From 132ab39b9bfd5283d0452c6972f5af235bdc92bf Mon Sep 17 00:00:00 2001
From: Stephen Gran
Date: Sun, 22 Feb 2009 13:56:49 +0100
Subject: [PATCH] First pass at this.
Signed-off-by: Stephen Gran
---
 fileserver.conf | 17 +
 manifests/site.pp | 5 +
 modules/munin-node/files/munin-node.conf | 36 ++
 modules/munin-node/manifests/init.pp | 19 +
 modules/samhain/files/samhainrc | 728 +++++++++++++++++++++++
 modules/samhain/manifests/init.pp | 19 +
 puppet.conf | 10 +
 7 files changed, 834 insertions(+)
 create mode 100644 fileserver.conf
 create mode 100644 manifests/site.pp
 create mode 100644 modules/munin-node/files/munin-node.conf
 create mode 100644 modules/munin-node/manifests/init.pp
 create mode 100644 modules/samhain/files/samhainrc
 create mode 100644 modules/samhain/manifests/init.pp
 create mode 100644 puppet.conf
diff --git a/fileserver.conf b/fileserver.conf
new file mode 100644
index 00000000..19cccda2
--- /dev/null
+++ b/fileserver.conf
@@ -0,0 +1,17 @@
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Define a section 'files'
+# Adapt the allow/deny settings to your needs. Order
+# for allow/deny does not matter, allow always takes precedence
+# over deny
+[files]
+ path /etc/puppet/files
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
+
+[plugins]
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
diff --git a/manifests/site.pp b/manifests/site.pp
new file mode 100644
index 00000000..24c67361
--- /dev/null
+++ b/manifests/site.pp
@@ -0,0 +1,5 @@
+node default {
+ include ntp
+ include munin-node
+}
+
diff --git a/modules/munin-node/files/munin-node.conf b/modules/munin-node/files/munin-node.conf
new file mode 100644
index 00000000..3c8ab751
--- /dev/null
+++ b/modules/munin-node/files/munin-node.conf
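Review bot: Both mounts in fileserver.conf ship with every `allow` line commented out, so which agents may fetch from `/etc/puppet/files` and the plugins mount is left to the fileserver's default policy rather than stated in the file. An explicit `allow` scoped to the agent hosts or management network records the intended audience and cannot be widened by a change in the default; uncomment and adapt `allow *.example.com` (or the CIDR form) to the real fleet. The `[plugins]` mount carries no `path`, unlike `[files]`; if that is intentional for the special plugins mount, a one-line comment saying so would stop it being read as an omission.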
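Review bot: `node default` includes `ntp`, which no file in this commit defines, and does not include `samhain`, which `modules/samhain/manifests/init.pp` does define, so as committed the host-IDS module is never applied and catalog compilation depends on an `ntp` module living elsewhere. If samhain is meant to run on every node, add `include samhain` to the default node; otherwise the samhain module added at the end of this patch is dead code. The same point applies to the `class samhain` hunk, so it is raised only here.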
@@ -0,0 +1,36 @@
+#
+# Example config-file for munin-node
+#
+
+log_level 4
+log_file /var/log/munin/munin-node.log
+port 4949
+pid_file /var/run/munin/munin-node.pid
+background 1
+setseid 1
+
+# Which port to bind to;
+host *
+user root
+group root
+setsid yes
+
+# Regexps for files to ignore
+
+ignore_file ~$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+
+# Set this if the client doesn't report the correct hostname when
+# telnetting to localhost, port 4949
+#
+#host_name localhost.localdomain
+
+# A list of addresses that are allowed to connect. This must be a
+# regular expression, due to brain damage in Net::Server, which
+# doesn't understand CIDR-style network notation. You may repeat
+# the allow line as many times as you'd like
+
+allow ^192\.25\.206\.57$
diff --git a/modules/munin-node/manifests/init.pp b/modules/munin-node/manifests/init.pp
new file mode 100644
index 00000000..7f464ba7
--- /dev/null
+++ b/modules/munin-node/manifests/init.pp
@@ -0,0 +1,19 @@
+class munin-node {
+
+ package { munin-node: ensure => latest }
+
+ file { "/etc/munin/munin-node.conf":
+ owner => root,
+ group => root,
+ mode => 664,
+ source => "puppet:///munin-node/munin-node.conf",
+ require => Package["munin-node"],
+ notify => Exec["munin-node restart"],
+ }
+
+ exec { "munin-node restart":
+ path => "/etc/init.d/",
+ refreshonly => true,
+ }
+}
+
diff --git a/modules/samhain/files/samhainrc b/modules/samhain/files/samhainrc
new file mode 100644
index 00000000..b5de4b4b
--- /dev/null
+++ b/modules/samhain/files/samhainrc
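Review bot: `setseid 1` near the top of munin-node.conf is a misspelling of `setsid`, and the option is set again below as `setsid yes`; the misspelled line is at best ignored by the parser and at worst rejected, so it should be dropped. Separately, `host *` binds the node on every interface while the single `allow ^192\.25\.206\.57$` line admits one master; on a single-homed host, pinning `host` to the address the master reaches keeps port 4949 off the other interfaces, and the comment above it, `# Which port to bind to;`, describes the address rather than the port and could read `# Address to bind to; the master is the only allowed client`.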
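Review bot: `mode => 664` makes `/etc/munin/munin-node.conf` group-writable although it is owned by `root:root` and holds the node's `allow` list; `mode => 644` is sufficient and matches the read-only intent the samhain module in this commit expresses with `444`. The exec title `munin-node restart` is also resolved against `path => "/etc/init.d/"`, which only works while the init script keeps that exact name; an explicit `command => "/etc/init.d/munin-node restart"` makes the dependency visible.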
@@ -0,0 +1,728 @@
+#####################################################################
+#
+# Configuration file template for samhain.
+#
+#####################################################################
+#
+# -- empty lines and lines starting with '#', ';' or '//' are ignored
+# -- boolean options can be Yes/No or True/False or 1/0
+# -- you can PGP clearsign this file -- samhain will check (if compiled
+# with support) or otherwise ignore the signature
+# -- CHECK mail address
+#
+# To each log facility, you can assign a threshold severity. Only
+# reports with at least the threshold severity will be logged
+# to the respective facility (even further below).
+#
+#####################################################################
+#
+# SETUP for file system checking:
+#
+# (i) There are several policies, each has its own section. Put files
+# into the section for the appropriate policy (see below).
+# (ii) Section [EventSeverity]:
+# To each policy, you can assign a severity (further below).
+# (iii) Section [Log]:
+# To each log facility, you can assign a threshold severity. Only
+# reports with at least the threshold severity will be logged
+# to the respective facility (even further below).
+#
+#####################################################################
+
+#####################################################################
+#
+# Files are defined with: file = /absolute/path
+#
+# Directories are defined with: dir = /absolute/path
+# or with an optional recursion depth (N <= 99): dir = N/absolute/path
+#
+# Directory inodes are checked. 
If you only want to check files
+# in a directory, but not the directory inode itself, use (e.g.):
+#
+# [ReadOnly]
+# dir = /some/directory
+# [IgnoreAll]
+# file = /some/directory
+#
+# You can use shell-style globbing patterns, like: file = /path/foo*
+#
+######################################################################
+
+[Misc]
+##
+## Add or subtract tests from the policies
+## - if you want to change their definitions,
+## you need to do that before using the policies
+##
+# RedefReadOnly = (no default)
+# RedefAttributes=(no default)
+# RedefLogFiles=(no default)
+# RedefGrowingLogFiles=(no default)
+# RedefIgnoreAll=(no default)
+# RedefIgnoreNone=(no default)
+# RedefUser0=(no default)
+# RedefUser1=(no default)
+
+[Attributes]
+##
+## for these files, only changes in permissions and ownership are checked
+##
+file=/etc/mtab
+file=/etc/ssh_random_seed
+file=/etc/asound.conf
+file=/etc/resolv.conf
+file=/etc/localtime
+file=/etc/ioctl.save
+file=/etc/passwd.backup
+file=/etc/shadow.backup
+file=/etc/postfix/prng_exch
+file=/etc/adjtime
+file=/etc/lvm/.cache
+file=/etc/network/run/ifstate
+file=/var/state/samhain/samhain_file
+file=/etc/bind/db.debian.net
+file=/etc/exim4/bsmtp
+
+# We handle these files with puppet - please to not be bothering us
+file=/etc/samhain/samhainrc
+file=/etc/munin/munin-node.conf
+
+#
+# There are files in /etc that might change, thus changing the directory
+# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
+#
+file=/etc
+file=/etc/ssh
+file=/etc/network/run
+file=/etc/bind
+
+# These are the directories for the files we handle with puppet
+file=/etc/samhain/
+file=/etc/munin/
+
+[LogFiles]
+##
+## for these files, changes in signature, timestamps, and size are ignored
+##
+file=/var/run/utmp
+file=/etc/motd
+
+
+
+#####################################################################
+#
+# This would be the proper syntax for parts that should only be
+# included for certain hosts. 
+# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
+# result still has the proper syntax for the config file.
+# You may have any number of @HOSTNAME/@end brackets.
+# HOSTNAME should be the fully qualified 'official' name
+# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
+# No IP number - except if samhain cannot determine the
+# fully qualified hostname.
+#
+# @HOSTNAME
+# file=/foo/bar
+# @end
+#
+# These are two examples for conditional inclusion/exclusion
+# of a machine based on the output from 'uname -srm'
+#
+# $Linux:2.*.7:i666
+# file=/foo/bar3
+# $end
+#
+# !$Linux:2.*.7:i686
+# file=/foo/bar2
+# $end
+#
+#####################################################################
+
+[GrowingLogFiles]
+##
+## for these files, changes in signature, timestamps, and increase in size
+## are ignored
+##
+file=/var/log/warn
+file=/var/log/messages
+file=/var/log/wtmp
+file=/var/log/faillog
+file=/var/log/auth.log
+file=/var/log/daemon.log
+file=/var/log/user.log
+file=/var/log/kern.log
+file=/var/log/syslog
+
+
+[IgnoreAll]
+##
+## for these files, no modifications are reported
+##
+## This file might be created or removed by the system sometimes.
+##
+file=/etc/resolv.conf.pcmcia.save
+file=/etc/nologin
+file=/etc/postfix/debian.db
+file=/etc/postfix/debian
+file=/etc/ssh/ssh_known_hosts
+file=/etc/ssh/ssh-rsa-shadow
+file=/var/lib/misc/ssh-rsa-shadow
+file=/etc/.da-backup.trace
+file=/etc/postfix/debianhosts
+file=/etc/postfix/debianhosts.db
+
+[IgnoreNone]
+##
+## for these files, all modifications (even access time) are reported
+## - you may create some interesting-looking file (like /etc/safe_passwd),
+## just to watch whether someone will access it ... 
+##
+
+[Prelink]
+##
+## Use for prelinked files or directories holding them
+##
+
+
+[ReadOnly]
+##
+## for these files, only access time is ignored
+##
+dir=/usr/bin
+dir=/bin
+dir=/boot
+#
+# SuSE (old) has the boot init scripts in /sbin/init.d/*,
+# so we go 3 levels deep
+#
+dir=3/sbin
+dir=/usr/sbin
+dir=/lib
+dir=3/usr/lib
+#
+# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*,
+# so we go 3 levels deep there too
+#
+dir=3/etc
+
+# Various directories / files that may include / be SUID/SGID binaries
+#
+#
+file=/usr/lib/pt_chown
+# X11, in Debian X7 this is now a symlink
+#dir=/usr/X11R6/bin
+#dir=/usr/X11R6/lib/X11/xmcd/bin
+# Apache:
+#file=/usr/lib/apache/suexec
+#file=/usr/lib/apache/suexec.disabled
+# Extra directories:
+#dir=/opt/gnome/bin
+#dir=/opt/kde/bin
+
+[User0]
+[User1]
+## User0 and User1 are sections for files/dirs with user-definable checking
+## (see the manual)
+
+
+[EventSeverity]
+##
+## Here you can assign severities to policy violations.
+## If this severity exceeds the treshold of a log facility (see below),
+## a policy violation will be logged to that facility.
+##
+## Severity for verification failures.
+##
+# SeverityReadOnly=crit
+# SeverityLogFiles=crit
+# SeverityGrowingLogs=crit
+# SeverityIgnoreNone=crit
+# SeverityAttributes=crit
+# SeverityUser0=crit
+# SeverityUser1=crit
+
+# Default behaviour
+SeverityReadOnly=crit
+SeverityLogFiles=crit
+SeverityGrowingLogs=warn
+SeverityIgnoreNone=crit
+SeverityAttributes=crit
+
+
+##
+## We have a file in IgnoreAll that might or might not be present.
+## Setting the severity to 'info' prevents messages about deleted/new file. 
+##
+# SeverityIgnoreAll=crit
+SeverityIgnoreAll=info
+
+## Files : file access problems
+# SeverityFiles=crit
+
+## Dirs : directory access problems
+# SeverityDirs=crit
+
+## Names : suspect (non-printable) characters in a pathname
+# SeverityNames=crit
+
+# Default behaviour
+SeverityFiles=crit
+SeverityDirs=crit
+SeverityNames=warn
+
+
+[Log]
+##
+## Switch on/OFF log facilities and set their threshold severity
+##
+## Values: debug, info, notice, warn, mark, err, crit, alert, none.
+## 'mark' is used for timestamps.
+##
+##
+## Use 'none' to SWITCH OFF a log facility
+##
+## By default, everything equal to and above the threshold is logged.
+## The specifiers '*', '!', and '=' are interpreted as
+## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
+## at least on Linux). Examples:
+## MailSeverity=*
+## MailSeverity=!warn
+## MailSeverity==crit
+
+## E-mail
+##
+# MailSeverity=none
+
+## Console
+##
+# PrintSeverity=info
+
+## Logfile
+##
+# LogSeverity=mark
+
+## Syslog
+##
+# SyslogSeverity=none
+
+## Remote server (yule)
+##
+# ExportSeverity=none
+
+## External script or program
+##
+# ExternalSeverity = none
+
+## Logging to a database
+##
+# DatabaseSeverity = none
+
+# Default behaviour
+MailSeverity=crit
+PrintSeverity=none
+LogSeverity=info
+SyslogSeverity=alert
+ExportSeverity=none
+
+
+
+
+
+#####################################################
+#
+# Optional modules
+#
+#####################################################
+
+# [SuidCheck]
+##
+## --- Check the filesystem for SUID/SGID binaries
+##
+
+## Switch on
+#
+# SuidCheckActive = yes
+
+## Interval for check (seconds)
+#
+# SuidCheckInterval = 7200
+
+## Alternative: crontab-like schedule
+#
+# SuidCheckSchedule = NULL
+
+## Directory to exclude
+#
+# SuidCheckExclude = NULL
+
+## Limit on files per second (0 == no limit)
+#
+# SuidCheckFps = 0
+
+## Alternative: yield after every file
+#
+# SuidCheckYield = no
+
+## Severity of a detection
+#
+# SeveritySuidCheck = crit
+
+## Quarantine SUID/SGID files if found
+#
+# SuidCheckQuarantineFiles = yes
+
+## Method for Quarantining files:
+# 0 - Delete or truncate the file.
+# 1 - Remove SUID/SGID permissions from file.
+# 2 - Move SUID/SGID file to quarantine dir.
+#
+# SuidCheckQuarantineMethod = 0
+
+## For method 1 and 3, really delete instead of truncating
+#
+# SuidCheckQuarantineDelete = yes
+
+# [Kernel]
+##
+## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
+##
+
+## Switch on/off
+#
+KernelCheckActive = True
+
+## Check interval (seconds); btw., the check is VERY fast
+#
+# KernelCheckInterval = 300
+
+## Severity
+#
+# SeverityKernel = crit
+
+
+# [Utmp]
+##
+## --- Logging of login/logout events
+##
+
+## Switch on/off
+#
+LoginCheckActive = True
+
+## Severity for logins, multiple logins, logouts
+#
+# SeverityLogin=info
+# SeverityLoginMulti=warn
+# SeverityLogout=info
+
+## Interval for login/logout checks
+#
+# LoginCheckInterval = 300
+
+
+# [Database]
+##
+## --- Logging to a relational database
+##
+
+## Database name
+#
+# SetDBName = samhain
+
+## Database table
+#
+# SetDBTable = log
+
+## Database user
+#
+# SetDBUser = samhain
+
+## Database password
+#
+# SetDBPassword = (default: none)
+
+## Database host
+#
+# SetDBHost = localhost
+
+## Log the server timestamp for received messages
+#
+# SetDBServerTstamp = True
+
+## Use a persistent connection
+#
+# UsePersistent = True
+
+# [External]
+##
+## Interface to call external scripts/programs for logging
+##
+
+## The absolute path to the command
+## - Each invocation of this directive will end the definition of the
+## preceding command, and start the definition of
+## an additional, new command
+#
+# OpenCommand = (no default)
+
+## Type (log or rv)
+## - log for log messages, srv for messages received by the server
+#
+# SetType = log
+
+## The command (full command line) to execute
+#
+# SetCommandLine = (no default)
+
+## The environment (KEY=value; repeat for more)
+#
+# SetEnviron = 
TZ=(your timezone)
+
+## The TIGER192 checksum (optional)
+#
+# SetChecksum = (no default)
+
+## User who runs the command
+#
+# SetCredentials = (default: samhain process uid)
+
+## Words not allowed in message
+#
+# SetFilterNot = (none)
+
+## Words required (ALL of them)
+#
+# SetFilterAnd = (none)
+
+## Words required (at least one)
+#
+# SetFilterOr = (none)
+
+## Deadtime between consecutive calls
+#
+# SetDeadtime = 0
+
+## Add default environment (HOME, PATH, SHELL)
+#
+# SetDefault = no
+
+
+#####################################################
+#
+# Miscellaneous configuration options
+#
+#####################################################
+
+[Misc]
+
+## whether to become a daemon process
+## (this is not honoured on database initialisation)
+#
+# Daemon = no
+Daemon = yes
+
+## whether to test signature of files (init/check/none)
+## - if 'none', then we have to decide this on the command line -
+#
+# ChecksumTest = none
+ChecksumTest=check
+
+## whether to drop linux capabilities that are not required
+## - will make a root process a 'mere mortal' in many respects
+#
+# UseCaps = yes
+
+## Set nice level (-19 to 19, see 'man nice'),
+## and I/O limit (kilobytes per second; 0 == off)
+## to reduce load on host.
+#
+# SetNiceLevel = 0
+# SetIOLimit = 0
+
+## The version string to embed in file signature databases
+#
+# VersionString = NULL
+
+## Interval between time stamp messages
+#
+# SetLoopTime = 60
+SetLoopTime = 600
+
+## Interval between file checks
+#
+# SetFileCheckTime = 600
+SetFileCheckTime = 7200
+
+## Alternative: crontab-like schedule
+#
+# FileCheckScheduleOne = NULL
+
+## Alternative: crontab-like schedule(2)
+#
+# FileCheckScheduleTwo = NULL
+
+## Report only once on modified fles
+## Setting this to 'FALSE' will generate a report for any policy
+## violation (old and new ones) each time the daemon checks the file system. 
+#
+# ReportOnlyOnce = True
+
+## Report in full detail
+#
+# ReportFullDetail = False
+
+## Report file timestamps in local time rather than GMT
+#
+# UseLocalTime = No
+
+## The console device (can also be a file or named pipe)
+## - There are two console devices. Accordingly, you can use
+## this directive a second time to set the second console device.
+## If you have not defined the second device at compile time,
+## and you don't want to use it, then:
+## setting it to /dev/null is less effective than just leaving
+## it alone (setting to /dev/null will waste time by opening
+## /dev/null and writing to it)
+#
+# SetConsole = /dev/console
+
+## Activate the SysV IPC message queue
+#
+# MessageQueueActive = False
+
+
+## If false, skip reverse lookup when connecting to a host known
+## by name rather than IP address (i.e. trust the DNS)
+#
+# SetReverseLookup = True
+
+## --- E-Mail ---
+
+# Only highest-level (alert) reports will be mailed immediately,
+# others will be queued. Here you can define, when the queue will
+# be flushed (Note: the queue is automatically flushed after
+# completing a file check).
+#
+SetMailTime = 86400
+
+## Maximum number of mails to queue
+#
+SetMailNum = 10
+
+## Recipient (max. 8)
+#
+SetMailAddress=samhain-reports@debian.org
+
+## Mail relay (IP address)
+#
+SetMailRelay = master.debian.org
+
+## Custom subject format
+#
+MailSubject = [Samhain at %H] %T: %S
+
+## --- end E-Mail ---
+
+## Path to the prelink executable
+#
+# SetPrelinkPath = /usr/sbin/prelink
+
+## TIGER192 checksum of the prelink executable
+#
+# SetPrelinkChecksum = (no default)
+
+
+## Path to the executable. If set, will be checksummed after startup
+## and before exit. 
+#
+# SamhainPath = (no default)
+
+
+## The IP address of the log server
+#
+# SetLogServer = (default: compiled-in)
+
+## The IP address of the time server
+#
+# SetTimeServer = (default: compiled-in)
+
+## Trusted Users (comma delimited list of user names)
+#
+# TrustedUser = (no default; this adds to the compiled-in list)
+
+## Path to the file signature database
+#
+# SetDatabasePath = (default: compiled-in)
+
+## Path to the log file
+#
+# SetLogfilePath = (default: compiled-in)
+
+## Path to the PID file
+#
+# SetLockPath = (default: compiled-in)
+
+
+## The digest/checksum/hash algorithm
+#
+# DigestAlgo = TIGER192
+
+
+## Custom format for message header.
+## CAREFUL if you use XML logfile format.
+##
+## %S severity
+## %T timestamp
+## %C class
+##
+## %F source file
+## %L source line
+#
+# MessageHeader="%S %T "
+
+
+## Don't log path to config/database file on startup
+#
+# HideSetup = False
+
+## The syslog facility, if you log to syslog
+#
+# SyslogFacility = LOG_AUTHPRIV
+SyslogFacility=LOG_LOCAL2
+
+## The message authentication method
+## - If you change this, you *must* change it
+## on client *and* server
+#
+# MACType = HMAC-TIGER
+
+
+## everything below is ignored
+[EOF]
+
+#####################################################################
+# This would be the proper syntax for parts that should only be
+# included for certain hosts.
+# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
+# result still has the proper syntax for the config file.
+# You may have any number of @HOSTNAME/@end brackets.
+# HOSTNAME should be the fully qualified 'official' name
+# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
+# No IP number - except if samhain cannot determine the
+# fully qualified hostname. 
+#
+# @HOSTNAME
+# file=/foo/bar
+# @end
+#
+# These are two examples for conditional inclusion/exclusion
+# of a machine based on the output from 'uname -srm'
+# $Linux:2.*.7:i666
+# file=/foo/bar3
+# $end
+#
+# !$Linux:2.*.7:i686
+# file=/foo/bar2
+# $end
+#
+#####################################################################
diff --git a/modules/samhain/manifests/init.pp b/modules/samhain/manifests/init.pp
new file mode 100644
index 00000000..5a56fbe0
--- /dev/null
+++ b/modules/samhain/manifests/init.pp
@@ -0,0 +1,19 @@
+class samhain {
+
+ package { samhain: ensure => latest }
+
+ file { "/etc/samhain/samhainrc":
+ owner => root,
+ group => root,
+ mode => 444,
+ source => "puppet:///samhain/samhainrc",
+ require => Package["samhain"],
+ notify => Exec["samhain reload"],
+ }
+
+ exec { "samhain reload":
+ path => "/etc/init.d/",
+ refreshonly => true,
+ }
+}
+
diff --git a/puppet.conf b/puppet.conf
new file mode 100644
index 00000000..01e92a1a
--- /dev/null
+++ b/puppet.conf
@@ -0,0 +1,10 @@
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+pluginsync=true
+
+[puppetmasterd]
+templatedir=/var/lib/puppet/templates
-- 
2.39.2
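Review bot: Listing `/etc/samhain/samhainrc` and `/etc/munin/munin-node.conf` under `[Attributes]` means samhain reports only permission and ownership changes for them, so an edit to the IDS's own policy file or to the munin `allow` list between puppet runs produces no samhain alert; the puppet `file` resources with `source` will restore the content on the next run, but the tampering itself goes unreported. Consider keeping both under `[ReadOnly]` and accepting one notification per legitimate puppet-driven change, or at least state the trade-off where the exception is made. The comment `# We handle these files with puppet - please to not be bothering us` could read `# Managed by puppet: content changes are deliberately not checked here, only attributes`. The enclosing `[Attributes]` section begins on an earlier physical line of this hunk.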