Encryption and major changes
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
DSHELL=/bin/false
|
||||
DHOME=/home
|
||||
GROUPHOMES=no
|
||||
LETTERHOMES=no
|
||||
SKEL=/etc/skel
|
||||
FIRST_SYSTEM_UID=100
|
||||
LAST_SYSTEM_UID=999
|
||||
FIRST_SYSTEM_GID=100
|
||||
LAST_SYSTEM_GID=999
|
||||
FIRST_UID=1000
|
||||
LAST_UID=29999
|
||||
FIRST_GID=1000
|
||||
LAST_GID=29999
|
||||
USERGROUPS=yes
|
||||
USERS_GID=100
|
||||
DIR_MODE=0750
|
||||
SETGID_HOME=no
|
||||
QUOTAUSER=""
|
||||
SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
|
||||
@@ -0,0 +1,6 @@
|
||||
#!/bin/sh
|
||||
if grep -sqo rdrand /proc/cpuinfo; then
|
||||
echo "{ \"rdrand\" : true }"
|
||||
else
|
||||
echo "{ \"rdrand\" : false }"
|
||||
fi
|
||||
@@ -0,0 +1,39 @@
|
||||
#!/bin/sh
|
||||
set -u
|
||||
|
||||
ssh_keys() {
|
||||
HOST="$(hostname -s)"
|
||||
TMPFILE="$(mktemp)"
|
||||
I=0
|
||||
|
||||
{
|
||||
echo "{ \"keys\": {"
|
||||
find -L /etc/ssh /home/*/.ssh /root /Users/*/.ssh \( -name '*.pub' -o -name 'authorized_keys*' \) -type f 2>/dev/null |\
|
||||
while read -r SSHFILE; do
|
||||
grep -vE '^#|^$' "${SSHFILE}" | while read -r SSHKEY; do
|
||||
KEYINFO="$(echo "${SSHKEY}" | ssh-keygen -lf -)"
|
||||
KEYSTAT="$(stat -c "%Y %U %G %u %g %a" "${SSHFILE}")"
|
||||
KEYFILE="\"file\" : \"${SSHFILE}\""
|
||||
KEYSIZE="\"size\" : $(echo "${KEYINFO}" | awk '{print $1}')"
|
||||
KEYHASH="\"hash\" : \"$(echo "${KEYINFO}" | awk '{print $2}')\""
|
||||
KEYTYPE="\"type\" : \"$(echo "${KEYINFO}" | awk '{print $NF}' | tr -d '()')\""
|
||||
KEYCOMMENT="\"comment\" : \"$(echo "${KEYINFO}" | awk '{$1=$2=$NF="";print}' | sed -e "s/^ *//" -e "s/ *$//")\""
|
||||
FILEMODEPOCH="\"modified_epoch\" : $(echo "${KEYSTAT}" | awk '{print $1}')"
|
||||
FILEMODHUMAN="\"modified_human\" : \"$(stat -c "%y" "${SSHFILE}")\""
|
||||
FILEOWNERNAME="\"user_name\" : \"$(echo "${KEYSTAT}" | awk '{print $2}')\""
|
||||
FILEGROUPNAME="\"group_name\" : \"$(echo "${KEYSTAT}" | awk '{print $3}')\""
|
||||
FILEOWNERID="\"user_id\" : $(echo "${KEYSTAT}" | awk '{print $4}')"
|
||||
FILEGROUPID="\"group_id\" : $(echo "${KEYSTAT}" | awk '{print $5}')"
|
||||
FILEPERM="\"permissions\": $(echo "${KEYSTAT}" | awk '{print $6}')"
|
||||
echo "\"${HOST}_${I}\": { ${KEYFILE}, ${KEYSIZE}, ${KEYHASH}, ${KEYCOMMENT}, ${KEYTYPE}, ${FILEMODEPOCH}, ${FILEMODHUMAN}, ${FILEOWNERNAME}, ${FILEGROUPNAME}, ${FILEOWNERID}, ${FILEGROUPID}, ${FILEPERM} },"
|
||||
done
|
||||
I=$((I + 1))
|
||||
done
|
||||
echo "} }"
|
||||
} > "${TMPFILE}"
|
||||
|
||||
grep -v '^#' "${TMPFILE}" | tr '\n' ' ' | sed 's/ }, } }/ } } }/g'
|
||||
rm "${TMPFILE}"
|
||||
}
|
||||
|
||||
ssh_keys
|
||||
@@ -0,0 +1,6 @@
|
||||
#!/bin/sh
|
||||
if command -v systemctl 1>/dev/null; then
|
||||
echo "{ \"version\" : $(systemctl --version | grep '^systemd\s' | awk '{print $2}') }"
|
||||
else
|
||||
echo "{ \"version\" : false }"
|
||||
fi
|
||||
@@ -0,0 +1,352 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# Remove any existing rules
|
||||
-D
|
||||
|
||||
# Buffer Size
|
||||
-b 8192
|
||||
|
||||
# Report errors
|
||||
-c
|
||||
|
||||
# Failure Mode
|
||||
-f {{ auditd_mode|int }}
|
||||
|
||||
# File and directory access
|
||||
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/bin -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/etc -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/home -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/root -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/sbin -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/srv -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/tmp -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/usr/bin -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F dir=/var -F success=0 -k access
|
||||
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/root -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/tmp -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k access
|
||||
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
|
||||
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
|
||||
|
||||
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=-1 -S execve -k actions
|
||||
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=-1 -S execve -k actions
|
||||
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k actions
|
||||
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=-1 -k actions
|
||||
|
||||
# su and sudo
|
||||
-w /bin/su -p x -k actions
|
||||
-w /etc/sudoers -p wa -k actions
|
||||
-w /etc/sudoers.d -p wa -k actions
|
||||
-w /usr/bin/sudo -p x -k actions
|
||||
|
||||
-a always,exit -S all -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin-user-home
|
||||
|
||||
# Apparmor configuration and tools
|
||||
-w /etc/apparmor -p wa -k apparmor
|
||||
-w /etc/apparmor.d -p wa -k apparmor
|
||||
-w /sbin/apparmor_parser -p x -k apparmor-tools
|
||||
-w /usr/sbin/aa-complain -p x -k apparmor-tools
|
||||
-w /usr/sbin/aa-disable -p x -k apparmor-tools
|
||||
-w /usr/sbin/aa-enforce -p x -k apparmor-tools
|
||||
|
||||
# Auditd configuration
|
||||
-w /etc/audisp -p wa -k audispconfig
|
||||
-w /etc/audit -p wa -k auditconfig
|
||||
-w /etc/libaudit.conf -p wa -k auditconfig
|
||||
-w /var/log/audit -p rwxa -k auditlog
|
||||
-w /sbin/auditctl -p x -k audittools
|
||||
-w /sbin/auditd -p x -k audittools
|
||||
|
||||
# Cron
|
||||
-w /etc/cron.allow -p wa -k cron
|
||||
-w /etc/cron.d -p wa -k cron
|
||||
-w /etc/cron.daily -p wa -k cron
|
||||
-w /etc/cron.deny -p wa -k cron
|
||||
-w /etc/cron.hourly -p wa -k cron
|
||||
-w /etc/cron.monthly -p wa -k cron
|
||||
-w /etc/cron.weekly -p wa -k cron
|
||||
-w /etc/crontab -p wa -k cron
|
||||
-w /var/spool/cron/crontabs -p rwxa -k cron
|
||||
|
||||
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
|
||||
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
|
||||
|
||||
# Docker configuration and tools
|
||||
-a exit,always -F path=/var/lib/docker -F perm=war -k docker
|
||||
-w /etc/default/docker -p rwxa -k docker
|
||||
-w /etc/docker -p rwxa -k docker
|
||||
-w /etc/sysconfig/docker -p rwxa -k docker
|
||||
-w /etc/sysconfig/docker-network -p rwxa -k docker
|
||||
-w /etc/sysconfig/docker-registry -p rwxa -k docker
|
||||
-w /etc/sysconfig/docker-storage -p rwxa -k docker
|
||||
-w /etc/systemd/system/docker-registry.service -p rwxa -k docker
|
||||
-w /etc/systemd/system/docker.service -p rwxa -k docker
|
||||
-w /lib/systemd/system/docker-registry.service -p rwxa -k docker
|
||||
-w /lib/systemd/system/docker.service -p rwxa -k docker
|
||||
-w /lib/systemd/system/docker.socket -p rwxa -k docker
|
||||
-w /usr/bin/containerd -p rwxa -k docker
|
||||
-w /usr/bin/containerd-shim -p rwxa -k docker
|
||||
-w /usr/bin/containerd-shim-runc-v1 -p rwxa -k docker
|
||||
-w /usr/bin/containerd-shim-runc-v2 -p rwxa -k docker
|
||||
-w /usr/bin/ctr -p rwxa -k docker
|
||||
-w /usr/bin/docker -p rwxa -k docker
|
||||
-w /usr/bin/docker-containerd -p rwxa -k docker
|
||||
-w /usr/bin/docker-containerd-ctr -p rwxa -k docker
|
||||
-w /usr/bin/docker-containerd-shim -p rwxa -k docker
|
||||
-w /usr/bin/docker-init -p rwxa -k docker
|
||||
-w /usr/bin/docker-proxy -p rwxa -k docker
|
||||
-w /usr/bin/docker-runc -p rwxa -k docker
|
||||
-w /usr/bin/dockerd -p rwxa -k docker
|
||||
-w /usr/bin/dockerd-ce -p rwxa -k docker
|
||||
-w /usr/bin/rootlesskit -p rwxa -k docker
|
||||
-w /usr/bin/rootlesskit-docker-proxy -p rwxa -k docker
|
||||
-w /usr/bin/runc -p rwxa -k docker
|
||||
-w /usr/lib/systemd/system/docker-registry.service -p rwxa -k docker
|
||||
-w /usr/lib/systemd/system/docker.service -p rwxa -k docker
|
||||
-w /usr/sbin/runc -p rwxa -k docker
|
||||
-w /var/run/docker.sock -p rwxa -k docker
|
||||
|
||||
# Group modifications
|
||||
-w /etc/group -p wa -k group-modification
|
||||
-w /etc/gshadow -p wa -k group-modification
|
||||
-w /etc/passwd -p wa -k group-modification
|
||||
-w /etc/security/opasswd -p wa -k group-modification
|
||||
-w /etc/shadow -p wa -k group-modification
|
||||
-w /usr/sbin/addgroup -p x -k group-modification
|
||||
-w /usr/sbin/groupadd -p x -k group-modification
|
||||
-w /usr/sbin/groupmod -p x -k group-modification
|
||||
|
||||
# Startup scripts
|
||||
-w /etc/init -p wa -k init
|
||||
-w /etc/init.d -p wa -k init
|
||||
-w /etc/inittab -p wa -k init
|
||||
|
||||
# Library lookup paths
|
||||
-w /etc/ld.so.conf -p wa -k libpath
|
||||
-w /etc/ld.so.conf.d/ -p wa -k libpath
|
||||
|
||||
# Local time
|
||||
-w /etc/localtime -p wa -k localtime
|
||||
|
||||
# Login monitoring
|
||||
-w /etc/login.defs -p wa -k login
|
||||
-w /etc/securetty -p wa -k login
|
||||
-w /var/log/faillog -p wa -k login
|
||||
-w /var/log/lastlog -p wa -k login
|
||||
-w /var/log/tallylog -p wa -k login
|
||||
-w /var/run/faillock -p wa -k login
|
||||
|
||||
# SELinux configuration
|
||||
-w /etc/selinux -p wa -k mac-policy
|
||||
|
||||
# Postfix configuration
|
||||
-w /etc/aliases -p wa -k mail
|
||||
-w /etc/postfix -p wa -k mail
|
||||
|
||||
# Kernel module configuration and tools
|
||||
-w /etc/modprobe.conf -p wa -k modprobe
|
||||
-w /etc/modprobe.d -p wa -k modprobe
|
||||
-w /etc/modules -p wa -k modprobe
|
||||
-a always,exit -F arch=b32 -S finit_module -k modules
|
||||
-a always,exit -F arch=b32 -S init_module -k modules
|
||||
-a always,exit -F arch=b64 -S finit_module -k modules
|
||||
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
|
||||
-w /bin/kmod -p x -k modules
|
||||
-w /sbin/insmod -p x -k modules
|
||||
-w /sbin/modprobe -p x -k modules
|
||||
-w /sbin/rmmod -p x -k modules
|
||||
-w /usr/bin/kmod -p x -k modules
|
||||
-w /usr/sbin/insmod -p x -k modules
|
||||
-w /usr/sbin/modprobe -p x -k modules
|
||||
-w /usr/sbin/rmmod -p x -k modules
|
||||
|
||||
# Mounts
|
||||
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -k mounts
|
||||
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k mounts
|
||||
|
||||
# Network configuration
|
||||
-w /etc/hosts -p wa -k network-config
|
||||
-w /etc/issue -p wa -k network-config
|
||||
-w /etc/issue.net -p wa -k network-config
|
||||
-w /etc/netplan -p wa -k network-config
|
||||
-w /etc/network -p wa -k network-config
|
||||
-w /etc/sysconfig/network -p wa -k network-config
|
||||
|
||||
# PAM configuration
|
||||
-w /etc/pam.d -p wa -k pam
|
||||
-w /etc/security/limits.conf -p wa -k pam
|
||||
-w /etc/security/namespace.conf -p wa -k pam
|
||||
-w /etc/security/namespace.init -p wa -k pam
|
||||
-w /etc/security/pam_env.conf -p wa -k pam
|
||||
|
||||
# Password modifications
|
||||
-w /usr/bin/passwd -p x -k passwd-modification
|
||||
|
||||
# Power state
|
||||
-w /sbin/halt -p x -k power
|
||||
-w /sbin/poweroff -p x -k power
|
||||
-w /sbin/reboot -p x -k power
|
||||
-w /sbin/shutdown -p x -k power
|
||||
|
||||
# Use of privileged commands
|
||||
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/bin/ntfs-3g -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/cgexec -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/mlocate -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/traceroute6.iputils -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/lib/snapd/snap-confine -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/fping -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/fping6 -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/pam-tmpdir-helper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/usernetct -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
-a always,exit -F path=/usr/sbin/vlock-main -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
|
||||
|
||||
#
|
||||
-w /var/log/btmp -p wa -k session
|
||||
-w /var/log/wtmp -p wa -k session
|
||||
-w /var/run/utmp -p wa -k session
|
||||
|
||||
# Special files
|
||||
-a always,exit -F arch=b32 -S mknod,mknodat -k specialfiles
|
||||
-a always,exit -F arch=b64 -S mknod,mknodat -k specialfiles
|
||||
|
||||
# sshd configuration
|
||||
-w /etc/ssh/sshd_config -p rwxa -k sshd
|
||||
-w /etc/ssh/sshd_config.d/ -p rwxa -k sshd
|
||||
|
||||
# Kernel modification
|
||||
-w /etc/sysctl.conf -p wa -k sysctl
|
||||
-w {{ sysctl_conf_dir }}/zz-hardening.conf -p wa -k sysctl
|
||||
|
||||
# Hostname changes
|
||||
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
|
||||
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
|
||||
|
||||
# systemd configuration and tools
|
||||
-w /etc/systemd -p wa -k systemd
|
||||
-w /lib/systemd -p wa -k systemd
|
||||
-w /bin/journalctl -p x -k systemd-tools
|
||||
-w /bin/systemctl -p x -k systemd-tools
|
||||
|
||||
# Time modification
|
||||
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
|
||||
-a always,exit -F arch=b32 -S clock_settime -k time-change
|
||||
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
|
||||
-a always,exit -F arch=b64 -S clock_settime -k time-change
|
||||
-w /etc/localtime -p wa -k time-change
|
||||
-w /etc/timezone -p wa -k time-changezone
|
||||
|
||||
# /tmp directories
|
||||
-w /tmp -p wxa -k tmp
|
||||
-w /var/tmp -p wxa -k tmp
|
||||
|
||||
# User modification
|
||||
-w /usr/sbin/adduser -p x -k user-modification
|
||||
-w /usr/sbin/useradd -p x -k user-modification
|
||||
-w /usr/sbin/usermod -p x -k user-modification
|
||||
|
||||
-e 2
|
||||
@@ -0,0 +1,9 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
CRON_DAILY_RUN="yes"
|
||||
CRON_DB_UPDATE=""
|
||||
DB_UPDATE_EMAIL="false"
|
||||
REPORT_EMAIL="root"
|
||||
APT_AUTOGEN="yes"
|
||||
NICE="0"
|
||||
RUN_CHECK_ON_BATTERY="false"
|
||||
@@ -0,0 +1,4 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
SHELL=/bin/false
|
||||
INACTIVE=30
|
||||
@@ -0,0 +1,4 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
sshd : ALL : ALLOW
|
||||
ALL: LOCAL, 127.0.0.1
|
||||
@@ -0,0 +1,3 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
ALL: ALL
|
||||
@@ -0,0 +1,6 @@
|
||||
|
||||
By accessing this system, you consent to the following conditions:
|
||||
- This system is for authorized use only.
|
||||
- Any or all uses of this system and all files on this system may be monitored.
|
||||
- Communications using, or data stored on, this system are not private.
|
||||
|
||||
@@ -0,0 +1,36 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
CHFN_RESTRICT rwh
|
||||
DEFAULT_HOME no
|
||||
ENCRYPT_METHOD SHA512
|
||||
ENV_PATH PATH=/usr/local/bin:/usr/sbin:/usr/bin:/bin:/snap/bin
|
||||
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
|
||||
ERASECHAR 0177
|
||||
FAILLOG_ENAB yes
|
||||
FTMP_FILE /var/log/btmp
|
||||
GID_MAX 60000
|
||||
GID_MIN 1000
|
||||
HUSHLOGIN_FILE .hushlogin
|
||||
KILLCHAR 025
|
||||
LOGIN_RETRIES 5
|
||||
LOGIN_TIMEOUT 60
|
||||
LOG_OK_LOGINS yes
|
||||
LOG_UNKFAIL_ENAB no
|
||||
MAIL_DIR /var/mail
|
||||
PASS_MAX_DAYS 60
|
||||
PASS_MIN_DAYS 1
|
||||
{% if ansible_distribution == "CentOS" %}
|
||||
PASS_MIN_LEN 15
|
||||
{% endif %}
|
||||
PASS_WARN_AGE 7
|
||||
SHA_CRYPT_MAX_ROUNDS 65536
|
||||
SHA_CRYPT_MIN_ROUNDS 10000
|
||||
SU_NAME su
|
||||
SYSLOG_SG_ENAB yes
|
||||
SYSLOG_SU_ENAB yes
|
||||
TTYGROUP tty
|
||||
TTYPERM 0600
|
||||
UID_MAX 60000
|
||||
UID_MIN 1000
|
||||
UMASK {{ umask_value }}
|
||||
USERGROUPS_ENAB no
|
||||
@@ -0,0 +1,17 @@
|
||||
# {{ ansible_managed }}
|
||||
# CCE-80195-1
|
||||
|
||||
daily
|
||||
{% if ansible_distribution == 'Ubuntu' %}
|
||||
su root syslog
|
||||
{% endif %}
|
||||
rotate 7
|
||||
create
|
||||
dateext
|
||||
compress
|
||||
|
||||
compresscmd /usr/bin/xz
|
||||
uncompresscmd /usr/bin/unxz
|
||||
compressext .xz
|
||||
|
||||
include /etc/logrotate.d
|
||||
@@ -0,0 +1,6 @@
|
||||
|
||||
By accessing this system, you consent to the following conditions:
|
||||
- This system is for authorized use only.
|
||||
- Any or all uses of this system and all files on this system may be monitored.
|
||||
- Communications using, or data stored on, this system are not private.
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
|
||||
account requisite pam_deny.so
|
||||
account required pam_permit.so
|
||||
{% if faillock.matched >= 1 %}
|
||||
account required pam_faillock.so
|
||||
{% else %}
|
||||
account required pam_tally2.so
|
||||
{% endif %}
|
||||
@@ -0,0 +1,14 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
{% if faillock.matched >= 1 %}
|
||||
auth required pam_faillock.so preauth
|
||||
auth [success=1 default=ignore] pam_unix.so
|
||||
auth [default=die] pam_faillock.so authfail
|
||||
auth sufficient pam_faillock.so authsucc
|
||||
{% else %}
|
||||
auth [success=1 default=ignore] pam_unix.so
|
||||
auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=900
|
||||
{% endif %}
|
||||
auth requisite pam_deny.so
|
||||
auth required pam_permit.so
|
||||
auth optional pam_cap.so
|
||||
@@ -0,0 +1,11 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
password requisite pam_pwquality.so retry=3
|
||||
{% if ansible_os_family == 'Debian' %}
|
||||
password required pam_pwhistory.so use_authtok remember=5
|
||||
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 rounds=65536
|
||||
{% else %}
|
||||
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 rounds=65536 remember=5
|
||||
{% endif %}
|
||||
password requisite pam_deny.so
|
||||
password required pam_permit.so
|
||||
@@ -0,0 +1,33 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
auth optional pam_faildelay.so delay=4000000
|
||||
|
||||
{% if (ansible_distribution_major_version < '11' and ansible_distribution == "Debian") or ansible_distribution == "Ubuntu" %}
|
||||
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||
{% endif %}
|
||||
|
||||
auth requisite pam_nologin.so
|
||||
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
session required pam_loginuid.so
|
||||
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
@include common-auth
|
||||
|
||||
auth optional pam_group.so
|
||||
|
||||
session required pam_limits.so
|
||||
|
||||
session optional pam_lastlog.so showfailed
|
||||
|
||||
session optional pam_mail.so standard
|
||||
|
||||
session optional pam_keyinit.so force revoke
|
||||
|
||||
@include common-account
|
||||
@include common-session
|
||||
@include common-password
|
||||
@@ -0,0 +1,8 @@
|
||||
#!/bin/bash
|
||||
# {{ ansible_managed }}
|
||||
|
||||
if [[ $EUID -eq 0 ]]; then
|
||||
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
|
||||
else
|
||||
export PATH=/usr/local/bin:/usr/sbin:/usr/bin:/bin:/snap/bin
|
||||
fi
|
||||
@@ -0,0 +1,6 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
* hard maxlogins 10
|
||||
* hard core 0
|
||||
* soft nproc {{ limit_nproc_soft }}
|
||||
* hard nproc {{ limit_nproc_hard }}
|
||||
@@ -0,0 +1,13 @@
|
||||
# {{ ansible_managed }}
|
||||
{% if ssh_config_d.stat.exists and ssh_config_d.stat.isdir %}
|
||||
Include /etc/ssh/ssh_config.d/*.conf
|
||||
{% endif %}
|
||||
|
||||
Host *
|
||||
Ciphers {{ sshd_ciphers }}
|
||||
GSSAPIAuthentication {{ sshd_gssapi_authentication }}
|
||||
HashKnownHosts yes
|
||||
HostKeyAlgorithms {{ sshd_host_key_algorithms }}
|
||||
KexAlgorithms {{ sshd_kex_algorithms }}
|
||||
MACs {{ sshd_macs }}
|
||||
RekeyLimit {{ sshd_rekey_limit }}
|
||||
@@ -0,0 +1,41 @@
|
||||
# {{ ansible_managed }}
|
||||
AcceptEnv {{ sshd_accept_env }}
|
||||
AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
|
||||
AllowGroups {{ sshd_allow_groups }}
|
||||
AllowTcpForwarding {{ sshd_allow_tcp_forwarding }}
|
||||
AuthenticationMethods {{ sshd_authentication_methods }}
|
||||
Banner {{ sshd_banner }}
|
||||
ChallengeResponseAuthentication {{ sshd_challenge_response_authentication }}
|
||||
Ciphers {{ sshd_ciphers }}
|
||||
ClientAliveCountMax {{ sshd_client_alive_count_max|int }}
|
||||
ClientAliveInterval {{ sshd_client_alive_interval|int }}
|
||||
Compression {{ sshd_compression }}
|
||||
GSSAPIAuthentication {{ sshd_gssapi_authentication }}
|
||||
HostbasedAuthentication {{ sshd_hostbased_authentication }}
|
||||
HostKeyAlgorithms {{ sshd_host_key_algorithms }}
|
||||
IgnoreUserKnownHosts {{ sshd_ignore_user_known_hosts }}
|
||||
KerberosAuthentication {{ sshd_kerberos_authentication }}
|
||||
KexAlgorithms {{ sshd_kex_algorithms }}
|
||||
LoginGraceTime {{ sshd_login_grace_time|int }}
|
||||
LogLevel {{ sshd_log_level }}
|
||||
Macs {{ sshd_macs }}
|
||||
MaxAuthTries {{ sshd_max_auth_tries|int }}
|
||||
MaxSessions {{ sshd_max_sessions|int }}
|
||||
MaxStartups {{ sshd_max_startups }}
|
||||
PasswordAuthentication {{ sshd_password_authentication }}
|
||||
PermitEmptyPasswords {{ sshd_permit_empty_passwords }}
|
||||
PermitRootLogin {{ sshd_permit_root_login }}
|
||||
PermitUserEnvironment {{ sshd_permit_user_environment }}
|
||||
Port {{ sshd_port|int }}
|
||||
PrintLastLog {{ sshd_print_last_log }}
|
||||
PrintMotd {{ sshd_print_motd }}
|
||||
RekeyLimit {{ sshd_rekey_limit }}
|
||||
{% if ssh_installed_version is version('9.1', '>') %}
|
||||
RequiredRSASize {{ sshd_required_rsa_size }}
|
||||
{% endif %}
|
||||
StrictModes {{ sshd_strict_modes }}
|
||||
Subsystem {{ sshd_subsystem }}
|
||||
TCPKeepAlive {{ sshd_tcp_keep_alive }}
|
||||
UseDNS {{ sshd_use_dns }}
|
||||
UsePAM {{ sshd_use_pam }}
|
||||
X11Forwarding {{ sshd_x11_forwarding }}
|
||||
@@ -0,0 +1,5 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Coredump]
|
||||
Storage=none
|
||||
ProcessSizeMax=0
|
||||
@@ -0,0 +1,6 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Journal]
|
||||
Storage=persistent
|
||||
ForwardToSyslog=yes
|
||||
Compress=yes
|
||||
@@ -0,0 +1,8 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Login]
|
||||
KillUserProcesses=1
|
||||
KillExcludeUsers=root
|
||||
IdleAction=lock
|
||||
IdleActionSec=15min
|
||||
RemoveIPC=yes
|
||||
@@ -0,0 +1,9 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Resolve]
|
||||
DNS={{ dns }}
|
||||
FallbackDNS={{ fallback_dns }}
|
||||
DNSSEC={{ dnssec }}
|
||||
{% if ansible_local.systemd.version|int >= 239 %}
|
||||
DNSOverTLS={{ dns_over_tls }}
|
||||
{% endif %}
|
||||
@@ -0,0 +1,9 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Manager]
|
||||
DumpCore=no
|
||||
CrashShell=no
|
||||
CtrlAltDelBurstAction=none
|
||||
DefaultLimitCORE=0
|
||||
DefaultLimitNOFILE={{ limit_nofile_hard }}
|
||||
DefaultLimitNPROC={{ limit_nproc_hard }}
|
||||
@@ -0,0 +1,8 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Time]
|
||||
NTP={{ ntp }}
|
||||
FallbackNTP={{ fallback_ntp }}
|
||||
{% if ansible_local.systemd.version|int >= 236 %}
|
||||
RootDistanceMaxSec=1
|
||||
{% endif %}
|
||||
@@ -0,0 +1,17 @@
|
||||
[Unit]
|
||||
Description=Temporary Directory /tmp
|
||||
Documentation=man:file-hierarchy(7)
|
||||
ConditionPathIsSymbolicLink=!/tmp
|
||||
DefaultDependencies=no
|
||||
Conflicts=umount.target
|
||||
Before=local-fs.target umount.target
|
||||
After=swap.target
|
||||
|
||||
[Mount]
|
||||
What=tmpfs
|
||||
Where=/tmp
|
||||
Type=tmpfs
|
||||
Options=mode=1777,strictatime,nodev,noexec,nosuid
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,6 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Manager]
|
||||
DefaultLimitCORE=0
|
||||
DefaultLimitNOFILE={{ limit_nofile_hard }}
|
||||
DefaultLimitNPROC={{ limit_nproc_hard }}
|
||||
@@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=Aide Check
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
{% if ansible_os_family == 'Debian' %}
|
||||
ExecStart=/usr/bin/aide --check --config /etc/aide/aide.conf
|
||||
{% else %}
|
||||
ExecStart=/usr/sbin/aide --check
|
||||
{% endif %}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,9 @@
|
||||
[Unit]
|
||||
Description=Aide check every day at midnight
|
||||
|
||||
[Timer]
|
||||
OnCalendar=*-*-* 00:00:00
|
||||
Unit=aidecheck.service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user