rkhunter exceptions for ipa servers

2016-09-07 11:15:25 +02:00 · 2016-09-07 11:15:25 +02:00 · 8de8e4d99c
commit 8de8e4d99c
parent b5e7b32258
2 changed files with 9 additions and 0 deletions
--- a/inventory/inventory
+++ b/inventory/inventory
@ -381,6 +381,9 @@ batcave01.phx2.fedoraproject.org
 [batcave]
 batcave01.phx2.fedoraproject.org

+[ipa]
+ipa01.phx2.fedoraproject.org
+
 [ipa-stg]
 ipa01.stg.phx2.fedoraproject.org

--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@ -390,6 +390,9 @@ ALLOWDEVFILE=/dev/shm/squid-cache_mem.shm
 # libvirt spice device makes a /dev/shm/spice file
 ALLOWDEVFILE=/dev/shm/spice.*
 {% endif %}
+{% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa-stg'] %}
+ALLOWDEVFILE=/dev/shm/sem.slapd*.stats
+{% endif %}

 #
 # This setting tells rkhunter where the inetd configuration
@ -601,6 +604,9 @@ OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release
 #
 #RTKT_DIR_WHITELIST=""
 #RTKT_FILE_WHITELIST=""
+{% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa-stg'] %}
+RTKT_FILE_WHITELIST="/var/log/pki/pki-tomcat/ca/system"
+{% endif %}

 #
 # To force rkhunter to use the supplied script for the 'stat' or 'readlink'