[PATCH 1/8] use rkhunter as a role, and use newer construct for the last playbook
Michael Scherer
misc at zarb.org
Mon Aug 19 19:35:17 UTC 2013
---
files/rkhunter/rkhunter.conf.j2 | 590 --------------------------------
files/rkhunter/rkhunter.sysconfig | 11 -
playbooks/groups/arm-packager.yml | 4 +-
playbooks/groups/arm-qa.yml | 4 +-
playbooks/groups/backup-server.yml | 5 +-
playbooks/groups/badges-backend.yml | 4 +-
playbooks/groups/badges-web.yml | 4 +-
playbooks/groups/beaker.yml | 4 +-
playbooks/groups/gallery.yml | 4 +-
playbooks/groups/kernel-qa.yml | 4 +-
playbooks/groups/keyserver.yml | 4 +-
playbooks/groups/koji-hub.yml | 4 +-
playbooks/groups/mailman.yml | 4 +-
playbooks/groups/mirrorlist.yml | 4 +-
playbooks/groups/postgresl-server.yml | 5 +-
playbooks/groups/sign.yml | 4 +-
playbooks/groups/taskbot.yml | 4 +-
playbooks/groups/virthost.yml | 5 +-
playbooks/rkhunter_update.yml | 8 +-
roles/rkhunter/files/rkhunter.conf.j2 | 590 ++++++++++++++++++++++++++++++++
roles/rkhunter/files/rkhunter.sysconfig | 11 +
roles/rkhunter/tasks/main.yml | 18 +
tasks/rkhunter.yml | 18 -
23 files changed, 671 insertions(+), 642 deletions(-)
delete mode 100644 files/rkhunter/rkhunter.conf.j2
delete mode 100644 files/rkhunter/rkhunter.sysconfig
create mode 100644 roles/rkhunter/files/rkhunter.conf.j2
create mode 100644 roles/rkhunter/files/rkhunter.sysconfig
create mode 100644 roles/rkhunter/tasks/main.yml
delete mode 100644 tasks/rkhunter.yml
diff --git a/files/rkhunter/rkhunter.conf.j2 b/files/rkhunter/rkhunter.conf.j2
deleted file mode 100644
index 7055175..0000000
--- a/files/rkhunter/rkhunter.conf.j2
+++ /dev/null
@@ -1,590 +0,0 @@
-#
-# This is the configuration file for Rootkit Hunter.
-#
-# Please modify it to your own requirements.
-# Please review the documentation before posting bug reports or questions.
-# To report bugs, obtain updates, or provide patches or comments, please go to:
-# http://rkhunter.sourceforge.net
-#
-# To ask questions about rkhunter, please use the rkhunter-users mailing list.
-# Note this is a moderated list: please subscribe before posting.
-#
-# Lines beginning with a hash (#), and blank lines, will be ignored.
-#
-# Most of the following options need only be specified once. If
-# they appear more than once, then the last one seen will be used.
-# Some options are allowed to appear more than once, and the text
-# describing the option will say if this is so.
-#
-
-#
-# If this option is set to 1, it specifies that the mirrors file, which
-# is used when the '--update' and '--versioncheck' options are used, is
-# to be rotated. Rotating the entries in the file allows a basic form
-# of load-balancing between the mirror sites whenever the above options
-# are used.
-# If the option is set to 0, then the mirrors will be treated as if in
-# a priority list. That is, the first mirror will always be used. The
-# second mirror will only be used if the first mirror fails, then the
-# third mirror will be used if the second fails and so on.
-#
-
-ROTATE_MIRRORS=1
-
-#
-# If this option is set to 1, it specifies that when the '--update'
-# option is used, then the mirrors file is to be checked for updates
-# as well. If the current mirrors file contains any local mirrors,
-# these will be prepended to the updated file.
-# If this option is set to 0, the mirrors file can only be updated
-# manually. This may be useful if only using local mirrors.
-#
-UPDATE_MIRRORS=1
-
-#
-# The MIRRORS_MODE option tells rkhunter which mirrors are to be
-# used when the '--update' or '--versioncheck' command-line options
-# are given. Possible values are:
-# 0 - use any mirror (the default)
-# 1 - only use local mirrors
-# 2 - only use remote mirrors
-#
-# Local and remote mirrors can be defined in the mirrors.dat file
-# by using the 'local=' and 'remote=' keywords respectively.
-#
-MIRRORS_MODE=0
-
-#
-# Email a message to this address if a warning is found when the
-# system is being checked. Multiple addresses may be specified
-# simply be separating them with a space.
-#
-MAIL-ON-WARNING=""
-
-#
-# Specify the mail command to use if MAIL-ON-WARNING is set.
-# NOTE: Double quotes are not required around the command, but
-# are required around the subject line if it contains spaces.
-#
-MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
-
-#
-# Specify the temporary directory to use.
-#
-# NOTE: Do not use /tmp as your temporary directory. Some
-# important files will be written to this directory, so be
-# sure that the directory permissions are tight.
-#
-TMPDIR=/var/lib/rkhunter
-
-#
-# Specify the database directory to use.
-#
-DBDIR=/var/lib/rkhunter/db
-
-#
-# Specify the script directory to use.
-#
-SCRIPTDIR=/usr/share/rkhunter/scripts
-
-#
-# Specify the root directory to use.
-#
-#ROOTDIR=""
-
-#
-# Specify the command directories to be checked. This is a
-# space-separated list of directories.
-#
-BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
-
-#
-# Specify the language to use. This should be similar
-# to the ISO 639 language code.
-#
-# NOTE: Please ensure that the language you specify is supported.
-# For a list of supported languages use the following command:
-#
-# rkhunter --lang en --list languages
-#
-#LANGUAGE=en
-
-#
-# Specify the log file pathname.
-#
-LOGFILE=/var/log/rkhunter/rkhunter.log
-
-#
-# Set the following option to 1 if the log file is to be appended to
-# whenever rkhunter is run.
-#
-
-
-#
-# Set the following option to enable the rkhunter check start and finish
-# times to be logged by syslog. Warning messages will also be logged.
-# The value of the option must be a standard syslog facility and
-# priority, separated by a dot.
-#
-# For example: USE_SYSLOG=authpriv.warning
-#
-# Setting the value to 'none', or just leaving the option commented out,
-# disables the use of syslog.
-#
-USE_SYSLOG=authpriv.notice
-
-#
-# Set the following option to 1 if the second colour set is to be used.
-# This can be useful if your screen uses black characters on a white
-# background (for example, a PC instead of a server).
-#
-COLOR_SET2=0
-
-#
-# Set the following option to 0 if rkhunter should not detect if X is
-# being used. If X is detected as being used, then the second colour
-# set will automatically be used.
-#
-AUTO_X_DETECT=1
-
-#
-# The following option is checked against the SSH configuration file
-# 'PermitRootLogin' option. A warning will be displayed if they do not
-# match. However, if a value has not been set in the SSH configuration
-# file, then a value here of 'yes' or 'unset' will not cause a warning.
-# This option has a default value of 'no'.
-#
-ALLOW_SSH_ROOT_USER=without-password
-
-#
-# Set this option to '1' to allow the use of the SSH-1 protocol, but note
-# that theoretically it is weaker, and therefore less secure, than the
-# SSH-2 protocol. Do not modify this option unless you have good reasons
-# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
-# authentication). If the 'Protocol' option has not been set in the SSH
-# configuration file, then a value of '2' may be set here in order to
-# suppress a warning message. This option has a default value of '0'.
-#
-ALLOW_SSH_PROT_V1=0
-
-#
-# This setting tells rkhunter the directory containing the SSH configuration
-# file. This setting will be worked out by rkhunter, and so should not
-# usually need to be set.
-#
-#SSH_CONFIG_DIR=/etc/ssh
-
-#
-# These two options determine which tests are to be performed.
-# The ENABLE_TESTS option can use the word 'all' to refer to all the
-# available tests. The DISABLE_TESTS option can use the word 'none' to
-# mean that no tests are disabled. The list of disabled tests is applied to
-# the list of enabled tests. Both options are space-separated lists of test
-# names. The currently available test names can be seen by using the command
-# 'rkhunter --list tests'.
-#
-# The program defaults are to enable all tests and disable none. However, if
-# either option is specified in this file, then it overrides the program
-# default. The supplied rkhunter.conf file has some tests already disabled,
-# and these are tests that will be used only incidentally, can be considered
-# "advanced" or those that are prone to produce more than the "average" number
-# of "false positives".
-#
-# Please read the README file for more details about enabling and disabling
-# tests, the test names, and how rkhunter behaves when these options are used.
-#
-ENABLE_TESTS="all"
-DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
-
-#
-# The HASH_FUNC option can be used to specify the command to use
-# for the file hash value check. It can be specified as just
-# the command name or the full pathname. Systems using prelinking
-# are restricted to using either SHA1 or MD5 functions. To get rkhunter
-# to look for the sha1(sum)/md5(sum) command, or to use the supplied
-# perl scripts, simply specify this option as 'SHA1' or 'MD5' in
-# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found.
-#
-# A value of 'NONE' (in uppercase) can be specified to indicate that
-# no hash function should be used. Rootkit Hunter will detect this and
-# automatically disable the file hash checks.
-#
-# Examples:
-# For Solaris 9 : HASH_FUNC=gmd5sum
-# For Solaris 10: HASH_FUNC=sha1sum
-# For AIX (>5.2): HASH_FUNC="csum -hMD5"
-# For NetBSD : HASH_FUNC="cksum -a sha512"
-#
-# NOTE: If the hash function is changed then you MUST run rkhunter with
-# the '--propupd' option to rebuild the file properties database.
-#
-HASH_FUNC=sha1sum
-
-#
-# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
-# command output contains the hash value. The fields are assumed to
-# be space-separated. The default value is one, but for *BSD users
-# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
-# has not been set. The option value must be a positive integer.
-#
-#HASH_FLD_IDX=4
-
-#
-# The PKGMGR option tells rkhunter to use the specified package manager
-# to obtain the file property information. This is used when updating
-# the file properties file 'rkhunter.dat', and when running the file
-# properties check. For RedHat/RPM-based systems, 'RPM' can be used
-# to get information from the RPM database. For Debian-based systems
-# 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
-# No value, or a value of 'NONE', indicates that no package manager
-# is to be used. The default is 'NONE'.
-#
-# The current package managers store the file hash values using an
-# MD5 hash function.
-#
-# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
-# The 'RPM' package manager additionally provides values for the inode,
-# file permissions, uid, gid and other values.
-#
-# For any file not part of a package, rkhunter will revert to using
-# the HASH_FUNC hash function instead.
-#
-PKGMGR=RPM
-
-#
-# Whitelist various attributes of the specified files.
-# The attributes are those of the 'attributes' test.
-# Specifying a file name here does not include it being
-# whitelisted for the write permission test below.
-# One command per line (use multiple ATTRWHITELIST lines).
-#
-#ATTRWHITELIST=/bin/ps
-
-#
-# Allow the specified commands to have the 'others'
-# (world) permission have the write-bit set.
-#
-# For example, files with permissions r-xr-xrwx
-# or rwxrwxrwx.
-#
-# One command per line (use multiple WRITEWHITELIST lines).
-#
-#WRITEWHITELIST=/bin/ps
-
-#
-# Allow the specified commands to be scripts.
-# One command per line (use multiple SCRIPTWHITELIST lines).
-#
-#SCRIPTWHITELIST=/sbin/ifup
-#SCRIPTWHITELIST=/sbin/ifdown
-#SCRIPTWHITELIST=/usr/bin/groups
-
-#
-# Allow the specified commands to have the immutable attribute set.
-# One command per line (use multiple IMMUTWHITELIST lines).
-#
-#IMMUTWHITELIST=/sbin/ifup
-
-#
-# Allow the specified hidden directories.
-# One directory per line (use multiple ALLOWHIDDENDIR lines).
-#
-ALLOWHIDDENDIR=/dev/.udev
-ALLOWHIDDENDIR=/dev/.mdadm
-ALLOWHIDDENDIR=/dev/.systemd
-ALLOWHIDDENDIR=/dev/.mount
-ALLOWHIDDENDIR=/dev/.udevdb
-ALLOWHIDDENDIR=/dev/.udev.tdb
-ALLOWHIDDENDIR=/dev/.udev/db
-ALLOWHIDDENDIR=/dev/.udev/rules.d
-
-#
-# Allow the specified hidden files.
-# One file per line (use multiple ALLOWHIDDENFILE lines).
-#
-ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
-ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
-ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
-ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
-ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
-ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
-ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac
-ALLOWHIDDENFILE=/dev/.udev/queue.bin
-ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum
-
-#
-# Allow the specified processes to use deleted files.
-# One process per line (use multiple ALLOWPROCDELFILE lines).
-#
-#ALLOWPROCDELFILE=/sbin/cardmgr
-#ALLOWPROCDELFILE=/usr/sbin/gpm
-#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
-#ALLOWPROCDELFILE=/usr/sbin/mysqld
-
-#
-# Allow the specified processes to listen on any network interface.
-# One process per line (use multiple ALLOWPROCLISTEN lines).
-#
-#ALLOWPROCLISTEN=/sbin/dhclient
-#ALLOWPROCLISTEN=/usr/bin/dhcpcd
-#ALLOWPROCLISTEN=/usr/sbin/pppoe
-#ALLOWPROCLISTEN=/usr/sbin/tcpdump
-#ALLOWPROCLISTEN=/usr/sbin/snort-plain
-#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant
-
-#
-# SCAN_MODE_DEV governs how we scan /dev for suspicious files.
-# The two allowed options are: THOROUGH or LAZY.
-# If commented out we do a THOROUGH scan which will increase the runtime.
-# Even though this adds to the running time it is highly recommended to
-# leave it like this.
-#
-#SCAN_MODE_DEV=THOROUGH
-
-#
-# Allow the specified files to be present in the /dev directory,
-# and not regarded as suspicious. One file per line (use multiple
-# ALLOWDEVFILE lines).
-#
-#ALLOWDEVFILE=/dev/abc
-#ALLOWDEVFILE=/dev/shm/pulse-shm-*
-ALLOWDEVFILE=/dev/shm/sem.slapd-FEDORAPROJECT-ORG.stats
-ALLOWDEVFILE=/dev/md/md-device-map
-ALLOWDEVFILE=/dev/.udev/queue.bin
-ALLOWDEVFILE=/dev/.udev/db/*
-ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
-ALLOWDEVFILE=/dev/.udev/uevent_seqnum
-ALLOWDEVFILE=/dev/md/autorebuild.pid
-
-#
-# This setting tells rkhunter where the inetd configuration
-# file is located.
-#
-#INETD_CONF_PATH=/etc/inetd.conf
-
-#
-# Allow the following enabled inetd services.
-# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
-#
-# Below are some Solaris 9 and 10 services that may want to be whitelisted.
-#
-#INETD_ALLOWED_SVC=echo
-#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd
-#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto
-#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd
-#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
-#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
-#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd
-#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd
-#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd
-#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd
-#INETD_ALLOWED_SVC=/usr/lib/gss/gssd
-#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader
-#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd
-#INETD_ALLOWED_SVC=/network/rpc/mdcomm
-#INETD_ALLOWED_SVC=/network/rpc/meta
-#INETD_ALLOWED_SVC=/network/rpc/metamed
-#INETD_ALLOWED_SVC=/network/rpc/metamh
-#INETD_ALLOWED_SVC=/network/security/ktkt_warn
-#INETD_ALLOWED_SVC=/application/x11/xfs
-#INETD_ALLOWED_SVC=/application/print/rfc1179
-#INETD_ALLOWED_SVC=/application/font/stfsloader
-#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
-#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
-#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp
-
-#
-# This setting tells rkhunter where the xinetd configuration
-# file is located.
-#
-#XINETD_CONF_PATH=/etc/xinetd.conf
-
-#
-# Allow the following enabled xinetd services. Whilst it would be
-# nice to use the service names themselves, at the time of testing
-# we only have the pathname available. As such, these entries are
-# the xinetd file pathnames.
-# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
-#
-XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync
-XINETD_ALLOWED_SVC=/etc/xinetd.d/cvspserver
-XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp
-XINETD_ALLOWED_SVC=/etc/xinetd.d/git-server
-XINETD_ALLOWED_SVC=/etc/xinetd.d/git
-XINETD_ALLOWED_SVC=/etc/xinetd.d/bzr-server
-
-#
-# This setting tells rkhunter the local system startup file pathnames.
-# More than one file may be present on the system, and so this option
-# can be a space-separated list. This setting will be worked out by
-# rkhunter, and so should not usually need to be set.
-#
-# If the system uses a directory of local startup scripts, then rather
-# that setting all the file names here, leave this setting blank, and
-# specify the directory name in SYSTEM_RC_DIR instead.
-#
-# If the system does not use a local startup script at all, then this
-# setting can be set to 'none'. Without this, rkhunter would give a
-# warning that no local startup script could be found.
-#
-#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit"
-
-#
-# This setting tells rkhunter the local system startup file directory.
-# This setting will be worked out by rkhunter, and so should not usually
-# need to be set.
-#
-#SYSTEM_RC_DIR=/etc/rc.d
-
-#
-# This setting tells rkhunter the pathname to the file containing the
-# user account passwords. This setting will be worked out by rkhunter,
-# and so should not usually need to be set.
-#
-PASSWORD_FILE=/etc/shadow
-
-#
-# Allow the following accounts to be root equivalent. These accounts
-# will have a UID value of zero. This option is a space-separated list
-# of account names. The 'root' account does not need to be listed as it
-# is automatically whitelisted.
-#
-# Note: For *BSD systems you may need to enable this for the 'toor' account.
-#
-#UID0_ACCOUNTS="toor rooty"
-
-#
-# Allow the following accounts to have no password. This option is a
-# space-separated list of account names. NIS/YP entries do not need to
-# be listed as they are automatically whitelisted.
-#
-#PWDLESS_ACCOUNTS="abc"
-
-#
-# This setting tells rkhunter the pathname to the syslog configuration
-# file. This setting will be worked out by rkhunter, and so should not
-# usually need to be set.
-#
-#SYSLOG_CONFIG_FILE=/etc/syslog.conf
-
-#
-# This option permits the use of syslog remote logging.
-#
-ALLOW_SYSLOG_REMOTE_LOGGING=1
-
-#
-# Allow the following applications, or a specific version of an application,
-# to be whitelisted. This option is a space-separated list consisting of the
-# application names. If a specific version is to be whitelisted, then the
-# name must be followed by a colon and then the version number.
-#
-# For example: APP_WHITELIST="openssl:0.9.7d gpg"
-#
-APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1"
-
-#
-# Scan for suspicious files in directories containing temporary files and
-# directories posing a relatively higher risk due to user write access.
-# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
-# producing false positives. Do review all settings before usage.
-# Also be aware that running suspscan in combination with verbose logging on,
-# RKH's default, will show all ignored files.
-# Please consider adding all directories the user the (web)server runs as has
-# write access to including the document root (example: "/var/www") and log
-# directories (example: "/var/log/httpd").
-#
-# A space-separated list of directories to scan.
-#
-SUSPSCAN_DIRS="/tmp /var/tmp"
-
-#
-# Directory for temporary files. A memory-based one is better (faster).
-# Do not use a directory name that is listed in SUSPSCAN_DIRS.
-# Please make sure you have a tempfs mounted and the directory exists.
-#
-SUSPSCAN_TEMP=/dev/shm
-
-#
-# Maximum filesize in bytes. Files larger than this will not be inspected.
-# Do make sure you have enough space left in your temporary files directory.
-#
-SUSPSCAN_MAXSIZE=10240000
-
-#
-# Score threshold. Below this value no hits will be reported.
-# A value of "200" seems "good" after testing on malware. Please adjust
-# locally if necessary.
-#
-SUSPSCAN_THRESH=200
-
-#
-# The following option can be used to whitelist network ports which
-# are known to have been used by malware. The option is a space-
-# separated list of one or more of three types of whitelisting.
-# These are:
-#
-# 1) a 'protocol:port' pair (e.g. TCP:25)
-# 2) a pathname to an executable (e.g. /usr/sbin/squid)
-# 3) an asterisk ('*')
-#
-# Only the UDP or TCP protocol may be specified, and the port number
-# must be between 1 and 65535 inclusive.
-#
-# The asterisk can be used to indicate that any executable in a trusted
-# path directory will be whitelisted. A trusted path directory is one which
-# rkhunter uses to locate commands. It is composed of the root PATH
-# environment variable, and the BINDIR command-line or configuration
-# file option.
-#
-# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
-#
-#PORT_WHITELIST=""
-
-#
-# The following option can be used to tell rkhunter where the operating
-# system 'release' file is located. This file contains information
-# specifying the current O/S version. RKH will store this information
-# itself, and check to see if it has changed between each run. If it has
-# changed, then the user is warned that RKH may issue warning messages
-# until RKH has been run with the '--propupd' option.
-#
-# Since the contents of the file vary according to the O/S distribution,
-# RKH will perform different actions when it detects the file itself. As
-# such, this option should not be set unless necessary. If this option is
-# specified, then RKH will assume the O/S release information is on the
-# first non-blank line of the file.
-#
-# {{ ansible_distribution|lower }}
-OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release
-
-#
-# The following two options can be used to whitelist files and directories
-# that would normally be flagged with a warning during the rootkit checks.
-# If the file or directory name contains a space, then the percent character
-# ('%') must be used instead. Only existing files and directories can be
-# specified.
-#
-#RTKT_DIR_WHITELIST=""
-#RTKT_FILE_WHITELIST=""
-
-#
-# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
-# command, then the following two options can be used. The value must be
-# set to 'BUILTIN'.
-#
-# NOTE: IRIX users will probably need to enable STAT_CMD.
-#
-#STAT_CMD=BUILTIN
-#READLINK_CMD=BUILTIN
-
-INSTALLDIR=/usr
-SCRIPTWHITELIST=/usr/bin/whatis
-SCRIPTWHITELIST=/usr/bin/ldd
-SCRIPTWHITELIST=/usr/bin/groups
-SCRIPTWHITELIST=/usr/bin/GET
-SCRIPTWHITELIST=/sbin/ifup
-SCRIPTWHITELIST=/sbin/ifdown
diff --git a/files/rkhunter/rkhunter.sysconfig b/files/rkhunter/rkhunter.sysconfig
deleted file mode 100644
index 0c463db..0000000
--- a/files/rkhunter/rkhunter.sysconfig
+++ /dev/null
@@ -1,11 +0,0 @@
-# System configuration file for Rootkit Hunter which
-# stores RPM system specifics for cron run, etc.
-#
-# MAILTO= <email address to send scan report>
-# DIAG_SCAN= no - perform normal report scan
-# yes - perform detailed report scan
-# (includes application check)
-
-MAILTO=smooge at fedoraproject.org,kevin at fedoraproject.org
-DIAG_SCAN=no
-
diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml
index efdc0fa..e8008f9 100644
--- a/playbooks/groups/arm-packager.yml
+++ b/playbooks/groups/arm-packager.yml
@@ -11,6 +11,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
@@ -20,7 +23,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
handlers:
diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml
index af789b2..d9a745b 100644
--- a/playbooks/groups/arm-qa.yml
+++ b/playbooks/groups/arm-qa.yml
@@ -11,6 +11,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
@@ -20,7 +23,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
handlers:
diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml
index 965c8cb..8b95ebb 100644
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@@ -13,7 +13,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
- tasks:
+ roles:
+ - rkhunter
+
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
@@ -22,7 +24,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
- include: $tasks/mysql_server.yml
diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml
index 77514dd..73aba95 100644
--- a/playbooks/groups/badges-backend.yml
+++ b/playbooks/groups/badges-backend.yml
@@ -29,6 +29,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
@@ -37,7 +40,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
- include: $tasks/openvpn_client.yml
diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml
index c93eb85..15ae8df 100644
--- a/playbooks/groups/badges-web.yml
+++ b/playbooks/groups/badges-web.yml
@@ -32,6 +32,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
@@ -40,7 +43,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
- include: $tasks/openvpn_client.yml
diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml
index ddd2dd2..1be9e9d 100644
--- a/playbooks/groups/beaker.yml
+++ b/playbooks/groups/beaker.yml
@@ -28,6 +28,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
@@ -38,7 +41,6 @@
- include: $tasks/collectd/client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml
index 596ce8b..a99a438 100644
--- a/playbooks/groups/gallery.yml
+++ b/playbooks/groups/gallery.yml
@@ -29,6 +29,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
@@ -37,7 +40,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
- include: $tasks/fedmsg_base.yml
diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/groups/kernel-qa.yml
index b08ebe3..4f2fdc7 100644
--- a/playbooks/groups/kernel-qa.yml
+++ b/playbooks/groups/kernel-qa.yml
@@ -12,6 +12,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
@@ -21,7 +24,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml
index d8a4ba7..0b9e190 100644
--- a/playbooks/groups/keyserver.yml
+++ b/playbooks/groups/keyserver.yml
@@ -29,6 +29,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
@@ -37,7 +40,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
- include: $tasks/fedmsg_base.yml
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index 4d26766..6b9725f 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -30,6 +30,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
@@ -38,7 +41,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
- include: $tasks/collectd/client.yml
diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml
index d85eab8..cd3af1c 100644
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -28,6 +28,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
@@ -38,7 +41,6 @@
- include: $tasks/collectd/client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml
index a6bc4d1..dbc70ed 100644
--- a/playbooks/groups/mirrorlist.yml
+++ b/playbooks/groups/mirrorlist.yml
@@ -38,6 +38,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
@@ -49,7 +52,6 @@
- include: $tasks/openvpn_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
- include: $tasks/apache.yml
diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml
index d95801d..44f9934 100644
--- a/playbooks/groups/postgresl-server.yml
+++ b/playbooks/groups/postgresl-server.yml
@@ -30,7 +30,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
- tasks:
+ roles:
+ - rkhunter
+
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
@@ -39,7 +41,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
- include: $tasks/collectd/client.yml
diff --git a/playbooks/groups/sign.yml b/playbooks/groups/sign.yml
index c287286..1c5c64d 100644
--- a/playbooks/groups/sign.yml
+++ b/playbooks/groups/sign.yml
@@ -19,9 +19,11 @@
tasks:
- include: $tasks/base.yml
- include: $tasks/serialgetty.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/motd.yml
- include: $tasks/sign_setup.yml
+ roles:
+ - rkhunter
+
handlers:
- include: $handlers/restart_services.yml
diff --git a/playbooks/groups/taskbot.yml b/playbooks/groups/taskbot.yml
index 5c4e24a..47bb3a2 100644
--- a/playbooks/groups/taskbot.yml
+++ b/playbooks/groups/taskbot.yml
@@ -28,6 +28,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
+ roles:
+ - rkhunter
+
tasks:
# this is how you include other task lists
- include: $tasks/hosts.yml
@@ -38,7 +41,6 @@
- include: $tasks/collectd/client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 5d5b22c..6d22a47 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -12,7 +12,9 @@
- ${private}/vars.yml
- ${vars}/${ansible_distribution}.yml
- tasks:
+ roles:
+ - rkhunter
+
tasks:
- include: $tasks/hosts.yml
- include: $tasks/yumrepos.yml
@@ -21,7 +23,6 @@
- include: $tasks/2fa_client.yml
- include: $tasks/motd.yml
- include: $tasks/sudo.yml
- - include: $tasks/rkhunter.yml
- include: $tasks/denyhosts.yml
- include: $tasks/nagios_client.yml
- include: $tasks/collectd/client.yml
diff --git a/playbooks/rkhunter_update.yml b/playbooks/rkhunter_update.yml
index a47d6bf..c69ea64 100644
--- a/playbooks/rkhunter_update.yml
+++ b/playbooks/rkhunter_update.yml
@@ -6,20 +6,20 @@
tasks:
- name: expire-caches
- action: command yum clean expire-cache
+ command: yum clean expire-cache
- name: yum -y ${yumcommand}
- action: command yum -y ${yumcommand}
+ command: yum -y ${yumcommand}
async: 7200
poll: 15
- name: check for rkhunter
- action: command /usr/bin/test -f /usr/bin/rkhunter
+ command: /usr/bin/test -f /usr/bin/rkhunter
register: rkhunter
ignore_errors: true
- name: run rkhunter --propupd
- action: command /usr/bin/rkhunter --propupd
+ command: /usr/bin/rkhunter --propupd
when: rkhunter|success
diff --git a/roles/rkhunter/files/rkhunter.conf.j2 b/roles/rkhunter/files/rkhunter.conf.j2
new file mode 100644
index 0000000..7055175
--- /dev/null
+++ b/roles/rkhunter/files/rkhunter.conf.j2
@@ -0,0 +1,590 @@
+#
+# This is the configuration file for Rootkit Hunter.
+#
+# Please modify it to your own requirements.
+# Please review the documentation before posting bug reports or questions.
+# To report bugs, obtain updates, or provide patches or comments, please go to:
+# http://rkhunter.sourceforge.net
+#
+# To ask questions about rkhunter, please use the rkhunter-users mailing list.
+# Note this is a moderated list: please subscribe before posting.
+#
+# Lines beginning with a hash (#), and blank lines, will be ignored.
+#
+# Most of the following options need only be specified once. If
+# they appear more than once, then the last one seen will be used.
+# Some options are allowed to appear more than once, and the text
+# describing the option will say if this is so.
+#
+
+#
+# If this option is set to 1, it specifies that the mirrors file, which
+# is used when the '--update' and '--versioncheck' options are used, is
+# to be rotated. Rotating the entries in the file allows a basic form
+# of load-balancing between the mirror sites whenever the above options
+# are used.
+# If the option is set to 0, then the mirrors will be treated as if in
+# a priority list. That is, the first mirror will always be used. The
+# second mirror will only be used if the first mirror fails, then the
+# third mirror will be used if the second fails and so on.
+#
+
+ROTATE_MIRRORS=1
+
+#
+# If this option is set to 1, it specifies that when the '--update'
+# option is used, then the mirrors file is to be checked for updates
+# as well. If the current mirrors file contains any local mirrors,
+# these will be prepended to the updated file.
+# If this option is set to 0, the mirrors file can only be updated
+# manually. This may be useful if only using local mirrors.
+#
+UPDATE_MIRRORS=1
+
+#
+# The MIRRORS_MODE option tells rkhunter which mirrors are to be
+# used when the '--update' or '--versioncheck' command-line options
+# are given. Possible values are:
+# 0 - use any mirror (the default)
+# 1 - only use local mirrors
+# 2 - only use remote mirrors
+#
+# Local and remote mirrors can be defined in the mirrors.dat file
+# by using the 'local=' and 'remote=' keywords respectively.
+#
+MIRRORS_MODE=0
+
+#
+# Email a message to this address if a warning is found when the
+# system is being checked. Multiple addresses may be specified
+# simply be separating them with a space.
+#
+MAIL-ON-WARNING=""
+
+#
+# Specify the mail command to use if MAIL-ON-WARNING is set.
+# NOTE: Double quotes are not required around the command, but
+# are required around the subject line if it contains spaces.
+#
+MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+
+#
+# Specify the temporary directory to use.
+#
+# NOTE: Do not use /tmp as your temporary directory. Some
+# important files will be written to this directory, so be
+# sure that the directory permissions are tight.
+#
+TMPDIR=/var/lib/rkhunter
+
+#
+# Specify the database directory to use.
+#
+DBDIR=/var/lib/rkhunter/db
+
+#
+# Specify the script directory to use.
+#
+SCRIPTDIR=/usr/share/rkhunter/scripts
+
+#
+# Specify the root directory to use.
+#
+#ROOTDIR=""
+
+#
+# Specify the command directories to be checked. This is a
+# space-separated list of directories.
+#
+BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
+
+#
+# Specify the language to use. This should be similar
+# to the ISO 639 language code.
+#
+# NOTE: Please ensure that the language you specify is supported.
+# For a list of supported languages use the following command:
+#
+# rkhunter --lang en --list languages
+#
+#LANGUAGE=en
+
+#
+# Specify the log file pathname.
+#
+LOGFILE=/var/log/rkhunter/rkhunter.log
+
+#
+# Set the following option to 1 if the log file is to be appended to
+# whenever rkhunter is run.
+#
+
+
+#
+# Set the following option to enable the rkhunter check start and finish
+# times to be logged by syslog. Warning messages will also be logged.
+# The value of the option must be a standard syslog facility and
+# priority, separated by a dot.
+#
+# For example: USE_SYSLOG=authpriv.warning
+#
+# Setting the value to 'none', or just leaving the option commented out,
+# disables the use of syslog.
+#
+USE_SYSLOG=authpriv.notice
+
+#
+# Set the following option to 1 if the second colour set is to be used.
+# This can be useful if your screen uses black characters on a white
+# background (for example, a PC instead of a server).
+#
+COLOR_SET2=0
+
+#
+# Set the following option to 0 if rkhunter should not detect if X is
+# being used. If X is detected as being used, then the second colour
+# set will automatically be used.
+#
+AUTO_X_DETECT=1
+
+#
+# The following option is checked against the SSH configuration file
+# 'PermitRootLogin' option. A warning will be displayed if they do not
+# match. However, if a value has not been set in the SSH configuration
+# file, then a value here of 'yes' or 'unset' will not cause a warning.
+# This option has a default value of 'no'.
+#
+ALLOW_SSH_ROOT_USER=without-password
+
+#
+# Set this option to '1' to allow the use of the SSH-1 protocol, but note
+# that theoretically it is weaker, and therefore less secure, than the
+# SSH-2 protocol. Do not modify this option unless you have good reasons
+# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
+# authentication). If the 'Protocol' option has not been set in the SSH
+# configuration file, then a value of '2' may be set here in order to
+# suppress a warning message. This option has a default value of '0'.
+#
+ALLOW_SSH_PROT_V1=0
+
+#
+# This setting tells rkhunter the directory containing the SSH configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+#SSH_CONFIG_DIR=/etc/ssh
+
+#
+# These two options determine which tests are to be performed.
+# The ENABLE_TESTS option can use the word 'all' to refer to all the
+# available tests. The DISABLE_TESTS option can use the word 'none' to
+# mean that no tests are disabled. The list of disabled tests is applied to
+# the list of enabled tests. Both options are space-separated lists of test
+# names. The currently available test names can be seen by using the command
+# 'rkhunter --list tests'.
+#
+# The program defaults are to enable all tests and disable none. However, if
+# either option is specified in this file, then it overrides the program
+# default. The supplied rkhunter.conf file has some tests already disabled,
+# and these are tests that will be used only incidentally, can be considered
+# "advanced" or those that are prone to produce more than the "average" number
+# of "false positives".
+#
+# Please read the README file for more details about enabling and disabling
+# tests, the test names, and how rkhunter behaves when these options are used.
+#
+ENABLE_TESTS="all"
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
+
+#
+# The HASH_FUNC option can be used to specify the command to use
+# for the file hash value check. It can be specified as just
+# the command name or the full pathname. Systems using prelinking
+# are restricted to using either SHA1 or MD5 functions. To get rkhunter
+# to look for the sha1(sum)/md5(sum) command, or to use the supplied
+# perl scripts, simply specify this option as 'SHA1' or 'MD5' in
+# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found.
+#
+# A value of 'NONE' (in uppercase) can be specified to indicate that
+# no hash function should be used. Rootkit Hunter will detect this and
+# automatically disable the file hash checks.
+#
+# Examples:
+# For Solaris 9 : HASH_FUNC=gmd5sum
+# For Solaris 10: HASH_FUNC=sha1sum
+# For AIX (>5.2): HASH_FUNC="csum -hMD5"
+# For NetBSD : HASH_FUNC="cksum -a sha512"
+#
+# NOTE: If the hash function is changed then you MUST run rkhunter with
+# the '--propupd' option to rebuild the file properties database.
+#
+HASH_FUNC=sha1sum
+
+#
+# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
+# command output contains the hash value. The fields are assumed to
+# be space-separated. The default value is one, but for *BSD users
+# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
+# has not been set. The option value must be a positive integer.
+#
+#HASH_FLD_IDX=4
+
+#
+# The PKGMGR option tells rkhunter to use the specified package manager
+# to obtain the file property information. This is used when updating
+# the file properties file 'rkhunter.dat', and when running the file
+# properties check. For RedHat/RPM-based systems, 'RPM' can be used
+# to get information from the RPM database. For Debian-based systems
+# 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
+# No value, or a value of 'NONE', indicates that no package manager
+# is to be used. The default is 'NONE'.
+#
+# The current package managers store the file hash values using an
+# MD5 hash function.
+#
+# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
+# The 'RPM' package manager additionally provides values for the inode,
+# file permissions, uid, gid and other values.
+#
+# For any file not part of a package, rkhunter will revert to using
+# the HASH_FUNC hash function instead.
+#
+PKGMGR=RPM
+
+#
+# Whitelist various attributes of the specified files.
+# The attributes are those of the 'attributes' test.
+# Specifying a file name here does not include it being
+# whitelisted for the write permission test below.
+# One command per line (use multiple ATTRWHITELIST lines).
+#
+#ATTRWHITELIST=/bin/ps
+
+#
+# Allow the specified commands to have the 'others'
+# (world) permission have the write-bit set.
+#
+# For example, files with permissions r-xr-xrwx
+# or rwxrwxrwx.
+#
+# One command per line (use multiple WRITEWHITELIST lines).
+#
+#WRITEWHITELIST=/bin/ps
+
+#
+# Allow the specified commands to be scripts.
+# One command per line (use multiple SCRIPTWHITELIST lines).
+#
+#SCRIPTWHITELIST=/sbin/ifup
+#SCRIPTWHITELIST=/sbin/ifdown
+#SCRIPTWHITELIST=/usr/bin/groups
+
+#
+# Allow the specified commands to have the immutable attribute set.
+# One command per line (use multiple IMMUTWHITELIST lines).
+#
+#IMMUTWHITELIST=/sbin/ifup
+
+#
+# Allow the specified hidden directories.
+# One directory per line (use multiple ALLOWHIDDENDIR lines).
+#
+ALLOWHIDDENDIR=/dev/.udev
+ALLOWHIDDENDIR=/dev/.mdadm
+ALLOWHIDDENDIR=/dev/.systemd
+ALLOWHIDDENDIR=/dev/.mount
+ALLOWHIDDENDIR=/dev/.udevdb
+ALLOWHIDDENDIR=/dev/.udev.tdb
+ALLOWHIDDENDIR=/dev/.udev/db
+ALLOWHIDDENDIR=/dev/.udev/rules.d
+
+#
+# Allow the specified hidden files.
+# One file per line (use multiple ALLOWHIDDENFILE lines).
+#
+ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
+ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
+ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
+ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
+ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac
+ALLOWHIDDENFILE=/dev/.udev/queue.bin
+ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum
+
+#
+# Allow the specified processes to use deleted files.
+# One process per line (use multiple ALLOWPROCDELFILE lines).
+#
+#ALLOWPROCDELFILE=/sbin/cardmgr
+#ALLOWPROCDELFILE=/usr/sbin/gpm
+#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
+#ALLOWPROCDELFILE=/usr/sbin/mysqld
+
+#
+# Allow the specified processes to listen on any network interface.
+# One process per line (use multiple ALLOWPROCLISTEN lines).
+#
+#ALLOWPROCLISTEN=/sbin/dhclient
+#ALLOWPROCLISTEN=/usr/bin/dhcpcd
+#ALLOWPROCLISTEN=/usr/sbin/pppoe
+#ALLOWPROCLISTEN=/usr/sbin/tcpdump
+#ALLOWPROCLISTEN=/usr/sbin/snort-plain
+#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant
+
+#
+# SCAN_MODE_DEV governs how we scan /dev for suspicious files.
+# The two allowed options are: THOROUGH or LAZY.
+# If commented out we do a THOROUGH scan which will increase the runtime.
+# Even though this adds to the running time it is highly recommended to
+# leave it like this.
+#
+#SCAN_MODE_DEV=THOROUGH
+
+#
+# Allow the specified files to be present in the /dev directory,
+# and not regarded as suspicious. One file per line (use multiple
+# ALLOWDEVFILE lines).
+#
+#ALLOWDEVFILE=/dev/abc
+#ALLOWDEVFILE=/dev/shm/pulse-shm-*
+ALLOWDEVFILE=/dev/shm/sem.slapd-FEDORAPROJECT-ORG.stats
+ALLOWDEVFILE=/dev/md/md-device-map
+ALLOWDEVFILE=/dev/.udev/queue.bin
+ALLOWDEVFILE=/dev/.udev/db/*
+ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
+ALLOWDEVFILE=/dev/.udev/uevent_seqnum
+ALLOWDEVFILE=/dev/md/autorebuild.pid
+
+#
+# This setting tells rkhunter where the inetd configuration
+# file is located.
+#
+#INETD_CONF_PATH=/etc/inetd.conf
+
+#
+# Allow the following enabled inetd services.
+# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
+#
+# Below are some Solaris 9 and 10 services that may want to be whitelisted.
+#
+#INETD_ALLOWED_SVC=echo
+#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd
+#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto
+#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd
+#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd
+#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd
+#INETD_ALLOWED_SVC=/usr/lib/gss/gssd
+#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader
+#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd
+#INETD_ALLOWED_SVC=/network/rpc/mdcomm
+#INETD_ALLOWED_SVC=/network/rpc/meta
+#INETD_ALLOWED_SVC=/network/rpc/metamed
+#INETD_ALLOWED_SVC=/network/rpc/metamh
+#INETD_ALLOWED_SVC=/network/security/ktkt_warn
+#INETD_ALLOWED_SVC=/application/x11/xfs
+#INETD_ALLOWED_SVC=/application/print/rfc1179
+#INETD_ALLOWED_SVC=/application/font/stfsloader
+#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
+#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
+#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp
+
+#
+# This setting tells rkhunter where the xinetd configuration
+# file is located.
+#
+#XINETD_CONF_PATH=/etc/xinetd.conf
+
+#
+# Allow the following enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing
+# we only have the pathname available. As such, these entries are
+# the xinetd file pathnames.
+# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
+#
+XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync
+XINETD_ALLOWED_SVC=/etc/xinetd.d/cvspserver
+XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp
+XINETD_ALLOWED_SVC=/etc/xinetd.d/git-server
+XINETD_ALLOWED_SVC=/etc/xinetd.d/git
+XINETD_ALLOWED_SVC=/etc/xinetd.d/bzr-server
+
+#
+# This setting tells rkhunter the local system startup file pathnames.
+# More than one file may be present on the system, and so this option
+# can be a space-separated list. This setting will be worked out by
+# rkhunter, and so should not usually need to be set.
+#
+# If the system uses a directory of local startup scripts, then rather
+# that setting all the file names here, leave this setting blank, and
+# specify the directory name in SYSTEM_RC_DIR instead.
+#
+# If the system does not use a local startup script at all, then this
+# setting can be set to 'none'. Without this, rkhunter would give a
+# warning that no local startup script could be found.
+#
+#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit"
+
+#
+# This setting tells rkhunter the local system startup file directory.
+# This setting will be worked out by rkhunter, and so should not usually
+# need to be set.
+#
+#SYSTEM_RC_DIR=/etc/rc.d
+
+#
+# This setting tells rkhunter the pathname to the file containing the
+# user account passwords. This setting will be worked out by rkhunter,
+# and so should not usually need to be set.
+#
+PASSWORD_FILE=/etc/shadow
+
+#
+# Allow the following accounts to be root equivalent. These accounts
+# will have a UID value of zero. This option is a space-separated list
+# of account names. The 'root' account does not need to be listed as it
+# is automatically whitelisted.
+#
+# Note: For *BSD systems you may need to enable this for the 'toor' account.
+#
+#UID0_ACCOUNTS="toor rooty"
+
+#
+# Allow the following accounts to have no password. This option is a
+# space-separated list of account names. NIS/YP entries do not need to
+# be listed as they are automatically whitelisted.
+#
+#PWDLESS_ACCOUNTS="abc"
+
+#
+# This setting tells rkhunter the pathname to the syslog configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+
+#
+# This option permits the use of syslog remote logging.
+#
+ALLOW_SYSLOG_REMOTE_LOGGING=1
+
+#
+# Allow the following applications, or a specific version of an application,
+# to be whitelisted. This option is a space-separated list consisting of the
+# application names. If a specific version is to be whitelisted, then the
+# name must be followed by a colon and then the version number.
+#
+# For example: APP_WHITELIST="openssl:0.9.7d gpg"
+#
+APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1"
+
+#
+# Scan for suspicious files in directories containing temporary files and
+# directories posing a relatively higher risk due to user write access.
+# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
+# producing false positives. Do review all settings before usage.
+# Also be aware that running suspscan in combination with verbose logging on,
+# RKH's default, will show all ignored files.
+# Please consider adding all directories the user the (web)server runs as has
+# write access to including the document root (example: "/var/www") and log
+# directories (example: "/var/log/httpd").
+#
+# A space-separated list of directories to scan.
+#
+SUSPSCAN_DIRS="/tmp /var/tmp"
+
+#
+# Directory for temporary files. A memory-based one is better (faster).
+# Do not use a directory name that is listed in SUSPSCAN_DIRS.
+# Please make sure you have a tempfs mounted and the directory exists.
+#
+SUSPSCAN_TEMP=/dev/shm
+
+#
+# Maximum filesize in bytes. Files larger than this will not be inspected.
+# Do make sure you have enough space left in your temporary files directory.
+#
+SUSPSCAN_MAXSIZE=10240000
+
+#
+# Score threshold. Below this value no hits will be reported.
+# A value of "200" seems "good" after testing on malware. Please adjust
+# locally if necessary.
+#
+SUSPSCAN_THRESH=200
+
+#
+# The following option can be used to whitelist network ports which
+# are known to have been used by malware. The option is a space-
+# separated list of one or more of three types of whitelisting.
+# These are:
+#
+# 1) a 'protocol:port' pair (e.g. TCP:25)
+# 2) a pathname to an executable (e.g. /usr/sbin/squid)
+# 3) an asterisk ('*')
+#
+# Only the UDP or TCP protocol may be specified, and the port number
+# must be between 1 and 65535 inclusive.
+#
+# The asterisk can be used to indicate that any executable in a trusted
+# path directory will be whitelisted. A trusted path directory is one which
+# rkhunter uses to locate commands. It is composed of the root PATH
+# environment variable, and the BINDIR command-line or configuration
+# file option.
+#
+# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
+#
+#PORT_WHITELIST=""
+
+#
+# The following option can be used to tell rkhunter where the operating
+# system 'release' file is located. This file contains information
+# specifying the current O/S version. RKH will store this information
+# itself, and check to see if it has changed between each run. If it has
+# changed, then the user is warned that RKH may issue warning messages
+# until RKH has been run with the '--propupd' option.
+#
+# Since the contents of the file vary according to the O/S distribution,
+# RKH will perform different actions when it detects the file itself. As
+# such, this option should not be set unless necessary. If this option is
+# specified, then RKH will assume the O/S release information is on the
+# first non-blank line of the file.
+#
+# {{ ansible_distribution|lower }}
+OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release
+
+#
+# The following two options can be used to whitelist files and directories
+# that would normally be flagged with a warning during the rootkit checks.
+# If the file or directory name contains a space, then the percent character
+# ('%') must be used instead. Only existing files and directories can be
+# specified.
+#
+#RTKT_DIR_WHITELIST=""
+#RTKT_FILE_WHITELIST=""
+
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command, then the following two options can be used. The value must be
+# set to 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
+INSTALLDIR=/usr
+SCRIPTWHITELIST=/usr/bin/whatis
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/GET
+SCRIPTWHITELIST=/sbin/ifup
+SCRIPTWHITELIST=/sbin/ifdown
diff --git a/roles/rkhunter/files/rkhunter.sysconfig b/roles/rkhunter/files/rkhunter.sysconfig
new file mode 100644
index 0000000..0c463db
--- /dev/null
+++ b/roles/rkhunter/files/rkhunter.sysconfig
@@ -0,0 +1,11 @@
+# System configuration file for Rootkit Hunter which
+# stores RPM system specifics for cron run, etc.
+#
+# MAILTO= <email address to send scan report>
+# DIAG_SCAN= no - perform normal report scan
+# yes - perform detailed report scan
+# (includes application check)
+
+MAILTO=smooge at fedoraproject.org,kevin at fedoraproject.org
+DIAG_SCAN=no
+
diff --git a/roles/rkhunter/tasks/main.yml b/roles/rkhunter/tasks/main.yml
new file mode 100644
index 0000000..4bec0f7
--- /dev/null
+++ b/roles/rkhunter/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+
+- name: install rkhunter
+ yum: name=rkhunter state=present
+ tags:
+ - packages
+
+- name: rkhunter.conf
+ template: src=rkhunter.conf.j2 dest=/etc/rkhunter.conf mode=0640
+ tags:
+ - config
+
+- name: rkhunter sysconfig
+ copy: src=rkhunter.sysconfig dest=/etc/sysconfig/rkhunter mode=0640
+ tags:
+ - config
+
+
diff --git a/tasks/rkhunter.yml b/tasks/rkhunter.yml
deleted file mode 100644
index 325315b..0000000
--- a/tasks/rkhunter.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-
-- name: install rkhunter
- yum: name=rkhunter state=present
- tags:
- - packages
-
-- name: rkhunter.conf
- template: src=$files/rkhunter/rkhunter.conf.j2 dest=/etc/rkhunter.conf mode=0640
- tags:
- - config
-
-- name: rkhunter sysconfig
- copy: src=$files/rkhunter/rkhunter.sysconfig dest=/etc/sysconfig/rkhunter mode=0640
- tags:
- - config
-
-
--
1.8.3.1
More information about the infrastructure
mailing list