Migrate a bunch of things to roles. Thanks to misc!
parent
16ce004157
commit
8e2ec48cc0
55 changed files with 138 additions and 108 deletions
|
@ -1,27 +0,0 @@
|
|||
# We mustn't block localhost
|
||||
127.0.0.1
|
||||
|
||||
#bastion
|
||||
10.5.126.11
|
||||
10.5.126.12
|
||||
#lockbox
|
||||
10.5.126.23
|
||||
# don't block lockbox's remote addr, either
|
||||
209.132.181.6
|
||||
|
||||
#noc1
|
||||
noc1.phx2.fedoraproject.org
|
||||
10.5.126.41
|
||||
192.168.1.10
|
||||
|
||||
# RDU NAT
|
||||
66.187.233.202
|
||||
66.187.233.206
|
||||
# RH NAT
|
||||
66.187.230.200
|
||||
# PHX2 NAT
|
||||
209.132.181.102
|
||||
# tlv RHT NAT
|
||||
66.187.237.10
|
||||
# brno RHT NAT
|
||||
209.132.186.34
|
|
@ -1,626 +0,0 @@
|
|||
############ THESE SETTINGS ARE REQUIRED ############
|
||||
|
||||
########################################################################
|
||||
#
|
||||
# SECURE_LOG: the log file that contains sshd logging info
|
||||
# if you are not sure, grep "sshd:" /var/log/*
|
||||
#
|
||||
# The file to process can be overridden with the --file command line
|
||||
# argument
|
||||
#
|
||||
# Redhat or Fedora Core:
|
||||
SECURE_LOG = /var/log/secure
|
||||
#
|
||||
# Mandrake, FreeBSD or OpenBSD:
|
||||
#SECURE_LOG = /var/log/auth.log
|
||||
#
|
||||
# SuSE:
|
||||
#SECURE_LOG = /var/log/messages
|
||||
#
|
||||
# Mac OS X (v10.4 or greater -
|
||||
# also refer to: http://www.denyhosts.net/faq.html#macos
|
||||
#SECURE_LOG = /private/var/log/asl.log
|
||||
#
|
||||
# Mac OS X (v10.3 or earlier):
|
||||
#SECURE_LOG=/private/var/log/system.log
|
||||
#
|
||||
########################################################################
|
||||
|
||||
########################################################################
|
||||
#
|
||||
# HOSTS_DENY: the file which contains restricted host access information
|
||||
#
|
||||
# Most operating systems:
|
||||
HOSTS_DENY = /etc/hosts.deny
|
||||
#
|
||||
# Some BSD (FreeBSD) Unixes:
|
||||
#HOSTS_DENY = /etc/hosts.allow
|
||||
#
|
||||
# Another possibility (also see the next option):
|
||||
#HOSTS_DENY = /etc/hosts.evil
|
||||
#######################################################################
|
||||
|
||||
|
||||
########################################################################
|
||||
#
|
||||
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
|
||||
# when DenyHosts is invoked with the --purge flag
|
||||
#
|
||||
# format is: i[dhwmy]
|
||||
# Where 'i' is an integer (eg. 7)
|
||||
# 'm' = minutes
|
||||
# 'h' = hours
|
||||
# 'd' = days
|
||||
# 'w' = weeks
|
||||
# 'y' = years
|
||||
#
|
||||
# never purge:
|
||||
#PURGE_DENY =
|
||||
#
|
||||
# purge entries older than 1 week
|
||||
#PURGE_DENY = 1w
|
||||
#
|
||||
# purge entries older than 5 days
|
||||
#PURGE_DENY = 5d
|
||||
#
|
||||
# For the default Fedora Extras install, we want timestamping but no
|
||||
# expiration (at least by default) so this is deliberately set high.
|
||||
# Adjust to taste.
|
||||
PURGE_DENY = 4w
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# PURGE_THRESHOLD: defines the maximum times a host will be purged.
|
||||
# Once this value has been exceeded then this host will not be purged.
|
||||
# Setting this parameter to 0 (the default) disables this feature.
|
||||
#
|
||||
# default: a denied host can be purged/re-added indefinitely
|
||||
PURGE_THRESHOLD = 4
|
||||
#
|
||||
# a denied host will be purged at most 2 times.
|
||||
#PURGE_THRESHOLD = 2
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
|
||||
#
|
||||
# man 5 hosts_access for details
|
||||
#
|
||||
# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
|
||||
#
|
||||
# To block all services for the offending host:
|
||||
#BLOCK_SERVICE = ALL
|
||||
# To block only sshd:
|
||||
BLOCK_SERVICE = sshd
|
||||
# To only record the offending host and nothing else (if using
|
||||
# an auxilary file to list the hosts). Refer to:
|
||||
# http://denyhosts.sourceforge.net/faq.html#aux
|
||||
#BLOCK_SERVICE =
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
|
||||
# attempts has exceeded this value. This value applies to invalid
|
||||
# user login attempts (eg. non-existent user accounts)
|
||||
#
|
||||
DENY_THRESHOLD_INVALID = 15
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# DENY_THRESHOLD_VALID: block each host after the number of failed
|
||||
# login attempts has exceeded this value. This value applies to valid
|
||||
# user login attempts (eg. user accounts that exist in /etc/passwd) except
|
||||
# for the "root" user
|
||||
#
|
||||
DENY_THRESHOLD_VALID = 15
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# DENY_THRESHOLD_ROOT: block each host after the number of failed
|
||||
# login attempts has exceeded this value. This value applies to
|
||||
# "root" user login attempts only.
|
||||
#
|
||||
DENY_THRESHOLD_ROOT = 5
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
|
||||
# login attempts has exceeded this value. This value applies to
|
||||
# usernames that appear in the WORK_DIR/restricted-usernames file only.
|
||||
#
|
||||
DENY_THRESHOLD_RESTRICTED = 1
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# WORK_DIR: the path that DenyHosts will use for writing data to
|
||||
# (it will be created if it does not already exist).
|
||||
#
|
||||
# Note: it is recommended that you use an absolute pathname
|
||||
# for this value (eg. /home/foo/denyhosts/data)
|
||||
#
|
||||
WORK_DIR = /var/lib/denyhosts
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
|
||||
#
|
||||
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
|
||||
# If set to YES, if a suspicious login attempt results from an allowed-host
|
||||
# then it is considered suspicious. If this is NO, then suspicious logins
|
||||
# from allowed-hosts will not be reported. All suspicious logins from
|
||||
# ip addresses that are not in allowed-hosts will always be reported.
|
||||
#
|
||||
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# HOSTNAME_LOOKUP
|
||||
#
|
||||
# HOSTNAME_LOOKUP=YES|NO
|
||||
# If set to YES, for each IP address that is reported by Denyhosts,
|
||||
# the corresponding hostname will be looked up and reported as well
|
||||
# (if available).
|
||||
#
|
||||
HOSTNAME_LOOKUP=YES
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# LOCK_FILE
|
||||
#
|
||||
# LOCK_FILE=/path/denyhosts
|
||||
# If this file exists when DenyHosts is run, then DenyHosts will exit
|
||||
# immediately. Otherwise, this file will be created upon invocation
|
||||
# and deleted upon exit. This ensures that only one instance is
|
||||
# running at a time.
|
||||
#
|
||||
# Redhat/Fedora:
|
||||
LOCK_FILE = /var/lock/subsys/denyhosts
|
||||
#
|
||||
# Debian
|
||||
#LOCK_FILE = /var/run/denyhosts.pid
|
||||
#
|
||||
# Misc
|
||||
#LOCK_FILE = /tmp/denyhosts.lock
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
############ THESE SETTINGS ARE OPTIONAL ############
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# ADMIN_EMAIL: if you would like to receive emails regarding newly
|
||||
# restricted hosts and suspicious logins, set this address to
|
||||
# match your email address. If you do not want to receive these reports
|
||||
# leave this field blank (or run with the --noemail option)
|
||||
#
|
||||
# Multiple email addresses can be delimited by a comma, eg:
|
||||
# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
|
||||
#
|
||||
# ADMIN_EMAIL = ausil@fedoraproject.org
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
|
||||
# reports (see ADMIN_EMAIL) then these settings specify the
|
||||
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
|
||||
#
|
||||
#
|
||||
# THEMOVE FIXME this needs to work from external non-VPN machines.
|
||||
SMTP_HOST = bastion
|
||||
SMTP_PORT = 25
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
|
||||
# smtp email server requires authentication
|
||||
#
|
||||
#SMTP_USERNAME=foo
|
||||
#SMTP_PASSWORD=bar
|
||||
#
|
||||
######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SMTP_FROM: you can specify the "From:" address in messages sent
|
||||
# from DenyHosts when it reports thwarted abuse attempts
|
||||
#
|
||||
SMTP_FROM = DenyHosts <denyhosts@fedoraproject.org>
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
|
||||
# by DenyHosts when it reports thwarted abuse attempts
|
||||
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
|
||||
#
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
|
||||
# when sending email messages.
|
||||
#
|
||||
# for possible values for this parameter refer to: man strftime
|
||||
#
|
||||
# the default:
|
||||
#
|
||||
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
|
||||
#
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# SYSLOG_REPORT
|
||||
#
|
||||
# SYSLOG_REPORT=YES|NO
|
||||
# If set to yes, when denied hosts are recorded the report data
|
||||
# will be sent to syslog (syslog must be present on your system).
|
||||
# The default is: NO
|
||||
#
|
||||
#SYSLOG_REPORT=NO
|
||||
#
|
||||
#SYSLOG_REPORT=YES
|
||||
#
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# ALLOWED_HOSTS_HOSTNAME_LOOKUP
|
||||
#
|
||||
# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
|
||||
# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
|
||||
# the hostname will be looked up. If your versions of tcp_wrappers
|
||||
# and sshd sometimes log hostnames in addition to ip addresses
|
||||
# then you may wish to specify this option.
|
||||
#
|
||||
#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
|
||||
#
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# AGE_RESET_VALID: Specifies the period of time between failed login
|
||||
# attempts that, when exceeded will result in the failed count for
|
||||
# this host to be reset to 0. This value applies to login attempts
|
||||
# to all valid users (those within /etc/passwd) with the
|
||||
# exception of root. If not defined, this count will never
|
||||
# be reset.
|
||||
#
|
||||
# See the comments in the PURGE_DENY section (above)
|
||||
# for details on specifying this value or for complete details
|
||||
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
|
||||
#
|
||||
AGE_RESET_VALID=5d
|
||||
#
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# AGE_RESET_ROOT: Specifies the period of time between failed login
|
||||
# attempts that, when exceeded will result in the failed count for
|
||||
# this host to be reset to 0. This value applies to all login
|
||||
# attempts to the "root" user account. If not defined,
|
||||
# this count will never be reset.
|
||||
#
|
||||
# See the comments in the PURGE_DENY section (above)
|
||||
# for details on specifying this value or for complete details
|
||||
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
|
||||
#
|
||||
AGE_RESET_ROOT=25d
|
||||
#
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
|
||||
# attempts that, when exceeded will result in the failed count for
|
||||
# this host to be reset to 0. This value applies to all login
|
||||
# attempts to entries found in the WORK_DIR/restricted-usernames file.
|
||||
# If not defined, the count will never be reset.
|
||||
#
|
||||
# See the comments in the PURGE_DENY section (above)
|
||||
# for details on specifying this value or for complete details
|
||||
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
|
||||
#
|
||||
AGE_RESET_RESTRICTED=25d
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# AGE_RESET_INVALID: Specifies the period of time between failed login
|
||||
# attempts that, when exceeded will result in the failed count for
|
||||
# this host to be reset to 0. This value applies to login attempts
|
||||
# made to any invalid username (those that do not appear
|
||||
# in /etc/passwd). If not defined, count will never be reset.
|
||||
#
|
||||
# See the comments in the PURGE_DENY section (above)
|
||||
# for details on specifying this value or for complete details
|
||||
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
|
||||
#
|
||||
AGE_RESET_INVALID=10d
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
|
||||
# failed count for the respective ip address will be reset to 0
|
||||
# if the login is successful.
|
||||
#
|
||||
# The default is RESET_ON_SUCCESS = no
|
||||
#
|
||||
RESET_ON_SUCCESS = yes
|
||||
#
|
||||
#####################################################################
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# PLUGIN_DENY: If set, this value should point to an executable
|
||||
# program that will be invoked when a host is added to the
|
||||
# HOSTS_DENY file. This executable will be passed the host
|
||||
# that will be added as it's only argument.
|
||||
#
|
||||
#PLUGIN_DENY=/usr/bin/true
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# PLUGIN_PURGE: If set, this value should point to an executable
|
||||
# program that will be invoked when a host is removed from the
|
||||
# HOSTS_DENY file. This executable will be passed the host
|
||||
# that is to be purged as it's only argument.
|
||||
#
|
||||
#PLUGIN_PURGE=/usr/bin/true
|
||||
#
|
||||
######################################################################
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
|
||||
# a regular expression that can be used to identify additional
|
||||
# hackers for your particular ssh configuration. This functionality
|
||||
# extends the built-in regular expressions that DenyHosts uses.
|
||||
# This parameter can be specified multiple times.
|
||||
# See this faq entry for more details:
|
||||
# http://denyhosts.sf.net/faq.html#userdef_regex
|
||||
#
|
||||
#USERDEF_FAILED_ENTRY_REGEX=
|
||||
#
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
|
||||
|
||||
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
|
||||
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
|
||||
# this is the logfile that DenyHosts uses to report it's status.
|
||||
# To disable logging, leave blank. (default is: /var/log/denyhosts)
|
||||
#
|
||||
DAEMON_LOG = /var/log/denyhosts
|
||||
#
|
||||
# disable logging:
|
||||
#DAEMON_LOG =
|
||||
#
|
||||
######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
|
||||
# (--daemon flag) this specifies the timestamp format of
|
||||
# the DAEMON_LOG messages (default is the ISO8061 format:
|
||||
# ie. 2005-07-22 10:38:01,745)
|
||||
#
|
||||
# for possible values for this parameter refer to: man strftime
|
||||
#
|
||||
# Jan 1 13:05:59
|
||||
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
|
||||
#
|
||||
# Jan 1 01:05:59
|
||||
#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
|
||||
#
|
||||
######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
|
||||
# (--daemon flag) this specifies the message format of each logged
|
||||
# entry. By default the following format is used:
|
||||
#
|
||||
# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
|
||||
#
|
||||
# Where the "%(asctime)s" portion is expanded to the format
|
||||
# defined by DAEMON_LOG_TIME_FORMAT
|
||||
#
|
||||
# This string is passed to python's logging.Formatter contstuctor.
|
||||
# For details on the possible format types please refer to:
|
||||
# http://docs.python.org/lib/node357.html
|
||||
#
|
||||
# This is the default:
|
||||
#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
|
||||
#
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
|
||||
# this is the amount of time DenyHosts will sleep between polling
|
||||
# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
|
||||
# for details on specifying this value or for complete details
|
||||
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
|
||||
#
|
||||
#
|
||||
DAEMON_SLEEP = 30s
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
|
||||
# run the purge mechanism to expire old entries in HOSTS_DENY
|
||||
# This has no effect if PURGE_DENY is blank.
|
||||
#
|
||||
DAEMON_PURGE = 1h
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
|
||||
######### THESE SETTINGS ARE SPECIFIC TO ##########
|
||||
######### DAEMON SYNCHRONIZATION ##########
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# Synchronization mode allows the DenyHosts daemon the ability
|
||||
# to periodically send and receive denied host data such that
|
||||
# DenyHosts daemons worldwide can automatically inform one
|
||||
# another regarding banned hosts. This mode is disabled by
|
||||
# default, you must uncomment SYNC_SERVER to enable this mode.
|
||||
#
|
||||
# for more information, please refer to:
|
||||
# http:/denyhosts.sourceforge.net/faq.html#sync
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SYNC_SERVER: The central server that communicates with DenyHost
|
||||
# daemons. Currently, denyhosts.net is the only available server
|
||||
# however, in the future, it may be possible for organizations to
|
||||
# install their own server for internal network synchronization
|
||||
#
|
||||
# To disable synchronization (the default), do nothing.
|
||||
#
|
||||
# To enable synchronization, you must uncomment the following line:
|
||||
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SYNC_INTERVAL: the interval of time to perform synchronizations if
|
||||
# SYNC_SERVER has been uncommented. The default is 1 hour.
|
||||
#
|
||||
SYNC_INTERVAL = 1h
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
|
||||
# been denied? This option only applies if SYNC_SERVER has
|
||||
# been uncommented.
|
||||
# The default is SYNC_UPLOAD = yes
|
||||
#
|
||||
#SYNC_UPLOAD = no
|
||||
#SYNC_UPLOAD = yes
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
|
||||
# been denied by others? This option only applies if SYNC_SERVER has
|
||||
# been uncommented.
|
||||
# The default is SYNC_DOWNLOAD = yes
|
||||
#
|
||||
#SYNC_DOWNLOAD = no
|
||||
#SYNC_DOWNLOAD = yes
|
||||
#
|
||||
#
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
|
||||
# filters the returned hosts to those that have been blocked this many
|
||||
# times by others. That is, if set to 1, then if a single DenyHosts
|
||||
# server has denied an ip address then you will receive the denied host.
|
||||
#
|
||||
# See also SYNC_DOWNLOAD_RESILIENCY
|
||||
#
|
||||
#SYNC_DOWNLOAD_THRESHOLD = 10
|
||||
#
|
||||
# The default is SYNC_DOWNLOAD_THRESHOLD = 3
|
||||
#
|
||||
#SYNC_DOWNLOAD_THRESHOLD = 3
|
||||
#
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the
|
||||
# value specified for this option limits the downloaded data
|
||||
# to this resiliency period or greater.
|
||||
#
|
||||
# Resiliency is defined as the timespan between a hackers first known
|
||||
# attack and it's most recent attack. Example:
|
||||
#
|
||||
# If the centralized denyhosts.net server records an attack at 2 PM
|
||||
# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
|
||||
# will not download this ip address.
|
||||
#
|
||||
# However, if the attacker is recorded again at 6:15 PM then the
|
||||
# ip address will be downloaded by your DenyHosts instance.
|
||||
#
|
||||
# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
|
||||
# and only hosts that satisfy both values will be downloaded.
|
||||
# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
|
||||
#
|
||||
# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
|
||||
#
|
||||
# Only obtain hackers that have been at it for 2 days or more:
|
||||
#SYNC_DOWNLOAD_RESILIENCY = 2d
|
||||
#
|
||||
# Only obtain hackers that have been at it for 5 hours or more:
|
||||
#SYNC_DOWNLOAD_RESILIENCY = 5h
|
||||
#
|
||||
#######################################################################
|
||||
|
|
@ -1 +0,0 @@
|
|||
*/10 * * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 180)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"
|
|
@ -1,92 +0,0 @@
|
|||
[global]
|
||||
; url - Location to fas server
|
||||
url = https://admin.fedoraproject.org/accounts/
|
||||
|
||||
; temp - Location to generate files while user creation process is happening
|
||||
temp = /var/db
|
||||
|
||||
; login - username to contact fas
|
||||
login = {{ fedorathirdpartyUser }}
|
||||
|
||||
; password - password for login name
|
||||
password = {{ fedorathirdpartyPassword }}
|
||||
|
||||
; prefix - install to a location other than /
|
||||
prefix = /
|
||||
|
||||
; modefile - Location of a file containing saved home directory modes
|
||||
modefile = /var/lib/fas/client_dir_perms
|
||||
|
||||
; cla_group - Group for CLA requirements
|
||||
cla_group = cla_done
|
||||
|
||||
[host]
|
||||
; Group hierarchy is 1) groups, 2) restricted_groups 3) ssh_restricted_groups
|
||||
; so if someone is in all 3, the client behaves the same as if they were just
|
||||
; in 'groups'
|
||||
|
||||
; groups that should have a shell account on this system.
|
||||
{% if fas_client_groups %}
|
||||
groups = sysadmin-main,{{ fas_client_groups }}
|
||||
{% else %}
|
||||
groups = sysadmin-main
|
||||
{% endif %}
|
||||
|
||||
; groups that should have a restricted account on this system.
|
||||
; restricted accounts use the restricted_shell value in [users]
|
||||
restricted_groups =
|
||||
|
||||
; ssh_restricted_groups: groups that should be restricted by ssh key. You will
|
||||
; need to disable password based logins in order for this value to have any
|
||||
; security meaning. Group types can be placed here as well, for example
|
||||
; @hg,@git,@svn
|
||||
{% if fas_client_ssh_groups %}
|
||||
ssh_restricted_groups = {{ fas_client_ssh_groups }}
|
||||
{% else %}
|
||||
ssh_restricted_groups =
|
||||
{% endif %}
|
||||
|
||||
; aliases_template: Gets prepended to the aliases file when it is generated by
|
||||
; fasClient
|
||||
aliases_template = /etc/aliases.template
|
||||
|
||||
[users]
|
||||
; default shell given to people in [host] groups
|
||||
shell = /bin/bash
|
||||
|
||||
; home - the location for fas user home dirs
|
||||
home = /home/fedora
|
||||
|
||||
; home_backup_dir - Location home dirs should get moved to when a user is
|
||||
; deleted this location should be tmpwatched
|
||||
home_backup_dir = /home/fedora.bak
|
||||
|
||||
; ssh_restricted_app - This is the path to the restricted shell script. It
|
||||
; will not work automatically for most people though through alterations it
|
||||
; is a powerfull way to restrict access to a machine. An alternative example
|
||||
; could be given to people who should only have cvs access on the machine.
|
||||
; setting this value to "/usr/bin/cvs server" would do this.
|
||||
{% if fas_client_restricted_app %}
|
||||
ssh_restricted_app = {{ fas_client_restricted_app }}
|
||||
{% else %}
|
||||
ssh_restricted_app =
|
||||
{% endif %}
|
||||
|
||||
; ssh_admin_app - This is the path to an app that an admin is allowed to use.
|
||||
{% if fas_client_admin_app %}
|
||||
ssh_admin_app = {{ fas_client_admin_app }}
|
||||
{% else %}
|
||||
ssh_admin_app =
|
||||
{% endif %}
|
||||
|
||||
; restricted_shell - The shell given to users in the ssh_restricted_groups
|
||||
restricted_shell = /sbin/nologin
|
||||
|
||||
; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
|
||||
ssh_restricted_shell = /bin/bash
|
||||
|
||||
; ssh_key_options - Options to be appended to people ssh keys. Users in the
|
||||
; ssh_restricted_groups will have the keys they uploaded altered when they are
|
||||
; installed on this machine, appended with the options below.
|
||||
ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
# /etc/nsswitch.conf
|
||||
#
|
||||
# An example Name Service Switch config file. This file should be
|
||||
# sorted with the most-used services at the beginning.
|
||||
#
|
||||
# The entry '[NOTFOUND=return]' means that the search for an
|
||||
# entry should stop if the search in the previous entry turned
|
||||
# up nothing. Note that if the search failed due to some other reason
|
||||
# (like no NIS server responding) then the search continues with the
|
||||
# next entry.
|
||||
#
|
||||
# Legal entries are:
|
||||
#
|
||||
# nisplus or nis+ Use NIS+ (NIS version 3)
|
||||
# nis or yp Use NIS (NIS version 2), also called YP
|
||||
# dns Use DNS (Domain Name Service)
|
||||
# files Use the local files
|
||||
# db Use the local database (.db) files
|
||||
# compat Use NIS on compat mode
|
||||
# hesiod Use Hesiod for user lookups
|
||||
# [NOTFOUND=return] Stop searching if not found so far
|
||||
#
|
||||
|
||||
passwd: db files
|
||||
shadow: db files
|
||||
group: db files
|
||||
|
||||
#hosts: db files nisplus nis dns
|
||||
hosts: files dns
|
||||
|
||||
bootparams: nisplus [NOTFOUND=return] files
|
||||
|
||||
ethers: files
|
||||
netmasks: files
|
||||
networks: files
|
||||
protocols: files
|
||||
rpc: files
|
||||
services: files
|
||||
|
||||
netgroup: files
|
||||
|
||||
publickey: nisplus
|
||||
|
||||
automount: files
|
||||
aliases: files nisplus
|
|
@ -1,2 +0,0 @@
|
|||
# cron job to sync the geoip data files
|
||||
0 1 4 * * root /usr/local/bin/syncFiles.sh bigfiles/geoip /usr/share/GeoIP
|
|
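--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,44 +0,0 @@
-Alias /mirrorlists /var/lib/mirrormanager/mirrorlists/
-Alias /publiclist /var/lib/mirrormanager/mirrorlists/publiclist/
-Alias /static /var/lib/mirrormanager/mirrorlists/static/
-
-<Directory /var/lib/mirrormanager/mirrorlists>
-Options Indexes FollowSymLinks
-ExpiresActive On
-ExpiresDefault "modification plus 1 day"
-</Directory>
-
-WSGIDaemonProcess mirrorlist user=apache processes=45 threads=1 display-name=mirrorlist maximum-requests=1000
-
-WSGIScriptAlias /metalink /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi
-WSGIScriptAlias /mirrorlist /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi
-
-# Set this if you do not have a Reverse Proxy (HTTP Accelerator) that
-# is in front of your application server running this code.
-# SetEnv mirrorlist_client.noreverseproxy 1
-
-<Location /mirrorlist>
-WSGIProcessGroup mirrorlist
-<IfModule mod_authz_core.c>
-# Apache 2.4
-Require all granted
-</IfModule>
-<IfModule !mod_authz_core.c>
-# Apache 2.2
-Order deny,allow
-Allow from all
-</IfModule>
-</Location>
-
-<Location /metalink>
-WSGIProcessGroup mirrorlist
-<IfModule mod_authz_core.c>
-# Apache 2.4
-Require all granted
-</IfModule>
-<IfModule !mod_authz_core.c>
-# Apache 2.2
-Order deny,allow
-Allow from all
-</IfModule>
-</Location>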
@ -1 +0,0 @@
|
|||
ssh-rsa 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 toshio@puppet1.fedora.phx.redhat.com
|
|
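--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-rsync -az --delete-delay --delay-updates --delete mirrormanager@bapp02:/var/lib/mirrormanager/ /var/lib/mirrormanager/
-kill -HUP $(cat /var/run/mirrormanager/mirrorlist_server.pid)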
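--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,67 +0,0 @@
-
-[supervisord]
-http_port=/var/tmp/supervisor.sock ; (default is to run a UNIX domain socket server)
-;http_port=127.0.0.1:9001 ; (alternately, ip_address:port specifies AF_INET)
-;sockchmod=0700 ; AF_UNIX socketmode (AF_INET ignore, default 0700)
-;sockchown=nobody.nogroup ; AF_UNIX socket uid.gid owner (AF_INET ignores)
-;umask=022 ; (process file creation umask;default 022)
-logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
-logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
-logfile_backups=10 ; (num of main logfile rotation backups;default 10)
-loglevel=info ; (logging level;default info; others: debug,warn)
-pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
-nodaemon=false ; (start in foreground if true;default false)
-minfds=1024 ; (min. avail startup file descriptors;default 1024)
-minprocs=200 ; (min. avail process descriptors;default 200)
-
-;nocleanup=true ; (don't clean up tempfiles at start;default false)
-;http_username=user ; (default is no username (open system))
-;http_password=123 ; (default is no password (open system))
-;childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP)
-;user=chrism ; (default is current user, required if root)
-;directory=/tmp ; (default is not to cd during start)
-;environment=KEY=value ; (key value pairs to add to environment)
-
-[supervisorctl]
-serverurl=unix:///var/tmp/supervisor.sock ; use a unix:// URL for a unix socket
-;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
-;username=chris ; should be same as http_username if set
-;password=123 ; should be same as http_password if set
-;prompt=mysupervisor ; cmd line prompt (default "supervisor")
-
-; The below sample program section shows all possible program subsection values,
-; create one or more 'real' program: sections to be able to control them under
-; supervisor.
-
-;[program:theprogramname]
-;command=/bin/cat ; the program (relative uses PATH, can take args)
-;priority=999 ; the relative start priority (default 999)
-;autostart=true ; start at supervisord start (default: true)
-;autorestart=true ; retstart at unexpected quit (default: true)
-;startsecs=10 ; number of secs prog must stay running (def. 10)
-;startretries=3 ; max # of serial start failures (default 3)
-;exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
-;stopsignal=QUIT ; signal used to kill process (default TERM)
-;stopwaitsecs=10 ; max num secs to wait before SIGKILL (default 10)
-;user=chrism ; setuid to this UNIX account to run the program
-;log_stdout=true ; if true, log program stdout (default true)
-;log_stderr=true ; if true, log program stderr (def false)
-;logfile=/var/log/cat.log ; child log path, use NONE for none; default AUTO
-;logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
-;logfile_backups=10 ; # of logfile backups (default 10)
-
-[program:mirrorlist_server]
-command=/usr/share/mirrormanager/mirrorlist-server/mirrorlist_server.py
-priority=1
-autostart=true
-autorestart=true
-startsecs=10
-startretries=5
-stopsignal=TERM
-stopwaitsecs=10
-user=mirrormanager
-log_stderr=true
-log_stdout=true
-logfile=/var/log/mirrormanager/mirrorlist-server.log
-logfile_maxbytes=50MB
-logfile_backups=10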
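--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +0,0 @@
-command[check_cron]=/usr/lib64/nagios/plugins/check_procs -c 1:10 -C 'crond' -u root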
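--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,2 +0,0 @@
-command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
-command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /boot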
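--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +0,0 @@
-command[check_lock]=/usr/lib64/nagios/plugins/check_lock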
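--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +0,0 @@
-command[check_mirrorlist_cache]=/usr/lib64/nagios/plugins/check_file_age -w 14400 -c 129600 -f /var/lib/mirrormanager/mirrorlist_cache.pkl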
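--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +0,0 @@
-command[check_postfix_queue]=/usr/lib64/nagios/plugins/check_postfix_queue -w 2 -c 5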
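--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +0,0 @@
-command[check_raid]=/usr/lib64/nagios/plugins/check_raid.py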
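--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +0,0 @@
-command[check_swap]=/usr/lib64/nagios/plugins/check_swap -w 15% -c 10%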
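--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,223 +0,0 @@
-#############################################################################
-# Sample NRPE Config File
-# Written by: Ethan Galstad (nagios@nagios.org)
-#
-# Last Modified: 11-23-2007
-#
-# NOTES:
-# This is a sample configuration file for the NRPE daemon. It needs to be
-# located on the remote host that is running the NRPE daemon, not the host
-# from which the check_nrpe client is being executed.
-#############################################################################
-
-
-# LOG FACILITY
-# The syslog facility that should be used for logging purposes.
-
-log_facility=daemon
-
-
-
-# PID FILE
-# The name of the file in which the NRPE daemon should write it's process ID
-# number. The file is only written if the NRPE daemon is started by the root
-# user and is running in standalone mode.
-
-pid_file=/var/run/nrpe/nrpe.pid
-
-
-
-# PORT NUMBER
-# Port number we should wait for connections on.
-# NOTE: This must be a non-priviledged port (i.e. > 1024).
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-server_port=5666
-
-
-
-# SERVER ADDRESS
-# Address that nrpe should bind to in case there are more than one interface
-# and you do not want nrpe to bind on all interfaces.
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-#server_address=127.0.0.1
-
-
-
-# NRPE USER
-# This determines the effective user that the NRPE daemon should run as.
-# You can either supply a username or a UID.
-#
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-nrpe_user=nrpe
-
-
-
-# NRPE GROUP
-# This determines the effective group that the NRPE daemon should run as.
-# You can either supply a group name or a GID.
-#
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-nrpe_group=nrpe
-
-
-
-# ALLOWED HOST ADDRESSES
-# This is an optional comma-delimited list of IP address or hostnames
-# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
-# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
-# supported.
-#
-# Note: The daemon only does rudimentary checking of the client's IP
-# address. I would highly recommend adding entries in your /etc/hosts.allow
-# file to allow only the specified host to connect to the port
-# you are running this daemon on.
-#
-# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
-
-
-allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35
-
-
-
-# COMMAND ARGUMENT PROCESSING
-# This option determines whether or not the NRPE daemon will allow clients
-# to specify arguments to commands that are executed. This option only works
-# if the daemon was configured with the --enable-command-args configure script
-# option.
-#
-# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
-# Read the SECURITY file for information on some of the security implications
-# of enabling this variable.
-#
-# Values: 0=do not allow arguments, 1=allow command arguments
-
-dont_blame_nrpe=0
-
-
-
-# COMMAND PREFIX
-# This option allows you to prefix all commands with a user-defined string.
-# A space is automatically added between the specified prefix string and the
-# command line from the command definition.
-#
-# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
-# Usage scenario:
-# Execute restricted commmands using sudo. For this to work, you need to add
-# the nagios user to your /etc/sudoers. An example entry for alllowing
-# execution of the plugins from might be:
-#
-# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
-#
-# This lets the nagios user run all commands in that directory (and only them)
-# without asking for a password. If you do this, make sure you don't give
-# random users write access to that directory or its contents!
-
-# command_prefix=/usr/bin/sudo
-
-
-
-# DEBUGGING OPTION
-# This option determines whether or not debugging messages are logged to the
-# syslog facility.
-# Values: 0=debugging off, 1=debugging on
-
-debug=0
-
-
-
-# COMMAND TIMEOUT
-# This specifies the maximum number of seconds that the NRPE daemon will
-# allow plugins to finish executing before killing them off.
-
-command_timeout=60
-
-
-
-# CONNECTION TIMEOUT
-# This specifies the maximum number of seconds that the NRPE daemon will
-# wait for a connection to be established before exiting. This is sometimes
-# seen where a network problem stops the SSL being established even though
-# all network sessions are connected. This causes the nrpe daemons to
-# accumulate, eating system resources. Do not set this too low.
-
-connection_timeout=300
-
-
-
-# WEEK RANDOM SEED OPTION
-# This directive allows you to use SSL even if your system does not have
-# a /dev/random or /dev/urandom (on purpose or because the necessary patches
-# were not applied). The random number generator will be seeded from a file
-# which is either a file pointed to by the environment valiable $RANDFILE
-# or $HOME/.rnd. If neither exists, the pseudo random number generator will
-# be initialized and a warning will be issued.
-# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
-
-#allow_weak_random_seed=1
-
-
-
-# INCLUDE CONFIG FILE
-# This directive allows you to include definitions from an external config file.
-
-#include=<somefile.cfg>
-
-
-
-# INCLUDE CONFIG DIRECTORY
-# This directive allows you to include definitions from config files (with a
-# .cfg extension) in one or more directories (with recursion).
-
-include_dir=/etc/nrpe.d/
-
-
-
-# COMMAND DEFINITIONS
-# Command definitions that this daemon will run. Definitions
-# are in the following format:
-#
-# command[<command_name>]=<command_line>
-#
-# When the daemon receives a request to return the results of <command_name>
-# it will execute the command specified by the <command_line> argument.
-#
-# Unlike Nagios, the command line cannot contain macros - it must be
-# typed exactly as it should be executed.
-#
-# Note: Any plugins that are used in the command lines must reside
-# on the machine that this daemon is running on! The examples below
-# assume that you have plugins installed in a /usr/local/nagios/libexec
-# directory. Also note that you will have to modify the definitions below
-# to match the argument format the plugins expect. Remember, these are
-# examples only!
-
-
-# The following examples use hardcoded command arguments...
-
-command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
-command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
-command[check_hda1]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
-command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
-command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w {{ nrpe_procs_warn }} -c {{ nrpe_procs_crit }}
-
-
-# The following examples allow user-supplied arguments and can
-# only be used if the NRPE daemon was compiled with support for
-# command arguments *AND* the dont_blame_nrpe directive in this
-# config file is set to '1'. This poses a potential security risk, so
-# make sure you read the SECURITY file before doing this.
-
-#command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
-#command[check_load]=/usr/lib64/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
-#command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
-#command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
-
-
-# NEVER ADD ANYTHING HERE - ANY ENTRIES TO NRPE SHOULD BE in .cfg files in /etc/nrpe.d/
-
-# NEVER NEVER NEVER
-#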
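--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,17 +0,0 @@
-#!/usr/bin/python
-
-import fcntl
-import sys
-
-try:
-f = open('/mnt/koji/.nagios_test', 'r')
-f.close()
-f = open('/mnt/koji/.nagios_test', 'w')
-except IOError:
-print "Could not create file"
-sys.exit(2)
-
-fcntl.flock(f, fcntl.LOCK_EX)
-f.close()
-print "File Locked Successfully"
-sys.exit(0)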
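--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,49 +0,0 @@
-#!/bin/bash
-#
-# 19-07-2010
-# Author: Cherwin Nooitmeer <cherwin@gmail.com>
-#
-
-# exit codes
-e_ok=0
-e_warning=1
-e_critical=2
-e_unknown=3
-
-# regular expression that matches queue IDs (e.g. D71EF7AC80F8)
-queue_id='^[A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]'
-
-usage="Invalid command line usage"
-
-if [ -z $1 ]; then
-echo $usage
-exit $e_unknown
-fi
-
-while getopts ":w:c:" options
-do
-case $options in
-w ) warning=$OPTARG ;;
-c ) critical=$OPTARG ;;
-* ) echo $usage
-exit $e_unknown ;;
-esac
-done
-
-# determine queue size
-qsize=$(mailq | egrep -c $queue_id)
-if [ -z $qsize ]
-then
-exit $e_unknown
-fi
-
-if [ $qsize -ge $critical ]; then
-retval=$e_critical
-elif [ $qsize -ge $warning ]; then
-retval=$e_warning
-elif [ $qsize -lt $warning ]; then
-retval=$e_ok
-fi
-
-echo "$qsize mail(s) in queue | mail_queue=$qsize"
-exit $retval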
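--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,45 +0,0 @@
-#!/usr/bin/env python
-#
-# very simple python script to parse out /proc/mdstat
-# and give results for nagios to monitor
-#
-
-import sys
-import string
-
-devices = []
-
-try:
-mdstat = string.split(open('/proc/mdstat').read(), '\n')
-except IOError:
-# seems we have no software raid on this machines
-sys.exit(0)
-
-error = ""
-i = 0
-for line in mdstat:
-if line[0:2] == 'md':
-device = string.split(line)[0]
-devices.append(device)
-status = string.split(mdstat[i+1])[3]
-if string.count(status, "_"):
-# see if we can figure out what's going on
-err = string.split(mdstat[i+2])
-msg = "device=%s status=%s" % (device, status)
-if len(err) > 0:
-msg = msg + " rebuild=%s" % err[0]
-
-if not error:
-error = msg
-else:
-error = error + ", " + msg
-i = i + 1
-
-if not error:
-print "DEVICES %s OK" % " ".join(devices)
-sys.exit(0)
-
-else:
-print error
-sys.exit(2)
-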
@ -1,590 +0,0 @@
|
|||
#
|
||||
# This is the configuration file for Rootkit Hunter.
|
||||
#
|
||||
# Please modify it to your own requirements.
|
||||
# Please review the documentation before posting bug reports or questions.
|
||||
# To report bugs, obtain updates, or provide patches or comments, please go to:
|
||||
# http://rkhunter.sourceforge.net
|
||||
#
|
||||
# To ask questions about rkhunter, please use the rkhunter-users mailing list.
|
||||
# Note this is a moderated list: please subscribe before posting.
|
||||
#
|
||||
# Lines beginning with a hash (#), and blank lines, will be ignored.
|
||||
#
|
||||
# Most of the following options need only be specified once. If
|
||||
# they appear more than once, then the last one seen will be used.
|
||||
# Some options are allowed to appear more than once, and the text
|
||||
# describing the option will say if this is so.
|
||||
#
|
||||
|
||||
#
|
||||
# If this option is set to 1, it specifies that the mirrors file, which
|
||||
# is used when the '--update' and '--versioncheck' options are used, is
|
||||
# to be rotated. Rotating the entries in the file allows a basic form
|
||||
# of load-balancing between the mirror sites whenever the above options
|
||||
# are used.
|
||||
# If the option is set to 0, then the mirrors will be treated as if in
|
||||
# a priority list. That is, the first mirror will always be used. The
|
||||
# second mirror will only be used if the first mirror fails, then the
|
||||
# third mirror will be used if the second fails and so on.
|
||||
#
|
||||
|
||||
ROTATE_MIRRORS=1
|
||||
|
||||
#
|
||||
# If this option is set to 1, it specifies that when the '--update'
|
||||
# option is used, then the mirrors file is to be checked for updates
|
||||
# as well. If the current mirrors file contains any local mirrors,
|
||||
# these will be prepended to the updated file.
|
||||
# If this option is set to 0, the mirrors file can only be updated
|
||||
# manually. This may be useful if only using local mirrors.
|
||||
#
|
||||
UPDATE_MIRRORS=1
|
||||
|
||||
#
|
||||
# The MIRRORS_MODE option tells rkhunter which mirrors are to be
|
||||
# used when the '--update' or '--versioncheck' command-line options
|
||||
# are given. Possible values are:
|
||||
# 0 - use any mirror (the default)
|
||||
# 1 - only use local mirrors
|
||||
# 2 - only use remote mirrors
|
||||
#
|
||||
# Local and remote mirrors can be defined in the mirrors.dat file
|
||||
# by using the 'local=' and 'remote=' keywords respectively.
|
||||
#
|
||||
MIRRORS_MODE=0
|
||||
|
||||
#
|
||||
# Email a message to this address if a warning is found when the
|
||||
# system is being checked. Multiple addresses may be specified
|
||||
# simply be separating them with a space.
|
||||
#
|
||||
MAIL-ON-WARNING=""
|
||||
|
||||
#
|
||||
# Specify the mail command to use if MAIL-ON-WARNING is set.
|
||||
# NOTE: Double quotes are not required around the command, but
|
||||
# are required around the subject line if it contains spaces.
|
||||
#
|
||||
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
|
||||
|
||||
#
|
||||
# Specify the temporary directory to use.
|
||||
#
|
||||
# NOTE: Do not use /tmp as your temporary directory. Some
|
||||
# important files will be written to this directory, so be
|
||||
# sure that the directory permissions are tight.
|
||||
#
|
||||
TMPDIR=/var/lib/rkhunter
|
||||
|
||||
#
|
||||
# Specify the database directory to use.
|
||||
#
|
||||
DBDIR=/var/lib/rkhunter/db
|
||||
|
||||
#
|
||||
# Specify the script directory to use.
|
||||
#
|
||||
SCRIPTDIR=/usr/share/rkhunter/scripts
|
||||
|
||||
#
|
||||
# Specify the root directory to use.
|
||||
#
|
||||
#ROOTDIR=""
|
||||
|
||||
#
|
||||
# Specify the command directories to be checked. This is a
|
||||
# space-separated list of directories.
|
||||
#
|
||||
BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
|
||||
|
||||
#
|
||||
# Specify the language to use. This should be similar
|
||||
# to the ISO 639 language code.
|
||||
#
|
||||
# NOTE: Please ensure that the language you specify is supported.
|
||||
# For a list of supported languages use the following command:
|
||||
#
|
||||
# rkhunter --lang en --list languages
|
||||
#
|
||||
#LANGUAGE=en
|
||||
|
||||
#
|
||||
# Specify the log file pathname.
|
||||
#
|
||||
LOGFILE=/var/log/rkhunter/rkhunter.log
|
||||
|
||||
#
|
||||
# Set the following option to 1 if the log file is to be appended to
|
||||
# whenever rkhunter is run.
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# Set the following option to enable the rkhunter check start and finish
|
||||
# times to be logged by syslog. Warning messages will also be logged.
|
||||
# The value of the option must be a standard syslog facility and
|
||||
# priority, separated by a dot.
|
||||
#
|
||||
# For example: USE_SYSLOG=authpriv.warning
|
||||
#
|
||||
# Setting the value to 'none', or just leaving the option commented out,
|
||||
# disables the use of syslog.
|
||||
#
|
||||
USE_SYSLOG=authpriv.notice
|
||||
|
||||
#
|
||||
# Set the following option to 1 if the second colour set is to be used.
|
||||
# This can be useful if your screen uses black characters on a white
|
||||
# background (for example, a PC instead of a server).
|
||||
#
|
||||
COLOR_SET2=0
|
||||
|
||||
#
|
||||
# Set the following option to 0 if rkhunter should not detect if X is
|
||||
# being used. If X is detected as being used, then the second colour
|
||||
# set will automatically be used.
|
||||
#
|
||||
AUTO_X_DETECT=1
|
||||
|
||||
#
|
||||
# The following option is checked against the SSH configuration file
|
||||
# 'PermitRootLogin' option. A warning will be displayed if they do not
|
||||
# match. However, if a value has not been set in the SSH configuration
|
||||
# file, then a value here of 'yes' or 'unset' will not cause a warning.
|
||||
# This option has a default value of 'no'.
|
||||
#
|
||||
ALLOW_SSH_ROOT_USER=without-password
|
||||
|
||||
#
|
||||
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
|
||||
# that theoretically it is weaker, and therefore less secure, than the
|
||||
# SSH-2 protocol. Do not modify this option unless you have good reasons
|
||||
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
|
||||
# authentication). If the 'Protocol' option has not been set in the SSH
|
||||
# configuration file, then a value of '2' may be set here in order to
|
||||
# suppress a warning message. This option has a default value of '0'.
|
||||
#
|
||||
ALLOW_SSH_PROT_V1=0
|
||||
|
||||
#
|
||||
# This setting tells rkhunter the directory containing the SSH configuration
|
||||
# file. This setting will be worked out by rkhunter, and so should not
|
||||
# usually need to be set.
|
||||
#
|
||||
#SSH_CONFIG_DIR=/etc/ssh
|
||||
|
||||
#
|
||||
# These two options determine which tests are to be performed.
|
||||
# The ENABLE_TESTS option can use the word 'all' to refer to all the
|
||||
# available tests. The DISABLE_TESTS option can use the word 'none' to
|
||||
# mean that no tests are disabled. The list of disabled tests is applied to
|
||||
# the list of enabled tests. Both options are space-separated lists of test
|
||||
# names. The currently available test names can be seen by using the command
|
||||
# 'rkhunter --list tests'.
|
||||
#
|
||||
# The program defaults are to enable all tests and disable none. However, if
|
||||
# either option is specified in this file, then it overrides the program
|
||||
# default. The supplied rkhunter.conf file has some tests already disabled,
|
||||
# and these are tests that will be used only incidentally, can be considered
|
||||
# "advanced" or those that are prone to produce more than the "average" number
|
||||
# of "false positives".
|
||||
#
|
||||
# Please read the README file for more details about enabling and disabling
|
||||
# tests, the test names, and how rkhunter behaves when these options are used.
|
||||
#
|
||||
ENABLE_TESTS="all"
|
||||
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
|
||||
|
||||
#
|
||||
# The HASH_FUNC option can be used to specify the command to use
|
||||
# for the file hash value check. It can be specified as just
|
||||
# the command name or the full pathname. Systems using prelinking
|
||||
# are restricted to using either SHA1 or MD5 functions. To get rkhunter
|
||||
# to look for the sha1(sum)/md5(sum) command, or to use the supplied
|
||||
# perl scripts, simply specify this option as 'SHA1' or 'MD5' in
|
||||
# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found.
|
||||
#
|
||||
# A value of 'NONE' (in uppercase) can be specified to indicate that
|
||||
# no hash function should be used. Rootkit Hunter will detect this and
|
||||
# automatically disable the file hash checks.
|
||||
#
|
||||
# Examples:
|
||||
# For Solaris 9 : HASH_FUNC=gmd5sum
|
||||
# For Solaris 10: HASH_FUNC=sha1sum
|
||||
# For AIX (>5.2): HASH_FUNC="csum -hMD5"
|
||||
# For NetBSD : HASH_FUNC="cksum -a sha512"
|
||||
#
|
||||
# NOTE: If the hash function is changed then you MUST run rkhunter with
|
||||
# the '--propupd' option to rebuild the file properties database.
|
||||
#
|
||||
HASH_FUNC=sha1sum
|
||||
|
||||
#
|
||||
# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
|
||||
# command output contains the hash value. The fields are assumed to
|
||||
# be space-separated. The default value is one, but for *BSD users
|
||||
# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
|
||||
# has not been set. The option value must be a positive integer.
|
||||
#
|
||||
#HASH_FLD_IDX=4
|
||||
|
||||
#
|
||||
# The PKGMGR option tells rkhunter to use the specified package manager
|
||||
# to obtain the file property information. This is used when updating
|
||||
# the file properties file 'rkhunter.dat', and when running the file
|
||||
# properties check. For RedHat/RPM-based systems, 'RPM' can be used
|
||||
# to get information from the RPM database. For Debian-based systems
|
||||
# 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
|
||||
# No value, or a value of 'NONE', indicates that no package manager
|
||||
# is to be used. The default is 'NONE'.
|
||||
#
|
||||
# The current package managers store the file hash values using an
|
||||
# MD5 hash function.
|
||||
#
|
||||
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
|
||||
# The 'RPM' package manager additionally provides values for the inode,
|
||||
# file permissions, uid, gid and other values.
|
||||
#
|
||||
# For any file not part of a package, rkhunter will revert to using
|
||||
# the HASH_FUNC hash function instead.
|
||||
#
|
||||
PKGMGR=RPM
|
||||
|
||||
#
|
||||
# Whitelist various attributes of the specified files.
|
||||
# The attributes are those of the 'attributes' test.
|
||||
# Specifying a file name here does not include it being
|
||||
# whitelisted for the write permission test below.
|
||||
# One command per line (use multiple ATTRWHITELIST lines).
|
||||
#
|
||||
#ATTRWHITELIST=/bin/ps
|
||||
|
||||
#
|
||||
# Allow the specified commands to have the 'others'
|
||||
# (world) permission have the write-bit set.
|
||||
#
|
||||
# For example, files with permissions r-xr-xrwx
|
||||
# or rwxrwxrwx.
|
||||
#
|
||||
# One command per line (use multiple WRITEWHITELIST lines).
|
||||
#
|
||||
#WRITEWHITELIST=/bin/ps
|
||||
|
||||
#
|
||||
# Allow the specified commands to be scripts.
|
||||
# One command per line (use multiple SCRIPTWHITELIST lines).
|
||||
#
|
||||
#SCRIPTWHITELIST=/sbin/ifup
|
||||
#SCRIPTWHITELIST=/sbin/ifdown
|
||||
#SCRIPTWHITELIST=/usr/bin/groups
|
||||
|
||||
#
|
||||
# Allow the specified commands to have the immutable attribute set.
|
||||
# One command per line (use multiple IMMUTWHITELIST lines).
|
||||
#
|
||||
#IMMUTWHITELIST=/sbin/ifup
|
||||
|
||||
#
|
||||
# Allow the specified hidden directories.
|
||||
# One directory per line (use multiple ALLOWHIDDENDIR lines).
|
||||
#
|
||||
ALLOWHIDDENDIR=/dev/.udev
|
||||
ALLOWHIDDENDIR=/dev/.mdadm
|
||||
ALLOWHIDDENDIR=/dev/.systemd
|
||||
ALLOWHIDDENDIR=/dev/.mount
|
||||
ALLOWHIDDENDIR=/dev/.udevdb
|
||||
ALLOWHIDDENDIR=/dev/.udev.tdb
|
||||
ALLOWHIDDENDIR=/dev/.udev/db
|
||||
ALLOWHIDDENDIR=/dev/.udev/rules.d
|
||||
|
||||
#
|
||||
# Allow the specified hidden files.
|
||||
# One file per line (use multiple ALLOWHIDDENFILE lines).
|
||||
#
|
||||
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
|
||||
ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
|
||||
ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
|
||||
ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
|
||||
ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
|
||||
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
|
||||
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
|
||||
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
|
||||
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
|
||||
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
|
||||
ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac
|
||||
ALLOWHIDDENFILE=/dev/.udev/queue.bin
|
||||
ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum
|
||||
|
||||
#
|
||||
# Allow the specified processes to use deleted files.
|
||||
# One process per line (use multiple ALLOWPROCDELFILE lines).
|
||||
#
|
||||
#ALLOWPROCDELFILE=/sbin/cardmgr
|
||||
#ALLOWPROCDELFILE=/usr/sbin/gpm
|
||||
#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
|
||||
#ALLOWPROCDELFILE=/usr/sbin/mysqld
|
||||
|
||||
#
|
||||
# Allow the specified processes to listen on any network interface.
|
||||
# One process per line (use multiple ALLOWPROCLISTEN lines).
|
||||
#
|
||||
#ALLOWPROCLISTEN=/sbin/dhclient
|
||||
#ALLOWPROCLISTEN=/usr/bin/dhcpcd
|
||||
#ALLOWPROCLISTEN=/usr/sbin/pppoe
|
||||
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
|
||||
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
|
||||
#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant
|
||||
|
||||
#
|
||||
# SCAN_MODE_DEV governs how we scan /dev for suspicious files.
|
||||
# The two allowed options are: THOROUGH or LAZY.
|
||||
# If commented out we do a THOROUGH scan which will increase the runtime.
|
||||
# Even though this adds to the running time it is highly recommended to
|
||||
# leave it like this.
|
||||
#
|
||||
#SCAN_MODE_DEV=THOROUGH
|
||||
|
||||
#
|
||||
# Allow the specified files to be present in the /dev directory,
|
||||
# and not regarded as suspicious. One file per line (use multiple
|
||||
# ALLOWDEVFILE lines).
|
||||
#
|
||||
#ALLOWDEVFILE=/dev/abc
|
||||
#ALLOWDEVFILE=/dev/shm/pulse-shm-*
|
||||
ALLOWDEVFILE=/dev/shm/sem.slapd-FEDORAPROJECT-ORG.stats
|
||||
ALLOWDEVFILE=/dev/md/md-device-map
|
||||
ALLOWDEVFILE=/dev/.udev/queue.bin
|
||||
ALLOWDEVFILE=/dev/.udev/db/*
|
||||
ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules
|
||||
ALLOWDEVFILE=/dev/.udev/uevent_seqnum
|
||||
ALLOWDEVFILE=/dev/md/autorebuild.pid
|
||||
|
||||
#
|
||||
# This setting tells rkhunter where the inetd configuration
|
||||
# file is located.
|
||||
#
|
||||
#INETD_CONF_PATH=/etc/inetd.conf
|
||||
|
||||
#
|
||||
# Allow the following enabled inetd services.
|
||||
# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
|
||||
#
|
||||
# Below are some Solaris 9 and 10 services that may want to be whitelisted.
|
||||
#
|
||||
#INETD_ALLOWED_SVC=echo
|
||||
#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd
|
||||
#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto
|
||||
#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd
|
||||
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
|
||||
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
|
||||
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd
|
||||
#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd
|
||||
#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd
|
||||
#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd
|
||||
#INETD_ALLOWED_SVC=/usr/lib/gss/gssd
|
||||
#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader
|
||||
#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd
|
||||
#INETD_ALLOWED_SVC=/network/rpc/mdcomm
|
||||
#INETD_ALLOWED_SVC=/network/rpc/meta
|
||||
#INETD_ALLOWED_SVC=/network/rpc/metamed
|
||||
#INETD_ALLOWED_SVC=/network/rpc/metamh
|
||||
#INETD_ALLOWED_SVC=/network/security/ktkt_warn
|
||||
#INETD_ALLOWED_SVC=/application/x11/xfs
|
||||
#INETD_ALLOWED_SVC=/application/print/rfc1179
|
||||
#INETD_ALLOWED_SVC=/application/font/stfsloader
|
||||
#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
|
||||
#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
|
||||
#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp
|
||||
|
||||
#
|
||||
# This setting tells rkhunter where the xinetd configuration
|
||||
# file is located.
|
||||
#
|
||||
#XINETD_CONF_PATH=/etc/xinetd.conf
|
||||
|
||||
#
|
||||
# Allow the following enabled xinetd services. Whilst it would be
|
||||
# nice to use the service names themselves, at the time of testing
|
||||
# we only have the pathname available. As such, these entries are
|
||||
# the xinetd file pathnames.
|
||||
# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
|
||||
#
|
||||
XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync
|
||||
XINETD_ALLOWED_SVC=/etc/xinetd.d/cvspserver
|
||||
XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp
|
||||
XINETD_ALLOWED_SVC=/etc/xinetd.d/git-server
|
||||
XINETD_ALLOWED_SVC=/etc/xinetd.d/git
|
||||
XINETD_ALLOWED_SVC=/etc/xinetd.d/bzr-server
|
||||
|
||||
#
|
||||
# This setting tells rkhunter the local system startup file pathnames.
|
||||
# More than one file may be present on the system, and so this option
|
||||
# can be a space-separated list. This setting will be worked out by
|
||||
# rkhunter, and so should not usually need to be set.
|
||||
#
|
||||
# If the system uses a directory of local startup scripts, then rather
|
||||
# that setting all the file names here, leave this setting blank, and
|
||||
# specify the directory name in SYSTEM_RC_DIR instead.
|
||||
#
|
||||
# If the system does not use a local startup script at all, then this
|
||||
# setting can be set to 'none'. Without this, rkhunter would give a
|
||||
# warning that no local startup script could be found.
|
||||
#
|
||||
#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit"
|
||||
|
||||
#
|
||||
# This setting tells rkhunter the local system startup file directory.
|
||||
# This setting will be worked out by rkhunter, and so should not usually
|
||||
# need to be set.
|
||||
#
|
||||
#SYSTEM_RC_DIR=/etc/rc.d
|
||||
|
||||
#
|
||||
# This setting tells rkhunter the pathname to the file containing the
|
||||
# user account passwords. This setting will be worked out by rkhunter,
|
||||
# and so should not usually need to be set.
|
||||
#
|
||||
PASSWORD_FILE=/etc/shadow
|
||||
|
||||
#
|
||||
# Allow the following accounts to be root equivalent. These accounts
|
||||
# will have a UID value of zero. This option is a space-separated list
|
||||
# of account names. The 'root' account does not need to be listed as it
|
||||
# is automatically whitelisted.
|
||||
#
|
||||
# Note: For *BSD systems you may need to enable this for the 'toor' account.
|
||||
#
|
||||
#UID0_ACCOUNTS="toor rooty"
|
||||
|
||||
#
|
||||
# Allow the following accounts to have no password. This option is a
|
||||
# space-separated list of account names. NIS/YP entries do not need to
|
||||
# be listed as they are automatically whitelisted.
|
||||
#
|
||||
#PWDLESS_ACCOUNTS="abc"
|
||||
|
||||
#
|
||||
# This setting tells rkhunter the pathname to the syslog configuration
|
||||
# file. This setting will be worked out by rkhunter, and so should not
|
||||
# usually need to be set.
|
||||
#
|
||||
#SYSLOG_CONFIG_FILE=/etc/syslog.conf
|
||||
|
||||
#
|
||||
# This option permits the use of syslog remote logging.
|
||||
#
|
||||
ALLOW_SYSLOG_REMOTE_LOGGING=1
|
||||
|
||||
#
|
||||
# Allow the following applications, or a specific version of an application,
|
||||
# to be whitelisted. This option is a space-separated list consisting of the
|
||||
# application names. If a specific version is to be whitelisted, then the
|
||||
# name must be followed by a colon and then the version number.
|
||||
#
|
||||
# For example: APP_WHITELIST="openssl:0.9.7d gpg"
|
||||
#
|
||||
APP_WHITELIST="sshd:4.3p2 sshd:5.2p1 httpd:2.2.3 httpd:2.2.13 php:5.1.6 named:9.3.6 openssl:0.9.8e php:5.2.6 named:9.3.6-P1"
|
||||
|
||||
#
|
||||
# Scan for suspicious files in directories containing temporary files and
|
||||
# directories posing a relatively higher risk due to user write access.
|
||||
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
|
||||
# producing false positives. Do review all settings before usage.
|
||||
# Also be aware that running suspscan in combination with verbose logging on,
|
||||
# RKH's default, will show all ignored files.
|
||||
# Please consider adding all directories the user the (web)server runs as has
|
||||
# write access to including the document root (example: "/var/www") and log
|
||||
# directories (example: "/var/log/httpd").
|
||||
#
|
||||
# A space-separated list of directories to scan.
|
||||
#
|
||||
SUSPSCAN_DIRS="/tmp /var/tmp"
|
||||
|
||||
#
|
||||
# Directory for temporary files. A memory-based one is better (faster).
|
||||
# Do not use a directory name that is listed in SUSPSCAN_DIRS.
|
||||
# Please make sure you have a tempfs mounted and the directory exists.
|
||||
#
|
||||
SUSPSCAN_TEMP=/dev/shm
|
||||
|
||||
#
|
||||
# Maximum filesize in bytes. Files larger than this will not be inspected.
|
||||
# Do make sure you have enough space left in your temporary files directory.
|
||||
#
|
||||
SUSPSCAN_MAXSIZE=10240000
|
||||
|
||||
#
|
||||
# Score threshold. Below this value no hits will be reported.
|
||||
# A value of "200" seems "good" after testing on malware. Please adjust
|
||||
# locally if necessary.
|
||||
#
|
||||
SUSPSCAN_THRESH=200
|
||||
|
||||
#
|
||||
# The following option can be used to whitelist network ports which
|
||||
# are known to have been used by malware. The option is a space-
|
||||
# separated list of one or more of three types of whitelisting.
|
||||
# These are:
|
||||
#
|
||||
# 1) a 'protocol:port' pair (e.g. TCP:25)
|
||||
# 2) a pathname to an executable (e.g. /usr/sbin/squid)
|
||||
# 3) an asterisk ('*')
|
||||
#
|
||||
# Only the UDP or TCP protocol may be specified, and the port number
|
||||
# must be between 1 and 65535 inclusive.
|
||||
#
|
||||
# The asterisk can be used to indicate that any executable in a trusted
|
||||
# path directory will be whitelisted. A trusted path directory is one which
|
||||
# rkhunter uses to locate commands. It is composed of the root PATH
|
||||
# environment variable, and the BINDIR command-line or configuration
|
||||
# file option.
|
||||
#
|
||||
# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
|
||||
#
|
||||
#PORT_WHITELIST=""
|
||||
|
||||
#
|
||||
# The following option can be used to tell rkhunter where the operating
|
||||
# system 'release' file is located. This file contains information
|
||||
# specifying the current O/S version. RKH will store this information
|
||||
# itself, and check to see if it has changed between each run. If it has
|
||||
# changed, then the user is warned that RKH may issue warning messages
|
||||
# until RKH has been run with the '--propupd' option.
|
||||
#
|
||||
# Since the contents of the file vary according to the O/S distribution,
|
||||
# RKH will perform different actions when it detects the file itself. As
|
||||
# such, this option should not be set unless necessary. If this option is
|
||||
# specified, then RKH will assume the O/S release information is on the
|
||||
# first non-blank line of the file.
|
||||
#
|
||||
# {{ ansible_distribution|lower }}
|
||||
OS_VERSION_FILE=/etc/{{ ansible_distribution|lower }}-release
|
||||
|
||||
#
|
||||
# The following two options can be used to whitelist files and directories
|
||||
# that would normally be flagged with a warning during the rootkit checks.
|
||||
# If the file or directory name contains a space, then the percent character
|
||||
# ('%') must be used instead. Only existing files and directories can be
|
||||
# specified.
|
||||
#
|
||||
#RTKT_DIR_WHITELIST=""
|
||||
#RTKT_FILE_WHITELIST=""
|
||||
|
||||
#
|
||||
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
|
||||
# command, then the following two options can be used. The value must be
|
||||
# set to 'BUILTIN'.
|
||||
#
|
||||
# NOTE: IRIX users will probably need to enable STAT_CMD.
|
||||
#
|
||||
#STAT_CMD=BUILTIN
|
||||
#READLINK_CMD=BUILTIN
|
||||
|
||||
INSTALLDIR=/usr
|
||||
SCRIPTWHITELIST=/usr/bin/whatis
|
||||
SCRIPTWHITELIST=/usr/bin/ldd
|
||||
SCRIPTWHITELIST=/usr/bin/groups
|
||||
SCRIPTWHITELIST=/usr/bin/GET
|
||||
SCRIPTWHITELIST=/sbin/ifup
|
||||
SCRIPTWHITELIST=/sbin/ifdown
|
|
@ -1,11 +0,0 @@
|
|||
# System configuration file for Rootkit Hunter which
|
||||
# stores RPM system specifics for cron run, etc.
|
||||
#
|
||||
# MAILTO= <email address to send scan report>
|
||||
# DIAG_SCAN= no - perform normal report scan
|
||||
# yes - perform detailed report scan
|
||||
# (includes application check)
|
||||
|
||||
MAILTO=smooge@fedoraproject.org,kevin@fedoraproject.org
|
||||
DIAG_SCAN=no
|
||||
|