fix(logcheck): updated patch for debian-12/ubuntu-24, few missing var…

…iables aide/auditd/lkrg/sshd crypto
juju4 · Nov 23, 2024 · 4e46358 · 4e46358
1 parent 0902cbc
commit 4e46358
Show file tree

Hide file tree

Showing 14 changed files with 58 additions and 6 deletions.
diff --git a/files/patch-logcheck-replace2 b/files/patch-logcheck-replace2
@@ -0,0 +1,12 @@
+--- logcheck.orig	2024-11-21 21:40:15.264264647 +0000
++++ logcheck	2024-11-21 21:45:17.978301439 +0000
+@@ -780,7 +780,8 @@
+ # First sort the logs to remove duplicate lines (including from different logfiles with
+ # the same lines) to reduce CPU and memory usage.
+ debug "Sorting logs"
+-$SORT "$TMPDIR/logoutput"/* | sed -e 's/[[:space:]]\+$//' > "$TMPDIR/logoutput-sorted" \
++$SORT "$TMPDIR/logoutput"/* | sed -e 's/[[:space:]]\+$//' \
++		| sed -f /etc/logcheck/logcheck.replace > "$TMPDIR/logoutput-sorted" \
+ 		|| error "Could not save sorted log content to $TMPDIR/logoutput-sorted"
+ debug "After sorting, we have the following log entries to check" "$TMPDIR/logoutput-sorted"
+
diff --git a/tasks/debian-logcheck.yml b/tasks/debian-logcheck.yml
@@ -83,7 +83,7 @@
   block:
     - name: Patch logcheck to do replacement
       ansible.posix.patch:
-        src: patch-logcheck-replace
+        src: "{{ harden_logcheck_patch }}"
         dest: /usr/sbin/logcheck
         remote_src: no
         backup: "{{ harden_backup | default(false) }}"

diff --git a/vars/Debian-10.yml b/vars/Debian-10.yml
@@ -80,6 +80,8 @@ harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh
 
 sshd_validate: 'sshd -f %s -T -C user=nobody -C host=localhost -C addr=localhost'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 aptconf_unattended: /etc/apt/apt.conf.d/50unattended-upgrades
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available

diff --git a/vars/Debian-11.yml b/vars/Debian-11.yml
@@ -1,10 +1,13 @@
 ---
 
 ssh_svc: ssh
-aide_bin: aide.wrapper
+aide_bin: aide
+aide_conf: /etc/aide/aide.conf
+aide_args_v: --log-level info
 aide_hids_cron_patch: patch-cron.daily-aide2
 aide_hids_crondaily: cron.daily-aide-22.j2
 immutable_testfile: /etc/init.d/sudo
+auditd_pkg: auditd
 
 harden_pkg:
   - openssh-server
@@ -74,12 +77,14 @@ harden_services_containers:
   - psacct
   - auditd
 
-harden_sshd_crypto_kex: 'curve25519-sha256@libssh.org'
+harden_sshd_crypto_kex: 'sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
 harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
 
 sshd_validate: 'sshd -f %s -T -C user=nobody -C host=localhost -C addr=localhost'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 aptconf_unattended: /etc/apt/apt.conf.d/50unattended-upgrades
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available
@@ -99,5 +104,10 @@ build_dev_tools:
   - g++
   - make
 
+lkrg_dep_pkgs:
+  - "linux-headers-{{ ansible_kernel }}"
+  - make
+  - gcc
+
 inspec_url: https://packages.chef.io/files/stable/inspec/4.18.39/ubuntu/18.04/inspec_4.18.39-1_amd64.deb
 inspec_hash: 'sha256:303a8dbe90dfa45857dd315ad3f970ddd528a46efcd25bf27dc5affd03e35005'
diff --git a/vars/Debian-12.yml b/vars/Debian-12.yml
@@ -1,10 +1,13 @@
 ---
 
 ssh_svc: ssh
-aide_bin: aide.wrapper
+aide_bin: aide
+aide_conf: /etc/aide/aide.conf
+aide_args_v: --log-level info
 aide_hids_cron_patch: patch-cron.daily-aide2
 aide_hids_crondaily: cron.daily-aide-22.j2
 immutable_testfile: /etc/init.d/sudo
+auditd_pkg: auditd
 
 harden_pkg:
   - openssh-server
@@ -33,7 +36,7 @@ harden_pkg:
   # - update-notifier-common
   - gnupg
   # - gnupg-curl
-  - libpam-cracklib
+  # - libpam-cracklib
   - debsums
   # - apt-show-versions
   - lynis
@@ -74,12 +77,14 @@ harden_services_containers:
   - psacct
   - auditd
 
-harden_sshd_crypto_kex: 'curve25519-sha256@libssh.org'
+harden_sshd_crypto_kex: 'sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
 harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
 
 sshd_validate: 'sshd -f %s -T -C user=nobody -C host=localhost -C addr=localhost'
 
+harden_logcheck_patch: patch-logcheck-replace2
+
 aptconf_unattended: /etc/apt/apt.conf.d/50unattended-upgrades
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available
@@ -99,5 +104,10 @@ build_dev_tools:
   - g++
   - make
 
+lkrg_dep_pkgs:
+  - "linux-headers-{{ ansible_kernel }}"
+  - make
+  - gcc
+
 inspec_url: https://packages.chef.io/files/stable/inspec/4.18.39/ubuntu/18.04/inspec_4.18.39-1_amd64.deb
 inspec_hash: 'sha256:303a8dbe90dfa45857dd315ad3f970ddd528a46efcd25bf27dc5affd03e35005'
diff --git a/vars/Debian-8.yml b/vars/Debian-8.yml
@@ -67,6 +67,8 @@ harden_sshd_crypto_kex: 'curve25519-sha256@libssh.org'
 harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available
 

diff --git a/vars/Debian-9.yml b/vars/Debian-9.yml
@@ -73,6 +73,8 @@ harden_sshd_crypto_kex: 'curve25519-sha256@libssh.org'
 harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 aptconf_unattended: /etc/apt/apt.conf.d/50unattended-upgrades
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available

diff --git a/vars/Ubuntu-12.04.yml b/vars/Ubuntu-12.04.yml
@@ -70,6 +70,8 @@ harden_sshd_crypto_kex: 'diffie-hellman-group-exchange-sha256'
 harden_sshd_crypto_cipher: 'aes256-ctr,aes192-ctr,aes128-ctr'
 harden_sshd_crypto_mac: 'hmac-sha2-512,hmac-sha2-256'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf.d
 

diff --git a/vars/Ubuntu-14.04.yml b/vars/Ubuntu-14.04.yml
@@ -71,6 +71,8 @@ harden_sshd_crypto_kex: 'curve25519-sha256@libssh.org'
 harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,umac-128@openssh.com'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/monitrc.d
 

diff --git a/vars/Ubuntu-16.04.yml b/vars/Ubuntu-16.04.yml
@@ -75,6 +75,8 @@ harden_sshd_crypto_kex: 'curve25519-sha256@libssh.org'
 harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available
 

diff --git a/vars/Ubuntu-18.04.yml b/vars/Ubuntu-18.04.yml
@@ -79,6 +79,8 @@ harden_sshd_crypto_kex: 'curve25519-sha256@libssh.org'
 harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available
 

diff --git a/vars/Ubuntu-20.04.yml b/vars/Ubuntu-20.04.yml
@@ -83,6 +83,8 @@ harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
 sshd_validate: 'sshd -f %s -T -C user=nobody -C host=localhost -C addr=localhost'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available
 

diff --git a/vars/Ubuntu-22.04.yml b/vars/Ubuntu-22.04.yml
@@ -79,6 +79,8 @@ harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
 sshd_validate: 'sshd -f %s -T -C user=nobody -C host=localhost -C addr=localhost'
 
+harden_logcheck_patch: patch-logcheck-replace
+
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available
 

diff --git a/vars/Ubuntu-24.04.yml b/vars/Ubuntu-24.04.yml
@@ -79,6 +79,8 @@ harden_sshd_crypto_cipher: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
 harden_sshd_crypto_mac: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
 sshd_validate: 'sshd -f %s -T -C user=nobody -C host=localhost -C addr=localhost'
 
+harden_logcheck_patch: patch-logcheck-replace2
+
 monitrc: /etc/monit/monitrc
 monit_confdir: /etc/monit/conf-available