refactor(pillar): add default pillars for each OS family

saltstack-formulas · May 11, 2019 · 7dd3e18 · 7dd3e18
1 parent d898f10
commit 7dd3e18
Show file tree

Hide file tree

Showing 3 changed files with 248 additions and 73 deletions.
diff --git a/rkhunter/defaults.yaml b/rkhunter/defaults.yaml
@@ -1,38 +1,4 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 ---
-rkhunter:
-  default:
-    cron_daily_run: true
-    cron_db_update: true
-    db_update_email: false
-    report_email: root
-    apt_autogen: true
-    run_check_on_battery: false
-
-  config:
-    mail-on-warning: root
-    logfile: /var/log/rkhunter.log
-    allow_ssh_root_user: without-password
-    allow_ssh_prot_v1: 2
-    tmpdir: /var/lib/rkhunter/tmp
-    dbdir: /var/lib/rkhunter/db
-    scriptdir: /usr/share/rkhunter/scripts
-    installdir: /usr
-    disable_unhide: 1
-    auto_x_detect: 1
-    enable_tests: all
-    disable_tests:
-      - suspscan
-      - hidden_procs
-      - deleted_files
-      - packet_cap_apps
-      - apps
-
-    scriptwhitelist:
-      - /bin/egrep
-      - /bin/fgrep
-      - /bin/which
-      - /usr/bin/groups
-      - /usr/bin/ldd
-      - /usr/sbin/adduser
+rkhunter: {}
diff --git a/rkhunter/osfamilymap.yaml b/rkhunter/osfamilymap.yaml
@@ -5,13 +5,177 @@ Debian:
   package: rkhunter
   default_file: /etc/default/rkhunter
   config_file: /etc/rkhunter.conf
+  default:
+    cron_daily_run: true
+    cron_db_update: true
+    db_update_email: false
+    report_email: root
+    apt_autogen: true
+    run_check_on_battery: false
+  config:
+    mail-on-warning: root
+    logfile: /var/log/rkhunter.log
+    allow_ssh_root_user: without-password
+    allow_ssh_prot_v1: 2
+    tmpdir: /var/lib/rkhunter/tmp
+    dbdir: /var/lib/rkhunter/db
+    scriptdir: /usr/share/rkhunter/scripts
+    installdir: /usr
+    disable_unhide: 1
+    auto_x_detect: 1
+    enable_tests: all
+    disable_tests:
+      - suspscan
+      - hidden_procs
+      - deleted_files
+      - packet_cap_apps
+      - apps
+    scriptwhitelist:
+      - /bin/egrep
+      - /bin/fgrep
+      - /bin/which
+      - /usr/bin/groups
+      - /usr/bin/ldd
+      - /usr/sbin/adduser
 
 RedHat:
   package: rkhunter
   default_file: /etc/sysconfig/rkhunter
   config_file: /etc/rkhunter.conf
+  default:
+    mailto: root@localhost
+    diag_scan: 'no'
+  config:
+    tmpdir: /var/lib/rkhunter
+    dbdir: /var/lib/rkhunter/db
+    scriptdir: /usr/share/rkhunter/scripts
+    logfile: /var/log/rkhunter/rkhunter.log
+    append_log: 1
+    auto_x_detect: 1
+    allow_ssh_root_user: unset
+    allow_ssh_prot_v1: 2
+    enable_tests: ALL
+    disable_tests:
+      - suspscan
+      - hidden_procs
+      - deleted_files
+      - packet_cap_apps
+      - apps
+      - ipc_shared_mem
+    pkgmgr: RPM
+    existwhitelist:
+      - /bin/ad
+      - /var/log/pki-ca/system
+      - /var/log/pki/pki-tomcat/ca/system
+      - /usr/bin/GET
+      - /usr/bin/whatis
+      - /var/log/pki/pki-tomcat/kra/system
+    scriptwhitelist:
+      - /usr/bin/whatis
+      - /usr/bin/ldd
+      - /usr/bin/groups
+      - /usr/bin/GET
+      - /sbin/ifup
+      - /sbin/ifdown
+    allowhiddendir:
+      - /etc/.java
+      - /dev/.udev
+      - /dev/.udevdb
+      - /dev/.udev.tdb
+      - /dev/.static
+      - /dev/.initramfs
+      - /dev/.SRC-unix
+      - /dev/.mdadm
+      - /dev/.systemd
+      - /dev/.mount
+      - /etc/.git
+      - /etc/.bzr
+    allowhiddenfile:
+      - /usr/sbin/.sshd.hmac
+      - "/usr/share/man/man1/..1.gz"
+      - /lib*/.libcrypto.so.*.hmac
+      - /lib*/.libssl.so.*.hmac
+      - /usr/bin/.fipscheck.hmac
+      - /usr/bin/.ssh.hmac
+      - /usr/bin/.ssh-keygen.hmac
+      - /usr/bin/.ssh-keyscan.hmac
+      - /usr/bin/.ssh-add.hmac
+      - /usr/bin/.ssh-agent.hmac
+      - /usr/lib*/.libfipscheck.so.*.hmac
+      - /usr/lib*/.libgcrypt.so.*.hmac
+      - /usr/lib*/hmaccalc/sha1hmac.hmac
+      - /usr/lib*/hmaccalc/sha256hmac.hmac
+      - /usr/lib*/hmaccalc/sha384hmac.hmac
+      - /usr/lib*/hmaccalc/sha512hmac.hmac
+      - /usr/sbin/.sshd.hmac
+      - /dev/.mdadm.map
+      - /usr/share/man/man5/.k5login.5.gz
+      - /usr/share/man/man5/.k5identity.5.gz
+      - /usr/sbin/.ipsec.hmac
+      - /etc/.etckeeper
+      - /etc/.gitignore
+      - /etc/.bzrignore
+      - /etc/.updated
+    allowdevfile:
+      - /dev/shm/qb-attrd-*
+      - /dev/shm/qb-cfg-*
+      - /dev/shm/qb-cib_rw-*
+      - /dev/shm/qb-cib_shm-*
+      - /dev/shm/qb-corosync-*
+      - /dev/shm/qb-cpg-*
+      - /dev/shm/qb-lrmd-*
+      - /dev/shm/qb-pengine-*
+      - /dev/shm/qb-quorum-*
+      - /dev/shm/qb-stonith-*
+      - /dev/shm/pulse-shm-*
+      - /dev/md/md-device-map
+      - "/dev/shm/mono.*"
+      - "/dev/shm/libv4l-*"
+      - "/dev/shm/spice.*"
+      - "/dev/md/autorebuild.pid"
+      - /dev/shm/sem.slapd-*.stats
+      - /dev/shm/squid-cf*
+      - /dev/shm/squid-ssl_session_cache.shm
+    rtkt_file_whitelist:
+      - /bin/ad
+      - /var/log/pki-ca/system
+      - /var/log/pki/pki-tomcat/ca/system
+      - /var/log/pki/pki-tomcat/kra/system
+    installdir: /usr
 
 Suse:
   package: rkhunter
   default_file: /etc/sysconfig/rkhunter
   config_file: /etc/rkhunter.conf
+  default:
+    start_rkhunter: 'yes'
+    run_suseconfig: 'yes'
+    cron_db_update: 'no'
+    pro_update: 'no'
+    nice: 0
+    logfile: /var/log/rkhunter.log
+    report_email: root
+    options: '"--no-mail-on-warning --cronjob --report-warnings-only --append-log --pkgmgr RPM"'
+  config:
+    tmpdir: /var/lib/rkhunter/tmp
+    dbdir: /var/lib/rkhunter/db
+    scriptdir: /usr/lib/rkhunter/scripts
+    logfile: /var/log/rkhunter.log
+    auto_x_detect: 1
+    enable_tests: ALL
+    disable_tests:
+      - suspscan
+      - hidden_ports
+      - hidden_procs
+      - deleted_files
+      - packet_cap_apps
+      - apps
+    pkgmgr: RPM
+    allowhiddendir:
+      - /etc/.java
+      - /dev/.udev
+      - /dev/.udev
+    allowdevfile: /dev/shm/sysconfig/new-stamp-*
+    os_version_file: /etc/os-release
+    installdir: /usr
+    user_fileprop_files_dirs: /etc/rkhunter.conf
diff --git a/test/integration/rkhunter/controls/config_spec.rb b/test/integration/rkhunter/controls/config_spec.rb
@@ -1,48 +1,93 @@
 control 'Rkhunter configuration' do
   title 'should match desired lines'
 
-  describe file('/etc/rkhunter.conf') do
-    # Default config
-    its('content') { should include 'AUTO_X_DETECT=1' }
-    its('content') { should include 'DISABLE_UNHIDE=1' }
-    its('content') { should include 'DBDIR=/var/lib/rkhunter/db' }
-    its('content') { should include 'SCRIPTWHITELIST=/bin/egrep' }
-    its('content') { should include 'SCRIPTWHITELIST=/bin/fgrep' }
-    its('content') { should include 'SCRIPTWHITELIST=/bin/which' }
-    its('content') { should include 'SCRIPTWHITELIST=/usr/bin/groups' }
-    its('content') { should include 'SCRIPTWHITELIST=/usr/bin/ldd' }
-    its('content') { should include 'SCRIPTWHITELIST=/usr/sbin/adduser' }
-    its('content') { should include 'LOGFILE=/var/log/rkhunter.log' }
-    its('content') { should include 'INSTALLDIR=/usr' }
-    its('content') { should include 'ENABLE_TESTS=all' }
-    its('content') { should include 'TMPDIR=/var/lib/rkhunter/tmp' }
-    its('content') { should include 'SCRIPTDIR=/usr/share/rkhunter/scripts' }
-    its('content') { should include "DISABLE_TESTS='suspscan hidden_procs deleted_files packet_cap_apps apps'" }
-
-    # Custom config from pillar
-    its('content') { should include 'ALLOW_SSH_ROOT_USER=yes' }
+  def check_debian
+    describe file('/etc/default/rkhunter') do
+      # Default config
+      its('content') { should include 'APT_AUTOGEN="true"' }
+      its('content') { should include 'REPORT_EMAIL=root' }
+      its('content') { should include 'DB_UPDATE_EMAIL="false"' }
+      its('content') { should include 'CRON_DB_UPDATE="true"' }
+      its('content') { should include 'CRON_DAILY_RUN="true"' }
+
+      # Custom config from pillar
+      its('content') { should include 'RUN_CHECK_ON_BATTERY="true"' }
+    end
+
+    describe file('/etc/rkhunter.conf') do
+      # Default config
+      its('content') { should include 'AUTO_X_DETECT=1' }
+      its('content') { should include 'DISABLE_UNHIDE=1' }
+      its('content') { should include 'DBDIR=/var/lib/rkhunter/db' }
+      its('content') { should include 'SCRIPTWHITELIST=/bin/egrep' }
+      its('content') { should include 'SCRIPTWHITELIST=/bin/fgrep' }
+      its('content') { should include 'SCRIPTWHITELIST=/bin/which' }
+      its('content') { should include 'SCRIPTWHITELIST=/usr/bin/groups' }
+      its('content') { should include 'SCRIPTWHITELIST=/usr/bin/ldd' }
+      its('content') { should include 'SCRIPTWHITELIST=/usr/sbin/adduser' }
+      its('content') { should include 'LOGFILE=/var/log/rkhunter.log' }
+      its('content') { should include 'INSTALLDIR=/usr' }
+      its('content') { should include 'ENABLE_TESTS=all' }
+      its('content') { should include 'TMPDIR=/var/lib/rkhunter/tmp' }
+      its('content') { should include 'SCRIPTDIR=/usr/share/rkhunter/scripts' }
+      its('content') { should include "DISABLE_TESTS='suspscan hidden_procs deleted_files packet_cap_apps apps'" }
+
+      # Custom config from pillar
+      its('content') { should include 'ALLOW_SSH_ROOT_USER=yes' }
+    end
   end
 
-  # Override by OS
-  config =
-    case os[:name]
-    when 'debian'
-      '/etc/default/rkhunter'
-    when 'redhat', 'fedora', 'centos', 'opensuse'
-      '/etc/sysconfig/rkhunter'
-    else
-      '/etc/default/rkhunter'
+  def check_redhat
+    describe file('/etc/sysconfig/rkhunter') do
+      # Default config
+      its('content') { should include 'MAILTO=root@localhost' }
+      its('content') { should include 'DIAG_SCAN=no' }
+    end
+
+    describe file('/etc/rkhunter.conf') do
+      # Default config
+      its('content') { should include 'PKGMGR=RPM' }
+      its('content') { should include 'LOGFILE=/var/log/rkhunter/rkhunter.log' }
+      its('content') { should include 'INSTALLDIR=/usr' }
+      its('content') { should include 'ENABLE_TESTS=ALL' }
+      its('content') { should include 'TMPDIR=/var/lib/rkhunter' }
+      its('content') { should include 'SCRIPTDIR=/usr/share/rkhunter/scripts' }
+      its('content') { should include "DISABLE_TESTS='suspscan hidden_procs deleted_files packet_cap_apps apps ipc_shared_mem'" }
     end
+  end
 
-  describe file(config) do
-    # Default config
-    its('content') { should include 'APT_AUTOGEN="true"' }
-    its('content') { should include 'REPORT_EMAIL=root' }
-    its('content') { should include 'DB_UPDATE_EMAIL="false"' }
-    its('content') { should include 'CRON_DB_UPDATE="true"' }
-    its('content') { should include 'CRON_DAILY_RUN="true"' }
+  def check_suse
+    describe file('/etc/sysconfig/rkhunter') do
+      # Default config
+      its('content') { should include "START_RKHUNTER=yes" }
+      its('content') { should include "RUN_SUSECONFIG=yes" }
+      its('content') { should include "CRON_DB_UPDATE=no" }
+      its('content') { should include "PRO_UPDATE=no" }
+      its('content') { should include "NICE=0" }
+      its('content') { should include "LOGFILE=/var/log/rkhunter.log" }
+      its('content') { should include "REPORT_EMAIL=root" }
+      its('content') { should include 'OPTIONS="--no-mail-on-warning --cronjob --report-warnings-only --append-log --pkgmgr RPM"' }
+    end
 
-    # Custom config from pillar
-    its('content') { should include 'RUN_CHECK_ON_BATTERY="true"' }
+    describe file('/etc/rkhunter.conf') do
+      # Default config
+      its('content') { should include 'PKGMGR=RPM' }
+      its('content') { should include 'LOGFILE=/var/log/rkhunter.log' }
+      its('content') { should include 'INSTALLDIR=/usr' }
+      its('content') { should include 'ENABLE_TESTS=ALL' }
+      its('content') { should include 'TMPDIR=/var/lib/rkhunter' }
+      its('content') { should include 'SCRIPTDIR=/usr/lib/rkhunter/scripts' }
+      its('content') { should include "DISABLE_TESTS='suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps'" }
+    end
+  end
+
+  # Override by OS
+  case os[:name]
+  when 'debian'
+    check_debian
+  when 'redhat', 'fedora', 'centos'
+    check_redhat
+  when 'suse'
+    check_suse
   end
 end