├── 16.04-lts
├── at.allow
├── cron.allow
├── skel
│ └── .ssh
│ │ └── authorized_keys
├── apt
│ └── apt.conf.d
│ │ ├── 10periodic
│ │ └── 50unattended-upgrades
├── cron.daily
│ └── 00logwatch
├── default
│ ├── sysstat
│ └── aide
├── hosts.allow
├── nginx
│ ├── nginx.conf
│ └── sites-available
│ │ └── default
├── profile
├── hosts.deny
├── sudoers
├── security
│ ├── pwquality.conf
│ └── limits.conf
├── bash.bashrc
├── sysctl.conf
├── apache2
│ ├── conf-available
│ │ └── security.conf
│ ├── mods-available
│ │ └── ssl.conf
│ ├── sites-available
│ │ └── default-ssl.conf
│ └── apache2.conf
├── ssh
│ └── sshd_config
├── setup.sh
├── aide
│ └── aide.conf
└── login.defs
├── 12.04-lts
├── skel
│ ├── .ssh
│ │ └── authorized_keys
│ └── README.md
├── apache2
│ ├── mods-available
│ │ ├── proxy.load
│ │ ├── status.load
│ │ ├── autoindex.load
│ │ ├── proxy.conf
│ │ ├── proxy_html.conf
│ │ └── ssl.conf
│ ├── conf.d
│ │ └── security
│ └── apache2.conf
├── ssh
│ ├── ssh_config
│ └── sshd_config
├── security
│ └── limits.conf
├── sysctl.conf
├── securetty
├── login.defs
└── postgresql
│ └── 9.1
│ └── main
│ └── postgresql.conf
├── 14.04-lts
├── skel
│ ├── .ssh
│ │ └── authorized_keys
│ └── README.md
├── aide
│ ├── aide.conf.d
│ │ └── 70_aide_nginx_proxy
│ └── aide.conf
├── apt
│ └── apt.conf.d
│ │ └── 10periodic
├── cron.daily
│ ├── 00logwatch
│ └── aide
├── nginx
│ ├── nginx.conf
│ └── sites-available
│ │ └── default
├── setup.sh
├── ssh
│ ├── ssh_config
│ └── sshd_config
├── init.d
│ └── ssl
├── apache2
│ ├── conf-available
│ │ ├── security.conf
│ │ └── ssl.conf
│ ├── sites-available
│ │ └── default-ssl.conf
│ └── apache2.conf
├── sysctl.conf
└── default
│ └── aide
└── README.md
/16.04-lts/at.allow:
--------------------------------------------------------------------------------
1 | root
2 |
--------------------------------------------------------------------------------
/16.04-lts/cron.allow:
--------------------------------------------------------------------------------
1 | root
2 |
--------------------------------------------------------------------------------
/12.04-lts/skel/.ssh/authorized_keys:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/14.04-lts/skel/.ssh/authorized_keys:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/16.04-lts/skel/.ssh/authorized_keys:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/14.04-lts/aide/aide.conf.d/70_aide_nginx_proxy:
--------------------------------------------------------------------------------
1 | !/var/lib/nginx/proxy/[0-9]/[0-9][0-9]$
2 |
--------------------------------------------------------------------------------
/12.04-lts/apache2/mods-available/proxy.load:
--------------------------------------------------------------------------------
1 | #LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
2 |
--------------------------------------------------------------------------------
/12.04-lts/apache2/mods-available/status.load:
--------------------------------------------------------------------------------
1 | #LoadModule status_module /usr/lib/apache2/modules/mod_status.so
2 |
--------------------------------------------------------------------------------
/12.04-lts/apache2/mods-available/autoindex.load:
--------------------------------------------------------------------------------
1 | #LoadModule autoindex_module /usr/lib/apache2/modules/mod_autoindex.so
2 |
--------------------------------------------------------------------------------
/12.04-lts/skel/README.md:
--------------------------------------------------------------------------------
1 | etc/skel/.ssh/ must be set mode 0700.
2 | etc/skel/.ssh/authorized_keys must be set mode 0600.
3 |
--------------------------------------------------------------------------------
/14.04-lts/skel/README.md:
--------------------------------------------------------------------------------
1 | etc/skel/.ssh/ must be set mode 0700.
2 | etc/skel/.ssh/authorized_keys must be set mode 0600.
3 |
--------------------------------------------------------------------------------
/14.04-lts/apt/apt.conf.d/10periodic:
--------------------------------------------------------------------------------
1 | APT::Periodic::Update-Package-Lists "1";
2 | APT::Periodic::Download-Upgradeable-Packages "1";
3 | APT::Periodic::AutocleanInterval "7";
4 | APT::Periodic::Unattended-Upgrade "1";
5 |
--------------------------------------------------------------------------------
/16.04-lts/apt/apt.conf.d/10periodic:
--------------------------------------------------------------------------------
1 | APT::Periodic::Update-Package-Lists "1";
2 | APT::Periodic::Download-Upgradeable-Packages "1";
3 | APT::Periodic::AutocleanInterval "7";
4 | APT::Periodic::Unattended-Upgrade "1";
5 |
--------------------------------------------------------------------------------
/14.04-lts/cron.daily/00logwatch:
--------------------------------------------------------------------------------
#!/bin/bash

# Daily cron hook: run logwatch and mail its report to root.

# Bail out quietly if logwatch was removed but not purged: the cron hook
# survives the removal while the program it calls does not.
[[ -x /usr/share/logwatch/scripts/logwatch.pl ]] || exit 0

# Hand the process over to logwatch; its exit status becomes this script's.
exec /usr/sbin/logwatch --mailto root

# To send the report somewhere else, change the --mailto recipient above.
--------------------------------------------------------------------------------
/16.04-lts/cron.daily/00logwatch:
--------------------------------------------------------------------------------
#!/bin/bash

# Daily cron hook: run logwatch and mail its report to root.

# Bail out quietly if logwatch was removed but not purged: the cron hook
# survives the removal while the program it calls does not.
[[ -x /usr/share/logwatch/scripts/logwatch.pl ]] || exit 0

# Hand the process over to logwatch; its exit status becomes this script's.
exec /usr/sbin/logwatch --mailto root

# To send the report somewhere else, change the --mailto recipient above.
--------------------------------------------------------------------------------
/16.04-lts/default/sysstat:
--------------------------------------------------------------------------------
1 | #
2 | # Default settings for /etc/init.d/sysstat, /etc/cron.d/sysstat
3 | # and /etc/cron.daily/sysstat files
4 | #
5 |
6 | # Should sadc collect system activity information? Valid values
7 | # are "true" and "false". Please do not put other values, they
8 | # will be overwritten by debconf!
9 | ENABLED="true"
10 |
11 |
--------------------------------------------------------------------------------
/16.04-lts/hosts.allow:
--------------------------------------------------------------------------------
1 | # /etc/hosts.allow: list of hosts that are allowed to access the system.
2 | # See the manual pages hosts_access(5) and hosts_options(5).
3 | #
4 | # Example: ALL: LOCAL @some_netgroup
5 | # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
6 | #
7 | # If you're going to protect the portmapper use the name "rpcbind" for the
8 | # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
9 | #
10 | ALL: localhost
11 |
12 |
--------------------------------------------------------------------------------
/16.04-lts/nginx/nginx.conf:
--------------------------------------------------------------------------------
1 | user www-data;
2 | worker_processes 4;
3 | pid /run/nginx.pid;
4 |
5 | events {
6 | worker_connections 1024;
7 | }
8 |
9 | http {
10 | sendfile on;
11 | tcp_nopush off;
12 | tcp_nodelay on;
13 | keepalive_timeout 65;
14 | types_hash_max_size 2048;
15 | server_tokens off;
16 |
17 | include /etc/nginx/mime.types;
18 | default_type application/octet-stream;
19 |
20 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
21 | ssl_prefer_server_ciphers on;
22 |
23 | access_log /var/log/nginx/access.log;
24 | error_log /var/log/nginx/error.log;
25 |
26 | gzip off;
27 |
28 | include /etc/nginx/conf.d/*.conf;
29 | include /etc/nginx/sites-enabled/*;
30 | }
31 |
32 |
--------------------------------------------------------------------------------
/16.04-lts/profile:
--------------------------------------------------------------------------------
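# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
#
# Sourced by every login shell, so it must stay plain POSIX sh: no
# bashisms ([[ ]], arrays, etc.) in this file.

if [ "$PS1" ]; then
  if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then
    # The file bash.bashrc already sets the default PS1.
    # PS1='\h:\w\$ '
    if [ -f /etc/bash.bashrc ]; then
      . /etc/bash.bashrc
    fi
  else
    # Plain sh: a minimal prompt that still shows whether we are root.
    if [ "$(id -u)" -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi

if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    # Quoted so a path containing whitespace or glob characters is neither
    # split nor re-expanded before the readability test and the dot-source.
    if [ -r "$i" ]; then
      . "$i"
    fi
  done
  unset i
fi

# Set the default umask here, too. 077 keeps newly created files private to
# their owner by default; users who need to share can loosen it per session.
umask 077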
--------------------------------------------------------------------------------
/16.04-lts/hosts.deny:
--------------------------------------------------------------------------------
1 | # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
2 | # See the manual pages hosts_access(5) and hosts_options(5).
3 | #
4 | # Example: ALL: some.host.name, .some.domain
5 | # ALL EXCEPT in.fingerd: other.host.name, .other.domain
6 | #
7 | # If you're going to protect the portmapper use the name "rpcbind" for the
8 | # daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
9 | #
10 | # The PARANOID wildcard matches any host whose name does not match its
11 | # address.
12 | #
13 | # You may wish to enable this to ensure any programs that don't
14 | # validate looked up hostnames still leave understandable logs. In past
15 | # versions of Debian this has been the default.
16 | ALL: PARANOID
17 |
18 |
--------------------------------------------------------------------------------
/14.04-lts/nginx/nginx.conf:
--------------------------------------------------------------------------------
1 | user www-data;
2 | worker_processes 4;
3 | pid /run/nginx.pid;
4 |
5 | events {
6 | worker_connections 1024;
7 | }
8 |
9 | http {
10 | sendfile on;
11 | tcp_nopush off;
12 | tcp_nodelay on;
13 | keepalive_timeout 65;
14 | types_hash_max_size 2048;
15 | server_tokens off;
16 |
17 | include /etc/nginx/mime.types;
18 | default_type application/octet-stream;
19 |
20 | access_log /var/log/nginx/access.log;
21 | error_log /var/log/nginx/error.log;
22 |
23 | # Disabled to mitigate some potential vulnerabilities in SSL and TLS.
24 | # Also to not conflict with the Naxsi web application firewall module.
25 | gzip off;
26 |
27 | # Not installed yet.
28 | #include /etc/nginx/naxsi_core.rules;
29 |
30 | include /etc/nginx/conf.d/*.conf;
31 | include /etc/nginx/sites-enabled/*;
32 | }
33 |
34 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | This is a set of configuration files for Ubuntu Server (versions 12.04 and
2 | 14.04, both LTS) that I deploy on new VMs in production to harden them.
3 | Recursively copy all of the files in a particular release's directory into
4 | /etc to install them.
5 |
6 | The v12.04 files are fairly well tested.
7 |
8 | Consider the v14.04 files experimental. We've stopped deploying Trusty VMs in
9 | the field because reasons.
10 |
11 | The configuration changes are taken from the following ebooks and other Git
12 | repositories:
13 |
14 | * https://benchmarks.cisecurity.org/community/editors/groups/single/?group=debian
15 | * https://benchmarks.cisecurity.org/downloads/show-single/?file=apache.310
16 | * https://benchmarks.cisecurity.org/downloads/show-single/?file=apache24.100
17 | * https://github.com/ioerror/duraconf/
18 |
19 | As always, these files are a work in progress.
20 |
21 |
--------------------------------------------------------------------------------
/12.04-lts/apache2/mods-available/proxy.conf:
--------------------------------------------------------------------------------
1 |
2 |
3 | # If you want to use apache2 as a forward proxy, uncomment the
4 | # 'ProxyRequests On' line and the block below.
5 | # WARNING: Be careful to restrict access inside the block.
6 | # Open proxy servers are dangerous both to your network and to the
7 | # Internet at large.
8 | #
9 | # If you only want to use apache2 as a reverse proxy/gateway in
10 | # front of some web application server, you DON'T need
11 | # 'ProxyRequests On'.
12 |
13 | #ProxyRequests Off
14 | #
15 | # AddDefaultCharset off
16 | # Order deny,allow
17 | # Allow from 127.0.0.1
18 | #
19 |
20 | # Enable/disable the handling of HTTP/1.1 "Via:" headers.
21 | # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
22 | # Set to one of: Off | On | Full | Block
23 | #ProxyVia Off
24 |
25 |
26 |
--------------------------------------------------------------------------------
/16.04-lts/sudoers:
--------------------------------------------------------------------------------
1 | #
2 | # This file MUST be edited with the 'visudo' command as root.
3 | #
4 | # Please consider adding local content in /etc/sudoers.d/ instead of
5 | # directly modifying this file.
6 | #
7 | # See the man page for details on how to write a sudoers file.
8 | #
9 | Defaults env_reset
10 | Defaults mail_badpass
11 | Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
12 |
13 | # Host alias specification
14 |
15 | # User alias specification
16 |
17 | # Cmnd alias specification
18 |
19 | # User privilege specification
20 | root ALL=(ALL:ALL) ALL
21 |
22 | # Members of the admin group may gain root privileges
23 | %admin ALL=(ALL) ALL
24 |
25 | # Allow members of group sudo to execute any command without a password; each session's input and output are logged (LOG_INPUT/LOG_OUTPUT)
26 | %sudo ALL=(ALL:ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: ALL
27 |
28 | # See sudoers(5) for more information on "#include" directives:
29 |
30 | #includedir /etc/sudoers.d
31 |
--------------------------------------------------------------------------------
/14.04-lts/setup.sh:
--------------------------------------------------------------------------------
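#!/bin/bash

# by: drwho at virtadpt dot net

# Copies all this stuff into place on a brand-new system to harden it. Also
# installs some useful packages for monitoring.
#
# Usage: run as root. The files are taken from the directory this script
# lives in (not the caller's working directory) and copied recursively
# into /etc, after which the script removes its own copy from /etc.

set -u

# Print a message to stderr and abort with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# You must be this high to ride this ride.
if [[ "$(id -u)" -ne 0 ]]; then
  die "You must be root to run ${0##*/}. ABENDing."
fi

# Work relative to the script's own directory so that running it from
# somewhere else does not sweep unrelated files from the cwd into /etc.
script_dir=$(cd -- "$(dirname -- "$0")" && pwd) || die "cannot locate script directory"
cd -- "$script_dir" || die "cannot cd to $script_dir"

# Patch the system. Refresh the package lists first so that upgrade and the
# installs below see current packages rather than whatever the image shipped.
apt-get update || die "apt-get update failed"
apt-get upgrade -y || die "apt-get upgrade failed"

# Postfix sends mail.
# AIDE monitors the file system.
# Logwatch parses the logfiles and mails you about anomalies.
apt-get install -y postfix aide logwatch || die "installing postfix/aide/logwatch failed"

# These are always good to have around. A failure here is not fatal: the
# hardening files still go in without them, so just warn.
apt-get install -y haveged openntpd lynx sslscan psmisc sysstat \
  || printf 'warning: some monitoring packages did not install\n' >&2
apt-get install -y openssl-blacklist openssl-blacklist-extra \
  || printf 'warning: openssl-blacklist packages did not install\n' >&2
apt-get install -y openssh-blacklist openssh-blacklist-extra \
  || printf 'warning: openssh-blacklist packages did not install\n' >&2

# Install all the files. All of them.
cp -rv -- * /etc || die "copying files into /etc failed"

# Just not this one.
rm -f /etc/setup.sh

# skel/README.md documents the modes these two need; cp does not guarantee
# them, so set them explicitly after the copy.
if [[ -d /etc/skel/.ssh ]]; then
  chmod 0700 /etc/skel/.ssh
  [[ -f /etc/skel/.ssh/authorized_keys ]] && chmod 0600 /etc/skel/.ssh/authorized_keys
fi

# Build the initial AIDE database. Abort if it fails rather than installing
# a missing or partial database as the baseline.
echo "Building initial AIDE database. Please be patient, this takes a while."
aide.wrapper --init || die "aide.wrapper --init failed"
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db || die "could not install the AIDE database"

# Fin.
exit 0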
--------------------------------------------------------------------------------
/12.04-lts/ssh/ssh_config:
--------------------------------------------------------------------------------
1 |
2 | # This is the ssh client system-wide configuration file. See
3 | # ssh_config(5) for more information. This file provides defaults for
4 | # users, and the values can be changed in per-user configuration files
5 | # or on the command line.
6 |
7 | # Configuration data is parsed as follows:
8 | # 1. command line options
9 | # 2. user-specific file
10 | # 3. system-wide file
11 | # Any configuration value is only changed the first time it is set.
12 | # Thus, host-specific definitions should be at the beginning of the
13 | # configuration file, and defaults at the end.
14 |
15 | # Site-wide defaults for some commonly used options. For a comprehensive
16 | # list of available options, their meanings and defaults, please see the
17 | # ssh_config(5) man page.
18 |
19 | Host *
20 | # ForwardAgent no
21 | # ForwardX11 no
22 | # ForwardX11Trusted yes
23 | # RhostsRSAAuthentication no
24 | # RSAAuthentication yes
25 | # PasswordAuthentication yes
26 | # HostbasedAuthentication no
27 | # GSSAPIAuthentication no
28 | # GSSAPIDelegateCredentials no
29 | # GSSAPIKeyExchange no
30 | # GSSAPITrustDNS no
31 | # BatchMode no
32 | # CheckHostIP yes
33 | # AddressFamily any
34 | # ConnectTimeout 0
35 | # StrictHostKeyChecking ask
36 | # IdentityFile ~/.ssh/identity
37 | # IdentityFile ~/.ssh/id_rsa
38 | # IdentityFile ~/.ssh/id_dsa
39 | # Port 22
40 | Protocol 2
41 | # Cipher 3des
42 | # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
43 | # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
44 | # EscapeChar ~
45 | # Tunnel no
46 | # TunnelDevice any:any
47 | # PermitLocalCommand no
48 | # VisualHostKey no
49 | # ProxyCommand ssh -q -W %h:%p gateway.example.com
50 | SendEnv LANG LC_*
51 | HashKnownHosts yes
52 | GSSAPIAuthentication yes
53 | GSSAPIDelegateCredentials no
54 |
--------------------------------------------------------------------------------
/12.04-lts/apache2/conf.d/security:
--------------------------------------------------------------------------------
1 | #
2 | # Disable access to the entire file system except for the directories that
3 | # are explicitly allowed later.
4 | #
5 | # This currently breaks the configurations that come with some web application
6 | # Debian packages.
7 | #
8 | #&lt;Directory /&gt;
9 | # AllowOverride None
10 | # Order Deny,Allow
11 | # Deny from all
12 | #&lt;/Directory&gt;
13 |
14 |
15 | # Changing the following options will not really affect the security of the
16 | # server, but might make attacks slightly more difficult in some cases.
17 |
18 | #
19 | # ServerTokens
20 | # This directive configures what you return as the Server HTTP response
21 | # Header. The default is 'Full' which sends information about the OS-Type
22 | # and compiled in modules.
23 | # Set to one of: Full | OS | Minimal | Minor | Major | Prod
24 | # where Full conveys the most information, and Prod the least.
25 | #
26 | #ServerTokens Minimal
27 | #ServerTokens OS
28 | ServerTokens Prod
29 |
30 | #
31 | # Optionally add a line containing the server version and virtual host
32 | # name to server-generated pages (internal error documents, FTP directory
33 | # listings, mod_status and mod_info output etc., but not CGI generated
34 | # documents or custom error documents).
35 | # Set to "EMail" to also include a mailto: link to the ServerAdmin.
36 | # Set to one of: On | Off | EMail
37 | #
38 | ServerSignature Off
39 | #ServerSignature On
40 |
41 | #
42 | # Allow TRACE method
43 | #
44 | # Set to "extended" to also reflect the request body (only for testing and
45 | # diagnostic purposes).
46 | #
47 | # Set to one of: On | Off | extended
48 | #
49 | TraceEnable Off
50 | #TraceEnable On
51 |
52 | # Restrict browser frame options.
53 | Header always append X-Frame-Options SAMEORIGIN
54 |
55 | # Limit the number of request fields.
56 | LimitRequestFields 100
57 |
58 | # Limit the size of the request body.
59 | LimitRequestBody 102400
60 |
61 |
--------------------------------------------------------------------------------
/16.04-lts/security/pwquality.conf:
--------------------------------------------------------------------------------
1 | # Configuration for systemwide password quality limits
2 |
3 | # Number of characters in the new password that must not be present in the
4 | # old password.
5 | difok = 15
6 |
7 | # Minimum acceptable size for the new password (plus one if
8 | # credits are not disabled which is the default). (See pam_cracklib manual.)
9 | # Cannot be set to a value lower than 6.
10 | minlen = 20
11 |
12 | # The maximum credit for having digits in the new password. If less than 0
13 | # it is the minimum number of digits in the new password.
14 | dcredit = -5
15 |
16 | # The maximum credit for having uppercase characters in the new password.
17 | # If less than 0 it is the minimum number of uppercase characters in the new
18 | # password.
19 | ucredit = -5
20 |
21 | # The maximum credit for having lowercase characters in the new password.
22 | # If less than 0 it is the minimum number of lowercase characters in the new
23 | # password.
24 | lcredit = -5
25 |
26 | # The maximum credit for having other characters in the new password.
27 | # If less than 0 it is the minimum number of other characters in the new
28 | # password.
29 | ocredit = 1
30 |
31 | # The minimum number of required classes of characters for the new
32 | # password (digits, uppercase, lowercase, others).
33 | minclass = 3
34 |
35 | # The maximum number of allowed consecutive same characters in the new password.
36 | # The check is disabled if the value is 0.
37 | maxrepeat = 2
38 |
39 | # The maximum number of allowed consecutive characters of the same class in the
40 | # new password.
41 | # The check is disabled if the value is 0.
42 | # maxclassrepeat = 0
43 |
44 | # Whether to check for the words from the passwd entry GECOS string of the user.
45 | # The check is enabled if the value is not 0.
46 | gecoscheck = 1
47 |
48 | # Path to the cracklib dictionaries. Default is to use the cracklib default.
49 | # dictpath =
50 |
51 |
--------------------------------------------------------------------------------
/14.04-lts/ssh/ssh_config:
--------------------------------------------------------------------------------
1 |
2 | # This is the ssh client system-wide configuration file. See
3 | # ssh_config(5) for more information. This file provides defaults for
4 | # users, and the values can be changed in per-user configuration files
5 | # or on the command line.
6 |
7 | # Configuration data is parsed as follows:
8 | # 1. command line options
9 | # 2. user-specific file
10 | # 3. system-wide file
11 | # Any configuration value is only changed the first time it is set.
12 | # Thus, host-specific definitions should be at the beginning of the
13 | # configuration file, and defaults at the end.
14 |
15 | # Site-wide defaults for some commonly used options. For a comprehensive
16 | # list of available options, their meanings and defaults, please see the
17 | # ssh_config(5) man page.
18 |
19 | Host *
20 | ForwardAgent no
21 | ForwardX11 no
22 | # ForwardX11Trusted yes
23 | # RhostsRSAAuthentication no
24 | # RSAAuthentication yes
25 | # PasswordAuthentication yes
26 | # HostbasedAuthentication no
27 | # GSSAPIAuthentication no
28 | # GSSAPIDelegateCredentials no
29 | # GSSAPIKeyExchange no
30 | # GSSAPITrustDNS no
31 | # BatchMode no
32 | # CheckHostIP yes
33 | # AddressFamily any
34 | # ConnectTimeout 0
35 | # StrictHostKeyChecking ask
36 | # IdentityFile ~/.ssh/identity
37 | # IdentityFile ~/.ssh/id_rsa
38 | # IdentityFile ~/.ssh/id_dsa
39 | # Port 22
40 | Protocol 2
41 | # Cipher 3des
42 | # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
43 | # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
44 | # EscapeChar ~
45 | # Tunnel no
46 | # TunnelDevice any:any
47 | # PermitLocalCommand no
48 | # VisualHostKey no
49 | # ProxyCommand ssh -q -W %h:%p gateway.example.com
50 | # RekeyLimit 1G 1h
51 | SendEnv LANG LC_*
52 | HashKnownHosts yes
53 | GSSAPIAuthentication yes
54 | GSSAPIDelegateCredentials no
55 |
--------------------------------------------------------------------------------
/16.04-lts/security/limits.conf:
--------------------------------------------------------------------------------
1 | # /etc/security/limits.conf
2 | #
3 | #Each line describes a limit for a user in the form:
4 | #
5 | #&lt;domain&gt;        &lt;type&gt;  &lt;item&gt;  &lt;value&gt;
6 | #
7 | #Where:
8 | #&lt;domain&gt; can be:
9 | # - a user name
10 | # - a group name, with @group syntax
11 | # - the wildcard *, for default entry
12 | # - the wildcard %, can be also used with %group syntax,
13 | # for maxlogin limit
14 | # - NOTE: group and wildcard limits are not applied to root.
15 | # To apply a limit to the root user, &lt;domain&gt; must be
16 | # the literal username root.
17 | #
18 | #&lt;type&gt; can have the two values:
19 | # - "soft" for enforcing the soft limits
20 | # - "hard" for enforcing hard limits
21 | #
22 | #&lt;item&gt; can be one of the following:
23 | # - core - limits the core file size (KB)
24 | # - data - max data size (KB)
25 | # - fsize - maximum filesize (KB)
26 | # - memlock - max locked-in-memory address space (KB)
27 | # - nofile - max number of open files
28 | # - rss - max resident set size (KB)
29 | # - stack - max stack size (KB)
30 | # - cpu - max CPU time (MIN)
31 | # - nproc - max number of processes
32 | # - as - address space limit (KB)
33 | # - maxlogins - max number of logins for this user
34 | # - maxsyslogins - max number of logins on the system
35 | # - priority - the priority to run user process with
36 | # - locks - max number of file locks the user can hold
37 | # - sigpending - max number of pending signals
38 | # - msgqueue - max memory used by POSIX message queues (bytes)
39 | # - nice - max nice priority allowed to raise to values: [-20, 19]
40 | # - rtprio - max realtime priority
41 | # - chroot - change root to directory (Debian-specific)
42 | #
43 | #&lt;domain&gt;      &lt;type&gt;  &lt;item&gt;         &lt;value&gt;
44 | #
45 |
46 | * soft core 0
47 | * hard core 0
48 |
49 | #root hard core 100000
50 | #* hard rss 10000
51 | #@student hard nproc 20
52 | #@faculty soft nproc 20
53 | #@faculty hard nproc 50
54 | #ftp hard nproc 0
55 | #ftp - chroot /ftp
56 | #@student - maxlogins 4
57 |
58 | # End of file
59 |
--------------------------------------------------------------------------------
/12.04-lts/security/limits.conf:
--------------------------------------------------------------------------------
1 | # /etc/security/limits.conf
2 | #
3 | #Each line describes a limit for a user in the form:
4 | #
5 | #&lt;domain&gt;        &lt;type&gt;  &lt;item&gt;  &lt;value&gt;
6 | #
7 | #Where:
8 | #&lt;domain&gt; can be:
9 | # - a user name
10 | # - a group name, with @group syntax
11 | # - the wildcard *, for default entry
12 | # - the wildcard %, can be also used with %group syntax,
13 | # for maxlogin limit
14 | # - NOTE: group and wildcard limits are not applied to root.
15 | # To apply a limit to the root user, &lt;domain&gt; must be
16 | # the literal username root.
17 | #
18 | #&lt;type&gt; can have the two values:
19 | # - "soft" for enforcing the soft limits
20 | # - "hard" for enforcing hard limits
21 | #
22 | #&lt;item&gt; can be one of the following:
23 | # - core - limits the core file size (KB)
24 | # - data - max data size (KB)
25 | # - fsize - maximum filesize (KB)
26 | # - memlock - max locked-in-memory address space (KB)
27 | # - nofile - max number of open files
28 | # - rss - max resident set size (KB)
29 | # - stack - max stack size (KB)
30 | # - cpu - max CPU time (MIN)
31 | # - nproc - max number of processes
32 | # - as - address space limit (KB)
33 | # - maxlogins - max number of logins for this user
34 | # - maxsyslogins - max number of logins on the system
35 | # - priority - the priority to run user process with
36 | # - locks - max number of file locks the user can hold
37 | # - sigpending - max number of pending signals
38 | # - msgqueue - max memory used by POSIX message queues (bytes)
39 | # - nice - max nice priority allowed to raise to values: [-20, 19]
40 | # - rtprio - max realtime priority
41 | # - chroot - change root to directory (Debian-specific)
42 | #
43 | #&lt;domain&gt;      &lt;type&gt;  &lt;item&gt;         &lt;value&gt;
44 | #
45 |
46 | * soft core 0
47 | * hard core 0
48 |
49 | #root hard core 100000
50 | #* hard rss 10000
51 | #@student hard nproc 20
52 | #@faculty soft nproc 20
53 | #@faculty hard nproc 50
54 | #ftp hard nproc 0
55 | #ftp - chroot /ftp
56 | #@student - maxlogins 4
57 |
58 | # End of file
59 |
--------------------------------------------------------------------------------
/14.04-lts/init.d/ssl:
--------------------------------------------------------------------------------
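#!/bin/bash
### BEGIN INIT INFO
# Provides: ssl
# Required-Start: apache2
# Required-Stop: apache2
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Generates SSL certs if they don't exist.
# Description: Generates the SSL certs used by other servers on the
# node. Takes advantage of persistent storage in ByzPi.
### END INIT INFO

# Tests for the presence of /etc/ssl/server.[crt,key] files, and generates
# them if they don't exist.
#
# Usage: $0 [start|stop|status]
#   start  - generate key, CSR and self-signed cert when no cert exists
#   stop   - no-op
#   status - list the key/CSR/cert files that exist on this node

# TODO:
# - Detect whether or not the cert has expired, and if so torch them and make
#   new ones.

# Set up some variables to make things easier to maintain.
OPENSSL=/usr/bin/openssl
SERVER_DIR=/etc/ssl
PRIVATE_KEY=$SERVER_DIR/private/server.key
CERT_SIGN_REQ=$SERVER_DIR/server.csr
CERT=$SERVER_DIR/certs/server.crt

# Print a message to stderr and abort with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Test to see if mod_ssl has been enabled. This runs for every action,
# including status, which matches the original behaviour.
if [[ ! -f /etc/apache2/mods-enabled/ssl.conf ]]; then
  echo "Enabling mod_ssl..."
  /usr/sbin/a2enmod ssl
fi

case "$1" in
  start)
    # Test for the presence of the server cert. If it exists we don't
    # have to do anything, so terminate the initscript and start over.
    if [[ -f "$CERT" ]]; then
      echo "SSL certificate exists."
      exit 0
    fi

    # Server certificate not found. We may as well blow everything away
    # and start over because any files left won't match up, anyway.
    rm -f -- "$PRIVATE_KEY" "$CERT_SIGN_REQ" "$CERT"

    # Generate the private key. The umask is tightened in a subshell so the
    # key file is never world-readable, not even between its creation and
    # the chmod below. Each openssl step aborts the script on failure so a
    # broken key is not fed into the CSR and signing steps.
    echo "Generating private key."
    ( umask 077 && "$OPENSSL" genrsa -out "$PRIVATE_KEY" 2048 ) \
      || die "private key generation failed"

    echo "Generating certificate signing request."
    "$OPENSSL" req -utf8 -new -key "$PRIVATE_KEY" -out "$CERT_SIGN_REQ" \
      -sha512 -batch || die "certificate signing request failed"

    echo "Signing certificate."
    "$OPENSSL" x509 -req -days 730 -in "$CERT_SIGN_REQ" -signkey "$PRIVATE_KEY" \
      -out "$CERT" -sha512 || die "certificate signing failed"

    echo "Making permissions on cert files usable."
    # The CSR and the certificate are public and may be world-readable. The
    # private key must not be: Debian/Ubuntu convention is root:ssl-cert with
    # mode 0640 on the key and 0710 on /etc/ssl/private, so a daemon that needs
    # the key is added to the ssl-cert group rather than the key being opened
    # up. Fall back to root-only when that group does not exist.
    chmod 0644 -- "$CERT_SIGN_REQ" "$CERT"
    if chgrp ssl-cert -- "$PRIVATE_KEY" "$SERVER_DIR/private" 2>/dev/null; then
      chmod 0640 -- "$PRIVATE_KEY"
      chmod 0710 -- "$SERVER_DIR/private"
    else
      chmod 0600 -- "$PRIVATE_KEY"
      chmod 0700 -- "$SERVER_DIR/private"
    fi
    ;;
  stop)
    # This is a no-op to prevent the shutdown process from carping.
    ;;
  status)
    echo "SSL related files that exist on this node:"
    ls -alF -- "$PRIVATE_KEY" "$CERT_SIGN_REQ" "$CERT"
    ;;
  *)
    # LSB init scripts return 2 for invalid or missing arguments.
    echo "Usage: $0 [start|stop|status]" >&2
    exit 2
    ;;
esac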
--------------------------------------------------------------------------------
/12.04-lts/apache2/mods-available/proxy_html.conf:
--------------------------------------------------------------------------------
1 | # Configuration example.
2 | #
3 | # First, to load the module with its prerequisites
4 | #
5 | # For Unix-family systems:
6 | # LoadFile /usr/lib/libxml2.so
7 | # LoadModule proxy_html_module modules/mod_proxy_html.so
8 | #
9 | # For Windows (I don't know if there's a standard path for the libraries)
10 | # LoadFile C:/path/zlib.dll
11 | # LoadFile C:/path/iconv.dll
12 | # LoadFile C:/path/libxml2.dll
13 | # LoadModule proxy_html_module modules/mod_proxy_html.so
14 | #
15 | # All knowledge of HTML links has been removed from the mod_proxy_html
16 | # code itself, and is instead read from httpd.conf (or included file)
17 | # at server startup. So you MUST declare it. This will normally be
18 | # at top level, but can also be used in a &lt;Location&gt;.
19 | #
20 | # Here's the declaration for W3C HTML 4.01 and XHTML 1.0
21 |
22 | ProxyHTMLLinks a href
23 | ProxyHTMLLinks area href
24 | ProxyHTMLLinks link href
25 | ProxyHTMLLinks img src longdesc usemap
26 | ProxyHTMLLinks object classid codebase data usemap
27 | ProxyHTMLLinks q cite
28 | ProxyHTMLLinks blockquote cite
29 | ProxyHTMLLinks ins cite
30 | ProxyHTMLLinks del cite
31 | ProxyHTMLLinks form action
32 | ProxyHTMLLinks input src usemap
33 | ProxyHTMLLinks head profile
34 | ProxyHTMLLinks base href
35 | ProxyHTMLLinks script src for
36 |
37 | # To support scripting events (with ProxyHTMLExtended On),
38 | # you'll need to declare them too.
39 |
40 | ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
41 | onmouseover onmousemove onmouseout onkeypress \
42 | onkeydown onkeyup onfocus onblur onload \
43 | onunload onsubmit onreset onselect onchange
44 |
45 | # If you need to support legacy (pre-1998, aka "transitional") HTML or XHTML,
46 | # you'll need to uncomment the following deprecated link attributes.
47 | # Note that these are enabled in earlier mod_proxy_html versions
48 | #
49 | # ProxyHTMLLinks frame src longdesc
50 | # ProxyHTMLLinks iframe src longdesc
51 | # ProxyHTMLLinks body background
52 | # ProxyHTMLLinks applet codebase
53 | #
54 | # If you're dealing with proprietary HTML variants,
55 | # declare your own URL attributes here as required.
56 | #
57 | # ProxyHTMLLinks myelement myattr otherattr
58 | #
59 | # Also at top level in httpd.conf, you can declare charset aliases.
60 | # This is the most efficient way to support encodings that libxml2
61 | # doesn't natively support. See the documentation at
62 | # http://apache.webthing.com/mod_proxy_html/
63 |
--------------------------------------------------------------------------------
/16.04-lts/bash.bashrc:
--------------------------------------------------------------------------------
1 | # System-wide .bashrc file for interactive bash(1) shells.
2 |
3 | # To enable the settings / commands in this file for login shells as well,
4 | # this file has to be sourced in /etc/profile.
5 |
6 | # If not running interactively, don't do anything
7 | [ -z "$PS1" ] && return
8 |
9 | # check the window size after each command and, if necessary,
10 | # update the values of LINES and COLUMNS.
11 | shopt -s checkwinsize
12 |
13 | # set variable identifying the chroot you work in (used in the prompt below)
14 | if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
15 | debian_chroot=$(cat /etc/debian_chroot)
16 | fi
17 |
18 | # set a fancy prompt (non-color, overwrite the one in /etc/profile)
19 | PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
20 |
21 | # Commented out, don't overwrite xterm -T "title" -n "icontitle" by default.
22 | # If this is an xterm set the title to user@host:dir
23 | #case "$TERM" in
24 | #xterm*|rxvt*)
25 | # PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"'
26 | # ;;
27 | #*)
28 | # ;;
29 | #esac
30 |
31 | # enable bash completion in interactive shells
32 | #if ! shopt -oq posix; then
33 | # if [ -f /usr/share/bash-completion/bash_completion ]; then
34 | # . /usr/share/bash-completion/bash_completion
35 | # elif [ -f /etc/bash_completion ]; then
36 | # . /etc/bash_completion
37 | # fi
38 | #fi
39 |
40 | # sudo hint
41 | if [ ! -e "$HOME/.sudo_as_admin_successful" ] && [ ! -e "$HOME/.hushlogin" ] ; then
42 | case " $(groups) " in *\ admin\ *|*\ sudo\ *)
43 | if [ -x /usr/bin/sudo ]; then
44 | cat <<-EOF
45 | To run a command as administrator (user "root"), use "sudo ".
46 | See "man sudo_root" for details.
47 |
48 | EOF
49 | fi
50 | esac
51 | fi
52 |
53 | # if the command-not-found package is installed, use it
54 | if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found/command-not-found ]; then
55 | function command_not_found_handle {
56 | # Bash calls this handler when a command is not found. The package is re-checked here because command-not-found could have been removed since this shell started; if neither helper is executable, print the standard message and return 127.
57 | if [ -x /usr/lib/command-not-found ]; then
58 | /usr/lib/command-not-found -- "$1"
59 | return $?
60 | elif [ -x /usr/share/command-not-found/command-not-found ]; then
61 | /usr/share/command-not-found/command-not-found -- "$1"
62 | return $?
63 | else
64 | printf "%s: command not found\n" "$1" >&2
65 | return 127
66 | fi
67 | }
68 | fi
69 |
70 | # Set a restrictive default umask: newly created files and directories are accessible only by their owner.
71 | umask 077
72 |
73 |
--------------------------------------------------------------------------------
/12.04-lts/sysctl.conf:
--------------------------------------------------------------------------------
1 | #
2 | # /etc/sysctl.conf - Configuration file for setting system variables
3 | # See /etc/sysctl.d/ for additional system variables
4 | # See sysctl.conf (5) for information.
5 | #
6 |
7 | #kernel.domainname = example.com
8 |
9 | # Uncomment the following to stop low-level messages on console
10 | #kernel.printk = 3 4 1 3
11 |
12 | ##############################################################3
13 | # Functions previously found in netbase
14 | #
15 |
16 | # Spoof protection (reverse-path filter) is enabled by the next two lines.
17 | # Turn on Source Address Verification in all interfaces to
18 | # prevent some spoofing attacks
19 | net.ipv4.conf.default.rp_filter=1
20 | net.ipv4.conf.all.rp_filter=1
21 |
22 | # TCP/IP SYN cookies are enabled by the next line.
23 | # See http://lwn.net/Articles/277146/
24 | # Note: This may impact IPv6 TCP sessions too
25 | net.ipv4.tcp_syncookies=1
26 |
27 | # IPv4 packet forwarding is explicitly disabled (this host is not a router).
28 | net.ipv4.ip_forward=0
29 |
30 | # Uncomment the next line to enable packet forwarding for IPv6
31 | # Enabling this option disables Stateless Address Autoconfiguration
32 | # based on Router Advertisements for this host
33 | #net.ipv6.conf.all.forwarding=1
34 |
35 |
36 | ###################################################################
37 | # Additional settings - these settings can improve the network
38 | # security of the host and prevent against some network attacks
39 | # including spoofing attacks and man in the middle attacks through
40 | # redirection. Some network environments, however, require that these
41 | # settings are disabled so review and enable them as needed.
42 | #
43 | # Do not accept ICMP redirects (prevent MITM attacks)
44 | net.ipv4.conf.all.accept_redirects = 0
45 | net.ipv4.conf.default.accept_redirects = 0
46 | net.ipv6.conf.all.accept_redirects = 0
47 |
48 | # The kernel default (secure_redirects=1) still accepts ICMP redirects from gateways in
49 | # the default gateway list; 0 rejects those as well, so accept_redirects=0 above is not bypassed.
50 | net.ipv4.conf.all.secure_redirects = 0
51 |
52 | # Do not send ICMP redirects (we are not a router)
53 | net.ipv4.conf.all.send_redirects = 0
54 | net.ipv4.conf.default.send_redirects = 0
55 |
56 | # Do not accept IP source route packets (we are not a router)
57 | net.ipv4.conf.all.accept_source_route = 0
58 | net.ipv4.conf.default.accept_source_route = 0
59 | net.ipv6.conf.all.accept_source_route = 0
60 |
61 | # Log Martian Packets
62 | net.ipv4.conf.all.log_martians = 1
63 |
64 | net.ipv4.tcp_max_syn_backlog = 4096
65 | net.ipv4.icmp_echo_ignore_broadcasts = 1
66 |
67 |
--------------------------------------------------------------------------------
/16.04-lts/apt/apt.conf.d/50unattended-upgrades:
--------------------------------------------------------------------------------
1 | // Automatically upgrade packages from these (origin:archive) pairs
2 | Unattended-Upgrade::Allowed-Origins {
3 | "${distro_id}:${distro_codename}-security";
4 | "${distro_id}:${distro_codename}-updates";
5 | // "${distro_id}:${distro_codename}-proposed";
6 | // "${distro_id}:${distro_codename}-backports";
7 | };
8 |
9 | // List of packages to not update (regexp are supported)
10 | Unattended-Upgrade::Package-Blacklist {
11 | // "vim";
12 | // "libc6";
13 | // "libc6-dev";
14 | // "libc6-i686";
15 | };
16 |
17 | // This option allows you to control if on a unclean dpkg exit
18 | // unattended-upgrades will automatically run
19 | // dpkg --force-confold --configure -a
20 | // The default is true, to ensure updates keep getting installed
21 | //Unattended-Upgrade::AutoFixInterruptedDpkg "false";
22 |
23 | // Split the upgrade into the smallest possible chunks so that
24 | // they can be interrupted with SIGUSR1. This makes the upgrade
25 | // a bit slower but it has the benefit that shutdown while an upgrade
26 | // is running is possible (with a small delay)
27 | //Unattended-Upgrade::MinimalSteps "true";
28 |
29 | // Install all unattended-upgrades when the machine is shutting down
30 | // instead of doing it in the background while the machine is running
31 | // This will (obviously) make shutdown slower
32 | //Unattended-Upgrade::InstallOnShutdown "true";
33 |
34 | // Send email to this address for problems or packages upgrades
35 | // If empty or unset then no email is sent, make sure that you
36 | // have a working mail setup on your system. A package that provides
37 | // 'mailx' must be installed. E.g. "user@example.com"
38 | Unattended-Upgrade::Mail "root";
39 |
40 | // Set this value to "true" to get emails only on errors. Default
41 | // is to always send a mail if Unattended-Upgrade::Mail is set
42 | //Unattended-Upgrade::MailOnlyOnError "true";
43 |
44 | // Do automatic removal of new unused dependencies after the upgrade
45 | // (equivalent to apt-get autoremove)
46 | Unattended-Upgrade::Remove-Unused-Dependencies "true";
47 |
48 | // Automatically reboot *WITHOUT CONFIRMATION*
49 | // if the file /var/run/reboot-required is found after the upgrade
50 | //Unattended-Upgrade::Automatic-Reboot "false";
51 |
52 | // If automatic reboot is enabled and needed, reboot at the specific
53 | // time instead of immediately
54 | // Default: "now"
55 | //Unattended-Upgrade::Automatic-Reboot-Time "02:00";
56 |
57 | // Use apt bandwidth limit feature, this example limits the download
58 | // speed to 70kb/sec
59 | //Acquire::http::Dl-Limit "70";
60 |
--------------------------------------------------------------------------------
/16.04-lts/sysctl.conf:
--------------------------------------------------------------------------------
1 | #
2 | # /etc/sysctl.conf - Configuration file for setting system variables
3 | # See /etc/sysctl.d/ for additional system variables.
4 | # See sysctl.conf (5) for information.
5 | #
6 |
7 | #kernel.domainname = example.com
8 |
9 | # Uncomment the following to stop low-level messages on console
10 | #kernel.printk = 3 4 1 3
11 |
12 | ##############################################################3
13 | # Functions previously found in netbase
14 | #
15 |
16 | # Spoof protection (reverse-path filter) is enabled by the next two lines.
17 | # Turn on Source Address Verification in all interfaces to
18 | # prevent some spoofing attacks
19 | net.ipv4.conf.default.rp_filter=1
20 | net.ipv4.conf.all.rp_filter=1
21 |
22 | # TCP/IP SYN cookies are enabled by the next line.
23 | # See http://lwn.net/Articles/277146/
24 | # Note: This may impact IPv6 TCP sessions too
25 | net.ipv4.tcp_syncookies=1
26 |
27 | # IPv4 packet forwarding is explicitly off (this host is not a router).
28 | # Disabled.
29 | net.ipv4.ip_forward=0
30 |
31 | # Uncomment the next line to enable packet forwarding for IPv6
32 | # Enabling this option disables Stateless Address Autoconfiguration
33 | # based on Router Advertisements for this host
34 | #net.ipv6.conf.all.forwarding=1
35 |
36 | ###################################################################
37 | # Additional settings - these settings can improve the network
38 | # security of the host and prevent against some network attacks
39 | # including spoofing attacks and man in the middle attacks through
40 | # redirection. Some network environments, however, require that these
41 | # settings are disabled so review and enable them as needed.
42 | #
43 | # Do not accept ICMP redirects (prevent MITM attacks)
44 | net.ipv4.conf.all.accept_redirects = 0
45 | net.ipv4.conf.default.accept_redirects = 0
46 | net.ipv4.conf.all.secure_redirects = 0
47 | net.ipv4.conf.default.secure_redirects = 0
48 | net.ipv6.conf.all.accept_redirects = 0
49 |
50 | # Do not send ICMP redirects (we are not a router)
51 | net.ipv4.conf.all.send_redirects = 0
52 | net.ipv4.conf.default.send_redirects = 0
53 |
54 | # Do not accept IP source route packets (we are not a router)
55 | net.ipv4.conf.all.accept_source_route = 0
56 | net.ipv4.conf.default.accept_source_route = 0
57 | net.ipv6.conf.all.accept_source_route = 0
58 |
59 | # Log Martian Packets
60 | net.ipv4.conf.all.log_martians = 1
61 |
62 | # Increase the maximum backlog of SYN packets in the queues.
63 | net.ipv4.tcp_max_syn_backlog = 4096
64 |
65 | # Ignore ICMP broadcasts.
66 | net.ipv4.icmp_echo_ignore_broadcasts = 1
67 |
68 |
--------------------------------------------------------------------------------
/14.04-lts/apache2/conf-available/security.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Disable access to the entire file system except for the directories that
3 | # are explicitly allowed later.
4 | #
5 | # This currently breaks the configurations that come with some web application
6 | # Debian packages.
7 | #
8 | #<Directory />
9 | # AllowOverride None
10 | # Order Deny,Allow
11 | # Deny from all
12 | #</Directory>
13 |
14 |
15 | # Changing the following options will not really affect the security of the
16 | # server, but might make attacks slightly more difficult in some cases.
17 |
18 | #
19 | # ServerTokens
20 | # This directive configures what you return as the Server HTTP response
21 | # Header. The default is 'Full' which sends information about the OS-Type
22 | # and compiled in modules.
23 | # Set to one of: Full | OS | Minimal | Minor | Major | Prod
24 | # where Full conveys the most information, and Prod the least.
25 | #ServerTokens Minimal
26 | ServerTokens Prod
27 | #ServerTokens Full
28 |
29 | #
30 | # Optionally add a line containing the server version and virtual host
31 | # name to server-generated pages (internal error documents, FTP directory
32 | # listings, mod_status and mod_info output etc., but not CGI generated
33 | # documents or custom error documents).
34 | # Set to "EMail" to also include a mailto: link to the ServerAdmin.
35 | # Set to one of: On | Off | EMail
36 | ServerSignature Off
37 | #ServerSignature On
38 |
39 | #
40 | # Allow TRACE method
41 | #
42 | # Set to "extended" to also reflect the request body (only for testing and
43 | # diagnostic purposes).
44 | #
45 | # Set to one of: On | Off | extended
46 | TraceEnable Off
47 | #TraceEnable On
48 |
49 | #
50 | # Forbid access to version control directories
51 | #
52 | # If you use version control systems in your document root, you should
53 | # probably deny access to their directories. For example, for subversion:
54 | #
55 | #<DirectoryMatch "/\.svn">
56 | # Require all denied
57 | #</DirectoryMatch>
58 |
59 | #
60 | # Setting this header will prevent MSIE from interpreting files as something
61 | # else than declared by the content type in the HTTP headers.
62 | # Requires mod_headers to be enabled.
63 | #
64 | #Header set X-Content-Type-Options: "nosniff"
65 |
66 | #
67 | # Setting this header will prevent other sites from embedding pages from this
68 | # site as frames. This defends against clickjacking attacks.
69 | # Requires mod_headers to be enabled.
70 | #
71 | #Header set X-Frame-Options: "sameorigin"
72 |
73 | # Disable extended tagging information.
74 | FileETag None
75 |
76 | # Harden cookies: HttpOnly keeps them out of reach of script (limits the impact of XSS) and Secure keeps them off plain HTTP. Note that the rewrite appends both flags even when they are already present.
77 | Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
78 |
79 | # Mitigate clickjacking.
80 | Header always append X-Frame-Options SAMEORIGIN
81 |
82 | # Enable the browser's legacy XSS filter (X-XSS-Protection) in blocking mode.
83 | Header set X-XSS-Protection "1; mode=block"
84 |
85 | # Disable HTTP/1.0.
86 | RewriteEngine On
87 | RewriteCond %{THE_REQUEST} !HTTP/1\.1$
88 | RewriteRule .* - [F]
89 |
90 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
91 |
--------------------------------------------------------------------------------
/16.04-lts/apache2/conf-available/security.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Disable access to the entire file system except for the directories that
3 | # are explicitly allowed later.
4 | #
5 | # This currently breaks the configurations that come with some web application
6 | # Debian packages.
7 | #
8 | #<Directory />
9 | # AllowOverride None
10 | # Order Deny,Allow
11 | # Deny from all
12 | #</Directory>
13 |
14 |
15 | # Changing the following options will not really affect the security of the
16 | # server, but might make attacks slightly more difficult in some cases.
17 |
18 | #
19 | # ServerTokens
20 | # This directive configures what you return as the Server HTTP response
21 | # Header. The default is 'Full' which sends information about the OS-Type
22 | # and compiled in modules.
23 | # Set to one of: Full | OS | Minimal | Minor | Major | Prod
24 | # where Full conveys the most information, and Prod the least.
25 | #ServerTokens Minimal
26 | ServerTokens Prod
27 | #ServerTokens Full
28 |
29 | #
30 | # Optionally add a line containing the server version and virtual host
31 | # name to server-generated pages (internal error documents, FTP directory
32 | # listings, mod_status and mod_info output etc., but not CGI generated
33 | # documents or custom error documents).
34 | # Set to "EMail" to also include a mailto: link to the ServerAdmin.
35 | # Set to one of: On | Off | EMail
36 | ServerSignature Off
37 | #ServerSignature On
38 |
39 | #
40 | # Allow TRACE method
41 | #
42 | # Set to "extended" to also reflect the request body (only for testing and
43 | # diagnostic purposes).
44 | #
45 | # Set to one of: On | Off | extended
46 | TraceEnable Off
47 | #TraceEnable On
48 |
49 | #
50 | # Forbid access to version control directories
51 | #
52 | # If you use version control systems in your document root, you should
53 | # probably deny access to their directories. For example, for subversion:
54 | #
55 | #<DirectoryMatch "/\.svn">
56 | # Require all denied
57 | #</DirectoryMatch>
58 |
59 | #
60 | # Setting this header will prevent MSIE from interpreting files as something
61 | # else than declared by the content type in the HTTP headers.
62 | # Requires mod_headers to be enabled.
63 | #
64 | #Header set X-Content-Type-Options: "nosniff"
65 |
66 | #
67 | # Setting this header will prevent other sites from embedding pages from this
68 | # site as frames. This defends against clickjacking attacks.
69 | # Requires mod_headers to be enabled.
70 | #
71 | #Header set X-Frame-Options: "sameorigin"
72 |
73 | # Disable extended tagging information.
74 | FileETag None
75 |
76 | # Harden cookies: HttpOnly keeps them out of reach of script (limits the impact of XSS) and Secure keeps them off plain HTTP. Note that the rewrite appends both flags even when they are already present.
77 | Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
78 |
79 | # Mitigate clickjacking.
80 | Header always append X-Frame-Options SAMEORIGIN
81 |
82 | # Enable the browser's legacy XSS filter (X-XSS-Protection) in blocking mode.
83 | Header set X-XSS-Protection "1; mode=block"
84 |
85 | # Disable HTTP/1.0.
86 | RewriteEngine On
87 | RewriteCond %{THE_REQUEST} !HTTP/1\.1$
88 | RewriteRule .* - [F]
89 |
90 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
91 |
--------------------------------------------------------------------------------
/12.04-lts/ssh/sshd_config:
--------------------------------------------------------------------------------
1 | # Package generated configuration file
2 | # See the sshd_config(5) manpage for details
3 |
4 | # What ports, IPs and protocols we listen for
5 | Port 22
6 |
7 | # Use these options to restrict which interfaces/protocols sshd will bind to
8 | #ListenAddress ::
9 | #ListenAddress 0.0.0.0
10 | Protocol 2
11 |
12 | # HostKeys for protocol version 2
13 | HostKey /etc/ssh/ssh_host_rsa_key
14 | HostKey /etc/ssh/ssh_host_dsa_key
15 | HostKey /etc/ssh/ssh_host_ecdsa_key
16 |
17 | #Privilege Separation is turned on for security
18 | UsePrivilegeSeparation yes
19 |
20 | # Lifetime and size of the ephemeral protocol-1 server key (unused here: only Protocol 2 is enabled above)
21 | KeyRegenerationInterval 3600
22 | ServerKeyBits 768
23 |
24 | # Logging
25 | SyslogFacility AUTH
26 | LogLevel INFO
27 |
28 | # Authentication:
29 | LoginGraceTime 120
30 | PermitRootLogin no
31 | StrictModes yes
32 |
33 | RSAAuthentication yes
34 | PubkeyAuthentication yes
35 | #AuthorizedKeysFile %h/.ssh/authorized_keys
36 |
37 | # Don't read the user's ~/.rhosts and ~/.shosts files
38 | IgnoreRhosts yes
39 |
40 | # For this to work you will also need host keys in /etc/ssh_known_hosts
41 | RhostsRSAAuthentication no
42 |
43 | # similar for protocol version 2
44 | HostbasedAuthentication no
45 |
46 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
47 | #IgnoreUserKnownHosts yes
48 |
49 | # To enable empty passwords, change to yes (NOT RECOMMENDED)
50 | PermitEmptyPasswords no
51 |
52 | # Change to yes to enable challenge-response passwords (beware issues with
53 | # some PAM modules and threads)
54 | ChallengeResponseAuthentication no
55 |
56 | # Change to no to disable tunnelled clear text passwords
57 | PasswordAuthentication no
58 |
59 | # Kerberos options
60 | #KerberosAuthentication no
61 | #KerberosGetAFSToken no
62 | #KerberosOrLocalPasswd yes
63 | #KerberosTicketCleanup yes
64 |
65 | # GSSAPI options
66 | #GSSAPIAuthentication no
67 | #GSSAPICleanupCredentials yes
68 |
69 | X11Forwarding no
70 | X11DisplayOffset 10
71 | PrintMotd no
72 | PrintLastLog yes
73 | TCPKeepAlive yes
74 | #UseLogin no
75 |
76 | #MaxStartups 10:30:60
77 | #Banner /etc/issue.net
78 |
79 | # Allow client to pass locale environment variables
80 | AcceptEnv LANG LC_*
81 |
82 | Subsystem sftp /usr/lib/openssh/sftp-server
83 |
84 | # Set this to 'yes' to enable PAM authentication, account processing,
85 | # and session processing. If this is enabled, PAM authentication will
86 | # be allowed through the ChallengeResponseAuthentication and
87 | # PasswordAuthentication. Depending on your PAM configuration,
88 | # PAM authentication via ChallengeResponseAuthentication may bypass
89 | # the setting of "PermitRootLogin without-password".
90 | # If you just want the PAM account and session checks to run without
91 | # PAM authentication, then enable this but set PasswordAuthentication
92 | # and ChallengeResponseAuthentication to 'no'.
93 | UsePAM yes
94 |
95 | # Restrict the symmetric cipher and MAC to a single choice each. Note that the key-exchange algorithms (KexAlgorithms) are not restricted in this file.
96 | Ciphers aes256-ctr
97 | MACs hmac-sha2-512
98 |
99 |
--------------------------------------------------------------------------------
/14.04-lts/sysctl.conf:
--------------------------------------------------------------------------------
1 | #
2 | # /etc/sysctl.conf - Configuration file for setting system variables
3 | # See /etc/sysctl.d/ for additional system variables.
4 | # See sysctl.conf (5) for information.
5 | #
6 |
7 | #kernel.domainname = example.com
8 |
9 | # Uncomment the following to stop low-level messages on console
10 | #kernel.printk = 3 4 1 3
11 |
12 | ##############################################################3
13 | # Functions previously found in netbase
14 | #
15 |
16 | # Spoof protection (reverse-path filter) is enabled by the next two lines.
17 | # Turn on Source Address Verification in all interfaces to
18 | # prevent some spoofing attacks
19 | net.ipv4.conf.default.rp_filter = 1
20 | net.ipv4.conf.all.rp_filter = 1
21 |
22 | # TCP/IP SYN cookies are enabled by the next line.
23 | # See http://lwn.net/Articles/277146/
24 | # Note: This may impact IPv6 TCP sessions too
25 | net.ipv4.tcp_syncookies = 1
26 |
27 | # IPv4 packet forwarding is explicitly disabled (this host is not a router).
28 | net.ipv4.ip_forward = 0
29 |
30 | # IPv6 packet forwarding is explicitly disabled (set to 1 only on a router).
31 | # Enabling this option disables Stateless Address Autoconfiguration
32 | # based on Router Advertisements for this host
33 | net.ipv6.conf.all.forwarding = 0
34 |
35 |
36 | ###################################################################
37 | # Additional settings - these settings can improve the network
38 | # security of the host and prevent against some network attacks
39 | # including spoofing attacks and man in the middle attacks through
40 | # redirection. Some network environments, however, require that these
41 | # settings are disabled so review and enable them as needed.
42 | #
43 | # Do not accept ICMP redirects (prevent MITM attacks)
44 | net.ipv4.conf.all.accept_redirects = 0
45 | net.ipv6.conf.all.accept_redirects = 0
46 |
47 | # The kernel default (secure_redirects=1) still accepts ICMP redirects from
48 | # gateways in the default gateway list; 0 rejects those as well, so the
49 | # accept_redirects=0 setting above is not bypassed.
50 | net.ipv4.conf.all.secure_redirects = 0
51 | net.ipv4.conf.default.secure_redirects = 0
52 |
53 | # Do not send ICMP redirects (we are not a router)
54 | net.ipv4.conf.all.send_redirects = 0
55 | net.ipv4.conf.default.send_redirects = 0
56 |
57 | # Do not accept IP source route packets (we are not a router)
58 | net.ipv4.conf.all.accept_source_route = 0
59 | net.ipv6.conf.all.accept_source_route = 0
60 |
61 | # Log Martian Packets
62 | net.ipv4.conf.all.log_martians = 1
63 |
64 | # Ignore ICMP echo broadcasts.
65 | net.ipv4.icmp_echo_ignore_broadcasts = 1
66 |
67 | # Increase the TCP backlog buffer.
68 | net.ipv4.tcp_max_syn_backlog = 4096
69 |
70 | # Decrease the lone FIN timeout.
71 | net.ipv4.tcp_fin_timeout = 10
72 |
73 | # Disable IPv6 because, by default, Apache listens on it only when it starts
74 | # up. While I'm not opposed to it, we don't know how many clients don't have
75 | # it enabled, which means fielding support requests about it. May as well
76 | # just disable it and cut the ticket queue by 90%.
77 | net.ipv6.conf.all.disable_ipv6 = 1
78 | net.ipv6.conf.default.disable_ipv6 = 1
79 | net.ipv6.conf.lo.disable_ipv6 = 1
80 |
81 |
--------------------------------------------------------------------------------
/14.04-lts/nginx/sites-available/default:
--------------------------------------------------------------------------------
1 | # Hardening techniques mostly taken from I/Oerror's duraconf repository
2 | # (http://github.com/ioerror/duraconf).
3 |
4 | server {
5 | listen 80 default_server;
6 | listen [::]:80 default_server ipv6only=on;
7 |
8 | root /var/www/html;
9 | index index.html index.htm;
10 |
11 | # Make site accessible from http://localhost/
12 | server_name localhost;
13 |
14 | location / {
15 | # Uncomment to enable naxsi on this location
16 | # include /etc/nginx/naxsi.rules
17 |
18 | # First attempt to serve request as file, then
19 | # as directory, then fall back to displaying a 404.
20 | try_files $uri $uri/ =404;
21 |
22 | # Enable strict transport security for one year. Browsers ignore this header on plain-HTTP responses, so in this port-80 block it has no effect; it takes effect in the TLS server below.
23 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
24 |
25 | # Never allow content from this site in iframes.
26 | add_header X-Frame-Options DENY;
27 | }
28 |
29 | # Only for nginx-naxsi used with nginx-naxsi-ui: process denied requests
30 | #location /RequestDenied {
31 | # proxy_pass http://127.0.0.1:8080;
32 | #}
33 |
34 | # Set a custom 404 page if there is one.
35 | #error_page 404 /404.html;
36 |
37 | error_page 500 502 503 504 /50x.html;
38 | location = /50x.html {
39 | root /usr/share/nginx/html;
40 | }
41 |
42 | # Deny access to .htaccess files if Apache's document root overlaps
43 | # with nginx's.
44 | location ~ /\.ht {
45 | deny all;
46 | }
47 | }
48 |
49 | server {
50 | listen 443;
51 | server_name localhost;
52 |
53 | root /var/www/html;
54 | index index.html index.htm;
55 |
56 | ssl on;
57 | ssl_certificate /etc/ssl/certs/server.crt;
58 | ssl_certificate_key /etc/ssl/private/server.key;
59 | ssl_session_timeout 10m;
60 | ssl_session_cache shared:SSL:10m;
61 |
62 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
63 | ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
64 | ssl_prefer_server_ciphers on;
65 |
66 | location / {
67 | # Uncomment to enable naxsi on this location
68 | # include /etc/nginx/naxsi.rules
69 |
70 | # First attempt to serve request as file, then
71 | # as directory, then fall back to displaying a 404.
72 | try_files $uri $uri/ =404;
73 |
74 | # Enable strict transport security for a one year duration.
75 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
76 |
77 | # Never allow content from this site in iframes.
78 | add_header X-Frame-Options DENY;
79 | }
80 |
81 | # Only for nginx-naxsi used with nginx-naxsi-ui: process denied requests
82 | #location /RequestDenied {
83 | # proxy_pass http://127.0.0.1:8080;
84 | #}
85 |
86 | # Set a custom 404 page if there is one.
87 | #error_page 404 /404.html;
88 |
89 | error_page 500 502 503 504 /50x.html;
90 | location = /50x.html {
91 | root /usr/share/nginx/html;
92 | }
93 |
94 | # Deny access to .htaccess files if Apache's document root overlaps
95 | # with nginx's.
96 | location ~ /\.ht {
97 | deny all;
98 | }
99 | }
100 |
101 |
--------------------------------------------------------------------------------
/14.04-lts/ssh/sshd_config:
--------------------------------------------------------------------------------
1 | # Package generated configuration file
2 | # See the sshd_config(5) manpage for details
3 |
4 | # What ports, IPs and protocols we listen for
5 | Port 22
6 |
7 | # Use these options to restrict which interfaces/protocols sshd will bind to
8 | #ListenAddress ::
9 | #ListenAddress 0.0.0.0
10 |
11 | # Only support the SSHv2 protocol.
12 | Protocol 2
13 |
14 | # HostKeys for protocol version 2
15 | HostKey /etc/ssh/ssh_host_rsa_key
16 | HostKey /etc/ssh/ssh_host_dsa_key
17 | HostKey /etc/ssh/ssh_host_ecdsa_key
18 | HostKey /etc/ssh/ssh_host_ed25519_key
19 |
20 | #Privilege Separation is turned on for security
21 | UsePrivilegeSeparation yes
22 |
23 | # Lifetime and size of the ephemeral protocol-1 server key (unused here: only Protocol 2 is enabled above)
24 | KeyRegenerationInterval 3600
25 | ServerKeyBits 1024
26 |
27 | # Logging
28 | SyslogFacility AUTH
29 | LogLevel INFO
30 |
31 | # Authentication:
32 | LoginGraceTime 120
33 | PermitRootLogin no
34 | StrictModes yes
35 |
36 | RSAAuthentication yes
37 | PubkeyAuthentication yes
38 | AuthorizedKeysFile %h/.ssh/authorized_keys
39 |
40 | # Don't read the user's ~/.rhosts and ~/.shosts files
41 | IgnoreRhosts yes
42 |
43 | # For this to work you will also need host keys in /etc/ssh_known_hosts
44 | RhostsRSAAuthentication no
45 |
46 | # similar for protocol version 2
47 | HostbasedAuthentication no
48 |
49 | # Ignore ~/.ssh/known_hosts for host-based authentication (enabled here; only /etc/ssh/ssh_known_hosts would be consulted, and host-based authentication is off above anyway)
50 | IgnoreUserKnownHosts yes
51 |
52 | # To enable empty passwords, change to yes (NOT RECOMMENDED)
53 | PermitEmptyPasswords no
54 |
55 | # Change to yes to enable challenge-response passwords (beware issues with
56 | # some PAM modules and threads)
57 | ChallengeResponseAuthentication no
58 |
59 | # Change to no to disable tunnelled clear text passwords
60 | PasswordAuthentication no
61 |
62 | # Kerberos options
63 | #KerberosAuthentication no
64 | #KerberosGetAFSToken no
65 | #KerberosOrLocalPasswd yes
66 | #KerberosTicketCleanup yes
67 |
68 | # GSSAPI options
69 | #GSSAPIAuthentication no
70 | #GSSAPICleanupCredentials yes
71 |
72 | X11Forwarding no
73 | X11DisplayOffset 10
74 | PrintMotd yes
75 | PrintLastLog yes
76 | TCPKeepAlive yes
77 | #UseLogin no
78 |
79 | #MaxStartups 10:30:60
80 | #Banner /etc/issue.net
81 |
82 | # Allow client to pass locale environment variables
83 | AcceptEnv LANG LC_*
84 |
85 | Subsystem sftp /usr/lib/openssh/sftp-server
86 |
87 | # Set this to 'yes' to enable PAM authentication, account processing,
88 | # and session processing. If this is enabled, PAM authentication will
89 | # be allowed through the ChallengeResponseAuthentication and
90 | # PasswordAuthentication. Depending on your PAM configuration,
91 | # PAM authentication via ChallengeResponseAuthentication may bypass
92 | # the setting of "PermitRootLogin without-password".
93 | # If you just want the PAM account and session checks to run without
94 | # PAM authentication, then enable this but set PasswordAuthentication
95 | # and ChallengeResponseAuthentication to 'no'.
96 | UsePAM yes
97 |
98 | # Restrict the symmetric cipher and MAC to a single choice each. Forward secrecy is a property of the key exchange (KexAlgorithms, not restricted in this file), not of the cipher.
99 | Ciphers aes256-ctr
100 | MACs hmac-sha2-512
101 |
102 |
--------------------------------------------------------------------------------
/16.04-lts/ssh/sshd_config:
--------------------------------------------------------------------------------
1 | # Package generated configuration file
2 | # See the sshd_config(5) manpage for details
3 |
4 | # What ports, IPs and protocols we listen for
5 | Port 22
6 |
7 | # Use these options to restrict which interfaces/protocols sshd will bind to
8 | #ListenAddress ::
9 | #ListenAddress 0.0.0.0
10 |
11 | Protocol 2
12 |
13 | # HostKeys for protocol version 2
14 | HostKey /etc/ssh/ssh_host_rsa_key
15 | HostKey /etc/ssh/ssh_host_dsa_key
16 | HostKey /etc/ssh/ssh_host_ecdsa_key
17 | HostKey /etc/ssh/ssh_host_ed25519_key
18 |
19 | #Privilege Separation is turned on for security
20 | UsePrivilegeSeparation yes
21 |
22 | # Lifetime and size of ephemeral version 1 server key
23 | KeyRegenerationInterval 3600
24 | ServerKeyBits 1024
25 |
26 | # Logging
27 | SyslogFacility AUTH
28 | LogLevel INFO
29 |
30 | # Authentication:
31 | LoginGraceTime 120
32 | PermitRootLogin no
33 | StrictModes yes
34 |
35 | RSAAuthentication yes
36 | PubkeyAuthentication yes
37 | #AuthorizedKeysFile %h/.ssh/authorized_keys
38 |
39 | # Don't read the user's ~/.rhosts and ~/.shosts files
40 | IgnoreRhosts yes
41 |
42 | # For this to work you will also need host keys in /etc/ssh_known_hosts
43 | RhostsRSAAuthentication no
44 |
45 | # similar for protocol version 2
46 | HostbasedAuthentication no
47 |
48 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
49 | #IgnoreUserKnownHosts yes
50 |
51 | # To enable empty passwords, change to yes (NOT RECOMMENDED)
52 | PermitEmptyPasswords no
53 |
54 | # Change to yes to enable challenge-response passwords (beware issues with
55 | # some PAM modules and threads)
56 | ChallengeResponseAuthentication no
57 |
58 | # Change to no to disable tunnelled clear text passwords
59 | PasswordAuthentication no
60 |
61 | # Kerberos options
62 | #KerberosAuthentication no
63 | #KerberosGetAFSToken no
64 | #KerberosOrLocalPasswd yes
65 | #KerberosTicketCleanup yes
66 |
67 | # GSSAPI options
68 | #GSSAPIAuthentication no
69 | #GSSAPICleanupCredentials yes
70 |
71 | X11Forwarding yes
72 | X11DisplayOffset 10
73 | PrintMotd yes
74 | PrintLastLog yes
75 | TCPKeepAlive yes
76 | #UseLogin no
77 |
78 | #MaxStartups 10:30:60
79 | Banner /etc/issue.net
80 |
81 | # Allow client to pass locale environment variables
82 | AcceptEnv LANG LC_*
83 |
84 | Subsystem sftp /usr/lib/openssh/sftp-server
85 |
86 | # Set this to 'yes' to enable PAM authentication, account processing,
87 | # and session processing. If this is enabled, PAM authentication will
88 | # be allowed through the ChallengeResponseAuthentication and
89 | # PasswordAuthentication. Depending on your PAM configuration,
90 | # PAM authentication via ChallengeResponseAuthentication may bypass
91 | # the setting of "PermitRootLogin without-password".
92 | # If you just want the PAM account and session checks to run without
93 | # PAM authentication, then enable this but set PasswordAuthentication
94 | # and ChallengeResponseAuthentication to 'no'.
95 | UsePAM yes
96 |
97 | # Restrict symmetric ciphers to AES-256-CTR. (Forward secrecy itself comes from the key exchange, not from this cipher list.)
98 | Ciphers aes256-ctr
99 |
100 | # Enable the strongest HMAC OpenSSH supports.
101 | MACs hmac-sha2-512
102 |
103 |
--------------------------------------------------------------------------------
/16.04-lts/setup.sh:
--------------------------------------------------------------------------------
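#!/usr/bin/env bash
#
# by: drwho at virtadpt dot net
#
# Copies all this stuff into place on a brand-new system to harden it. Also
# installs some useful packages for monitoring.
#
# Usage: run as root; the files are copied from the directory this script
# lives in, so the caller's working directory does not matter. Re-running is
# safe: directory creation and symlinks tolerate existing targets and the
# Postfix settings are appended only once.

set -euo pipefail

# Directory holding the files to install: this script's own directory. The
# old `cp -rv * /etc` copied whatever happened to be in the caller's cwd.
SRC_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
readonly SRC_DIR
readonly POSTFIX_MAIN_CF=/etc/postfix/main.cf

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a warning to stderr and carry on.
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Install packages. A failure is reported but does not stop the run, which
# keeps the original continue-on-error behaviour for the optional packages.
# Arguments: package names
#######################################
install_pkgs() {
  apt-get install -y -- "$@" || warn "could not install: $*"
}

#######################################
# Append a line to a file unless that exact line is already present, so a
# re-run does not duplicate the Postfix TLS settings.
# Arguments: $1 - file, $2 - line to append
#######################################
append_once() {
  local file=$1
  local line=$2
  if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" >> "$file"
  fi
}

#######################################
# Enable an Apache module by symlinking its .load file, but only when Apache
# is actually installed; otherwise ln fails and (under set -e) aborts the run.
# Arguments: $1 - module name, e.g. "headers"
#######################################
enable_apache_mod() {
  local mod=$1
  local avail=/etc/apache2/mods-available/${mod}.load
  if [[ -f "$avail" && -d /etc/apache2/mods-enabled ]]; then
    # -f: an existing link from an earlier run is simply replaced.
    ln -sf -- "$avail" "/etc/apache2/mods-enabled/${mod}.load"
  else
    warn "apache2 not installed; skipping mod ${mod}"
  fi
}

main() {
  # You must be this high to ride this ride.
  if [[ "$(id -u)" -ne 0 ]]; then
    die "You must be root to run ${0##*/}. ABENDing."
  fi

  # Patch the system. Refresh the package index first; without it, upgrade
  # works from whatever (possibly stale) lists the image shipped with.
  apt-get update || die "apt-get update failed"
  apt-get upgrade -y || die "apt-get upgrade failed"

  # Postfix sends mail.
  # AIDE monitors the file system.
  # Logwatch parses the logfiles and mails you about anomalies.
  install_pkgs postfix aide logwatch

  # These are always good to have around.
  install_pkgs libpam-pwquality unattended-upgrades
  install_pkgs haveged openntpd lynx sslscan sysstat
  install_pkgs openssl-blacklist openssl-blacklist-extra
  install_pkgs openssh-blacklist openssh-blacklist-extra

  # Install all the files. All of them -- except this script.
  local entry
  for entry in "$SRC_DIR"/*; do
    if [[ "${entry##*/}" == "${BASH_SOURCE[0]##*/}" ]]; then
      continue
    fi
    cp -rv -- "$entry" /etc
  done
  # Clean up a copy left behind by an older version of this script.
  rm -f /etc/setup.sh

  # Create /var/log/sulog.
  touch /var/log/sulog
  chown root:root /var/log/sulog
  chmod 0640 /var/log/sulog

  # Create the sudo log directory tree (-p so a re-run does not abort here).
  mkdir -p /var/log/sudo-io

  # Set some file ownerships.
  chown root:root /etc/at.allow /etc/cron.allow /etc/sudoers
  chown -R root:root /var/spool/cron
  chown root:syslog /var/log/sudo-io

  # Set some file permissions.
  chmod 0400 /etc/at.allow /etc/cron.allow /etc/crontab
  chmod 0700 /etc/skel/.ssh
  chmod 0600 /etc/skel/.ssh/authorized_keys
  chmod 0440 /etc/sudoers
  chmod 0700 /var/log/sudo-io

  # Enable some system services. `systemctl list-unit-files` is your friend.
  local unit
  for unit in acpid sysstat; do
    systemctl enable "$unit" || warn "could not enable $unit"
  done

  # Disable other system services. A unit that is not installed is reported,
  # not treated as fatal for the whole hardening run.
  for unit in iscsi iscsid mountnfs-bootclean mountnfs umountnfs; do
    systemctl disable "$unit" || warn "could not disable $unit"
  done

  # Hand^wScript hack the /etc/postfix/main.cf file because it was completely
  # rewritten when the Debian configurator asked you some questions.
  if [[ -f "$POSTFIX_MAIN_CF" ]]; then
    append_once "$POSTFIX_MAIN_CF" "smtpd_tls_ciphers = high"
    append_once "$POSTFIX_MAIN_CF" "smtpd_tls_exclude_ciphers = aNULL, MD5, DES, 3DES, DES-CBC3-SHA, RC4-SHA, AES256-SHA, AES128-SHA"
    append_once "$POSTFIX_MAIN_CF" "smtp_tls_protocols = !SSLv2, !SSLv3"
    append_once "$POSTFIX_MAIN_CF" "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3"
    append_once "$POSTFIX_MAIN_CF" "smtp_tls_note_starttls_offer = yes"
    append_once "$POSTFIX_MAIN_CF" "smtpd_tls_received_header = yes"
  else
    warn "$POSTFIX_MAIN_CF not found; skipping Postfix TLS settings"
  fi

  # Ensure that the Apache mod_headers and mod_rewrite modules are enabled so
  # that, if apache2 is installed and enabled, it won't scream and die.
  enable_apache_mod headers
  enable_apache_mod rewrite

  # Build the initial AIDE database. Without a baseline the daily AIDE run
  # has nothing to compare against, so a failure here is fatal.
  printf '%s\n' "Building initial AIDE database. Please be patient, this takes a while."
  aide.wrapper --init || die "aide.wrapper --init failed; no baseline database was created"
  cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

  # Fin.
  exit 0
}

main "$@"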
93 |
94 |
--------------------------------------------------------------------------------
/12.04-lts/apache2/mods-available/ssl.conf:
--------------------------------------------------------------------------------
1 |
2 | #
3 | # Pseudo Random Number Generator (PRNG):
4 | # Configure one or more sources to seed the PRNG of the SSL library.
5 | # The seed data should be of good random quality.
6 | # WARNING! On some platforms /dev/random blocks if not enough entropy
7 | # is available. This means you then cannot use the /dev/random device
8 | # because it would lead to very long connection times (as long as
9 | # it requires to make more entropy available). But usually those
10 | # platforms additionally provide a /dev/urandom device which doesn't
11 | # block. So, if available, use this one instead. Read the mod_ssl User
12 | # Manual for more details.
13 | #
14 | SSLRandomSeed startup builtin
15 | SSLRandomSeed startup file:/dev/urandom 512
16 | SSLRandomSeed connect builtin
17 | SSLRandomSeed connect file:/dev/urandom 512
18 |
19 | ##
20 | ## SSL Global Context
21 | ##
22 | ## All SSL configuration in this context applies both to
23 | ## the main server and all SSL-enabled virtual hosts.
24 | ##
25 |
26 | #
27 | # Some MIME-types for downloading Certificates and CRLs
28 | #
29 | AddType application/x-x509-ca-cert .crt
30 | AddType application/x-pkcs7-crl .crl
31 |
32 | # Pass Phrase Dialog:
33 | # Configure the pass phrase gathering process.
34 | # The filtering dialog program (`builtin' is an internal
35 | # terminal dialog) has to provide the pass phrase on stdout.
36 | SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
37 |
38 | # Inter-Process Session Cache:
39 | # Configure the SSL Session Cache: First the mechanism
40 | # to use and second the expiring timeout (in seconds).
41 | # (The mechanism dbm has known memory leaks and should not be used).
42 | #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
43 | SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
44 | SSLSessionCacheTimeout 300
45 |
46 | # Semaphore:
47 | # Configure the path to the mutual exclusion semaphore the
48 | # SSL engine uses internally for inter-process synchronization.
49 | SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
50 |
51 | # SSL Cipher Suite:
52 | # List the ciphers that the client is permitted to negotiate.
53 | # See the mod_ssl documentation for a complete list.
54 | # enable only secure ciphers:
55 | #SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
56 | SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH
57 | SSLHonorCipherOrder On
58 | SSLCompression Off
59 |
60 | # Use this instead if you want to allow cipher upgrades via SGC facility.
61 | # In this case you also have to use something like
62 | # SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
63 | # see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
64 | #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
65 |
66 | # Enable only secure protocols: SSLv3 and TLSv1, but not SSLv2. (SSLv3 has since been shown to be insecure; the newer configs in this repository allow TLS only.)
67 | #SSLProtocol all -SSLv2
68 | SSLProtocol -ALL +SSLv3 +TLSv1
69 |
70 | # Allow insecure renegotiation with clients which do not yet support the
71 | # secure renegotiation protocol. Default: Off
72 | SSLInsecureRenegotiation Off
73 |
74 | # Whether to forbid non-SNI clients to access name based virtual hosts.
75 | # Default: Off
76 | #SSLStrictSNIVHostCheck On
77 |
78 | # Add a six month HSTS header for all configured domains.
79 | Header add Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
80 |
81 |
82 |
--------------------------------------------------------------------------------
/14.04-lts/apache2/conf-available/ssl.conf:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Pseudo Random Number Generator (PRNG):
4 | # Configure one or more sources to seed the PRNG of the SSL library.
5 | # The seed data should be of good random quality.
6 | # WARNING! On some platforms /dev/random blocks if not enough entropy
7 | # is available. This means you then cannot use the /dev/random device
8 | # because it would lead to very long connection times (as long as
9 | # it requires to make more entropy available). But usually those
10 | # platforms additionally provide a /dev/urandom device which doesn't
11 | # block. So, if available, use this one instead. Read the mod_ssl User
12 | # Manual for more details.
13 | #
14 | SSLRandomSeed startup builtin
15 | SSLRandomSeed startup file:/dev/urandom 512
16 | SSLRandomSeed connect builtin
17 | SSLRandomSeed connect file:/dev/urandom 512
18 |
19 | ##
20 | ## SSL Global Context
21 | ##
22 | ## All SSL configuration in this context applies both to
23 | ## the main server and all SSL-enabled virtual hosts.
24 | ##
25 |
26 | #
27 | # Some MIME-types for downloading Certificates and CRLs
28 | #
29 | AddType application/x-x509-ca-cert .crt
30 | AddType application/x-pkcs7-crl .crl
31 |
32 | # Pass Phrase Dialog:
33 | # Configure the pass phrase gathering process.
34 | # The filtering dialog program (`builtin' is an internal
35 | # terminal dialog) has to provide the pass phrase on stdout.
36 | SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
37 |
38 | # Inter-Process Session Cache:
39 | # Configure the SSL Session Cache: First the mechanism
40 | # to use and second the expiring timeout (in seconds).
41 | # (The mechanism dbm has known memory leaks and should not be used).
42 | #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
43 | SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
44 | SSLSessionCacheTimeout 300
45 |
46 | # Semaphore:
47 | # Configure the path to the mutual exclusion semaphore the
48 | # SSL engine uses internally for inter-process synchronization.
49 | # (Disabled by default, the global Mutex directive consolidates by default
50 | # this)
51 | #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
52 |
53 |
54 | # SSL Cipher Suite:
55 | # List the ciphers that the client is permitted to negotiate. See the
56 | # ciphers(1) man page from the openssl package for list of all available
57 | # options.
58 | # Enable only secure ciphers:
59 | #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
60 |
61 | # Speed-optimized SSL Cipher configuration:
62 | # If speed is your main concern (on busy HTTPS servers e.g.),
63 | # you might want to force clients to specific, performance
64 | # optimized ciphers. In this case, prepend those ciphers
65 | # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
66 | # Caveat: by giving precedence to RC4-SHA and AES128-SHA
67 | # (as in the example below), most connections will no longer
68 | # have perfect forward secrecy - if the server's key is
69 | # compromised, captures of past or future traffic must be
70 | # considered compromised, too.
71 | SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH
72 | SSLHonorCipherOrder on
73 | SSLCompression off
74 | ServerSignature Off
75 |
76 | # The protocols to enable.
77 | # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
78 | # SSL v2 is no longer supported
79 | SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
80 |
81 | # Allow insecure renegotiation with clients which do not yet support the
82 | # secure renegotiation protocol. Default: Off
83 | #SSLInsecureRenegotiation on
84 |
85 | # Whether to forbid non-SNI clients to access name based virtual hosts.
86 | # Default: Off
87 | #SSLStrictSNIVHostCheck On
88 |
89 |
90 |
91 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
92 |
--------------------------------------------------------------------------------
/16.04-lts/apache2/mods-available/ssl.conf:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Pseudo Random Number Generator (PRNG):
4 | # Configure one or more sources to seed the PRNG of the SSL library.
5 | # The seed data should be of good random quality.
6 | # WARNING! On some platforms /dev/random blocks if not enough entropy
7 | # is available. This means you then cannot use the /dev/random device
8 | # because it would lead to very long connection times (as long as
9 | # it requires to make more entropy available). But usually those
10 | # platforms additionally provide a /dev/urandom device which doesn't
11 | # block. So, if available, use this one instead. Read the mod_ssl User
12 | # Manual for more details.
13 | #
14 | SSLRandomSeed startup builtin
15 | SSLRandomSeed startup file:/dev/urandom 512
16 | SSLRandomSeed connect builtin
17 | SSLRandomSeed connect file:/dev/urandom 512
18 |
19 | ##
20 | ## SSL Global Context
21 | ##
22 | ## All SSL configuration in this context applies both to
23 | ## the main server and all SSL-enabled virtual hosts.
24 | ##
25 |
26 | #
27 | # Some MIME-types for downloading Certificates and CRLs
28 | #
29 | AddType application/x-x509-ca-cert .crt
30 | AddType application/x-pkcs7-crl .crl
31 |
32 | # Pass Phrase Dialog:
33 | # Configure the pass phrase gathering process.
34 | # The filtering dialog program (`builtin' is an internal
35 | # terminal dialog) has to provide the pass phrase on stdout.
36 | SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
37 |
38 | # Inter-Process Session Cache:
39 | # Configure the SSL Session Cache: First the mechanism
40 | # to use and second the expiring timeout (in seconds).
41 | # (The mechanism dbm has known memory leaks and should not be used).
42 | #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
43 | SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
44 | SSLSessionCacheTimeout 300
45 |
46 | # Semaphore:
47 | # Configure the path to the mutual exclusion semaphore the
48 | # SSL engine uses internally for inter-process synchronization.
49 | # (Disabled by default, the global Mutex directive consolidates by default
50 | # this)
51 | #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
52 |
53 |
54 | # SSL Cipher Suite:
55 | # List the ciphers that the client is permitted to negotiate. See the
56 | # ciphers(1) man page from the openssl package for list of all available
57 | # options.
58 | # Enable only secure ciphers:
59 | #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
60 |
61 | # Speed-optimized SSL Cipher configuration:
62 | # If speed is your main concern (on busy HTTPS servers e.g.),
63 | # you might want to force clients to specific, performance
64 | # optimized ciphers. In this case, prepend those ciphers
65 | # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
66 | # Caveat: by giving precedence to RC4-SHA and AES128-SHA
67 | # (as in the example below), most connections will no longer
68 | # have perfect forward secrecy - if the server's key is
69 | # compromised, captures of past or future traffic must be
70 | # considered compromised, too.
71 | SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH
72 | SSLHonorCipherOrder on
73 | SSLCompression off
74 | ServerSignature Off
75 |
76 | # The protocols to enable.
77 | # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
78 | # SSL v2 is no longer supported
79 | SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
80 |
81 | # Allow insecure renegotiation with clients which do not yet support the
82 | # secure renegotiation protocol. Default: Off
83 | #SSLInsecureRenegotiation on
84 |
85 | # Whether to forbid non-SNI clients to access name based virtual hosts.
86 | # Default: Off
87 | #SSLStrictSNIVHostCheck On
88 |
89 |
90 |
91 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
92 |
--------------------------------------------------------------------------------
/16.04-lts/nginx/sites-available/default:
--------------------------------------------------------------------------------
1 | server {
2 | listen 80 default_server;
3 | listen [::]:80 default_server;
4 |
5 | #listen 443 ssl default_server;
6 | #listen [::]:443 ssl default_server;
7 |
8 | root /var/www/html;
9 |
10 | # Add index.php to the list if you are using PHP
11 | index index.html index.htm index.nginx-debian.html;
12 |
13 | # Make site accessible from http[s]://localhost/
14 | server_name localhost;
15 |
16 | # If you just want to short-circuit things and redirect everything to
17 | # the HTTPS site, uncomment this next bit.
18 | #return 301 https://$host$request_uri;
19 |
20 | location / {
21 | # Uncomment to enable naxsi support on this location.
22 | # include /etc/nginx/naxsi.rules
23 |
24 | # First attempt to serve request as file, then
25 | # as directory, then fall back to displaying a 404.
26 | try_files $uri $uri/ =404;
27 |
28 | # Enable strict transport security for one year.
29 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
30 |
31 | # Never allow content from this site to appear in iframes.
32 | add_header X-Frame-Options DENY;
33 | }
34 |
35 | # Pass PHP scripts to a FastCGI server listening on 127.0.0.1:9000
36 | #location ~ \.php$ {
37 | # include snippets/fastcgi-php.conf;
38 | #
39 | # # Pick one.
40 | # # With php7.0-cgi alone:
41 | # fastcgi_pass 127.0.0.1:9000;
42 | #
43 | # # With php7.0-fpm:
44 | # fastcgi_pass unix:/run/php/php7.0-fpm.sock;
45 | #}
46 |
47 | # Only for nginx-naxsi with nginx-naxsi-ui: Process denied requests.
48 | #location /RequestDenied {
49 | # proxy_pass http://127.0.0.1:8080;
50 | #}
51 |
52 | # Set a custom 404 page if there is one.
53 | #error_page 404 /404.html;
54 |
55 | # Set up 50x error pages.
56 | error_page 500 502 503 504 /50x.html;
57 | location = /50x.html {
58 | root /usr/share/nginx/html;
59 | }
60 |
61 | # deny access to .htaccess files, if Apache's document root
62 | # concurs with nginx's one
63 | location ~ /\.ht {
64 | deny all;
65 | }
66 | }
67 |
68 | server {
69 | listen 443 ssl default_server;
70 | listen [::]:443 ssl default_server;
71 |
72 | root /var/www/html;
73 |
74 | # Add index.php to the list if you are using PHP
75 | index index.html index.htm index.nginx-debian.html;
76 |
77 | # Make site accessible from http[s]://localhost/
78 | server_name localhost;
79 |
80 | ssl on;
81 | ssl_certificate /etc/ssl/certs/server.crt;
82 | ssl_certificate_key /etc/ssl/private/server.key;
83 | ssl_session_timeout 10m;
84 | ssl_session_cache shared:SSL:10m;
85 |
86 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
87 | ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
88 | ssl_prefer_server_ciphers on;
89 |
90 | location / {
91 | # Uncomment to enable naxsi support on this location.
92 | # include /etc/nginx/naxsi.rules
93 |
94 | # First attempt to serve request as file, then
95 | # as directory, then fall back to displaying a 404.
96 | try_files $uri $uri/ =404;
97 |
98 | # Enable strict transport security for one year.
99 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
100 |
101 | # Never allow content from this site to appear in iframes.
102 | add_header X-Frame-Options DENY;
103 | }
104 |
105 | # Pass PHP scripts to a FastCGI server listening on 127.0.0.1:9000
106 | #location ~ \.php$ {
107 | # include snippets/fastcgi-php.conf;
108 | #
109 | # # Pick one.
110 | # # With php7.0-cgi alone:
111 | # fastcgi_pass 127.0.0.1:9000;
112 | #
113 | # # With php7.0-fpm:
114 | # fastcgi_pass unix:/run/php/php7.0-fpm.sock;
115 | #}
116 |
117 | # Only for nginx-naxsi with nginx-naxsi-ui: Process denied requests.
118 | #location /RequestDenied {
119 | # proxy_pass http://127.0.0.1:8080;
120 | #}
121 |
122 | # Set a custom 404 page if there is one.
123 | #error_page 404 /404.html;
124 |
125 | # Set up 50x error pages.
126 | error_page 500 502 503 504 /50x.html;
127 | location = /50x.html {
128 | root /usr/share/nginx/html;
129 | }
130 |
131 | # deny access to .htaccess files, if Apache's document root
132 | # concurs with nginx's one
133 | location ~ /\.ht {
134 | deny all;
135 | }
136 | }
137 |
138 |
139 |
--------------------------------------------------------------------------------
/16.04-lts/default/aide:
--------------------------------------------------------------------------------
1 | # These settings are mainly for the wrapper scripts around aide,
2 | # such as aideinit and /etc/cron.daily/aide
3 |
4 | # Set this to no to disable daily aide runs
5 | #CRON_DAILY_RUN=yes
6 |
7 | # This is used as the host name in the AIDE reports that are sent out
8 | # via e-mail. It defaults to the output of $(hostname --fqdn), but can
9 | # be set to arbitrary values.
10 | # FQDN=
11 |
12 | # This is used as the subject for the e-mail reports.
13 | # If your mail system only threads by subject, you might want to add
14 | # some variable content here (for example $(date +%Y-%m-%d)).
15 | MAILSUBJ="Daily AIDE report for $FQDN"
16 |
17 | # This is the email address reports get mailed to
18 | # default is root
19 | # This variable is expanded before it is used, so you can use variables
20 | # here. For example, MAILTO=$FQDN-aide@domain.example will send the
21 | # report to host.name.example-aide@domain.example if the local FQDN is
22 | # host.name.example.
23 | MAILTO=root
24 |
25 | # Set this to yes to suppress mailings when no changes have been
26 | # detected during the AIDE run and no error output was given.
27 | #QUIETREPORTS=no
28 |
29 | # Set this to yes to suppress mailings under all circumstances
30 | # This option implies QUIETREPORTS=yes
31 | #SILENTREPORTS=no
32 |
33 | # This parameter defines which AIDE command to run from the cron script.
34 | # Sensible values are "update" and "check".
35 | # Default is "check", ensuring backwards compatibility.
36 | # Since "update" does not take any longer, it is recommended to use "update",
37 | # so that a new database is created every day. The new database needs to be
38 | # manually copied over the current one, though.
39 | COMMAND=update
40 |
41 | # This parameter defines what to do with a new database created by
42 | # COMMAND=update. It is ignored if COMMAND!=update.
43 | # no: Do not copy new database to old database. This is the default.
44 | # yes: Copy new database to old database. This means that changes to the
45 | # file system are only reported once. Possibly dangerous.
46 | # ifnochange: Copy new database to old database if no changes have
47 | # been reported. This is needed for ANF/ARF to work reliably.
48 | COPYNEWDB=no
49 |
50 | # Set this to yes to truncate the detailed changes part in the mail. The full
51 | # output will still be listed in the log file.
52 | TRUNCATEDETAILS=no
53 |
54 | # Set this to yes to suppress file changes by package and security
55 | # updates from appearing in the e-mail report. Filtered file changes will
56 | # still be listed in the log file. This option parses the /var/log/dpkg.log
57 | # file and implies TRUNCATEDETAILS=yes
58 | FILTERUPDATES=yes
59 |
60 | # Set this to yes to suppress file changes by package installations
61 | # from appearing in the e-mail report. Filtered file changes will still
62 | # be listed in the log file. This option parses the /var/log/dpkg.log file and
63 | # implies TRUNCATEDETAILS=yes.
64 | FILTERINSTALLATIONS=no
65 |
66 | # This parameter defines how many lines to return per e-mail. Output longer
67 | # than this value will be truncated in the e-mail sent out.
68 | # Set value to "0" to disable this option.
69 | LINES=1000
70 |
71 | # This parameter gives a grep regular expression. If given, all output lines
72 | # that _don't_ match the regexp are listed first in the script's output. This
73 | # makes it easy to remove noise from the AIDE report.
74 | NOISE=""
75 |
76 | # This parameter defines which options are given to aide in the daily
77 | # cron job. The default is "-V4".
78 | AIDEARGS=""
79 |
80 | # These parameters control update-aide.conf and give the defaults for
81 | # the --confdir, --confd and --settingsd options
82 | # UPAC_CONFDIR="/etc/aide"
83 | # UPAC_CONFD="$UPAC_CONFDIR/aide.conf.d"
84 | # UPAC_SETTINGSD="$UPAC_CONFDIR/aide.settings.d"
85 |
86 | # Set this to a command that will be executed before the cron job
87 | # exits. This can be used to postprocess the generated report.
88 | # If the command is not in /sbin:/usr/sbin:/bin:/usr/bin (see PATH
89 | # setting in the daily cron job), you need to give a fully qualified
90 | # path. The script is executed before the aide lock is released.
91 | # The hook is called with a single parameter meaning:
92 | # signal: The cron job was terminated by a signal
93 | # fatal: There was a fatal error
94 | # nolock: The lock could not be obtained
95 | # cantmovetmp: It was not possible to move away the temporary directory
96 | # cantcreatetmp: It was not possible to create the temporary directory
97 | # success: aide finished successfully and gave meaningful results
98 | # unknown: onexit was called with an illegal reason (should not happen)
99 | # If the cron job aborted before the cron job was fully set up,
100 | # "early-" is prepended to the reason.
101 | CRONEXITHOOK=""
102 |
--------------------------------------------------------------------------------
/14.04-lts/default/aide:
--------------------------------------------------------------------------------
1 | # These settings are mainly for the wrapper scripts around aide,
2 | # such as aideinit and /etc/cron.daily/aide
3 |
4 | # Set this to no to disable daily aide runs
5 | #CRON_DAILY_RUN=yes
6 |
7 | # This is used as the host name in the AIDE reports that are sent out
8 | # via e-mail. It defaults to the output of $(hostname --fqdn), but can
9 | # be set to arbitrary values.
10 | FQDN=wiki.ripple.com
11 |
12 | # This is used as the subject for the e-mail reports.
13 | # If your mail system only threads by subject, you might want to add
14 | # some variable content here (for example $(date +%Y-%m-%d)).
15 | MAILSUBJ="Daily AIDE report for $FQDN"
16 |
17 | # This is the email address reports get mailed to
18 | # default is root
19 | # This variable is expanded before it is used, so you can use variables
20 | # here. For example, MAILTO=$FQDN-aide@domain.example will send the
21 | # report to host.name.example-aide@domain.example if the local FQDN is
22 | # host.name.example.
23 | MAILTO=logs@ripple.com
24 |
25 | # Set this to yes to suppress mailings when no changes have been
26 | # detected during the AIDE run and no error output was given.
27 | #QUIETREPORTS=no
28 |
29 | # Set this to yes to suppress mailings under all circumstances
30 | # This option implies QUIETREPORTS=yes
31 | #SILENTREPORTS=no
32 |
33 | # This parameter defines which AIDE command to run from the cron script.
34 | # Sensible values are "update" and "check".
35 | # Default is "check", ensuring backwards compatibility.
36 | # Since "update" does not take any longer, it is recommended to use "update",
37 | # so that a new database is created every day. The new database needs to be
38 | # manually copied over the current one, though.
39 | COMMAND=update
40 |
41 | # This parameter defines what to do with a new database created by
42 | # COMMAND=update. It is ignored if COMMAND!=update.
43 | # no: Do not copy new database to old database. This is the default.
44 | # yes: Copy new database to old database. This means that changes to the
45 | # file system are only reported once. Possibly dangerous.
46 | # ifnochange: Copy new database to old database if no changes have
47 | # been reported. This is needed for ANF/ARF to work reliably.
48 | COPYNEWDB=no
49 |
50 | # Set this to yes to truncate the detailed changes part in the mail. The full
51 | # output will still be listed in the log file.
52 | TRUNCATEDETAILS=no
53 |
54 | # Set this to yes to suppress file changes by package and security
55 | # updates from appearing in the e-mail report. Filtered file changes will
56 | # still be listed in the log file. This option parses the /var/log/dpkg.log
57 | # file and implies TRUNCATEDETAILS=yes
58 | FILTERUPDATES=yes
59 |
60 | # Set this to yes to suppress file changes by package installations
61 | # from appearing in the e-mail report. Filtered file changes will still
62 | # be listed in the log file. This option parses the /var/log/dpkg.log file and
63 | # implies TRUNCATEDETAILS=yes.
64 | FILTERINSTALLATIONS=no
65 |
66 | # This parameter defines how many lines to return per e-mail. Output longer
67 | # than this value will be truncated in the e-mail sent out.
68 | # Set value to "0" to disable this option.
69 | LINES=1000
70 |
71 | # This parameter gives a grep regular expression. If given, all output lines
72 | # that _don't_ match the regexp are listed first in the script's output. This
73 | # makes it easy to remove noise from the AIDE report.
74 | NOISE=""
75 |
76 | # This parameter defines which options are given to aide in the daily
77 | # cron job. The default is "-V4".
78 | AIDEARGS=""
79 |
80 | # These parameters control update-aide.conf and give the defaults for
81 | # the --confdir, --confd and --settingsd options
82 | # UPAC_CONFDIR="/etc/aide"
83 | # UPAC_CONFD="$UPAC_CONFDIR/aide.conf.d"
84 | # UPAC_SETTINGSD="$UPAC_CONFDIR/aide.settings.d"
85 |
86 | # Set this to a command that will be executed before the cron job
87 | # exits. This can be used to postprocess the generated report.
88 | # If the command is not in /sbin:/usr/sbin:/bin:/usr/bin (see PATH
89 | # setting in the daily cron job), you need to give a fully qualified
90 | # path. The script is executed before the aide lock is released.
91 | # The hook is called with a single parameter meaning:
92 | # signal: The cron job was terminated by a signal
93 | # fatal: There was a fatal error
94 | # nolock: The lock could not be obtained
95 | # cantmovetmp: It was not possible to move away the temporary directory
96 | # cantcreatetmp: It was not possible to create the temporary directory
97 | # success: aide finished successfully and gave meaningful results
98 | # unknown: onexit was called with an illegal reason (should not happen)
99 | # If the cron job aborted before the cron job was fully set up,
100 | # "early-" is prepended to the reason.
101 | CRONEXITHOOK=""
102 |
--------------------------------------------------------------------------------
/12.04-lts/securetty:
--------------------------------------------------------------------------------
1 | # /etc/securetty: list of terminals on which root is allowed to log in directly.
2 | # Enforced via pam_securetty for login(1) only - it does not restrict ssh, which is governed by PermitRootLogin in sshd_config. See securetty(5) and login(1).
3 |
4 | console
5 |
6 | # Local X displays (allows empty passwords with pam_unix's nullok_secure)
7 | #:0
8 | #:0.0
9 | #:0.1
10 | #:1
11 | #:1.0
12 | #:1.1
13 | #:2
14 | #:2.0
15 | #:2.1
16 | #:3
17 | #:3.0
18 | #:3.1
19 | #...
20 |
21 |
22 | # ==========================================================
23 | #
24 | # TTYs sorted by major number according to Documentation/devices.txt
25 | #
26 | # ==========================================================
27 |
28 | # Virtual consoles
29 | tty1
30 | tty2
31 | tty3
32 | tty4
33 | tty5
34 | tty6
35 | tty7
36 | tty8
37 | tty9
38 | tty10
39 | #tty11
40 | #tty12
41 | #tty13
42 | #tty14
43 | #tty15
44 | #tty16
45 | #tty17
46 | #tty18
47 | #tty19
48 | #tty20
49 | #tty21
50 | #tty22
51 | #tty23
52 | #tty24
53 | #tty25
54 | #tty26
55 | #tty27
56 | #tty28
57 | #tty29
58 | #tty30
59 | #tty31
60 | #tty32
61 | #tty33
62 | #tty34
63 | #tty35
64 | #tty36
65 | #tty37
66 | #tty38
67 | #tty39
68 | #tty40
69 | #tty41
70 | #tty42
71 | #tty43
72 | #tty44
73 | #tty45
74 | #tty46
75 | #tty47
76 | #tty48
77 | #tty49
78 | #tty50
79 | #tty51
80 | #tty52
81 | #tty53
82 | #tty54
83 | #tty55
84 | #tty56
85 | #tty57
86 | #tty58
87 | #tty59
88 | #tty60
89 | #tty61
90 | #tty62
91 | #tty63
92 |
93 | # UART serial ports
94 | #ttyS0
95 | #ttyS1
96 | #ttyS2
97 | #ttyS3
98 | #ttyS4
99 | #ttyS5
100 | #...ttyS191
101 |
102 | # Serial Mux devices (Linux/PA-RISC only)
103 | #ttyB0
104 | #ttyB1
105 | #...
106 |
107 | # Chase serial card
108 | #ttyH0
109 | #ttyH1
110 | #...
111 |
112 | # Cyclades serial cards
113 | #ttyC0
114 | #ttyC1
115 | #...ttyC31
116 |
117 | # Digiboard serial cards
118 | #ttyD0
119 | #ttyD1
120 | #...
121 |
122 | # Stallion serial cards
123 | #ttyE0
124 | #ttyE1
125 | #...ttyE255
126 |
127 | # Specialix serial cards
128 | #ttyX0
129 | #ttyX1
130 | #...
131 |
132 | # Comtrol Rocketport serial cards
133 | #ttyR0
134 | #ttyR1
135 | #...
136 |
137 | # SDL RISCom serial cards
138 | #ttyL0
139 | #ttyL1
140 | #...
141 |
142 | # Hayes ESP serial card
143 | #ttyP0
144 | #ttyP1
145 | #...
146 |
147 | # Computone IntelliPort II serial card
148 | #ttyF0
149 | #ttyF1
150 | #...ttyF255
151 |
152 | # Specialix IO8+ serial card
153 | #ttyW0
154 | #ttyW1
155 | #...
156 |
157 | # Comtrol VS-1000 serial controller
158 | #ttyV0
159 | #ttyV1
160 | #...
161 |
162 | # ISI serial card
163 | #ttyM0
164 | #ttyM1
165 | #...
166 |
167 | # Technology Concepts serial card
168 | #ttyT0
169 | #ttyT1
170 | #...
171 |
172 | # Specialix RIO serial card
173 | #ttySR0
174 | #ttySR1
175 | #...ttySR511
176 |
177 | # Chase Research AT/PCI-Fast serial card
178 | #ttyCH0
179 | #ttyCH1
180 | #...ttyCH63
181 |
182 | # Moxa Intellio serial card
183 | #ttyMX0
184 | #ttyMX1
185 | #...ttyMX127
186 |
187 | # SmartIO serial card
188 | #ttySI0
189 | #ttySI1
190 | #...
191 |
192 | # USB dongles
193 | #ttyUSB0
194 | #ttyUSB1
195 | #ttyUSB2
196 | #...
197 |
198 | # LinkUp Systems L72xx UARTs
199 | #ttyLU0
200 | #ttyLU1
201 | #ttyLU2
202 | #ttyLU3
203 |
204 | # StrongARM builtin serial ports
205 | #ttySA0
206 | #ttySA1
207 | #ttySA2
208 |
209 | # SCI serial port (SuperH) ports and SC26xx serial ports
210 | #ttySC0
211 | #ttySC1
212 | #ttySC2
213 | #ttySC3
214 |
215 | # ARM "AMBA" serial ports
216 | #ttyAM0
217 | #ttyAM1
218 | #ttyAM2
219 | #ttyAM3
220 | #ttyAM4
221 | #ttyAM5
222 | #ttyAM6
223 | #ttyAM7
224 | #ttyAM8
225 | #ttyAM9
226 | #ttyAM10
227 | #ttyAM11
228 | #ttyAM12
229 | #ttyAM13
230 | #ttyAM14
231 | #ttyAM15
232 |
233 | # Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU)
234 | #ttyAMA0
235 | #ttyAMA1
236 | #ttyAMA2
237 | #ttyAMA3
238 |
239 | # DataBooster serial ports
240 | #ttyDB0
241 | #ttyDB1
242 | #ttyDB2
243 | #ttyDB3
244 | #ttyDB4
245 | #ttyDB5
246 | #ttyDB6
247 | #ttyDB7
248 |
249 | # SGI Altix console ports
250 | #ttySG0
251 |
252 | # Motorola i.MX ports
253 | #ttySMX0
254 | #ttySMX1
255 | #ttySMX2
256 |
257 | # Marvell MPSC ports
258 | #ttyMM0
259 | #ttyMM1
260 |
261 | # PPC CPM (SCC or SMC) ports
262 | #ttyCPM0
263 | #ttyCPM1
264 | #ttyCPM2
265 | #ttyCPM3
266 | #ttyCPM4
267 | #ttyCPM5
268 |
269 | # Altix serial cards
270 | #ttyIOC0
271 | #ttyIOC1
272 | #...ttyIOC31
273 |
274 | # NEC VR4100 series SIU
275 | #ttyVR0
276 |
277 | # NEC VR4100 series SSIU
278 | #ttyVR1
279 |
280 | # Altix ioc4 serial cards
281 | #ttyIOC84
282 | #ttyIOC85
283 | #...ttyIOC115
284 |
285 | # Altix ioc3 serial cards
286 | #ttySIOC0
287 | #ttySIOC1
288 | #...ttySIOC31
289 |
290 | # PPC PSC ports
291 | #ttyPSC0
292 | #ttyPSC1
293 | #ttyPSC2
294 | #ttyPSC3
295 | #ttyPSC4
296 | #ttyPSC5
297 |
298 | # ATMEL serial ports
299 | #ttyAT0
300 | #ttyAT1
301 | #...ttyAT15
302 |
303 | # Hilscher netX serial port
304 | #ttyNX0
305 | #ttyNX1
306 | #...ttyNX15
307 |
308 | # Xilinx uartlite - port
309 | #ttyUL0
310 | #ttyUL1
311 | #ttyUL2
312 | #ttyUL3
313 |
314 | # Xen virtual console - port 0
315 | xvc0
316 |
317 | # pmac_zilog - port
318 | #ttyPZ0
319 | #ttyPZ1
320 | #ttyPZ2
321 | #ttyPZ3
322 |
323 | # TX39/49 serial port
324 | #ttyTX0
325 | #ttyTX1
326 | #ttyTX2
327 | #ttyTX3
328 | #ttyTX4
329 | #ttyTX5
330 | #ttyTX6
331 | #ttyTX7
332 |
333 | # SC26xx serial ports (see SCI serial ports (SuperH))
334 |
335 | # MAX3100 serial ports
336 | #ttyMAX0
337 | #ttyMAX1
338 | #ttyMAX2
339 | #ttyMAX3
340 |
341 | # OMAP serial ports
342 | #ttyO0
343 | #ttyO1
344 | #ttyO2
345 | #ttyO3
346 |
347 | # User space serial ports
348 | #ttyU0
349 | #ttyU1
350 |
351 | # A2232 serial card
352 | #ttyY0
353 | #ttyY1
354 |
355 | # IBM 3270 terminal Unix tty access
356 | #3270/tty1
357 | #3270/tty2
358 | #...
359 |
360 | # IBM iSeries/pSeries virtual console
361 | #hvc0
362 | #hvc1
363 | #...
364 |
365 | # Equinox SST multi-port serial boards
366 | #ttyEQ0
367 | #ttyEQ1
368 | #...ttyEQ1027
369 |
370 | # ==========================================================
371 | #
372 | # Not in Documentation/devices.txt
373 | #
374 | # ==========================================================
375 |
376 | # Embedded Freescale i.MX ports
377 | #ttymxc0
378 | #ttymxc1
379 | #ttymxc2
380 | #ttymxc3
381 | #ttymxc4
382 | #ttymxc5
383 |
384 | # LXC (Linux Containers)
385 | lxc/console
386 | lxc/tty1
387 | lxc/tty2
388 | lxc/tty3
389 | lxc/tty4
390 |
391 |
--------------------------------------------------------------------------------
/14.04-lts/apache2/sites-available/default-ssl.conf:
--------------------------------------------------------------------------------
1 |
2 |
3 | ServerAdmin webmaster@localhost
4 |
5 | DocumentRoot /var/www/html
6 |
7 | # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
8 | # error, crit, alert, emerg.
9 | # It is also possible to configure the loglevel for particular
10 | # modules, e.g.
11 | #LogLevel info ssl:warn
12 |
13 | ErrorLog ${APACHE_LOG_DIR}/error.log
14 | CustomLog ${APACHE_LOG_DIR}/access.log combined
15 |
16 | # For most configuration files from conf-available/, which are
17 | # enabled or disabled at a global level, it is possible to
18 | # include a line for only one particular virtual host. For example the
19 | # following line enables the CGI configuration for this host only
20 | # after it has been globally disabled with "a2disconf".
21 | #Include conf-available/serve-cgi-bin.conf
22 |
23 | # SSL Engine Switch:
24 | # Enable/Disable SSL for this virtual host.
25 | SSLEngine on
26 |
27 | # A self-signed (snakeoil) certificate can be created by installing
28 | # the ssl-cert package. See
29 | # /usr/share/doc/apache2/README.Debian.gz for more info.
30 | # If both key and certificate are stored in the same file, only the
31 | # SSLCertificateFile directive is needed.
32 | SSLCertificateFile /etc/ssl/certs/server.crt
33 | SSLCertificateKeyFile /etc/ssl/private/server.key
34 |
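35 | # Harden the TLS configuration.
   | # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered; re-add
   | # "+TLSv1.1" / "+TLSv1" only if a known legacy client population requires them.
36 | SSLProtocol -ALL +TLSv1.2
   | # ECDHE suites are listed first so forward-secret key exchange is preferred.
   | # "!EDH" removes the DHE suites entirely, and the trailing HIGH still admits
   | # static-RSA key exchange as a non-forward-secret fallback for clients without
   | # ECDHE support; "!aNULL" and "!MD5" drop unauthenticated and MD5-MAC suites.
37 | SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH
38 | SSLHonorCipherOrder on
   | # TLS-level compression is disabled to prevent CRIME-style plaintext recovery.
39 | SSLCompression off
   | # Not set here: Strict-Transport-Security (requires mod_headers). Consider
   | # adding it once the certificate chain is known to validate for all clients.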
40 |
41 | # Server Certificate Chain:
42 | # Point SSLCertificateChainFile at a file containing the
43 | # concatenation of PEM encoded CA certificates which form the
44 | # certificate chain for the server certificate. Alternatively
45 | # the referenced file can be the same as SSLCertificateFile
46 | # when the CA certificates are directly appended to the server
47 | # certificate for convinience.
48 | #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
49 |
50 | # Certificate Authority (CA):
51 | # Set the CA certificate verification path where to find CA
52 | # certificates for client authentication or alternatively one
53 | # huge file containing all of them (file must be PEM encoded)
54 | # Note: Inside SSLCACertificatePath you need hash symlinks
55 | # to point to the certificate files. Use the provided
56 | # Makefile to update the hash symlinks after changes.
57 | #SSLCACertificatePath /etc/ssl/certs/
58 | #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
59 |
60 | # Certificate Revocation Lists (CRL):
61 | # Set the CA revocation path where to find CA CRLs for client
62 | # authentication or alternatively one huge file containing all
63 | # of them (file must be PEM encoded)
64 | # Note: Inside SSLCARevocationPath you need hash symlinks
65 | # to point to the certificate files. Use the provided
66 | # Makefile to update the hash symlinks after changes.
67 | #SSLCARevocationPath /etc/apache2/ssl.crl/
68 | #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
69 |
70 | # Client Authentication (Type):
71 | # Client certificate verification type and depth. Types are
72 | # none, optional, require and optional_no_ca. Depth is a
73 | # number which specifies how deeply to verify the certificate
74 | # issuer chain before deciding the certificate is not valid.
75 | #SSLVerifyClient require
76 | #SSLVerifyDepth 10
77 |
78 | # SSL Engine Options:
79 | # Set various options for the SSL engine.
80 | # o FakeBasicAuth:
81 | # Translate the client X.509 into a Basic Authorisation. This means that
82 | # the standard Auth/DBMAuth methods can be used for access control. The
83 | # user name is the `one line' version of the client's X.509 certificate.
84 | # Note that no password is obtained from the user. Every entry in the user
85 | # file needs this password: `xxj31ZMTZzkVA'.
86 | # o ExportCertData:
87 | # This exports two additional environment variables: SSL_CLIENT_CERT and
88 | # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
89 | # server (always existing) and the client (only existing when client
90 | # authentication is used). This can be used to import the certificates
91 | # into CGI scripts.
92 | # o StdEnvVars:
93 | # This exports the standard SSL/TLS related `SSL_*' environment variables.
94 | # Per default this exportation is switched off for performance reasons,
95 | # because the extraction step is an expensive operation and is usually
96 | # useless for serving static content. So one usually enables the
97 | # exportation for CGI and SSI requests only.
98 | # o OptRenegotiate:
99 | # This enables optimized SSL connection renegotiation handling when SSL
100 | # directives are used in per-directory context.
101 | #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
102 |
103 | SSLOptions +StdEnvVars
104 |
105 |
106 | SSLOptions +StdEnvVars
107 |
108 |
109 | # SSL Protocol Adjustments:
110 | # The safe and default but still SSL/TLS standard compliant shutdown
111 | # approach is that mod_ssl sends the close notify alert but doesn't wait for
112 | # the close notify alert from client. When you need a different shutdown
113 | # approach you can use one of the following variables:
114 | # o ssl-unclean-shutdown:
115 | # This forces an unclean shutdown when the connection is closed, i.e. no
116 | # SSL close notify alert is send or allowed to received. This violates
117 | # the SSL/TLS standard but is needed for some brain-dead browsers. Use
118 | # this when you receive I/O errors because of the standard approach where
119 | # mod_ssl sends the close notify alert.
120 | # o ssl-accurate-shutdown:
121 | # This forces an accurate shutdown when the connection is closed, i.e. a
122 | # SSL close notify alert is send and mod_ssl waits for the close notify
123 | # alert of the client. This is 100% SSL/TLS standard compliant, but in
124 | # practice often causes hanging connections with brain-dead browsers. Use
125 | # this only for browsers where you know that their SSL implementation
126 | # works correctly.
127 | # Notice: Most problems of broken clients are also related to the HTTP
128 | # keep-alive facility, so you usually additionally want to disable
129 | # keep-alive for those clients, too. Use variable "nokeepalive" for this.
130 | # Similarly, one has to force some clients to use HTTP/1.0 to workaround
131 | # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
132 | # "force-response-1.0" for this.
133 | BrowserMatch "MSIE [2-6]" \
134 | nokeepalive ssl-unclean-shutdown \
135 | downgrade-1.0 force-response-1.0
136 | # MSIE 7 and newer should be able to use keepalive
137 | BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
138 |
139 |
140 |
141 |
142 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
143 |
--------------------------------------------------------------------------------
/16.04-lts/apache2/sites-available/default-ssl.conf:
--------------------------------------------------------------------------------
1 |
2 |
3 | ServerAdmin webmaster@localhost
4 |
5 | DocumentRoot /var/www/html
6 |
7 | # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
8 | # error, crit, alert, emerg.
9 | # It is also possible to configure the loglevel for particular
10 | # modules, e.g.
11 | #LogLevel info ssl:warn
12 |
13 | ErrorLog ${APACHE_LOG_DIR}/error.log
14 | CustomLog ${APACHE_LOG_DIR}/access.log combined
15 |
16 | # For most configuration files from conf-available/, which are
17 | # enabled or disabled at a global level, it is possible to
18 | # include a line for only one particular virtual host. For example the
19 | # following line enables the CGI configuration for this host only
20 | # after it has been globally disabled with "a2disconf".
21 | #Include conf-available/serve-cgi-bin.conf
22 |
23 | # SSL Engine Switch:
24 | # Enable/Disable SSL for this virtual host.
25 | SSLEngine on
26 |
27 | # A self-signed (snakeoil) certificate can be created by installing
28 | # the ssl-cert package. See
29 | # /usr/share/doc/apache2/README.Debian.gz for more info.
30 | # If both key and certificate are stored in the same file, only the
31 | # SSLCertificateFile directive is needed.
32 | SSLCertificateFile /etc/ssl/certs/server.crt
33 | SSLCertificateKeyFile /etc/ssl/private/server.key
34 |
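35 | # Harden the TLS configuration.
   | # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered; re-add
   | # "+TLSv1.1" / "+TLSv1" only if a known legacy client population requires them.
36 | SSLProtocol -ALL +TLSv1.2
   | # ECDHE suites are listed first so forward-secret key exchange is preferred.
   | # "!EDH" removes the DHE suites entirely, and the trailing HIGH still admits
   | # static-RSA key exchange as a non-forward-secret fallback for clients without
   | # ECDHE support; "!aNULL" and "!MD5" drop unauthenticated and MD5-MAC suites.
37 | SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH
38 | SSLHonorCipherOrder on
   | # TLS-level compression is disabled to prevent CRIME-style plaintext recovery.
39 | SSLCompression off
   | # Not set here: Strict-Transport-Security (requires mod_headers). Consider
   | # adding it once the certificate chain is known to validate for all clients.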
40 |
41 | # Server Certificate Chain:
42 | # Point SSLCertificateChainFile at a file containing the
43 | # concatenation of PEM encoded CA certificates which form the
44 | # certificate chain for the server certificate. Alternatively
45 | # the referenced file can be the same as SSLCertificateFile
46 | # when the CA certificates are directly appended to the server
47 | # certificate for convinience.
48 | #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
49 |
50 | # Certificate Authority (CA):
51 | # Set the CA certificate verification path where to find CA
52 | # certificates for client authentication or alternatively one
53 | # huge file containing all of them (file must be PEM encoded)
54 | # Note: Inside SSLCACertificatePath you need hash symlinks
55 | # to point to the certificate files. Use the provided
56 | # Makefile to update the hash symlinks after changes.
57 | #SSLCACertificatePath /etc/ssl/certs/
58 | #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
59 |
60 | # Certificate Revocation Lists (CRL):
61 | # Set the CA revocation path where to find CA CRLs for client
62 | # authentication or alternatively one huge file containing all
63 | # of them (file must be PEM encoded)
64 | # Note: Inside SSLCARevocationPath you need hash symlinks
65 | # to point to the certificate files. Use the provided
66 | # Makefile to update the hash symlinks after changes.
67 | #SSLCARevocationPath /etc/apache2/ssl.crl/
68 | #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
69 |
70 | # Client Authentication (Type):
71 | # Client certificate verification type and depth. Types are
72 | # none, optional, require and optional_no_ca. Depth is a
73 | # number which specifies how deeply to verify the certificate
74 | # issuer chain before deciding the certificate is not valid.
75 | #SSLVerifyClient require
76 | #SSLVerifyDepth 10
77 |
78 | # SSL Engine Options:
79 | # Set various options for the SSL engine.
80 | # o FakeBasicAuth:
81 | # Translate the client X.509 into a Basic Authorisation. This means that
82 | # the standard Auth/DBMAuth methods can be used for access control. The
83 | # user name is the `one line' version of the client's X.509 certificate.
84 | # Note that no password is obtained from the user. Every entry in the user
85 | # file needs this password: `xxj31ZMTZzkVA'.
86 | # o ExportCertData:
87 | # This exports two additional environment variables: SSL_CLIENT_CERT and
88 | # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
89 | # server (always existing) and the client (only existing when client
90 | # authentication is used). This can be used to import the certificates
91 | # into CGI scripts.
92 | # o StdEnvVars:
93 | # This exports the standard SSL/TLS related `SSL_*' environment variables.
94 | # Per default this exportation is switched off for performance reasons,
95 | # because the extraction step is an expensive operation and is usually
96 | # useless for serving static content. So one usually enables the
97 | # exportation for CGI and SSI requests only.
98 | # o OptRenegotiate:
99 | # This enables optimized SSL connection renegotiation handling when SSL
100 | # directives are used in per-directory context.
101 | #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
102 |
103 | SSLOptions +StdEnvVars
104 |
105 |
106 | SSLOptions +StdEnvVars
107 |
108 |
109 | # SSL Protocol Adjustments:
110 | # The safe and default but still SSL/TLS standard compliant shutdown
111 | # approach is that mod_ssl sends the close notify alert but doesn't wait for
112 | # the close notify alert from client. When you need a different shutdown
113 | # approach you can use one of the following variables:
114 | # o ssl-unclean-shutdown:
115 | # This forces an unclean shutdown when the connection is closed, i.e. no
116 | # SSL close notify alert is send or allowed to received. This violates
117 | # the SSL/TLS standard but is needed for some brain-dead browsers. Use
118 | # this when you receive I/O errors because of the standard approach where
119 | # mod_ssl sends the close notify alert.
120 | # o ssl-accurate-shutdown:
121 | # This forces an accurate shutdown when the connection is closed, i.e. a
122 | # SSL close notify alert is send and mod_ssl waits for the close notify
123 | # alert of the client. This is 100% SSL/TLS standard compliant, but in
124 | # practice often causes hanging connections with brain-dead browsers. Use
125 | # this only for browsers where you know that their SSL implementation
126 | # works correctly.
127 | # Notice: Most problems of broken clients are also related to the HTTP
128 | # keep-alive facility, so you usually additionally want to disable
129 | # keep-alive for those clients, too. Use variable "nokeepalive" for this.
130 | # Similarly, one has to force some clients to use HTTP/1.0 to workaround
131 | # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
132 | # "force-response-1.0" for this.
133 | BrowserMatch "MSIE [2-6]" \
134 | nokeepalive ssl-unclean-shutdown \
135 | downgrade-1.0 force-response-1.0
136 | # MSIE 7 and newer should be able to use keepalive
137 | BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
138 |
139 |
140 |
141 |
142 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
143 |
--------------------------------------------------------------------------------
/14.04-lts/aide/aide.conf:
--------------------------------------------------------------------------------
1 | # AIDE conf
2 |
3 | # The daily cron job depends on these paths. The database lives on the
  | # monitored host itself, so anyone who gains root can regenerate it; keep
  | # an off-host or read-only copy of aide.db to compare against.
4 | database=file:/var/lib/aide/aide.db
5 | database_out=file:/var/lib/aide/aide.db.new
6 | database_new=file:/var/lib/aide/aide.db.new
7 | gzip_dbout=yes
8 |
9 | # Set to no to disable summarize_changes option.
10 | summarize_changes=yes
11 |
12 | # Set to no to disable grouping of files in report.
13 | grouped=yes
14 |
15 | # standard verbose level
16 | verbose = 6
17 |
18 | # Set to yes to print the checksums in the report in hex format
19 | report_base16 = no
20 |
21 | # Only sha512 is used here; add a second algorithm (e.g. sha256) if you want
22 | # two independent digests per file at the cost of speed. Whirlpool is broken
23 | # on sparc and sparc64 (see #429180, #420547, #152203), so avoid it there.
24 | Checksums = sha512
25 |
26 | # The checksums of the databases to be printed in the report
27 | # Set to 'E' to disable.
28 | database_attrs = Checksums
29 |
30 | # check permissions, owner, group and file type
31 | OwnerMode = p+u+g+ftype
32 |
33 | # Check size and block count
34 | Size = s+b
35 |
36 | # Files that stay static
37 | InodeData = OwnerMode+n+i+Size+l+X
38 | StaticFile = m+c+Checksums
39 |
40 | # Files that stay static but are copied to a ram disk on startup
41 | # (causing different inode)
42 | RamdiskData = InodeData-i
43 |
44 | # Check everything
45 | Full = InodeData+StaticFile
46 |
47 | # Files that change their mtimes or ctimes but not their contents
48 | VarTime = InodeData+Checksums
49 |
50 | # Files that are recreated regularly but do not change their contents
51 | VarInode = VarTime-i
52 |
53 | # Files that change their contents during system operation
54 | VarFile = OwnerMode+n+l+X
55 |
56 | # Directories that change their contents during system operation
57 | VarDir = OwnerMode+n+i+X
58 |
59 | # Directories that are recreated regularly and change their contents
60 | VarDirInode = OwnerMode+n+X
61 |
62 | # Directories that change their mtimes or ctimes but not their contents
63 | VarDirTime = InodeData
64 |
65 | # Logs are special: they are continuously written to, may be compressed,
66 | # have their file names changed in different, mutually incompatible ways
67 | # and appear and vanish at will. Handling this is a complex and error-
68 | # prone issue.
69 | #
70 | # This is best broken down in a number of small tasks:
71 | #
72 | #
73 | # (A)
74 | # While a live log is being written to, it doesn't change its mode and
75 | # inode and its size only increases.
76 | #
77 | # (B)
78 | # When a live log is rotated for the first time, it should not change
79 | # its mode, may change its inode, and its size decreases. The size
80 | # decrease may not be noticed by aide if the file had size x at the last
81 | # aide run, was rotated in the mean time and was written to so that it
82 | # had a size > x at the next aide run.
83 | #
84 | # (C)
85 | # When a log is compressed, this looks to aide like the uncompressed
86 | # file vanished (or was replaced by another file) and the compressed
87 | # file appeared out of the blue. There is (currently) no way to
88 | # associate the (gone) uncompressed file's contents with the (new)
89 | # compressed file's contents
90 | #
91 | # (D)
92 | # The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without
93 | # changing the other properties of the file
94 | #
95 | # (E)
96 | # If only a given number of log generations is to be kept, foo.{y}.bar may
97 | # vanish, but usually only when no foo.{z}.bar exists for z>y.
98 | #
99 | # (F)
100 | # The set of files foo.{x}.bar to foo.{y}.bar is called a "log series"
101 | # in aide terms, with the lowest x being called the "LoSerMember" element
102 | # and the highest y being called the "HiSerMember" element, and the z
103 | # with x<z<y being called the "SerMember" element.
83 | #
84 | # (C)
85 | # When a log is compressed, this looks to aide like the uncompressed
86 | # file vanished (or was replaced by another file) and the compressed
87 | # file appeared out of the blue. There is (currently) no way to
88 | # associate the (gone) uncompressed file's contents with the (new)
89 | # compressed file's contents
90 | #
91 | # (D)
92 | # The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without
93 | # changing the other properties of the file
94 | #
95 | # (E)
96 | # If only a given number of log generations is to be kept, foo.{y}.bar may
97 | # vanish, but usually only when no foo.{z}.bar exists for z>y.
98 | #
99 | # (F)
100 | # The set of files foo.{x}.bar to foo.{y}.bar is called a "log series"
101 | # in aide terms, with the lowest x being called the "LoSerMember" element
102 | # and the highest y being called the "HiSerMember" element, and the z
103 | # with x<z<y being called the "SerMember" element.
65 | # you will save yourself a lot of trouble.
66 | #
67 | # Do NOT add a slash at the end of the directory path.
68 | #
69 | #ServerRoot "/etc/apache2"
70 |
71 | #
72 | # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
73 | #
74 | Mutex file:${APACHE_LOCK_DIR} default
75 |
76 | #
77 | # PidFile: The file in which the server should record its process
78 | # identification number when it starts.
79 | # This needs to be set in /etc/apache2/envvars
80 | #
81 | PidFile ${APACHE_PID_FILE}
82 |
83 | #
84 | # Timeout: The number of seconds before receives and sends time out.
85 | #
86 | Timeout 30
87 |
88 | #
89 | # KeepAlive: Whether or not to allow persistent connections (more than
90 | # one request per connection). Set to "Off" to deactivate.
91 | #
92 | KeepAlive On
93 |
94 | #
95 | # MaxKeepAliveRequests: The maximum number of requests to allow
96 | # during a persistent connection. Set to 0 to allow an unlimited amount.
97 | # We recommend you leave this number high, for maximum performance.
98 | #
99 | MaxKeepAliveRequests 100
100 |
101 | #
102 | # KeepAliveTimeout: Number of seconds to wait for the next request from the
103 | # same client on the same connection.
104 | #
105 | KeepAliveTimeout 5
106 |
107 |
108 | # These need to be set in /etc/apache2/envvars
109 | User ${APACHE_RUN_USER}
110 | Group ${APACHE_RUN_GROUP}
111 |
112 | #
113 | # HostnameLookups: Log the names of clients or just their IP addresses
114 | # e.g., www.apache.org (on) or 204.62.129.132 (off).
115 | # The default is off because it'd be overall better for the net if people
116 | # had to knowingly turn this feature on, since enabling it means that
117 | # each client request will result in AT LEAST one lookup request to the
118 | # nameserver.
119 | #
120 | HostnameLookups Off
121 |
122 | # ErrorLog: The location of the error log file.
123 | # If you do not specify an ErrorLog directive within a
124 | # container, error messages relating to that virtual host will be
125 | # logged here. If you *do* define an error logfile for a
126 | # container, that host's errors will be logged there and not here.
127 | #
128 | ErrorLog ${APACHE_LOG_DIR}/error.log
129 |
130 | #
131 | # LogLevel: Control the severity of messages logged to the error_log.
132 | # Available values: trace8, ..., trace1, debug, info, notice, warn,
133 | # error, crit, alert, emerg.
134 | # It is also possible to configure the log level for particular modules, e.g.
135 | # "LogLevel info ssl:warn"
136 | #
137 | LogLevel warn
138 |
139 | # Include module configuration:
140 | IncludeOptional mods-enabled/*.load
141 | IncludeOptional mods-enabled/*.conf
142 |
143 | # Include list of ports to listen on
144 | Include ports.conf
145 |
146 |
147 | # Sets the default security model of the Apache2 HTTPD server. Debian's
148 | # stock version denies the root filesystem and grants only /usr/share and
149 | # /var/www; in this copy the /usr/share stanza appears commented out, so
150 | # only /var/www is granted. If your system is serving content from a
151 | # sub-directory in /srv you must allow access here, or in any related
152 | # virtual host. NOTE(review): the stanzas below use "AllowOverride All"
    | # where Debian ships "None"; that lets any .htaccess written into the served
    | # tree change Options, handlers and access rules. Prefer "AllowOverride None"
    | # and grant only the override classes an application actually needs.
153 |
154 | Options FollowSymLinks
155 | AllowOverride All
156 | Require all denied
157 |
158 |
159 | #
160 | # AllowOverride None
161 | # Require all granted
162 | #
163 |
164 |
165 | Options FollowSymLinks
166 | AllowOverride All
167 | Require all granted
168 |
169 |
170 | #
171 | # Options Indexes FollowSymLinks
172 | # AllowOverride None
173 | # Require all granted
174 | #
175 |
176 |
177 |
178 |
179 | # AccessFileName: The name of the file to look for in each directory
180 | # for additional configuration directives. See also the AllowOverride
181 | # directive.
182 | #
183 | AccessFileName .htaccess
184 |
185 | #
186 | # The following lines prevent .htaccess and .htpasswd files from being
187 | # viewed by Web clients.
188 | #
189 |
190 | Require all denied
191 |
192 |
193 |
194 | #
195 | # The following directives define some format nicknames for use with
196 | # a CustomLog directive.
197 | #
198 | # These deviate from the Common Log Format definitions in that they use %O
199 | # (the actual bytes sent including headers) instead of %b (the size of the
200 | # requested file), because the latter makes it impossible to detect partial
201 | # requests.
202 | #
203 | # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
204 | # Use mod_remoteip instead.
205 | #
206 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
207 | LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
208 | LogFormat "%h %l %u %t \"%r\" %>s %O" common
209 | LogFormat "%{Referer}i -> %U" referer
210 | LogFormat "%{User-agent}i" agent
211 |
212 | # Include of directories ignores editors' and dpkg's backup files,
213 | # see README.Debian for details.
214 |
215 | # Include generic snippets of statements
216 | IncludeOptional conf-enabled/*.conf
217 |
218 | # Include the virtual host configurations:
219 | IncludeOptional sites-enabled/*.conf
220 |
221 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
222 |
223 |
--------------------------------------------------------------------------------
/16.04-lts/apache2/apache2.conf:
--------------------------------------------------------------------------------
1 | # This is the main Apache server configuration file. It contains the
2 | # configuration directives that give the server its instructions.
3 | # See http://httpd.apache.org/docs/2.4/ for detailed information about
4 | # the directives and /usr/share/doc/apache2/README.Debian about Debian specific
5 | # hints.
6 | #
7 | #
8 | # Summary of how the Apache 2 configuration works in Debian:
9 | # The Apache 2 web server configuration in Debian is quite different to
10 | # upstream's suggested way to configure the web server. This is because Debian's
11 | # default Apache2 installation attempts to make adding and removing modules,
12 | # virtual hosts, and extra configuration directives as flexible as possible, in
13 | # order to make automating the changes and administering the server as easy as
14 | # possible.
15 |
16 | # It is split into several files forming the configuration hierarchy outlined
17 | # below, all located in the /etc/apache2/ directory:
18 | #
19 | # /etc/apache2/
20 | # |-- apache2.conf
21 | # | `-- ports.conf
22 | # |-- mods-enabled
23 | # | |-- *.load
24 | # | `-- *.conf
25 | # |-- conf-enabled
26 | # | `-- *.conf
27 | # `-- sites-enabled
28 | # `-- *.conf
29 | #
30 | #
31 | # * apache2.conf is the main configuration file (this file). It puts the pieces
32 | # together by including all remaining configuration files when starting up the
33 | # web server.
34 | #
35 | # * ports.conf is always included from the main configuration file. It is
36 | # supposed to determine listening ports for incoming connections which can be
37 | # customized anytime.
38 | #
39 | # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
40 | # directories contain particular configuration snippets which manage modules,
41 | # global configuration fragments, or virtual host configurations,
42 | # respectively.
43 | #
44 | # They are activated by symlinking available configuration files from their
45 | # respective *-available/ counterparts. These should be managed by using our
46 | # helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
47 | # their respective man pages for detailed information.
48 | #
49 | # * The binary is called apache2. Due to the use of environment variables, in
50 | # the default configuration, apache2 needs to be started/stopped with
51 | # /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
52 | # work with the default configuration.
53 |
54 |
55 | # Global configuration
56 | #
57 |
58 | #
59 | # ServerRoot: The top of the directory tree under which the server's
60 | # configuration, error, and log files are kept.
61 | #
62 | # NOTE! If you intend to place this on an NFS (or otherwise network)
63 | # mounted filesystem then please read the Mutex documentation (available
64 | # at http://httpd.apache.org/docs/2.4/mod/core.html#mutex);
65 | # you will save yourself a lot of trouble.
66 | #
67 | # Do NOT add a slash at the end of the directory path.
68 | #
69 | #ServerRoot "/etc/apache2"
70 |
71 | #
72 | # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
73 | #
74 | Mutex file:${APACHE_LOCK_DIR} default
75 |
76 | #
77 | # PidFile: The file in which the server should record its process
78 | # identification number when it starts.
79 | # This needs to be set in /etc/apache2/envvars
80 | #
81 | PidFile ${APACHE_PID_FILE}
82 |
83 | #
84 | # Timeout: The number of seconds before receives and sends time out.
85 | #
# 30 rather than the Debian default of 300 (the 12.04 file in this repository
# still uses 300): this bounds how long a slow or idle client, slowloris-style,
# can hold one worker. Raise it only for a backend that genuinely needs long
# uploads or slow responses.
86 | Timeout 30
87 |
88 | #
89 | # KeepAlive: Whether or not to allow persistent connections (more than
90 | # one request per connection). Set to "Off" to deactivate.
91 | #
92 | KeepAlive On
93 |
94 | #
95 | # MaxKeepAliveRequests: The maximum number of requests to allow
96 | # during a persistent connection. Set to 0 to allow an unlimited amount.
97 | # We recommend you leave this number high, for maximum performance.
98 | #
99 | MaxKeepAliveRequests 100
100 |
101 | #
102 | # KeepAliveTimeout: Number of seconds to wait for the next request from the
103 | # same client on the same connection.
104 | #
# Short idle window so parked keep-alive connections are released quickly and
# cannot pin workers; a client that is still active simply reconnects.
105 | KeepAliveTimeout 5
106 |
107 |
108 | # These need to be set in /etc/apache2/envvars
109 | User ${APACHE_RUN_USER}
110 | Group ${APACHE_RUN_GROUP}
111 |
112 | #
113 | # HostnameLookups: Log the names of clients or just their IP addresses
114 | # e.g., www.apache.org (on) or 204.62.129.132 (off).
115 | # The default is off because it'd be overall better for the net if people
116 | # had to knowingly turn this feature on, since enabling it means that
117 | # each client request will result in AT LEAST one lookup request to the
118 | # nameserver.
119 | #
120 | HostnameLookups Off
121 |
122 | # ErrorLog: The location of the error log file.
123 | # If you do not specify an ErrorLog directive within a
124 | # container, error messages relating to that virtual host will be
125 | # logged here. If you *do* define an error logfile for a
126 | # container, that host's errors will be logged there and not here.
127 | #
128 | ErrorLog ${APACHE_LOG_DIR}/error.log
129 |
130 | #
131 | # LogLevel: Control the severity of messages logged to the error_log.
132 | # Available values: trace8, ..., trace1, debug, info, notice, warn,
133 | # error, crit, alert, emerg.
134 | # It is also possible to configure the log level for particular modules, e.g.
135 | # "LogLevel info ssl:warn"
136 | #
137 | LogLevel warn
138 |
139 | # Include module configuration:
140 | IncludeOptional mods-enabled/*.load
141 | IncludeOptional mods-enabled/*.conf
142 |
143 | # Include list of ports to listen on
144 | Include ports.conf
145 |
146 |
147 | # Sets the default security model of the Apache2 HTTPD server. It does
148 | # not allow access to the root filesystem outside of /usr/share and /var/www.
149 | # The former is used by web applications packaged in Debian,
150 | # the latter may be used for local directories served by the web server. If
151 | # your system is serving content from a sub-directory in /srv you must allow
152 | # access here, or in any related virtual host.
153 |
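# NOTE(review): the Directory containers that wrap the three groups below are
# not visible in this listing; going by the comment above they are presumably
# "/" (denied), "/usr/share" (here commented out, so packaged web apps under it
# are not served) and "/var/www" (granted). Verify against the deployed file.
154 | Options FollowSymLinks
155 | AllowOverride None
156 | Require all denied
157 |
158 |
159 | #
160 | # AllowOverride None
161 | # Require all granted
162 | #
163 |
164 |
# Directory listings are disabled for the served tree: "Indexes" is dropped
# from the Debian default, so a directory without an index file answers 403
# instead of enumerating its contents to the client. AllowOverride None keeps
# a stray .htaccess from re-enabling it.
165 | Options FollowSymLinks
166 | AllowOverride None
167 | Require all granted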
168 |
169 |
170 | #
171 | # Options Indexes FollowSymLinks
172 | # AllowOverride None
173 | # Require all granted
174 | #
175 |
176 |
177 |
178 |
179 | # AccessFileName: The name of the file to look for in each directory
180 | # for additional configuration directives. See also the AllowOverride
181 | # directive.
182 | #
183 | AccessFileName .htaccess
184 |
185 | #
186 | # The following lines prevent .htaccess and .htpasswd files from being
187 | # viewed by Web clients.
188 | #
# NOTE(review): the FilesMatch "^\.ht" container that should wrap the next
# directive is not visible in this listing. Outside such a container a bare
# "Require all denied" applies server-wide and would refuse every request, so
# confirm the container tags are present in the deployed file.
189 |
190 | Require all denied
191 |
192 |
193 |
194 | #
195 | # The following directives define some format nicknames for use with
196 | # a CustomLog directive.
197 | #
198 | # These deviate from the Common Log Format definitions in that they use %O
199 | # (the actual bytes sent including headers) instead of %b (the size of the
200 | # requested file), because the latter makes it impossible to detect partial
201 | # requests.
202 | #
203 | # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
204 | # Use mod_remoteip instead.
205 | #
206 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
207 | LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
208 | LogFormat "%h %l %u %t \"%r\" %>s %O" common
209 | LogFormat "%{Referer}i -> %U" referer
210 | LogFormat "%{User-agent}i" agent
211 |
212 | # Include of directories ignores editors' and dpkg's backup files,
213 | # see README.Debian for details.
214 |
215 | # Include generic snippets of statements
216 | IncludeOptional conf-enabled/*.conf
217 |
218 | # Include the virtual host configurations:
219 | IncludeOptional sites-enabled/*.conf
220 |
221 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
222 |
--------------------------------------------------------------------------------
/12.04-lts/apache2/apache2.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Based upon the NCSA server configuration files originally by Rob McCool.
3 | #
4 | # This is the main Apache server configuration file. It contains the
5 | # configuration directives that give the server its instructions.
6 | # See http://httpd.apache.org/docs/2.2/ for detailed information about
7 | # the directives.
8 | #
9 | # Do NOT simply read the instructions in here without understanding
10 | # what they do. They're here only as hints or reminders. If you are unsure
11 | # consult the online docs. You have been warned.
12 | #
13 | # The configuration directives are grouped into three basic sections:
14 | # 1. Directives that control the operation of the Apache server process as a
15 | # whole (the 'global environment').
16 | # 2. Directives that define the parameters of the 'main' or 'default' server,
17 | # which responds to requests that aren't handled by a virtual host.
18 | # These directives also provide default values for the settings
19 | # of all virtual hosts.
20 | # 3. Settings for virtual hosts, which allow Web requests to be sent to
21 | # different IP addresses or hostnames and have them handled by the
22 | # same Apache server process.
23 | #
24 | # Configuration and logfile names: If the filenames you specify for many
25 | # of the server's control files begin with "/" (or "drive:/" for Win32), the
26 | # server will use that explicit path. If the filenames do *not* begin
27 | # with "/", the value of ServerRoot is prepended -- so "foo.log"
28 | # with ServerRoot set to "/etc/apache2" will be interpreted by the
29 | # server as "/etc/apache2/foo.log".
30 | #
31 |
32 | ### Section 1: Global Environment
33 | #
34 | # The directives in this section affect the overall operation of Apache,
35 | # such as the number of concurrent requests it can handle or where it
36 | # can find its configuration files.
37 | #
38 |
39 | #
40 | # ServerRoot: The top of the directory tree under which the server's
41 | # configuration, error, and log files are kept.
42 | #
43 | # NOTE! If you intend to place this on an NFS (or otherwise network)
44 | # mounted filesystem then please read the LockFile documentation (available
45 | # at http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile);
46 | # you will save yourself a lot of trouble.
47 | #
48 | # Do NOT add a slash at the end of the directory path.
49 | #
50 | #ServerRoot "/etc/apache2"
51 |
52 | #
53 | # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
54 | #
55 | LockFile ${APACHE_LOCK_DIR}/accept.lock
56 |
57 | #
58 | # PidFile: The file in which the server should record its process
59 | # identification number when it starts.
60 | # This needs to be set in /etc/apache2/envvars
61 | #
62 | PidFile ${APACHE_PID_FILE}
63 |
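64 | #
65 | # Timeout: The number of seconds before receives and sends time out.
66 | #
# Lowered from the Debian default of 300 to match the 16.04 baseline in this
# repository: an idle or deliberately slow client (slowloris-style) can hold a
# worker for at most this long. Raise it only if a service behind this server
# legitimately needs long uploads or slow responses.
67 | Timeout 30
68 |
69 | #
70 | # KeepAlive: Whether or not to allow persistent connections (more than
71 | # one request per connection). Set to "Off" to deactivate.
72 | #
73 | KeepAlive On
74 |
75 | #
76 | # MaxKeepAliveRequests: The maximum number of requests to allow
77 | # during a persistent connection. Set to 0 to allow an unlimited amount.
78 | # We recommend you leave this number high, for maximum performance.
79 | #
80 | MaxKeepAliveRequests 100
81 |
82 | #
83 | # KeepAliveTimeout: Number of seconds to wait for the next request from the
84 | # same client on the same connection.
85 | #
# 5 seconds (the 16.04 value) releases idle keep-alive connections quickly so
# they cannot tie up the bounded prefork/worker pool configured below.
86 | KeepAliveTimeout 5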
87 |
88 | ##
89 | ## Server-Pool Size Regulation (MPM specific)
90 | ##
91 |
92 | # prefork MPM
93 | # StartServers: number of server processes to start
94 | # MinSpareServers: minimum number of server processes which are kept spare
95 | # MaxSpareServers: maximum number of server processes which are kept spare
96 | # MaxClients: maximum number of server processes allowed to start
97 | # MaxRequestsPerChild: maximum number of requests a server process serves
98 |
99 | StartServers 5
100 | MinSpareServers 5
101 | MaxSpareServers 10
102 | MaxClients 150
103 | MaxRequestsPerChild 0
104 |
105 |
106 | # worker MPM
107 | # StartServers: initial number of server processes to start
108 | # MinSpareThreads: minimum number of worker threads which are kept spare
109 | # MaxSpareThreads: maximum number of worker threads which are kept spare
110 | # ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
111 | # graceful restart. ThreadLimit can only be changed by stopping
112 | # and starting Apache.
113 | # ThreadsPerChild: constant number of worker threads in each server process
114 | # MaxClients: maximum number of simultaneous client connections
115 | # MaxRequestsPerChild: maximum number of requests a server process serves
116 |
117 | StartServers 2
118 | MinSpareThreads 25
119 | MaxSpareThreads 75
120 | ThreadLimit 64
121 | ThreadsPerChild 25
122 | MaxClients 150
123 | MaxRequestsPerChild 0
124 |
125 |
126 | # event MPM
127 | # StartServers: initial number of server processes to start
128 | # MinSpareThreads: minimum number of worker threads which are kept spare
129 | # MaxSpareThreads: maximum number of worker threads which are kept spare
130 | # ThreadsPerChild: constant number of worker threads in each server process
131 | # MaxClients: maximum number of simultaneous client connections
132 | # MaxRequestsPerChild: maximum number of requests a server process serves
133 |
134 | StartServers 2
135 | MinSpareThreads 25
136 | MaxSpareThreads 75
137 | ThreadLimit 64
138 | ThreadsPerChild 25
139 | MaxClients 150
140 | MaxRequestsPerChild 0
141 |
142 |
143 | # These need to be set in /etc/apache2/envvars
144 | User ${APACHE_RUN_USER}
145 | Group ${APACHE_RUN_GROUP}
146 |
147 | #
148 | # AccessFileName: The name of the file to look for in each directory
149 | # for additional configuration directives. See also the AllowOverride
150 | # directive.
151 | #
152 |
153 | AccessFileName .htaccess
154 |
155 | #
156 | # The following lines prevent .htaccess and .htpasswd files from being
157 | # viewed by Web clients.
158 | #
# NOTE(review): the Files ~ "^\.ht" container that should wrap the next three
# directives is not visible in this listing; confirm it is present in the
# deployed file, since at server scope "Deny from all" would block every
# request. (Order/Deny/Satisfy is the 2.2 access syntax; the 16.04 file uses
# "Require all denied" for the same purpose.)
159 |
160 | Order allow,deny
161 | Deny from all
162 | Satisfy all
163 |
164 |
165 | #
166 | # DefaultType is the default MIME type the server will use for a document
167 | # if it cannot otherwise determine one, such as from filename extensions.
168 | # If your server contains mostly text or HTML documents, "text/plain" is
169 | # a good value. If most of your content is binary, such as applications
170 | # or images, you may want to use "application/octet-stream" instead to
171 | # keep browsers from trying to display binary files as though they are
172 | # text.
173 | #
174 | # It is also possible to omit any default MIME type and let the
175 | # client's browser guess an appropriate action instead. Typically the
176 | # browser will decide based on the file's extension then. In cases
177 | # where no good assumption can be made, letting the default MIME type
178 | # unset is suggested instead of forcing the browser to accept
179 | # incorrect metadata.
180 | #
181 | DefaultType None
182 |
183 |
184 | #
185 | # HostnameLookups: Log the names of clients or just their IP addresses
186 | # e.g., www.apache.org (on) or 204.62.129.132 (off).
187 | # The default is off because it'd be overall better for the net if people
188 | # had to knowingly turn this feature on, since enabling it means that
189 | # each client request will result in AT LEAST one lookup request to the
190 | # nameserver.
191 | #
192 | HostnameLookups Off
193 |
194 | # ErrorLog: The location of the error log file.
195 | # If you do not specify an ErrorLog directive within a
196 | # container, error messages relating to that virtual host will be
197 | # logged here. If you *do* define an error logfile for a
198 | # container, that host's errors will be logged there and not here.
199 | #
200 | ErrorLog ${APACHE_LOG_DIR}/error.log
201 |
202 | #
203 | # LogLevel: Control the number of messages logged to the error_log.
204 | # Possible values include: debug, info, notice, warn, error, crit,
205 | # alert, emerg.
206 | #
207 | LogLevel warn
208 |
209 | # Include module configuration:
210 | Include mods-enabled/*.load
211 | Include mods-enabled/*.conf
212 |
213 | # Include all the user configurations:
214 | Include httpd.conf
215 |
216 | # Include ports listing
217 | Include ports.conf
218 |
219 | #
220 | # The following directives define some format nicknames for use with
221 | # a CustomLog directive (see below).
222 | # If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i.
# Do that only if the proxy always overwrites (rather than appends to) that
# header and nothing but the proxy can reach this server: X-Forwarded-For is
# supplied by the client, so logging it unconditionally lets a direct client
# forge the recorded source address.
223 | #
224 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
225 | LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
226 | LogFormat "%h %l %u %t \"%r\" %>s %O" common
227 | LogFormat "%{Referer}i -> %U" referer
228 | LogFormat "%{User-agent}i" agent
229 |
230 | # Include of directories ignores editors' and dpkg's backup files,
231 | # see README.Debian for details.
232 |
233 | # Include generic snippets of statements
234 | Include conf.d/
235 |
236 | # Include the virtual host configurations:
237 | Include sites-enabled/
238 |
--------------------------------------------------------------------------------
/12.04-lts/login.defs:
--------------------------------------------------------------------------------
1 | #
2 | # /etc/login.defs - Configuration control definitions for the login package.
3 | #
4 | # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
5 | # If unspecified, some arbitrary (and possibly incorrect) value will
6 | # be assumed. All other items are optional - if not specified then
7 | # the described action or option will be inhibited.
8 | #
9 | # Comment lines (lines beginning with "#") and blank lines are ignored.
10 | #
11 | # Modified for Linux. --marekm
12 |
13 | # REQUIRED for useradd/userdel/usermod
14 | # Directory where mailboxes reside, _or_ name of file, relative to the
15 | # home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
16 | # MAIL_DIR takes precedence.
17 | #
18 | # Essentially:
19 | # - MAIL_DIR defines the location of users mail spool files
20 | # (for mbox use) by appending the username to MAIL_DIR as defined
21 | # below.
22 | # - MAIL_FILE defines the location of the users mail spool files as the
23 | # fully-qualified filename obtained by prepending the user home
24 | # directory before $MAIL_FILE
25 | #
26 | # NOTE: This is no more used for setting up users MAIL environment variable
27 | # which is, starting from shadow 4.0.12-1 in Debian, entirely the
28 | # job of the pam_mail PAM modules
29 | # See default PAM configuration files provided for
30 | # login, su, etc.
31 | #
32 | # This is a temporary situation: setting these variables will soon
33 | # move to /etc/default/useradd and the variables will then be
34 | # no more supported
35 | MAIL_DIR /var/mail
36 | #MAIL_FILE .mail
37 |
38 | #
39 | # Enable logging and display of /var/log/faillog login failure info.
40 | # This option conflicts with the pam_tally PAM module.
41 | #
42 | FAILLOG_ENAB yes
43 |
44 | #
45 | # Enable display of unknown usernames when login failures are recorded.
46 | #
47 | # WARNING: Unknown usernames may become world readable.
48 | # See #290803 and #298773 for details about how this could become a security
49 | # concern
50 | LOG_UNKFAIL_ENAB no
51 |
52 | #
53 | # Enable logging of successful logins
54 | #
55 | LOG_OK_LOGINS yes
56 |
57 | #
58 | # Enable "syslog" logging of su activity - in addition to sulog file logging.
59 | # SYSLOG_SG_ENAB does the same for newgrp and sg.
60 | #
61 | SYSLOG_SU_ENAB yes
62 | SYSLOG_SG_ENAB yes
63 |
64 | #
65 | # If defined, all su activity is logged to this file.
66 | #
67 | SULOG_FILE /var/log/sulog
68 |
69 | #
70 | # If defined, file which maps tty line to TERM environment parameter.
71 | # Each line of the file is in a format something like "vt100 tty01".
72 | #
73 | #TTYTYPE_FILE /etc/ttytype
74 |
75 | #
76 | # If defined, login failures will be logged here in a utmp format
77 | # last, when invoked as lastb, will read /var/log/btmp, so...
78 | #
79 | FTMP_FILE /var/log/btmp
80 |
81 | #
82 | # If defined, the command name to display when running "su -". For
83 | # example, if this is defined as "su" then a "ps" will display the
84 | # command is "-su". If not defined, then "ps" would display the
85 | # name of the shell actually being run, e.g. something like "-sh".
86 | #
87 | SU_NAME su
88 |
89 | #
90 | # If defined, file which inhibits all the usual chatter during the login
91 | # sequence. If a full pathname, then hushed mode will be enabled if the
92 | # user's name or shell are found in the file. If not a full pathname, then
93 | # hushed mode will be enabled if the file exists in the user's home directory.
94 | #
95 | HUSHLOGIN_FILE .hushlogin
96 | #HUSHLOGIN_FILE /etc/hushlogins
97 |
98 | #
99 | # *REQUIRED* The default PATH settings, for superuser and normal users.
100 | #
101 | # (they are minimal, add the rest in the shell startup files)
102 | ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
103 | ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin
104 |
105 | #
106 | # Terminal permissions
107 | #
108 | # TTYGROUP Login tty will be assigned this group ownership.
109 | # TTYPERM Login tty will be set to this permission.
110 | #
111 | # If you have a "write" program which is "setgid" to a special group
112 | # which owns the terminals, define TTYGROUP to the group number and
113 | # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
114 | # TTYPERM to either 622 or 600.
115 | #
116 | # In Debian /usr/bin/bsd-write or similar programs are setgid tty
117 | # However, the default and recommended value for TTYPERM is still 0600
118 | # to not allow anyone to write to anyone else console or terminal
119 |
120 | # Users can still allow other people to write them by issuing
121 | # the "mesg y" command.
122 |
123 | TTYGROUP tty
124 | TTYPERM 0600
125 |
126 | #
127 | # Login configuration initializations:
128 | #
129 | # ERASECHAR Terminal ERASE character ('\010' = backspace).
130 | # KILLCHAR Terminal KILL character ('\025' = CTRL/U).
131 | # UMASK Default "umask" value.
132 | #
133 | # The ERASECHAR and KILLCHAR are used only on System V machines.
134 | #
135 | # UMASK is the default umask value for pam_umask and is used by
136 | # useradd and newusers to set the mode of the new home directories.
137 | # 022 is the "historical" value in Debian for UMASK
138 | # 027, or even 077, could be considered better for privacy
139 | # There is no One True Answer here : each sysadmin must make up his/her
140 | # mind.
141 | #
142 | # If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
143 | # for private user groups, i. e. the uid is the same as gid, and username is
144 | # the same as the primary group name: for these, the user permissions will be
145 | # used as group permissions, e. g. 022 will become 002.
146 | #
147 | # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
148 | #
149 | ERASECHAR 0177
150 | KILLCHAR 025
# 077 instead of Debian's historical 022 (see above): new home directories are
# created mode 0700 and pam_umask hides newly created files from other users.
# With USERGROUPS_ENAB yes (below) the group bits follow the owner bits, so for
# private user groups this effectively becomes 007.
151 | UMASK 077
152 |
153 | #
154 | # Password aging controls:
155 | #
156 | # PASS_MAX_DAYS Maximum number of days a password may be used.
157 | # PASS_MIN_DAYS Minimum number of days allowed between password changes.
158 | # PASS_WARN_AGE Number of days warning given before a password expires.
159 | #
# NOTE(review): these are the stock values, i.e. passwords never expire and may
# be changed again immediately. CIS-style baselines set PASS_MAX_DAYS to 365
# or less and PASS_MIN_DAYS to 1 or more (blocks cycling straight back to an
# old password); current NIST guidance discourages forced rotation altogether,
# so choose the policy deliberately rather than by default. Either way these
# values only affect accounts created afterwards - existing accounts need
# chage(1).
160 | PASS_MAX_DAYS 99999
161 | PASS_MIN_DAYS 0
162 | PASS_WARN_AGE 7
163 |
164 | #
165 | # Min/max values for automatic uid selection in useradd
166 | #
167 | UID_MIN 1000
168 | UID_MAX 60000
169 | # System accounts
170 | #SYS_UID_MIN 100
171 | #SYS_UID_MAX 999
172 |
173 | #
174 | # Min/max values for automatic gid selection in groupadd
175 | #
176 | GID_MIN 1000
177 | GID_MAX 60000
178 |
179 | # System accounts
180 | #SYS_GID_MIN 100
181 | #SYS_GID_MAX 999
182 |
183 | #
184 | # Max number of login retries if password is bad. This will most likely be
185 | # overridden by PAM, since the default pam_unix module has its own built-in
186 | # limit of 3 retries. However, this is a safe fallback in case you are using
187 | # an authentication module that does not enforce PAM_MAXTRIES.
188 | #
189 | LOGIN_RETRIES 3
190 |
191 | #
192 | # Max time in seconds for login
193 | #
194 | LOGIN_TIMEOUT 60
195 |
196 | #
197 | # Which fields may be changed by regular users using chfn - use
198 | # any combination of letters "frwh" (full name, room number, work
199 | # phone, home phone). If not defined, no changes are allowed.
200 | # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
201 | #
202 | CHFN_RESTRICT rwh
203 |
204 | #
205 | # Should login be allowed if we can't cd to the home directory?
206 | # Default is no.
207 | #
208 | DEFAULT_HOME yes
209 |
210 | #
211 | # If defined, this command is run when removing a user.
212 | # It should remove any at/cron/print jobs etc. owned by
213 | # the user to be removed (passed as the first argument).
214 | #
215 | #USERDEL_CMD /usr/sbin/userdel_local
216 |
217 | #
218 | # Enable setting of the umask group bits to be the same as owner bits
219 | # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
220 | # the same as gid, and username is the same as the primary group name.
221 | #
222 | # If set to yes, userdel will remove the user's group if it contains no
223 | # more members, and useradd will create by default a group with the name
224 | # of the user.
225 | #
226 | USERGROUPS_ENAB yes
227 |
228 | #
229 | # Instead of the real user shell, the program specified by this parameter
230 | # will be launched, although its visible name (argv[0]) will be the shell's.
231 | # The program may do whatever it wants (logging, additional authentication,
232 | # banner, ...) before running the actual shell.
233 | #
234 | # FAKE_SHELL /bin/fakeshell
235 |
236 | #
237 | # If defined, either full pathname of a file containing device names or
238 | # a ":" delimited list of device names. Root logins will be allowed only
239 | # upon these devices.
240 | #
241 | # This variable is used by login and su.
242 | #
243 | #CONSOLE /etc/consoles
244 | #CONSOLE console:tty01:tty02:tty03:tty04
245 |
246 | #
247 | # List of groups to add to the user's supplementary group set
248 | # when logging in on the console (as determined by the CONSOLE
249 | # setting). Default is none.
250 | #
251 | # Use with caution - it is possible for users to gain permanent
252 | # access to these groups, even when not logged in on the console.
253 | # How to do it is left as an exercise for the reader...
254 | #
255 | # This variable is used by login and su.
256 | #
257 | #CONSOLE_GROUPS floppy:audio:cdrom
258 |
259 | #
260 | # If set to "yes", new passwords will be encrypted using the MD5-based
261 | # algorithm compatible with the one used by recent releases of FreeBSD.
262 | # It supports passwords of unlimited length and longer salt strings.
263 | # Set to "no" if you need to copy encrypted passwords to other systems
264 | # which don't understand the new algorithm. Default is "no".
265 | #
266 | # This variable is deprecated. You should use ENCRYPT_METHOD.
267 | #
268 | #MD5_CRYPT_ENAB no
269 |
270 | #
271 | # If set to MD5 , MD5-based algorithm will be used for encrypting password
272 | # If set to SHA256, SHA256-based algorithm will be used for encrypting password
273 | # If set to SHA512, SHA512-based algorithm will be used for encrypting password
274 | # If set to DES, DES-based algorithm will be used for encrypting password (default)
275 | # Overrides the MD5_CRYPT_ENAB option
276 | #
277 | # Note: It is recommended to use a value consistent with
278 | # the PAM modules configuration.
279 | #
280 | ENCRYPT_METHOD SHA512
281 |
282 | #
283 | # Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
284 | #
285 | # Define the number of SHA rounds.
286 | # With more rounds, brute-forcing a stolen hash becomes more expensive.
287 | # Note, however, that more CPU resources will be needed to authenticate
288 | # users.
289 | #
290 | # If not specified, the libc will choose the default number of rounds (5000).
291 | # The values must be inside the 1000-999999999 range.
292 | # If only one of the MIN or MAX values is set, then this value will be used.
293 | # If MIN > MAX, the highest value will be used.
294 | #
# NOTE(review): leaving both unset keeps the libc default of 5000 rounds, which
# is cheap for a modern GPU cracker. A hardened baseline usually raises both
# values (for example 65536); as noted above, keep them consistent with the
# rounds= option given to pam_unix in the PAM configuration, which governs
# passwd(1), or the two paths will produce hashes of different strength.
295 | # SHA_CRYPT_MIN_ROUNDS 5000
296 | # SHA_CRYPT_MAX_ROUNDS 5000
297 |
298 | ################# OBSOLETED BY PAM ##############
299 | # #
300 | # These options are now handled by PAM. Please #
301 | # edit the appropriate file in /etc/pam.d/ to #
302 | # enable the equivalents of them.
303 | #
304 | ###############
305 |
306 | #MOTD_FILE
307 | #DIALUPS_CHECK_ENAB
308 | #LASTLOG_ENAB
309 | #MAIL_CHECK_ENAB
310 | #OBSCURE_CHECKS_ENAB
311 | #PORTTIME_CHECKS_ENAB
312 | #SU_WHEEL_ONLY
313 | #CRACKLIB_DICTPATH
314 | #PASS_CHANGE_TRIES
315 | #PASS_ALWAYS_WARN
316 | #ENVIRON_FILE
317 | #NOLOGINS_FILE
318 | #ISSUE_FILE
319 | #PASS_MIN_LEN
320 | #PASS_MAX_LEN
321 | #ULIMIT
322 | #ENV_HZ
323 | #CHFN_AUTH
324 | #CHSH_AUTH
325 | #FAIL_DELAY
326 |
327 | ################# OBSOLETED #######################
328 | # #
329 | # These options are no more handled by shadow. #
330 | # #
331 | # Shadow utilities will display a warning if they #
332 | # still appear. #
333 | # #
334 | ###################################################
335 |
336 | # CLOSE_SESSIONS
337 | # LOGIN_STRING
338 | # NO_PASSWORD_CONSOLE
339 | # QMAIL_DIR
340 |
341 |
342 |
343 |
--------------------------------------------------------------------------------
/16.04-lts/login.defs:
--------------------------------------------------------------------------------
1 | #
2 | # /etc/login.defs - Configuration control definitions for the login package.
3 | #
4 | # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
5 | # If unspecified, some arbitrary (and possibly incorrect) value will
6 | # be assumed. All other items are optional - if not specified then
7 | # the described action or option will be inhibited.
8 | #
9 | # Comment lines (lines beginning with "#") and blank lines are ignored.
10 | #
11 | # Modified for Linux. --marekm
12 |
13 | # REQUIRED for useradd/userdel/usermod
14 | # Directory where mailboxes reside, _or_ name of file, relative to the
15 | # home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
16 | # MAIL_DIR takes precedence.
17 | #
18 | # Essentially:
19 | # - MAIL_DIR defines the location of users mail spool files
20 | # (for mbox use) by appending the username to MAIL_DIR as defined
21 | # below.
22 | # - MAIL_FILE defines the location of the users mail spool files as the
23 | # fully-qualified filename obtained by prepending the user home
24 | # directory before $MAIL_FILE
25 | #
26 | # NOTE: This is no more used for setting up users MAIL environment variable
27 | # which is, starting from shadow 4.0.12-1 in Debian, entirely the
28 | # job of the pam_mail PAM modules
29 | # See default PAM configuration files provided for
30 | # login, su, etc.
31 | #
32 | # This is a temporary situation: setting these variables will soon
33 | # move to /etc/default/useradd and the variables will then be
34 | # no more supported
35 | MAIL_DIR /var/mail
36 | #MAIL_FILE .mail
37 |
38 | #
39 | # Enable logging and display of /var/log/faillog login failure info.
40 | # This option conflicts with the pam_tally PAM module.
41 | #
42 | FAILLOG_ENAB yes
43 |
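44 | #
45 | # Enable display of unknown usernames when login failures are recorded.
46 | #
47 | # WARNING: Unknown usernames may become world readable.
48 | # See #290803 and #298773 for details about how this could become a security
49 | # concern
# Kept off, as the warning above advises and as the 12.04 baseline in this
# repository does: a typical "unknown username" is a password typed into the
# login prompt by mistake, and with this enabled it would be written to the
# failure log in clear text.
50 | LOG_UNKFAIL_ENAB no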
51 |
52 | #
53 | # Enable logging of successful logins
54 | #
55 | LOG_OK_LOGINS yes
56 |
57 | #
58 | # Enable "syslog" logging of su activity - in addition to sulog file logging.
59 | # SYSLOG_SG_ENAB does the same for newgrp and sg.
60 | #
61 | SYSLOG_SU_ENAB yes
62 | SYSLOG_SG_ENAB yes
63 |
64 | #
65 | # If defined, all su activity is logged to this file.
66 | #
67 | SULOG_FILE /var/log/sulog
68 |
69 | #
70 | # If defined, file which maps tty line to TERM environment parameter.
71 | # Each line of the file is in a format something like "vt100 tty01".
72 | #
73 | #TTYTYPE_FILE /etc/ttytype
74 |
75 | #
76 | # If defined, login failures will be logged here in a utmp format
77 | # last, when invoked as lastb, will read /var/log/btmp, so...
78 | #
79 | FTMP_FILE /var/log/btmp
80 |
81 | #
82 | # If defined, the command name to display when running "su -". For
83 | # example, if this is defined as "su" then a "ps" will display the
84 | # command is "-su". If not defined, then "ps" would display the
85 | # name of the shell actually being run, e.g. something like "-sh".
86 | #
87 | SU_NAME su
88 |
89 | #
90 | # If defined, file which inhibits all the usual chatter during the login
91 | # sequence. If a full pathname, then hushed mode will be enabled if the
92 | # user's name or shell are found in the file. If not a full pathname, then
93 | # hushed mode will be enabled if the file exists in the user's home directory.
94 | #
95 | HUSHLOGIN_FILE .hushlogin
96 | #HUSHLOGIN_FILE /etc/hushlogins
97 |
98 | #
99 | # *REQUIRED* The default PATH settings, for superuser and normal users.
100 | #
101 | # (they are minimal, add the rest in the shell startup files)
102 | ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
103 | ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
104 |
105 | #
106 | # Terminal permissions
107 | #
108 | # TTYGROUP Login tty will be assigned this group ownership.
109 | # TTYPERM Login tty will be set to this permission.
110 | #
111 | # If you have a "write" program which is "setgid" to a special group
112 | # which owns the terminals, define TTYGROUP to the group number and
113 | # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
114 | # TTYPERM to either 622 or 600.
115 | #
116 | # In Debian /usr/bin/bsd-write or similar programs are setgid tty
117 | # However, the default and recommended value for TTYPERM is still 0600
118 | # to not allow anyone to write to anyone else console or terminal
119 |
120 | # Users can still allow other people to write them by issuing
121 | # the "mesg y" command.
122 |
123 | TTYGROUP tty
124 | TTYPERM 0600
125 |
126 | #
127 | # Login configuration initializations:
128 | #
129 | # ERASECHAR Terminal ERASE character ('\010' = backspace).
130 | # KILLCHAR Terminal KILL character ('\025' = CTRL/U).
131 | # UMASK Default "umask" value.
132 | #
133 | # The ERASECHAR and KILLCHAR are used only on System V machines.
134 | #
135 | # UMASK is the default umask value for pam_umask and is used by
136 | # useradd and newusers to set the mode of the new home directories.
137 | # 022 is the "historical" value in Debian for UMASK
138 | # 027, or even 077, could be considered better for privacy
139 | # There is no One True Answer here : each sysadmin must make up his/her
140 | # mind.
141 | #
142 | # If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
143 | # for private user groups, i. e. the uid is the same as gid, and username is
144 | # the same as the primary group name: for these, the user permissions will be
145 | # used as group permissions, e. g. 022 will become 002.
146 | #
147 | # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
148 | #
149 | ERASECHAR 0177
150 | KILLCHAR 025
151 | UMASK 022
152 |
153 | #
154 | # Password aging controls:
155 | #
156 | # PASS_MAX_DAYS Maximum number of days a password may be used.
157 | # PASS_MIN_DAYS Minimum number of days allowed between password changes.
158 | # PASS_WARN_AGE Number of days warning given before a password expires.
159 | # (These defaults apply to accounts created afterwards; existing accounts keep their own aging values, see chage.)
160 | PASS_MAX_DAYS 90
161 | PASS_MIN_DAYS 7
162 | PASS_WARN_AGE 14
163 |
164 | #
165 | # Min/max values for automatic uid selection in useradd
166 | #
167 | UID_MIN 1000
168 | UID_MAX 60000
169 | # System accounts
170 | #SYS_UID_MIN 100
171 | #SYS_UID_MAX 999
172 |
173 | #
174 | # Min/max values for automatic gid selection in groupadd
175 | #
176 | GID_MIN 1000
177 | GID_MAX 60000
178 | # System accounts
179 | #SYS_GID_MIN 100
180 | #SYS_GID_MAX 999
181 |
182 | #
183 | # Max number of login retries if password is bad. This will most likely be
184 | # overridden by PAM, since the default pam_unix module has its own built-in
185 | # limit of 3 retries. However, this is a safe fallback in case you are using
186 | # an authentication module that does not enforce PAM_MAXTRIES.
187 | #
188 | LOGIN_RETRIES 3
189 |
190 | #
191 | # Max time in seconds for login
192 | #
193 | LOGIN_TIMEOUT 60
194 |
195 | #
196 | # Which fields may be changed by regular users using chfn - use
197 | # any combination of letters "frwh" (full name, room number, work
198 | # phone, home phone). If not defined, no changes are allowed.
199 | # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
200 | #
201 | CHFN_RESTRICT rwh
202 |
203 | #
204 | # Should login be allowed if we can't cd to the home directory?
205 | # Default is no.
206 | #
207 | DEFAULT_HOME no
208 |
209 | #
210 | # If defined, this command is run when removing a user.
211 | # It should remove any at/cron/print jobs etc. owned by
212 | # the user to be removed (passed as the first argument).
213 | #
214 | #USERDEL_CMD /usr/sbin/userdel_local
215 |
216 | #
217 | # Enable setting of the umask group bits to be the same as owner bits
218 | # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
219 | # the same as gid, and username is the same as the primary group name.
220 | #
221 | # If set to yes, userdel will remove the user's group if it contains no
222 | # more members, and useradd will create by default a group with the name
223 | # of the user.
224 | #
225 | USERGROUPS_ENAB yes
226 |
227 | #
228 | # Instead of the real user shell, the program specified by this parameter
229 | # will be launched, although its visible name (argv[0]) will be the shell's.
230 | # The program may do whatever it wants (logging, additional authentication,
231 | # banner, ...) before running the actual shell.
232 | #
233 | # FAKE_SHELL /bin/fakeshell
234 |
235 | #
236 | # If defined, either full pathname of a file containing device names or
237 | # a ":" delimited list of device names. Root logins will be allowed only
238 | # upon these devices.
239 | #
240 | # This variable is used by login and su.
241 | #
242 | #CONSOLE /etc/consoles
243 | #CONSOLE console:tty01:tty02:tty03:tty04
244 |
245 | #
246 | # List of groups to add to the user's supplementary group set
247 | # when logging in on the console (as determined by the CONSOLE
248 | # setting). Default is none.
249 | #
250 | # Use with caution - it is possible for users to gain permanent
251 | # access to these groups, even when not logged in on the console.
252 | # How to do it is left as an exercise for the reader...
253 | #
254 | # This variable is used by login and su.
255 | #
256 | #CONSOLE_GROUPS floppy:audio:cdrom
257 |
258 | #
259 | # If set to "yes", new passwords will be encrypted using the MD5-based
260 | # algorithm compatible with the one used by recent releases of FreeBSD.
261 | # It supports passwords of unlimited length and longer salt strings.
262 | # Set to "no" if you need to copy encrypted passwords to other systems
263 | # which don't understand the new algorithm. Default is "no".
264 | #
265 | # This variable is deprecated. You should use ENCRYPT_METHOD.
266 | #
267 | #MD5_CRYPT_ENAB no
268 |
269 | #
270 | # If set to MD5 , MD5-based algorithm will be used for encrypting password
271 | # If set to SHA256, SHA256-based algorithm will be used for encrypting password
272 | # If set to SHA512, SHA512-based algorithm will be used for encrypting password
273 | # If set to DES, DES-based algorithm will be used for encrypting password (default)
274 | # Overrides the MD5_CRYPT_ENAB option
275 | #
276 | # Note: It is recommended to use a value consistent with
277 | # the PAM modules configuration.
278 | #
279 | ENCRYPT_METHOD SHA512
280 |
281 | #
282 | # Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
283 | #
284 | # Define the number of SHA rounds.
285 | # With a lot of rounds, brute-forcing the password becomes more expensive.
286 | # But note also that more CPU resources will be needed to authenticate
287 | # users.
288 | #
289 | # If not specified, the libc will choose the default number of rounds (5000).
290 | # The values must be inside the 1000-999999999 range.
291 | # If only one of the MIN or MAX values is set, then this value will be used.
292 | # If MIN > MAX, the highest value will be used.
293 | #
294 | # SHA_CRYPT_MIN_ROUNDS 5000
295 | # SHA_CRYPT_MAX_ROUNDS 5000
296 |
297 | ################# OBSOLETED BY PAM ##############
298 | # #
299 | # These options are now handled by PAM. Please #
300 | # edit the appropriate file in /etc/pam.d/ to #
301 | # enable the equivalents of them.
302 | #
303 | ###############
304 |
305 | #MOTD_FILE
306 | #DIALUPS_CHECK_ENAB
307 | #LASTLOG_ENAB
308 | #MAIL_CHECK_ENAB
309 | #OBSCURE_CHECKS_ENAB
310 | #PORTTIME_CHECKS_ENAB
311 | #SU_WHEEL_ONLY
312 | #CRACKLIB_DICTPATH
313 | #PASS_CHANGE_TRIES
314 | #PASS_ALWAYS_WARN
315 | #ENVIRON_FILE
316 | #NOLOGINS_FILE
317 | #ISSUE_FILE
318 | #PASS_MIN_LEN
319 | #PASS_MAX_LEN
320 | #ULIMIT
321 | #ENV_HZ
322 | #CHFN_AUTH
323 | #CHSH_AUTH
324 | #FAIL_DELAY
325 |
326 | ################# OBSOLETED #######################
327 | # #
328 | # These options are no longer handled by shadow. #
329 | # #
330 | # Shadow utilities will display a warning if they #
331 | # still appear. #
332 | # #
333 | ###################################################
334 |
335 | # CLOSE_SESSIONS
336 | # LOGIN_STRING
337 | # NO_PASSWORD_CONSOLE
338 | # QMAIL_DIR
339 |
340 |
341 |
342 |
--------------------------------------------------------------------------------
/12.04-lts/postgresql/9.1/main/postgresql.conf:
--------------------------------------------------------------------------------
1 | # -----------------------------
2 | # PostgreSQL configuration file
3 | # -----------------------------
4 | #
5 | # This file consists of lines of the form:
6 | #
7 | # name = value
8 | #
9 | # (The "=" is optional.) Whitespace may be used. Comments are introduced with
10 | # "#" anywhere on a line. The complete list of parameter names and allowed
11 | # values can be found in the PostgreSQL documentation.
12 | #
13 | # The commented-out settings shown in this file represent the default values.
14 | # Re-commenting a setting is NOT sufficient to revert it to the default value;
15 | # you need to reload the server.
16 | #
17 | # This file is read on server startup and when the server receives a SIGHUP
18 | # signal. If you edit the file on a running system, you have to SIGHUP the
19 | # server for the changes to take effect, or use "pg_ctl reload". Some
20 | # parameters, which are marked below, require a server shutdown and restart to
21 | # take effect.
22 | #
23 | # Any parameter can also be given as a command-line option to the server, e.g.,
24 | # "postgres -c log_connections=on". Some parameters can be changed at run time
25 | # with the "SET" SQL command.
26 | #
27 | # Memory units: kB = kilobytes Time units: ms = milliseconds
28 | # MB = megabytes s = seconds
29 | # GB = gigabytes min = minutes
30 | # h = hours
31 | # d = days
32 |
33 |
34 | #------------------------------------------------------------------------------
35 | # FILE LOCATIONS
36 | #------------------------------------------------------------------------------
37 |
38 | # The default values of these variables are driven from the -D command-line
39 | # option or PGDATA environment variable, represented here as ConfigDir.
40 |
41 | data_directory = '/var/lib/postgresql/9.1/main' # use data in another directory
42 | # (change requires restart)
43 | hba_file = '/etc/postgresql/9.1/main/pg_hba.conf' # host-based authentication file
44 | # (change requires restart)
45 | ident_file = '/etc/postgresql/9.1/main/pg_ident.conf' # ident configuration file
46 | # (change requires restart)
47 |
48 | # If external_pid_file is not explicitly set, no extra PID file is written.
49 | external_pid_file = '/var/run/postgresql/9.1-main.pid' # write an extra PID file
50 | # (change requires restart)
51 |
52 |
53 | #------------------------------------------------------------------------------
54 | # CONNECTIONS AND AUTHENTICATION
55 | #------------------------------------------------------------------------------
56 |
57 | # - Connection Settings -
58 |
59 | listen_addresses = 'localhost' # what IP address(es) to listen on;
60 | # comma-separated list of addresses;
61 | # defaults to 'localhost', '*' = all
62 | # (change requires restart)
63 | port = 5432 # (change requires restart)
64 | max_connections = 100 # (change requires restart)
65 | # Note: Increasing max_connections costs ~400 bytes of shared memory per
66 | # connection slot, plus lock space (see max_locks_per_transaction).
67 |
68 | superuser_reserved_connections = 3 # (change requires restart)
69 | unix_socket_directory = '/var/run/postgresql' # (change requires restart)
70 | #unix_socket_group = '' # (change requires restart)
71 | #unix_socket_permissions = 0777 # begin with 0 to use octal notation
72 | # (change requires restart)
73 | bonjour = off # advertise server via Bonjour
74 | # (change requires restart)
75 | #bonjour_name = '' # defaults to the computer name
76 | # (change requires restart)
77 |
78 | # - Security and Authentication -
79 |
80 | authentication_timeout = 1min # 1s-600s
81 |
82 | # SSL disabled because Postgres is configured to only listen on the loopback network interface (listen_addresses above).
83 | # This is only safe while listen_addresses stays 'localhost'; if the listener is ever widened, re-enable ssl (and require hostssl in pg_hba.conf) -- the ssl_ciphers list below has no effect while ssl = off.
84 | ssl = off
85 | #ssl_cert_file = /etc/ssl/certs/server.crt
86 | #ssl_key_file = /etc/ssl/private/server.key
87 | #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
88 | ssl_ciphers = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH'
89 |
90 | #ssl_renegotiation_limit = 512MB # amount of data between renegotiations
91 | password_encryption = on
92 | #db_user_namespace = off
93 |
94 | # Kerberos and GSSAPI
95 | #krb_server_keyfile = ''
96 | #krb_srvname = 'postgres' # (Kerberos only)
97 | #krb_caseins_users = off
98 |
99 | # - TCP Keepalives -
100 | # see "man 7 tcp" for details
101 |
102 | #tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
103 | # 0 selects the system default
104 | #tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
105 | # 0 selects the system default
106 | #tcp_keepalives_count = 0 # TCP_KEEPCNT;
107 | # 0 selects the system default
108 |
109 |
110 | #------------------------------------------------------------------------------
111 | # RESOURCE USAGE (except WAL)
112 | #------------------------------------------------------------------------------
113 |
114 | # - Memory -
115 |
116 | shared_buffers = 24MB # min 128kB
117 | # (change requires restart)
118 | #temp_buffers = 8MB # min 800kB
119 | #max_prepared_transactions = 0 # zero disables the feature
120 | # (change requires restart)
121 | # Note: Increasing max_prepared_transactions costs ~600 bytes of shared memory
122 | # per transaction slot, plus lock space (see max_locks_per_transaction).
123 | # It is not advisable to set max_prepared_transactions nonzero unless you
124 | # actively intend to use prepared transactions.
125 |
126 | #work_mem = 1MB # min 64kB
127 | #maintenance_work_mem = 16MB # min 1MB
128 | #max_stack_depth = 2MB # min 100kB
129 |
130 | # - Kernel Resource Usage -
131 |
132 | #max_files_per_process = 1000 # min 25
133 | # (change requires restart)
134 | #shared_preload_libraries = '' # (change requires restart)
135 |
136 | # - Cost-Based Vacuum Delay -
137 |
138 | #vacuum_cost_delay = 0ms # 0-100 milliseconds
139 | #vacuum_cost_page_hit = 1 # 0-10000 credits
140 | #vacuum_cost_page_miss = 10 # 0-10000 credits
141 | #vacuum_cost_page_dirty = 20 # 0-10000 credits
142 | #vacuum_cost_limit = 200 # 1-10000 credits
143 |
144 | # - Background Writer -
145 |
146 | #bgwriter_delay = 200ms # 10-10000ms between rounds
147 | #bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round
148 | #bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round
149 |
150 | # - Asynchronous Behavior -
151 |
152 | #effective_io_concurrency = 1 # 1-1000. 0 disables prefetching
153 |
154 |
155 | #------------------------------------------------------------------------------
156 | # WRITE AHEAD LOG
157 | #------------------------------------------------------------------------------
158 |
159 | # - Settings -
160 |
161 | #wal_level = minimal # minimal, archive, or hot_standby
162 | # (change requires restart)
163 | #fsync = on # turns forced synchronization on or off
164 | #synchronous_commit = on # synchronization level; on, off, or local
165 | #wal_sync_method = fsync # the default is the first option
166 | # supported by the operating system:
167 | # open_datasync
168 | # fdatasync (default on Linux)
169 | # fsync
170 | # fsync_writethrough
171 | # open_sync
172 | #full_page_writes = on # recover from partial page writes
173 | #wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
174 | # (change requires restart)
175 | #wal_writer_delay = 200ms # 1-10000 milliseconds
176 |
177 | #commit_delay = 0 # range 0-100000, in microseconds
178 | #commit_siblings = 5 # range 1-1000
179 |
180 | # - Checkpoints -
181 |
182 | #checkpoint_segments = 3 # in logfile segments, min 1, 16MB each
183 | #checkpoint_timeout = 5min # range 30s-1h
184 | #checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
185 | #checkpoint_warning = 30s # 0 disables
186 |
187 | # - Archiving -
188 |
189 | #archive_mode = off # allows archiving to be done
190 | # (change requires restart)
191 | #archive_command = '' # command to use to archive a logfile segment
192 | #archive_timeout = 0 # force a logfile segment switch after this
193 | # number of seconds; 0 disables
194 |
195 |
196 | #------------------------------------------------------------------------------
197 | # REPLICATION
198 | #------------------------------------------------------------------------------
199 |
200 | # - Master Server -
201 |
202 | # These settings are ignored on a standby server
203 |
204 | #max_wal_senders = 0 # max number of walsender processes
205 | # (change requires restart)
206 | #wal_sender_delay = 1s # walsender cycle time, 1-10000 milliseconds
207 | #wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables
208 | #vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
209 | #replication_timeout = 60s # in milliseconds; 0 disables
210 | #synchronous_standby_names = '' # standby servers that provide sync rep
211 | # comma-separated list of application_name
212 | # from standby(s); '*' = all
213 |
214 | # - Standby Servers -
215 |
216 | # These settings are ignored on a master server
217 |
218 | #hot_standby = off # "on" allows queries during recovery
219 | # (change requires restart)
220 | #max_standby_archive_delay = 30s # max delay before canceling queries
221 | # when reading WAL from archive;
222 | # -1 allows indefinite delay
223 | #max_standby_streaming_delay = 30s # max delay before canceling queries
224 | # when reading streaming WAL;
225 | # -1 allows indefinite delay
226 | #wal_receiver_status_interval = 10s # send replies at least this often
227 | # 0 disables
228 | #hot_standby_feedback = off # send info from standby to prevent
229 | # query conflicts
230 |
231 |
232 | #------------------------------------------------------------------------------
233 | # QUERY TUNING
234 | #------------------------------------------------------------------------------
235 |
236 | # - Planner Method Configuration -
237 |
238 | #enable_bitmapscan = on
239 | #enable_hashagg = on
240 | #enable_hashjoin = on
241 | #enable_indexscan = on
242 | #enable_material = on
243 | #enable_mergejoin = on
244 | #enable_nestloop = on
245 | #enable_seqscan = on
246 | #enable_sort = on
247 | #enable_tidscan = on
248 |
249 | # - Planner Cost Constants -
250 |
251 | #seq_page_cost = 1.0 # measured on an arbitrary scale
252 | #random_page_cost = 4.0 # same scale as above
253 | #cpu_tuple_cost = 0.01 # same scale as above
254 | #cpu_index_tuple_cost = 0.005 # same scale as above
255 | #cpu_operator_cost = 0.0025 # same scale as above
256 | #effective_cache_size = 128MB
257 |
258 | # - Genetic Query Optimizer -
259 |
260 | #geqo = on
261 | #geqo_threshold = 12
262 | #geqo_effort = 5 # range 1-10
263 | #geqo_pool_size = 0 # selects default based on effort
264 | #geqo_generations = 0 # selects default based on effort
265 | #geqo_selection_bias = 2.0 # range 1.5-2.0
266 | #geqo_seed = 0.0 # range 0.0-1.0
267 |
268 | # - Other Planner Options -
269 |
270 | #default_statistics_target = 100 # range 1-10000
271 | #constraint_exclusion = partition # on, off, or partition
272 | #cursor_tuple_fraction = 0.1 # range 0.0-1.0
273 | #from_collapse_limit = 8
274 | #join_collapse_limit = 8 # 1 disables collapsing of explicit
275 | # JOIN clauses
276 |
277 |
278 | #------------------------------------------------------------------------------
279 | # ERROR REPORTING AND LOGGING
280 | #------------------------------------------------------------------------------
281 |
282 | # - Where to Log -
283 |
284 | #log_destination = 'stderr' # Valid values are combinations of
285 | # stderr, csvlog, syslog, and eventlog,
286 | # depending on platform. csvlog
287 | # requires logging_collector to be on.
288 |
289 | # This is used when logging to stderr:
290 | #logging_collector = off # Enable capturing of stderr and csvlog
291 | # into log files. Required to be on for
292 | # csvlogs.
293 | # (change requires restart)
294 |
295 | # These are only used if logging_collector is on:
296 | #log_directory = 'pg_log' # directory where log files are written,
297 | # can be absolute or relative to PGDATA
298 | #log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
299 | # can include strftime() escapes
300 | #log_file_mode = 0600 # creation mode for log files,
301 | # begin with 0 to use octal notation
302 | #log_truncate_on_rotation = off # If on, an existing log file with the
303 | # same name as the new log file will be
304 | # truncated rather than appended to.
305 | # But such truncation only occurs on
306 | # time-driven rotation, not on restarts
307 | # or size-driven rotation. Default is
308 | # off, meaning append to existing files
309 | # in all cases.
310 | #log_rotation_age = 1d # Automatic rotation of logfiles will
311 | # happen after that time. 0 disables.
312 | #log_rotation_size = 10MB # Automatic rotation of logfiles will
313 | # happen after that much log output.
314 | # 0 disables.
315 |
316 | # These are relevant when logging to syslog:
317 | #syslog_facility = 'LOCAL0'
318 | #syslog_ident = 'postgres'
319 |
320 | #silent_mode = off # Run server silently.
321 | # DO NOT USE without syslog or
322 | # logging_collector
323 | # (change requires restart)
324 |
325 |
326 | # - When to Log -
327 |
328 | #client_min_messages = notice # values in order of decreasing detail:
329 | # debug5
330 | # debug4
331 | # debug3
332 | # debug2
333 | # debug1
334 | # log
335 | # notice
336 | # warning
337 | # error
338 |
339 | #log_min_messages = warning # values in order of decreasing detail:
340 | # debug5
341 | # debug4
342 | # debug3
343 | # debug2
344 | # debug1
345 | # info
346 | # notice
347 | # warning
348 | # error
349 | # log
350 | # fatal
351 | # panic
352 |
353 | #log_min_error_statement = error # values in order of decreasing detail:
354 | # debug5
355 | # debug4
356 | # debug3
357 | # debug2
358 | # debug1
359 | # info
360 | # notice
361 | # warning
362 | # error
363 | # log
364 | # fatal
365 | # panic (effectively off)
366 |
367 | #log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
368 | # and their durations, > 0 logs only
369 | # statements running at least this number
370 | # of milliseconds
371 |
372 |
373 | # - What to Log -
374 |
375 | #debug_print_parse = off
376 | #debug_print_rewritten = off
377 | #debug_print_plan = off
378 | #debug_pretty_print = on
379 | #log_checkpoints = off
380 | #log_connections = off
381 | #log_disconnections = off
382 | #log_duration = off
383 | #log_error_verbosity = default # terse, default, or verbose messages
384 | #log_hostname = off
385 | log_line_prefix = '%t ' # special values:
386 | # %a = application name
387 | # %u = user name
388 | # %d = database name
389 | # %r = remote host and port
390 | # %h = remote host
391 | # %p = process ID
392 | # %t = timestamp without milliseconds
393 | # %m = timestamp with milliseconds
394 | # %i = command tag
395 | # %e = SQL state
396 | # %c = session ID
397 | # %l = session line number
398 | # %s = session start timestamp
399 | # %v = virtual transaction ID
400 | # %x = transaction ID (0 if none)
401 | # %q = stop here in non-session
402 | # processes
403 | # %% = '%'
404 | # e.g. '<%u%%%d> '
405 | #log_lock_waits = off # log lock waits >= deadlock_timeout
406 | #log_statement = 'none' # none, ddl, mod, all
407 | #log_temp_files = -1 # log temporary files equal or larger
408 | # than the specified size in kilobytes;
409 | # -1 disables, 0 logs all temp files
410 | #log_timezone = '(defaults to server environment setting)'
411 |
412 |
413 | #------------------------------------------------------------------------------
414 | # RUNTIME STATISTICS
415 | #------------------------------------------------------------------------------
416 |
417 | # - Query/Index Statistics Collector -
418 |
419 | #track_activities = on
420 | #track_counts = on
421 | #track_functions = none # none, pl, all
422 | #track_activity_query_size = 1024 # (change requires restart)
423 | #update_process_title = on
424 | #stats_temp_directory = 'pg_stat_tmp'
425 |
426 |
427 | # - Statistics Monitoring -
428 |
429 | #log_parser_stats = off
430 | #log_planner_stats = off
431 | #log_executor_stats = off
432 | #log_statement_stats = off
433 |
434 |
435 | #------------------------------------------------------------------------------
436 | # AUTOVACUUM PARAMETERS
437 | #------------------------------------------------------------------------------
438 |
439 | #autovacuum = on # Enable autovacuum subprocess? 'on'
440 | # requires track_counts to also be on.
441 | #log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
442 | # their durations, > 0 logs only
443 | # actions running at least this number
444 | # of milliseconds.
445 | #autovacuum_max_workers = 3 # max number of autovacuum subprocesses
446 | # (change requires restart)
447 | #autovacuum_naptime = 1min # time between autovacuum runs
448 | #autovacuum_vacuum_threshold = 50 # min number of row updates before
449 | # vacuum
450 | #autovacuum_analyze_threshold = 50 # min number of row updates before
451 | # analyze
452 | #autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
453 | #autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
454 | #autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
455 | # (change requires restart)
456 | #autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for
457 | # autovacuum, in milliseconds;
458 | # -1 means use vacuum_cost_delay
459 | #autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
460 | # autovacuum, -1 means use
461 | # vacuum_cost_limit
462 |
463 |
464 | #------------------------------------------------------------------------------
465 | # CLIENT CONNECTION DEFAULTS
466 | #------------------------------------------------------------------------------
467 |
468 | # - Statement Behavior -
469 |
470 | #search_path = '"$user",public' # schema names
471 | #default_tablespace = '' # a tablespace name, '' uses the default
472 | #temp_tablespaces = '' # a list of tablespace names, '' uses
473 | # only default tablespace
474 | #check_function_bodies = on
475 | #default_transaction_isolation = 'read committed'
476 | #default_transaction_read_only = off
477 | #default_transaction_deferrable = off
478 | #session_replication_role = 'origin'
479 | #statement_timeout = 0 # in milliseconds, 0 is disabled
480 | #vacuum_freeze_min_age = 50000000
481 | #vacuum_freeze_table_age = 150000000
482 | #bytea_output = 'hex' # hex, escape
483 | #xmlbinary = 'base64'
484 | #xmloption = 'content'
485 |
486 | # - Locale and Formatting -
487 |
488 | datestyle = 'iso, mdy'
489 | #intervalstyle = 'postgres'
490 | #timezone = '(defaults to server environment setting)'
491 | #timezone_abbreviations = 'Default' # Select the set of available time zone
492 | # abbreviations. Currently, there are
493 | # Default
494 | # Australia
495 | # India
496 | # You can create your own file in
497 | # share/timezonesets/.
498 | #extra_float_digits = 0 # min -15, max 3
499 | #client_encoding = sql_ascii # actually, defaults to database
500 | # encoding
501 |
502 | # These settings are initialized by initdb, but they can be changed.
503 | lc_messages = 'en_US.UTF-8' # locale for system error message
504 | # strings
505 | lc_monetary = 'en_US.UTF-8' # locale for monetary formatting
506 | lc_numeric = 'en_US.UTF-8' # locale for number formatting
507 | lc_time = 'en_US.UTF-8' # locale for time formatting
508 |
509 | # default configuration for text search
510 | default_text_search_config = 'pg_catalog.english'
511 |
512 | # - Other Defaults -
513 |
514 | #dynamic_library_path = '$libdir'
515 | #local_preload_libraries = ''
516 |
517 |
518 | #------------------------------------------------------------------------------
519 | # LOCK MANAGEMENT
520 | #------------------------------------------------------------------------------
521 |
522 | #deadlock_timeout = 1s
523 | #max_locks_per_transaction = 64 # min 10
524 | # (change requires restart)
525 | # Note: Each lock table slot uses ~270 bytes of shared memory, and there are
526 | # max_locks_per_transaction * (max_connections + max_prepared_transactions)
527 | # lock table slots.
528 | #max_pred_locks_per_transaction = 64 # min 10
529 | # (change requires restart)
530 |
531 | #------------------------------------------------------------------------------
532 | # VERSION/PLATFORM COMPATIBILITY
533 | #------------------------------------------------------------------------------
534 |
535 | # - Previous PostgreSQL Versions -
536 |
537 | #array_nulls = on
538 | #backslash_quote = safe_encoding # on, off, or safe_encoding
539 | #default_with_oids = off
540 | #escape_string_warning = on
541 | #lo_compat_privileges = off
542 | #quote_all_identifiers = off
543 | #sql_inheritance = on
544 | #standard_conforming_strings = on
545 | #synchronize_seqscans = on
546 |
547 | # - Other Platforms and Clients -
548 |
549 | #transform_null_equals = off
550 |
551 |
552 | #------------------------------------------------------------------------------
553 | # ERROR HANDLING
554 | #------------------------------------------------------------------------------
555 |
556 | #exit_on_error = off # terminate session on any error?
557 | #restart_after_crash = on # reinitialize after backend crash?
558 |
559 |
560 | #------------------------------------------------------------------------------
561 | # CUSTOMIZED OPTIONS
562 | #------------------------------------------------------------------------------
563 |
564 | #custom_variable_classes = '' # list of custom variable class names
565 |
--------------------------------------------------------------------------------
/14.04-lts/cron.daily/aide:
--------------------------------------------------------------------------------
#!/bin/bash

# Daily cron wrapper around aide.
# Abort on the first failing command and refuse to clobber existing files
# with '>' redirections.
set -eC

# The fully-qualified host name is used later in the report's mail subject;
# a host that cannot report its own FQDN is treated as a hard error.
FQDN="$(hostname -f)"
if [[ -z $FQDN ]]; then
  echo >&2 "error determining FQDN: hostname -f does not give output"
  hostname -f >&2
  exit 1
fi
# Handler installed below for the INT and ERR traps.
#
# Arguments: $1 - which trap fired ("INT" or "ERR"); forwarded to onexit.
#
# Both traps are disarmed first so the handler is not re-entered.  If this
# run holds the lock (LOCKED is expected to be set once the lock file has
# been acquired), any running aide is killed; note that pidof matches every
# process named aide, not only the one started by this run.  Control then
# passes to onexit (not defined in this excerpt) for the remaining cleanup.
traphandler() {
  local fired="$1"
  trap - INT ERR
  if [[ -n ${LOCKED:-} ]]; then
    # we own the lock: do not leave an aide child running behind us
    pidof aide | xargs --no-run-if-empty kill -9
  fi
  onexit signal "$fired"
  return 0
}
24 | trap ' traphandler INT; trap - INT ERR' INT
25 | trap ' traphandler ERR; trap - INT ERR' ERR
26 |
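# bail if no aide binary found

# Nothing to do on a host without aide; leave with status 0 so cron stays quiet.
if ! [ -f /usr/bin/aide ] && ! [ -f /usr/sbin/aide ]; then
  exit 0
fi

# default variables

# Fixed PATH: the cron environment is minimal, and an inherited PATH must
# not decide which aide/savelog/mail binaries get executed as root.
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
LOGDIR="/var/log/aide"
# LOGFILE: /var/log/aide/aide.log - all logs untruncated (not temp)
LOGFILE="$LOGDIR/aide.log"
CONFFILE="/var/lib/aide/aide.conf.autogenerated"
PREFIX="aide"
TMPBASE="/run/aide"
LOCKFILE="$TMPBASE/cron.daily.lock"
TMPDIRIN="$TMPBASE/cron.daily"
# Rotate the log with savelog when available; onexit() otherwise falls
# back to a dated log file plus a symlink.
USE_SAVELOG=""
if command -v savelog > /dev/null; then
  USE_SAVELOG="1"
fi

AIDEARGS="-V4"
MAILSUBJ="Daily AIDE report for $FQDN"

DATE="$(date +"%Y-%m-%d %H:%M")"
BEGINSTAMP="$(date +"%Y-%m-%d %H:%M:%S")"

# make sure $TMPBASE exists

# All work files live under $TMPBASE; it is created root-owned and private
# so no other user can pre-create or swap the files written there.
if ! [ -d "$TMPBASE" ]; then
  mkdir -p -- "$TMPBASE"
  chown -- root:root "$TMPBASE"
  # NOTE(review): 600 on a directory lacks the execute bit; root is not
  # affected, but 700 is the conventional mode for a private directory.
  chmod -- 600 "$TMPBASE"
fi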
62 |
# have /etc/default/aide override variables

# The defaults file is sourced as shell code and may override any variable
# set above (MAILTO, COMMAND, COPYNEWDB, ...). Whatever it contains runs as
# root, so it has to stay writable by root only.
[ ! -f /etc/default/aide ] || . /etc/default/aide

# from here on, we're going to bail on unbound variables

set -u

# umask

# Everything created from here on (log, work files) is readable by root only.
umask 077
76 |
# grep aide configuration data from aide config

# Regenerate the autogenerated aide.conf, then read the database locations
# back out of it. Only "file:" URLs are recognised; the text after the first
# ':' is taken as the path.
update-aide.conf

# Print the path of the first "<key> = file:/..." line in $CONFFILE.
# Arguments: $1 - configuration key (database or database_out)
conf_file_path() {
  grep "^$1[[:space:]]*=[[:space:]]*file:/" < "$CONFFILE" \
    | head -n 1 \
    | cut --delimiter=: --fields=2
}

DATABASE="$(conf_file_path database)"
DATABASE_OUT="$(conf_file_path database_out)"

# "grouped = no|false" disables grouping of added/removed/changed entries in
# the filtered report; any other value (or no setting) means grouped.
if grep -qE "^grouped[[:space:]]*=[[:space:]]*(no|false)[[:space:]]*$" < "$CONFFILE"; then
  GROUPED="false"
else
  GROUPED="true"
fi
84 |
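# default values

CRON_DAILY_RUN="${CRON_DAILY_RUN:-yes}"
MAILTO="${MAILTO:-root}"
# NOTE(review): the configured MAILTO is evaluated as shell code (so that
# expansions in /etc/default/aide take effect). This is only acceptable
# because that file is root-owned; never feed MAILTO from anywhere else.
eval MAILTO="$MAILTO"
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
# LINES: maximum number of log lines reproduced in the mail (0 = unlimited)
LINES="${LINES:-1000}"
COMMAND="${COMMAND:-check}"
COPYNEWDB="${COPYNEWDB:-no}"
QUIETREPORTS="${QUIETREPORTS:-no}"
SILENTREPORTS="${SILENTREPORTS:-no}"
TRUNCATEDETAILS="${TRUNCATEDETAILS:-no}"
FILTERUPDATES="${FILTERUPDATES:-no}"
FILTERINSTALLATIONS="${FILTERINSTALLATIONS:-no}"
CRONEXITHOOK="${CRONEXITHOOK:-}"
# ONEXIT: re-entrancy guard for onexit()
ONEXIT=""

# silent implies quiet
if [ "$SILENTREPORTS" = "yes" ]; then
  QUIETREPORTS="yes"
fi

# Get the database's date
# Used by the package filter: only packages changed after the database was
# written can explain a reported difference. Quoted so a path containing
# blanks or glob characters is handled as one argument.
DATABASEDATE=""
if [ -f "$DATABASE" ]; then
  DATABASEDATE="$(stat -c %y "$DATABASE" | sed -e "s/\..*//")"
fi

# Force TRUNCATEDETAILS when filter updates/installations
if [ "$FILTERUPDATES" = "yes" ] || [ "$FILTERINSTALLATIONS" = "yes" ] ; then
  TRUNCATEDETAILS="yes"
fi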
117 |
118 | # functions
119 |
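# Create (or reuse) a work file under $TMPDIR and print its path.
# File names are fixed rather than random on purpose: $TMPDIR is private to
# root (umask 077) and the files must be excludable from the aide scan.
# Globals:   TMPDIR (read)
# Arguments: $1 - file name relative to $TMPDIR
# Outputs:   full path on stdout, only once the file exists
# Returns:   touch's exit status
mytempfile() {
  local name="$1"
  local path="$TMPDIR/$name"
  # Create first, print second: a caller capturing the path then never sees
  # a path whose file does not exist. Plain variables, no globals leaked.
  touch -- "$path" || return
  printf '%s\n' "$path"
}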
125 |
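# Read lines from stdin and print them centred in a 78-column box of
# asterisks (used for eye-catching headings in the log and the mail).
# The padding is computed with printf widths instead of slicing a literal
# string of blanks, so it cannot break when that literal is too short, and
# lines wider than the 76-column interior are cut to fit instead of
# spilling out of the frame.
# Inputs:  text lines on stdin (a last line without newline is framed too)
# Outputs: framed text on stdout
frame() {
  local -r width=78
  local -r inner=$((width - 2))
  local stars line len lpad rpad
  stars="$(printf '%*s' "$width" '' | tr ' ' '*')"
  printf '%s\n' "$stars"
  # -r keeps backslashes literal; default IFS still trims surrounding blanks
  while read -r line || [ -n "$line" ]; do
    line="${line:0:$inner}"
    len=${#line}
    lpad=$(( (inner - len) / 2 ))
    rpad=$(( inner - len - lpad ))
    printf '*%*s%s%*s*\n' "$lpad" '' "$line" "$rpad" ''
  done
  printf '%s\n' "$stars"
}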
138 |
# Finish the cron job: write the report to the log file, build and send the
# mail, run the optional CRONEXITHOOK and release the lock. Called on
# success, on every fatal path and from traphandler() on INT/ERR.
#
# Two modes: when TMPDIR/MAILFILE are not yet set (failure before the work
# directory existed) only a syslog line and a short mail are produced;
# otherwise the full report is assembled from the work files in $TMPDIR.
#
# Globals:   ONEXIT (re-entrancy guard, written), TMPDIR, MAILFILE, LOGFILE,
#            ERRORLOG, ARUNLOG, AERRLOG, POSTRUNLOG, DBCHECKLOG, ARETVAL,
#            BEGINTIME, BEGINSTAMP, LINES, NOISE, TRUNCATEDETAILS,
#            FILTERUPDATES, FILTERINSTALLATIONS, GROUPED, DATABASEDATE,
#            MAILTO, MAILSUBJ, QUIETREPORTS, SILENTREPORTS, USE_SAVELOG,
#            CRONEXITHOOK, LOCKED, LOCKFILE, TMPDIRIN
# Arguments: $1 - reason: signal|fatal|nolock|cantmovetmp|nohook|
#                 cantcreatetmp|success (anything else is reported as unknown)
#            $2 - signal name, only when $1 is "signal"
# Returns:   0; 1 when re-entered while a previous call is still running
onexit() {
  # Re-entrancy guard: a failing command inside this function fires the ERR
  # trap, which would call onexit again through traphandler().
  if [ "$ONEXIT" = "running" ]; then
    return 1
  fi

  ONEXIT="running"

  local LOGHEAD
  local MAILHEAD

  # The reason is handed to CRONEXITHOOK as its single argument, prefixed
  # with "early-" when we had not finished initializing.
  CRONEXITHOOKPARM="$1"
  case "$1" in
  signal)
    LOGHEAD="$(printf "terminated with signal %s" "$2")"
    MAILHEAD="$(printf "The cron job was terminated with signal %s" "$2")"
    ;;
  fatal)
    LOGHEAD="$(printf "terminated by fatal error.")"
    MAILHEAD="$(printf "The cron job was terminated by a fatal error.")"
    ;;
  nolock)
    LOGHEAD="$(printf "terminated because lock %s could not be obtained." "$LOCKFILE")"
    MAILHEAD="$(printf "The cron job was terminated because lock %s could not be obtained." "$LOCKFILE")"
    ;;
  cantmovetmp)
    LOGHEAD="$(printf "terminated: Cannot move away %s." "$TMPDIRIN")"
    MAILHEAD="$(printf "The cron job was terminated: Cannot move away %s." "$TMPDIRIN")"
    ;;
  nohook)
    LOGHEAD="$(printf "terminated: CRONEXITHOOK set to %s which is not executeable." "$CRONEXITHOOK")"
    MAILHEAD="$(printf "The cron job was terminated: CRONEXITHOOK set to %s which is not executeable." "$CRONEXITHOOK")"
    ;;
  cantcreatetmp)
    LOGHEAD="$(printf "terminated: Cannot create temporary directory %s." "$TMPDIRIN")"
    MAILHEAD="$(printf "The cron job was terminated: Cannot create temporary directory %s." "$TMPDIRIN")"
    ;;
  success)
    ;;
  *)
    LOGHEAD="$(printf "wrong parameter (\"%s\") to onexit." "$1")"
    MAILHEAD="$(printf "The cron job was terminated for unknown reasons, and a wrong parameter (\"%s\")was given to onexit." "$1")"
    CRONEXITHOOKPARM="unknown"
    ;;
  esac

  if [ -z "${TMPDIR:-}" ] || [ -z "${MAILFILE:-}" ]; then
    # we are being called so early that we are not yet fully initialized
    # LOGHEAD goes to syslog instead of LOGFILE since we do not know
    # what's up with LOGFILE
    logger -t aide-cron-daily "$LOGHEAD"
    if [ "$SILENTREPORTS" != "yes" ]; then
      echo "$MAILHEAD" | mail -s "premature termination - $MAILSUBJ" "$MAILTO"
    fi
    CRONEXITHOOKPARM="early-$CRONEXITHOOKPARM"
  else
    # we are being called after the cron job was properly set up.
    # Do the full works.

    # Rotate the previous log (savelog keeps 7 generations, group adm, 0640);
    # without savelog, write a dated file and point the fixed name at it.
    if [ "$USE_SAVELOG" = "1" ] || [ "$USE_SAVELOG" = "yes" ]; then
      savelog -t -g adm -m 640 -u root -c 7 "$LOGFILE" > /dev/null
    else
      LOGFILEWDATE="${LOGFILE}-$(date +%Y%m%d-%H%M%S)"
      ln -sf $LOGFILEWDATE $LOGFILE
      LOGFILE="${LOGFILEWDATE}"
    fi

    printf >> "$MAILFILE" \
"This is an automated report generated by the Advanced Intrusion Detection
Environment on %s started at %s.\n\n" "$FQDN" "$BEGINSTAMP"

    printf >> "$LOGFILE" \
"aide run on %s started at %s.\n" "$FQDN" "$BEGINSTAMP"

    # NOTE(review): LOGHEAD/MAILHEAD are used as printf format strings; they
    # embed $LOCKFILE, $TMPDIRIN or $CRONEXITHOOK, so a '%' in one of those
    # paths would be interpreted by printf. '%s' with the text as argument
    # would avoid that.
    if [ -n "${LOGHEAD:-}" ]; then
      printf "$LOGHEAD\n" | frame >> "$LOGFILE"
      printf "\n" >> "$LOGFILE"
    fi
    if [ -n "${MAILHEAD:-}" ]; then
      printf "$MAILHEAD\n" | frame >> "$MAILFILE"
      printf "\n\n" >> "$MAILFILE"
    fi

    # report about AIDE's return value

    # Codes 1-7 combine added (1), removed (2) and changed (4) entries;
    # 14-18 are aide error conditions; -1 means aide never returned.
    if [ -n "${ARETVAL:-}" ]; then
      ARETEXPL=""
      ARETERR=""
      PREFIX="$(printf "AIDE returned with exit code %d." "$ARETVAL")"
      case "$ARETVAL" in
      -1)
        PREFIX=""
        ARETERR="the cron job was interrupted before AIDE could return an exit code.";;
      0)
        PREFIX="AIDE returned with a zero exit code."
        ARETEXPL="No changes detected!";;
      1)
        ARETEXPL="Added entries detected!";;
      2)
        ARETEXPL="Removed entries detected!";;
      3)
        ARETEXPL="Added and removed entries detected!";;
      4)
        ARETEXPL="Changed entries detected!";;
      5)
        ARETEXPL="Added and changed entries detected!";;
      6)
        ARETEXPL="Removed and changed entries detected!";;
      7)
        ARETEXPL="Added, removed and changed entries detected!";;
      14)
        ARETERR="Error writing!";;
      15)
        ARETERR="Invalid Argument!";;
      16)
        ARETERR="Unimplemented function!";;
      17)
        ARETERR="Invalid configuration!";;
      18)
        ARETERR="Input/Output error!";;
      *)
        ARETERR="$(printf "AIDE returned an unknown non-zero exit value\nexit value is %d\n\n" "$ARETVAL")";;
      esac
      # Explanations go in plain; errors are framed to stand out.
      if [ -n "$ARETEXPL" ]; then
        echo "$PREFIX $ARETEXPL" >> "$MAILFILE"
        echo "$PREFIX $ARETEXPL" >> "$LOGFILE"
      fi
      if [ -n "$ARETERR" ]; then
        echo "$PREFIX $ARETERR" | frame >> "$MAILFILE"
        echo "$PREFIX $ARETERR" | frame >> "$LOGFILE"
      fi
      unset ARETEXPL
      unset ARETERR
      unset PREFIX
    else
      # ARETVAL unset: the job died before the aide run was even set up.
      ARETEXPL="ARETVAL not initialized. cron job was aborted prematurely."
      ARETVAL=255
      echo $ARETEXPL | frame >> "$LOGFILE"
      echo $ARETEXPL | frame >> "$MAILFILE"
      unset ARETEXPL
      printf "\n" >> "$LOGFILE"
      printf "\n\n" >> "$MAILFILE"
    fi

    # script errors

    # ERRORLOG holds messages from this script itself (not from aide).
    if [ -n "${ERRORLOG:-}" ] && [ -s "$ERRORLOG" ]; then
      printf "script errors\n" | frame >> "$MAILFILE"
      < "$ERRORLOG" cat >> "$MAILFILE"
      printf "End of script errors\n\n" >> "$MAILFILE"

      printf "script errors\n" | frame >> "$LOGFILE"
      < "$ERRORLOG" cat >> "$LOGFILE"
      printf "End of script errors\n" >> "$LOGFILE"
    fi

    # aide post run information

    if [ -n "${POSTRUNLOG:-}" ] && [ -s "$POSTRUNLOG" ]; then
      printf "AIDE post run information\n" >> "$MAILFILE"
      < "$POSTRUNLOG" cat >> "$MAILFILE"
      printf "End of AIDE post run information\n\n" >> "$MAILFILE"

      printf "AIDE post run information\n" >> "$LOGFILE"
      < "$POSTRUNLOG" cat >> "$LOGFILE"
      printf "End of AIDE post run information\n" >> "$LOGFILE"
    fi

    # include error log in daily report e-mail

    # AERRLOG is aide's stderr. The mail gets at most $LINES of it (0 means
    # unlimited); the log file always gets everything.
    if [ -n "${AERRLOG:-}" ] && [ -s "$AERRLOG" ]; then
      errorlines="$(wc -l "$AERRLOG" | awk '{ print $1 }')"
      if [ "$LINES" -gt "0" ] && [ "${errorlines:=0}" -gt "$LINES" ]; then
        printf "AIDE has returned many errors.\nthe error log output has been truncated in this mail\n" | \
          frame >> "$MAILFILE"
        printf >> "$MAILFILE" "Error output is %d lines, truncated to %d.\n" "$errorlines" "$LINES"
        < "$AERRLOG" head -n "$LINES" >> "$MAILFILE"
        printf >> "$MAILFILE" "\nEnd of truncated AIDE error output. The full output can be found in %s.\n\n" "$LOGFILE"
      else
        printf >> "$MAILFILE" "Errors produced (%d lines):\n" "$errorlines"
        < "$AERRLOG" cat >> "$MAILFILE"
        printf >> "$MAILFILE" "\nEnd of AIDE error output.\n\n"
      fi
      printf >> "$LOGFILE" "AIDE error output (%d lines):\n" "$errorlines"
      < "$AERRLOG" cat >> "$LOGFILE"
      printf >> "$LOGFILE" "End of AIDE error output\n"
    else
      printf >> "$MAILFILE" "AIDE produced no errors.\n\n"
      printf >> "$LOGFILE" "AIDE produced no errors.\n"
    fi


    # finish log file
    # The log file receives aide's complete, unfiltered stdout.
    if [ -n "${ARUNLOG:-}" ] && [ -s "$ARUNLOG" ]; then
      printf >> "$LOGFILE" "AIDE output (%d lines):\n" "$(wc -l "$ARUNLOG" | awk '{ print $1 }')"
      < "$ARUNLOG" cat >> "$LOGFILE"
      printf >> "$LOGFILE" "End of AIDE output.\n\n"
    else
      printf >> "$LOGFILE" "AIDE detected no changes.\n\n"
    fi

    if [ -n "${DBCHECKLOG:-}" ] && [ -s "$DBCHECKLOG" ]; then
      < "$DBCHECKLOG" cat >> "$LOGFILE"
    fi

    ENDTIME="$(date +%s)"

    printf >> "$LOGFILE" "End of AIDE daily cron job at %s, run time %d seconds\n" "$(date +"%Y-%m-%d %H:%M" -d@$ENDTIME)" "$(( $ENDTIME - $BEGINTIME ))"

    # The log is now complete; its checksum is quoted in the mail so the
    # recipient can verify the on-disk log matches what was summarized.
    # (LOGFILE is unquoted here; it is a fixed path set above.)
    LOGFILE_CHECKSUM="$(sha256sum $LOGFILE)"

    # include de-noised log into mail

    if [ -n "${ARUNLOG:-}" ] && [ -s "$ARUNLOG" ]; then

      # MAIL_MODE: bit 1 = details truncated, bit 2 = package changes filtered
      MAIL_MODE=0

      # truncate details
      # Only exit codes that include "changed" (4-7) carry a detail section
      # worth dropping from the mail.
      if [ "$TRUNCATEDETAILS" = "yes" ] ; then
        case "$ARETVAL" in
        4|5|6|7)
          MAILTMP="$(mytempfile aidemail)"
          < $ARUNLOG sed '/^Detailed information about changes:$/,/^The attributes of the (uncompressed) database(s):$/{/^The attributes of the (uncompressed) database(s):$/!d}' >> "$MAILTMP"
          MAIL_MODE=1
          ;;
        *)
          MAILTMP="$ARUNLOG"
          ;;
        esac

        # Filter package upgrades/installations

        # Figure out where the dpkg log file is
        DPKGLOG="$(< /etc/dpkg/dpkg.cfg grep "^log" | head -n 1 | cut -d ' ' -f 2)"

        if ( [ "$FILTERUPDATES" = "yes" ] || [ "$FILTERINSTALLATIONS" = "yes" ] ) && [ -s "$DPKGLOG" ]; then

          # Create a list of files modified by system updates
          if ( [ "$FILTERUPDATES" = "yes" ] && [ "$FILTERINSTALLATIONS" = "yes" ] ) ; then FILTER="install|upgrade"
          elif [ "$FILTERUPDATES" = "yes" ]; then FILTER="upgrade"
          else FILTER="install"
          fi
          PKG_FILE_LIST="$(mytempfile pkg_file_list)"
          # dpkg.log line: "<date> <time> <action> <package> <old> <new>";
          # match 1 = timestamp, 2 = action, 3 = package name.
          REGEX="^([^ ]+ [^ ]+) ("$FILTER") ([^ ]+) [^ ]+ [^ ]+$"
          pkgs=
          # Only package actions newer than the database can explain a
          # difference; collect the files those packages own (plus their
          # /var/lib/dpkg/info metadata, trying the name without an
          # architecture suffix when the full name has no files).
          while read line; do
            if [[ $line =~ $REGEX ]] && [[ "$DATABASEDATE" < ${BASH_REMATCH[1]} ]]; then
              if dpkg-query -L ${BASH_REMATCH[3]} > /dev/null 2>&1; then
                pkgs+="${BASH_REMATCH[3]} (${BASH_REMATCH[2]})\n"
                dpkg-query -L ${BASH_REMATCH[3]} | sed -e "/^$/d" -e "/\/\./d" >> "$PKG_FILE_LIST"
                if ! ls /var/lib/dpkg/info/${BASH_REMATCH[3]}.* >> "$PKG_FILE_LIST" 2>/dev/null; then
                  ls /var/lib/dpkg/info/${BASH_REMATCH[3]%:*}.* >> "$PKG_FILE_LIST"
                fi
              fi
            fi
          done < "$DPKGLOG"

          if [ -n "$pkgs" ]; then
            FILTEREDMAIL=$(mytempfile filteredmail)
            let MAIL_MODE=MAIL_MODE+2
            # ADD/REM/CHG count all entries, N_* those not explained by a
            # package change; NF_* collect the unexplained lines.
            ADD=0; REM=0; CHG=0
            N_ADD=0; N_REM=0; N_CHG=0
            declare -a NF_ADD NF_REM NF_CHG
            # NOTE(review): assigning a scalar puts the literal "0" at index 0
            # of each array, so ${#NF_*[@]} is never 0 and the "0" is printed
            # as the first entry of each section below. Looks unintentional;
            # confirm against a real filtered report.
            NF_ADD=0; NF_REM=0; NF_CHG=0
            # match 1 = "added"/"removed"/"changed" or an aide attribute
            # summary (type char + 16 attribute flags), match 2 = path.
            REGEX="^(changed|removed|added|[fdLDBFs?!][ :l<>=bpugamcinCAXSE.+-]{16}): (.*)"
            BACKUPIFS="$IFS"
            IFS=""
            while read -r line; do
              if [[ $line =~ $REGEX ]] ; then
                # keep the line unless its path is owned by a changed package
                [ -z "$(grep -xF "${BASH_REMATCH[2]}" "$PKG_FILE_LIST")" ] && DONTFILTER_FILE=true || DONTFILTER_FILE=false
                case "${BASH_REMATCH[1]}" in
                added|[fdLDBFs?]++++++++++++++++)
                  ((ADD++)) || true
                  if $DONTFILTER_FILE; then
                    ((N_ADD++)) || true
                    if $GROUPED; then
                      NF_ADD[${#NF_ADD[*]}]="$line"
                    else
                      NF_CHG[${#NF_CHG[*]}]="$line"
                    fi
                  fi
                  ;;
                removed|[fdLDBFs?]----------------)
                  ((REM++)) || true
                  if $DONTFILTER_FILE; then
                    ((N_REM++)) || true
                    if $GROUPED; then
                      NF_REM[${#NF_REM[*]}]="$line"
                    else
                      NF_CHG[${#NF_CHG[*]}]="$line"
                    fi
                  fi
                  ;;
                changed|[fdLDBFs?!]*)
                  ((CHG++)) || true
                  if $DONTFILTER_FILE; then
                    ((N_CHG++)) || true
                    NF_CHG[${#NF_CHG[*]}]="$line"
                  fi
                  ;;
                *)
                  printf >> "$FILTEREDMAIL" "error: '%s' could not be matched, mail report is incomplete (full output can be found in %s)!! Please file a bug report against the aide-common package and include this error message.\n" "${BASH_REMATCH[1]}" "$LOGFILE"
                  ;;
                esac
              fi
            done < "$MAILTMP"
            IFS=$BACKUPIFS
            # F_* = entries explained (filtered) by package changes
            let F_ADD=$ADD-$N_ADD || true
            let F_REM=$REM-$N_REM || true
            let F_CHG=$CHG-$N_CHG || true
            # Rebuild the report: aide's summary header, our own counts and
            # sections, then aide's database attribute trailer.
            < $MAILTMP sed -n '0,/^ Total number of entries:/{p;}' >> "$FILTEREDMAIL"
            SEPERATOR_TEMPLATE="\n---------------------------------------------------\n%s entries (filtered: %s):\n---------------------------------------------------\n\n"
            NUM_FILES_TEMPLATE=" %s entries:\t\t%s\t(filtered: %s)\n"
            printf >> "$FILTEREDMAIL" "$NUM_FILES_TEMPLATE" "Added" "$N_ADD" "$F_ADD"
            printf >> "$FILTEREDMAIL" "$NUM_FILES_TEMPLATE" "Removed" "$N_REM" "$F_REM"
            printf >> "$FILTEREDMAIL" "$NUM_FILES_TEMPLATE" "Changed" "$N_CHG" "$F_CHG"
            printf >> "$FILTEREDMAIL" "\nThe following package changes were detected and were filtered from this mail:\n"
            # NOTE(review): $pkgs is the format string so its "\n" escapes
            # expand; a '%' in a package name would be interpreted by printf.
            printf >> "$FILTEREDMAIL" "$pkgs"
            if [ "$N_ADD" -eq "0" ] && [ "$N_REM" -eq "0" ] && [ "$N_CHG" -eq "0" ] ; then
              printf >> "$FILTEREDMAIL" "\nAIDE detected no changes after filtering package changes.\n\n"
            else
              if [ "${#NF_ADD[@]}" -gt "0" ]; then
                printf >> "$FILTEREDMAIL" "$SEPERATOR_TEMPLATE" "Added" "$F_ADD"
                for ((i=0;i<${#NF_ADD[@]};i++)); do echo "${NF_ADD[$i]}" >> "$FILTEREDMAIL"; done
              fi
              if [ "${#NF_REM[@]}" -gt "0" ]; then
                printf >> "$FILTEREDMAIL" "$SEPERATOR_TEMPLATE" "Removed" "$F_REM"
                for ((i=0;i<${#NF_REM[@]};i++)); do echo "${NF_REM[$i]}" >> "$FILTEREDMAIL"; done
              fi
              if [ "${#NF_CHG[@]}" -gt "0" ]; then
                if $GROUPED; then
                  printf >> "$FILTEREDMAIL" "$SEPERATOR_TEMPLATE" "Changed" "$F_CHG"
                else
                  # ungrouped: everything landed in NF_CHG, so describe the
                  # mix of categories in the single heading
                  if [ "$N_ADD" -gt "0" ] && [ "$N_REM" -gt "0" ] && [ "$N_CHG" -gt "0" ]; then
                    HEAD="Added, removed and changed"
                  elif [ "$N_ADD" -gt "0" ] && [ "$N_REM" -gt "0" ]; then
                    HEAD="Added and removed"
                  elif [ "$N_ADD" -gt "0" ] && [ "$N_CHG" -gt "0" ]; then
                    HEAD="Added and changed"
                  elif [ "$N_REM" -gt "0" ] && [ "$N_CHG" -gt "0" ]; then
                    HEAD="Removed and changed"
                  elif [ "$N_ADD" -gt "0" ]; then
                    HEAD="Added"
                  elif [ "$N_REM" -gt "0" ]; then
                    HEAD="Removed"
                  elif [ "$N_CHG" -gt "0" ]; then
                    HEAD="Changed"
                  fi
                  printf >> "$FILTEREDMAIL" "$SEPERATOR_TEMPLATE" "$HEAD" "$((F_ADD+F_REM+F_CHG))"
                fi
                for ((i=0;i<${#NF_CHG[@]};i++)); do echo "${NF_CHG[$i]}" >> "$FILTEREDMAIL"; done
              fi
            fi
            printf >> "$FILTEREDMAIL" "\n---------------------------------------------------\n"
            < $MAILTMP sed -n '/^The attributes of the (uncompressed) database(s):$/,$ {p;}' >> "$FILTEREDMAIL"
            MAILTMP="$FILTEREDMAIL"
          fi
        fi
      else
        MAILTMP="$ARUNLOG"
      fi

      # NOISE (from /etc/default/aide) is a regex; matching added/removed/
      # changed lines are dropped from a second, "de-noised" copy in the mail.
      if [ -n "${NOISE:-}" ]; then
        NOISETMP="$(mytempfile aidenoise1)"
        NOISETMP2="$(mytempfile aidenoise2)"
        < "$MAILTMP" sed -n '1,/^Detailed information about changes:/p' | \
          grep '^\(changed\|removed\|added\|[fdLDBFs?!][ :l<>=bpugamcinCAXSE.+-]\{16\}\):' | \
          grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" >> "$NOISETMP2"

        if [ -n "$NOISE" ]; then
          < "$NOISETMP2" grep -v "^\(changed\|removed\|added\|[fdLDBFs?!][ :l<>=bpugamcinCAXSE.+-]\{16\}\): $NOISE" >> "$NOISETMP" || true
          printf >> "$MAILFILE" "De-Noised output removes everything matching %s.\n" "$NOISE"
        fi

        if [ -s "$NOISETMP" ]; then
          loglines="$(< $NOISETMP wc -l | awk '{ print $1 }')"
          if [ "$LINES" -gt "0" ] && [ "${loglines:=0}" -gt "$LINES" ]; then
            printf "AIDE has returned long output which has been truncated in this mail\n" | \
              frame >> "$MAILFILE"
            printf >> "$MAILFILE" \
              "De-Noised output is %d lines, truncated to %d.\n" "$loglines" "$LINES"
            < "$NOISETMP" head -n "$LINES" >> "$MAILFILE"
            printf >> "$MAILFILE" "\nEnd of truncated De-Noised AIDE output. The full output can be found in %s.\nsha256sum: %s\n\n" "$LOGFILE" "$LOGFILE_CHECKSUM"
          else
            printf >> "$MAILFILE" "De-Noised output of the daily AIDE run (%d lines):\n" "$loglines"
            < "$NOISETMP" cat >> "$MAILFILE"
            printf >> "$MAILFILE" "\nEnd of De-Noised AIDE output.\n\n"
          fi
        else
          printf >> "$MAILFILE" "AIDE detected no changes after removing noise.\n\n"
        fi
        printf >> "$MAILFILE" "============================================================================\n"
      fi

      # include non-de-noised log into mail

      # MAILTMP is aide's output, possibly with details truncated and/or
      # package changes filtered (see MAIL_MODE).
      if [ -n "${MAILTMP:-}" ] && [ -s "$MAILTMP" ]; then
        loglines="$(wc -l "$MAILTMP" | awk '{ print $1 }')"
        if [ "$LINES" -gt "0" ] && [ "${loglines:=0}" -gt "$LINES" ]; then
          printf "AIDE has returned long output which has been truncated in this mail\n" | \
            frame >> "$MAILFILE"
          printf >> "$MAILFILE" \
            "Output is %d lines, truncated to %d.\n" "$loglines" "$LINES"
          < "$MAILTMP" head -n "$LINES" >> "$MAILFILE"
          printf >> "$MAILFILE" "\nEnd of truncated AIDE output. The full output can be found in %s.\nsha256sum: %s\n\n" "$LOGFILE" "$LOGFILE_CHECKSUM"
        else
          printf >> "$MAILFILE" "Output of the daily AIDE run (%d lines):\n" "$loglines"
          < "$MAILTMP" cat >> "$MAILFILE"
          if [ "$MAIL_MODE" -gt "0" ] ; then
            case "$MAIL_MODE" in
            1) AIDE_OUTPUT="truncated" ;;
            2) AIDE_OUTPUT="filtered" ;;
            3) AIDE_OUTPUT="truncated and filtered" ;;
            esac
            printf >> "$MAILFILE" "\nEnd of %s AIDE output.\n\nThe full output can be found in %s.\nsha256sum: %s\n\n" "$AIDE_OUTPUT" "$LOGFILE" "$LOGFILE_CHECKSUM"
          else
            printf >> "$MAILFILE" "\nEnd of AIDE output.\n\n"
          fi
        fi
      else
        printf >> "$MAILFILE" "AIDE detected no changes.\n\n"
      fi
    else
      printf >> "$MAILFILE" "funny, AIDE did not leave a log.\n\n"
      printf >> "$LOGFILE" "funny, AIDE did not leave a log.\n"
    fi

    if [ -n "${DBCHECKLOG:-}" ] && [ -s "$DBCHECKLOG" ]; then
      < "$DBCHECKLOG" cat >> "$MAILFILE"
      printf >> "$MAILFILE" "\n"
    fi

    printf >> "$MAILFILE" "End of AIDE daily cron job at %s, run time %d seconds\n" "$(date +"%Y-%m-%d %H:%M" -d@$ENDTIME)" "$(( $ENDTIME - $BEGINTIME ))"

    # send mail if changes or errors were detected or quiet reports not requested
    if [ "$QUIETREPORTS" != "yes" ] || [ "$ARETVAL" != "0" ] || [ $(< "$ERRORLOG" wc -l) -ne 0 ]; then
      # do not send anything (not even error messages) if silence is requested
      if [ "$SILENTREPORTS" != "yes" ]; then
        < "$MAILFILE" mail -s "$MAILSUBJ" "$MAILTO"
      fi
    fi

    # clean up temp files
    # NOTE(review): TMPDIR is the fixed $TMPDIRIN set before this runs, but
    # an unquoted rm -rf without a ${TMPDIR:?} guard is fragile.
    rm -rf $TMPDIR
  fi

  # The hook (root-configured in /etc/default/aide) is run with the exit
  # reason as argument; both expansions are unquoted and word-split.
  if [ -n "$CRONEXITHOOK" ] && [ -x "$CRONEXITHOOK" ]; then
    $CRONEXITHOOK $CRONEXITHOOKPARM
  fi

  # clear lock
  if [ -n "${LOCKED:-}" ] && command -v dotlockfile >/dev/null 2>&1; then
    dotlockfile -u "$LOCKFILE" || true
  fi
  unset LOCKED

  return 0
}
596 |
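# Wall-clock start, used by onexit() for the run-time summary.
BEGINTIME="$(date +%s)"

# CRON_DAILY_RUN=no disables the unattended run; an interactive invocation
# (a terminal on stdin) still goes ahead.
if [ "$CRON_DAILY_RUN" != "yes" ] && ! tty -s; then
  exit 0
fi

# Take the run lock so two daily jobs never scan or rewrite the same
# database at once. Without dotlockfile we only record a warning.
if command -v dotlockfile >/dev/null 2>&1; then
  if ! dotlockfile -p -l "$LOCKFILE"; then
    onexit nolock
    exit 1
  fi
else
  # Queued here because ERRORLOG does not exist yet; the name must match the
  # check below (it used to be spelled PREERRLOG, so the warning was lost).
  PREERRORLOG="no dotlockfile binary in path, not checking for already running aide cron job\n"
fi
LOCKED=yes

# prepare temp dir
# A leftover work dir from an aborted run is moved aside rather than
# deleted, so its contents remain available for inspection.
if [ -e "$TMPDIRIN" ]; then
  if ! NEWNAME="$(mktemp -d "$TMPBASE/cron.daily.old.XXXXXXXXXX")"; then
    onexit cantmovetmp
    exit 1
  fi
  mv -- "$TMPDIRIN" "$NEWNAME"
  unset NEWNAME
  OLDTMPDIRFOUND="yes"
fi

if ! mkdir -p -- "$TMPDIRIN"; then
  onexit cantcreatetmp
  exit 1
fi

# handle the case that CRONEXITHOOK does not exist or is not executeable
if [ -n "$CRONEXITHOOK" ]; then
  if ! [ -x "$CRONEXITHOOK" ]; then
    onexit nohook
    exit 1
  fi
fi

# we can now directly use file names inside $TMPDIR: It is only
# writeable for us (umask 077), so we're safe against symlink attacks.
# We use invariant file names here since our work files need to be
# excluded from aide.
TMPDIR="$TMPDIRIN"

# now, with $TMPDIR having been created, we can use onexit.

# ERRORLOG: Error messages from script. Gets written to $LOGFILE first
ERRORLOG="$(mytempfile errorlog)"

# The queued message is data, not a format string: %b expands its "\n"
# escapes without letting a stray '%' be interpreted by printf.
if [ -n "${PREERRORLOG:-}" ]; then
  printf '%b' "$PREERRORLOG" >> "$ERRORLOG"
fi
unset PREERRORLOG

# MAILFILE: Contents gets mailed. Built and handled from inside onexit()
MAILFILE="$(mytempfile mailfile)"

# aide return value; -1 tells onexit() that aide never got to return one
ARETVAL=-1

if [ ! -f "$DATABASE" ]; then
  printf >> "$ERRORLOG" "Fatal error: The AIDE database '%s' does not exist!\n" "$DATABASE"
  printf >> "$ERRORLOG" "This may mean you haven't created it or that the initialization process is still running, or it may mean that someone has removed it.\n"
  onexit fatal
  exit 1
fi

# code

# re-assign current time to be more accurate about aide's real start time
BEGINSTAMP="$(date +"%Y-%m-%d %H:%M:%S")"

# ARUNLOG: standard output of aide run
ARUNLOG="$(mytempfile arunlog)"

# AERRLOG: standard error of aide run
AERRLOG="$(mytempfile aerrlog)"

printf "begin timestamp %s\n" "$BEGINSTAMP" >> "$ARUNLOG"

# Run aide. A non-zero status is the normal way it reports changes, so it is
# captured without tripping set -e or the ERR trap. AIDEARGS is split on
# purpose (it may hold several options); >| overrides set -C for the
# pre-created work files.
ARETVAL=0
aide.wrapper $AIDEARGS "--$COMMAND" >|"$ARUNLOG" 2>|"$AERRLOG" || ARETVAL="$?"

# POSTRUNLOG: summary of aide execution and cron job log
POSTRUNLOG="$(mytempfile postrunlog)"

# DBCHECKLOG: Output of the database checksums
DBCHECKLOG="$(mytempfile dbchecklog)"

# NOISETMP: completely de-noised log
# NOISETMP2: pre-filtered ARUNLOG, containing only changed, removed and added lines
NOISETMP="$(mytempfile noisetmp)"
NOISETMP2="$(mytempfile noisetmp2)"

# find out whether we need to copy the new database over the old one

COPYDB="0"
if [ "$COPYNEWDB" = "ifnochange" ] && [ "$ARETVAL" = "0" ]; then
  COPYDB="1"
  printf >> "$POSTRUNLOG" "no significant changes detected.\n"
fi

if [ "$COPYNEWDB" = "yes" ]; then
  COPYDB=1
fi

# Promoting database_out to the baseline accepts every reported change as
# the new reference state. Only an "update" run writes database_out, and
# the copy is skipped with an error instead of letting cp fail on an empty
# name when the config does not define one.
if [ "$COPYDB" = "1" ] && [ "$COMMAND" = "update" ]; then
  if [ -n "$DATABASE_OUT" ]; then
    cp -f -- "$DATABASE_OUT" "$DATABASE"
    printf >> "$POSTRUNLOG" "output database %s was copied to %s as requested by cron job configuration\n" "$DATABASE_OUT" "$DATABASE"
  else
    printf >> "$ERRORLOG" "new database not copied: no database_out file: location found in %s\n" "$CONFFILE"
  fi
fi

onexit success
exit 0

# end of file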
714 |
--------------------------------------------------------------------------------