Compare commits
2 commits
ec72f75587
...
d288c9ecfa
Author | SHA1 | Date | |
---|---|---|---|
Hoang Nguyen | d288c9ecfa | ||
Hoang Nguyen | 9e12ff1ffb |
@ -1,14 +1,19 @@
|
||||||
---
|
---
|
||||||
- name: auditd | Copy configuration and rules
|
- name: auditd | Copy auditd configuration
|
||||||
copy:
|
copy:
|
||||||
src: '{{ item }}'
|
src: auditd.conf
|
||||||
dest: /etc/audit/{{ item }}
|
dest: /etc/audit/auditd.conf
|
||||||
|
mode: '644'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: auditd | Copy audit rules
|
||||||
|
template:
|
||||||
|
src: audit.rules.j2
|
||||||
|
dest: /etc/audit/audit.rules
|
||||||
mode: '644'
|
mode: '644'
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
loop:
|
|
||||||
- auditd.conf
|
|
||||||
- audit.rules
|
|
||||||
|
|
||||||
- name: auditd | Copy daily cron job to rotate audit log
|
- name: auditd | Copy daily cron job to rotate audit log
|
||||||
copy:
|
copy:
|
||||||
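Review bot: Both new tasks install `/etc/audit/auditd.conf` and `/etc/audit/audit.rules` with `mode: '644'`, which leaves the audit configuration and the full rule set world-readable; hardening baselines expect audit configuration files to be 0640 or stricter, and a readable rule set tells any local user exactly which syscalls, paths and exempt uids are (not) being watched. Change both to `mode: '0640'` (root:root is already set). Neither task carries a `notify:`, so a changed rule template is written to disk but not loaded until auditd is restarted or the rules are re-read — add `notify:` for whichever auditd restart/reload handler the role defines, or say in a comment why it is intentionally omitted. Note also that on hosts where auditd is started via augenrules, `/etc/audit/audit.rules` is regenerated from `/etc/audit/rules.d/`, in which case this template should target `rules.d` instead; I cannot tell from the hunk which mode this role targets.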
@ -52,6 +52,12 @@
|
||||||
## This is not very interesting and wastes a lot of space if the server is public facing
|
## This is not very interesting and wastes a lot of space if the server is public facing
|
||||||
-a always,exclude -F msgtype=CRYPTO_KEY_USER
|
-a always,exclude -F msgtype=CRYPTO_KEY_USER
|
||||||
|
|
||||||
|
# This prevents ntpd daemons from overwhelming the logs
|
||||||
|
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=ntp
|
||||||
|
{% if ntp_client == 'chrony' %}
|
||||||
|
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
## High Volume Event Filter (especially on Linux Workstations)
|
## High Volume Event Filter (especially on Linux Workstations)
|
||||||
-a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
|
-a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
|
||||||
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
|
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
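Review bot: The new `-a never,exit ... -S adjtimex -F uid=ntp` exclusions only take effect if they come before the rule they are meant to suppress, because auditd evaluates exit-filter rules in order and stops at the first match; this hunk sits at line 52 in the "high volume" filter section, so if the rule set's time-change rule (`-S adjtimex ... -k time-change`, conventionally near the top) precedes it, these lines are dead and ntpd/chrony noise is still logged. Move the block above the time-change rules, or verify placement with `auditctl -l` on a host. Also document the trade-off in the template, since the effect is that clock changes by the daemon account are never audited, even from a compromised daemon: `# NOTE: adjtimex by the unattended ntp/chrony service account (auid=unset) is deliberately not audited to keep volume down; interactive users remain covered.` Only `arch=b64` is excluded, so a 32-bit daemon build would still be logged — probably fine, but worth stating.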
@ -15,7 +15,7 @@
|
||||||
|
|
||||||
- name: essential | Install common dependencies
|
- name: essential | Install common dependencies
|
||||||
community.general.apk:
|
community.general.apk:
|
||||||
name: zstd, dbus, terminus-font, shadow-login
|
name: zstd, dbus, font-terminus, shadow-login
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: essential | Enable logging and unicode support for openrc
|
- name: essential | Enable logging and unicode support for openrc
|
||||||
@ -9,13 +9,29 @@ pool {{ pool }} iburst
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% for server in ntp_opts.servers %}
|
{% for server in ntp_opts.servers %}
|
||||||
server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts{% endif %}
|
server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts
|
||||||
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
# Verify time with more sources than 1
|
# From ntpd/ntpd.c
|
||||||
tos maxclock 7
|
# /*
|
||||||
|
# * ...
|
||||||
|
# *
|
||||||
|
# * With 2 working servers:
|
||||||
|
# * if they don't agree, you can't tell which one is correct
|
||||||
|
# * With 3 working servers, 2 can outvote a falseticker
|
||||||
|
# * With 4 servers, you still have 3 if one is down.
|
||||||
|
# */
|
||||||
tos minsane 4
|
tos minsane 4
|
||||||
|
|
||||||
|
# minclock should be greater than minsane
|
||||||
|
tos minclock 5
|
||||||
|
|
||||||
|
# minclock + 2 (or 3) + number of pools
|
||||||
|
# Also should be an odd number
|
||||||
|
{% set maxclock = 8 + (ntp_opts.pools | length) %}
|
||||||
|
tos maxclock {{ (maxclock | int %2 == 0) | ternary(maxclock + 1, maxclock) | int }}
|
||||||
|
|
||||||
# Exchange time with everybody, but don't allow configuration.
|
# Exchange time with everybody, but don't allow configuration.
|
||||||
# This is the right security setup for 99% of deployments.
|
# This is the right security setup for 99% of deployments.
|
||||||
restrict default kod limited nomodify noquery
|
restrict default kod limited nomodify noquery
|
||||||
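Review bot: Moving `{% endif %}` onto its own line fixes the nts-enabled case but breaks the disabled one under Ansible's default `trim_blocks`: `{%- if` strips the whitespace before it, the skipped `if` body contains the only newline, and the `{% endif %}` block tag then eats the newline after itself, so successive `server` entries are rendered on one line (`server a iburstserver b iburst`) and ntpd will reject the config. Replace the two lines with a single variable expression, which is not subject to block trimming: `server {{ server }} iburst{{ ' nts' if ntp_opts.nts_enabled | bool else '' }}`. This assumes the role does not override `trim_blocks: no` on the template task; if it does, the current form merely emits a stray newline. The `tos maxclock` expression is fine as written, since the filter binds tighter than `%`.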