Migrate a bunch of things to roles. Thanks to misc!

Kevin Fenzi 2013-08-19 20:12:26 +00:00
parent 16ce004157
commit 8e2ec48cc0
55 changed files with 138 additions and 108 deletions


@ -1,27 +0,0 @@
# We mustn't block localhost
127.0.0.1
#bastion
10.5.126.11
10.5.126.12
#lockbox
10.5.126.23
# don't block lockbox's remote addr, either
209.132.181.6
#noc1
noc1.phx2.fedoraproject.org
10.5.126.41
192.168.1.10
# RDU NAT
66.187.233.202
66.187.233.206
# RH NAT
66.187.230.200
# PHX2 NAT
209.132.181.102
# tlv RHT NAT
66.187.237.10
# brno RHT NAT
209.132.186.34


@ -1,626 +0,0 @@
############ THESE SETTINGS ARE REQUIRED ############
########################################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file command line
# argument
#
# Redhat or Fedora Core:
SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD:
#SECURE_LOG = /var/log/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
#
# Mac OS X (v10.4 or greater -
# also refer to: http://www.denyhosts.net/faq.html#macos
#SECURE_LOG = /private/var/log/asl.log
#
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
#
########################################################################
########################################################################
#
# HOSTS_DENY: the file which contains restricted host access information
#
# Most operating systems:
HOSTS_DENY = /etc/hosts.deny
#
# Some BSD (FreeBSD) Unixes:
#HOSTS_DENY = /etc/hosts.allow
#
# Another possibility (also see the next option):
#HOSTS_DENY = /etc/hosts.evil
#######################################################################
########################################################################
#
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
# when DenyHosts is invoked with the --purge flag
#
# format is: i[dhwmy]
# Where 'i' is an integer (eg. 7)
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years
#
# never purge:
#PURGE_DENY =
#
# purge entries older than 1 week
#PURGE_DENY = 1w
#
# purge entries older than 5 days
#PURGE_DENY = 5d
#
# For the default Fedora Extras install, we want timestamping but no
# expiration (at least by default) so this is deliberately set high.
# Adjust to taste.
PURGE_DENY = 4w
#######################################################################
#######################################################################
#
# PURGE_THRESHOLD: defines the maximum times a host will be purged.
# Once this value has been exceeded then this host will not be purged.
# Setting this parameter to 0 (the default) disables this feature.
#
# default: a denied host can be purged/re-added indefinitely
PURGE_THRESHOLD = 4
#
# a denied host will be purged at most 2 times.
#PURGE_THRESHOLD = 2
#
#######################################################################
#######################################################################
#
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
#
# man 5 hosts_access for details
#
# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE = sshd
# To only record the offending host and nothing else (if using
# an auxilary file to list the hosts). Refer to:
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =
#
#######################################################################
#######################################################################
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 15
#
#######################################################################
#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed
# login attempts has exceeded this value. This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 15
#
#######################################################################
#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 5
#
#######################################################################
#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# usernames that appear in the WORK_DIR/restricted-usernames file only.
#
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################
#######################################################################
#
# WORK_DIR: the path that DenyHosts will use for writing data to
# (it will be created if it does not already exist).
#
# Note: it is recommended that you use an absolute pathname
# for this value (eg. /home/foo/denyhosts/data)
#
WORK_DIR = /var/lib/denyhosts
#
#######################################################################
#######################################################################
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
# If set to YES, if a suspicious login attempt results from an allowed-host
# then it is considered suspicious. If this is NO, then suspicious logins
# from allowed-hosts will not be reported. All suspicious logins from
# ip addresses that are not in allowed-hosts will always be reported.
#
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
######################################################################
######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
#
HOSTNAME_LOOKUP=YES
#
######################################################################
######################################################################
#
# LOCK_FILE
#
# LOCK_FILE=/path/denyhosts
# If this file exists when DenyHosts is run, then DenyHosts will exit
# immediately. Otherwise, this file will be created upon invocation
# and deleted upon exit. This ensures that only one instance is
# running at a time.
#
# Redhat/Fedora:
LOCK_FILE = /var/lock/subsys/denyhosts
#
# Debian
#LOCK_FILE = /var/run/denyhosts.pid
#
# Misc
#LOCK_FILE = /tmp/denyhosts.lock
#
######################################################################
############ THESE SETTINGS ARE OPTIONAL ############
#######################################################################
#
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to
# match your email address. If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
#
# Multiple email addresses can be delimited by a comma, eg:
# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
#
# ADMIN_EMAIL = ausil@fedoraproject.org
#
#######################################################################
#######################################################################
#
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
# reports (see ADMIN_EMAIL) then these settings specify the
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
#
#
# THEMOVE FIXME this needs to work from external non-VPN machines.
SMTP_HOST = bastion
SMTP_PORT = 25
#
#######################################################################
#######################################################################
#
# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
# smtp email server requires authentication
#
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
#
######################################################################
#######################################################################
#
# SMTP_FROM: you can specify the "From:" address in messages sent
# from DenyHosts when it reports thwarted abuse attempts
#
SMTP_FROM = DenyHosts <denyhosts@fedoraproject.org>
#
#######################################################################
#######################################################################
#
# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
# by DenyHosts when it reports thwarted abuse attempts
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
#
######################################################################
######################################################################
#
# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
# when sending email messages.
#
# for possible values for this parameter refer to: man strftime
#
# the default:
#
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
#
######################################################################
######################################################################
#
# SYSLOG_REPORT
#
# SYSLOG_REPORT=YES|NO
# If set to yes, when denied hosts are recorded the report data
# will be sent to syslog (syslog must be present on your system).
# The default is: NO
#
#SYSLOG_REPORT=NO
#
#SYSLOG_REPORT=YES
#
######################################################################
######################################################################
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
# the hostname will be looked up. If your versions of tcp_wrappers
# and sshd sometimes log hostnames in addition to ip addresses
# then you may wish to specify this option.
#
#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
#
######################################################################
######################################################################
#
# AGE_RESET_VALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for
# this host to be reset to 0. This value applies to login attempts
# to all valid users (those within /etc/passwd) with the
# exception of root. If not defined, this count will never
# be reset.
#
# See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_VALID=5d
#
######################################################################
######################################################################
#
# AGE_RESET_ROOT: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for
# this host to be reset to 0. This value applies to all login
# attempts to the "root" user account. If not defined,
# this count will never be reset.
#
# See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_ROOT=25d
#
######################################################################
######################################################################
#
# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for
# this host to be reset to 0. This value applies to all login
# attempts to entries found in the WORK_DIR/restricted-usernames file.
# If not defined, the count will never be reset.
#
# See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_RESTRICTED=25d
#
######################################################################
######################################################################
#
# AGE_RESET_INVALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for
# this host to be reset to 0. This value applies to login attempts
# made to any invalid username (those that do not appear
# in /etc/passwd). If not defined, count will never be reset.
#
# See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_INVALID=10d
#
######################################################################
######################################################################
#
# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
# failed count for the respective ip address will be reset to 0
# if the login is successful.
#
# The default is RESET_ON_SUCCESS = no
#
RESET_ON_SUCCESS = yes
#
#####################################################################
######################################################################
#
# PLUGIN_DENY: If set, this value should point to an executable
# program that will be invoked when a host is added to the
# HOSTS_DENY file. This executable will be passed the host
# that will be added as it's only argument.
#
#PLUGIN_DENY=/usr/bin/true
#
######################################################################
######################################################################
#
# PLUGIN_PURGE: If set, this value should point to an executable
# program that will be invoked when a host is removed from the
# HOSTS_DENY file. This executable will be passed the host
# that is to be purged as it's only argument.
#
#PLUGIN_PURGE=/usr/bin/true
#
######################################################################
######################################################################
#
# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
# a regular expression that can be used to identify additional
# hackers for your particular ssh configuration. This functionality
# extends the built-in regular expressions that DenyHosts uses.
# This parameter can be specified multiple times.
# See this faq entry for more details:
# http://denyhosts.sf.net/faq.html#userdef_regex
#
#USERDEF_FAILED_ENTRY_REGEX=
#
#
######################################################################
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
#######################################################################
#
# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
# this is the logfile that DenyHosts uses to report it's status.
# To disable logging, leave blank. (default is: /var/log/denyhosts)
#
DAEMON_LOG = /var/log/denyhosts
#
# disable logging:
#DAEMON_LOG =
#
######################################################################
#######################################################################
#
# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
# (--daemon flag) this specifies the timestamp format of
# the DAEMON_LOG messages (default is the ISO8061 format:
# ie. 2005-07-22 10:38:01,745)
#
# for possible values for this parameter refer to: man strftime
#
# Jan 1 13:05:59
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
#
# Jan 1 01:05:59
#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
#
######################################################################
#######################################################################
#
# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
# (--daemon flag) this specifies the message format of each logged
# entry. By default the following format is used:
#
# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
# Where the "%(asctime)s" portion is expanded to the format
# defined by DAEMON_LOG_TIME_FORMAT
#
# This string is passed to python's logging.Formatter contstuctor.
# For details on the possible format types please refer to:
# http://docs.python.org/lib/node357.html
#
# This is the default:
#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
#
######################################################################
#######################################################################
#
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
# this is the amount of time DenyHosts will sleep between polling
# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
#
#
DAEMON_SLEEP = 30s
#
#######################################################################
#######################################################################
#
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 1h
#
#######################################################################
######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ##########
#######################################################################
#
# Synchronization mode allows the DenyHosts daemon the ability
# to periodically send and receive denied host data such that
# DenyHosts daemons worldwide can automatically inform one
# another regarding banned hosts. This mode is disabled by
# default, you must uncomment SYNC_SERVER to enable this mode.
#
# for more information, please refer to:
# http:/denyhosts.sourceforge.net/faq.html#sync
#
#######################################################################
#######################################################################
#
# SYNC_SERVER: The central server that communicates with DenyHost
# daemons. Currently, denyhosts.net is the only available server
# however, in the future, it may be possible for organizations to
# install their own server for internal network synchronization
#
# To disable synchronization (the default), do nothing.
#
# To enable synchronization, you must uncomment the following line:
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
#
#######################################################################
#######################################################################
#
# SYNC_INTERVAL: the interval of time to perform synchronizations if
# SYNC_SERVER has been uncommented. The default is 1 hour.
#
SYNC_INTERVAL = 1h
#
#######################################################################
#######################################################################
#
# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
# been denied? This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_UPLOAD = yes
#
#SYNC_UPLOAD = no
#SYNC_UPLOAD = yes
#
#######################################################################
#######################################################################
#
# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
# been denied by others? This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_DOWNLOAD = yes
#
#SYNC_DOWNLOAD = no
#SYNC_DOWNLOAD = yes
#
#
#
#######################################################################
#######################################################################
#
# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
# filters the returned hosts to those that have been blocked this many
# times by others. That is, if set to 1, then if a single DenyHosts
# server has denied an ip address then you will receive the denied host.
#
# See also SYNC_DOWNLOAD_RESILIENCY
#
#SYNC_DOWNLOAD_THRESHOLD = 10
#
# The default is SYNC_DOWNLOAD_THRESHOLD = 3
#
#SYNC_DOWNLOAD_THRESHOLD = 3
#
#######################################################################
#######################################################################
#
# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the
# value specified for this option limits the downloaded data
# to this resiliency period or greater.
#
# Resiliency is defined as the timespan between a hackers first known
# attack and it's most recent attack. Example:
#
# If the centralized denyhosts.net server records an attack at 2 PM
# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
# will not download this ip address.
#
# However, if the attacker is recorded again at 6:15 PM then the
# ip address will be downloaded by your DenyHosts instance.
#
# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
# and only hosts that satisfy both values will be downloaded.
# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
#
# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
#
# Only obtain hackers that have been at it for 2 days or more:
#SYNC_DOWNLOAD_RESILIENCY = 2d
#
# Only obtain hackers that have been at it for 5 hours or more:
#SYNC_DOWNLOAD_RESILIENCY = 5h
#
#######################################################################


@ -1 +0,0 @@
*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"


@ -1,92 +0,0 @@
[global]
; url - Location to fas server
url = https://admin.fedoraproject.org/accounts/
; temp - Location to generate files while user creation process is happening
temp = /var/db
; login - username to contact fas
login = {{ fedorathirdpartyUser }}
; password - password for login name
password = {{ fedorathirdpartyPassword }}
; prefix - install to a location other than /
prefix = /
; modefile - Location of a file containing saved home directory modes
modefile = /var/lib/fas/client_dir_perms
; cla_group - Group for CLA requirements
cla_group = cla_done
[host]
; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
; so if someone is in all 3, the client behaves the same as if they were just
; in 'groups'
; groups that should have a shell account on this system.
{% if fas_client_groups %}
groups = sysadmin-main,{{ fas_client_groups }}
{% else %}
groups = sysadmin-main
{% endif %}
; groups that should have a restricted account on this system.
; restricted accounts use the restricted_shell value in [users]
restricted_groups =
; ssh_restricted_groups: groups that should be restricted by ssh key. You will
; need to disable password based logins in order for this value to have any
; security meaning. Group types can be placed here as well, for example
; @hg,@git,@svn
{% if fas_client_ssh_groups %}
ssh_restricted_groups = {{ fas_client_ssh_groups }}
{% else %}
ssh_restricted_groups =
{% endif %}
; aliases_template: Gets prepended to the aliases file when it is generated by
; fasClient
aliases_template = /etc/aliases.template
[users]
; default shell given to people in [host] groups
shell = /bin/bash
; home - the location for fas user home dirs
home = /home/fedora
; home_backup_dir - Location home dirs should get moved to when a user is
; deleted this location should be tmpwatched
home_backup_dir = /home/fedora.bak
; ssh_restricted_app - This is the path to the restricted shell script. It
; will not work automatically for most people though through alterations it
; is a powerfull way to restrict access to a machine. An alternative example
; could be given to people who should only have cvs access on the machine.
; setting this value to "/usr/bin/cvs server" would do this.
{% if fas_client_restricted_app %}
ssh_restricted_app = {{ fas_client_restricted_app }}
{% else %}
ssh_restricted_app =
{% endif %}
; ssh_admin_app - This is the path to an app that an admin is allowed to use.
{% if fas_client_admin_app %}
ssh_admin_app = {{ fas_client_admin_app }}
{% else %}
ssh_admin_app =
{% endif %}
; restricted_shell - The shell given to users in the ssh_restricted_groups
restricted_shell = /sbin/nologin
; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
ssh_restricted_shell = /bin/bash
; ssh_key_options - Options to be appended to people ssh keys. Users in the
; ssh_restricted_groups will have the keys they uploaded altered when they are
; installed on this machine, appended with the options below.
ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty


@ -1,45 +0,0 @@
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
passwd: db files
shadow: db files
group: db files
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus


@ -1,2 +0,0 @@
# cron job to sync the geoip data files
0 1 4 * * root /usr/local/bin/syncFiles.sh bigfiles/geoip /usr/share/GeoIP


@ -1,44 +0,0 @@
Alias /mirrorlists /var/lib/mirrormanager/mirrorlists/
Alias /publiclist /var/lib/mirrormanager/mirrorlists/publiclist/
Alias /static /var/lib/mirrormanager/mirrorlists/static/
<Directory /var/lib/mirrormanager/mirrorlists>
Options Indexes FollowSymLinks
ExpiresActive On
ExpiresDefault "modification plus 1 day"
</Directory>
WSGIDaemonProcess mirrorlist user=apache processes=45 threads=1 display-name=mirrorlist maximum-requests=1000
WSGIScriptAlias /metalink /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi
WSGIScriptAlias /mirrorlist /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi
# Set this if you do not have a Reverse Proxy (HTTP Accelerator) that
# is in front of your application server running this code.
# SetEnv mirrorlist_client.noreverseproxy 1
<Location /mirrorlist>
WSGIProcessGroup mirrorlist
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order deny,allow
Allow from all
</IfModule>
</Location>
<Location /metalink>
WSGIProcessGroup mirrorlist
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order deny,allow
Allow from all
</IfModule>
</Location>


@ -1 +0,0 @@
ssh-rsa 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 toshio@puppet1.fedora.phx.redhat.com


@ -1,4 +0,0 @@
#!/bin/bash
rsync -az --delete-delay --delay-updates --delete mirrormanager@bapp02:/var/lib/mirrormanager/ /var/lib/mirrormanager/
kill -HUP $(cat /var/run/mirrormanager/mirrorlist_server.pid)


@ -1,67 +0,0 @@
[supervisord]
http_port=/var/tmp/supervisor.sock ; (default is to run a UNIX domain socket server)
;http_port=127.0.0.1:9001 ; (alternately, ip_address:port specifies AF_INET)
;sockchmod=0700 ; AF_UNIX socketmode (AF_INET ignore, default 0700)
;sockchown=nobody.nogroup ; AF_UNIX socket uid.gid owner (AF_INET ignores)
;umask=022 ; (process file creation umask;default 022)
logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
logfile_backups=10 ; (num of main logfile rotation backups;default 10)
loglevel=info ; (logging level;default info; others: debug,warn)
pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
nodaemon=false ; (start in foreground if true;default false)
minfds=1024 ; (min. avail startup file descriptors;default 1024)
minprocs=200 ; (min. avail process descriptors;default 200)
;nocleanup=true ; (don't clean up tempfiles at start;default false)
;http_username=user ; (default is no username (open system))
;http_password=123 ; (default is no password (open system))
;childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP)
;user=chrism ; (default is current user, required if root)
;directory=/tmp ; (default is not to cd during start)
;environment=KEY=value ; (key value pairs to add to environment)
[supervisorctl]
serverurl=unix:///var/tmp/supervisor.sock ; use a unix:// URL for a unix socket
;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
;username=chris ; should be same as http_username if set
;password=123 ; should be same as http_password if set
;prompt=mysupervisor ; cmd line prompt (default "supervisor")
; The below sample program section shows all possible program subsection values,
; create one or more 'real' program: sections to be able to control them under
; supervisor.
;[program:theprogramname]
;command=/bin/cat ; the program (relative uses PATH, can take args)
;priority=999 ; the relative start priority (default 999)
;autostart=true ; start at supervisord start (default: true)
;autorestart=true ; retstart at unexpected quit (default: true)
;startsecs=10 ; number of secs prog must stay running (def. 10)
;startretries=3 ; max # of serial start failures (default 3)
;exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
;stopsignal=QUIT ; signal used to kill process (default TERM)
;stopwaitsecs=10 ; max num secs to wait before SIGKILL (default 10)
;user=chrism ; setuid to this UNIX account to run the program
;log_stdout=true ; if true, log program stdout (default true)
;log_stderr=true ; if true, log program stderr (def false)
;logfile=/var/log/cat.log ; child log path, use NONE for none; default AUTO
;logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
;logfile_backups=10 ; # of logfile backups (default 10)
[program:mirrorlist_server]
command=/usr/share/mirrormanager/mirrorlist-server/mirrorlist_server.py
priority=1
autostart=true
autorestart=true
startsecs=10
startretries=5
stopsignal=TERM
stopwaitsecs=10
user=mirrormanager
log_stderr=true
log_stdout=true
logfile=/var/log/mirrormanager/mirrorlist-server.log
logfile_maxbytes=50MB
logfile_backups=10


@ -1 +0,0 @@
command[check_cron]=/usr/lib64/nagios/plugins/check_procs -c 1:10 -C 'crond' -u root


@ -1,2 +0,0 @@
command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /boot


@ -1 +0,0 @@
command[check_lock]=/usr/lib64/nagios/plugins/check_lock


@ -1 +0,0 @@
command[check_mirrorlist_cache]=/usr/lib64/nagios/plugins/check_file_age -w 14400 -c 129600 -f /var/lib/mirrormanager/mirrorlist_cache.pkl


@ -1 +0,0 @@
command[check_postfix_queue]=/usr/lib64/nagios/plugins/check_postfix_queue -w 2 -c 5


@ -1 +0,0 @@
command[check_raid]=/usr/lib64/nagios/plugins/check_raid.py


@ -1 +0,0 @@
command[check_swap]=/usr/lib64/nagios/plugins/check_swap -w 15% -c 10%


@ -1,223 +0,0 @@
#############################################################################
# Sample NRPE Config File
# Written by: Ethan Galstad (nagios@nagios.org)
#
# Last Modified: 11-23-2007
#
# NOTES:
# This is a sample configuration file for the NRPE daemon. It needs to be
# located on the remote host that is running the NRPE daemon, not the host
# from which the check_nrpe client is being executed.
#############################################################################
# LOG FACILITY
# The syslog facility that should be used for logging purposes.
log_facility=daemon
# PID FILE
# The name of the file in which the NRPE daemon should write it's process ID
# number. The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.
pid_file=/var/run/nrpe/nrpe.pid
# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-priviledged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
server_port=5666
# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
#server_address=127.0.0.1
# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_user=nrpe
# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_group=nrpe
# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
# supported.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address. I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35
# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed. This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
#
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments
dont_blame_nrpe=0
# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
#
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commmands using sudo. For this to work, you need to add
# the nagios user to your /etc/sudoers. An example entry for alllowing
# execution of the plugins from might be:
#
# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
#
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password. If you do this, make sure you don't give
# random users write access to that directory or its contents!
# command_prefix=/usr/bin/sudo
# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on
debug=0
# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.
command_timeout=60
# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting. This is sometimes
# seen where a network problem stops the SSL being established even though
# all network sessions are connected. This causes the nrpe daemons to
# accumulate, eating system resources. Do not set this too low.
connection_timeout=300
# WEEK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
# a /dev/random or /dev/urandom (on purpose or because the necessary patches
# were not applied). The random number generator will be seeded from a file
# which is either a file pointed to by the environment valiable $RANDFILE
# or $HOME/.rnd. If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
#allow_weak_random_seed=1
# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.
#include=<somefile.cfg>
# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).
include_dir=/etc/nrpe.d/
# COMMAND DEFINITIONS
# Command definitions that this daemon will run. Definitions
# are in the following format:
#
# command[<command_name>]=<command_line>
#
# When the daemon receives a request to return the results of <command_name>
# it will execute the command specified by the <command_line> argument.
#
# Unlike Nagios, the command line cannot contain macros - it must be
# typed exactly as it should be executed.
#
# Note: Any plugins that are used in the command lines must reside
# on the machine that this daemon is running on! The examples below
# assume that you have plugins installed in a /usr/local/nagios/libexec
# directory. Also note that you will have to modify the definitions below
# to match the argument format the plugins expect. Remember, these are
# examples only!
# The following examples use hardcoded command arguments...
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w {{ nrpe_procs_warn }} -c {{ nrpe_procs_crit }}
# The following examples allow user-supplied arguments and can
# only be used if the NRPE daemon was compiled with support for
# command arguments *AND* the dont_blame_nrpe directive in this
# config file is set to '1'. This poses a potential security risk, so
# make sure you read the SECURITY file before doing this.
#command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
#command[check_load]=/usr/lib64/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
#command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
# NEVER ADD ANYTHING HERE - ANY ENTRIES TO NRPE SHOULD BE in .cfg files in /etc/nrpe.d/
# NEVER NEVER NEVER
#


@ -1,17 +0,0 @@
#!/usr/bin/python
import fcntl
import sys
try:
f = open('/mnt/koji/.nagios_test', 'r')
f.close()
f = open('/mnt/koji/.nagios_test', 'w')
except IOError:
print "Could not create file"
sys.exit(2)
fcntl.flock(f, fcntl.LOCK_EX)
f.close()
print "File Locked Successfully"
sys.exit(0)


@ -1,49 +0,0 @@
#!/bin/bash
#
# 19-07-2010
# Author: Cherwin Nooitmeer <cherwin@gmail.com>
#
# exit codes
e_ok=0
e_warning=1
e_critical=2
e_unknown=3
# regular expression that matches queue IDs (e.g. D71EF7AC80F8)
queue_id='^[A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]'
usage="Invalid command line usage"
if [ -z $1 ]; then
echo $usage
exit $e_unknown
fi
while getopts ":w:c:" options
do
case $options in
w ) warning=$OPTARG ;;
c ) critical=$OPTARG ;;
* ) echo $usage
exit $e_unknown ;;
esac
done
# determine queue size
qsize=$(mailq | egrep -c $queue_id)
if [ -z $qsize ]
then
exit $e_unknown
fi
if [ $qsize -ge $critical ]; then
retval=$e_critical
elif [ $qsize -ge $warning ]; then
retval=$e_warning
elif [ $qsize -lt $warning ]; then
retval=$e_ok
fi
echo "$qsize mail(s) in queue | mail_queue=$qsize"
exit $retval


@ -1,45 +0,0 @@
#!/usr/bin/env python
#
# very simple python script to parse out /proc/mdstat
# and give results for nagios to monitor
#
import sys
import string
devices = []
try:
mdstat = string.split(open('/proc/mdstat').read(), '\n')
except IOError:
# seems we have no software raid on this machines
sys.exit(0)
error = ""
i = 0
for line in mdstat:
if line[0:2] == 'md':
device = string.split(line)[0]
devices.append(device)
status = string.split(mdstat[i+1])[3]
if string.count(status, "_"):
# see if we can figure out what's going on
err = string.split(mdstat[i+2])
msg = "device=%s status=%s" % (device, status)
if len(err) > 0:
msg = msg + " rebuild=%s" % err[0]
if not error:
error = msg
else:
error = error + ", " + msg
i = i + 1
if not error:
print "DEVICES %s OK" % " ".join(devices)
sys.exit(0)
else:
print error
sys.exit(2)


@ -1,590 +0,0 @@
#
# This is the configuration file for Rootkit Hunter.
#
# Please modify it to your own requirements.
# Please review the documentation before posting bug reports or questions.
# To report bugs, obtain updates, or provide patches or comments, please go to:
# http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the rkhunter-users mailing list.
# Note this is a moderated list: please subscribe before posting.
#
# Lines beginning with a hash (#), and blank lines, will be ignored.
#
# Most of the following options need only be specified once. If
# they appear more than once, then the last one seen will be used.
# Some options are allowed to appear more than once, and the text
# describing the option will say if this is so.
#
#
# If this option is set to 1, it specifies that the mirrors file, which
# is used when the '--update' and '--versioncheck' options are used, is
# to be rotated. Rotating the entries in the file allows a basic form
# of load-balancing between the mirror sites whenever the above options
# are used.
# If the option is set to 0, then the mirrors will be treated as if in
# a priority list. That is, the first mirror will always be used. The
# second mirror will only be used if the first mirror fails, then the
# third mirror will be used if the second fails and so on.
#
ROTATE_MIRRORS=1
#
# If this option is set to 1, it specifies that when the '--update'
# option is used, then the mirrors file is to be checked for updates
# as well. If the current mirrors file contains any local mirrors,
# these will be prepended to the updated file.
# If this option is set to 0, the mirrors file can only be updated
# manually. This may be useful if only using local mirrors.
#
UPDATE_MIRRORS=1
#
# The MIRRORS_MODE option tells rkhunter which mirrors are to be
# used when the '--update' or '--versioncheck' command-line options
# are given. Possible values are:
# 0 - use any mirror (the default)
# 1 - only use local mirrors
# 2 - only use remote mirrors
#
# Local and remote mirrors can be defined in the mirrors.dat file
# by using the 'local=' and 'remote=' keywords respectively.
#
MIRRORS_MODE=0
#
# Email a message to this address if a warning is found when the
# system is being checked. Multiple addresses may be specified
# simply be separating them with a space.
#
MAIL-ON-WARNING=""
#
# Specify the mail command to use if MAIL-ON-WARNING is set.
# NOTE: Double quotes are not required around the command, but
# are required around the subject line if it contains spaces.
#
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
#
# Specify the temporary directory to use.
#
# NOTE: Do not use /tmp as your temporary directory. Some
# important files will be written to this directory, so be
# sure that the directory permissions are tight.
#
TMPDIR=/var/lib/rkhunter
#
# Specify the database directory to use.
#
DBDIR=/var/lib/rkhunter/db
#
# Specify the script directory to use.
#
SCRIPTDIR=/usr/share/rkhunter/scripts
#
# Specify the root directory to use.
#
#ROOTDIR=""
#
# Specify the command directories to be checked. This is a
# space-separated list of directories.
#
BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
#
# Specify the language to use. This should be similar
# to the ISO 639 language code.
#
# NOTE: Please ensure that the language you specify is supported.
# For a list of supported languages use the following command:
#
# rkhunter --lang en --list languages
#
#LANGUAGE=en
#
# Specify the log file pathname.
#
LOGFILE=/var/log/rkhunter/rkhunter.log
#
# Set the following option to 1 if the log file is to be appended to
# whenever rkhunter is run.
#
#
# Set the following option to enable the rkhunter check start and finish
# times to be logged by syslog. Warning messages will also be logged.
# The value of the option must be a standard syslog facility and
# priority, separated by a dot.
#
# For example: USE_SYSLOG=authpriv.warning
#
# Setting the value to 'none', or just leaving the option commented out,
# disables the use of syslog.
#
USE_SYSLOG=authpriv.notice
#
# Set the following option to 1 if the second colour set is to be used.
# This can be useful if your screen uses black characters on a white
# background (for example, a PC instead of a server).
#
COLOR_SET2=0
#
# Set the following option to 0 if rkhunter should not detect if X is
# being used. If X is detected as being used, then the second colour
# set will automatically be used.
#
AUTO_X_DETECT=1
#
# The following option is checked against the SSH configuration file
# 'PermitRootLogin' option. A warning will be displayed if they do not
# match. However, if a value has not been set in the SSH configuration
# file, then a value here of 'yes' or 'unset' will not cause a warning.
# This option has a default value of 'no'.
#
ALLOW_SSH_ROOT_USER=without-password
#
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
# that theoretically it is weaker, and therefore less secure, than the
# SSH-2 protocol. Do not modify this option unless you have good reasons
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
# authentication). If the 'Protocol' option has not been set in the SSH
# configuration file, then a value of '2' may be set here in order to
# suppress a warning message. This option has a default value of '0'.
#
ALLOW_SSH_PROT_V1=0
#
# This setting tells rkhunter the directory containing the SSH configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
#SSH_CONFIG_DIR=/etc/ssh
#
# These two options determine which tests are to be performed.
# The ENABLE_TESTS option can use the word 'all' to refer to all the
# available tests. The DISABLE_TESTS option can use the word 'none' to
# mean that no tests are disabled. The list of disabled tests is applied to
# the list of enabled tests. Both options are space-separated lists of test
# names. The currently available test names can be seen by using the command
# 'rkhunter --list tests'.
#
# The program defaults are to enable all tests and disable none. However, if
# either option is specified in this file, then it overrides the program
# default. The supplied rkhunter.conf file has some tests already disabled,
# and these are tests that will be used only incidentally, can be considered
# "advanced" or those that are prone to produce more than the "average" number
# of "false positives".
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
#
# The HASH_FUNC option can be used to specify the command to use
# for the file hash value check. It can be specified as just
# the command name or the full pathname. Systems using prelinking
# are restricted to using either SHA1 or MD5 functions. To get rkhunter
# to look for the sha1(sum)/md5(sum) command, or to use the supplied
# perl scripts, simply specify this option as 'SHA1' or 'MD5' in
# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found.
#
# A value of 'NONE' (in uppercase) can be specified to indicate that
# no hash function should be used. Rootkit Hunter will detect this and
# automatically disable the file hash checks.
#
# Examples:
# For Solaris 9 : HASH_FUNC=gmd5sum
# For Solaris 10: HASH_FUNC=sha1sum
# For AIX (>5.2): HASH_FUNC="csum -hMD5"
# For NetBSD : HASH_FUNC="cksum -a sha512"
#
# NOTE: If the hash function is changed then you MUST run rkhunter with
# the '--propupd' option to rebuild the file properties database.
#
HASH_FUNC=sha1sum
#
# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
# command output contains the hash value. The fields are assumed to
# be space-separated. The default value is one, but for *BSD users
# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
# has not been set. The option value must be a positive integer.
#
#HASH_FLD_IDX=4
#
# The PKGMGR option tells rkhunter to use the specified package manager
# to obtain the file property information. This is used when updating
# the file properties file 'rkhunter.dat', and when running the file
# properties check. For RedHat/RPM-based systems, 'RPM' can be used
# to get information from the RPM database. For Debian-based systems
# 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
# No value, or a value of 'NONE', indicates that no package manager
# is to be used. The default is 'NONE'.
#
# The current package managers store the file hash values using an
# MD5 hash function.
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
# file permissions, uid, gid and other values.
#
# For any file not part of a package, rkhunter will revert to using
# the HASH_FUNC hash function instead.
#
PKGMGR=RPM
#
# Whitelist various attributes of the specified files.
# The attributes are those of the 'attributes' test.
# Specifying a file name here does not include it being
# whitelisted for the write permission test below.
# One command per line (use multiple ATTRWHITELIST lines).
#
#ATTRWHITELIST=/bin/ps
#
# Allow the specified commands to have the 'others'
# (world) permission have the write-bit set.
#
# For example, files with permissions r-xr-xrwx
# or rwxrwxrwx.
#
# One command per line (use multiple WRITEWHITELIST lines).
#
#WRITEWHITELIST=/bin/ps
#
# Allow the specified commands to be scripts.
# One command per line (use multiple SCRIPTWHITELIST lines).
#
#SCRIPTWHITELIST=/sbin/ifup
#SCRIPTWHITELIST=/sbin/ifdown
#SCRIPTWHITELIST=/usr/bin/groups
#
# Allow the specified commands to have the immutable attribute set.
# One command per line (use multiple IMMUTWHITELIST lines).
#
#IMMUTWHITELIST=/sbin/ifup
#
# Allow the specified hidden directories.
# One directory per line (use multiple ALLOWHIDDENDIR lines).
#
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.mdadm
ALLOWHIDDENDIR=/dev/.systemd
ALLOWHIDDENDIR=/dev/.mount
ALLOWHIDDENDIR=/dev/.udevdb
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.udev/db
ALLOWHIDDENDIR=/dev/.udev/rules.d
#
# Allow the specified hidden files.
# One file per line (use multiple ALLOWHIDDENFILE lines).
#
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac
ALLOWHIDDENFILE=/dev/.udev/queue.bin
ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum
#
# Allow the specified processes to use deleted files.
# One process per line (use multiple ALLOWPROCDELFILE lines).
#
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/sbin/gpm
#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld
#
# Allow the specified processes to listen on any network interface.
# One process per line (use multiple ALLOWPROCLISTEN lines).
#
#ALLOWPROCLISTEN=/sbin/dhclient
#ALLOWPROCLISTEN=/usr/bin/dhcpcd
#ALLOWPROCLISTEN=/usr/sbin/pppoe
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant
#
# SCAN_MODE_DEV governs how we scan /dev for suspicious files.
# The two allowed options are: THOROUGH or LAZY.
# If commented out we do a THOROUGH scan which will increase the runtime.
# Even though this adds to the running time it is highly recommended to
# leave it like this.
#
#SCAN_MODE_DEV=THOROUGH
#
# Allow the specified files to be present in the /dev directory,
# and not regarded as suspicious. One file per line (use multiple
# ALLOWDEVFILE lines).
#
#ALLOWDEVFILE=/dev/abc
#ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/shm/sem.slapd-FEDORAPROJECT-ORG.stats
ALLOWDEVFILE=/dev/md/md-device-map
ALLOWDEVFILE=/dev/.udev/queue.bin
ALLOWDEVFILE=/dev/.udev/db/*
ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
ALLOWDEVFILE=/dev/.udev/uevent_seqnum
ALLOWDEVFILE=/dev/md/autorebuild.pid
#
# This setting tells rkhunter where the inetd configuration
# file is located.
#
#INETD_CONF_PATH=/etc/inetd.conf
#
# Allow the following enabled inetd services.
# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
#
# Below are some Solaris 9 and 10 services that may want to be whitelisted.
#
#INETD_ALLOWED_SVC=echo
#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd
#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto
#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd
#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd
#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd
#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd
#INETD_ALLOWED_SVC=/usr/lib/gss/gssd
#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader
#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd
#INETD_ALLOWED_SVC=/network/rpc/mdcomm
#INETD_ALLOWED_SVC=/network/rpc/meta
#INETD_ALLOWED_SVC=/network/rpc/metamed
#INETD_ALLOWED_SVC=/network/rpc/metamh
#INETD_ALLOWED_SVC=/network/security/ktkt_warn
#INETD_ALLOWED_SVC=/application/x11/xfs
#INETD_ALLOWED_SVC=/application/print/rfc1179
#INETD_ALLOWED_SVC=/application/font/stfsloader
#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp
#
# This setting tells rkhunter where the xinetd configuration
# file is located.
#
#XINETD_CONF_PATH=/etc/xinetd.conf
#
# Allow the following enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing
# we only have the pathname available. As such, these entries are
# the xinetd file pathnames.
# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
#
XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync
XINETD_ALLOWED_SVC=/etc/xinetd.d/cvspserver
XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp
XINETD_ALLOWED_SVC=/etc/xinetd.d/git-server
XINETD_ALLOWED_SVC=/etc/xinetd.d/git
XINETD_ALLOWED_SVC=/etc/xinetd.d/bzr-server
#
# This setting tells rkhunter the local system startup file pathnames.
# More than one file may be present on the system, and so this option
# can be a space-separated list. This setting will be worked out by
# rkhunter, and so should not usually need to be set.
#
# If the system uses a directory of local startup scripts, then rather
# that setting all the file names here, leave this setting blank, and
# specify the directory name in SYSTEM_RC_DIR instead.
#
# If the system does not use a local startup script at all, then this
# setting can be set to 'none'. Without this, rkhunter would give a
# warning that no local startup script could be found.
#
#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit"
#
# This setting tells rkhunter the local system startup file directory.
# This setting will be worked out by rkhunter, and so should not usually
# need to be set.
#
#SYSTEM_RC_DIR=/etc/rc.d
#
# This setting tells rkhunter the pathname to the file containing the
# user account passwords. This setting will be worked out by rkhunter,
# and so should not usually need to be set.
#
PASSWORD_FILE=/etc/shadow
#
# Allow the following accounts to be root equivalent. These accounts
# will have a UID value of zero. This option is a space-separated list
# of account names. The 'root' account does not need to be listed as it
# is automatically whitelisted.
#
# Note: For *BSD systems you may need to enable this for the 'toor' account.
#
#UID0_ACCOUNTS="toor rooty"
#
# Allow the following accounts to have no password. This option is a
# space-separated list of account names. NIS/YP entries do not need to
# be listed as they are automatically whitelisted.
#
#PWDLESS_ACCOUNTS="abc"
#
# This setting tells rkhunter the pathname to the syslog configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf
#
# This option permits the use of syslog remote logging.
#
ALLOW_SYSLOG_REMOTE_LOGGING=1
#
# Allow the following applications, or a specific version of an application,
# to be whitelisted. This option is a space-separated list consisting of the
# application names. If a specific version is to be whitelisted, then the
# name must be followed by a colon and then the version number.
#
# For example: APP_WHITELIST="openssl:0.9.7d gpg"
#
APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1"
#
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
# Also be aware that running suspscan in combination with verbose logging on,
# RKH's default, will show all ignored files.
# Please consider adding all directories the user the (web)server runs as has
# write access to including the document root (example: "/var/www") and log
# directories (example: "/var/log/httpd").
#
# A space-separated list of directories to scan.
#
SUSPSCAN_DIRS="/tmp /var/tmp"
#
# Directory for temporary files. A memory-based one is better (faster).
# Do not use a directory name that is listed in SUSPSCAN_DIRS.
# Please make sure you have a tempfs mounted and the directory exists.
#
SUSPSCAN_TEMP=/dev/shm
#
# Maximum filesize in bytes. Files larger than this will not be inspected.
# Do make sure you have enough space left in your temporary files directory.
#
SUSPSCAN_MAXSIZE=10240000
#
# Score threshold. Below this value no hits will be reported.
# A value of "200" seems "good" after testing on malware. Please adjust
# locally if necessary.
#
SUSPSCAN_THRESH=200
#
# The following option can be used to whitelist network ports which
# are known to have been used by malware. The option is a space-
# separated list of one or more of three types of whitelisting.
# These are:
#
# 1) a 'protocol:port' pair (e.g. TCP:25)
# 2) a pathname to an executable (e.g. /usr/sbin/squid)
# 3) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number
# must be between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable in a trusted
# path directory will be whitelisted. A trusted path directory is one which
# rkhunter uses to locate commands. It is composed of the root PATH
# environment variable, and the BINDIR command-line or configuration
# file option.
#
# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
#
#PORT_WHITELIST=""
#
# The following option can be used to tell rkhunter where the operating
# system 'release' file is located. This file contains information
# specifying the current O/S version. RKH will store this information
# itself, and check to see if it has changed between each run. If it has
# changed, then the user is warned that RKH may issue warning messages
# until RKH has been run with the '--propupd' option.
#
# Since the contents of the file vary according to the O/S distribution,
# RKH will perform different actions when it detects the file itself. As
# such, this option should not be set unless necessary. If this option is
# specified, then RKH will assume the O/S release information is on the
# first non-blank line of the file.
#
# {{ ansible_distribution|lower }}
OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release
#
# The following two options can be used to whitelist files and directories
# that would normally be flagged with a warning during the rootkit checks.
# If the file or directory name contains a space, then the percent character
# ('%') must be used instead. Only existing files and directories can be
# specified.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""
#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
# command, then the following two options can be used. The value must be
# set to 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN
INSTALLDIR=/usr
SCRIPTWHITELIST=/usr/bin/whatis
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/GET
SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown


@ -1,11 +0,0 @@
# System configuration file for Rootkit Hunter which
# stores RPM system specifics for cron run, etc.
#
# MAILTO= <email address to send scan report>
# DIAG_SCAN= no - perform normal report scan
# yes - perform detailed report scan
# (includes application check)
MAILTO=smooge@fedoraproject.org,kevin@fedoraproject.org
DIAG_SCAN=no