Compare commits
2 commits
ec72f75587
...
d288c9ecfa
Author | SHA1 | Date | |
---|---|---|---|
d288c9ecfa | |||
9e12ff1ffb |
4 changed files with 37 additions and 10 deletions
|
@ -1,14 +1,19 @@
|
|||
---
|
||||
- name: auditd | Copy configuration and rules
|
||||
- name: auditd | Copy auditd configuration
|
||||
copy:
|
||||
src: '{{ item }}'
|
||||
dest: /etc/audit/{{ item }}
|
||||
src: auditd.conf
|
||||
dest: /etc/audit/auditd.conf
|
||||
mode: '644'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: auditd | Copy audit rules
|
||||
template:
|
||||
src: audit.rules.j2
|
||||
dest: /etc/audit/audit.rules
|
||||
mode: '644'
|
||||
owner: root
|
||||
group: root
|
||||
loop:
|
||||
- auditd.conf
|
||||
- audit.rules
|
||||
|
||||
- name: auditd | Copy daily cron job to rotate audit log
|
||||
copy:
|
||||
|
|
|
@ -52,6 +52,12 @@
|
|||
## This is not very interesting and wastes a lot of space if the server is public facing
|
||||
-a always,exclude -F msgtype=CRYPTO_KEY_USER
|
||||
|
||||
# This prevents ntpd daemons from overwhelming the logs
|
||||
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=ntp
|
||||
{% if ntp_client == 'chrony' %}
|
||||
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony
|
||||
{% endif %}
|
||||
|
||||
## High Volume Event Filter (especially on Linux Workstations)
|
||||
-a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
|
||||
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
|
|
@ -15,7 +15,7 @@
|
|||
|
||||
- name: essential | Install common dependencies
|
||||
community.general.apk:
|
||||
name: zstd, dbus, terminus-font, shadow-login
|
||||
name: zstd, dbus, font-terminus, shadow-login
|
||||
state: present
|
||||
|
||||
- name: essential | Enable logging and unicode support for openrc
|
||||
|
|
|
@ -9,13 +9,29 @@ pool {{ pool }} iburst
|
|||
{% endfor %}
|
||||
|
||||
{% for server in ntp_opts.servers %}
|
||||
server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts{% endif %}
|
||||
server {{ server }} iburst {%- if ntp_opts.nts_enabled | bool %} nts
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
# Verify time with more sources than 1
|
||||
tos maxclock 7
|
||||
# From ntpd/ntpd.c
|
||||
# /*
|
||||
# * ...
|
||||
# *
|
||||
# * With 2 working servers:
|
||||
# * if they don't agree, you can't tell which one is correct
|
||||
# * With 3 working servers, 2 can outvote a falseticker
|
||||
# * With 4 servers, you still have 3 if one is down.
|
||||
# */
|
||||
tos minsane 4
|
||||
|
||||
# minclock should be greater than minsane
|
||||
tos minclock 5
|
||||
|
||||
# minclock + 2 (or 3) + number of pools
|
||||
# Also should be an odd number
|
||||
{% set maxclock = 8 + (ntp_opts.pools | length) %}
|
||||
tos maxclock {{ (maxclock | int %2 == 0) | ternary(maxclock + 1, maxclock) | int }}
|
||||
|
||||
# Exchange time with everybody, but don't allow configuration.
|
||||
# This is the right security setup for 99% of deployments.
|
||||
restrict default kod limited nomodify noquery
|
||||
|
|
Reference in a new issue