be reset. +# +# See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +AGE_RESET_ROOT=25d +# +###################################################################### + +###################################################################### +# +# AGE_RESET_RESTRICTED: Specifies the period of time between failed login +# attempts that, when exceeded will result in the failed count for +# this host to be reset to 0. This value applies to all login +# attempts to entries found in the WORK_DIR/restricted-usernames file. +# If not defined, the count will never be reset. +# +# See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +AGE_RESET_RESTRICTED=25d +# +###################################################################### + + +###################################################################### +# +# AGE_RESET_INVALID: Specifies the period of time between failed login +# attempts that, when exceeded will result in the failed count for +# this host to be reset to 0. This value applies to login attempts +# made to any invalid username (those that do not appear +# in /etc/passwd). 
If not defined, count will never be reset. +# +# See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +AGE_RESET_INVALID=10d +# +###################################################################### + + +###################################################################### +# +# RESET_ON_SUCCESS: If this parameter is set to "yes" then the +# failed count for the respective ip address will be reset to 0 +# if the login is successful. +# +# The default is RESET_ON_SUCCESS = no +# +RESET_ON_SUCCESS = yes +# +##################################################################### + + +###################################################################### +# +# PLUGIN_DENY: If set, this value should point to an executable +# program that will be invoked when a host is added to the +# HOSTS_DENY file. This executable will be passed the host +# that will be added as it's only argument. +# +#PLUGIN_DENY=/usr/bin/true +# +###################################################################### + + +###################################################################### +# +# PLUGIN_PURGE: If set, this value should point to an executable +# program that will be invoked when a host is removed from the +# HOSTS_DENY file. This executable will be passed the host +# that is to be purged as it's only argument. +# +#PLUGIN_PURGE=/usr/bin/true +# +###################################################################### + +###################################################################### +# +# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain +# a regular expression that can be used to identify additional +# hackers for your particular ssh configuration. This functionality +# extends the built-in regular expressions that DenyHosts uses. +# This parameter can be specified multiple times. 
+# See this faq entry for more details: +# http://denyhosts.sf.net/faq.html#userdef_regex +# +#USERDEF_FAILED_ENTRY_REGEX= +# +# +###################################################################### + + + + + ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## + + + +####################################################################### +# +# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag) +# this is the logfile that DenyHosts uses to report it's status. +# To disable logging, leave blank. (default is: /var/log/denyhosts) +# +DAEMON_LOG = /var/log/denyhosts +# +# disable logging: +#DAEMON_LOG = +# +###################################################################### + +####################################################################### +# +# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode +# (--daemon flag) this specifies the timestamp format of +# the DAEMON_LOG messages (default is the ISO8061 format: +# ie. 2005-07-22 10:38:01,745) +# +# for possible values for this parameter refer to: man strftime +# +# Jan 1 13:05:59 +#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S +# +# Jan 1 01:05:59 +#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S +# +###################################################################### + +####################################################################### +# +# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode +# (--daemon flag) this specifies the message format of each logged +# entry. By default the following format is used: +# +# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s +# +# Where the "%(asctime)s" portion is expanded to the format +# defined by DAEMON_LOG_TIME_FORMAT +# +# This string is passed to python's logging.Formatter contstuctor. 
+# For details on the possible format types please refer to: +# http://docs.python.org/lib/node357.html +# +# This is the default: +#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s +# +# +###################################################################### + + +####################################################################### +# +# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag) +# this is the amount of time DenyHosts will sleep between polling +# the SECURE_LOG. See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +# +DAEMON_SLEEP = 30s +# +####################################################################### + +####################################################################### +# +# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode, +# run the purge mechanism to expire old entries in HOSTS_DENY +# This has no effect if PURGE_DENY is blank. +# +DAEMON_PURGE = 1h +# +####################################################################### + + + ######### THESE SETTINGS ARE SPECIFIC TO ########## + ######### DAEMON SYNCHRONIZATION ########## + + +####################################################################### +# +# Synchronization mode allows the DenyHosts daemon the ability +# to periodically send and receive denied host data such that +# DenyHosts daemons worldwide can automatically inform one +# another regarding banned hosts. This mode is disabled by +# default, you must uncomment SYNC_SERVER to enable this mode. +# +# for more information, please refer to: +# http:/denyhosts.sourceforge.net/faq.html#sync +# +####################################################################### + + +####################################################################### +# +# SYNC_SERVER: The central server that communicates with DenyHost +# daemons. 
Currently, denyhosts.net is the only available server +# however, in the future, it may be possible for organizations to +# install their own server for internal network synchronization +# +# To disable synchronization (the default), do nothing. +# +# To enable synchronization, you must uncomment the following line: +#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 +# +####################################################################### + +####################################################################### +# +# SYNC_INTERVAL: the interval of time to perform synchronizations if +# SYNC_SERVER has been uncommented. The default is 1 hour. +# +SYNC_INTERVAL = 1h +# +####################################################################### + + +####################################################################### +# +# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have +# been denied? This option only applies if SYNC_SERVER has +# been uncommented. +# The default is SYNC_UPLOAD = yes +# +#SYNC_UPLOAD = no +#SYNC_UPLOAD = yes +# +####################################################################### + + +####################################################################### +# +# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have +# been denied by others? This option only applies if SYNC_SERVER has +# been uncommented. +# The default is SYNC_DOWNLOAD = yes +# +#SYNC_DOWNLOAD = no +#SYNC_DOWNLOAD = yes +# +# +# +####################################################################### + +####################################################################### +# +# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter +# filters the returned hosts to those that have been blocked this many +# times by others. That is, if set to 1, then if a single DenyHosts +# server has denied an ip address then you will receive the denied host. 
+# +# See also SYNC_DOWNLOAD_RESILIENCY +# +#SYNC_DOWNLOAD_THRESHOLD = 10 +# +# The default is SYNC_DOWNLOAD_THRESHOLD = 3 +# +#SYNC_DOWNLOAD_THRESHOLD = 3 +# +####################################################################### + +####################################################################### +# +# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the +# value specified for this option limits the downloaded data +# to this resiliency period or greater. +# +# Resiliency is defined as the timespan between a hackers first known +# attack and it's most recent attack. Example: +# +# If the centralized denyhosts.net server records an attack at 2 PM +# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h +# will not download this ip address. +# +# However, if the attacker is recorded again at 6:15 PM then the +# ip address will be downloaded by your DenyHosts instance. +# +# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD +# and only hosts that satisfy both values will be downloaded. +# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 +# +# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours) +# +# Only obtain hackers that have been at it for 2 days or more: +#SYNC_DOWNLOAD_RESILIENCY = 2d +# +# Only obtain hackers that have been at it for 5 hours or more: +#SYNC_DOWNLOAD_RESILIENCY = 5h +# +####################################################################### + diff --git a/roles/denyhosts/handlers/main.yml b/roles/denyhosts/handlers/main.yml new file mode 100644 index 000000000..83c446bce --- /dev/null +++ b/roles/denyhosts/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart denyhosts + action: service name=denyhosts state=restarted diff --git a/roles/denyhosts/tasks/main.yml b/roles/denyhosts/tasks/main.yml new file mode 100644 index 000000000..1e0a1c40d --- /dev/null +++ b/roles/denyhosts/tasks/main.yml 
@@ -0,0 +1,26 @@ +--- +#install denyhosts +- name: install denyhosts + yum: name=denyhosts state=installed + tags: + - packages + +- name: /etc/denyhosts.conf + copy: src=denyhosts.conf dest=/etc/denyhosts.conf + notify: + - restart denyhosts + tags: + - config + +- name: /var/lib/denyhosts/allowed-hosts + copy: src=allowed-hosts dest=/var/lib/denyhosts/allowed-hosts + notify: + - restart denyhosts + tags: + - config + +- name: enable the service + service: name=denyhosts state=running enabled=true + tags: + - service + diff --git a/roles/fas_client/files/fas-client.cron b/roles/fas_client/files/fas-client.cron new file mode 100644 index 000000000..4ec50f9a8 --- /dev/null +++ b/roles/fas_client/files/fas-client.cron @@ -0,0 +1 @@ +*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1" diff --git a/roles/fas_client/files/nsswitch.conf b/roles/fas_client/files/nsswitch.conf new file mode 100644 index 000000000..fb4ff626f --- /dev/null +++ b/roles/fas_client/files/nsswitch.conf 
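Review bot: The `enable the service` task at the end of the hunk uses `state=running`, the legacy spelling, while the mirrorlist role added in the same commit uses `state=started`; `service: name=denyhosts state=started enabled=true` keeps the two roles consistent. The two `copy` tasks for `/etc/denyhosts.conf` and `/var/lib/denyhosts/allowed-hosts` pass no `owner`/`mode`, so the installed files get whatever the copy module defaults to on each host; the fas_client role in this commit sets `owner=root mode=644` explicitly and the same would be appropriate here. Since `allowed-hosts` is the list DenyHosts consults to exempt addresses from blocking, a one-line comment above that task saying it is what keeps the admin hosts from being locked out would make the file's importance clear to the next editor.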
@@ -0,0 +1,45 @@ +# /etc/nsswitch.conf +# +# An example Name Service Switch config file. This file should be +# sorted with the most-used services at the beginning. +# +# The entry '[NOTFOUND=return]' means that the search for an +# entry should stop if the search in the previous entry turned +# up nothing. Note that if the search failed due to some other reason +# (like no NIS server responding) then the search continues with the +# next entry. +# +# Legal entries are: +# +# nisplus or nis+ Use NIS+ (NIS version 3) +# nis or yp Use NIS (NIS version 2), also called YP +# dns Use DNS (Domain Name Service) +# files Use the local files +# db Use the local database (.db) files +# compat Use NIS on compat mode +# hesiod Use Hesiod for user lookups +# [NOTFOUND=return] Stop searching if not found so far +# + +passwd: db files +shadow: db files +group: db files + +#hosts: db files nisplus nis dns +hosts: files dns + +bootparams: nisplus [NOTFOUND=return] files + +ethers: files +netmasks: files +networks: files +protocols: files +rpc: files +services: files + +netgroup: files + +publickey: nisplus + +automount: files +aliases: files nisplus diff --git a/roles/fas_client/handlers/main.yml b/roles/fas_client/handlers/main.yml new file mode 100644 index 000000000..354ef9d89 --- /dev/null +++ b/roles/fas_client/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: run fasclient + action: command /usr/bin/fasClient -i diff --git a/roles/fas_client/tasks/main.yml b/roles/fas_client/tasks/main.yml new file mode 100644 index 000000000..c2f64c7c8 --- /dev/null +++ b/roles/fas_client/tasks/main.yml 
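Review bot: The header comment still describes this as "An example Name Service Switch config file", but the fas_client role installs it verbatim as `/etc/nsswitch.conf`, and nothing explains the one non-default choice in it: `passwd`, `shadow` and `group` list `db` before `files`, so an entry in the nss_db tables that fasClient generates wins over an entry of the same name in `/etc/passwd`, `/etc/shadow` or `/etc/group`. I would replace the example header with `# Managed by ansible (roles/fas_client). db is listed before files so the nss_db tables generated by fasClient take precedence over the local /etc/passwd, /etc/shadow and /etc/group for a name present in both.` The `nisplus` entries left on `bootparams`, `publickey` and `aliases` look inherited from the stock file; if no NIS+ is deployed on these hosts they can be reduced to `files` so lookups do not consult an absent service.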
@@ -0,0 +1,80 @@ +--- +# +# This task sets up fasClient on a machine. +# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update. +# + +# +# fas-clients is in the infrastructure repo. +# nss_db is needed to store user/group info. +# +- name: install package needed for fas-client + yum: state=installed name=$item + with_items: + - fas-clients + - cronie + tags: + - packages + +- name: hotfix - python-fedora proxyclient.py + copy: > + src=$files/hotfix/python-fedora/proxyclient.py + dest=/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py + owner=root mode=644 + only_if: "'${ansible_distribution}' == 'RedHat'" + tags: + - hotfix + - packages + +- name: install nss_db on rhel hosts only + yum: state=installed name=nss_db + only_if: "'${ansible_distribution}' == 'RedHat'" + tags: + - packages + +# +# setup /etc/nsswitch.conf to use nssdb +# +- name: setup /etc/nsswitch.conf for client use + copy: src=nsswitch.conf dest=/etc/nsswitch.conf owner=root mode=644 + tags: + - config + +# +# fasClients needs a valid /etc/fas.conf. +# There's vars used in this template: +# +# fas_client_groups = "sysadmin-main" +# fas_client_restricted_app = "" +# fas_client_admin_app = "" +# fas_client_ssh_groups = "" +# +# if desired, set them on a per host/group basis. +# +# Currently the default template is used, but could be modified on a host basis. 
+# +- name: setup /etc/fas.conf for client use + template: src=$item dest=/etc/fas.conf owner=root mode=600 + with_first_found: + - ${ansible_fqdn}.fas.conf.j2 + - ${ansible_hostname}.fas.conf.j2 + - ${ansible_hostname}.fas.conf.j2 + - fas.conf.j2 + tags: + - config + notify: + - run fasclient + +# +# setup /etc/cron.d/ file to run sync every 10min +# TODO: use cron module when it's fixed +# +#- name: fas_client cron job +# cron: name="fas client" user=root cron_file=fas-client minute="*/10" job="/usr/bin/fasClient -i" +# tags: +# - config + +- name: fas_client cron job + copy: src=fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=644 + tags: + - config diff --git a/roles/fas_client/templates/fas.conf.j2 b/roles/fas_client/templates/fas.conf.j2 new file mode 100644 index 000000000..d3af01dd4 --- /dev/null +++ b/roles/fas_client/templates/fas.conf.j2 
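Review bot: The `with_first_found` list of the `setup /etc/fas.conf for client use` task contains `${ansible_hostname}.fas.conf.j2` twice, so the second entry can never match; presumably one of them was meant to be a different override key (a group or domain name), otherwise it should be dropped. The `hotfix - python-fedora proxyclient.py` task hard-codes `/usr/lib/python2.6/site-packages/...`, which is only right on a host whose system python is 2.6; the `only_if` on `ansible_distribution == 'RedHat'` is what currently keeps it from landing elsewhere, and a comment such as `# RHEL-only hotfix; path assumes the system python is 2.6` would save the next reader a guess. The fas.conf template is installed with `mode=600`, which is correct because the rendered file carries the FAS password; keep that when touching this task.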
@@ -0,0 +1,92 @@ +[global] +; url - Location to fas server +url = https://admin.fedoraproject.org/accounts/ + +; temp - Location to generate files while user creation process is happening +temp = /var/db + +; login - username to contact fas +login = {{ fedorathirdpartyUser }} + +; password - password for login name +password = {{ fedorathirdpartyPassword }} + +; prefix - install to a location other than / +prefix = / + +; modefile - Location of a file containing saved home directory modes +modefile = /var/lib/fas/client_dir_perms + +; cla_group - Group for CLA requirements +cla_group = cla_done + +[host] +; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups +; so if someone is in all 3, the client behaves the same as if they were just +; in 'groups' + +; groups that should have a shell account on this system. +{% if fas_client_groups %} +groups = sysadmin-main,{{ fas_client_groups }} +{% else %} +groups = sysadmin-main +{% endif %} + +; groups that should have a restricted account on this system. +; restricted accounts use the restricted_shell value in [users] +restricted_groups = + +; ssh_restricted_groups: groups that should be restricted by ssh key. You will +; need to disable password based logins in order for this value to have any +; security meaning. 
Group types can be placed here as well, for example +; @hg,@git,@svn +{% if fas_client_ssh_groups %} +ssh_restricted_groups = {{ fas_client_ssh_groups }} +{% else %} +ssh_restricted_groups = +{% endif %} + +; aliases_template: Gets prepended to the aliases file when it is generated by +; fasClient +aliases_template = /etc/aliases.template + +[users] +; default shell given to people in [host] groups +shell = /bin/bash + +; home - the location for fas user home dirs +home = /home/fedora + +; home_backup_dir - Location home dirs should get moved to when a user is +; deleted this location should be tmpwatched +home_backup_dir = /home/fedora.bak + +; ssh_restricted_app - This is the path to the restricted shell script. It +; will not work automatically for most people though through alterations it +; is a powerfull way to restrict access to a machine. An alternative example +; could be given to people who should only have cvs access on the machine. +; setting this value to "/usr/bin/cvs server" would do this. +{% if fas_client_restricted_app %} +ssh_restricted_app = {{ fas_client_restricted_app }} +{% else %} +ssh_restricted_app = +{% endif %} + +; ssh_admin_app - This is the path to an app that an admin is allowed to use. +{% if fas_client_admin_app %} +ssh_admin_app = {{ fas_client_admin_app }} +{% else %} +ssh_admin_app = +{% endif %} + +; restricted_shell - The shell given to users in the ssh_restricted_groups +restricted_shell = /sbin/nologin + +; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups +ssh_restricted_shell = /bin/bash + +; ssh_key_options - Options to be appended to people ssh keys. Users in the +; ssh_restricted_groups will have the keys they uploaded altered when they are +; installed on this machine, appended with the options below. +ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty + 
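Review bot: The comment on `restricted_shell` near the end of the hunk says it is "The shell given to users in the ssh_restricted_groups", which is the comment that belongs to `ssh_restricted_shell` directly below it; per the `[host]` section comments, restricted accounts (the `restricted_groups` list) are the ones that use `restricted_shell`, so the line should read `; restricted_shell - The shell given to users in the restricted_groups`. Since the rendered file contains `password = {{ fedorathirdpartyPassword }}` in clear, a note in the `[global]` section such as `; NOTE: this file contains the FAS service password; the fas_client role installs it root-owned mode 0600 - keep it that way` makes the dependency on the task's mode explicit. "powerfull" in the `ssh_restricted_app` comment is a typo for "powerful".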
diff --git a/roles/geoip/files/geoip_sync b/roles/geoip/files/geoip_sync new file mode 100644 index 000000000..2c5ce7991 --- /dev/null +++ b/roles/geoip/files/geoip_sync @@ -0,0 +1,2 @@ +# cron job to sync the geoip data files +0 1 4 * * root /usr/local/bin/syncFiles.sh bigfiles/geoip /usr/share/GeoIP diff --git a/roles/geoip/tasks/main.yml b/roles/geoip/tasks/main.yml new file mode 100644 index 000000000..da72a52b6 --- /dev/null +++ b/roles/geoip/tasks/main.yml @@ -0,0 +1,13 @@ +--- +# install python-geoIP +- name: install python-GeoIP + yum: name=python-GeoIP state=installed + tags: + - packages + +- name: push over the geoip db once + copy: src=$item dest=/usr/share/GeoIP/ + with_fileglob: $bigfiles/geoip/*.dat + +- name: geoip syncing script via cron + copy: src=geoip_sync dest=/etc/cron.d/geoip_sync mode=0644 diff --git a/roles/mirrorlist/files/mirrorlist-server.conf b/roles/mirrorlist/files/mirrorlist-server.conf new file mode 100644 index 000000000..1ee87bcc3 --- /dev/null +++ b/roles/mirrorlist/files/mirrorlist-server.conf 
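Review bot: In the geoip tasks hunk the `push over the geoip db once` and `geoip syncing script via cron` tasks carry no `tags`, unlike the `packages` task above them and the other roles in this commit, so a run limited with `--tags config` skips them; `tags: - config` on both matches the convention used elsewhere. The word "once" is also misleading: `copy` compares checksums on every play and will re-push the `.dat` files whenever the local copies drift from `$bigfiles/geoip`, which is presumably what the monthly `geoip_sync` cron job is also meant to do. A comment such as `# initial seed of the GeoIP databases; the cron job below keeps them current` would state the intended split between the two.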
@@ -0,0 +1,44 @@ +Alias /mirrorlists /var/lib/mirrormanager/mirrorlists/ +Alias /publiclist /var/lib/mirrormanager/mirrorlists/publiclist/ +Alias /static /var/lib/mirrormanager/mirrorlists/static/ + + + Options Indexes FollowSymLinks + ExpiresActive On + ExpiresDefault "modification plus 1 day" + + +WSGIDaemonProcess mirrorlist user=apache processes=45 threads=1 display-name=mirrorlist maximum-requests=1000 + +WSGIScriptAlias /metalink /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi +WSGIScriptAlias /mirrorlist /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi + +# Set this if you do not have a Reverse Proxy (HTTP Accelerator) that +# is in front of your application server running this code. +# SetEnv mirrorlist_client.noreverseproxy 1 + + + WSGIProcessGroup mirrorlist + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order deny,allow + Allow from all + + + + + WSGIProcessGroup mirrorlist + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order deny,allow + Allow from all + + diff --git a/roles/mirrorlist/files/mm-authorized_key b/roles/mirrorlist/files/mm-authorized_key new file mode 100644 index 000000000..bef6a5561 --- /dev/null +++ b/roles/mirrorlist/files/mm-authorized_key 
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA1+Mq0V8RPuCZrjsSz2y56tVR+hykwoYSodhs6ivqkuf16PHo1Aq2PR+I7xnxnJ/fqF20UEV4bmRFs9k4y/QnMOwi90O32vC3WZmfLfoY9S9dzUYXXOYy0lQZPMjmB+yOYZhhGIu2HTc4/CHKjVpCUZKHXwgkouEwsAEHQI86TrepvPwt5GrmAeZjcRp8T3maaFlRf8UFgcajF9ztgiEnBpWBEKaemtUtQ/g9cr/SwNMT3GK+M4qMVaXkuTCeiKwqxueZmTgn76aQ11sfoWYi1lVCyYt02iMDoBLaLERbwBLt3WpY/l3tQaZiPVoRPDH2EQb6v/XISsXNsqGtnc8APfhkVniURNwW/Qz8eXhpnd7GlU90iWPExvGo/Eaj2cNemgiNZH7/U7OKe3/7Li+IpPDhLCfJ8ue7Nqn+2uqhEWvzZXvamzcvEg89PBbgrdHDvJqVLnfsMDuDEo93KZ2pCfTGmjbYjbV3nnArhimLjkkb2E86489F09p65e4AoZw3HFgeW8yA3ecXtXd9FmYYkL0urT1AZFuJ/9B364h4gOqUt0oO7aW0vqhS1hW+7brIJ2DzM/vn90ONk8JVt1T3DvmgmVLxtuo1wu1PkDtekZNtJPGuGzvt5TYDjGPwZzrkYdYazLow3NMCyrhV6oNm8sxuZCLxeyZdM83Q7xty5nM= toshio@puppet1.fedora.phx.redhat.com diff --git a/roles/mirrorlist/files/mm_sync_data b/roles/mirrorlist/files/mm_sync_data new file mode 100644 index 000000000..e48bdc7b3 --- /dev/null +++ b/roles/mirrorlist/files/mm_sync_data @@ -0,0 +1,4 @@ +#!/bin/bash + +rsync -az --delete-delay --delay-updates --delete mirrormanager@bapp02:/var/lib/mirrormanager/ /var/lib/mirrormanager/ +kill -HUP $(cat /var/run/mirrormanager/mirrorlist_server.pid) diff --git a/roles/mirrorlist/files/supervisord.conf b/roles/mirrorlist/files/supervisord.conf new file mode 100644 index 000000000..2183276e3 --- /dev/null +++ b/roles/mirrorlist/files/supervisord.conf 
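Review bot: The key in this hunk carries no `from=` or `command=` options, so whoever holds the matching private key gets an unrestricted login as `mirrormanager` on every host this role is applied to; its comment ties it to `toshio@puppet1.fedora.phx.redhat.com`, which suggests a legacy origin worth confirming. If the key exists only to trigger or feed the mirrorlist data sync, prefix it with `from="<address of the host that connects>",command="<the sync command>",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ` so that a compromise of the private key is limited to that one action.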
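Review bot: `kill -HUP` on the last line of mm_sync_data runs regardless of whether the preceding `rsync` succeeded, and the unquoted `$(cat ...)` turns a missing pid file into a bare `kill -HUP`; chain the two and quote the substitution: `rsync -az --delete-delay --delay-updates --delete mirrormanager@bapp02:/var/lib/mirrormanager/ /var/lib/mirrormanager/ && kill -HUP "$(cat /var/run/mirrormanager/mirrorlist_server.pid)"`. `--delete-delay` already implies `--delete`, so the extra flag is harmless but redundant. Nothing in this script pins the ssh host key of `bapp02` or selects the identity rsync authenticates with; presumably that comes from the mirrormanager user's ssh configuration, and a comment saying so would help.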
@@ -0,0 +1,67 @@ + +[supervisord] +http_port=/var/tmp/supervisor.sock ; (default is to run a UNIX domain socket server) +;http_port=127.0.0.1:9001 ; (alternately, ip_address:port specifies AF_INET) +;sockchmod=0700 ; AF_UNIX socketmode (AF_INET ignore, default 0700) +;sockchown=nobody.nogroup ; AF_UNIX socket uid.gid owner (AF_INET ignores) +;umask=022 ; (process file creation umask;default 022) +logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log) +logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB) +logfile_backups=10 ; (num of main logfile rotation backups;default 10) +loglevel=info ; (logging level;default info; others: debug,warn) +pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid) +nodaemon=false ; (start in foreground if true;default false) +minfds=1024 ; (min. avail startup file descriptors;default 1024) +minprocs=200 ; (min. avail process descriptors;default 200) + +;nocleanup=true ; (don't clean up tempfiles at start;default false) +;http_username=user ; (default is no username (open system)) +;http_password=123 ; (default is no password (open system)) +;childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP) +;user=chrism ; (default is current user, required if root) +;directory=/tmp ; (default is not to cd during start) +;environment=KEY=value ; (key value pairs to add to environment) + +[supervisorctl] +serverurl=unix:///var/tmp/supervisor.sock ; use a unix:// URL for a unix socket +;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket +;username=chris ; should be same as http_username if set +;password=123 ; should be same as http_password if set +;prompt=mysupervisor ; cmd line prompt (default "supervisor") + +; The below sample program section shows all possible program subsection values, +; create one or more 'real' program: sections to be able to control them under +; supervisor. 
+ +;[program:theprogramname] +;command=/bin/cat ; the program (relative uses PATH, can take args) +;priority=999 ; the relative start priority (default 999) +;autostart=true ; start at supervisord start (default: true) +;autorestart=true ; retstart at unexpected quit (default: true) +;startsecs=10 ; number of secs prog must stay running (def. 10) +;startretries=3 ; max # of serial start failures (default 3) +;exitcodes=0,2 ; 'expected' exit codes for process (default 0,2) +;stopsignal=QUIT ; signal used to kill process (default TERM) +;stopwaitsecs=10 ; max num secs to wait before SIGKILL (default 10) +;user=chrism ; setuid to this UNIX account to run the program +;log_stdout=true ; if true, log program stdout (default true) +;log_stderr=true ; if true, log program stderr (def false) +;logfile=/var/log/cat.log ; child log path, use NONE for none; default AUTO +;logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB) +;logfile_backups=10 ; # of logfile backups (default 10) + +[program:mirrorlist_server] +command=/usr/share/mirrormanager/mirrorlist-server/mirrorlist_server.py +priority=1 +autostart=true +autorestart=true +startsecs=10 +startretries=5 +stopsignal=TERM +stopwaitsecs=10 +user=mirrormanager +log_stderr=true +log_stdout=true +logfile=/var/log/mirrormanager/mirrorlist-server.log +logfile_maxbytes=50MB +logfile_backups=10 diff --git a/roles/mirrorlist/tasks/main.yml b/roles/mirrorlist/tasks/main.yml new file mode 100644 index 000000000..6fb68afdb --- /dev/null +++ b/roles/mirrorlist/tasks/main.yml 
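Review bot: `http_port=/var/tmp/supervisor.sock` in the `[supervisord]` section (and the matching `serverurl=unix:///var/tmp/supervisor.sock` under `[supervisorctl]`) places the control socket in a world-writable tmp directory; the default `sockchmod=0700` noted in the comments limits who can connect, but the path itself can be pre-created by any local user and is subject to tmp cleaners, and the role's tasks file in this commit already carries a TODO about SELinux policy for the sockfile. Moving both lines to `http_port=/var/run/supervisor.sock` and `serverurl=unix:///var/run/supervisor.sock` avoids both issues, with `sockchown`/`sockchmod` set explicitly if anyone other than root should drive supervisorctl. The `[program:mirrorlist_server]` section runs the server as `user=mirrormanager` but logs via supervisord to `/var/log/mirrormanager/`; I do not see that directory created in this commit, so it is presumably owned by the mirrormanager package and worth a comment here.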
@@ -0,0 +1,48 @@ +--- +# tasklist for setting up the mirrorlist app components +# create mirrormanager user +- name: add mirrormanager user - uid 441 + user: name=mirrormanager uid=441 state=present home=/home/mirrormanager createhome=yes + +- name: install supervisor and mirrormanager + yum: pkg=$item state=installed + with_items: + - supervisor + - mirrormanager + tags: + - packages + +# mirrormanager user ssh key(s) +- name: add authorized_keys for mirrormanager + authorized_key: key="{{ item }}" user=mirrormanager state=present + with_file: + - mm-authorized_key + +# install mirrorlist-server.conf apache config +- name: mirrorlist-server apache conf + copy: src=mirrorlist-server.conf dest=/etc/httpd/conf.d/mirrorlist-server.conf + notify: + - restart apache + tags: + - config + +# nuke mirrormanager.conf so that it doesn't start up +- name: kill /etc/httpd/conf.d/mirrrormanager.conf + copy: 'content="#blanked on purpose" dest=/etc/httpd/conf.d/mirrormanager.conf' + notify: + - restart apache + tags: + - config + +# selinux policy - mirrormanager - put in place - for the sockfile +# + +# setup and configure supervisord +- name: /etc/supervisord.conf + copy: src=supervisord.conf dest=/etc/supervisord.conf mode=0644 + notify: + - restart supervisord + +- name: enable supervisord + service: name=supervisord state=started enabled=yes + diff --git a/roles/nagios_client/files/check_cron.cfg b/roles/nagios_client/files/check_cron.cfg new file mode 100644 index 000000000..e01f40799 --- /dev/null +++ b/roles/nagios_client/files/check_cron.cfg @@ -0,0 +1 @@ +command[check_cron]=/usr/lib64/nagios/plugins/check_procs -c 1:10 -C 'crond' -u root diff --git a/roles/nagios_client/files/check_disk.cfg b/roles/nagios_client/files/check_disk.cfg new file mode 100644 index 000000000..d5d32903f --- /dev/null +++ b/roles/nagios_client/files/check_disk.cfg 
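Review bot: The task named `kill /etc/httpd/conf.d/mirrrormanager.conf` misspells the file it blanks (`mirrormanager.conf` in its `dest=`), which will mislead anyone grepping play output for it; rename it to `blank /etc/httpd/conf.d/mirrormanager.conf`. The `/etc/supervisord.conf` and `enable supervisord` tasks have no `tags`, unlike the `config`/`packages` tagging used on the apache tasks above and in the other roles of this commit, so a `--tags config` run would push the apache config but skip the supervisord config that actually runs the server. The role ships `files/mm_sync_data` alongside `files/mm-authorized_key`; the key is installed by the `add authorized_keys for mirrormanager` task, but no task in this hunk copies `mm_sync_data` anywhere or schedules it, so either it is deployed by something outside this role or it is dead in this commit, and a comment saying which would help.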
@@ -0,0 +1,2 @@ +command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p / +command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /boot diff --git a/roles/nagios_client/files/check_lock.cfg b/roles/nagios_client/files/check_lock.cfg new file mode 100644 index 000000000..9525f9f39 --- /dev/null +++ b/roles/nagios_client/files/check_lock.cfg @@ -0,0 +1 @@ +command[check_lock]=/usr/lib64/nagios/plugins/check_lock diff --git a/roles/nagios_client/files/check_mirrorlist_cache.cfg b/roles/nagios_client/files/check_mirrorlist_cache.cfg new file mode 100644 index 000000000..bd4b17130 --- /dev/null +++ b/roles/nagios_client/files/check_mirrorlist_cache.cfg @@ -0,0 +1 @@ +command[check_mirrorlist_cache]=/usr/lib64/nagios/plugins/check_file_age -w 14400 -c 129600 -f /var/lib/mirrormanager/mirrorlist_cache.pkl diff --git a/roles/nagios_client/files/check_postfix_queue.cfg b/roles/nagios_client/files/check_postfix_queue.cfg new file mode 100644 index 000000000..557469803 --- /dev/null +++ b/roles/nagios_client/files/check_postfix_queue.cfg @@ -0,0 +1 @@ +command[check_postfix_queue]=/usr/lib64/nagios/plugins/check_postfix_queue -w 2 -c 5 diff --git a/roles/nagios_client/files/check_raid.cfg b/roles/nagios_client/files/check_raid.cfg new file mode 100644 index 000000000..5c15d450c --- /dev/null +++ b/roles/nagios_client/files/check_raid.cfg @@ -0,0 +1 @@ +command[check_raid]=/usr/lib64/nagios/plugins/check_raid.py diff --git a/roles/nagios_client/files/check_swap.cfg b/roles/nagios_client/files/check_swap.cfg new file mode 100644 index 000000000..bc4f19d5d --- /dev/null +++ b/roles/nagios_client/files/check_swap.cfg @@ -0,0 +1 @@ +command[check_swap]=/usr/lib64/nagios/plugins/check_swap -w 15% -c 10% diff --git a/roles/nagios_client/files/nrpe.cfg b/roles/nagios_client/files/nrpe.cfg new file mode 100644 index 000000000..6933f788b --- /dev/null +++ b/roles/nagios_client/files/nrpe.cfg 
@@ -0,0 +1,223 @@ +############################################################################# +# Sample NRPE Config File +# Written by: Ethan Galstad (nagios@nagios.org) +# +# Last Modified: 11-23-2007 +# +# NOTES: +# This is a sample configuration file for the NRPE daemon. It needs to be +# located on the remote host that is running the NRPE daemon, not the host +# from which the check_nrpe client is being executed. +############################################################################# + + +# LOG FACILITY +# The syslog facility that should be used for logging purposes. + +log_facility=daemon + + + +# PID FILE +# The name of the file in which the NRPE daemon should write it's process ID +# number. The file is only written if the NRPE daemon is started by the root +# user and is running in standalone mode. + +pid_file=/var/run/nrpe/nrpe.pid + + + +# PORT NUMBER +# Port number we should wait for connections on. +# NOTE: This must be a non-priviledged port (i.e. > 1024). +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +server_port=5666 + + + +# SERVER ADDRESS +# Address that nrpe should bind to in case there are more than one interface +# and you do not want nrpe to bind on all interfaces. +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +#server_address=127.0.0.1 + + + +# NRPE USER +# This determines the effective user that the NRPE daemon should run as. +# You can either supply a username or a UID. +# +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +nrpe_user=nrpe + + + +# NRPE GROUP +# This determines the effective group that the NRPE daemon should run as. +# You can either supply a group name or a GID. +# +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +nrpe_group=nrpe + + + +# ALLOWED HOST ADDRESSES +# This is an optional comma-delimited list of IP address or hostnames +# that are allowed to talk to the NRPE daemon. 
Network addresses with a bit mask +# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently +# supported. +# +# Note: The daemon only does rudimentary checking of the client's IP +# address. I would highly recommend adding entries in your /etc/hosts.allow +# file to allow only the specified host to connect to the port +# you are running this daemon on. +# +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + + +allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35 + + + +# COMMAND ARGUMENT PROCESSING +# This option determines whether or not the NRPE daemon will allow clients +# to specify arguments to commands that are executed. This option only works +# if the daemon was configured with the --enable-command-args configure script +# option. +# +# *** ENABLING THIS OPTION IS A SECURITY RISK! *** +# Read the SECURITY file for information on some of the security implications +# of enabling this variable. +# +# Values: 0=do not allow arguments, 1=allow command arguments + +dont_blame_nrpe=0 + + + +# COMMAND PREFIX +# This option allows you to prefix all commands with a user-defined string. +# A space is automatically added between the specified prefix string and the +# command line from the command definition. +# +# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** +# Usage scenario: +# Execute restricted commmands using sudo. For this to work, you need to add +# the nagios user to your /etc/sudoers. An example entry for alllowing +# execution of the plugins from might be: +# +# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ +# +# This lets the nagios user run all commands in that directory (and only them) +# without asking for a password. If you do this, make sure you don't give +# random users write access to that directory or its contents! 
+ +# command_prefix=/usr/bin/sudo + + + +# DEBUGGING OPTION +# This option determines whether or not debugging messages are logged to the +# syslog facility. +# Values: 0=debugging off, 1=debugging on + +debug=0 + + + +# COMMAND TIMEOUT +# This specifies the maximum number of seconds that the NRPE daemon will +# allow plugins to finish executing before killing them off. + +command_timeout=60 + + + +# CONNECTION TIMEOUT +# This specifies the maximum number of seconds that the NRPE daemon will +# wait for a connection to be established before exiting. This is sometimes +# seen where a network problem stops the SSL being established even though +# all network sessions are connected. This causes the nrpe daemons to +# accumulate, eating system resources. Do not set this too low. + +connection_timeout=300 + + + +# WEEK RANDOM SEED OPTION +# This directive allows you to use SSL even if your system does not have +# a /dev/random or /dev/urandom (on purpose or because the necessary patches +# were not applied). The random number generator will be seeded from a file +# which is either a file pointed to by the environment valiable $RANDFILE +# or $HOME/.rnd. If neither exists, the pseudo random number generator will +# be initialized and a warning will be issued. +# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness + +#allow_weak_random_seed=1 + + + +# INCLUDE CONFIG FILE +# This directive allows you to include definitions from an external config file. + +#include= + + + +# INCLUDE CONFIG DIRECTORY +# This directive allows you to include definitions from config files (with a +# .cfg extension) in one or more directories (with recursion). + +include_dir=/etc/nrpe.d/ + + + +# COMMAND DEFINITIONS +# Command definitions that this daemon will run. Definitions +# are in the following format: +# +# command[]= +# +# When the daemon receives a request to return the results of +# it will execute the command specified by the argument. 
+# +# Unlike Nagios, the command line cannot contain macros - it must be +# typed exactly as it should be executed. +# +# Note: Any plugins that are used in the command lines must reside +# on the machine that this daemon is running on! The examples below +# assume that you have plugins installed in a /usr/local/nagios/libexec +# directory. Also note that you will have to modify the definitions below +# to match the argument format the plugins expect. Remember, these are +# examples only! + + +# The following examples use hardcoded command arguments... + +command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10 +command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 +command[check_hda1]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1 +command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z +command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w {{ nrpe_procs_warn }} -c {{ nrpe_procs_crit }} + + +# The following examples allow user-supplied arguments and can +# only be used if the NRPE daemon was compiled with support for +# command arguments *AND* the dont_blame_nrpe directive in this +# config file is set to '1'. This poses a potential security risk, so +# make sure you read the SECURITY file before doing this. + +#command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$ +#command[check_load]=/usr/lib64/nagios/plugins/check_load -w $ARG1$ -c $ARG2$ +#command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ +#command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ + + +# NEVER ADD ANYTHING HERE - ANY ENTRIES TO NRPE SHOULD BE in .cfg files in /etc/nrpe.d/ + +# NEVER NEVER NEVER +# diff --git a/roles/nagios_client/files/scripts/check_lock b/roles/nagios_client/files/scripts/check_lock new file mode 100644 index 000000000..1a58e95ef --- /dev/null 
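Review bot: `allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35` hard-codes the NRPE client list even though this file is already rendered as a template (`{{ nrpe_procs_warn }}` appears further down); carrying the list in a variable such as `allowed_hosts={{ nrpe_allowed_hosts }}` keeps the trust boundary reviewable in one place, and the comment above it is right that the daemon's address check is rudimentary, so a host firewall or /etc/hosts.allow rule for port 5666 should back it. The two 192.168.1.x entries are private addresses that may be leftovers; confirm they are intended. The sample definitions `check_users`, `check_load`, `check_hda1` (which references `/dev/hda1`) and `check_zombie_procs` stay active while the footer says all real checks belong in /etc/nrpe.d/, so dropping the stale samples makes the exposed command set match that policy. The comment claiming plugins live in /usr/local/nagios/libexec no longer matches the /usr/lib64 paths used; `# Plugins are installed in /usr/lib64/nagios/plugins on this host.` would be accurate.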
+++ b/roles/nagios_client/files/scripts/check_lock
@@ -0,0 +1,17 @@
+#!/usr/bin/python
+
+import fcntl
+import sys
+
+try:
+ f = open('/mnt/koji/.nagios_test', 'r')
+ f.close()
+ f = open('/mnt/koji/.nagios_test', 'w')
+except IOError:
+ print "Could not create file"
+ sys.exit(2)
+
+fcntl.flock(f, fcntl.LOCK_EX)
+f.close()
+print "File Locked Successfully"
+sys.exit(0)
diff --git a/roles/nagios_client/files/scripts/check_postfix_queue b/roles/nagios_client/files/scripts/check_postfix_queue
new file mode 100644
index 000000000..44ab4445f
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_postfix_queue
@@ -0,0 +1,49 @@
+#!/bin/bash
+#
+# 19-07-2010
+# Author: Cherwin Nooitmeer
+#
+
+# exit codes
+e_ok=0
+e_warning=1
+e_critical=2
+e_unknown=3
+
+# regular expression that matches queue IDs (e.g. D71EF7AC80F8)
+queue_id='^[A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]'
+
+usage="Invalid command line usage"
+
+if [ -z $1 ]; then
+ echo $usage
+ exit $e_unknown
+fi
+
+while getopts ":w:c:" options
+do
+ case $options in
+ w ) warning=$OPTARG ;;
+ c ) critical=$OPTARG ;;
+ * ) echo $usage
+ exit $e_unknown ;;
+ esac
+done
+
+# determine queue size
+qsize=$(mailq | egrep -c $queue_id)
+if [ -z $qsize ]
+then
+ exit $e_unknown
+fi
+
+if [ $qsize -ge $critical ]; then
+ retval=$e_critical
+elif [ $qsize -ge $warning ]; then
+ retval=$e_warning
+elif [ $qsize -lt $warning ]; then
+ retval=$e_ok
+fi
+
+echo "$qsize mail(s) in queue | mail_queue=$qsize"
+exit $retval
diff --git a/roles/nagios_client/files/scripts/check_raid.py b/roles/nagios_client/files/scripts/check_raid.py
new file mode 100644
index 000000000..48cddd93d
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_raid.py
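Review bot: `fcntl.flock(f, fcntl.LOCK_EX)` blocks indefinitely if another process holds the lock, so a stuck lock on /mnt/koji (which the path suggests is a network mount) turns this check into a hang that only ends when NRPE's command_timeout kills it, rather than a CRITICAL result; a non-blocking attempt wrapped in a try gives a clear answer. Opening the file with `'w'` also truncates it on every run, and the message `Could not create file` is printed when the initial read-open fails, i.e. when the file is missing, not when creation fails. A sketch of the change follows; exit codes are unchanged apart from the added failure branch.
```python
try:
    f = open('/mnt/koji/.nagios_test', 'r')
    f.close()
    f = open('/mnt/koji/.nagios_test', 'a')   # append: do not truncate the probe file
except IOError:
    print "Could not open file"
    sys.exit(2)

try:
    # non-blocking: a held lock is a failed check, not a hang
    fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
except IOError:
    print "Could not lock file"
    sys.exit(2)
# ... unchanged: close, success message, exit 0 ...
```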
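Review bot: Nothing checks that both `-w` and `-c` were supplied or are integers, so `[ $qsize -ge $critical ]` with an empty `$critical` becomes a shell syntax error and the script falls through with `$retval` unset instead of returning UNKNOWN; add after the getopts loop `if [ -z "$warning" ] || [ -z "$critical" ]; then echo "$usage"; exit $e_unknown; fi`. The `[ -z $qsize ]` guard is also ineffective because `egrep -c` prints `0` when `mailq` produces nothing, so a failing `mailq` reads as an empty queue; checking `${PIPESTATUS[0]}` after the pipeline would catch that. Quoting the test operands, `[ -z "$1" ]`, avoids the same word-splitting problem for the first argument.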
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+#
+# very simple python script to parse out /proc/mdstat
+# and give results for nagios to monitor
+#
+
+import sys
+import string
+
+devices = []
+
+try:
+ mdstat = string.split(open('/proc/mdstat').read(), '\n')
+except IOError:
+ # seems we have no software raid on this machines
+ sys.exit(0)
+
+error = ""
+i = 0
+for line in mdstat:
+ if line[0:2] == 'md':
+ device = string.split(line)[0]
+ devices.append(device)
+ status = string.split(mdstat[i+1])[3]
+ if string.count(status, "_"):
+ # see if we can figure out what's going on
+ err = string.split(mdstat[i+2])
+ msg = "device=%s status=%s" % (device, status)
+ if len(err) > 0:
+ msg = msg + " rebuild=%s" % err[0]
+
+ if not error:
+ error = msg
+ else:
+ error = error + ", " + msg
+ i = i + 1
+
+if not error:
+ print "DEVICES %s OK" % " ".join(devices)
+ sys.exit(0)
+
+else:
+ print error
+ sys.exit(2)
+
diff --git a/roles/nagios_client/handlers/main.yml b/roles/nagios_client/handlers/main.yml
new file mode 100644
index 000000000..1086c3d4f
--- /dev/null
+++ b/roles/nagios_client/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart nrpe
+ action: service name=nrpe state=restarted
diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml
new file mode 100644
index 000000000..5888ede7f
--- /dev/null
+++ b/roles/nagios_client/tasks/main.yml
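Review bot: `status = string.split(mdstat[i+1])[3]` assumes the RAID status bracket is always the fourth field of the line following `mdN :`; on arrays where that line carries extra tokens (a `super 1.2 level ...` prefix, which I believe newer mdadm metadata prints) field 3 is not the `[UU]` bracket, and on a short or missing line the index raises IndexError, which NRPE then reports as a traceback with exit 1 (WARNING) rather than a clear UNKNOWN. Locating the bracket with a pattern, `m = re.search(r'\[[U_]+\]', mdstat[i+1])` and `status = m.group(0) if m else ''` (plus `import re`), makes degraded-disk detection independent of field position; the same bounds concern applies to `mdstat[i+2]` at the end of the file. A short header comment stating the expected layout would help the next maintainer, e.g. `# expects "mdN : active raidX ..." followed by a line containing the [U_...] status bracket`.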
@@ -0,0 +1,63 @@
+# nagios-client/nrpe
+
+---
+# install pkgs:
+- name: install nagios client pkgs
+ yum: name=$item state=installed
+ with_items:
+ - nrpe
+ - nagios-plugins
+ - nagios-plugins-disk
+ - nagios-plugins-file_age
+ - nagios-plugins-users
+ - nagios-plugins-procs
+ - nagios-plugins-swap
+ - nagios-plugins-load
+ - nagios-plugins-ping
+ tags:
+ - packages
+
+- name: install local nrpe check scripts that are not packaged
+ copy: src=scripts/$item dest=/usr/lib64/nagios/plugins/$item mode=0755 owner=nagios group=nagios
+ with_items:
+ - check_postfix_queue
+ - check_raid.py
+ - check_lock
+
+# create dirs
+# puppet used to make /var/spool/nagios (owned by nagios.nagios) mode 750
+# and /usr/lib/nagios/plugins (owned by root) mode 755 - but we don't know WHY
+# then stuff it with plugins from the plugins dir in the nagios module
+# then we symlinked that to /usr/lib64/nagios/plugins
+# it was a nightmare - don't do that - my ghost will haunt you if you do
+# skvidal 2013-05-21
+
+
+# FIXME? figure out nrpe selinux policy of DOOM is needed
+
+- name: /etc/nagios/nrpe.cfg
+ template: src=nrpe.cfg dest=/etc/nagios/nrpe.cfg
+ notify:
+ - restart nrpe
+ tags:
+ - config
+
+- name: install nrpe client configs
+ template: src=$item dest=/etc/nrpe.d/$item
+ with_items:
+ - check_mirrorlist_cache.cfg
+ - check_raid.cfg
+ - check_cron.cfg
+ - check_disk.cfg
+ - check_swap.cfg
+ - check_postfix_queue.cfg
+ - check_lock.cfg
+ notify:
+ - restart nrpe
+ tags:
+ - config
+
+- name: nrpe service start
+ service: name=nrpe state=running enabled=true
+ tags:
+ - service
diff --git a/roles/postgresql_server/handlers/main.yml b/roles/postgresql_server/handlers/main.yml
new file mode 100644
index 000000000..c51e7d1cc
--- /dev/null
+++ b/roles/postgresql_server/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart postgresql
+ service: name=postgresql state=restarted
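Review bot: `template: src=nrpe.cfg` and `template: src=$item` for the check_*.cfg files point at sources this commit places under `roles/nagios_client/files/`, while the template action resolves `src` against the role's `templates/` directory; unless this Ansible release also searches `files/` for templates, these tasks will not find their sources, and the same applies to `template: src=rkhunter.conf.j2` in the rkhunter role's tasks hunk further down. Moving the templated files to `templates/`, or using `copy:` for the check_*.cfg files (which contain no Jinja), fixes it. Separately, `copy: src=scripts/$item dest=/usr/lib64/nagios/plugins/$item mode=0755 owner=nagios group=nagios` leaves the plugins writable by the nagios service account; plugins executed on a monitored host are better kept root-owned (`owner=root group=root`) so no unprivileged account can alter what gets run. The `$item` form is also the pre-1.2 variable syntax; `{{ item }}` would match the authorized_key task in the mirrorlist role.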
diff --git a/roles/postgresql_server/tasks/main.yml b/roles/postgresql_server/tasks/main.yml
new file mode 100644
index 000000000..ca74bc616
--- /dev/null
+++ b/roles/postgresql_server/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+#
+# Setup postgresql server.
+#
+- name: install postgresql server packages
+ yum: name=$item state=installed
+ with_items:
+ - postgresql-server
+ - postgresql-contrib
+ - postgresql-plpython
+ tags:
+ - packages
+
+- name: initialize postgresql
+ command: service postgresql initdb
+ creates=/var/lib/pgsql/data/postgresql.conf
+ ignore_errors: true
+ tags:
+ - service
+
+- name: Set postgresql-server to run on boot
+ service: name=postgresql enabled=yes
+ ignore_errors: true
+ notify:
+ - restart postgresql
+ tags:
+ - service
diff --git a/roles/rkhunter/files/rkhunter.conf.j2 b/roles/rkhunter/files/rkhunter.conf.j2
new file mode 100644
index 000000000..705517580
--- /dev/null
+++ b/roles/rkhunter/files/rkhunter.conf.j2
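Review bot: `ignore_errors: true` on the `initialize postgresql` task hides a failed initdb, yet the `creates=/var/lib/pgsql/data/postgresql.conf` guard already makes the task skip on re-runs, so the flag only masks genuine failures (full disk, SELinux denial); dropping it lets the play stop before the next task enables a cluster that was never created. The same flag on `Set postgresql-server to run on boot` has the same effect and should go too. That task only sets `enabled=yes`, so the service is started only indirectly, by the `restart postgresql` handler when the task reports a change; `service: name=postgresql state=started enabled=yes` states the intent directly.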
@@ -0,0 +1,590 @@ +# +# This is the configuration file for Rootkit Hunter. +# +# Please modify it to your own requirements. +# Please review the documentation before posting bug reports or questions. +# To report bugs, obtain updates, or provide patches or comments, please go to: +# http://rkhunter.sourceforge.net +# +# To ask questions about rkhunter, please use the rkhunter-users mailing list. +# Note this is a moderated list: please subscribe before posting. +# +# Lines beginning with a hash (#), and blank lines, will be ignored. +# +# Most of the following options need only be specified once. If +# they appear more than once, then the last one seen will be used. +# Some options are allowed to appear more than once, and the text +# describing the option will say if this is so. +# + +# +# If this option is set to 1, it specifies that the mirrors file, which +# is used when the '--update' and '--versioncheck' options are used, is +# to be rotated. Rotating the entries in the file allows a basic form +# of load-balancing between the mirror sites whenever the above options +# are used. +# If the option is set to 0, then the mirrors will be treated as if in +# a priority list. That is, the first mirror will always be used. The +# second mirror will only be used if the first mirror fails, then the +# third mirror will be used if the second fails and so on. +# + +ROTATE_MIRRORS=1 + +# +# If this option is set to 1, it specifies that when the '--update' +# option is used, then the mirrors file is to be checked for updates +# as well. If the current mirrors file contains any local mirrors, +# these will be prepended to the updated file. +# If this option is set to 0, the mirrors file can only be updated +# manually. This may be useful if only using local mirrors. +# +UPDATE_MIRRORS=1 + +# +# The MIRRORS_MODE option tells rkhunter which mirrors are to be +# used when the '--update' or '--versioncheck' command-line options +# are given. 
Possible values are: +# 0 - use any mirror (the default) +# 1 - only use local mirrors +# 2 - only use remote mirrors +# +# Local and remote mirrors can be defined in the mirrors.dat file +# by using the 'local=' and 'remote=' keywords respectively. +# +MIRRORS_MODE=0 + +# +# Email a message to this address if a warning is found when the +# system is being checked. Multiple addresses may be specified +# simply be separating them with a space. +# +MAIL-ON-WARNING="" + +# +# Specify the mail command to use if MAIL-ON-WARNING is set. +# NOTE: Double quotes are not required around the command, but +# are required around the subject line if it contains spaces. +# +MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" + +# +# Specify the temporary directory to use. +# +# NOTE: Do not use /tmp as your temporary directory. Some +# important files will be written to this directory, so be +# sure that the directory permissions are tight. +# +TMPDIR=/var/lib/rkhunter + +# +# Specify the database directory to use. +# +DBDIR=/var/lib/rkhunter/db + +# +# Specify the script directory to use. +# +SCRIPTDIR=/usr/share/rkhunter/scripts + +# +# Specify the root directory to use. +# +#ROOTDIR="" + +# +# Specify the command directories to be checked. This is a +# space-separated list of directories. +# +BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec" + +# +# Specify the language to use. This should be similar +# to the ISO 639 language code. +# +# NOTE: Please ensure that the language you specify is supported. +# For a list of supported languages use the following command: +# +# rkhunter --lang en --list languages +# +#LANGUAGE=en + +# +# Specify the log file pathname. +# +LOGFILE=/var/log/rkhunter/rkhunter.log + +# +# Set the following option to 1 if the log file is to be appended to +# whenever rkhunter is run. 
+# + + +# +# Set the following option to enable the rkhunter check start and finish +# times to be logged by syslog. Warning messages will also be logged. +# The value of the option must be a standard syslog facility and +# priority, separated by a dot. +# +# For example: USE_SYSLOG=authpriv.warning +# +# Setting the value to 'none', or just leaving the option commented out, +# disables the use of syslog. +# +USE_SYSLOG=authpriv.notice + +# +# Set the following option to 1 if the second colour set is to be used. +# This can be useful if your screen uses black characters on a white +# background (for example, a PC instead of a server). +# +COLOR_SET2=0 + +# +# Set the following option to 0 if rkhunter should not detect if X is +# being used. If X is detected as being used, then the second colour +# set will automatically be used. +# +AUTO_X_DETECT=1 + +# +# The following option is checked against the SSH configuration file +# 'PermitRootLogin' option. A warning will be displayed if they do not +# match. However, if a value has not been set in the SSH configuration +# file, then a value here of 'yes' or 'unset' will not cause a warning. +# This option has a default value of 'no'. +# +ALLOW_SSH_ROOT_USER=without-password + +# +# Set this option to '1' to allow the use of the SSH-1 protocol, but note +# that theoretically it is weaker, and therefore less secure, than the +# SSH-2 protocol. Do not modify this option unless you have good reasons +# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 +# authentication). If the 'Protocol' option has not been set in the SSH +# configuration file, then a value of '2' may be set here in order to +# suppress a warning message. This option has a default value of '0'. +# +ALLOW_SSH_PROT_V1=0 + +# +# This setting tells rkhunter the directory containing the SSH configuration +# file. This setting will be worked out by rkhunter, and so should not +# usually need to be set. 
+# +#SSH_CONFIG_DIR=/etc/ssh + +# +# These two options determine which tests are to be performed. +# The ENABLE_TESTS option can use the word 'all' to refer to all the +# available tests. The DISABLE_TESTS option can use the word 'none' to +# mean that no tests are disabled. The list of disabled tests is applied to +# the list of enabled tests. Both options are space-separated lists of test +# names. The currently available test names can be seen by using the command +# 'rkhunter --list tests'. +# +# The program defaults are to enable all tests and disable none. However, if +# either option is specified in this file, then it overrides the program +# default. The supplied rkhunter.conf file has some tests already disabled, +# and these are tests that will be used only incidentally, can be considered +# "advanced" or those that are prone to produce more than the "average" number +# of "false positives". +# +# Please read the README file for more details about enabling and disabling +# tests, the test names, and how rkhunter behaves when these options are used. +# +ENABLE_TESTS="all" +DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" + +# +# The HASH_FUNC option can be used to specify the command to use +# for the file hash value check. It can be specified as just +# the command name or the full pathname. Systems using prelinking +# are restricted to using either SHA1 or MD5 functions. To get rkhunter +# to look for the sha1(sum)/md5(sum) command, or to use the supplied +# perl scripts, simply specify this option as 'SHA1' or 'MD5' in +# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found. +# +# A value of 'NONE' (in uppercase) can be specified to indicate that +# no hash function should be used. Rootkit Hunter will detect this and +# automatically disable the file hash checks. 
+# +# Examples: +# For Solaris 9 : HASH_FUNC=gmd5sum +# For Solaris 10: HASH_FUNC=sha1sum +# For AIX (>5.2): HASH_FUNC="csum -hMD5" +# For NetBSD : HASH_FUNC="cksum -a sha512" +# +# NOTE: If the hash function is changed then you MUST run rkhunter with +# the '--propupd' option to rebuild the file properties database. +# +HASH_FUNC=sha1sum + +# +# The HASH_FLD_IDX option specifies which field from the HASH_FUNC +# command output contains the hash value. The fields are assumed to +# be space-separated. The default value is one, but for *BSD users +# rkhunter will, by default, use a value of 4 if the HASH_FUNC option +# has not been set. The option value must be a positive integer. +# +#HASH_FLD_IDX=4 + +# +# The PKGMGR option tells rkhunter to use the specified package manager +# to obtain the file property information. This is used when updating +# the file properties file 'rkhunter.dat', and when running the file +# properties check. For RedHat/RPM-based systems, 'RPM' can be used +# to get information from the RPM database. For Debian-based systems +# 'DPKG' can be used, and for *BSD systems 'BSD' can be used. +# No value, or a value of 'NONE', indicates that no package manager +# is to be used. The default is 'NONE'. +# +# The current package managers store the file hash values using an +# MD5 hash function. +# +# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. +# The 'RPM' package manager additionally provides values for the inode, +# file permissions, uid, gid and other values. +# +# For any file not part of a package, rkhunter will revert to using +# the HASH_FUNC hash function instead. +# +PKGMGR=RPM + +# +# Whitelist various attributes of the specified files. +# The attributes are those of the 'attributes' test. +# Specifying a file name here does not include it being +# whitelisted for the write permission test below. +# One command per line (use multiple ATTRWHITELIST lines). 
+# +#ATTRWHITELIST=/bin/ps + +# +# Allow the specified commands to have the 'others' +# (world) permission have the write-bit set. +# +# For example, files with permissions r-xr-xrwx +# or rwxrwxrwx. +# +# One command per line (use multiple WRITEWHITELIST lines). +# +#WRITEWHITELIST=/bin/ps + +# +# Allow the specified commands to be scripts. +# One command per line (use multiple SCRIPTWHITELIST lines). +# +#SCRIPTWHITELIST=/sbin/ifup +#SCRIPTWHITELIST=/sbin/ifdown +#SCRIPTWHITELIST=/usr/bin/groups + +# +# Allow the specified commands to have the immutable attribute set. +# One command per line (use multiple IMMUTWHITELIST lines). +# +#IMMUTWHITELIST=/sbin/ifup + +# +# Allow the specified hidden directories. +# One directory per line (use multiple ALLOWHIDDENDIR lines). +# +ALLOWHIDDENDIR=/dev/.udev +ALLOWHIDDENDIR=/dev/.mdadm +ALLOWHIDDENDIR=/dev/.systemd +ALLOWHIDDENDIR=/dev/.mount +ALLOWHIDDENDIR=/dev/.udevdb +ALLOWHIDDENDIR=/dev/.udev.tdb +ALLOWHIDDENDIR=/dev/.udev/db +ALLOWHIDDENDIR=/dev/.udev/rules.d + +# +# Allow the specified hidden files. +# One file per line (use multiple ALLOWHIDDENFILE lines). +# +ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz +ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac +ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac +ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac +ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac +ALLOWHIDDENFILE=/usr/bin/.ssh.hmac +ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac +ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac +ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz +ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz +ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac +ALLOWHIDDENFILE=/dev/.udev/queue.bin +ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum + +# +# Allow the specified processes to use deleted files. +# One process per line (use multiple ALLOWPROCDELFILE lines). 
+# +#ALLOWPROCDELFILE=/sbin/cardmgr +#ALLOWPROCDELFILE=/usr/sbin/gpm +#ALLOWPROCDELFILE=/usr/libexec/gconfd-2 +#ALLOWPROCDELFILE=/usr/sbin/mysqld + +# +# Allow the specified processes to listen on any network interface. +# One process per line (use multiple ALLOWPROCLISTEN lines). +# +#ALLOWPROCLISTEN=/sbin/dhclient +#ALLOWPROCLISTEN=/usr/bin/dhcpcd +#ALLOWPROCLISTEN=/usr/sbin/pppoe +#ALLOWPROCLISTEN=/usr/sbin/tcpdump +#ALLOWPROCLISTEN=/usr/sbin/snort-plain +#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant + +# +# SCAN_MODE_DEV governs how we scan /dev for suspicious files. +# The two allowed options are: THOROUGH or LAZY. +# If commented out we do a THOROUGH scan which will increase the runtime. +# Even though this adds to the running time it is highly recommended to +# leave it like this. +# +#SCAN_MODE_DEV=THOROUGH + +# +# Allow the specified files to be present in the /dev directory, +# and not regarded as suspicious. One file per line (use multiple +# ALLOWDEVFILE lines). +# +#ALLOWDEVFILE=/dev/abc +#ALLOWDEVFILE=/dev/shm/pulse-shm-* +ALLOWDEVFILE=/dev/shm/sem.slapd-FEDORAPROJECT-ORG.stats +ALLOWDEVFILE=/dev/md/md-device-map +ALLOWDEVFILE=/dev/.udev/queue.bin +ALLOWDEVFILE=/dev/.udev/db/* +ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules +ALLOWDEVFILE=/dev/.udev/uevent_seqnum +ALLOWDEVFILE=/dev/md/autorebuild.pid + +# +# This setting tells rkhunter where the inetd configuration +# file is located. +# +#INETD_CONF_PATH=/etc/inetd.conf + +# +# Allow the following enabled inetd services. +# Only one service per line (use multiple INETD_ALLOWED_SVC lines). +# +# Below are some Solaris 9 and 10 services that may want to be whitelisted. 
+# +#INETD_ALLOWED_SVC=echo +#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd +#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto +#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd +#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad +#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd +#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd +#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd +#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd +#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd +#INETD_ALLOWED_SVC=/usr/lib/gss/gssd +#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader +#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd +#INETD_ALLOWED_SVC=/network/rpc/mdcomm +#INETD_ALLOWED_SVC=/network/rpc/meta +#INETD_ALLOWED_SVC=/network/rpc/metamed +#INETD_ALLOWED_SVC=/network/rpc/metamh +#INETD_ALLOWED_SVC=/network/security/ktkt_warn +#INETD_ALLOWED_SVC=/application/x11/xfs +#INETD_ALLOWED_SVC=/application/print/rfc1179 +#INETD_ALLOWED_SVC=/application/font/stfsloader +#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord +#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp +#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp + +# +# This setting tells rkhunter where the xinetd configuration +# file is located. +# +#XINETD_CONF_PATH=/etc/xinetd.conf + +# +# Allow the following enabled xinetd services. Whilst it would be +# nice to use the service names themselves, at the time of testing +# we only have the pathname available. As such, these entries are +# the xinetd file pathnames. +# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines). +# +XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync +XINETD_ALLOWED_SVC=/etc/xinetd.d/cvspserver +XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp +XINETD_ALLOWED_SVC=/etc/xinetd.d/git-server +XINETD_ALLOWED_SVC=/etc/xinetd.d/git +XINETD_ALLOWED_SVC=/etc/xinetd.d/bzr-server + +# +# This setting tells rkhunter the local system startup file pathnames. +# More than one file may be present on the system, and so this option +# can be a space-separated list. 
This setting will be worked out by +# rkhunter, and so should not usually need to be set. +# +# If the system uses a directory of local startup scripts, then rather +# that setting all the file names here, leave this setting blank, and +# specify the directory name in SYSTEM_RC_DIR instead. +# +# If the system does not use a local startup script at all, then this +# setting can be set to 'none'. Without this, rkhunter would give a +# warning that no local startup script could be found. +# +#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit" + +# +# This setting tells rkhunter the local system startup file directory. +# This setting will be worked out by rkhunter, and so should not usually +# need to be set. +# +#SYSTEM_RC_DIR=/etc/rc.d + +# +# This setting tells rkhunter the pathname to the file containing the +# user account passwords. This setting will be worked out by rkhunter, +# and so should not usually need to be set. +# +PASSWORD_FILE=/etc/shadow + +# +# Allow the following accounts to be root equivalent. These accounts +# will have a UID value of zero. This option is a space-separated list +# of account names. The 'root' account does not need to be listed as it +# is automatically whitelisted. +# +# Note: For *BSD systems you may need to enable this for the 'toor' account. +# +#UID0_ACCOUNTS="toor rooty" + +# +# Allow the following accounts to have no password. This option is a +# space-separated list of account names. NIS/YP entries do not need to +# be listed as they are automatically whitelisted. +# +#PWDLESS_ACCOUNTS="abc" + +# +# This setting tells rkhunter the pathname to the syslog configuration +# file. This setting will be worked out by rkhunter, and so should not +# usually need to be set. +# +#SYSLOG_CONFIG_FILE=/etc/syslog.conf + +# +# This option permits the use of syslog remote logging. +# +ALLOW_SYSLOG_REMOTE_LOGGING=1 + +# +# Allow the following applications, or a specific version of an application, +# to be whitelisted. 
This option is a space-separated list consisting of the +# application names. If a specific version is to be whitelisted, then the +# name must be followed by a colon and then the version number. +# +# For example: APP_WHITELIST="openssl:0.9.7d gpg" +# +APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1" + +# +# Scan for suspicious files in directories containing temporary files and +# directories posing a relatively higher risk due to user write access. +# Please do not enable by default as suspscan is CPU and I/O intensive and prone to +# producing false positives. Do review all settings before usage. +# Also be aware that running suspscan in combination with verbose logging on, +# RKH's default, will show all ignored files. +# Please consider adding all directories the user the (web)server runs as has +# write access to including the document root (example: "/var/www") and log +# directories (example: "/var/log/httpd"). +# +# A space-separated list of directories to scan. +# +SUSPSCAN_DIRS="/tmp /var/tmp" + +# +# Directory for temporary files. A memory-based one is better (faster). +# Do not use a directory name that is listed in SUSPSCAN_DIRS. +# Please make sure you have a tempfs mounted and the directory exists. +# +SUSPSCAN_TEMP=/dev/shm + +# +# Maximum filesize in bytes. Files larger than this will not be inspected. +# Do make sure you have enough space left in your temporary files directory. +# +SUSPSCAN_MAXSIZE=10240000 + +# +# Score threshold. Below this value no hits will be reported. +# A value of "200" seems "good" after testing on malware. Please adjust +# locally if necessary. +# +SUSPSCAN_THRESH=200 + +# +# The following option can be used to whitelist network ports which +# are known to have been used by malware. The option is a space- +# separated list of one or more of three types of whitelisting. +# These are: +# +# 1) a 'protocol:port' pair (e.g. 
TCP:25) +# 2) a pathname to an executable (e.g. /usr/sbin/squid) +# 3) an asterisk ('*') +# +# Only the UDP or TCP protocol may be specified, and the port number +# must be between 1 and 65535 inclusive. +# +# The asterisk can be used to indicate that any executable in a trusted +# path directory will be whitelisted. A trusted path directory is one which +# rkhunter uses to locate commands. It is composed of the root PATH +# environment variable, and the BINDIR command-line or configuration +# file option. +# +# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" +# +#PORT_WHITELIST="" + +# +# The following option can be used to tell rkhunter where the operating +# system 'release' file is located. This file contains information +# specifying the current O/S version. RKH will store this information +# itself, and check to see if it has changed between each run. If it has +# changed, then the user is warned that RKH may issue warning messages +# until RKH has been run with the '--propupd' option. +# +# Since the contents of the file vary according to the O/S distribution, +# RKH will perform different actions when it detects the file itself. As +# such, this option should not be set unless necessary. If this option is +# specified, then RKH will assume the O/S release information is on the +# first non-blank line of the file. +# +# {{ ansible_distribution|lower }} +OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release + +# +# The following two options can be used to whitelist files and directories +# that would normally be flagged with a warning during the rootkit checks. +# If the file or directory name contains a space, then the percent character +# ('%') must be used instead. Only existing files and directories can be +# specified. +# +#RTKT_DIR_WHITELIST="" +#RTKT_FILE_WHITELIST="" + +# +# To force rkhunter to use the supplied script for the 'stat' or 'readlink' +# command, then the following two options can be used. 
The value must be
+# set to 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
+INSTALLDIR=/usr
+SCRIPTWHITELIST=/usr/bin/whatis
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/GET
+SCRIPTWHITELIST=/sbin/ifup
+SCRIPTWHITELIST=/sbin/ifdown
diff --git a/roles/rkhunter/files/rkhunter.sysconfig b/roles/rkhunter/files/rkhunter.sysconfig
new file mode 100644
index 000000000..0c463db71
--- /dev/null
+++ b/roles/rkhunter/files/rkhunter.sysconfig
@@ -0,0 +1,11 @@
+# System configuration file for Rootkit Hunter which
+# stores RPM system specifics for cron run, etc.
+#
+# MAILTO=
+# DIAG_SCAN= no - perform normal report scan
+# yes - perform detailed report scan
+# (includes application check)
+
+MAILTO=smooge@fedoraproject.org,kevin@fedoraproject.org
+DIAG_SCAN=no
+
diff --git a/roles/rkhunter/tasks/main.yml b/roles/rkhunter/tasks/main.yml
new file mode 100644
index 000000000..4bec0f7b1
--- /dev/null
+++ b/roles/rkhunter/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+
+- name: install rkhunter
+ yum: name=rkhunter state=present
+ tags:
+ - packages
+
+- name: rkhunter.conf
+ template: src=rkhunter.conf.j2 dest=/etc/rkhunter.conf mode=0640
+ tags:
+ - config
+
+- name: rkhunter sysconfig
+ copy: src=rkhunter.sysconfig dest=/etc/sysconfig/rkhunter mode=0640
+ tags:
+ - config
+
+
diff --git a/tasks/denyhosts.yml b/tasks/denyhosts.yml
deleted file mode 100644
index cc4e7566a..000000000
--- a/tasks/denyhosts.yml
+++ /dev/null
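Review bot: With DIAG_SCAN=no the cron run performs only the normal report scan, and the file's own header says the application check belongs to the detailed scan, so the APP_WHITELIST versions maintained in the rkhunter.conf.j2 template of this same commit would not be exercised by the scheduled run if that header is accurate. If that is intended, say so next to the setting, e.g. `# normal scan only: the application-version check (and APP_WHITELIST in /etc/rkhunter.conf) is exercised only with DIAG_SCAN=yes`. MAILTO also routes every rootkit report to two personal mailboxes; a shared sysadmin alias would keep the alerting from depending on two individuals being present, though I cannot tell from here whether such an alias exists.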
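Review bot: The role installs rkhunter and drops its configuration but never initialises the file-properties database, so the first scheduled scan runs without a baseline; the rkhunter.conf template added in this same commit itself notes that rkhunter keeps warning until `--propupd` has been run. I would add one task after the two config tasks, `- name: initialise rkhunter file properties` / `command: rkhunter --propupd creates=/var/lib/rkhunter/db/rkhunter.dat`, with `creates=` pointing at the property database so it runs only on first install (that path is the packaged default as far as I recall; confirm it on the target hosts). The guard matters: running `--propupd` on every play would re-baseline whatever is on disk, including any binary that has already been tampered with, which defeats the purpose of the tool. The template and copy tasks also set mode=0640 without owner/group; adding `owner=root group=root` makes the intended readability explicit instead of relying on the play's effective user.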
@@ -1,26 +0,0 @@ ---- -#install denyhosts -- name: install denyhosts - yum: name=denyhosts state=installed - tags: - - packages - -- name: /etc/denyhosts.conf - copy: src=$files/denyhosts/denyhosts.conf dest=/etc/denyhosts.conf - notify: - - restart denyhosts - tags: - - config - -- name: /var/lib/denyhosts/allowed-hosts - copy: src=$files/denyhosts/allowed-hosts dest=/var/lib/denyhosts/allowed-hosts - notify: - - restart denyhosts - tags: - - config - -- name: enable the service - service: name=denyhosts state=running enabled=true - tags: - - service - diff --git a/tasks/fas_client.yml b/tasks/fas_client.yml deleted file mode 100644 index fedeb5b1f..000000000 --- a/tasks/fas_client.yml +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -# -# This task sets up fasClient on a machine. -# It installs the fas-clients package, then the /etc/fas.conf and finally a cron job update. -# - -# -# fas-clients is in the infrastructure repo. -# nss_db is needed to store user/group info. -# -- name: install package needed for fas-client - action: yum state=installed name=$item - with_items: - - fas-clients - - cronie - tags: - - packages - -- name: hotfix - python-fedora proxyclient.py - copy: > - src=$files/hotfix/python-fedora/proxyclient.py - dest=/usr/lib/python2.6/site-packages/fedora/client/proxyclient.py - owner=root mode=644 - only_if: "'${ansible_distribution}' == 'RedHat'" - tags: - - hotfix - - packages - -- name: install nss_db on rhel hosts only - action: yum state=installed name=nss_db - only_if: "'${ansible_distribution}' == 'RedHat'" - tags: - - packages - -# -# setup /etc/nsswitch.conf to use nssdb -# -- name: setup /etc/nsswitch.conf for client use - action: copy src=$files/fas-client/nsswitch.conf dest=/etc/nsswitch.conf owner=root mode=644 - tags: - - config - -# -# fasClients needs a valid /etc/fas.conf. -# There's vars used in this template: -# -# fas_client_groups = "sysadmin-main" -# fas_client_restricted_app = "" -# fas_client_admin_app = "" -# fas_client_ssh_groups = "" -# -# if desired, set them on a per host/group basis. -# -# Currently the default template is used, but could be modified on a host basis. 
-# -- name: setup /etc/fas.conf for client use - action: template src=$item dest=/etc/fas.conf owner=root mode=600 - with_first_found: - - $files/fas-client/${ansible_fqdn}.fas.conf.j2 - - $files/fas-client/${ansible_hostname}.fas.conf.j2 - - $files/fas-client/${ansible_hostname}.fas.conf.j2 - - $files/fas-client/fas.conf.j2 - tags: - - config - notify: - - run fasclient - -# -# setup /etc/cron.d/ file to run sync every 10min -# TODO: use cron module when it's fixed -# -#- name: fas_client cron job -# cron: name="fas client" user=root cron_file=fas-client minute="*/10" job="/usr/bin/fasClient -i" -# tags: -# - config - -- name: fas_client cron job - action: copy src=$files/fas-client/fas-client.cron dest=/etc/cron.d/fas-client owner=root mode=644 - tags: - - config diff --git a/tasks/geoip.yml b/tasks/geoip.yml deleted file mode 100644 index d37a5d5d0..000000000 --- a/tasks/geoip.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# install python-geoIP -- name: install python-GeoIP - yum: name=python-GeoIP state=installed - tags: - - packages - -- name: push over the geoip db once - copy: src=$item dest=/usr/share/GeoIP/ - with_fileglob: $bigfiles/geoip/*.dat - -- name: geoip syncing script via cron - copy: src=$files/geoip/geoip_sync dest=/etc/cron.d/geoip_sync mode=0644 - - diff --git a/tasks/mirrorlist.yml b/tasks/mirrorlist.yml deleted file mode 100644 index 0bc4cf81e..000000000 --- a/tasks/mirrorlist.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -# tasklist for setting up the mirrorlist app components -# create mirrormanager user -- name: add mirrormanager user - uid 441 - user: name=mirrormanager uid=441 state=present home=/home/mirrormanager createhome=yes - -- name: install supervisor and mirrormanager - yum: pkg=$item state=installed - with_items: - - supervisor - - mirrormanager - tags: - - packages - -# mirrormanager user ssh key(s) -- name: add authorized_keys for mirrormanager - authorized_key: key="{{ item }}" user=mirrormanager state=present - with_file: - - $files/mirrorlist/mm-authorized_key - -# install mirrorlist-server.conf apache config -- name: mirrorlist-server apache conf - copy: src=$files/mirrorlist/mirrorlist-server.conf dest=/etc/httpd/conf.d/mirrorlist-server.conf - notify: - - restart apache - tags: - - config - -# nuke mirrormanager.conf so that it doesn't start up -- name: kill /etc/httpd/conf.d/mirrrormanager.conf - copy: 'content="#blanked on purpose" dest=/etc/httpd/conf.d/mirrormanager.conf' - notify: - - restart apache - tags: - - config - -# selinux policy - mirrormanager - put in place - for the sockfile -# - -# setup and configure supervisord -- name: /etc/supervisord.conf - copy: src=$files/mirrorlist/supervisord.conf dest=/etc/supervisord.conf mode=0644 - notify: - - restart supervisord - -- name: enable supervisord - service: name=supervisord state=started enabled=yes - diff --git a/tasks/nagios_client.yml b/tasks/nagios_client.yml deleted file mode 100644 index 56093f088..000000000 --- a/tasks/nagios_client.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -# nagios-client/nrpe - ---- -# install pkgs: -- name: install nagios client pkgs - yum: name=$item state=installed - with_items: - - nrpe - - nagios-plugins - - nagios-plugins-disk - - nagios-plugins-file_age - - nagios-plugins-users - - nagios-plugins-procs - - nagios-plugins-swap - - nagios-plugins-load - - nagios-plugins-ping - tags: - - packages - -- name: install local nrpe check scripts that are not packaged - copy: src=$files/nagios/client/scripts/$item dest=/usr/lib64/nagios/plugins/$item mode=0755 owner=nagios group=nagios - with_items: - - check_postfix_queue - - check_raid.py - - check_lock - -# create dirs -# puppet used to make /var/spool/nagios (owned by nagios.nagios) mode 750 -# and /usr/lib/nagios/plugins (owned by root) mode 755 - but we don't know WHY -# then stuff it with plugins from the plugins dir in the nagios module -# then we symlinked that to /usr/lib64/nagios/plugins -# it was a nightmare - don't do that - my ghost will haunt you if you do -# skvidal 2013-05-21 - - -# FIXME? figure out nrpe selinux policy of DOOM is needed - -- name: /etc/nagios/nrpe.cfg - template: src=$files/nagios/client/nrpe.cfg dest=/etc/nagios/nrpe.cfg - notify: - - restart nrpe - tags: - - config - -- name: install nrpe client configs - template: src=$files/nagios/client/$item dest=/etc/nrpe.d/$item - with_items: - - check_mirrorlist_cache.cfg - - check_raid.cfg - - check_cron.cfg - - check_disk.cfg - - check_swap.cfg - - check_postfix_queue.cfg - - check_lock.cfg - notify: - - restart nrpe - tags: - - config - -- name: nrpe service start - service: name=nrpe state=running enabled=true - tags: - - service diff --git a/tasks/postgresql_server.yml b/tasks/postgresql_server.yml deleted file mode 100644 index ca74bc616..000000000 --- a/tasks/postgresql_server.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -# -# Setup postgresql server. -# -- name: install postgresql server packages - yum: name=$item state=installed - with_items: - - postgresql-server - - postgresql-contrib - - postgresql-plpython - tags: - - packages - -- name: initialize postgresql - command: service postgresql initdb - creates=/var/lib/pgsql/data/postgresql.conf - ignore_errors: true - tags: - - service - -- name: Set postgresql-server to run on boot - service: name=postgresql enabled=yes - ignore_errors: true - notify: - - restart postgresql - tags: - - service diff --git a/tasks/rkhunter.yml b/tasks/rkhunter.yml deleted file mode 100644 index 325315b79..000000000 --- a/tasks/rkhunter.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: install rkhunter - yum: name=rkhunter state=present - tags: - - packages - -- name: rkhunter.conf - template: src=$files/rkhunter/rkhunter.conf.j2 dest=/etc/rkhunter.conf mode=0640 - tags: - - config - -- name: rkhunter sysconfig - copy: src=$files/rkhunter/rkhunter.sysconfig dest=/etc/sysconfig/rkhunter mode=0640 - tags: - - config - - -- cgit