feat: Initial Project 🎉

2024-08-20 11:11:35 +12:00
commit d4366fef2a
22 changed files with 998 additions and 0 deletions

106
.github/workflows/CI.yml vendored Normal file

@@ -0,0 +1,106 @@
name: CI
on:
push:
branches:
- "**"
tags:
- "!**"
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.10'
cache: 'pip' # caching pip dependencies
- name: Ensure requirements are installed
run: pip install -r requirements.txt
- name: Lint with ansible-lint
run: ansible-lint --exclude ./tests -c ".ansible-lint"
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
- name: Lint with yamllint
run: yamllint .
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
# molecule:
# name: Molecule Test
# runs-on: ubuntu-latest
# needs: lint
# strategy:
# fail-fast: true
# matrix:
# os: [almalinux8, almalinux9]
# steps:
# - name: Checkout code
# uses: actions/checkout@v4
# - name: Setup Python
# uses: actions/setup-python@v5
# with:
# python-version: '3.10'
# cache: 'pip' # caching pip dependencies
# - name: Ensure requirements are installed
# run: pip install -r requirements.txt
# - name: Run Molecule tests.
# run: molecule test
# env:
# PY_COLORS: '1'
# ANSIBLE_FORCE_COLOR: '1'
# MOLECULE_DISTRO: ${{ matrix.os }}
release:
runs-on: ubuntu-latest
needs:
- lint
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.22'
- run: |
echo "github repo: ${GITHUB_REPOSITORY}"
echo "env vars: $(env)"
- uses: go-semantic-release/action@v1
with:
custom-arguments: --provider=gitea
env:
GITEA_TOKEN: ${{ secrets.G_TOKEN }}
GITEA_HOST: ${{ secrets.G_SERVER_URL}}
notify:
runs-on: ubuntu-latest
needs:
- lint
- release
steps:
- name: ntfy-success-notifications
uses: niniyas/ntfy-action@master
if: success()
with:
url: '${{ vars.NTFY_URL }}'
title: Workflow success - ansible-role-repo-epel
topic: 'ci-status'
priority: 4
tags: +1,partying_face,action,successfully,completed
details: Workflow has been successfully completed!
icon: 'https://styles.redditmedia.com/t5_32uhe/styles/communityIcon_xnt6chtnr2j21.png'
image: true
- name: ntfy-failed-notifications
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ vars.NTFY_URL }}'
title: Workflow failed - ansible-role-repo-epel
topic: 'ci-status'
priority: 5
tags: -1,skull,action,failed
details: Workflow has failed!
actions: 'default'
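Review bot: The `echo "env vars: $(env)"` step at the start of the `release` job dumps the entire runner environment into the build log; no secret is bound to that step in this file, but any future job-level `env:` or runner-injected token would land in a log readable by everyone with access to the repo's actions, so drop the `$(env)` line and keep only the `${GITHUB_REPOSITORY}` echo (or print the specific variables you need by name). The `notify` job twice uses `niniyas/ntfy-action@master`, a mutable branch ref on a third-party action, which lets a push to that branch run arbitrary code in this pipeline; pin it to a full commit SHA (`uses: niniyas/ntfy-action@<40-char sha>`), as `actions/checkout@v4` is at least tag-pinned. Because `on.push.branches` is `"**"`, the `release` job and its `G_TOKEN` run for every branch anyone with push access creates; gate it with `if: github.ref == 'refs/heads/main'` (or the repo's default branch) so only reviewed history can cut a release.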

66
.travis.yml Normal file

@@ -0,0 +1,66 @@
---
dist: bionic
sudo: false
language: python
services: docker
cache: pip
addons:
apt:
packages:
- python-pip
env:
global:
- _ANSIBLE_CONNECTION=local
- _ANSIBLE_PLAYBOOK=tests/docker_playbook.yml
matrix:
- _ANSIBLE_CONNECTION=ssh _ANSIBLE_PLAYBOOK=tests/test.yml
_DOCKER_NAME=alpine _DOCKER_IMAGE=alpine
# - _DOCKER_NAME=centos6 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:centos-6 _DOCKER_IMAGE_INIT=/sbin/init
- _DOCKER_NAME=centos7 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:centos-7 _DOCKER_IMAGE_INIT=/usr/lib/systemd/systemd
- _DOCKER_NAME=debian8 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:debian-8 _DOCKER_IMAGE_INIT=/lib/systemd/systemd
- _DOCKER_NAME=debian9 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:debian-9 _DOCKER_IMAGE_INIT=/lib/systemd/systemd
- _DOCKER_NAME=ubuntu16 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:ubuntu-16.04 _DOCKER_IMAGE_INIT=/lib/systemd/systemd
- _DOCKER_NAME=ubuntu18 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:ubuntu-18.04 _DOCKER_IMAGE_INIT=/lib/systemd/systemd
matrix:
fast_finish: true
before_install:
- >
ssh-keygen -t rsa -C travis@localhost -q -P '' -f ~/.ssh/id_rsa ;
cat /home/travis/.ssh/id_rsa.pub >> /home/travis/.ssh/authorized_keys ;
printf 'Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile=/dev/null\n' > /home/travis/.ssh/config;
install:
# - travis_retry pip install git+git://github.com/ansible/ansible.git@devel
- travis_retry pip install --upgrade --upgrade-strategy=eager ansible ansible-lint
- travis_retry docker pull ${_DOCKER_IMAGE}
before_script:
- printf '[defaults]\nroles_path=../\nhost_key_checking = False\nretry_files_enabled = False\n\n[ssh_connection]\npipelining = True\n' > ansible.cfg
- printf 'localhost' > inventory
- sudo ln -s /bin/true /usr/sbin/sendmail
- ansible --version
script:
- ansible-lint -v ${_ANSIBLE_PLAYBOOK}
- >
ansible-playbook -i inventory ${_ANSIBLE_PLAYBOOK}
--connection=${_ANSIBLE_CONNECTION}
--extra-vars "DOCKER_NAME=${_DOCKER_NAME} DOCKER_IMAGE=${_DOCKER_IMAGE} DOCKER_IMAGE_INIT=${_DOCKER_IMAGE_INIT}"
--skip-tags "destroy"
-vv
- >
ANSIBLE_LOG_PATH=/tmp/idempotence.log
ansible-playbook -i inventory ${_ANSIBLE_PLAYBOOK}
--connection=${_ANSIBLE_CONNECTION}
--extra-vars "DOCKER_NAME=${_DOCKER_NAME} DOCKER_IMAGE=${_DOCKER_IMAGE} DOCKER_IMAGE_INIT=${_DOCKER_IMAGE_INIT}"
- >
awk '/PLAY RECAP/,/EOF/
{if (NF && $7 !~ "PLAY" && $10$11$12 !~ "changed=0unreachable=0failed=0" ) status=1 } END
{ print (status)? "Idempotence test: FAIL" : "Idempotence test: PASS"; exit status }'
/tmp/idempotence.log
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
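Review bot: The `install` step upgrades `ansible` and `ansible-lint` to whatever PyPI serves (`--upgrade --upgrade-strategy=eager`) and pulls unpinned `ansiblecheck/ansiblecheck:*` tags, so test runs are neither reproducible nor protected against a compromised upstream tag; pin versions (`ansible==<version>`) and image digests if this file is kept. The loopback SSH setup in `before_install` disables host-key checking (`StrictHostKeyChecking no`, `UserKnownHostsFile=/dev/null`) and `ansible.cfg` sets `host_key_checking = False`; that is tolerable only because the sole target is `localhost`, so add a comment saying so, since the same lines are dangerous when copied into a real inventory. The file also targets travis-ci.org and Ubuntu bionic, both retired, and duplicates the new Gitea workflow; if it is no longer exercised, delete it rather than leave a second, looser pipeline definition in the repo.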

21
LICENSE Normal file

@@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2021 Lik
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

77
README.md Normal file

@@ -0,0 +1,77 @@
[![Ansible Galaxy](https://img.shields.io/badge/role-likg.csf-blue.svg?style=flat)](https://galaxy.ansible.com/likg/csf/)
[![Build Status](https://travis-ci.org/likg/ansible-role-csf.svg?branch=master)](https://travis-ci.org/likg/ansible-role-csf)
# Ansible Role: CSF/LFD
Install and configure [CSF/LFD](https://configserver.com/cp/csf.html)
## Requirements
CSF/LFD is a set of perl scripts, thus perl interpreter is required. Many popular distros comes with perl installed by default, nevertheless, this role will install perl if it is missing.
Full list of required packages (will be installed by this role) defined in [`csf_required_packages`](defaults/main.yml#L6-L11) and [`csf_required_packages_dist`](vars/) variables.
## Role Variables
Available variables with their default values can be found in [defaults/main.yml](defaults/main.yml).
## Dependencies
None.
## Example Playbook
```yaml
- hosts: servers
become: yes
roles:
- { role: likg.csf }
vars_files:
- path_to_vars.yml
```
File `path_to_vars.yml`:
```yaml
csf_global_ini:
- option: RESTRICT_SYSLOG
value: "2"
- option: URLGET
value: "2"
- option: TCP_IN
value: "80,443,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
- option: TCP_OUT
value: "20,21,22,25,37,43,53,80,123,443,873,953,8080,9418,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
- option: UDP_IN
value: "53"
- option: UDP_OUT
value: "20,21,43,53,113,123,58745,30000:65535"
csf_allow:
- 10.10.10.10
- 172.16.1.1/29
csf_ignore:
- 10.10.10.10
- 172.16.1.1/29
csf_pignore:
- 'exe:/usr/sbin/nginx'
- 'user:mysql'
csf_fignore:
- '/tmp/\.horde'
- '/tmp/\.horde/.*'
csf_blocklists:
- "SPAMDROP"
csf_csfpre_sh: |
#!/bin/bash
/sbin/iptables -t nat -F POSTROUTING
```
## License
MIT
## Author Information
This role was created by Lik. Extended by Cybercinch Team

96
defaults/main.yml Normal file

@@ -0,0 +1,96 @@
---
# csf/defaults/main.yml
csf_tmp_dir: "/usr/src"
csf_required_packages:
- iptables
- perl
- unzip
- tar
- net-tools
csf_global_ini_core:
- option: TESTING
value: "0"
- option: AUTO_UPDATES
value: "1"
- option: PORTS_sshd
value: "{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }}"
csf_global_ini:
- option: RESTRICT_UI
value: "2"
- option: RESTRICT_SYSLOG
value: "2"
- option: URLGET
value: "2"
- option: USE_CONNTRACK
value: "1"
- option: TCP_IN
value: "80,443,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
- option: TCP_OUT
value: "20,21,22,25,37,43,53,80,123,443,873,953,8080,9418,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
- option: UDP_IN
value: "53"
- option: UDP_OUT
value: "20,21,43,53,113,123,58745,30000:65535"
#csf_allow:
# - 10.10.10.10
# - 172.16.1.1/29
#csf_ignore:
# - 10.10.10.10
# - 172.16.1.1/29
#csf_pignore:
# - 'exe:/usr/sbin/nginx'
# - 'user:mysql'
#csf_fignore:
# - '/tmp/\.horde'
# - '/tmp/\.horde/.*'
#csf_blocklists:
# - "SPAMDROP"
#csf_dyndns:
# - "no-ip.com"
#csf_csfpre_sh: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
#csf_csfpost_sh: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
# Host based custom allow rules
#csf_allow_host:
# - 'tcp|in|d=22|s=1.1.1.1'
#csf_ignore_host:
# - '1.1.1.1'
#csf_pignore_host:
# - 'exe:/usr/sbin/nginx'
# - 'user:mysql'
#csf_fignore_host:
# - '/tmp/\.horde'
# - '/tmp/\.horde/.*'
#csf_blocklists_host:
# - "SPAMDROP"
#csf_dyndns_host:
# - "no-ip.com"
#csf_csfpre_sh_host: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
#csf_csfpost_sh_host: |
# #!/bin/bash
# /sbin/iptables -t nat -F POSTROUTING
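Review bot: The shipped `TCP_IN` default (`80,443,<ssh port>,30000:65535`) opens roughly 35,000 inbound TCP ports on every host the role touches, and `TCP_OUT`/`UDP_OUT` are similarly broad; for a firewall role the default should be the narrow case, with the wide range an opt-in. Either drop `30000:65535` from the default `csf_global_ini` and keep it in the README example, or put a comment above the entry such as `# 30000:65535 is conventionally the passive-FTP data range; remove it unless the host serves FTP` so operators see what they are exposing. `AUTO_UPDATES: "1"` in `csf_global_ini_core` makes csf download and install new versions of itself from configserver.com on its own schedule, outside any change control; that is upstream's default, but it deserves a comment and arguably belongs in the overridable `csf_global_ini` list rather than the `_core` list, which callers are not expected to replace.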

22
handlers/main.yml Normal file

@@ -0,0 +1,22 @@
---
# csf/handlers/main.yml
- name: run csftest.pl
command: /etc/csf/csftest.pl
register: csf_check_contents
changed_when: false
failed_when: csf_check_contents.stdout.find('csf should function on this server') == -1
when: ansible_facts.virtualization_type != 'docker'
# toremove when: statement ^
- name: check csf conf
command: csf -c
register: csf_conf_check
changed_when: false
failed_when: "'error' in csf_conf_check.stdout.lower()"
- name: restart csf
command: csf -ra
- name: enable csf
command: csf -e
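Review bot: The `check csf conf` handler runs `csf -c`, which in csf's own usage text is "Check for updates to csf but do not upgrade", not a configuration check — so the handler makes an outbound request to configserver.com and `failed_when: "'error' in csf_conf_check.stdout.lower()"` fails the play on a network problem rather than on a bad `csf.conf`; confirm this against the installed csf version and, if the intent is pre-restart validation, register the output of `csf -ra` itself and fail on errors there instead. The `enable csf` handler (`csf -e`) is not notified by any task in this commit, so it is dead code unless a caller notifies it by name; wire it into `install.yml` or remove it. The `csftest.pl` handler's `when:` carries a `# toremove` marker with no explanation; replace it with a comment stating why the check is skipped under docker (the condition suggests csftest.pl needs kernel iptables modules the container lacks) so the next maintainer does not "clean it up".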

33
meta/main.yml Normal file

@@ -0,0 +1,33 @@
---
dependencies: []
galaxy_info:
author: cybercinch
description: Install and configure CSF/LFD (https://configserver.com/cp/csf.html)
min_ansible_version: 2.9
license: MIT
platforms:
- name: EL
versions:
- 6
- 7
- 8
- 9
- name: Debian
versions:
- wheezy
- jessie
- stretch
- name: Ubuntu
versions:
- precise
- trusty
- xenial
- bionic
galaxy_tags:
- csf
- lfd
- firewall
- iptables
- networking
- system

117
tasks/configure.yml Normal file

@@ -0,0 +1,117 @@
---
# csf/tasks/configure.yml
- name: edit csf.conf
lineinfile:
dest: /etc/csf/csf.conf
regexp: '^#? ?{{ item.option }} ='
line: '{{ item.option }} = "{{ item.value }}"'
state: present
with_flattened:
- '{{ csf_global_ini_core }}'
- '{{ csf_global_ini }}'
notify:
- check csf conf
- restart csf
tags:
- csf
- csf_conf
- configuration
- name: edit csf.{allow,ignore,pignore,fignore,dyndns}
template:
src: '{{ item }}.j2'
dest: '/etc/csf/{{ item }}'
owner: root
group: root
mode: 0600
loop:
- 'csf.allow'
- 'csf.ignore'
- 'csf.pignore'
- 'csf.fignore'
- 'csf.dyndns'
notify:
- check csf conf
- restart csf
tags:
- csf
- csf_conf
- configuration
- name: disable csf.blocklists
replace:
dest: /etc/csf/csf.blocklists
regexp: '^(\w+\|.*)$'
replace: '#\1'
when: csf_blocklists is undefined
notify:
- check csf conf
- restart csf
tags:
- csf
- csf_conf
- configuration
- name: enable csf.blocklists
lineinfile:
dest: /etc/csf/csf.blocklists
regexp: '^#{{ item }}\|(.*)$'
line: '{{ item }}|\1'
state: present
backrefs: yes
loop: '{{ csf_blocklists }}'
when: csf_blocklists is defined
notify:
- check csf conf
- restart csf
tags:
- csf
- csf_conf
- configuration
- name: remove csfpre.sh hook
file:
path: '/etc/csf/csfpre.sh'
state: absent
when: csf_csfpre_sh is undefined
tags:
- csf
- csf_conf
- configuration
- name: remove csfpost.sh hook
file:
path: '/etc/csf/csfpost.sh'
state: absent
when: csf_csfpost_sh is undefined
tags:
- csf
- csf_conf
- configuration
- name: create csfpre.sh hook
copy:
content: "{{ vars['csf_csfpre_sh'] }}"
dest: '/etc/csf/csfpre.sh'
mode: 0700
when: csf_csfpre_sh is defined
notify:
- restart csf
tags:
- csf
- csf_conf
- configuration
- name: create csfpost.sh hook
copy:
content: "{{ vars['csf_csfpost_sh'] }}"
dest: '/etc/csf/csfpost.sh'
mode: 0700
when: csf_csfpost_sh is defined
notify:
- restart csf
tags:
- csf
- csf_conf
- configuration
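Review bot: The `create csfpre.sh hook` and `create csfpost.sh hook` tasks write scripts that csf executes as root on every firewall (re)start, yet unlike the `edit csf.{allow,...}` task they set no `owner`/`group`, and every mode in this file is a bare YAML octal literal (`mode: 0600`, `mode: 0700`) that ansible-lint's `risky-octal` rule rejects — plausibly part of why the lint job fails. Use `owner: root`, `group: root`, `mode: "0700"` on both copy tasks and quote the `0600` on the template task. Note also that `lineinfile` with `state: present` appends `OPTION = "value"` at end of file when the regexp finds nothing, so a typo in an `option:` name silently yields an unknown key that csf ignores rather than a failure; a comment above `edit csf.conf` saying so (or a `validate:` hook) makes that failure mode visible. `content: "{{ vars['csf_csfpre_sh'] }}"` can simply be `"{{ csf_csfpre_sh }}"`.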


@@ -0,0 +1,25 @@
---
# csf/tasks/disable_firewall.yml
- name: disable firewalld (RedHat case)
service:
name: firewalld
state: stopped
enabled: no
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.service_mgr == 'systemd'
ignore_errors: true
tags:
- services
- name: disable ufw (Ubuntu case)
service:
name: ufw
state: stopped
enabled: no
when:
- ansible_facts.distribution == 'Ubuntu'
ignore_errors: true
tags:
- services
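Review bot: This file stops and disables firewalld/ufw before `install.yml` and `configure.yml` run (per the import order in `tasks/main.yml`), and both tasks carry `ignore_errors: true`, so if the csf download or `install.sh` later fails the host is left with its previous firewall off and csf never started — a fail-open sequence. Import this file after csf is installed and configured, immediately before the `ensure csf/lfd started/enabled` task, or at minimum add a comment documenting the unprotected window. The `ufw` task is gated on `distribution == 'Ubuntu'` only, so Debian hosts with ufw installed (and any host running the `nftables` service) keep a second firewall manager active alongside csf; gating on `os_family == 'Debian'` and adding an `nftables` stop would match the platforms `meta/main.yml` claims. The rendered page shows no file-header line for this section; the path is taken from the `# csf/tasks/disable_firewall.yml` comment.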

44
tasks/install.yml Normal file

@@ -0,0 +1,44 @@
---
# csf/tasks/install.yml
- name: install required packages
package:
name: '{{ item }}'
state: present
update_cache: yes
with_flattened:
- '{{ csf_required_packages }}'
- '{{ csf_required_packages_dist }}'
tags:
- packages
- name: check /usr/sbin/csf file
stat:
path: /usr/sbin/csf
register: csf_sbin_file
- name: download csf.tgz
get_url:
url: 'https://download.configserver.com/csf.tgz'
dest: '{{ csf_tmp_dir }}/csf.tgz'
checksum: 'sha256:https://www.configserver.com/checksums.txt'
when: not csf_sbin_file.stat.exists
tags:
- download
- name: unpack csf.tgz
unarchive: # noqa 208
src: '{{ csf_tmp_dir }}/csf.tgz'
dest: '{{ csf_tmp_dir }}'
remote_src: yes
creates: '{{ csf_tmp_dir }}/csf/install.sh'
when: not csf_sbin_file.stat.exists
- name: run CSF installer
command: sh install.sh
args:
chdir: '{{ csf_tmp_dir }}/csf'
creates: /etc/csf/csf.conf
when: not csf_sbin_file.stat.exists
notify:
- run csftest.pl
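Review bot: `download csf.tgz` verifies the archive against `https://www.configserver.com/checksums.txt`, fetched from the same vendor as the tarball, and `run CSF installer` then executes it as root; that guards against a corrupted transfer but not against a compromised or spoofed origin, because whoever controls the artifact controls the checksum file too. Add a pinned value (`csf_tgz_checksum: "sha256:<known-good digest>"` in `defaults/main.yml`) and use the URL form only as a documented fallback; also confirm `checksums.txt` is in the `<hash> <filename>` layout `get_url` expects, otherwise the task fails on every fresh install. The `# noqa 208` on `unarchive` silences the permissions rule while the extracted tree is left in `/usr/src` (`csf_tmp_dir`) indefinitely; set `mode`/`owner` explicitly or add a cleanup task instead of suppressing the warning. Since every step is gated on `/usr/sbin/csf` not existing, re-running the role never upgrades csf — that is delegated entirely to `AUTO_UPDATES` — which is worth one comment at the top of the file.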

37
tasks/main.yml Normal file

@@ -0,0 +1,37 @@
---
# csf/tasks/main.yml
- name: include OS-specific variables
include_vars: '{{ item }}'
with_first_found:
- '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_facts.os_family }}.yml'
- 'main.yml'
tags:
- csf
- vars
- packages
- import_tasks: disable_firewall.yml
tags:
- csf
- import_tasks: install.yml
tags:
- csf
- import_tasks: configure.yml
tags:
- csf
- name: ensure csf/lfd started/enabled
service:
name: '{{ item }}'
state: started
enabled: yes
loop:
- csf
- lfd
tags:
- csf
- services
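Review bot: The `with_first_found` lookup resolves `RedHat-6.yml` and `RedHat-7.yml` from `vars/`, but this commit ships no `RedHat-8.yml`, `RedHat-9.yml` or `RedHat.yml`, so EL8/EL9 hosts — listed as supported in `meta/main.yml` and in the commented molecule matrix — fall through to `vars/main.yml` with `csf_required_packages_dist: []` and never receive `bind-utils`, `perl-libwww-perl` or `perl-LWP-Protocol-https`. With `URLGET = "2"` (LWP) in the defaults, csf's update and blocklist downloads would presumably fail on those hosts; add a `vars/RedHat.yml` fallback with the EL7 list (verify the package names on EL8/9) so the lookup degrades correctly. `disable_firewall.yml` is imported before `install.yml`, removing the host's existing firewall before csf exists; moving that import to just before `ensure csf/lfd started/enabled` closes the fail-open window.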

34
templates/csf.allow.j2 Normal file

@@ -0,0 +1,34 @@
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port,port,...|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
# BEGIN GENERAL ALLOW LIST
{% if ansible_env['SSH_CONNECTION'] is defined %}
{{ ansible_env['SSH_CONNECTION'].split()[0] }} # csf SSH installation/upgrade IP address
{% endif %}
{% for ip in csf_allow | default([]) %}
{{ ip }}
{% endfor %}
# END GENERAL ALLOW LIST
{% if csf_allow_host is defined %}
# BEGIN HOST SPECIFIC ALLOW LIST
{% for ip in csf_allow_host | default([]) %}
{{ ip }}
{% endfor %}
# END HOST SPECIFIC ALLOW LIST
{% endif %}
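Review bot: The template unconditionally whitelists the Ansible controller's source address (`ansible_env['SSH_CONNECTION'].split()[0]`) in `csf.allow`, which passes that IP through iptables on every port, not just SSH; when the controller sits behind a NAT gateway, bastion or shared CI runner, that entry grants the entire shared egress address unrestricted access to the host, and — as this file's own header says — csf.allow entries are still subject to lfd blocking, so it does not even reliably prevent controller lockout. Make it opt-in and port-scoped, e.g. `{% if csf_allow_controller | default(true) and ansible_env['SSH_CONNECTION'] is defined %}` followed by `tcp|in|d={{ ansible_port | default(22) }}|s={{ ansible_env['SSH_CONNECTION'].split()[0] }} # ansible controller`. Because the file is regenerated on each run, a controller whose IP changes is dropped silently along with any previous entry; a one-line comment above the block would save operators a surprise.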

32
templates/csf.dyndns.j2 Normal file

@@ -0,0 +1,32 @@
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following FQDN's will be allowed through the firewall. This is controlled
# by lfd which checks the DNS resolution of the FQDN and adds the ip address
# into the ALLOWDYNIN and ALLOWDYNOUT iptables chains. lfd will check for IP
# updates every DYNDNS seconds if set.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled and the perl module Socket6 from cpan.org is
# installed, then all IPv6 AAAA IP address records will also be allowed.
#
# Only list fully qualified domain names (FQDN's) in this file, either on their
# own to allow full access, or using Advanced Allow/Deny Filters (see
# readme.txt)
#
# BEGIN GENERAL DYNDNS ALLOW LIST
{% for fqdn in csf_dyndns | default([]) %}
{{ fqdn }}
{% endfor %}
# END GENERAL DYNDNS ALLOW LIST
{% if csf_dyndns_host is defined %}
# BEGIN HOST SPECIFIC DYNDNS ALLOW LIST
{% for fqdn in csf_dyndns_host %}
{{ fqdn }}
{% endfor %}
# END HOST SPECIFIC DYNDNS ALLOW LIST
{% endif %}

37
templates/csf.fignore.j2 Normal file

@@ -0,0 +1,37 @@
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of files that lfd directory watching will ignore. You
# must specify the full path to the file
#
# You can also use perl regular expression pattern matching, for example:
# /tmp/clamav.*
# /tmp/.*\.wrk
#
# Remember that you will need to escape special characters (precede them with a
# backslash) such as \. \?
#
# Pattern matching will only occur with strings containing an asterix (*),
# otherwise full file path matching will be applied
#
# You can also add entries to ignore files owner by a particular user by
# preceding it with user:, for example:
# user:bob
#
# Note: files owned by root are ignored
# BEGIN GENERAL FILE IGNORE LIST
{% for file in csf_fignore | default([]) %}
{{ file }}
{% endfor %}
# END GENERAL FILE IGNORE LIST
{% if csf_fignore_host is defined %}
# BEGIN HOST SPECIFIC FILE IGNORE LIST
{% for file in csf_fignore_host %}
{{ file }}
{% endfor %}
# END HOST SPECIFIC FILE IGNORE LIST
{% endif %}

25
templates/csf.ignore.j2 Normal file

@@ -0,0 +1,25 @@
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be ignored by all lfd checks
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
127.0.0.1
# BEGIN GENERAL IGNORE LIST
{% for ip in csf_ignore | default([]) %}
{{ ip }}
{% endfor %}
# END GENERAL IGNORE LIST
{% if csf_ignore_host is defined %}
# BEGIN HOST SPECIFIC IGNORE LIST
{% for ip in csf_ignore_host %}
{{ ip }}
{% endfor %}
# END HOST SPECIFIC IGNORE LIST
{% endif %}

138
templates/csf.pignore.j2 Normal file

@@ -0,0 +1,138 @@
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt
exe:/bin/dbus-daemon
exe:/sbin/ntpd
exe:/usr/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/bin/lsmd
exe:/usr/bin/postgres
exe:/usr/bin/spamc
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/polkit-1/polkitd
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/auth
exe:/usr/libexec/dovecot/dict
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/lmtp
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/quota-status
exe:/usr/libexec/dovecot/stats
exe:/usr/libexec/dovecot/imap-hibernate
exe:/usr/libexec/gam_server
exe:/usr/libexec/hald-addon-acpi
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/mysqld
exe:/usr/local/apache/bin/httpd
exe:/usr/local/cpanel/3rdparty/bin/analog
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
exe:/usr/local/cpanel/3rdparty/bin/imapd
exe:/usr/local/cpanel/3rdparty/bin/php
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
exe:/usr/local/cpanel/3rdparty/php/54/bin/php-cgi
exe:/usr/local/cpanel/3rdparty/php/56/bin/php-cgi
exe:/usr/local/cpanel/3rdparty/php/56/sbin/php-fpm
exe:/usr/local/cpanel/3rdparty/php/54/sbin/php-fpm
exe:/usr/local/cpanel/3rdparty/sbin/mydns
exe:/usr/local/cpanel/3rdparty/sbin/p0f
exe:/usr/local/cpanel/bin/cppop
exe:/usr/local/cpanel/bin/cppop-ssl
exe:/usr/local/cpanel/bin/cpuwatch
exe:/usr/local/cpanel/bin/cpwrap
exe:/usr/local/cpanel/bin/logrunner
exe:/usr/local/cpanel/bin/pkgacct
exe:/usr/local/cpanel/cpanel
exe:/usr/local/cpanel/cpdavd
exe:/usr/local/cpanel/cpsrvd
exe:/usr/local/cpanel/cpsrvd-ssl
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/urchin/bin/urchinwebd
exe:/usr/sbin/chronyd
exe:/usr/sbin/exim
exe:/usr/sbin/exim
exe:/usr/sbin/hald
exe:/usr/sbin/httpd
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/sbin/named
exe:/usr/sbin/nscd
exe:/usr/sbin/nsd
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/pure-ftpd
exe:/usr/sbin/sshd
exe:/var/cpanel/3rdparty/bin/php
exe:/usr/sbin/pdns_server
exe:/usr/local/cpanel/bin/autossl_check
exe:/usr/local/cpanel/bin/whm_xfer_download-ssl
pexe:^/usr/lib/jvm/java-.*/jre/bin/java$
exe:/usr/libexec/dovecot/indexer-worker
exe:/usr/libexec/dovecot/indexer
pexe:/usr/local/cpanel/3rdparty/bin/git.*
pexe:/usr/local/cpanel/3rdparty/libexec/git-core/git.*
# Some additional entries that you might want to ignore on cPanel servers.
# However, be aware of the security implications under "Process Tracking" in
# the csf readme.txt when using these:
#
#cmd:/bin/sh /usr/bin/mysqld_safe
#cmd:/bin/sh /usr/bin/mysqld_safe --basedir=/usr
#cmd:spamd child
#pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
#pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
#pcmd:/usr/bin/python.? /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
#pcmd:/usr/bin/python.? /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
#pcmd:/usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats\.pl.*
#pcmd:/usr/bin/perl /usr/local/cpanel/base/awstats\.pl.*
#pcmd:cpanellogd - (http|ftp) logs for .*
#pcmd:ubic-guardian ubic-periodic.*
#pcmd:perl /usr/local/cpanel/3rdparty/perl/\d+/bin/ubic-periodic.*
#pcmd:MailScanner:.*
# BEGIN GENERAL PROCESS IGNORE LIST
{% for process in csf_pignore | default([]) %}
{{ process }}
{% endfor %}
# END GENERAL PROCESS IGNORE LIST
{% if csf_pignore_host is defined %}
# BEGIN HOST SPECIFIC PROCESS IGNORE LIST
{% for process in csf_pignore_host %}
{{ process }}
{% endfor %}
# END HOST SPECIFIC PROCESS IGNORE LIST
{% endif %}
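Review bot: The template bakes in upstream's 2018 `exe:` ignore list (cPanel, dovecot, `exe:/usr/sbin/sshd`, `exe:/usr/sbin/httpd`, …) ahead of the role-managed section, and since the file is rewritten on every run there is no variable through which an operator can remove an entry, so lfd process tracking is permanently blind to those binaries on every host. Move the list into an overridable `csf_pignore_default` in `defaults/main.yml`, or at least add a comment above it stating that it mirrors upstream's shipped `csf.pignore` and must be reconciled on csf upgrades. `exe:/usr/sbin/exim` appears twice; drop the duplicate.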

58
tests/docker_playbook.yml Normal file

@@ -0,0 +1,58 @@
---
# docker_playbook.yml
- hosts: localhost
become: yes
pre_tasks:
- name: define containers facts
set_fact:
containers:
- name: '{{ DOCKER_NAME }}'
image: '{{ DOCKER_IMAGE }}'
init: '{{ DOCKER_IMAGE_INIT | d("/sbin/init") }}'
tags:
- always
tasks:
- name: install docker on localhost
pip:
name: docker
extra_args: "--upgrade"
- name: create docker containers
docker_container:
name: '{{ item.name }}'
image: '{{ item.image }}'
command: '{{ item.init }}'
state: started
privileged: true
volumes:
- '/sys/fs/cgroup:/sys/fs/cgroup:ro'
loop: '{{ containers }}'
- name: add containers to inventory
add_host:
name: '{{ item.name }}'
groups: docker_containers
ansible_connection: docker
changed_when: false
loop: '{{ containers }}'
- name: run tasks in containers
hosts: docker_containers
strategy: free
become: yes
roles:
- { role: ../.. }
- hosts: localhost
tasks:
- name: remove docker containers
docker_container:
name: '{{ item.name }}'
state: absent
loop: '{{ containers }}'
changed_when: false
tags:
- destroy
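Review bot: The `install docker on localhost` task runs `pip install --upgrade docker` as root (`become: yes`) with no version pin, mutating the system Python of whatever machine runs the tests; pin it with `version:` on the `pip` module or install into a `virtualenv:` so the harness neither depends on nor alters what PyPI serves that day. The containers are started `privileged: true` with the host's `/sys/fs/cgroup` mounted — needed for systemd-in-docker, but it also hands the role full capabilities inside the container and `strategy: free` plus `become: yes` then applies a firewall role to them; add a comment stating this is a throwaway test harness that must never target a production Docker host. Module names are used unqualified (`docker_container`, `pip`, `set_fact`); recent ansible-lint flags that under its `fqcn` rule, so `community.docker.docker_container` / `ansible.builtin.pip` would likely help the failing lint job.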

5
tests/test.yml Normal file

@@ -0,0 +1,5 @@
---
- hosts: all
become: yes
roles:
- ../..

7
vars/Debian.yml Normal file

@@ -0,0 +1,7 @@
---
# csf/vars/Debian.yml
csf_required_packages_dist:
- bind9-host
- libwww-perl
- liblwp-protocol-https-perl

7
vars/RedHat-6.yml Normal file

@@ -0,0 +1,7 @@
---
# csf/vars/RedHat-6.yml
csf_required_packages_dist:
- bind-utils
- perl-libwww-perl
- perl-Crypt-SSLeay

7
vars/RedHat-7.yml Normal file

@@ -0,0 +1,7 @@
---
# csf/vars/RedHat-7.yml
csf_required_packages_dist:
- bind-utils
- perl-libwww-perl
- perl-LWP-Protocol-https

4
vars/main.yml Normal file

@@ -0,0 +1,4 @@
---
# csf/vars/main.yml
csf_required_packages_dist: []