From 8de8e4d99c8856bd593bbb135428698ffa444f3b Mon Sep 17 00:00:00 2001
From: clime
Date: Wed, 7 Sep 2016 11:15:25 +0200
Subject: [PATCH] rkhunter exceptions for ipa servers

---
 inventory/inventory | 3 +++
 roles/rkhunter/templates/rkhunter.conf.j2 | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/inventory/inventory b/inventory/inventory
index 8644ee2803..179835ab44 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -381,6 +381,9 @@ batcave01.phx2.fedoraproject.org
 [batcave]
 batcave01.phx2.fedoraproject.org
+[ipa]
+ipa01.phx2.fedoraproject.org
+
 [ipa-stg]
 ipa01.stg.phx2.fedoraproject.org
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
index 35e5576ed0..eb19b2b950 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -390,6 +390,9 @@ ALLOWDEVFILE=/dev/shm/squid-cache_mem.shm
 # libvirt spice device makes a /dev/shm/spice file
 ALLOWDEVFILE=/dev/shm/spice.*
 {% endif %}
+{% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa-stg'] %}
+ALLOWDEVFILE=/dev/shm/sem.slapd*.stats
+{% endif %}
 #
 # This setting tells rkhunter where the inetd configuration
@@ -601,6 +604,9 @@ OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release
 #
 #RTKT_DIR_WHITELIST=""
 #RTKT_FILE_WHITELIST=""
+{% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa-stg'] %}
+RTKT_FILE_WHITELIST="/var/log/pki/pki-tomcat/ca/system"
+{% endif %}
 #
 # To force rkhunter to use the supplied script for the 'stat' or 'readlink'
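Review bot: The new `{% if inventory_hostname in groups['ipa'] or inventory_hostname in groups['ipa-stg'] %}` indexes `groups` directly, so the template stops rendering with an undefined-variable error on any inventory that lacks an `ipa` or `ipa-stg` group (a partial or test inventory, for instance) instead of just omitting the exception; `{% if inventory_hostname in groups.get('ipa', []) or inventory_hostname in groups.get('ipa-stg', []) %}` degrades gracefully, and the same lookup is repeated in the RTKT_FILE_WHITELIST hunk below. Every neighbouring ALLOWDEVFILE entry carries a one-line comment naming the service that creates the device file (see the libvirt spice line above), while the added `ALLOWDEVFILE=/dev/shm/sem.slapd*.stats` has none; a line such as `# IPA directory server (slapd) creates /dev/shm/sem.slapd*.stats` keeps the file self-explaining. The `*` in the glob also widens the exception to any name between `sem.slapd` and `.stats`; if the actual file name on the IPA hosts is fixed, the narrower exact pattern should be preferred so the check still catches unexpected files in /dev/shm.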
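Review bot: `RTKT_FILE_WHITELIST="/var/log/pki/pki-tomcat/ca/system"` turns off a rootkit-file check for that path without recording which rkhunter test fires on it or why the path is legitimate, so a later maintainer cannot tell a benign PKI artefact from an exception that should be revisited or tightened. A comment above the line, e.g. `# pki-tomcat CA log directory on IPA servers trips an rkhunter rootkit file check; whitelisted, re-verify after rkhunter updates`, records the rationale the way the ALLOWDEVFILE section does. Since this and the ALLOWDEVFILE hunk above evaluate the identical two-group condition, a single `{% set is_ipa_host = ... %}` defined once near the top of the template (outside this hunk) and reused in both places would keep the two exceptions from drifting apart when a group is renamed.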