
Initial commit

Emmanuel Bouthenot 11 years ago
commit
988f34bbd6
93 changed files with 6740 additions and 0 deletions
  1. 1 0
      .gitignore
  2. 1 0
      activate
  3. 137 0
      ansible.cfg
  4. 4 0
      common.yml
  5. 30 0
      group_vars/all
  6. 15 0
      group_vars/monitoring
  7. 9 0
      group_vars/webserver
  8. 1 0
      host_vars/.gitkeeper
  9. 4 0
      monitoring.yml
  10. 1 0
      roles/common/data/.gitkeeper
  11. 1 0
      roles/common/data/users/.gitkeeper
  12. 1 0
      roles/common/files/logcheck/ansible_local
  13. 1 0
      roles/common/files/logcheck/bind_local
  14. 2 0
      roles/common/files/logcheck/dovecot_local
  15. 1 0
      roles/common/files/logcheck/dropbear_local
  16. 1 0
      roles/common/files/logcheck/ipmi_local
  17. 3 0
      roles/common/files/logcheck/libpam-modules_local
  18. 2 0
      roles/common/files/logcheck/mon_local
  19. 2 0
      roles/common/files/logcheck/noip2_local
  20. 2 0
      roles/common/files/logcheck/ntp_local
  21. 13 0
      roles/common/files/logcheck/openvpn_local
  22. 1 0
      roles/common/files/logcheck/php_local
  23. 1 0
      roles/common/files/logcheck/postfix_local
  24. 5 0
      roles/common/files/logcheck/pure-ftpd_local
  25. 1 0
      roles/common/files/logcheck/redir_local
  26. 2 0
      roles/common/files/logcheck/rsyslog_local
  27. 1 0
      roles/common/files/logcheck/smartd_local
  28. 3 0
      roles/common/files/logcheck/spamd_local
  29. 2 0
      roles/common/files/logcheck/sshd_local
  30. 1 0
      roles/common/files/logcheck/svn_local
  31. 76 0
      roles/common/files/logcheck/sympa_local
  32. 5 0
      roles/common/handlers/base.yml
  33. 4 0
      roles/common/handlers/main.yml
  34. 2 0
      roles/common/handlers/smartd.yml
  35. 5 0
      roles/common/handlers/smtp.yml
  36. 2 0
      roles/common/handlers/ssh.yml
  37. 52 0
      roles/common/tasks/base.yml
  38. 5 0
      roles/common/tasks/main.yml
  39. 47 0
      roles/common/tasks/security.yml
  40. 22 0
      roles/common/tasks/smartd.yml
  41. 15 0
      roles/common/tasks/smtp.yml
  42. 16 0
      roles/common/tasks/ssh.yml
  43. 18 0
      roles/common/templates/aliases.j2
  44. 5 0
      roles/common/templates/apt/local-pdiffs.j2
  45. 6 0
      roles/common/templates/apt/local-recommends.j2
  46. 18 0
      roles/common/templates/apt/sources.lenny.list.j2
  47. 9 0
      roles/common/templates/apt/sources.sid.list.j2
  48. 18 0
      roles/common/templates/apt/sources.squeeze.list.j2
  49. 15 0
      roles/common/templates/apt/sources.wheezy.list.j2
  50. 7 0
      roles/common/templates/chkrootkit/chkrootkit.conf.j2
  51. 13 0
      roles/common/templates/cron/logcheck.j2
  52. 31 0
      roles/common/templates/hosts.deny.j2
  53. 15 0
      roles/common/templates/hosts.j2
  54. 81 0
      roles/common/templates/postfix/main.cf.j2
  55. 38 0
      roles/common/templates/rkhunter/default.j2
  56. 592 0
      roles/common/templates/rkhunter/lenny.conf.j2
  57. 1020 0
      roles/common/templates/rkhunter/sid.conf.j2
  58. 860 0
      roles/common/templates/rkhunter/squeeze.conf.j2
  59. 1020 0
      roles/common/templates/rkhunter/wheezy.conf.j2
  60. 16 0
      roles/common/templates/smartd/default.j2
  61. 155 0
      roles/common/templates/smartd/smartd.asuka.conf.j2
  62. 154 0
      roles/common/templates/smartd/smartd.conf.j2
  63. 155 0
      roles/common/templates/smartd/smartd.rmll0.conf.j2
  64. 107 0
      roles/common/templates/ssh/sshd_config.j2
  65. 10 0
      roles/common/templates/sudo/local-admin.j2
  66. 519 0
      roles/monitoring/files/mon/dns.monitor
  67. 126 0
      roles/monitoring/files/mon/https.monitor
  68. 199 0
      roles/monitoring/files/mon/imaps.monitor
  69. 2 0
      roles/monitoring/handlers/main.yml
  70. 2 0
      roles/monitoring/handlers/mon.yml
  71. 5 0
      roles/monitoring/handlers/munin.yml
  72. 2 0
      roles/monitoring/tasks/main.yml
  73. 45 0
      roles/monitoring/tasks/mon.yml
  74. 59 0
      roles/monitoring/tasks/munin.yml
  75. 30 0
      roles/monitoring/templates/mon/default.j2
  76. 366 0
      roles/monitoring/templates/mon/slave.conf.j2
  77. 70 0
      roles/monitoring/templates/munin/munin-node.conf.j2
  78. 129 0
      roles/monitoring/templates/munin/munin-node.conf.plugins.j2
  79. 118 0
      roles/monitoring/templates/munin/munin.conf.j2
  80. 18 0
      roles/monitoring/templates/munin/nginx_vhost.j2
  81. 5 0
      roles/webserver/handlers/apache2.yml
  82. 2 0
      roles/webserver/handlers/main.yml
  83. 5 0
      roles/webserver/handlers/nginx.yml
  84. 26 0
      roles/webserver/tasks/apache2.yml
  85. 2 0
      roles/webserver/tasks/main.yml
  86. 13 0
      roles/webserver/tasks/nginx.yml
  87. 89 0
      roles/webserver/templates/apache2/conf.d/security.j2
  88. 12 0
      roles/webserver/templates/apache2/php5/security-local.ini.j2
  89. 9 0
      roles/webserver/templates/apache2/php5/security-local.rmll1.ini.j2
  90. 9 0
      roles/webserver/templates/nginx/status.conf.j2
  91. 3 0
      site.yml
  92. 8 0
      templates/ansible/prolog.j2
  93. 4 0
      webserver.yml

+ 1 - 0
.gitignore

@@ -0,0 +1 @@
+roles/common/data/user/*
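Review bot: The ignore pattern `roles/common/data/user/*` does not match the directory this commit actually creates, `roles/common/data/users/` (see the `.gitkeeper` under it and the `$FILE(roles/common/data/users/${admin_user}/id_rsa.pub)` lookups in the base tasks), so the per-user material the pattern is evidently meant to keep out of the repository will be picked up by git. Change it to `roles/common/data/users/*` and, to keep the placeholder tracked explicitly, add `!roles/common/data/users/.gitkeeper`.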

+ 1 - 0
activate

@@ -0,0 +1 @@
+../ansible-source/activate

+ 137 - 0
ansible.cfg

@@ -0,0 +1,137 @@
+# config file for ansible -- http://ansible.github.com
+# nearly all parameters can be overridden in ansible-playbook or with command line flags
+# ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first
+
+[defaults]
+
+# location of inventory file, eliminates need to specify -i
+
+hostfile = /etc/ansible/hosts
+
+# location of ansible library, eliminates need to specify --module-path
+
+library = /usr/share/ansible
+
+# default module name used in /usr/bin/ansible when -m is not specified
+
+module_name = command
+
+# home directory where temp files are stored on remote systems.  Should
+# almost always contain $HOME or be a directory writeable by all users
+
+remote_tmp = $HOME/.ansible/tmp
+
+# the default pattern for ansible-playbooks ("hosts:")
+
+pattern = *
+
+# the default number of forks (parallelism) to be used.  Usually you
+# can crank this up.
+
+forks=5
+
+# the timeout used by various connection types.  Usually this corresponds
+# to an SSH timeout
+
+timeout=10
+
+# when using --poll or "poll:" in an ansible playbook, and not specifying
+# an explicit poll interval, use this interval
+
+poll_interval=15
+
+# when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook,
+# and not specifying "--sudo-user" or "sudo_user" respectively, sudo
+# to this user account
+
+sudo_user=root
+
+# the following forces ansible to always ask for the sudo password (instead of having
+# to add -K to the commandline). Or you can use the environment variable (ANSIBLE_ASK_SUDO_PASS)
+
+#ask_sudo_pass=True
+
+# the following forces ansible to always ask for the ssh-password (-k)
+# can also be set by the environment variable ANSIBLE_ASK_PASS
+
+#ask_pass=True
+
+# connection to use when -c <connection_type> is not specified
+
+transport=paramiko
+
+# remote SSH port to be used when --port or "port:" or an equivalent inventory
+# variable is not specified.
+
+remote_port=22
+
+# if set, always run /usr/bin/ansible commands as this user, and assume this value
+# if "user:" is not set in a playbook.  If not set, use the current Unix user
+# as the default
+
+#remote_user=root
+
+# the default sudo executable. If a sudo alternative with a sudo-compatible interface
+# is used, specify its executable name as the default
+
+sudo_exe=sudo
+
+# the default flags passed to sudo
+# sudo_flags=-H
+
+# how to handle hash defined in several places
+# hash can be merged, or replaced
+# if you use replace, and have multiple hashes named 'x', the last defined
+# will override the previously defined one
+# if you use merge here, hash will cumulate their keys, but keys will still
+# override each other
+# replace is the default value, and is how ansible always handled hash variables
+#
+# hash_behaviour=replace
+
+# if you need to use jinja2 extensions, you can list them here
+# use a coma to separate extensions, e.g. :
+# jinja2_extensions=jinja2.ext.do,jinja2.ext.i18n
+# no extensions are loaded by default
+
+#jinja2_extensions=
+
+# if set, always use this private key file for authentication, same as if passing
+# --private-key to ansible or ansible-playbook
+
+#private_key_file=/path/to/file
+
+# format of string $ansible_managed available within Jinja2 templates, replacing
+# {file}, {host} and {uid} with template filename, host and owner respectively.
+# The resulting string is passed through strftime(3) so it may contain any
+# time-formatting specifiers.
+#
+# Example: ansible_managed = DONT TOUCH {file}: call {uid} at {host} for changes
+ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+
+# additional plugin paths for non-core plugins
+
+action_plugins     = /usr/share/ansible_plugins/action_plugins
+callback_plugins   = /usr/share/ansible_plugins/callback_plugins
+connection_plugins = /usr/share/ansible_plugins/connection_plugins
+lookup_plugins     = /usr/share/ansible_plugins/lookup_plugins
+vars_plugins       = /usr/share/ansible_plugins/vars_plugins
+filter_plugins     = /usr/share/ansible_plugins/filter_plugins
+
+[paramiko_connection]
+
+# nothing to configure yet
+
+[ssh_connection]
+
+# if uncommented, sets the ansible ssh arguments to the following.  Leaving off ControlPersist
+# will result in poor performance, so use transport=paramiko on older platforms rather than
+# removing it
+
+ssh_args=-o PasswordAuthentication=no -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
+
+# the following makes ansible use scp if the connection type is ssh (default is sftp)
+
+#scp_if_ssh=True
+
+
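Review bot: The `ssh_args` line puts the ControlMaster socket under the shared `/tmp` with a name built only from host, port and user; a directory private to the invoking user is the usual choice, e.g. `ControlPath=~/.ansible/cp/%h-%p-%r` (with the directory created beforehand). As the file stands the whole `[ssh_connection]` section is inert, because `[defaults]` sets `transport=paramiko`, so these arguments only take effect if the transport is later switched to ssh — a one-line comment above `ssh_args` saying so would save the next reader from assuming ControlPersist is in use.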

+ 4 - 0
common.yml

@@ -0,0 +1,4 @@
+- hosts: all
+  roles:
+    - common
+

+ 30 - 0
group_vars/all

@@ -0,0 +1,30 @@
+#
+# Default variables
+#
+
+ansible_prolog: True
+
+ansible_master_user: $PIPE(whoami)
+#ansible_master_hostname: $PIPE(hostname --fqdn)
+ansible_master_hostname: master.openics.org
+ansible_master_ip: $PIPE(hostname --ip)
+
+admin_fullname: Emmanuel Bouthenot
+admin_user: manu
+admin_email: kolter@openics.org
+
+hosts_deny_nfs: False
+
+with_logcheck: True
+with_rkhunter: True
+with_chkrootkit: True
+
+with_smartd: False
+
+with_smtp: False
+
+with_ssh: True
+ssh_port: 2222
+ssh_ecdsa_key: True
+
+# vim: ft=yaml
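Review bot: `ansible_master_ip: $PIPE(hostname --ip)` resolves the control host's own name through its resolver/`/etc/hosts`, which on a Debian install commonly yields `127.0.1.1` rather than a routable address; if this value is used to whitelist the master (for instance in the `hosts.deny` template this role ships) the whitelist would silently be wrong. Setting it explicitly, as `ansible_master_hostname` already is on the line above it, avoids the surprise; at minimum a comment noting the 127.0.1.1 caveat is warranted.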

+ 15 - 0
group_vars/monitoring

@@ -0,0 +1,15 @@
+#
+# Default variables for monitoring
+#
+
+with_mon: False
+
+with_munin: False
+with_munin_node: False
+munin_master_vhostname: localhost
+munin_masters:
+  - 127.0.0.1
+munin_nodes:
+  - 127.0.0.1
+
+# vim: ft=yaml

+ 9 - 0
group_vars/webserver

@@ -0,0 +1,9 @@
+#
+# Default variables for webservers
+#
+
+with_apache2: False
+with_apache2_modphp5: False
+with_nginx: False
+
+# vim: ft=yaml

+ 1 - 0
host_vars/.gitkeeper

@@ -0,0 +1 @@
+# keep my parent directory tracked by git

+ 4 - 0
monitoring.yml

@@ -0,0 +1,4 @@
+- hosts: monitoring
+  roles:
+    - monitoring
+

+ 1 - 0
roles/common/data/.gitkeeper

@@ -0,0 +1 @@
+# keep my parent directory tracked by git

+ 1 - 0
roles/common/data/users/.gitkeeper

@@ -0,0 +1 @@
+# keep my parent directory tracked by git

+ 1 - 0
roles/common/files/logcheck/ansible_local

@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([^:]+): 

+ 1 - 0
roles/common/files/logcheck/bind_local

@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: DNS format error from [.:[:xdigit:]]+#[[:digit:]]+ resolving [^[:space:]]+ for client [.:[:xdigit:]]+#[[:digit:]]+: (invalid response|reply has no answer|non-improving referral)$

+ 2 - 0
roles/common/files/logcheck/dovecot_local

@@ -0,0 +1,2 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<.+>, method=.+, rip=[0-9:\.]+, lip=[0-9:\.]+, mpid=[0-9]+, .+, session=<.+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)\(.*\): (Connection closed|Disconnected: Logged out) in=[0-9]+ out=[0-9]+$

+ 1 - 0
roles/common/files/logcheck/dropbear_local

@@ -0,0 +1 @@
+^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: Exit before auth: Exited normally$

+ 1 - 0
roles/common/files/logcheck/ipmi_local

@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? IPMI message handler: BMC returned incorrect response, expected netfn 2d cmd 0, got netfn 2c cmd 0$

+ 3 - 0
roles/common/files/logcheck/libpam-modules_local

@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_limits\(cron:session\): Unknown kernel rlimit 'Max realtime timeout' ignored$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_limits\(sshd:session\): Unknown kernel rlimit 'Max realtime timeout' ignored$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_limits\(sudo:session\): Unknown kernel rlimit 'Max realtime timeout' ignored$

+ 2 - 0
roles/common/files/logcheck/mon_local

@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mon\[[0-9]+\]: client connection from 
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mon\[[0-9]+\]: (finished )?client command "(list (disabled|state|watch|opstatus|descriptions)|protid [0-9]+)"$

+ 2 - 0
roles/common/files/logcheck/noip2_local

@@ -0,0 +1,2 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ noip2\[[0-9]+\]: Can't connect to dynupdate\.no-ip\.com \(Connection refused\) $
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ noip2\[[0-9]+\]: Can't get our visible IP address from ip[0-9]+\.dynupdate\.no-ip\.com $

+ 2 - 0
roles/common/files/logcheck/ntp_local

@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: step-systime: Operation not permitted$

+ 13 - 0
roles/common/files/logcheck/openvpn_local

@@ -0,0 +1,13 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: VERIFY OK: depth=[0-9]+, C=.+, ST=.+, L=.+, O=.+, CN=.+, emailAddress=.+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: VERIFY OK: nsCertType=SERVER$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TLS: tls_process: killed expiring key$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TLS: soft reset sec=[0-9]+ bytes=[0-9]+/[0-9]+ pkts=[0-9]+/[0-9]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: Data Channel Encrypt: Cipher '.+' initialized with [0-9]+ bit key$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: Data Channel Encrypt: Using [0-9]+ bit message hash '.+' for .* authentication$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: Control Channel: .*, cipher .*, [0-9]+ bit .+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: NOTE: OpenVPN [.0-9]+ requires '--script-security 2' or higher to call user-defined scripts or executables$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: read UDPv4 \[ENETUNREACH\]: Network is unreachable \(code=101\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: Socket Buffers: R=\[[0-9]+->[0-9]+\] S=\[[0-9]+->[0-9]+\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: UDPv4 link remote: \[AF_INET\].+:.+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: TLS: Initial packet from \[AF_INET\].+:.+, sid=.+ .+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: \[server\] Peer Connection Initiated with \[AF_INET\].+:.+$

+ 1 - 0
roles/common/files/logcheck/php_local

@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [^[:space:]\[]+: PHP (Warning|Deprecated|Notice|Strict Standards):

+ 1 - 0
roles/common/files/logcheck/postfix_local

@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: warning: hostname .+ does not resolve to address .+(: Name or service not known)?$

+ 5 - 0
roles/common/files/logcheck/pure-ftpd_local

@@ -0,0 +1,5 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Anonymous user logged in$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES128-SHA, 128 secret bits cipher$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([?.[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't create directory: File exists$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] Restarting at [0-9]+$

+ 1 - 0
roles/common/files/logcheck/redir_local

@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ redir\[[0-9]+\]: connect from .+ \(.+\)$

+ 2 - 0
roles/common/files/logcheck/rsyslog_local

@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$

+ 1 - 0
roles/common/files/logcheck/smartd_local

@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[^[:space:]]+( \[[_/[:alnum:][:space:]]+\])?, offline data collection was (abort|suspend)ed by an interrupting command from host \(auto:on\)$

+ 3 - 0
roles/common/files/logcheck/spamd_local

@@ -0,0 +1,3 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: adjust: [0-9]+ idle children (less|more) than [0-9]+ (max|min)imum idle children. (In|De)creasing spamd children: [0-9]+ (start|kill)ed\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: handled cleanup of child pid \[[0-9]+\] due to SIGCHLD: interrupted, signal [0-9]+ \([0-9]+\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: handled cleanup of child pid \[[0-9]+\] due to SIGCHLD: exit [0-9]+$

+ 2 - 0
roles/common/files/logcheck/sshd_local

@@ -0,0 +1,2 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from .*: [0-9]+: disconnected by user$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: subsystem request for sftp by user .+$

+ 1 - 0
roles/common/files/logcheck/svn_local

@@ -0,0 +1 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ svn: DIGEST-MD5 common mech free$

+ 76 - 0
roles/common/files/logcheck/sympa_local

@@ -0,0 +1,76 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ archived\[[0-9]+\]: notice Archiving .* for list
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice task_manager exited normally due to signal$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::execute\(\) Running task .*, line [0-9]+ with vars \)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::purge_logs_table\(\) purge_logs_table\(\): logs purged$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::next_cmd\(\) line [0-9]+ of [_a-z]+ : next \([0-9]+, ACTION\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::next_cmd\(\) --> new task [_a-z]+ \(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::create\(\) creation of .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::create\(\) with model .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::execute\(\) Running task .*, line [0-9]+ with vars \)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::purge_tables\(\) [0-9]+ rows removed in bulkspool_table$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::purge_session_table\(\) purge_session_table\(\): [0-9]+ row removed in session_table$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: notice main::purge_one_time_ticket_table\(\) purge_one_time_ticket_table\(\): [0-9]+ row removed in one_time_ticket_table$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: info main::eval_bouncers\(\) eval_bouncers\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: info main::purge_tables\(\) task_manager::purge_tables\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: info main::purge_session_table\(\) task_manager::purge_session_table\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: info main::purge_one_time_ticket_table\(\) task_manager::purge_one_time_ticket_table\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: info Configuration file read, default log level [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: info SympaSession::purge_old_sessions\(\) SympaSession::purge_old_sessions\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: info SympaSession::purge_old_tickets\(\) SympaSession::purge_old_tickets\(.*\)$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: notice List::load_topics\(\) No topic defined in 
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info WWSympa started$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_loginrequest\(\) do_loginrequest$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_info\(\) do_info$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[user .*\] \[list .*\] main::do_admin\(\) do_admin$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[user .*\] \[list .*\] main::do_edit_list_request\(\) do_edit_list_request\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[user .*\] \[list .*\] main::do_review\(\) do_review\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[user .*\] \[list .*\] main::do_add_request\(\) do_add_request\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[user .*\] \[list .*\] main::do_viewlogs\(\) do_viewlogs\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[user .*\] \[list .*\] main::do_add\(\) do_add\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[user .*\] \[list .*\] main::do_signoff\(\) do_signoff$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[user .*\] \[list .*\] main::do_home\(\) do_home$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] main::do_home\(\) do_home$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[user .*\] \[list .*\] main::do_arc\(\) do_arc\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_arc\(\) do_arc\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] main::do_lists\(\) do_lists\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_info\(\) do_info$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] main::do_help\(\) do_help\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] main::do_(first|renew)passwd\(\) do_(first|renew)passwd\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_(first|renew)passwd\(\) do_(first|renew)passwd\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] main::do_login\(\) do_login\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_login\(\) do_login\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_login\(\) do_login\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[rss\] main::do_lists\(\) do_lists\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[rss\] main::do_latest_lists\(\) do_latest_lists\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[rss\] main::do_active_lists\(\) do_active_lists\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_subscribe\(\) do_subscribe\(\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_subrequest\(\) do_subrequest\(.*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::do_rss_request\(\) do_rss_request$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info List::insert_delete_exclusion\(.*, .*, .*, .*\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::check_authz\(\) check_authz: access denied in do_arc for
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: err Scenario::new\(\) Missing parameter$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: err Scenario::request_action\(\) Failed to load scenario for '.*'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: err \[robot .*\] \[session [0-9]+\] \[client [.0-9]+\] \[list .*\] main::check_action_parameters\(\) user not logged in$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: err List::delete_subscription_request\(\) No pending subscription was found for users 
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: notice tools::CleanSpool\(\) Deleting old (file|directory)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: notice main::DoFile\(\) Processing .* ; sender: .*#[0-9]+ ; message-id: <.*>#[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: notice main::DoMessage\(\) Message for .* from .* kept for authentication with key \w+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: notice main::DoCommand\(\) Multipart message changed to singlepart$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: notice Commands::parse\(\) Parsing: C(ONFIRM|onfirm) \w+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: info main::DoMessage\(\) Processing message for .* with priority [0-9]+, <.*>#[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: info main::DoMessage\(\) Processing message for .* with priority [0-9]+, <.*>#[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: info main::DoMessage\(\) Message for .* from .* accepted \([0-9]+ seconds, [0-9]+ sessions, [0-9]+ subscribers\), message-id=<.*>#[0-9]+, size=[0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: info Commands::confirm\(\) CONFIRM [a-z0-9]+ from .* for list .* accepted \([0-9]+ seconds\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sympa\[[0-9]+\]: err List::get_subscriber\(\) Unable to retrieve information from database for user 
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bulk\[[0-9]+\]: notice Done sending message (<.*>)? to list .* \(priority [0-9]+\) in [0-9]+ seconds since scheduled expedition date\.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bulk\[[0-9]+\]: info Workload increased: [0-9]+ packets to process. Creating [0-9]+ child bulks to increase sending rate.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bulk\[[0-9]+\]: info Bulk slave daemon started with pid [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bulk\[[0-9]+\]: info Starting bulk child daemon, pid [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ bulk\[[0-9]+\]: info Process [0-9]+ didn't send any message since [0-9]+ seconds, exiting.$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wwsympa.fcgi: err wwslib::load_config\(\) Unknown parameter ldap_force_canonical_email in 
+
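Review bot: The wwsympa rules `check_authz() check_authz: access denied in do_arc for` and `check_action_parameters() user not logged in` suppress authorization-failure events, which are exactly the class of line logcheck is meant to surface; if they are noise from legitimate users reaching private archives, narrow the pattern (for example by naming the lists concerned) or move them to a violations ignore file with a comment explaining why they are expected. Several patterns are exact duplicates and can be dropped: the two `main::execute() Running task` lines, the two `main::do_login() do_login` lines under `[list .*]`, and the two `main::DoMessage() Processing message for` lines.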

+ 5 - 0
roles/common/handlers/base.yml

@@ -0,0 +1,5 @@
+- name: Reload apt cache
+  action: command apt-get update
+
+- name: Update motd
+  action: shell toilet -f future ${ansible_fqdn} > /var/run/motd && echo >> /var/run/motd && uname -snrvm >> /var/run/motd && echo >> /var/run/motd
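Review bot: In the `Update motd` handler `${ansible_fqdn}` is interpolated into a shell command line unquoted; it is a gathered fact from the managed host, so quote it — `toilet -f future "${ansible_fqdn}"` — to avoid word splitting or interpretation if the name ever contains unexpected characters. Because the handler only fires when `Install hosts file` notifies it, the `uname -snrvm` portion of the motd goes stale after a kernel upgrade until the hosts template changes again; a cron entry or an unconditional task would keep it current, if that matters here.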

+ 4 - 0
roles/common/handlers/main.yml

@@ -0,0 +1,4 @@
+- include: base.yml
+- include: smtp.yml
+- include: ssh.yml
+- include: smartd.yml

+ 2 - 0
roles/common/handlers/smartd.yml

@@ -0,0 +1,2 @@
+- name: Restart smartmontools
+  action: service name=smartmontools state=restarted

+ 5 - 0
roles/common/handlers/smtp.yml

@@ -0,0 +1,5 @@
+- name: Regenerate aliases cache
+  action: command newaliases
+
+- name: Restart postfix
+  action: service name=postfix state=restarted

+ 2 - 0
roles/common/handlers/ssh.yml

@@ -0,0 +1,2 @@
+- name: Restart ssh
+  action: service name=ssh state=restarted
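Review bot: `Restart ssh` does a full daemon restart; for the sshd_config changes coming from the ssh task file (not in this hunk) `state=reloaded` is the safer default, since a reload keeps the existing session open and a rejected configuration leaves the old daemon running instead of dropping the control connection on a host whose port is being moved to 2222. If the Ansible version in use supports it, validating the rendered template with sshd's own parser before it is installed (`validate='/usr/sbin/sshd -t -f %s'` on the template task) closes the remaining gap.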

+ 52 - 0
roles/common/tasks/base.yml

@@ -0,0 +1,52 @@
+- name: Write /etc/apt/sources.list
+  action: template src=apt/sources.${ansible_lsb.codename}.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
+  notify:
+    - Reload apt cache
+
+- name: Write /etc/apt/apt.conf.d configuration files
+  action: template src=apt/${item}.j2 dest=/etc/apt/apt.conf.d/${item} owner=root group=root mode=0644
+  with_items:
+    - local-recommends
+    - local-pdiffs
+
+- name: Install base packages
+  action: ${ansible_pkg_mgr} pkg=${item} install_recommends=no state=installed update_cache=yes
+  with_items:
+    - apticron
+    - locales-all
+    - lsb-release
+    - ntp
+    - toilet
+    - toilet-fonts
+    - facter
+    - zsh
+    - git-core
+    - vim-nox
+    - ccze
+    - tree
+    - pydf
+    - htop
+    - sudo
+
+- name: Install hosts file
+  action: template src=hosts.j2 dest=/etc/hosts owner=root group=root mode=0644
+  notify:
+    - Update motd
+
+- name: Install hosts.deny file
+  action: template src=hosts.deny.j2 dest=/etc/hosts.deny owner=root group=root mode=0644
+
+- name: Install sudo configuration
+  action: template src=sudo/local-admin.j2 dest=/etc/sudoers.d/local-admin owner=root group=root mode=0440
+
+- name: Install unprivileged user
+  action: user name="${admin_user}" comment="${admin_fullname}" groups=adm,operator,sudo append=yes shell=/bin/zsh state=present
+
+- name: Install configuration files for user
+  action: git repo=git://git.openics.org/kolter-dotfiles.git dest=/home/${admin_user}
+
+- name: Install SSH key for unprivileged user
+  action: authorized_key user="${admin_user}" key="$FILE(roles/common/data/users/${admin_user}/id_rsa.pub)" state=present
+
+- name: Install SSH key for root
+  action: authorized_key user=root key="$FILE(roles/common/data/users/${admin_user}/id_rsa.pub)" state=present
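Review bot: `Install configuration files for user` clones `git://git.openics.org/kolter-dotfiles.git` into the admin user's home over the unauthenticated git protocol with no `version=` pinned, so whatever is at HEAD on that server — or whatever an intermediary substitutes, since git:// offers no transport integrity — becomes the login shell's dotfiles; use an https:// or ssh URL and pin a tag or commit with `version=`. The clone also runs as root with `dest=/home/${admin_user}`, so the checkout will be root-owned, and the git module may refuse the non-empty home directory the preceding `user` task creates from /etc/skel — confirm on a fresh host. Separately, `Write /etc/apt/sources.list` needs `ansible_lsb.codename` while `lsb-release` is only installed by `Install base packages` two tasks later, so a host without lsb-release fails on the template lookup until the package is installed by other means.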

+ 5 - 0
roles/common/tasks/main.yml

@@ -0,0 +1,5 @@
+- include: base.yml
+- include: security.yml
+- include: smtp.yml
+- include: ssh.yml
+- include: smartd.yml

+ 47 - 0
roles/common/tasks/security.yml

@@ -0,0 +1,47 @@
+- name: Install logcheck packages
+  action: ${ansible_pkg_mgr} pkg=${item} state=installed update_cache=yes
+  with_items:
+    - logcheck
+    - logcheck-database
+  when_boolean: ${with_logcheck}
+
+- name: Install local configuration files for logcheck
+  action: copy src=logcheck/${item}_local dest=/etc/logcheck/ignore.d.server/${item}_local owner=root group=root mode=0644
+  with_items:
+    - ansible
+    - bind
+    - dovecot
+    - dropbear
+    - ipmi
+    - libpam-modules
+    - mon
+    - noip2
+    - ntp
+    - openvpn
+    - php
+    - postfix
+    - pure-ftpd
+    - redir
+    - rsyslog
+    - smartd
+    - spamd
+    - sshd
+    - svn
+    - sympa
+  when_boolean: ${with_logcheck}
+
+- name: Update logcheck cron job
+  action: template src=cron/logcheck.j2 dest=/etc/cron.d/logcheck owner=root group=root mode=0644
+  when_boolean: ${with_logcheck}
+
+- name: Update rkhunter default/init parameters
+  action: template src=rkhunter/default.j2 dest=/etc/default/rkhunter owner=root group=root mode=0644
+  when_boolean: ${with_rkhunter}
+
+- name: Update rkhunter configuration
+  action: template src=rkhunter/${ansible_lsb.codename}.conf.j2 dest=/etc/rkhunter.conf owner=root group=root mode=0644
+  when_boolean: ${with_rkhunter}
+
+- name: Update chkrootkit configuration
+  action: template src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644
+  when_boolean: ${with_chkrootkit}
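Review bot: The three rkhunter/chkrootkit tasks write /etc/default/rkhunter, /etc/rkhunter.conf and /etc/chkrootkit.conf, but nothing in this file installs the `rkhunter` or `chkrootkit` packages, unlike the logcheck block which installs `logcheck` and `logcheck-database` before copying its files; on a fresh host with `with_rkhunter` or `with_chkrootkit` true the config lands on a system that has no scanner and no cron job. Unless those packages come from a role not shown in this commit, add an install task gated the same way, e.g. `- name: Install rkhunter package` / `action: ${ansible_pkg_mgr} pkg=rkhunter state=installed` / `when_boolean: ${with_rkhunter}`, and the equivalent for chkrootkit. The logcheck copy loop also deserves a one-line comment that every `*_local` file dropped into ignore.d.server silences matching log lines, so each entry is an alerting blind spot that should be reviewed rather than accumulated.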

+ 22 - 0
roles/common/tasks/smartd.yml

@@ -0,0 +1,22 @@
+- name: Install smartmontools package
+  action: ${ansible_pkg_mgr} pkg=smartmontools state=installed update_cache=yes
+  when_boolean: ${with_smartd}
+
+- name: Install smartd configuration
+  action: template dest=/etc/smartd.conf owner=root group=root mode=0644
+  first_available_file:
+    - smartd/smartd.{{ ansible_hostname }}.conf.j2
+    - smartd/smartd.conf.j2
+  notify:
+    - Restart smartmontools
+  when_boolean: ${with_smartd}
+
+- name: Update smartmontools default/init parameters
+  action: template src=smartd/default.j2 dest=/etc/default/smartmontools owner=root group=root mode=0644
+  notify:
+    - Restart smartmontools
+  when_boolean: ${with_smartd}
+
+- name: Ensure smartmontools is running
+  action: service name=smartmontools state=started
+  when_boolean: ${with_smartd}

+ 15 - 0
roles/common/tasks/smtp.yml

@@ -0,0 +1,15 @@
+- name: Install postfix packages
+  action: apt pkg=postfix state=installed update_cache=yes
+  when_boolean: ${with_smtp}
+
+- name: Install mail aliases file
+  action: template src=aliases.j2 dest=/etc/aliases owner=root group=root mode=0644
+  notify:
+    - Regenerate aliases cache
+  when_boolean: ${with_smtp}
+
+- name: Install postfix main configuration
+  action: template src=postfix/main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=0644
+  notify:
+    - Restart postfix
+  when_boolean: ${with_smtp}
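Review bot: This file installs postfix with a bare `apt` action while every other task file in the role uses `${ansible_pkg_mgr}`, and unlike ssh.yml and smartd.yml it ends without a `service` task, so a stopped postfix is only brought back when main.cf or /etc/aliases happen to change and fire a restart handler. Since the rkhunter reports, logcheck output and the aliases file in this commit all depend on local mail actually leaving the box, add `- name: Ensure postfix is running` / `action: service name=postfix state=started enabled=yes` / `when_boolean: ${with_smtp}`, and switch the install line to `${ansible_pkg_mgr}` for consistency with the rest of the role.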

+ 16 - 0
roles/common/tasks/ssh.yml

@@ -0,0 +1,16 @@
+- name: Install ssh packages
+  action: ${ansible_pkg_mgr} pkg=${item} state=installed update_cache=yes
+  with_items:
+    - openssh-server
+    - openssh-client
+  when_boolean: ${with_ssh}
+
+- name: Install sshd configuration
+  action: template src=ssh/sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
+  notify:
+    - Restart ssh
+  when_boolean: ${with_ssh}
+
+- name: Ensure ssh is running
+  action: service name=ssh state=started
+  when_boolean: ${with_ssh}
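Review bot: The sshd_config template is written straight to /etc/ssh/sshd_config and `Restart ssh` fires with no syntax check, so a bad render — a typo in sshd_config.j2 or an option the target's OpenSSH does not understand, which is plausible for a role spanning lenny through sid — restarts sshd into a failed state and locks out remote management, including Ansible itself. If the Ansible version in use supports it, add `validate='/usr/sbin/sshd -t -f %s'` to the template task so the rendered file is rejected before it replaces the live config; otherwise run `sshd -t` as a separate step before the restart. The final task could also carry `enabled=yes` so ssh is not only started now but still comes up after a reboot.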

+ 18 - 0
roles/common/templates/aliases.j2

@@ -0,0 +1,18 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+
+mailer-daemon:  postmaster
+postmaster:     root
+nobody:         root
+webmaster:      root
+www-data:       root
+abuse:          root
+noc:            root
+security:       root
+logcheck:       root
+
+{% if admin_email is defined %}
+root:           {{ admin_email }}
+{% endif %}
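Review bot: `root:` is aliased to `admin_email` only when that variable is defined, while security, abuse, logcheck and the rkhunter `REPORT_EMAIL=root` setting (from the rkhunter default template in this same commit) all funnel into root; on a host where `admin_email` is unset, every rootkit warning and logcheck report lands in root's local spool and is never read. Either make `admin_email` mandatory for this role or add a comment above the `{% if %}` such as `# without admin_email all security mail stays in root's local mailbox and is never seen`, so the silent failure mode is visible to whoever runs the playbook next.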

+ 5 - 0
roles/common/templates/apt/local-pdiffs.j2

@@ -0,0 +1,5 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog('//') }}
+{% endif -%}
+Acquire::Pdiffs "false";

+ 6 - 0
roles/common/templates/apt/local-recommends.j2

@@ -0,0 +1,6 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog('//') }}
+{% endif -%}
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";

+ 18 - 0
roles/common/templates/apt/sources.lenny.list.j2

@@ -0,0 +1,18 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+deb http://archive.debian.org/debian lenny main contrib non-free
+#deb-src http://archive.debian.org/debian lenny main contrib non-free
+
+deb http://archive.debian.org/debian-security lenny/updates main contrib non-free
+#deb-src http://archive.debian.org/debian-security lenny/updates main contrib non-free
+
+deb http://archive.debian.org/debian-volatile lenny/volatile main contrib non-free
+#deb-src http://archive.debian.org/debian-volatile lenny/volatile main contrib non-free
+
+deb http://archive.debian.org/debian-backports lenny-backports main contrib non-free
+#deb-src http://archive.debian.org/debian-backports lenny-backports main contrib non-free
+
+deb http://archive.debian.org/debian-backports lenny-backports-sloppy main contrib non-free
+#deb-src http://archive.debian.org/debian-backports lenny-backports-sloppy main contrib non-free
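Review bot: Every entry in this template points at archive.debian.org, including `lenny/updates`; lenny's security support ended in February 2012, so a host provisioned from this file receives no security fixes at all and the rkhunter/logcheck tooling in this role becomes its only line of defence. If lenny hosts are genuinely still in scope, say so at the top of the template, e.g. `# lenny is end-of-life: archive.debian.org is a frozen snapshot and lenny/updates receives no new security fixes`, so nobody mistakes the security line for a live feed. Depending on the apt version on those hosts, the expired Release files on archive.debian.org may also need `Acquire::Check-Valid-Until "false"` for `update_cache=yes` not to fail — confirm on a real lenny box before relying on this.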

+ 9 - 0
roles/common/templates/apt/sources.sid.list.j2

@@ -0,0 +1,9 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+deb http://ftp.fr.debian.org/debian/ sid main contrib non-free
+deb-src http://ftp.fr.debian.org/debian/ sid main contrib non-free
+
+deb http://ftp.fr.debian.org/debian/ experimental main contrib non-free
+deb-src http://ftp.fr.debian.org/debian/ experimental main contrib non-free

+ 18 - 0
roles/common/templates/apt/sources.squeeze.list.j2

@@ -0,0 +1,18 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+deb http://ftp.fr.debian.org/debian/ squeeze main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ squeeze main contrib non-free
+
+deb http://ftp.fr.debian.org/debian/ squeeze-updates main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ squeeze-updates main contrib non-free
+
+deb http://security.debian.org/ squeeze/updates main contrib non-free
+#deb-src http://security.debian.org/ squeeze/updates main contrib non-free
+
+deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
+#deb-src http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
+
+deb http://backports.debian.org/debian-backports squeeze-backports-sloppy main contrib non-free
+#deb-src http://backports.debian.org/debian-backports squeeze-backports-sloppy main contrib non-free

+ 15 - 0
roles/common/templates/apt/sources.wheezy.list.j2

@@ -0,0 +1,15 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
+
+deb http://ftp.fr.debian.org/debian/ wheezy-updates main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main contrib non-free
+
+deb http://security.debian.org/ wheezy/updates main contrib non-free
+#deb-src http://security.debian.org/ wheezy/updates main contrib non-free
+
+deb http://ftp.fr.debian.org/debian/ wheezy-backports main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ wheezy-backports main contrib non-free

+ 7 - 0
roles/common/templates/chkrootkit/chkrootkit.conf.j2

@@ -0,0 +1,7 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+RUN_DAILY="false"
+RUN_DAILY_OPTS="-q"
+DIFF_MODE="false"
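Review bot: `RUN_DAILY="false"` disables chkrootkit's daily cron run, so on any host where `with_chkrootkit` is true the task installs a configuration under which the scanner never executes; the toggle in security.yml ends up controlling nothing. Either template the value from a variable, e.g. `RUN_DAILY="{{ 'true' if chkrootkit_daily else 'false' }}"`, or add a comment explaining that the daily run is deliberately off and how the scan is triggered instead, otherwise the next reader will assume the host is being checked when it is not.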

+ 13 - 0
roles/common/templates/cron/logcheck.j2

@@ -0,0 +1,13 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# /etc/cron.d/logcheck: crontab entries for the logcheck package
+
+PATH=/bin:/sbin:/usr/bin:/usr/sbin
+MAILTO=root
+
+@reboot             logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
+31 6,13,21 * * *    logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
+
+# EOF

+ 31 - 0
roles/common/templates/hosts.deny.j2

@@ -0,0 +1,31 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
+#                  See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example:    ALL: some.host.name, .some.domain
+#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
+#
+# If you're going to protect the portmapper use the name "portmap" for the
+# daemon name. Remember that you can only use the keyword "ALL" and IP
+# addresses (NOT host or domain names) for the portmapper, as well as for
+# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
+# for further information.
+#
+# The PARANOID wildcard matches any host whose name does not match its
+# address.
+#
+# You may wish to enable this to ensure any programs that don't
+# validate looked up hostnames still leave understandable logs. In past
+# versions of Debian this has been the default.
+# ALL: PARANOID
+ALL: PARANOID
+{% if hosts_deny_nfs %}
+portmap: ALL
+lockd: ALL
+mountd: ALL
+rquotad: ALL
+statd: ALL
+{% endif %}
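Review bot: `ALL: PARANOID` is the only unconditional rule and it is not a default-deny: tcp_wrappers rejects only clients whose forward and reverse DNS disagree, while a client with consistent reverse DNS, or none at all, is admitted to every wrapped service, and each check costs a DNS lookup that the remote side can make slow. If the intent is a deny-by-default posture this file needs `ALL: ALL` together with an explicit hosts.allow, which this commit does not add; if the intent is just the old Debian PARANOID check, a one-line comment above it saying so would stop readers from assuming the host is wrapped closed. The `hosts_deny_nfs` block also deserves a comment that it blocks the RPC services for every client, i.e. it is for hosts that do not serve NFS, since there is no matching allow list.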

+ 15 - 0
roles/common/templates/hosts.j2

@@ -0,0 +1,15 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+
+127.0.0.1       localhost
+{{ ansible_default_ipv4.address }}  {{ ansible_fqdn }}  {{ ansible_hostname }}
+
+# The following lines are desirable for IPv6 capable hosts
+::1             localhost       ip6-localhost   ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
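Review bot: The second non-loopback line relies on `ansible_default_ipv4.address`; on a host with no IPv4 default route that fact is empty, and the rendered line would then begin with the FQDN in the address column, so the host's own name no longer resolves locally. Consider guarding that line with `{% if ansible_default_ipv4 is defined and ansible_default_ipv4.address is defined %}` and falling back to Debian's usual `127.0.1.1` mapping, or failing the play early when the fact is missing rather than writing a broken /etc/hosts.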

+ 81 - 0
roles/common/templates/postfix/main.cf.j2

@@ -0,0 +1,81 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+myhostname = {{ ansible_fqdn }}
+myorigin = $myhostname
+mydomain = $myhostname
+mydestination = {{ ansible_fqdn }} {{ ansible_hostname }}
+
+alias_maps = hash:/etc/aliases
+alias_database = $alias_maps
+
+{% if smtp_relay is defined %}
+relayhost = {{ smtp_relay }}
+{% endif %}
+
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+
+message_size_limit = 0
+
+recipient_delimiter = +
+inet_interfaces = all
+
+disable_vrfy_command = yes
+
+smtpd_recipient_restrictions =
+    permit_mynetworks,
+    reject_non_fqdn_sender,
+    reject_unauth_pipelining,
+    reject_non_fqdn_recipient,
+    reject_unknown_sender_domain,
+    reject_unauth_destination,
+    reject_unknown_recipient_domain,
+    permit
+
+smtpd_client_restrictions =
+    permit_mynetworks,
+    reject_unauth_destination
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+    permit_mynetworks,
+    reject_non_fqdn_helo_hostname
+
+smtpd_sender_restrictions =
+    permit_mynetworks,
+    reject_non_fqdn_sender,
+    reject_unknown_sender_domain
+
+
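Review bot: `inet_interfaces = all` combined with `message_size_limit = 0` makes every host running this role a publicly reachable SMTP listener that accepts messages of unbounded size; the restriction lists prevent relaying, but the listener, the banner and an unlimited payload remain exposed on port 25 wherever no firewall fronts the box. For hosts that only need to deliver root mail to `admin_email` via `relayhost`, `inet_interfaces = loopback-only` and a finite cap such as `message_size_limit = 10240000` are the safer defaults, with `all` driven by a variable set only on real MX hosts. Outbound TLS is also not configured — `smtp_tls_security_level` is unset, so mail to the relay travels in the clear — and `smtpd_use_tls=yes` is the legacy spelling of `smtpd_tls_security_level = may`; both `*_tls_security_level` parameters should be available on lenny's Postfix 2.5 and later, but confirm on the oldest target.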

+ 38 - 0
roles/common/templates/rkhunter/default.j2

@@ -0,0 +1,38 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Defaults for rkhunter automatic tasks
+# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter
+#
+# This is a POSIX shell fragment
+#
+
+# Set this to yes to enable rkhunter daily runs
+# (default: true)
+CRON_DAILY_RUN="yes"
+
+# Set this to yes to enable rkhunter weekly database updates
+# (default: true)
+CRON_DB_UPDATE="yes"
+
+# Set this to yes to enable reports of weekly database updates
+# (default: false)
+DB_UPDATE_EMAIL="no"
+
+# Set this to the email address where reports and run output should be sent
+# (default: root)
+REPORT_EMAIL="root"
+
+# Set this to yes to enable automatic database updates
+# (default: false)
+APT_AUTOGEN="true"
+
+# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
+# (default: 0)
+NICE="0"
+
+# Should daily check be run when running on battery
+# powermgmt-base is required to detect if running on battery or on AC power
+# (default: false)
+RUN_CHECK_ON_BATTERY="false"
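Review bot: `APT_AUTOGEN="true"` turns on `rkhunter --propupd` after each apt operation via the package's apt hook, which re-baselines the file-properties database wholesale; any binary altered on disk before the next apt run is then recorded as legitimate and the daily check stays silent about it. That is a deliberate noise-versus-coverage trade-off, so state it in place, e.g. `# propupd after each apt run silences package-update false positives but also blesses any prior on-disk tampering`. Separately, the comment above says "Set this to yes", the other toggles use yes/no, and this one is set to "true" — confirm which string the hook in /etc/apt/apt.conf.d/90rkhunter compares against on the targeted releases, otherwise the setting may be a silent no-op.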

+ 592 - 0
roles/common/templates/rkhunter/lenny.conf.j2

@@ -0,0 +1,592 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+#
+# This is the configuration file for Rootkit Hunter.
+#
+# Please modify it to your own requirements.
+# Please review the documentation before posting bug reports or questions.
+# To report bugs, obtain updates, or provide patches or comments, please go to:
+# http://rkhunter.sourceforge.net
+#
+# To ask questions about rkhunter, please use the rkhunter-users mailing list.
+# Note this is a moderated list: please subscribe before posting.
+#
+# Lines beginning with a hash (#), and blank lines, will be ignored.
+#
+# Most of the following options need only be specified once. If
+# they appear more than once, then the last one seen will be used.
+# Some options are allowed to appear more than once, and the text
+# describing the option will say if this is so.
+#
+
+
+#
+# If this option is set to 1, it specifies that the mirrors file, which
+# is used when the '--update' and '--versioncheck' options are used, is
+# to be rotated. Rotating the entries in the file allows a basic form
+# of load-balancing between the mirror sites whenever the above options
+# are used.
+# If the option is set to 0, then the mirrors will be treated as if in
+# a priority list. That is, the first mirror will always be used. The
+# second mirror will only be used if the first mirror fails, then the
+# third mirror will be used if the second fails and so on.
+#
+ROTATE_MIRRORS=1
+
+#
+# If this option is set to 1, it specifies that when the '--update'
+# option is used, then the mirrors file is to be checked for updates
+# as well. If the current mirrors file contains any local mirrors,
+# these will be prepended to the updated file.
+# If this option is set to 0, the mirrors file can only be updated
+# manually. This may be useful if only using local mirrors.
+#
+UPDATE_MIRRORS=1
+
+#
+# The MIRRORS_MODE option tells rkhunter which mirrors are to be
+# used when the '--update' or '--versioncheck' command-line options
+# are given. Possible values are:
+#     0 - use any mirror (the default)
+#     1 - only use local mirrors
+#     2 - only use remote mirrors
+#
+# Local and remote mirrors can be defined in the mirrors.dat file
+# by using the 'local=' and 'remote=' keywords respectively.
+#
+MIRRORS_MODE=0
+
+#
+# Email a message to this address if a warning is found when the
+# system is being checked. Multiple addresses may be specified
+# simply be separating them with a space.
+#
+#MAIL-ON-WARNING=me@mydomain   root@mydomain
+
+#
+# Specify the mail command to use if MAIL-ON-WARNING is set.
+# NOTE: Double quotes are not required around the command, but
+# are required around the subject line if it contains spaces.
+#
+MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+
+#
+# Specify the temporary directory to use.
+#
+# NOTE: Do not use /tmp as your temporary directory. Some
+# important files will be written to this directory, so be
+# sure that the directory permissions are tight.
+#
+TMPDIR=/var/lib/rkhunter/tmp
+
+#
+# Specify the database directory to use.
+#
+DBDIR=/var/lib/rkhunter/db
+
+#
+# Specify the script directory to use.
+#
+SCRIPTDIR=/usr/share/rkhunter/scripts
+
+#
+# Specify the root directory to use.
+#
+#ROOTDIR=""
+
+#
+# Specify the command directories to be checked. This is a
+# space-separated list of directories.
+#
+BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
+
+#
+# Specify the language to use. This should be similar
+# to the ISO 639 language code.
+#
+# NOTE: Please ensure that the language you specify is supported.
+#       For a list of supported languages use the following command:
+#
+#           rkhunter --lang en --list languages
+#
+#LANGUAGE=en
+
+#
+# Specify the log file pathname.
+#
+LOGFILE=/var/log/rkhunter.log
+
+#
+# Set the following option to 1 if the log file is to be appended to
+# whenever rkhunter is run.
+#
+APPEND_LOG=0
+
+#
+# Set the following option to enable the rkhunter check start and finish
+# times to be logged by syslog. Warning messages will also be logged.
+# The value of the option must be a standard syslog facility and
+# priority, separated by a dot.
+#
+# For example: USE_SYSLOG=authpriv.warning
+#
+# Setting the value to 'none', or just leaving the option commented out,
+# disables the use of syslog.
+#
+#USE_SYSLOG=authpriv.notice
+
+#
+# Set the following option to 1 if the second colour set is to be used.
+# This can be useful if your screen uses black characters on a white
+# background (for example, a PC instead of a server).
+#
+COLOR_SET2=0
+
+#
+# Set the following option to 0 if rkhunter should not detect if X is
+# being used. If X is detected as being used, then the second colour
+# set will automatically be used.
+#
+AUTO_X_DETECT=1
+
+#
+# The following option is checked against the SSH configuration file
+# 'PermitRootLogin' option. A warning will be displayed if they do not
+# match. However, if a value has not been set in the SSH configuration
+# file, then a value here of 'yes' or 'unset' will not cause a warning.
+# This option has a default value of 'no'.
+#
+ALLOW_SSH_ROOT_USER=without-password
+
+#
+# Set this option to '1' to allow the use of the SSH-1 protocol, but note
+# that theoretically it is weaker, and therefore less secure, than the
+# SSH-2 protocol. Do not modify this option unless you have good reasons
+# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
+# authentication). If the 'Protocol' option has not been set in the SSH
+# configuration file, then a value of '2' may be set here in order to
+# suppress a warning message. This option has a default value of '0'.
+#
+ALLOW_SSH_PROT_V1=0
+
+#
+# This setting tells rkhunter the directory containing the SSH configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+#SSH_CONFIG_DIR=/etc/ssh
+
+#
+# These two options determine which tests are to be performed.
+# The ENABLE_TESTS option can use the word 'all' to refer to all the
+# available tests. The DISABLE_TESTS option can use the word 'none' to
+# mean that no tests are disabled. The list of disabled tests is applied to
+# the list of enabled tests. Both options are space-separated lists of test
+# names. The currently available test names can be seen by using the command
+# 'rkhunter --list tests'.
+#
+# The program defaults are to enable all tests and disable none. However, if
+# either option is specified in this file, then it overrides the program
+# default. The supplied rkhunter.conf file has some tests already disabled,
+# and these are tests that will be used only incidentally, can be considered
+# "advanced" or those that are prone to produce more than the "average" number
+# of "false positives".
+#
+# Please read the README file for more details about enabling and disabling
+# tests, the test names, and how rkhunter behaves when these options are used.
+#
+# hidden_procs test requires the unhide command which is part of the unhide
+# package in Debian.
+ENABLE_TESTS="all"
+{% set disable_tests = [] %}
+{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'guest' -%}
+  {% if disable_tests.append('os_specific') %}{% endif %}
+{%- endif %}
+{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'host' -%}
+    {% if disable_tests.append('promisc') %}{% endif %}
+{%- endif %}
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps {{ disable_tests|join(' ') }}"
+
+#
+# The HASH_FUNC option can be used to specify the command to use
+# for the file hash value check. It can be specified as just
+# the command name or the full pathname. Systems using prelinking
+# are restricted to using either SHA1 or MD5 functions. To get rkhunter
+# to look for the sha1(sum)/md5(sum) command, or to use the supplied
+# perl scripts, simply specify this option as 'SHA1' or 'MD5' in
+# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found.
+#
+# A value of 'NONE' (in uppercase) can be specified to indicate that
+# no hash function should be used. Rootkit Hunter will detect this and
+# automatically disable the file hash checks.
+#
+# Examples:
+#   For Solaris 9 : HASH_FUNC=gmd5sum
+#   For Solaris 10: HASH_FUNC=sha1sum
+#   For AIX (>5.2): HASH_FUNC="csum -hMD5"
+#   For NetBSD    : HASH_FUNC="cksum -a sha512"
+#
+# NOTE: If the hash function is changed then you MUST run rkhunter with
+#       the '--propupd' option to rebuild the file properties database.
+#
+#HASH_FUNC=sha1sum
+
+#
+# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
+# command output contains the hash value. The fields are assumed to
+# be space-separated. The default value is one, but for *BSD users
+# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
+# has not been set. The option value must be a positive integer.
+#
+#HASH_FLD_IDX=4
+
+#
+# The PKGMGR option tells rkhunter to use the specified package manager
+# to obtain the file property information. This is used when updating
+# the file properties file 'rkhunter.dat', and when running the file
+# properties check. For RedHat/RPM-based systems, 'RPM' can be used
+# to get information from the RPM database. For Debian-based systems
+# 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
+# No value, or a value of 'NONE', indicates that no package manager
+# is to be used. The default is 'NONE'.
+#
+# The current package managers store the file hash values using an
+# MD5 hash function.
+#
+# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
+# The 'RPM' package manager additionally provides values for the inode,
+# file permissions, uid, gid and other values.
+#
+# For any file not part of a package, rkhunter will revert to using
+# the HASH_FUNC hash function instead.
+#
+# NONE is the default for Debian as well, as running --propupd takes
+# about 4 times longer when it's set to DPKG
+#
+#PKGMGR=NONE
+
+#
+# Whitelist various attributes of the specified files.
+# The attributes are those of the 'attributes' test.
+# Specifying a file name here does not include it being
+# whitelisted for the write permission test below.
+# One command per line (use multiple ATTRWHITELIST lines).
+#
+#ATTRWHITELIST=/bin/ps
+
+#
+# Allow the specified commands to have the 'others'
+# (world) permission have the write-bit set.
+#
+# For example, files with permissions r-xr-xrwx
+# or rwxrwxrwx.
+#
+# One command per line (use multiple WRITEWHITELIST lines).
+#
+#WRITEWHITELIST=/bin/ps
+
+#
+# Allow the specified commands to be scripts.
+# One command per line (use multiple SCRIPTWHITELIST lines).
+#
+SCRIPTWHITELIST=/bin/egrep
+SCRIPTWHITELIST=/bin/fgrep
+SCRIPTWHITELIST=/bin/which
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/lwp-request
+SCRIPTWHITELIST=/usr/sbin/adduser
+SCRIPTWHITELIST=/usr/sbin/prelink
+
+#
+# Allow the specified commands to have the immutable attribute set.
+# One command per line (use multiple IMMUTWHITELIST lines).
+#
+#IMMUTWHITELIST=/sbin/ifup
+
+#
+# Allow the specified hidden directories.
+# One directory per line (use multiple ALLOWHIDDENDIR lines).
+#
+#ALLOWHIDDENDIR=/etc/.java
+#ALLOWHIDDENDIR=/dev/.udev
+#ALLOWHIDDENDIR=/dev/.udevdb
+#ALLOWHIDDENDIR=/dev/.udev.tdb
+#ALLOWHIDDENDIR=/dev/.static
+#ALLOWHIDDENDIR=/dev/.initramfs
+#ALLOWHIDDENDIR=/dev/.SRC-unix
+ALLOWHIDDENDIR=/dev/.mdadm
+ALLOWHIDDENDIR=/dev/.git
+
+#
+# Allow the specified hidden files.
+# One file per line (use multiple ALLOWHIDDENFILE lines).
+# 
+#ALLOWHIDDENFILE=/etc/.java
+#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+#ALLOWHIDDENFILE=/etc/.pwd.lock
+#ALLOWHIDDENFILE=/etc/.init.state
+ALLOWHIDDENFILE=/etc/.etckeeper
+ALLOWHIDDENFILE=/etc/.gitignore
+
+#
+# Allow the specified processes to use deleted files.
+# One process per line (use multiple ALLOWPROCDELFILE lines).
+#
+#ALLOWPROCDELFILE=/sbin/cardmgr
+#ALLOWPROCDELFILE=/usr/sbin/gpm
+#ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
+#ALLOWPROCDELFILE=/usr/sbin/mysqld
+#ALLOWPROCDELFILE=/usr/lib/iceweasel/firefox-bin
+#ALLOWPROCDELFILE=/usr/bin/file-roller
+
+#
+# Allow the specified processes to listen on any network interface.
+# One process per line (use multiple ALLOWPROCLISTEN lines).
+#
+#ALLOWPROCLISTEN=/sbin/dhclient
+#ALLOWPROCLISTEN=/sbin/dhclient3
+#ALLOWPROCLISTEN=/sbin/dhcpcd
+#ALLOWPROCLISTEN=/usr/sbin/pppoe
+#ALLOWPROCLISTEN=/usr/sbin/tcpdump
+#ALLOWPROCLISTEN=/usr/sbin/snort-plain
+#ALLOWPROCLISTEN=/sbin/wpa_supplicant
+
+#
+# SCAN_MODE_DEV governs how we scan /dev for suspicious files.
+# The two allowed options are: THOROUGH or LAZY.
+# If commented out we do a THOROUGH scan which will increase the runtime.
+# Even though this adds to the running time it is highly recommended to
+# leave it like this.
+#
+#SCAN_MODE_DEV=THOROUGH
+
+#
+# Allow the specified files to be present in the /dev directory,
+# and not regarded as suspicious. One file per line (use multiple
+# ALLOWDEVFILE lines).
+#
+#ALLOWDEVFILE=/dev/abc
+#ALLOWDEVFILE=/dev/shm/pulse-shm-*
+ALLOWDEVFILE=/dev/shm/network/ifstate
+
+#
+# This setting tells rkhunter where the inetd configuration
+# file is located.
+#
+#INETD_CONF_PATH=/etc/inetd.conf
+
+#
+# Allow the following enabled inetd services.
+# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
+#
+# Below are some Solaris 9 and 10 services that may want to be whitelisted.
+#
+#INETD_ALLOWED_SVC=echo
+#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd
+#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto
+#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd
+#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd
+#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd
+#INETD_ALLOWED_SVC=/usr/lib/gss/gssd
+#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader
+#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd
+#INETD_ALLOWED_SVC=/network/rpc/mdcomm
+#INETD_ALLOWED_SVC=/network/rpc/meta
+#INETD_ALLOWED_SVC=/network/rpc/metamed
+#INETD_ALLOWED_SVC=/network/rpc/metamh
+#INETD_ALLOWED_SVC=/network/security/ktkt_warn
+#INETD_ALLOWED_SVC=/application/x11/xfs
+#INETD_ALLOWED_SVC=/application/print/rfc1179
+#INETD_ALLOWED_SVC=/application/font/stfsloader
+#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
+#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
+#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp
+#INETD_ALLOWED_SVC=/usr/sbin/tcpd
+
+#
+# This setting tells rkhunter where the xinetd configuration
+# file is located.
+#
+#XINETD_CONF_PATH=/etc/xinetd.conf
+
+#
+# Allow the following enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing
+# we only have the pathname available. As such, these entries are
+# the xinetd file pathnames.
+# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
+#
+#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
+
+#
+# This setting tells rkhunter the local system startup file pathnames.
+# More than one file may be present on the system, and so this option
+# can be a space-separated list. This setting will be worked out by
+# rkhunter, and so should not usually need to be set.
+#
+# If the system uses a directory of local startup scripts, then rather
+# that setting all the file names here, leave this setting blank, and
+# specify the directory name in SYSTEM_RC_DIR instead.
+#
+# If the system does not use a local startup script at all, then this
+# setting can be set to 'none'. Without this, rkhunter would give a
+# warning that no local startup script could be found.
+#
+#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit"
+
+#
+# This setting tells rkhunter the local system startup file directory.
+# This setting will be worked out by rkhunter, and so should not usually
+# need to be set.
+#
+#SYSTEM_RC_DIR=/etc/rc.d
+
+#
+# This setting tells rkhunter the pathname to the file containing the
+# user account passwords. This setting will be worked out by rkhunter,
+# and so should not usually need to be set.
+#
+#PASSWORD_FILE=/etc/shadow
+
+#
+# Allow the following accounts to be root equivalent. These accounts
+# will have a UID value of zero. This option is a space-separated list
+# of account names. The 'root' account does not need to be listed as it
+# is automatically whitelisted.
+#
+# Note: For *BSD systems you may need to enable this for the 'toor' account.
+#
+#UID0_ACCOUNTS="toor rooty sashroot"
+
+#
+# Allow the following accounts to have no password. This option is a
+# space-separated list of account names. NIS/YP entries do not need to
+# be listed as they are automatically whitelisted.
+#
+#PWDLESS_ACCOUNTS="abc"
+
+#
+# This setting tells rkhunter the pathname to the syslog configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+
+#
+# This option permits the use of syslog remote logging.
+#
+ALLOW_SYSLOG_REMOTE_LOGGING=0
+
+#
+# Allow the following applications, or a specific version of an application,
+# to be whitelisted. This option is a space-separated list consisting of the
+# application names. If a specific version is to be whitelisted, then the
+# name must be followed by a colon and then the version number.
+#
+# For example: APP_WHITELIST="openssl:0.9.7d gpg"
+#
+#APP_WHITELIST=""
+
+# 
+# Scan for suspicious files in directories containing temporary files and
+# directories posing a relatively higher risk due to user write access.
+# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
+# producing false positives. Do review all settings before usage.
+# Also be aware that running suspscan in combination with verbose logging on,
+# RKH's default, will show all ignored files.
+# Please consider adding all directories the user the (web)server runs as has 
+# write access to including the document root (example: "/var/www") and log
+# directories (example: "/var/log/httpd"). 
+#
+# A space-separated list of directories to scan.
+#
+SUSPSCAN_DIRS="/tmp /var/tmp"
+
+#
+# Directory for temporary files. A memory-based one is better (faster).
+# Do not use a directory name that is listed in SUSPSCAN_DIRS.
+# Please make sure you have a tempfs mounted and the directory exists.
+#
+SUSPSCAN_TEMP=/dev/shm
+
+#
+# Maximum filesize in bytes. Files larger than this will not be inspected.
+# Do make sure you have enough space left in your temporary files directory.
+#
+SUSPSCAN_MAXSIZE=10240000
+
+#
+# Score threshold. Below this value no hits will be reported.
+# A value of "200" seems "good" after testing on malware. Please adjust
+# locally if necessary. 
+#
+SUSPSCAN_THRESH=200
+
+#
+# The following option can be used to whitelist network ports which
+# are known to have been used by malware. The option is a space-
+# separated list of one or more of three types of whitelisting.
+# These are:
+#
+#   1) a 'protocol:port' pair       (e.g. TCP:25)
+#   2) a pathname to an executable  (e.g. /usr/sbin/squid)
+#   3) an asterisk ('*')
+#
+# Only the UDP or TCP protocol may be specified, and the port number
+# must be between 1 and 65535 inclusive.
+#
+# The asterisk can be used to indicate that any executable in a trusted
+# path directory will be whitelisted. A trusted path directory is one which
+# rkhunter uses to locate commands. It is composed of the root PATH
+# environment variable, and the BINDIR command-line or configuration
+# file option.
+#
+# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
+#
+#PORT_WHITELIST=""
+
+#
+# The following option can be used to tell rkhunter where the operating
+# system 'release' file is located. This file contains information
+# specifying the current O/S version. RKH will store this information
+# itself, and check to see if it has changed between each run. If it has
+# changed, then the user is warned that RKH may issue warning messages
+# until RKH has been run with the '--propupd' option.
+#
+# Since the contents of the file vary according to the O/S distribution,
+# RKH will perform different actions when it detects the file itself. As
+# such, this option should not be set unless necessary. If this option is
+# specified, then RKH will assume the O/S release information is on the
+# first non-blank line of the file.
+#
+#OS_VERSION_FILE="/etc/release"
+
+#
+# The following two options can be used to whitelist files and directories
+# that would normally be flagged with a warning during the rootkit checks.
+# If the file or directory name contains a space, then the percent character
+# ('%') must be used instead. Only existing files and directories can be
+# specified.
+#
+#RTKT_DIR_WHITELIST=""
+#RTKT_FILE_WHITELIST=""
+
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command, then the following two options can be used. The value must be
+# set to 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
+INSTALLDIR="/usr"
+
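Review bot: The DISABLE_TESTS logic after `ENABLE_TESTS="all"` appends `promisc` whenever the host is not a virtualization host (i.e. on guests and on bare metal) and `os_specific` whenever it is not a guest; if the goal was to silence the promiscuous-interface warning on hypervisors whose bridge ports are legitimately promiscuous, the `promisc` condition reads inverted, and as written it removes that check from exactly the machines where an unexpected promiscuous interface is a sniffing indicator. Please confirm the intended mapping and add a comment above `{% set disable_tests = [] %}` stating which test is dropped where and why, e.g. `{# os_specific: skipped outside guests; promisc: skipped where bridge ports make it noisy #}`. Note also that the fixed part of the list already drops `hidden_procs`, `deleted_files`, `packet_cap_apps` and `apps`, so what remains of rkhunter's coverage on these hosts is mostly file hashes and known-rootkit signatures; `ALLOW_SSH_ROOT_USER=without-password` is consistent with the root authorized_key installed by base.yml, which is worth a cross-referencing comment here too.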

+ 1020 - 0
roles/common/templates/rkhunter/sid.conf.j2

@@ -0,0 +1,1020 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+#
+# This is the main configuration file for Rootkit Hunter.
+#
+# You can either modify this file directly, or you can create a local
+# configuration file. The local file must be named 'rkhunter.conf.local',
+# and must reside in the same directory as this file. Please modify one
+# or both files to your own requirements. It is suggested that the
+# command 'rkhunter -C' is run after any changes have been made.
+#
+# Please review the documentation before posting bug reports or questions.
+# To report bugs, obtain updates, or provide patches or comments, please go to:
+# http://rkhunter.sourceforge.net
+#
+# To ask questions about rkhunter, please use the rkhunter-users mailing list.
+# Note this is a moderated list: please subscribe before posting.
+#
+# Lines beginning with a hash (#), and blank lines, are ignored.
+# End-of-line comments are not supported.
+#
+# Most of the following options need only be specified once. If
+# they appear more than once, then the last one seen will be used.
+# Some options are allowed to appear more than once, and the text
+# describing the option will say if this is so.
+#
+# Some of the options are space-separated lists of pathnames. If
+# wildcard characters (globbing) are allowed in the list, then the
+# text describing the option will say so.
+#
+# Space-separated lists may be enclosed by quotes, but these must only
+# appear at the start and end of the list, not in the middle.
+#
+# For example:    XXX="abc  def  gh"        (correct)
+#                 XXX="abc"  "def"  "gh"    (incorrect)
+#
+
+
+#
+# If this option is set to 1, it specifies that the mirrors file
+# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
+# options are used, is to be rotated. Rotating the entries in the file
+# allows a basic form of load-balancing between the mirror sites whenever
+# the above options are used.
+# If the option is set to 0, then the mirrors will be treated as if in
+# a priority list. That is, the first mirror listed will always be used
+# first. The second mirror will only be used if the first mirror fails,
+# the third mirror will only be used if the second mirror fails, and so on.
+#
+# If the mirrors file is read-only, then the '--versioncheck' command-line
+# option can only be used if this option is set to 0.
+#
+ROTATE_MIRRORS=1
+
+#
+# If this option is set to 1, it specifies that when the '--update'
+# option is used, then the mirrors file is to be checked for updates
+# as well. If the current mirrors file contains any local mirrors,
+# these will be prepended to the updated file.
+# If this option is set to 0, the mirrors file can only be updated
+# manually. This may be useful if only using local mirrors.
+#
+UPDATE_MIRRORS=1
+
+#
+# The MIRRORS_MODE option tells rkhunter which mirrors are to be
+# used when the '--update' or '--versioncheck' command-line options
+# are given. Possible values are:
+#     0 - use any mirror (the default)
+#     1 - only use local mirrors
+#     2 - only use remote mirrors
+#
+# Local and remote mirrors can be defined in the mirrors file
+# by using the 'local=' and 'remote=' keywords respectively.
+#
+MIRRORS_MODE=0
+
+#
+# Email a message to this address if a warning is found when the
+# system is being checked. Multiple addresses may be specified
+# simply be separating them with a space. Setting this option to
+# null disables the option.
+#
+# NOTE: This option should be present in the configuration file.
+#
+#MAIL-ON-WARNING=me@mydomain   root@mydomain
+MAIL-ON-WARNING=""
+
+#
+# Specify the mail command to use if MAIL-ON-WARNING is set.
+#
+# NOTE: Double quotes are not required around the command, but
+# are required around the subject line if it contains spaces.
+#
+MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+
+#
+# Specify the temporary directory to use.
+#
+# NOTE: Do not use /tmp as your temporary directory. Some
+# important files will be written to this directory, so be
+# sure that the directory permissions are tight.
+#
+TMPDIR=/var/lib/rkhunter/tmp
+
+#
+# Specify the database directory to use.
+#
+DBDIR=/var/lib/rkhunter/db
+
+#
+# Specify the script directory to use.
+#
+SCRIPTDIR=/usr/share/rkhunter/scripts
+
+#
+# This option can be used to modify the command directory list used
+# by rkhunter to locate commands (that is, its PATH). By default
+# this will be the root PATH, and an internal list of some common
+# command directories.
+#
+# Any directories specified here will, by default, be appended to the
+# default list. However, if a directory name begins with the '+'
+# character, then that directory will be prepended to the list (that
+# is, it will be put at the start of the list).
+#
+# This is a space-separated list of directory names. The option may
+# be specified more than once.
+#
+#BINDIR="/bin /usr/bin /sbin /usr/sbin"
+#BINDIR="+/usr/local/bin +/usr/local/sbin"
+
+#
+# Specify the default language to use. This should be similar
+# to the ISO 639 language code.
+#
+# NOTE: Please ensure that the language you specify is supported.
+# For a list of supported languages use the following command:
+#
+#       rkhunter --lang en --list languages
+#
+#LANGUAGE=en
+
+#
+# This option is a space-separated list of the languages that are to
+# be updated when the '--update' option is used. If unset, then all
+# the languages will be updated. If none of the languages are to be
+# updated, then set this option to just 'en'.
+#
+# The default is for all the languages to be updated. The default
+# language, specified above, and the English (en) language file will
+# always be updated regardless of this option.
+#
+UPDATE_LANG=""
+
+#
+# Specify the log file pathname.
+#
+# NOTE: This option should be present in the configuration file.
+#
+LOGFILE=/var/log/rkhunter.log
+
+#
+# Set the following option to 1 if the log file is to be appended to
+# whenever rkhunter is run.
+#
+APPEND_LOG=0
+
+#
+# Set the following option to 1 if the log file is to be copied when
+# rkhunter finishes and an error or warning has occurred. The copied
+# log file name will be appended with the current date and time
+# (in YYYY-MM-DD_HH:MM:SS format).
+# For example: rkhunter.log.2009-04-21_00:57:51
+#
+COPY_LOG_ON_ERROR=0
+
+#
+# Set the following option to enable the rkhunter check start and finish
+# times to be logged by syslog. Warning messages will also be logged.
+# The value of the option must be a standard syslog facility and
+# priority, separated by a dot.  For example:
+#
+#     USE_SYSLOG=authpriv.warning
+#
+# Setting the value to 'none', or just leaving the option commented out,
+# disables the use of syslog.
+#
+#USE_SYSLOG=authpriv.notice
+
+#
+# Set the following option to 1 if the second colour set is to be used.
+# This can be useful if your screen uses black characters on a white
+# background (for example, a PC instead of a server).
+#
+COLOR_SET2=0
+
+#
+# Set the following option to 0 if rkhunter should not detect if X is
+# being used. If X is detected as being used, then the second colour
+# set will automatically be used.
+#
+AUTO_X_DETECT=1
+
+#
+# Set the following option to 1 if it is wanted that any 'Whitelisted'
+# results are shown in white rather than green. For colour set 2 users,
+# setting this option will cause the result to be shown in black.
+#
+WHITELISTED_IS_WHITE=0
+
+#
+# The following option is checked against the SSH configuration file
+# 'PermitRootLogin' option. A warning will be displayed if they do not
+# match. However, if a value has not been set in the SSH configuration
+# file, then a value here of 'unset' can be used to avoid warning messages.
+# This option has a default value of 'no'.
+#
+ALLOW_SSH_ROOT_USER=without-password
+
+#
+# Set this option to '1' to allow the use of the SSH-1 protocol, but note
+# that theoretically it is weaker, and therefore less secure, than the
+# SSH-2 protocol. Do not modify this option unless you have good reasons
+# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
+# authentication). If the 'Protocol' option has not been set in the SSH
+# configuration file, then a value of '2' may be set here in order to
+# suppress a warning message. This option has a default value of '0'.
+#
+ALLOW_SSH_PROT_V1=0
+
+#
+# This setting tells rkhunter the directory containing the SSH configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+#SSH_CONFIG_DIR=/etc/ssh
+
+#
+# These two options determine which tests are to be performed.
+# The ENABLE_TESTS option can use the word 'all' to refer to all the
+# available tests. The DISABLE_TESTS option can use the word 'none' to
+# mean that no tests are disabled. The list of disabled tests is applied to
+# the list of enabled tests. Both options are space-separated lists of test
+# names. The currently available test names can be seen by using the command
+# 'rkhunter --list tests'.
+#
+# The program defaults are to enable all tests and disable none. However, if
+# either of the options below are specified, then they will override the
+# program defaults.
+#
+# The supplied configuration file has some tests already disabled, and these
+# are tests that will be used only occasionally, can be considered
+# "advanced" or that are prone to produce more than the average number of
+# false-positives.
+#
+# Please read the README file for more details about enabling and disabling
+# tests, the test names, and how rkhunter behaves when these options are used.
+#
+# hidden_procs test requires the unhide command which is part of the unhide
+# package in Debian.
+#
+# apps test is disabled by default as it triggers warnings about outdated 
+# applications (and warns about possible security risk: we better trust
+# the Debian Security Team).
+#
+ENABLE_TESTS="all"
+{% set disable_tests = [] %}
+{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'guest' -%}
+  {% if disable_tests.append('os_specific') %}{% endif %}
+{%- endif %}
+{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'host' -%}
+    {% if disable_tests.append('promisc') %}{% endif %}
+{%- endif %}
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps {{ disable_tests|join(' ') }}"
+
+#
+# The HASH_FUNC option can be used to specify the command to use
+# for the file hash value check. It can be specified as just the
+# command name or the full pathname. If just the command name is
+# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
+# SHA512, then rkhunter will first look for the relevant command,
+# such as 'sha256sum', and then for 'sha256'. If neither of these
+# are found, it will then look to see if a perl module has been
+# installed which will support the relevant hash function. To see
+# which perl modules have been installed use the command
+# 'rkhunter --list perl'.
+#
+# The default is SHA1, or MD5 if SHA1 cannot be found.
+#
+# Systems using prelinking are restricted to using either the
+# SHA1 or MD5 function.
+#
+# A value of 'NONE' (in uppercase) can be specified to indicate that
+# no hash function should be used. Rootkit Hunter will detect this and
+# automatically disable the file hash checks.
+#
+# Examples:
+#   For Solaris 9 : HASH_FUNC=gmd5sum
+#   For Solaris 10: HASH_FUNC=sha1sum
+#   For AIX (>5.2): HASH_FUNC="csum -hMD5"
+#   For NetBSD    : HASH_FUNC="cksum -a sha512"
+#
+# NOTE: If the hash function is changed then you MUST run rkhunter with
+# the '--propupd' option to rebuild the file properties database.
+#
+#HASH_FUNC=sha1sum
+
+#
+# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
+# command output contains the hash value. The fields are assumed to
+# be space-separated. The default value is 1, but for *BSD users
+# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
+# has not been set. The option value must be an integer greater
+# than zero.
+#
+#HASH_FLD_IDX=4
+
+#
+# The PKGMGR option tells rkhunter to use the specified package manager
+# to obtain the file property information. This is used when updating
+# the file properties file ('rkhunter.dat'), and when running the file
+# properties check. For RedHat/RPM-based systems, 'RPM' can be used to
+# get information from the RPM database. For Debian-based systems 'DPKG'
+# can be used, for *BSD systems 'BSD' can be used, and for Solaris
+# systems 'SOLARIS' can be used. No value, or a value of 'NONE',
+# indicates that no package manager is to be used. The default is 'NONE'.
+#
+# The current package managers, except 'SOLARIS', store the file hash
+# values using an MD5 hash function. The Solaris package manager includes
+# a checksum value, but this is not used by default (see USE_SUNSUM below).
+#
+# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
+# The 'RPM' package manager additionally provides values for the inode,
+# file permissions, uid, gid and other values. The 'SOLARIS' also provides
+# most of the values, similar to 'RPM', but not the inode number.
+#
+# For any file not part of a package, rkhunter will revert to using the
+# HASH_FUNC hash function instead.
+#
+# Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# NONE is the default for Debian as well, as running --propupd takes
+# about 4 times longer when it's set to DPKG
+#
+#PKGMGR=NONE
+
+#
+# It is possible that a file which is part of a package may be modified
+# by the administrator. Typically this occurs for configuration files.
+# However, the package manager may list the file as being modified. For
+# the RPM package manager this may well depend on how the package was
+# built. This option specifies those pathnames which are to be exempt
+# from the package manager verification process, and which will be treated
+# as non-packaged files. As such, the file properties are still checked.
+#
+# This option only takes effect if the PKGMGR option has been set, and
+# is not 'NONE'.
+#
+# This is a space-separated list of pathnames. The option may
+# be specified more than once.
+#
+# Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+#PKGMGR_NO_VRFY=""
+
+#
+# This option can be used to tell rkhunter to ignore any prelink
+# dependency errors for the given commands. However, a warning will also
+# be issued if the error does not occur for a given command. As such
+# this option must only be used on commands which experience a persistent
+# problem.
+#
+# Short-term prelink dependency errors can usually be resolved simply by
+# running the 'prelink' command on the given pathname.
+#
+# NOTE: The command 'rkhunter --propupd' must be run whenever this option
+# is changed.
+#
+# This is a space-separated list of command pathnames. The option can be
+# specified more than once.
+#
+#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"
+
+#
+# If the 'SOLARIS' package manager is used, then it is possible to use
+# the checksum (hash) value stored for a file. However, this is only a
+# 16-bit checksum, and as such is not nearly as secure as, for example,
+# a SHA-2 value. For that reason, the checksum is not used by default,
+# and the hash function given by HASH_FUNC is used instead. To enable
+# this option, set its value to 1. The Solaris 'sum' command must be
+# present on the system if this option is used.
+#
+#USE_SUNSUM=0
+
+#
+# This option is a space-separated list of commands, directories and file
+# pathnames which will be included in the file properties checks.
+# This option can be specified more than once.
+#
+# Whenever this option is changed, 'rkhunter --propupd' must be run.
+#
+# Simple command names - for example, 'top' - and directory names are
+# added to the internal list of directories to be searched for each of
+# the command names in the command list. Additionally, full pathnames
+# to files, which need not be commands, may be given. Any files or
+# directories which are already part of the internal lists will be
+# silently ignored from the configuration.
+#
+# Normal globbing wildcards are allowed, except for simple command names.
+# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
+#
+# Specific files may be excluded by preceding their name with an
+# exclamation mark (!). For example, '!/opt/top'. By combining this
+# with wildcarding, whole directories can be excluded. For example,
+# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
+# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
+# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
+#
+# NOTE: Only files and directories which have been added by the user,
+# and are not part of the internal lists, can be excluded. So, for
+# example, it is not possible to exclude the 'ps' command by using
+# '!/bin/ps'. These will be silently ignored from the configuration.
+#
+#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
+#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
+#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
+#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
+#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
+#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
+#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
+
+#
+# This option whitelists files and directories from existing,
+# or not existing, on the system at the time of testing. This
+# option is used when the configuration file options themselves
+# are checked, and during the file properties check, the hidden
+# files and directories checks, and the filesystem check of the
+# '/dev' directory.
+#
+# This is a space-separated list of pathnames. The option may be
+# specified more than once. The option may use wildcard characters,
+# but be aware that this is probably not what you want to do as the
+# wildcarding will be expanded after files have been deleted. As
+# such deleted files won't be whitelisted if wildcarded.
+#
+# NOTE: The user must take into consideration how often the file will
+# appear and disappear from the system in relation to how often
+# rkhunter is run. If the file appears, and disappears, too often
+# then rkhunter may not notice this. All it will see is that the file
+# has changed. The inode-number and DTM will certainly be different
+# for each new file, and rkhunter will report this.
+#
+#EXISTWHITELIST=""
+
+#
+# Whitelist various attributes of the specified files.
+# The attributes are those of the 'attributes' test.
+# Specifying a file name here does not include it being
+# whitelisted for the write permission test (see below).
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#ATTRWHITELIST="/bin/ps /usr/bin/date"
+
+#
+# Allow the specified commands to have the 'others'
+# (world) permission have the write-bit set.
+#
+# For example, files with permissions r-xr-xrwx
+# or rwxrwxrwx.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#WRITEWHITELIST="/bin/ps /usr/bin/date"
+
+#
+# Allow the specified commands to be scripts.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+SCRIPTWHITELIST=/bin/egrep
+SCRIPTWHITELIST=/bin/fgrep
+SCRIPTWHITELIST=/bin/which
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/lwp-request
+SCRIPTWHITELIST=/usr/sbin/adduser
+SCRIPTWHITELIST=/usr/sbin/prelink
+
+#
+# Allow the specified commands to have the immutable attribute set.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown"
+
+#
+# If this option is set to 1, then the immutable-bit test is
+# reversed. That is, the files are expected to have the bit set.
+#
+IMMUTABLE_SET=0
+
+#
+# Allow the specified hidden directories to be whitelisted.
+#
+# This is a space-separated list of directory pathnames.
+# The option may be specified more than once. The option
+# may use wildcard characters.
+#
+ALLOWHIDDENDIR="/etc/.java"
+ALLOWHIDDENDIR="/dev/.udev"
+#ALLOWHIDDENDIR="/dev/.static"
+ALLOWHIDDENDIR="/dev/.initramfs"
+#ALLOWHIDDENDIR="/dev/.SRC-unix"
+ALLOWHIDDENDIR="/dev/.mdadm"
+ALLOWHIDDENDIR="/etc/.git"
+
+#
+# Allow the specified hidden files to be whitelisted.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+# 
+#ALLOWHIDDENFILE="/etc/.java"
+#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
+#ALLOWHIDDENFILE="/etc/.pwd.lock"
+#ALLOWHIDDENFILE="/etc/.init.state"
+#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
+#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
+#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
+#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
+#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
+#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
+#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
+#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
+#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
+#ALLOWHIDDENFILE="/etc/.gitignore"
+#ALLOWHIDDENFILE="/etc/.bzrignore"
+ALLOWHIDDENFILE="/etc/.etckeeper"
+ALLOWHIDDENFILE="/etc/.gitignore"
+
+#
+# Allow the specified processes to use deleted files. The
+# process name may be followed by a colon-separated list of
+# full pathnames. The process will then only be whitelisted
+# if it is using one of the given files. For example:
+#
+#     ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
+#
+# This is a space-separated list of process names. The option
+# may be specified more than once. The option may use wildcard
+# characters, but only in the file names.
+#
+#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
+#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2"
+#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*"
+#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin"
+#ALLOWPROCDELFILE="/usr/bin/file-roller"
+
+#
+# Allow the specified processes to listen on any network interface.
+#
+# This is a space-separated list of process names. The option
+# may be specified more than once.
+#
+#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
+#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
+#ALLOWPROCLISTEN="/usr/sbin/snort-plain"
+
+#
+# Allow the specified network interfaces to be in promiscuous mode.
+#
+# This is a space-separated list of interface names. The option may
+# be specified more than once.
+#
+#ALLOWPROMISCIF="eth0"
+
+#
+# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
+# The two allowed options are: THOROUGH or LAZY.
+# If commented out we do a THOROUGH scan which will increase the runtime.
+# Even though this adds to the running time it is highly recommended to
+# leave it like this.
+#
+#SCAN_MODE_DEV=THOROUGH
+
+#
+# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
+# perform a basic check, or a more thorough check. If the option is set to 0,
+# then a basic check is performed. If it is set to 1, then all the directries
+# in the /etc and /usr directories are scanned. The default value is 0. Users
+# should note that setting this option to 1 will cause the test to take longer
+# to complete.
+#
+PHALANX2_DIRTEST=0
+
+#
+# Allow the specified files to be present in the /dev directory,
+# and not regarded as suspicious.
+#
+# This is a space-separated list of pathnames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+ALLOWDEVFILE=/dev/shm/network/ifstate
+#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
+#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
+
+#
+# This setting tells rkhunter where the inetd configuration
+# file is located.
+#
+#INETD_CONF_PATH=/etc/inetd.conf
+
+#
+# Allow the following enabled inetd services.
+#
+# This is a space-separated list of service names. The option may
+# be specified more than once.
+#
+# For non-Solaris users the simple service name should be used.
+# For example:
+#
+#     INETD_ALLOWED_SVC=echo
+#
+# For Solaris 9 users the simple service name should also be used, but
+# if it is an RPC service, then the executable pathname should be used.
+# For example:
+#
+#     INETD_ALLOWED_SVC=imaps
+#     INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
+#
+# For Solaris 10 users the service/FMRI name should be used. For example:
+#
+#     INETD_ALLOWED_SVC=/network/rpc/meta
+#     INETD_ALLOWED_SVC=/network/rpc/metamed
+#     INETD_ALLOWED_SVC=/application/font/stfsloader
+#     INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
+#
+#INETD_ALLOWED_SVC=echo
+
+#
+# This setting tells rkhunter where the xinetd configuration
+# file is located.
+#
+#XINETD_CONF_PATH=/etc/xinetd.conf
+
+#
+# Allow the following enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing
+# we only have the pathname available. As such, these entries are
+# the xinetd file pathnames.
+#
+# This is a space-separated list of service names. The option may
+# be specified more than once.
+#
+#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
+
+#
+# This option tells rkhunter the local system startup file pathnames.
+# The directories will be searched for files. By default rkhunter
+# will use certain filenames and directories. If the option is set
+# to 'none', then certain tests will be skipped.
+#
+# This is a space-separated list of file and directory pathnames.
+# The option may be specified more than once. The option may use
+# wildcard characters.
+#
+#STARTUP_PATHS="/etc/init.d /etc/rc.local"
+
+#
+# This setting tells rkhunter the pathname to the file containing the
+# user account passwords. This setting will be worked out by rkhunter,
+# and so should not usually need to be set. Users of TCB shadow files
+# should not set this option.
+#
+#PASSWORD_FILE=/etc/shadow
+
+#
+# Allow the following accounts to be root equivalent. These accounts
+# will have a UID value of zero. The 'root' account does not need to
+# be listed as it is automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may
+# be specified more than once.
+#
+# NOTE: For *BSD systems you will probably need to use this option
+# for the 'toor' account.
+#
+#UID0_ACCOUNTS="toor rooty sashroot"
+
+#
+# Allow the following accounts to have no password. NIS/YP entries do
+# not need to be listed as they are automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may
+# be specified more than once.
+#
+#PWDLESS_ACCOUNTS="abc"
+
+#
+# This setting tells rkhunter the pathname to the syslog configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set. A value of 'NONE' can be used to indicate
+# that there is no configuration file, but that the syslog daemon process
+# may be running.
+#
+# This is a space-separated list of pathnames. The option may
+# be specified more than once.
+#
+#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+
+#
+# This option permits the use of syslog remote logging.
+#
+ALLOW_SYSLOG_REMOTE_LOGGING=0
+
+#
+# Allow the following applications, or a specific version of an application,
+# to be whitelisted. This option may be specified more than once, and is a
+# space-separated list consisting of the application names. If a specific
+# version is to be whitelisted, then the name must be followed by a colon
+# and then the version number. For example:
+#
+#     APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
+#
+# Note above that for the Apache web server, the name 'httpd' is used.
+#
+#APP_WHITELIST=""
+
+# 
+# Scan for suspicious files in directories containing temporary files and
+# directories posing a relatively higher risk due to user write access.
+# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
+# producing false positives. Do review all settings before usage.
+# Also be aware that running suspscan in combination with verbose logging on,
+# RKH's default, will show all ignored files.
+# Please consider adding all directories the user the (web)server runs as has 
+# write access to including the document root (example: "/var/www") and log
+# directories (example: "/var/log/httpd"). 
+#
+# This is a space-separated list of directory pathnames.
+# The option may be specified more than once.
+#
+SUSPSCAN_DIRS="/tmp /var/tmp"
+
+#
+# Directory for temporary files. A memory-based one is better (faster).
+# Do not use a directory name that is listed in SUSPSCAN_DIRS.
+# Please make sure you have a tempfs mounted and the directory exists.
+#
+SUSPSCAN_TEMP=/dev/shm
+
+#
+# Maximum filesize in bytes. Files larger than this will not be inspected.
+# Do make sure you have enough space left in your temporary files directory.
+#
+SUSPSCAN_MAXSIZE=10240000
+
+#
+# Score threshold. Below this value no hits will be reported.
+# A value of "200" seems "good" after testing on malware. Please adjust
+# locally if necessary. 
+#
+SUSPSCAN_THRESH=200
+
+#
+# The following option can be used to whitelist network ports which
+# are known to have been used by malware. This option may be specified
+# more than once. The option is a space-separated list of one or more
+# of four types of whitelisting. These are:
+#
+#   1) a 'protocol:port' pair       (e.g. TCP:25)
+#   2) a pathname to an executable  (e.g. /usr/sbin/squid)
+#   3) a combined pathname, protocol and port
+#                                   (e.g. /usr/sbin/squid:TCP:3801)
+#   4) an asterisk ('*')
+#
+# Only the UDP or TCP protocol may be specified, and the port number
+# must be between 1 and 65535 inclusive.
+#
+# The asterisk can be used to indicate that any executable which rkhunter
+# can locate as a command, is whitelisted. (See BINDIR in this file.)
+#
+# For example:
+#
+#     PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
+#
+# NOTE: In order to whitelist a pathname, or use the asterisk option,
+# the 'lsof' command must be present.
+#
+#PORT_WHITELIST=""
+
+#
+# The following option can be used to tell rkhunter where the operating
+# system 'release' file is located. This file contains information
+# specifying the current O/S version. RKH will store this information
+# itself, and check to see if it has changed between each run. If it has
+# changed, then the user is warned that RKH may issue warning messages
+# until RKH has been run with the '--propupd' option.
+#
+# Since the contents of the file vary according to the O/S distribution,
+# RKH will perform different actions when it detects the file itself. As
+# such, this option should not be set unless necessary. If this option is
+# specified, then RKH will assume the O/S release information is on the
+# first non-blank line of the file.
+#
+#OS_VERSION_FILE="/etc/debian_version"
+
+#
+# The following two options can be used to whitelist files and directories
+# that would normally be flagged with a warning during the various rootkit
+# and malware checks. If the file or directory name contains a space, then
+# the percent character ('%') must be used instead. Only existing files and
+# directories can be specified, and these must be full pathnames not links.
+#
+# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
+# file name (separated by a colon). This will then only whitelist that string
+# in that file (as part of the malware checks). For example:
+#
+#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
+#
+# If the option list includes the filename on its own as well, then the file
+# will be whitelisted from rootkit checks of the files existence, but still
+# only the specific string within the file will be whitelisted. For example:
+#
+#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
+#
+# To whitelist a file from the existence checks, but not from the strings
+# checks, then include the filename on its own and on its own but with
+# just a colon appended. For example:
+#
+#     RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# These are space-separated lists of file and directory pathnames.
+# The options may be specified more than once.
+#
+#RTKT_DIR_WHITELIST=""
+#RTKT_FILE_WHITELIST=""
+
+#
+# The following option can be used to whitelist shared library files that would
+# normally be flagged with a warning during the preloaded shared library check.
+# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
+# the LD_PRELOAD environment variable.
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# This is a space-separated list of library pathnames.
+# The option may be specified more than once.
+#
+#SHARED_LIB_WHITELIST="/lib/snoopy.so"
+
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command, then the following two options can be used. The value must be
+# set to 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
+#
+# In the file properties test any modification date/time is displayed as the
+# number of epoch seconds. Rkhunter will try and use the 'date' command, or
+# failing that the 'perl' command, to display the date and time in a
+# human-readable format as well. This option may be used if some other command
+# should be used instead. The given command must understand the '%s' and
+# 'seconds ago' options found in the GNU date command.
+#
+# A value of 'NONE' may be used to request that only the epoch seconds be shown.
+# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
+# it is present.
+#
+#EPOCH_DATE_CMD=""
+
+#
+# This setting tells rkhunter the directory containing the available
+# Linux kernel modules. This setting will be worked out by rkhunter,
+# and so should not usually need to be set.
+#
+#MODULES_DIR=""
+
+#
+# The following option can be set to a command which rkhunter will use when
+# downloading files from the Internet - that is, when the '--update' or
+# '--versioncheck' option is used. The command can take options.
+#
+# This allows the user to use a command other than the one automatically
+# selected by rkhunter, but still one which it already knows about.
+# For example:
+#
+#     WEB_CMD=curl
+#
+# Alternatively, the user may specify a completely new command. However, note
+# that rkhunter expects the downloaded file to be written to stdout, and that
+# everything written to stderr is ignored. For example:
+#
+#     WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
+#
+# *BSD users may want to use the 'ftp' command, provided that it supports
+# the HTTP protocol:
+#
+#     WEB_CMD="ftp -o -"
+#
+#WEB_CMD=""
+
+#
+# Set the following option to 0 if you do not want to receive a warning if
+# any O/S information has changed since the last run of 'rkhunter --propupd'.
+# The warnings occur during the file properties check. The default is to
+# issue a warning if something has changed.
+#
+#WARN_ON_OS_CHANGE=1
+
+#
+# Set the following option to 1 if you want rkhunter to automatically run
+# a file properties update ('--propupd') if the O/S has changed. Detection
+# of an O/S change occurs during the file properties check. The default is
+# not to do an automatic update.
+#
+# WARNING: Only set this option if you are sure that the update will work
+# correctly. That is, that the database directory is writeable, that a valid
+# hash function is available, and so on. This can usually be checked simply
+# by running 'rkhunter --propupd' at least once.
+#
+#UPDT_ON_OS_CHANGE=0
+
+#
+# Set the following option to 1 if locking is to be used when rkhunter runs.
+# The lock is set just before logging starts, and is removed when the program
+# ends. It is used to prevent items such as the log file, and the file
+# properties file, from becoming corrupted if rkhunter is running more than
+# once. The mechanism used is to simply create a lock file in the TMPDIR
+# directory. If the lock file already exists, because rkhunter is already
+# running, then the current process simply loops around sleeping for 10 seconds
+# and then retrying the lock.
+#
+# The default is not to use locking.
+#
+USE_LOCKING=0
+
+#
+# If locking is used, then rkhunter may have to wait to get the lock file.
+# This option sets the total amount of time, in seconds, that rkhunter should
+# wait. It will retry the lock every 10 seconds, until either it obtains the
+# lock or the timeout value has been reached. If no value is set, then a
+# default of 300 seconds (5 minutes) is used.
+#
+LOCK_TIMEOUT=300
+
+#
+# If locking is used, then rkhunter may be doing nothing for some time if it
+# has to wait for the lock. Some simple messages are echo'd to the users screen
+# to let them know that rkhunter is waiting for the lock. Set this option to 0
+# if the messages are not to be displayed. The default is to show them.
+#
+SHOW_LOCK_MSGS=1
+
+#
+# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
+# will search (on a per rootkit basis) for filenames in all of the directories (as defined
+# by the result of running 'find / -xdev'). While still not optimal, as it 
+# still searches for only file names as opposed to file contents, this is one step away
+# from the rigidity of searching in known (evidence) or default (installation) locations.
+#
+# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
+#
+# You should only activate this feature as part of a more thorough investigation which
+# should be based on relevant best practices and procedures. 
+#
+# Enabling this feature implies you have the knowledge to interpret the results properly. 
+#
+#SCANROOTKITMODE=THOROUGH
+
+#
+# The following option can be set to the name(s) of the tests the 'unhide' command is
+# to use. In order to maintain compatibility with older versions of 'unhide', this
+# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
+# will only take effect when they are seen. The test names are a space-separated list,
+# and will be executed in the order given.
+#
+#UNHIDE_TESTS="sys"
+
+#
+# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
+# is possible to disable the execution of one of the programs if desired. By default
+# rkhunter will look for both programs, and execute each of them as they are found.
+# If the value of this option is 0, then both programs will be executed if they are
+# present. A value of 1 will disable execution of the C 'unhide' program, and a value
+# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
+# both programs, then disable the 'hidden_procs' test.
+#
+DISABLE_UNHIDE=1
+
+INSTALLDIR="/usr"
+

+ 860 - 0
roles/common/templates/rkhunter/squeeze.conf.j2

@@ -0,0 +1,860 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+#
+# This is the main configuration file for Rootkit Hunter.
+#
+# You can either modify this file directly, or you can create a local
+# configuration file. The local file must be named 'rkhunter.conf.local',
+# and must reside in the same directory as this file. Please modify one
+# or both files to your own requirements.
+#
+# Please review the documentation before posting bug reports or questions.
+# To report bugs, obtain updates, or provide patches or comments, please go to:
+# http://rkhunter.sourceforge.net
+#
+# To ask questions about rkhunter, please use the rkhunter-users mailing list.
+# Note this is a moderated list: please subscribe before posting.
+#
+# Lines beginning with a hash (#), and blank lines, are ignored.
+# End-of-line comments are not supported.
+#
+# Most of the following options need only be specified once. If
+# they appear more than once, then the last one seen will be used.
+# Some options are allowed to appear more than once, and the text
+# describing the option will say if this is so.
+#
+
+
+#
+# If this option is set to 1, it specifies that the mirrors file
+# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
+# options are used, is to be rotated. Rotating the entries in the file
+# allows a basic form of load-balancing between the mirror sites whenever
+# the above options are used.
+# If the option is set to 0, then the mirrors will be treated as if in
+# a priority list. That is, the first mirror listed will always be used
+# first. The second mirror will only be used if the first mirror fails,
+# the third mirror will only be used if the second mirror fails, and so on.
+#
+# If the mirrors file is read-only, then the '--versioncheck' command-line
+# option can only be used if this option is set to 0.
+#
+ROTATE_MIRRORS=1
+
+#
+# If this option is set to 1, it specifies that when the '--update'
+# option is used, then the mirrors file is to be checked for updates
+# as well. If the current mirrors file contains any local mirrors,
+# these will be prepended to the updated file.
+# If this option is set to 0, the mirrors file can only be updated
+# manually. This may be useful if only using local mirrors.
+#
+UPDATE_MIRRORS=1
+
+#
+# The MIRRORS_MODE option tells rkhunter which mirrors are to be
+# used when the '--update' or '--versioncheck' command-line options
+# are given. Possible values are:
+#     0 - use any mirror (the default)
+#     1 - only use local mirrors
+#     2 - only use remote mirrors
+#
+# Local and remote mirrors can be defined in the mirrors file
+# by using the 'local=' and 'remote=' keywords respectively.
+#
+MIRRORS_MODE=0
+
+#
+# Email a message to this address if a warning is found when the
+# system is being checked. Multiple addresses may be specified
+# simply be separating them with a space. Setting this option to
+# null disables the option.
+#
+# NOTE: This option should be present in the configuration file.
+#
+#MAIL-ON-WARNING=me@mydomain   root@mydomain
+MAIL-ON-WARNING=""
+
+#
+# Specify the mail command to use if MAIL-ON-WARNING is set.
+# NOTE: Double quotes are not required around the command, but
+# are required around the subject line if it contains spaces.
+#
+MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+
+#
+# Specify the temporary directory to use.
+#
+# NOTE: Do not use /tmp as your temporary directory. Some
+# important files will be written to this directory, so be
+# sure that the directory permissions are tight.
+#
+TMPDIR=/var/lib/rkhunter/tmp
+
+#
+# Specify the database directory to use.
+#
+DBDIR=/var/lib/rkhunter/db
+
+#
+# Specify the script directory to use.
+#
+SCRIPTDIR=/usr/share/rkhunter/scripts
+
+#
+# Specify the root directory to use.
+#
+#ROOTDIR=""
+
+#
+# Specify the command directories to be checked. This is a
+# space-separated list of directories.
+#
+BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
+
+#
+# Specify the default language to use. This should be similar
+# to the ISO 639 language code.
+#
+# NOTE: Please ensure that the language you specify is supported.
+#       For a list of supported languages use the following command:
+#
+#           rkhunter --lang en --list languages
+#
+#LANGUAGE=en
+
+#
+# This option is a space-separated list of the languages that are to
+# be updated when the '--update' option is used. If unset, then all
+# the languages will be updated. If none of the languages are to be
+# updated, then set this option to just 'en'.
+#
+# The default is for all the languages to be updated. The default
+# language, specified above, and the English (en) language file will
+# always be updated regardless of this option.
+#
+UPDATE_LANG=""
+
+#
+# Specify the log file pathname.
+#
+# NOTE: This option should be present in the configuration file.
+#
+LOGFILE=/var/log/rkhunter.log
+
+#
+# Set the following option to 1 if the log file is to be appended to
+# whenever rkhunter is run.
+#
+APPEND_LOG=0
+
+#
+# Set the following option to 1 if the log file is to be copied when
+# rkhunter finishes and an error or warning has occurred. The copied
+# log file name will be appended with the current date and time
+# (in YYYY-MM-DD_HH:MM:SS format).
+# For example: rkhunter.log.2009-04-21_00:57:51
+#
+COPY_LOG_ON_ERROR=0
+
+#
+# Set the following option to enable the rkhunter check start and finish
+# times to be logged by syslog. Warning messages will also be logged.
+# The value of the option must be a standard syslog facility and
+# priority, separated by a dot.
+#
+# For example: USE_SYSLOG=authpriv.warning
+#
+# Setting the value to 'none', or just leaving the option commented out,
+# disables the use of syslog.
+#
+#USE_SYSLOG=authpriv.notice
+
+#
+# Set the following option to 1 if the second colour set is to be used.
+# This can be useful if your screen uses black characters on a white
+# background (for example, a PC instead of a server).
+#
+COLOR_SET2=0
+
+#
+# Set the following option to 0 if rkhunter should not detect if X is
+# being used. If X is detected as being used, then the second colour
+# set will automatically be used.
+#
+AUTO_X_DETECT=1
+
+#
+# Set the following option to 1 if it is wanted that any 'Whitelisted'
+# results are shown in white rather than green. For colour set 2 users,
+# setting this option will cause the result to be shown in black.
+#
+WHITELISTED_IS_WHITE=0
+
+#
+# The following option is checked against the SSH configuration file
+# 'PermitRootLogin' option. A warning will be displayed if they do not
+# match. However, if a value has not been set in the SSH configuration
+# file, then a value here of 'yes' or 'unset' will not cause a warning.
+# This option has a default value of 'no'.
+#
+ALLOW_SSH_ROOT_USER=without-password
+
+#
+# Set this option to '1' to allow the use of the SSH-1 protocol, but note
+# that theoretically it is weaker, and therefore less secure, than the
+# SSH-2 protocol. Do not modify this option unless you have good reasons
+# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
+# authentication). If the 'Protocol' option has not been set in the SSH
+# configuration file, then a value of '2' may be set here in order to
+# suppress a warning message. This option has a default value of '0'.
+#
+ALLOW_SSH_PROT_V1=0
+
+#
+# This setting tells rkhunter the directory containing the SSH configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+#SSH_CONFIG_DIR=/etc/ssh
+
+#
+# These two options determine which tests are to be performed.
+# The ENABLE_TESTS option can use the word 'all' to refer to all the
+# available tests. The DISABLE_TESTS option can use the word 'none' to
+# mean that no tests are disabled. The list of disabled tests is applied to
+# the list of enabled tests. Both options are space-separated lists of test
+# names. The currently available test names can be seen by using the command
+# 'rkhunter --list tests'.
+#
+# The program defaults are to enable all tests and disable none. However, if
+# either option is specified in this file, then it overrides the program
+# default. The supplied rkhunter.conf file has some tests already disabled,
+# and these are tests that will be used only incidentally, can be considered
+# "advanced" or those that are prone to produce more than the "average" number
+# of "false positives".
+#
+# Please read the README file for more details about enabling and disabling
+# tests, the test names, and how rkhunter behaves when these options are used.
+#
+# hidden_procs test requires the unhide command which is part of the unhide
+# package in Debian.
+#
+# apps test is disabled by default as it triggers warnings about outdated 
+# applications (and warns about possible security risk: we better trust
+# the Debian Security Team).
+#
+ENABLE_TESTS="all"
+{% set disable_tests = [] %}
+{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'guest' -%}
+  {% if disable_tests.append('os_specific') %}{% endif %}
+{%- endif %}
+{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'host' -%}
+    {% if disable_tests.append('promisc') %}{% endif %}
+{%- endif %}
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps {{ disable_tests|join(' ') }}"
+
+#
+# The HASH_FUNC option can be used to specify the command to use
+# for the file hash value check. It can be specified as just the
+# command name or the full pathname. If just the command name is
+# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
+# SHA512, then rkhunter will first look for the relevant command,
+# such as 'sha256sum', and then for 'sha256'. If neither of these
+# are found, it will then look to see if a perl module has been
+# installed which will support the relevant hash function.
+#
+# The default is SHA1, or MD5 if SHA1 cannot be found.
+#
+# Systems using prelinking are restricted to using either the
+# SHA1 or MD5 function.
+#
+# A value of 'NONE' (in uppercase) can be specified to indicate that
+# no hash function should be used. Rootkit Hunter will detect this and
+# automatically disable the file hash checks.
+#
+# Examples:
+#   For Solaris 9 : HASH_FUNC=gmd5sum
+#   For Solaris 10: HASH_FUNC=sha1sum
+#   For AIX (>5.2): HASH_FUNC="csum -hMD5"
+#   For NetBSD    : HASH_FUNC="cksum -a sha512"
+#
+# NOTE: If the hash function is changed then you MUST run rkhunter with
+#       the '--propupd' option to rebuild the file properties database.
+#
+#HASH_FUNC=sha1sum
+
+#
+# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
+# command output contains the hash value. The fields are assumed to
+# be space-separated. The default value is one, but for *BSD users
+# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
+# has not been set. The option value must be a positive integer.
+#
+#HASH_FLD_IDX=4
+
+#
+# The PKGMGR option tells rkhunter to use the specified package manager
+# to obtain the file property information. This is used when updating
+# the file properties file ('rkhunter.dat'), and when running the file
+# properties check. For RedHat/RPM-based systems, 'RPM' can be used
+# to get information from the RPM database. For Debian-based systems
+# 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
+# No value, or a value of 'NONE', indicates that no package manager
+# is to be used. The default is 'NONE'.
+#
+# The current package managers store the file hash values using an
+# MD5 hash function.
+#
+# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
+# The 'RPM' package manager additionally provides values for the inode,
+# file permissions, uid, gid and other values.
+#
+# For any file not part of a package, rkhunter will revert to using
+# the HASH_FUNC hash function instead.
+#
+# Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# NONE is the default for Debian as well, as running --propupd takes
+# about 4 times longer when it's set to DPKG
+#
+#PKGMGR=NONE
+
+#
+# It is possible that a file which is part of a package may be modified
+# by the administrator. Typically this occurs for configuration files.
+# However, the RPM verify function may list the file as being modified,
+# it does for some but not for others depending on how the package was
+# built. The PKGMGR_NO_VRFY option is a space-separated list of file
+# pathnames which are to be exempt from the package manager verification
+# process, and which will be treated as non-packaged files. As such, the
+# files properties are still checked.
+#
+# This option may be used more than once. It only takes effect if the
+# PKGMGR option has been set, and is not 'NONE'.
+#
+# Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+#PKGMGR_NO_VRFY=""
+
+#
+# This option is a space-separated list of command pathnames. Rkhunter will
+# ignore any prelink dependency errors for the given files. However, a
+# warning will be issued if the error does not occur. As such this option
+# must only be used on commands which experience a persistent problem.
+#
+# Short-term prelink dependency errors can usually be resolved simply by
+# running the prelink command on the given pathname.
+#
+# NOTE: The command 'rkhunter --propupd' must be run whenever this option
+# is changed.
+#
+#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"
+
+#
+# This option is a space-separated list of commands, directories and file
+# pathnames. This option can be specified more than once.
+#
+# Whenever this option is changed, 'rkhunter --propupd' must be run.
+#
+# Simple command names - for example, 'top' - and directory names are
+# added to the internal list of directories to be searched for each of
+# the command names in the command list. Additionally, full pathnames
+# to files, which need not be commands, may be given. Any files or
+# directories which are already part of the internal lists will be
+# silently ignored from the configuration.
+#
+# Normal globbing wildcards are allowed, except for simple command names.
+# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
+#
+# Specific files may be excluded by preceding their name with an
+# exclamation mark (!). For example, '!/opt/top'. By combining this
+# with wildcarding, whole directories can be excluded. For example,
+# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
+# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
+# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
+#
+# NOTE: Only files and directories which have been added by the user,
+# and are not part of the internal lists, can be excluded. So, for
+# example, it is not possible to exclude the 'ps' command by using
+# '!/bin/ps'. These will be silently ignored from the configuration.
+#
+#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
+#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
+#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
+#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
+#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
+#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
+#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
+
+#
+# Whitelist various attributes of the specified files.
+# The attributes are those of the 'attributes' test.
+# Specifying a file name here does not include it being
+# whitelisted for the write permission test below.
+# One command per line (use multiple ATTRWHITELIST lines).
+#
+#ATTRWHITELIST=/bin/ps
+
+#
+# Allow the specified commands to have the 'others'
+# (world) permission have the write-bit set.
+#
+# For example, files with permissions r-xr-xrwx
+# or rwxrwxrwx.
+#
+# One command per line (use multiple WRITEWHITELIST lines).
+#
+#WRITEWHITELIST=/bin/ps
+
+#
+# Allow the specified commands to be scripts.
+# One command per line (use multiple SCRIPTWHITELIST lines).
+#
+SCRIPTWHITELIST=/bin/egrep
+SCRIPTWHITELIST=/bin/fgrep
+SCRIPTWHITELIST=/bin/which
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/lwp-request
+SCRIPTWHITELIST=/usr/sbin/adduser
+SCRIPTWHITELIST=/usr/sbin/prelink
+
+#
+# Allow the specified commands to have the immutable attribute set.
+# One command per line (use multiple IMMUTWHITELIST lines).
+#
+#IMMUTWHITELIST=/sbin/ifup
+
+#
+# Allow the specified hidden directories.
+# One directory per line (use multiple ALLOWHIDDENDIR lines).
+#
+ALLOWHIDDENDIR=/etc/.java
+ALLOWHIDDENDIR=/dev/.udev
+#ALLOWHIDDENDIR=/dev/.udevdb
+#ALLOWHIDDENDIR=/dev/.udev.tdb
+#ALLOWHIDDENDIR=/dev/.static
+ALLOWHIDDENDIR=/dev/.initramfs
+#ALLOWHIDDENDIR=/dev/.SRC-unix
+ALLOWHIDDENDIR=/dev/.mdadm
+ALLOWHIDDENDIR=/dev/.git
+
+#
+# Allow the specified hidden files.
+# One file per line (use multiple ALLOWHIDDENFILE lines).
+# 
+#ALLOWHIDDENFILE=/etc/.java
+#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+#ALLOWHIDDENFILE=/etc/.pwd.lock
+#ALLOWHIDDENFILE=/etc/.init.state
+#ALLOWHIDDENFILE=/lib/.libcrypto.so.0.9.8e.hmac
+#ALLOWHIDDENFILE=/lib/.libcrypto.so.6.hmac
+#ALLOWHIDDENFILE=/lib/.libssl.so.0.9.8e.hmac
+#ALLOWHIDDENFILE=/lib/.libssl.so.6.hmac
+#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
+#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
+#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.hmac
+#ALLOWHIDDENFILE=/usr/lib/.libgcrypt.so.11.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha384hmac.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha512hmac.hmac
+#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
+#ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
+ALLOWHIDDENFILE=/etc/.etckeeper
+ALLOWHIDDENFILE=/etc/.gitignore
+
+#
+# Allow the specified processes to use deleted files.
+# One process per line (use multiple ALLOWPROCDELFILE lines).
+#
+# The process name may be followed by a colon-separated list
+# of full pathnames. The process will then only be whitelisted
+# if it is using one of the given files. For example:
+#
+#     ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
+#
+#ALLOWPROCDELFILE=/sbin/cardmgr
+#ALLOWPROCDELFILE=/usr/sbin/gpm
+#ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
+#ALLOWPROCDELFILE=/usr/sbin/mysqld
+#ALLOWPROCDELFILE=/usr/lib/iceweasel/firefox-bin
+#ALLOWPROCDELFILE=/usr/bin/file-roller
+
+#
+# Allow the specified network interfaces to be in promiscuous mode.
+# This is a space-separated list of interface names.
+#
+#ALLOWPROMISCIF="eth0"
+
+#
+# Allow the specified processes to listen on any network interface.
+# One process per line (use multiple ALLOWPROCLISTEN lines).
+#
+#ALLOWPROCLISTEN=/usr/sbin/pppoe
+#ALLOWPROCLISTEN=/usr/sbin/tcpdump
+#ALLOWPROCLISTEN=/usr/sbin/snort-plain
+#ALLOWPROCLISTEN=/sbin/dhclient3
+#ALLOWPROCLISTEN=/sbin/dhcpcd
+
+#
+# SCAN_MODE_DEV governs how we scan /dev for suspicious files.
+# The two allowed options are: THOROUGH or LAZY.
+# If commented out we do a THOROUGH scan which will increase the runtime.
+# Even though this adds to the running time it is highly recommended to
+# leave it like this.
+#
+#SCAN_MODE_DEV=THOROUGH
+
+#
+# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
+# perform a basic check, or a more thorough check. If the option is set to 0,
+# then a basic check is performed. If it is set to 1, then all the directries
+# in the /etc and /usr directories are scanned. The default value is 0. Users
+# should note that setting this option to 1 will cause the test to take longer
+# to complete.
+#
+#PHALANX2_DIRTEST=0
+
+#
+# Allow the specified files to be present in the /dev directory,
+# and not regarded as suspicious. One file per line (use multiple
+# ALLOWDEVFILE lines).
+#
+ALLOWDEVFILE=/dev/shm/network/ifstate
+#ALLOWDEVFILE=/dev/abc
+#ALLOWDEVFILE=/dev/shm/pulse-shm-*
+#ALLOWDEVFILE=/dev/shm/sem.ADBE_ReadPrefs_*
+#ALLOWDEVFILE=/dev/shm/sem.ADBE_REL_*
+#ALLOWDEVFILE=/dev/shm/sem.ADBE_WritePrefs_*
+
+#
+# This setting tells rkhunter where the inetd configuration
+# file is located.
+#
+#INETD_CONF_PATH=/etc/inetd.conf
+
+#
+# Allow the following enabled inetd services.
+# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
+#
+# For non-Solaris users the simple service name should be used.
+# For example:
+#
+#     INETD_ALLOWED_SVC=echo
+#
+# For Solaris 9 users the simple service name should also be used, but
+# if it is an RPC service, then the executable pathname should be used.
+# For example:
+#
+#     INETD_ALLOWED_SVC=imaps
+#     INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
+#     INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
+#
+# For Solaris 10 users the service/FMRI name should be used. For example:
+#
+#     INETD_ALLOWED_SVC=/network/rpc/meta
+#     INETD_ALLOWED_SVC=/network/rpc/metamed
+#     INETD_ALLOWED_SVC=/application/font/stfsloader
+#     INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
+#
+#INETD_ALLOWED_SVC=echo
+#INETD_ALLOWED_SVC=/usr/sbin/tcpd
+
+#
+# This setting tells rkhunter where the xinetd configuration
+# file is located.
+#
+#XINETD_CONF_PATH=/etc/xinetd.conf
+
+#
+# Allow the following enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing
+# we only have the pathname available. As such, these entries are
+# the xinetd file pathnames.
+# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
+#
+#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
+
+#
+# This option tells rkhunter the local system startup file pathnames.
+# It is a space-separated list of files and directories. The directories
+# will be searched for files. By default rkhunter will use certain
+# filenames and directories. If the option is set to 'none', then
+# certain tests will be skipped.
+#
+#STARTUP_PATHS="/etc/init.d /etc/rc.local"
+
+#
+# This setting tells rkhunter the pathname to the file containing the
+# user account passwords. This setting will be worked out by rkhunter,
+# and so should not usually need to be set. Users of TCB shadow files
+# should not set this option.
+#
+#PASSWORD_FILE=/etc/shadow
+
+#
+# Allow the following accounts to be root equivalent. These accounts
+# will have a UID value of zero. This option is a space-separated list
+# of account names. The 'root' account does not need to be listed as it
+# is automatically whitelisted.
+#
+# NOTE: For *BSD systems you may need to enable this for the 'toor' account.
+#
+#UID0_ACCOUNTS="toor rooty sashroot"
+
+#
+# Allow the following accounts to have no password. This option is a
+# space-separated list of account names. NIS/YP entries do not need to
+# be listed as they are automatically whitelisted.
+#
+#PWDLESS_ACCOUNTS="abc"
+
+#
+# This setting tells rkhunter the pathname to the syslog configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set. A value of 'NONE' can be used to indicate
+# that there is no configuration file, but that the syslog daemon process
+# may be running.
+#
+#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+
+#
+# This option permits the use of syslog remote logging.
+#
+ALLOW_SYSLOG_REMOTE_LOGGING=0
+
+#
+# Allow the following applications, or a specific version of an application,
+# to be whitelisted. This option is a space-separated list consisting of the
+# application names. If a specific version is to be whitelisted, then the
+# name must be followed by a colon and then the version number.
+#
+# For example: APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
+#
+# Note above that for the Apache web server, the name 'httpd' is used.
+#
+#APP_WHITELIST=""
+
+# 
+# Scan for suspicious files in directories containing temporary files and
+# directories posing a relatively higher risk due to user write access.
+# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
+# producing false positives. Do review all settings before usage.
+# Also be aware that running suspscan in combination with verbose logging on,
+# RKH's default, will show all ignored files.
+# Please consider adding all directories the user the (web)server runs as has 
+# write access to including the document root (example: "/var/www") and log
+# directories (example: "/var/log/httpd"). 
+#
+# A space-separated list of directories to scan.
+#
+SUSPSCAN_DIRS="/tmp /var/tmp"
+
+#
+# Directory for temporary files. A memory-based one is better (faster).
+# Do not use a directory name that is listed in SUSPSCAN_DIRS.
+# Please make sure you have a tempfs mounted and the directory exists.
+#
+SUSPSCAN_TEMP=/dev/shm
+
+#
+# Maximum filesize in bytes. Files larger than this will not be inspected.
+# Do make sure you have enough space left in your temporary files directory.
+#
+SUSPSCAN_MAXSIZE=10240000
+
+#
+# Score threshold. Below this value no hits will be reported.
+# A value of "200" seems "good" after testing on malware. Please adjust
+# locally if necessary. 
+#
+SUSPSCAN_THRESH=200
+
+#
+# The following option can be used to whitelist network ports which
+# are known to have been used by malware. The option is a space-
+# separated list of one or more of three types of whitelisting.
+# These are:
+#
+#   1) a 'protocol:port' pair       (e.g. TCP:25)
+#   2) a pathname to an executable  (e.g. /usr/sbin/squid)
+#   3) an asterisk ('*')
+#
+# Only the UDP or TCP protocol may be specified, and the port number
+# must be between 1 and 65535 inclusive.
+#
+# The asterisk can be used to indicate that any executable in a trusted
+# path directory will be whitelisted. A trusted path directory is one which
+# rkhunter uses to locate commands. It is composed of the root PATH
+# environment variable, and the BINDIR command-line or configuration
+# file option.
+#
+# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
+#
+#PORT_WHITELIST=""
+
+#
+# The following option can be used to tell rkhunter where the operating
+# system 'release' file is located. This file contains information
+# specifying the current O/S version. RKH will store this information
+# itself, and check to see if it has changed between each run. If it has
+# changed, then the user is warned that RKH may issue warning messages
+# until RKH has been run with the '--propupd' option.
+#
+# Since the contents of the file vary according to the O/S distribution,
+# RKH will perform different actions when it detects the file itself. As
+# such, this option should not be set unless necessary. If this option is
+# specified, then RKH will assume the O/S release information is on the
+# first non-blank line of the file.
+#
+#OS_VERSION_FILE="/etc/debian_version"
+
+#
+# The following two options can be used to whitelist files and directories
+# that would normally be flagged with a warning during the rootkit and
+# malware checks. They are both space-separated lists, and as such if the
+# file or directory name contains a space, then the percent character ('%')
+# must be used instead. Only existing files and directories can be specified,
+# and these must be full pathnames not links.
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+#RTKT_DIR_WHITELIST=""
+#RTKT_FILE_WHITELIST=""
+
+#
+# The following option can be used to whitelist shared library files that would
+# normally be flagged with a warning during the preloaded shared library check.
+# These library pathnames usually exist in the '/etc/ld.so.preload' file. This is
+# a space-separated list of library pathnames.
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+#SHARED_LIB_WHITELIST="/lib/snoopy.so"
+
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command, then the following two options can be used. The value must be
+# set to 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
+#
+# In the file properties test any modification date/time is displayed as the
+# number of epoch seconds. Rkhunter will try and use the 'date' command, or
+# failing that the 'perl' command, to display the date and time in a
+# human-readable format as well. This option may be used if some other command
+# should be used instead. The given command must understand the '%s' and
+# 'seconds ago' options found in the GNU date command.
+#
+# A value of 'NONE' may be used to request that only the epoch seconds be shown.
+# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
+# it is present.
+#
+#EPOCH_DATE_CMD=""
+
+#
+# This setting tells rkhunter the directory containing the available
+# kernel modules. This setting will be worked out by rkhunter, and
+# so should not usually need to be set.
+#
+#MODULES_DIR=""
+
+#
+# The following option can be set to a command which rkhunter will use when
+# downloading files from the Internet - that is, when the '--update' or
+# '--versioncheck' option is used. The command can take options.
+#
+# This allows the user to use a command other than the one automatically
+# selected by rkhunter, but still one which it already knows about.
+#
+# For example: WEBCMD=curl
+#
+# Alternatively, the user may specify a completely new command. However, note
+# that rkhunter expects the downloaded file to be written to stdout, and that
+# everything written to stderr is ignored.
+#
+# For example: WEBCMD="/opt/bin/dlfile --timeout 5m -q"
+#
+#WEBCMD=""
+
+#
+# Set the following option to 0 if you do not want to receive a warning if
+# any O/S information has changed since the last run of 'rkhunter --propupd'.
+# The warnings occur during the file properties check. The default is to
+# issue a warning if something has changed.
+#
+#WARN_ON_OS_CHANGE=1
+
+#
+# Set the following option to 1 if you want rkhunter to automatically run
+# a file properties update ('--propupd') if the O/S has changed. Detection
+# of an O/S change occurs during the file properties check. The default is
+# not to do an automatic update.
+#
+# WARNING: Only set this option if you are sure that the update will work
+# correctly. That is, that the database directory is writeable, that a valid
+# hash function is available, and so on. This can usually be checked simply
+# by running 'rkhunter --propupd' at least once.
+#
+#UPDT_ON_OS_CHANGE=0
+
+#
+# Set the following option to 1 if locking is to be used when rkhunter runs.
+# The lock is set just before logging starts, and is removed when the program
+# ends. It is used to prevent items such as the log file, and the file
+# properties file, from becoming corrupted if rkhunter is running more than
+# once. The mechanism used is to simply create a lock file in the TMPDIR
+# directory. If the lock file already exists, because rkhunter is already
+# running, then the current process simply loops around sleeping for 10 seconds
+# and then retrying the lock.
+#
+# The default is not to use locking.
+#
+USE_LOCKING=0
+
+#
+# If locking is used, then rkhunter may have to wait to get the lock file.
+# This option sets the total amount of time, in seconds, that rkhunter should
+# wait. It will retry the lock every 10 seconds, until either it obtains the
+# lock or the timeout value has been reached. If no value is set, then a
+# default of 300 seconds (5 minutes) is used.
+#
+LOCK_TIMEOUT=300
+
+#
+# If locking is used, then rkhunter may be doing nothing for some time if it
+# has to wait for the lock. Some simple messages are echo'd to the users screen
+# to let them know that rkhunter is waiting for the lock. Set this option to 0
+# if the messages are not to be displayed. The default is to show them.
+#
+SHOW_LOCK_MSGS=1
+
+#
+# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit()  function
+# will search (on a per rootkit basis) for filenames in all of the directories (as defined
+# by the result of running 'find "${RKHROOTDIR}/" -xdev'). While still not optimal, as it 
+# still searches for only file names as opposed to file contents, this is one step away
+# from the rigidity of searching in known (evidence) or default (installation) locations.
+#
+# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT
+# You should only activate this feature as part of a more thorough investigation which
+# should be based on relevant best practices and procedures. 
+# Enabling this feature implies you have the knowledge to interprete results properly. 
+#
+#SCANROOTKITMODE=THOROUGH
+
+INSTALLDIR="/usr"
+

+ 1020 - 0
roles/common/templates/rkhunter/wheezy.conf.j2

@@ -0,0 +1,1020 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+#
+# This is the main configuration file for Rootkit Hunter.
+#
+# You can either modify this file directly, or you can create a local
+# configuration file. The local file must be named 'rkhunter.conf.local',
+# and must reside in the same directory as this file. Please modify one
+# or both files to your own requirements. It is suggested that the
+# command 'rkhunter -C' is run after any changes have been made.
+#
+# Please review the documentation before posting bug reports or questions.
+# To report bugs, obtain updates, or provide patches or comments, please go to:
+# http://rkhunter.sourceforge.net
+#
+# To ask questions about rkhunter, please use the rkhunter-users mailing list.
+# Note this is a moderated list: please subscribe before posting.
+#
+# Lines beginning with a hash (#), and blank lines, are ignored.
+# End-of-line comments are not supported.
+#
+# Most of the following options need only be specified once. If
+# they appear more than once, then the last one seen will be used.
+# Some options are allowed to appear more than once, and the text
+# describing the option will say if this is so.
+#
+# Some of the options are space-separated lists of pathnames. If
+# wildcard characters (globbing) are allowed in the list, then the
+# text describing the option will say so.
+#
+# Space-separated lists may be enclosed by quotes, but these must only
+# appear at the start and end of the list, not in the middle.
+#
+# For example:    XXX="abc  def  gh"        (correct)
+#                 XXX="abc"  "def"  "gh"    (incorrect)
+#
+
+
+#
+# If this option is set to 1, it specifies that the mirrors file
+# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
+# options are used, is to be rotated. Rotating the entries in the file
+# allows a basic form of load-balancing between the mirror sites whenever
+# the above options are used.
+# If the option is set to 0, then the mirrors will be treated as if in
+# a priority list. That is, the first mirror listed will always be used
+# first. The second mirror will only be used if the first mirror fails,
+# the third mirror will only be used if the second mirror fails, and so on.
+#
+# If the mirrors file is read-only, then the '--versioncheck' command-line
+# option can only be used if this option is set to 0.
+#
+ROTATE_MIRRORS=1
+
+#
+# If this option is set to 1, it specifies that when the '--update'
+# option is used, then the mirrors file is to be checked for updates
+# as well. If the current mirrors file contains any local mirrors,
+# these will be prepended to the updated file.
+# If this option is set to 0, the mirrors file can only be updated
+# manually. This may be useful if only using local mirrors.
+#
+UPDATE_MIRRORS=1
+
+#
+# The MIRRORS_MODE option tells rkhunter which mirrors are to be
+# used when the '--update' or '--versioncheck' command-line options
+# are given. Possible values are:
+#     0 - use any mirror (the default)
+#     1 - only use local mirrors
+#     2 - only use remote mirrors
+#
+# Local and remote mirrors can be defined in the mirrors file
+# by using the 'local=' and 'remote=' keywords respectively.
+#
+MIRRORS_MODE=0
+
+#
+# Email a message to this address if a warning is found when the
+# system is being checked. Multiple addresses may be specified
+# simply be separating them with a space. Setting this option to
+# null disables the option.
+#
+# NOTE: This option should be present in the configuration file.
+#
+#MAIL-ON-WARNING=me@mydomain   root@mydomain
+MAIL-ON-WARNING=""
+
+#
+# Specify the mail command to use if MAIL-ON-WARNING is set.
+#
+# NOTE: Double quotes are not required around the command, but
+# are required around the subject line if it contains spaces.
+#
+MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+
+#
+# Specify the temporary directory to use.
+#
+# NOTE: Do not use /tmp as your temporary directory. Some
+# important files will be written to this directory, so be
+# sure that the directory permissions are tight.
+#
+TMPDIR=/var/lib/rkhunter/tmp
+
+#
+# Specify the database directory to use.
+#
+DBDIR=/var/lib/rkhunter/db
+
+#
+# Specify the script directory to use.
+#
+SCRIPTDIR=/usr/share/rkhunter/scripts
+
+#
+# This option can be used to modify the command directory list used
+# by rkhunter to locate commands (that is, its PATH). By default
+# this will be the root PATH, and an internal list of some common
+# command directories.
+#
+# Any directories specified here will, by default, be appended to the
+# default list. However, if a directory name begins with the '+'
+# character, then that directory will be prepended to the list (that
+# is, it will be put at the start of the list).
+#
+# This is a space-separated list of directory names. The option may
+# be specified more than once.
+#
+#BINDIR="/bin /usr/bin /sbin /usr/sbin"
+#BINDIR="+/usr/local/bin +/usr/local/sbin"
+
+#
+# Specify the default language to use. This should be similar
+# to the ISO 639 language code.
+#
+# NOTE: Please ensure that the language you specify is supported.
+# For a list of supported languages use the following command:
+#
+#       rkhunter --lang en --list languages
+#
+#LANGUAGE=en
+
+#
+# This option is a space-separated list of the languages that are to
+# be updated when the '--update' option is used. If unset, then all
+# the languages will be updated. If none of the languages are to be
+# updated, then set this option to just 'en'.
+#
+# The default is for all the languages to be updated. The default
+# language, specified above, and the English (en) language file will
+# always be updated regardless of this option.
+#
+UPDATE_LANG=""
+
+#
+# Specify the log file pathname.
+#
+# NOTE: This option should be present in the configuration file.
+#
+LOGFILE=/var/log/rkhunter.log
+
+#
+# Set the following option to 1 if the log file is to be appended to
+# whenever rkhunter is run.
+#
+APPEND_LOG=0
+
+#
+# Set the following option to 1 if the log file is to be copied when
+# rkhunter finishes and an error or warning has occurred. The copied
+# log file name will be appended with the current date and time
+# (in YYYY-MM-DD_HH:MM:SS format).
+# For example: rkhunter.log.2009-04-21_00:57:51
+#
+COPY_LOG_ON_ERROR=0
+
+#
+# Set the following option to enable the rkhunter check start and finish
+# times to be logged by syslog. Warning messages will also be logged.
+# The value of the option must be a standard syslog facility and
+# priority, separated by a dot.  For example:
+#
+#     USE_SYSLOG=authpriv.warning
+#
+# Setting the value to 'none', or just leaving the option commented out,
+# disables the use of syslog.
+#
+#USE_SYSLOG=authpriv.notice
+
+#
+# Set the following option to 1 if the second colour set is to be used.
+# This can be useful if your screen uses black characters on a white
+# background (for example, a PC instead of a server).
+#
+COLOR_SET2=0
+
+#
+# Set the following option to 0 if rkhunter should not detect if X is
+# being used. If X is detected as being used, then the second colour
+# set will automatically be used.
+#
+AUTO_X_DETECT=1
+
+#
+# Set the following option to 1 if it is wanted that any 'Whitelisted'
+# results are shown in white rather than green. For colour set 2 users,
+# setting this option will cause the result to be shown in black.
+#
+WHITELISTED_IS_WHITE=0
+
+#
+# The following option is checked against the SSH configuration file
+# 'PermitRootLogin' option. A warning will be displayed if they do not
+# match. However, if a value has not been set in the SSH configuration
+# file, then a value here of 'unset' can be used to avoid warning messages.
+# This option has a default value of 'no'.
+#
+ALLOW_SSH_ROOT_USER=without-password
+
+#
+# Set this option to '1' to allow the use of the SSH-1 protocol, but note
+# that theoretically it is weaker, and therefore less secure, than the
+# SSH-2 protocol. Do not modify this option unless you have good reasons
+# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
+# authentication). If the 'Protocol' option has not been set in the SSH
+# configuration file, then a value of '2' may be set here in order to
+# suppress a warning message. This option has a default value of '0'.
+#
+ALLOW_SSH_PROT_V1=0
+
+#
+# This setting tells rkhunter the directory containing the SSH configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+#SSH_CONFIG_DIR=/etc/ssh
+
+#
+# These two options determine which tests are to be performed.
+# The ENABLE_TESTS option can use the word 'all' to refer to all the
+# available tests. The DISABLE_TESTS option can use the word 'none' to
+# mean that no tests are disabled. The list of disabled tests is applied to
+# the list of enabled tests. Both options are space-separated lists of test
+# names. The currently available test names can be seen by using the command
+# 'rkhunter --list tests'.
+#
+# The program defaults are to enable all tests and disable none. However, if
+# either of the options below are specified, then they will override the
+# program defaults.
+#
+# The supplied configuration file has some tests already disabled, and these
+# are tests that will be used only occasionally, can be considered
+# "advanced" or that are prone to produce more than the average number of
+# false-positives.
+#
+# Please read the README file for more details about enabling and disabling
+# tests, the test names, and how rkhunter behaves when these options are used.
+#
+# hidden_procs test requires the unhide command which is part of the unhide
+# package in Debian.
+#
+# apps test is disabled by default as it triggers warnings about outdated 
+# applications (and warns about possible security risk: we better trust
+# the Debian Security Team).
+#
+ENABLE_TESTS="all"
+{% set disable_tests = [] %}
+{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'guest' -%}
+  {% if disable_tests.append('os_specific') %}{% endif %}
+{%- endif %}
+{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'host' -%}
+    {% if disable_tests.append('promisc') %}{% endif %}
+{%- endif %}
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps {{ disable_tests|join(' ') }}"
+
+#
+# The HASH_FUNC option can be used to specify the command to use
+# for the file hash value check. It can be specified as just the
+# command name or the full pathname. If just the command name is
+# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
+# SHA512, then rkhunter will first look for the relevant command,
+# such as 'sha256sum', and then for 'sha256'. If neither of these
+# are found, it will then look to see if a perl module has been
+# installed which will support the relevant hash function. To see
+# which perl modules have been installed use the command
+# 'rkhunter --list perl'.
+#
+# The default is SHA1, or MD5 if SHA1 cannot be found.
+#
+# Systems using prelinking are restricted to using either the
+# SHA1 or MD5 function.
+#
+# A value of 'NONE' (in uppercase) can be specified to indicate that
+# no hash function should be used. Rootkit Hunter will detect this and
+# automatically disable the file hash checks.
+#
+# Examples:
+#   For Solaris 9 : HASH_FUNC=gmd5sum
+#   For Solaris 10: HASH_FUNC=sha1sum
+#   For AIX (>5.2): HASH_FUNC="csum -hMD5"
+#   For NetBSD    : HASH_FUNC="cksum -a sha512"
+#
+# NOTE: If the hash function is changed then you MUST run rkhunter with
+# the '--propupd' option to rebuild the file properties database.
+#
+#HASH_FUNC=sha1sum
+
+#
+# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
+# command output contains the hash value. The fields are assumed to
+# be space-separated. The default value is 1, but for *BSD users
+# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
+# has not been set. The option value must be an integer greater
+# than zero.
+#
+#HASH_FLD_IDX=4
+
+#
+# The PKGMGR option tells rkhunter to use the specified package manager
+# to obtain the file property information. This is used when updating
+# the file properties file ('rkhunter.dat'), and when running the file
+# properties check. For RedHat/RPM-based systems, 'RPM' can be used to
+# get information from the RPM database. For Debian-based systems 'DPKG'
+# can be used, for *BSD systems 'BSD' can be used, and for Solaris
+# systems 'SOLARIS' can be used. No value, or a value of 'NONE',
+# indicates that no package manager is to be used. The default is 'NONE'.
+#
+# The current package managers, except 'SOLARIS', store the file hash
+# values using an MD5 hash function. The Solaris package manager includes
+# a checksum value, but this is not used by default (see USE_SUNSUM below).
+#
+# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
+# The 'RPM' package manager additionally provides values for the inode,
+# file permissions, uid, gid and other values. The 'SOLARIS' also provides
+# most of the values, similar to 'RPM', but not the inode number.
+#
+# For any file not part of a package, rkhunter will revert to using the
+# HASH_FUNC hash function instead.
+#
+# Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# NONE is the default for Debian as well, as running --propupd takes
+# about 4 times longer when it's set to DPKG
+#
+#PKGMGR=NONE
+
+#
+# It is possible that a file which is part of a package may be modified
+# by the administrator. Typically this occurs for configuration files.
+# However, the package manager may list the file as being modified. For
+# the RPM package manager this may well depend on how the package was
+# built. This option specifies those pathnames which are to be exempt
+# from the package manager verification process, and which will be treated
+# as non-packaged files. As such, the file properties are still checked.
+#
+# This option only takes effect if the PKGMGR option has been set, and
+# is not 'NONE'.
+#
+# This is a space-separated list of pathnames. The option may
+# be specified more than once.
+#
+# Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+#PKGMGR_NO_VRFY=""
+
+#
+# This option can be used to tell rkhunter to ignore any prelink
+# dependency errors for the given commands. However, a warning will also
+# be issued if the error does not occur for a given command. As such
+# this option must only be used on commands which experience a persistent
+# problem.
+#
+# Short-term prelink dependency errors can usually be resolved simply by
+# running the 'prelink' command on the given pathname.
+#
+# NOTE: The command 'rkhunter --propupd' must be run whenever this option
+# is changed.
+#
+# This is a space-separated list of command pathnames. The option can be
+# specified more than once.
+#
+#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"
+
+#
+# If the 'SOLARIS' package manager is used, then it is possible to use
+# the checksum (hash) value stored for a file. However, this is only a
+# 16-bit checksum, and as such is not nearly as secure as, for example,
+# a SHA-2 value. For that reason, the checksum is not used by default,
+# and the hash function given by HASH_FUNC is used instead. To enable
+# this option, set its value to 1. The Solaris 'sum' command must be
+# present on the system if this option is used.
+#
+#USE_SUNSUM=0
+
+#
+# This option is a space-separated list of commands, directories and file
+# pathnames which will be included in the file properties checks.
+# This option can be specified more than once.
+#
+# Whenever this option is changed, 'rkhunter --propupd' must be run.
+#
+# Simple command names - for example, 'top' - and directory names are
+# added to the internal list of directories to be searched for each of
+# the command names in the command list. Additionally, full pathnames
+# to files, which need not be commands, may be given. Any files or
+# directories which are already part of the internal lists will be
+# silently ignored from the configuration.
+#
+# Normal globbing wildcards are allowed, except for simple command names.
+# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
+#
+# Specific files may be excluded by preceding their name with an
+# exclamation mark (!). For example, '!/opt/top'. By combining this
+# with wildcarding, whole directories can be excluded. For example,
+# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
+# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
+# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
+#
+# NOTE: Only files and directories which have been added by the user,
+# and are not part of the internal lists, can be excluded. So, for
+# example, it is not possible to exclude the 'ps' command by using
+# '!/bin/ps'. These will be silently ignored from the configuration.
+#
+#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
+#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
+#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
+#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
+#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
+#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
+#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
+
+#
+# This option whitelists files and directories from existing,
+# or not existing, on the system at the time of testing. This
+# option is used when the configuration file options themselves
+# are checked, and during the file properties check, the hidden
+# files and directories checks, and the filesystem check of the
+# '/dev' directory.
+#
+# This is a space-separated list of pathnames. The option may be
+# specified more than once. The option may use wildcard characters,
+# but be aware that this is probably not what you want to do as the
+# wildcarding will be expanded after files have been deleted. As
+# such deleted files won't be whitelisted if wildcarded.
+#
+# NOTE: The user must take into consideration how often the file will
+# appear and disappear from the system in relation to how often
+# rkhunter is run. If the file appears, and disappears, too often
+# then rkhunter may not notice this. All it will see is that the file
+# has changed. The inode-number and DTM will certainly be different
+# for each new file, and rkhunter will report this.
+#
+#EXISTWHITELIST=""
+
+#
+# Whitelist various attributes of the specified files.
+# The attributes are those of the 'attributes' test.
+# Specifying a file name here does not include it being
+# whitelisted for the write permission test (see below).
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#ATTRWHITELIST="/bin/ps /usr/bin/date"
+
+#
+# Allow the specified commands to have the 'others'
+# (world) permission have the write-bit set.
+#
+# For example, files with permissions r-xr-xrwx
+# or rwxrwxrwx.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#WRITEWHITELIST="/bin/ps /usr/bin/date"
+
+#
+# Allow the specified commands to be scripts.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+SCRIPTWHITELIST=/bin/egrep
+SCRIPTWHITELIST=/bin/fgrep
+SCRIPTWHITELIST=/bin/which
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/lwp-request
+SCRIPTWHITELIST=/usr/sbin/adduser
+SCRIPTWHITELIST=/usr/sbin/prelink
+
+#
+# Allow the specified commands to have the immutable attribute set.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown"
+
+#
+# If this option is set to 1, then the immutable-bit test is
+# reversed. That is, the files are expected to have the bit set.
+#
+IMMUTABLE_SET=0
+
+#
+# Allow the specified hidden directories to be whitelisted.
+#
+# This is a space-separated list of directory pathnames.
+# The option may be specified more than once. The option
+# may use wildcard characters.
+#
+ALLOWHIDDENDIR="/etc/.java"
+ALLOWHIDDENDIR="/dev/.udev"
+#ALLOWHIDDENDIR="/dev/.static"
+ALLOWHIDDENDIR="/dev/.initramfs"
+#ALLOWHIDDENDIR="/dev/.SRC-unix"
+ALLOWHIDDENDIR="/dev/.mdadm"
+ALLOWHIDDENDIR="/etc/.git"
+
+#
+# Allow the specified hidden files to be whitelisted.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+# 
+#ALLOWHIDDENFILE="/etc/.java"
+#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
+#ALLOWHIDDENFILE="/etc/.pwd.lock"
+#ALLOWHIDDENFILE="/etc/.init.state"
+#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
+#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
+#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
+#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
+#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
+#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
+#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
+#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
+#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
+#ALLOWHIDDENFILE="/etc/.gitignore"
+#ALLOWHIDDENFILE="/etc/.bzrignore"
+ALLOWHIDDENFILE="/etc/.etckeeper"
+ALLOWHIDDENFILE="/etc/.gitignore"
+
+#
+# Allow the specified processes to use deleted files. The
+# process name may be followed by a colon-separated list of
+# full pathnames. The process will then only be whitelisted
+# if it is using one of the given files. For example:
+#
+#     ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
+#
+# This is a space-separated list of process names. The option
+# may be specified more than once. The option may use wildcard
+# characters, but only in the file names.
+#
+#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
+#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2"
+#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*"
+#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin"
+#ALLOWPROCDELFILE="/usr/bin/file-roller"
+
+#
+# Allow the specified processes to listen on any network interface.
+#
+# This is a space-separated list of process names. The option
+# may be specified more than once.
+#
+#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
+#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
+#ALLOWPROCLISTEN="/usr/sbin/snort-plain"
+
+#
+# Allow the specified network interfaces to be in promiscuous mode.
+#
+# This is a space-separated list of interface names. The option may
+# be specified more than once.
+#
+#ALLOWPROMISCIF="eth0"
+
+#
+# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
+# The two allowed options are: THOROUGH or LAZY.
+# If commented out we do a THOROUGH scan which will increase the runtime.
+# Even though this adds to the running time it is highly recommended to
+# leave it like this.
+#
+#SCAN_MODE_DEV=THOROUGH
+
+#
+# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
+# perform a basic check, or a more thorough check. If the option is set to 0,
+# then a basic check is performed. If it is set to 1, then all the directries
+# in the /etc and /usr directories are scanned. The default value is 0. Users
+# should note that setting this option to 1 will cause the test to take longer
+# to complete.
+#
+PHALANX2_DIRTEST=0
+
+#
+# Allow the specified files to be present in the /dev directory,
+# and not regarded as suspicious.
+#
+# This is a space-separated list of pathnames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+ALLOWDEVFILE=/dev/shm/network/ifstate
+#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
+#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
+
+#
+# This setting tells rkhunter where the inetd configuration
+# file is located.
+#
+#INETD_CONF_PATH=/etc/inetd.conf
+
+#
+# Allow the following enabled inetd services.
+#
+# This is a space-separated list of service names. The option may
+# be specified more than once.
+#
+# For non-Solaris users the simple service name should be used.
+# For example:
+#
+#     INETD_ALLOWED_SVC=echo
+#
+# For Solaris 9 users the simple service name should also be used, but
+# if it is an RPC service, then the executable pathname should be used.
+# For example:
+#
+#     INETD_ALLOWED_SVC=imaps
+#     INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
+#
+# For Solaris 10 users the service/FMRI name should be used. For example:
+#
+#     INETD_ALLOWED_SVC=/network/rpc/meta
+#     INETD_ALLOWED_SVC=/network/rpc/metamed
+#     INETD_ALLOWED_SVC=/application/font/stfsloader
+#     INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
+#
+#INETD_ALLOWED_SVC=echo
+
+#
+# This setting tells rkhunter where the xinetd configuration
+# file is located.
+#
+#XINETD_CONF_PATH=/etc/xinetd.conf
+
+#
+# Allow the following enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing
+# we only have the pathname available. As such, these entries are
+# the xinetd file pathnames.
+#
+# This is a space-separated list of service names. The option may
+# be specified more than once.
+#
+#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
+
+#
+# This option tells rkhunter the local system startup file pathnames.
+# The directories will be searched for files. By default rkhunter
+# will use certain filenames and directories. If the option is set
+# to 'none', then certain tests will be skipped.
+#
+# This is a space-separated list of file and directory pathnames.
+# The option may be specified more than once. The option may use
+# wildcard characters.
+#
+#STARTUP_PATHS="/etc/init.d /etc/rc.local"
+
+#
+# This setting tells rkhunter the pathname to the file containing the
+# user account passwords. This setting will be worked out by rkhunter,
+# and so should not usually need to be set. Users of TCB shadow files
+# should not set this option.
+#
+#PASSWORD_FILE=/etc/shadow
+
+#
+# Allow the following accounts to be root equivalent. These accounts
+# will have a UID value of zero. The 'root' account does not need to
+# be listed as it is automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may
+# be specified more than once.
+#
+# NOTE: For *BSD systems you will probably need to use this option
+# for the 'toor' account.
+#
+#UID0_ACCOUNTS="toor rooty sashroot"
+
+#
+# Allow the following accounts to have no password. NIS/YP entries do
+# not need to be listed as they are automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may
+# be specified more than once.
+#
+#PWDLESS_ACCOUNTS="abc"
+
+#
+# This setting tells rkhunter the pathname to the syslog configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set. A value of 'NONE' can be used to indicate
+# that there is no configuration file, but that the syslog daemon process
+# may be running.
+#
+# This is a space-separated list of pathnames. The option may
+# be specified more than once.
+#
+#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+
+#
+# This option permits the use of syslog remote logging.
+#
+ALLOW_SYSLOG_REMOTE_LOGGING=0
+
+#
+# Allow the following applications, or a specific version of an application,
+# to be whitelisted. This option may be specified more than once, and is a
+# space-separated list consisting of the application names. If a specific
+# version is to be whitelisted, then the name must be followed by a colon
+# and then the version number. For example:
+#
+#     APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
+#
+# Note above that for the Apache web server, the name 'httpd' is used.
+#
+#APP_WHITELIST=""
+
+# 
+# Scan for suspicious files in directories containing temporary files and
+# directories posing a relatively higher risk due to user write access.
+# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
+# producing false positives. Do review all settings before usage.
+# Also be aware that running suspscan in combination with verbose logging on,
+# RKH's default, will show all ignored files.
+# Please consider adding all directories the user the (web)server runs as has 
+# write access to including the document root (example: "/var/www") and log
+# directories (example: "/var/log/httpd"). 
+#
+# This is a space-separated list of directory pathnames.
+# The option may be specified more than once.
+#
+SUSPSCAN_DIRS="/tmp /var/tmp"
+
+#
+# Directory for temporary files. A memory-based one is better (faster).
+# Do not use a directory name that is listed in SUSPSCAN_DIRS.
+# Please make sure you have a tempfs mounted and the directory exists.
+#
+SUSPSCAN_TEMP=/dev/shm
+
+#
+# Maximum filesize in bytes. Files larger than this will not be inspected.
+# Do make sure you have enough space left in your temporary files directory.
+#
+SUSPSCAN_MAXSIZE=10240000
+
+#
+# Score threshold. Below this value no hits will be reported.
+# A value of "200" seems "good" after testing on malware. Please adjust
+# locally if necessary. 
+#
+SUSPSCAN_THRESH=200
+
+#
+# The following option can be used to whitelist network ports which
+# are known to have been used by malware. This option may be specified
+# more than once. The option is a space-separated list of one or more
+# of four types of whitelisting. These are:
+#
+#   1) a 'protocol:port' pair       (e.g. TCP:25)
+#   2) a pathname to an executable  (e.g. /usr/sbin/squid)
+#   3) a combined pathname, protocol and port
+#                                   (e.g. /usr/sbin/squid:TCP:3801)
+#   4) an asterisk ('*')
+#
+# Only the UDP or TCP protocol may be specified, and the port number
+# must be between 1 and 65535 inclusive.
+#
+# The asterisk can be used to indicate that any executable which rkhunter
+# can locate as a command, is whitelisted. (See BINDIR in this file.)
+#
+# For example:
+#
+#     PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
+#
+# NOTE: In order to whitelist a pathname, or use the asterisk option,
+# the 'lsof' command must be present.
+#
+#PORT_WHITELIST=""
+
+#
+# The following option can be used to tell rkhunter where the operating
+# system 'release' file is located. This file contains information
+# specifying the current O/S version. RKH will store this information
+# itself, and check to see if it has changed between each run. If it has
+# changed, then the user is warned that RKH may issue warning messages
+# until RKH has been run with the '--propupd' option.
+#
+# Since the contents of the file vary according to the O/S distribution,
+# RKH will perform different actions when it detects the file itself. As
+# such, this option should not be set unless necessary. If this option is
+# specified, then RKH will assume the O/S release information is on the
+# first non-blank line of the file.
+#
+#OS_VERSION_FILE="/etc/debian_version"
+
+#
+# The following two options can be used to whitelist files and directories
+# that would normally be flagged with a warning during the various rootkit
+# and malware checks. If the file or directory name contains a space, then
+# the percent character ('%') must be used instead. Only existing files and
+# directories can be specified, and these must be full pathnames not links.
+#
+# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
+# file name (separated by a colon). This will then only whitelist that string
+# in that file (as part of the malware checks). For example:
+#
+#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
+#
+# If the option list includes the filename on its own as well, then the file
+# will be whitelisted from rootkit checks of the files existence, but still
+# only the specific string within the file will be whitelisted. For example:
+#
+#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
+#
+# To whitelist a file from the existence checks, but not from the strings
+# checks, then include the filename on its own and on its own but with
+# just a colon appended. For example:
+#
+#     RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# These are space-separated lists of file and directory pathnames.
+# The options may be specified more than once.
+#
+#RTKT_DIR_WHITELIST=""
+#RTKT_FILE_WHITELIST=""
+
+#
+# The following option can be used to whitelist shared library files that would
+# normally be flagged with a warning during the preloaded shared library check.
+# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
+# the LD_PRELOAD environment variable.
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# This is a space-separated list of library pathnames.
+# The option may be specified more than once.
+#
+#SHARED_LIB_WHITELIST="/lib/snoopy.so"
+
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command, then the following two options can be used. The value must be
+# set to 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
+#
+# In the file properties test any modification date/time is displayed as the
+# number of epoch seconds. Rkhunter will try and use the 'date' command, or
+# failing that the 'perl' command, to display the date and time in a
+# human-readable format as well. This option may be used if some other command
+# should be used instead. The given command must understand the '%s' and
+# 'seconds ago' options found in the GNU date command.
+#
+# A value of 'NONE' may be used to request that only the epoch seconds be shown.
+# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
+# it is present.
+#
+#EPOCH_DATE_CMD=""
+
+#
+# This setting tells rkhunter the directory containing the available
+# Linux kernel modules. This setting will be worked out by rkhunter,
+# and so should not usually need to be set.
+#
+#MODULES_DIR=""
+
+#
+# The following option can be set to a command which rkhunter will use when
+# downloading files from the Internet - that is, when the '--update' or
+# '--versioncheck' option is used. The command can take options.
+#
+# This allows the user to use a command other than the one automatically
+# selected by rkhunter, but still one which it already knows about.
+# For example:
+#
+#     WEB_CMD=curl
+#
+# Alternatively, the user may specify a completely new command. However, note
+# that rkhunter expects the downloaded file to be written to stdout, and that
+# everything written to stderr is ignored. For example:
+#
+#     WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
+#
+# *BSD users may want to use the 'ftp' command, provided that it supports
+# the HTTP protocol:
+#
+#     WEB_CMD="ftp -o -"
+#
+#WEB_CMD=""
+
+#
+# Set the following option to 0 if you do not want to receive a warning if
+# any O/S information has changed since the last run of 'rkhunter --propupd'.
+# The warnings occur during the file properties check. The default is to
+# issue a warning if something has changed.
+#
+#WARN_ON_OS_CHANGE=1
+
+#
+# Set the following option to 1 if you want rkhunter to automatically run
+# a file properties update ('--propupd') if the O/S has changed. Detection
+# of an O/S change occurs during the file properties check. The default is
+# not to do an automatic update.
+#
+# WARNING: Only set this option if you are sure that the update will work
+# correctly. That is, that the database directory is writeable, that a valid
+# hash function is available, and so on. This can usually be checked simply
+# by running 'rkhunter --propupd' at least once.
+#
+#UPDT_ON_OS_CHANGE=0
+
+#
+# Set the following option to 1 if locking is to be used when rkhunter runs.
+# The lock is set just before logging starts, and is removed when the program
+# ends. It is used to prevent items such as the log file, and the file
+# properties file, from becoming corrupted if rkhunter is running more than
+# once. The mechanism used is to simply create a lock file in the TMPDIR
+# directory. If the lock file already exists, because rkhunter is already
+# running, then the current process simply loops around sleeping for 10 seconds
+# and then retrying the lock.
+#
+# The default is not to use locking.
+#
+USE_LOCKING=0
+
+#
+# If locking is used, then rkhunter may have to wait to get the lock file.
+# This option sets the total amount of time, in seconds, that rkhunter should
+# wait. It will retry the lock every 10 seconds, until either it obtains the
+# lock or the timeout value has been reached. If no value is set, then a
+# default of 300 seconds (5 minutes) is used.
+#
+LOCK_TIMEOUT=300
+
+#
+# If locking is used, then rkhunter may be doing nothing for some time if it
+# has to wait for the lock. Some simple messages are echo'd to the users screen
+# to let them know that rkhunter is waiting for the lock. Set this option to 0
+# if the messages are not to be displayed. The default is to show them.
+#
+SHOW_LOCK_MSGS=1
+
+#
+# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
+# will search (on a per rootkit basis) for filenames in all of the directories (as defined
+# by the result of running 'find / -xdev'). While still not optimal, as it 
+# still searches for only file names as opposed to file contents, this is one step away
+# from the rigidity of searching in known (evidence) or default (installation) locations.
+#
+# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
+#
+# You should only activate this feature as part of a more thorough investigation which
+# should be based on relevant best practices and procedures. 
+#
+# Enabling this feature implies you have the knowledge to interpret the results properly. 
+#
+#SCANROOTKITMODE=THOROUGH
+
+#
+# The following option can be set to the name(s) of the tests the 'unhide' command is
+# to use. In order to maintain compatibility with older versions of 'unhide', this
+# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
+# will only take effect when they are seen. The test names are a space-separated list,
+# and will be executed in the order given.
+#
+#UNHIDE_TESTS="sys"
+
+#
+# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
+# is possible to disable the execution of one of the programs if desired. By default
+# rkhunter will look for both programs, and execute each of them as they are found.
+# If the value of this option is 0, then both programs will be executed if they are
+# present. A value of 1 will disable execution of the C 'unhide' program, and a value
+# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
+# both programs, then disable the 'hidden_procs' test.
+#
+DISABLE_UNHIDE=1
+
+INSTALLDIR="/usr"
+

+ 16 - 0
roles/common/templates/smartd/default.j2

@@ -0,0 +1,16 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Defaults for smartmontools initscript (/etc/init.d/smartmontools)
+# This is a POSIX shell fragment
+
+# List of devices you want to explicitly enable S.M.A.R.T. for
+# Not needed (and not recommended) if the device is monitored by smartd
+#enable_smart="/dev/hda /dev/hdb"
+
+# uncomment to start smartd on system startup
+start_smartd=yes
+
+# uncomment to pass additional options to smartd on startup
+#smartd_opts="--interval=1800"

+ 155 - 0
roles/common/templates/smartd/smartd.asuka.conf.j2

@@ -0,0 +1,155 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# /etc/smartd.conf
+# Configuration file for smartd. Use "man smartd.conf" for more information.
+
+# Home page is: http://smartmontools.sourceforge.net
+
+# smartd will re-read the configuration file if it receives a HUP
+# signal
+
+# The file gives a list of devices to monitor using smartd, with one
+# device per line. Text after a hash (#) is ignored, and you may use
+# spaces and tabs for white space. You may use '\' to continue lines.
+
+# You can usually identify which hard disks are on your system by
+# looking in /proc/ide and in /proc/scsi.
+
+# The word DEVICESCAN will cause any remaining lines in this
+# configuration file to be ignored: it tells smartd to scan for all
+# ATA and SCSI devices.  DEVICESCAN may be followed by any of the
+# Directives listed below, which will be applied to all devices that
+# are found.  Most users should comment out DEVICESCAN and explicitly
+# list the devices that they wish to monitor.
+#DEVICESCAN -d removable -n standby -m root -M exec /usr/share/smartmontools/smartd-runner
+/dev/sg0 -H -l error -l selftest -t -f -m root -M exec /usr/share/smartmontools/smartd-runner -s (S/../.././02|L/../../6/03)
+/dev/sg2 -H -l error -l selftest -t -f -m root -M exec /usr/share/smartmontools/smartd-runner -s (S/../.././02|L/../../6/03)
+
+# Alternative setting to ignore temperature and power-on hours reports
+# in syslog.
+#DEVICESCAN -I 194 -I 231 -I 9
+
+# Alternative setting to report more useful raw temperature in syslog.
+#DEVICESCAN -R 194 -R 231 -I 9
+
+# Alternative setting to report raw temperature changes >= 5 Celsius
+# and min/max temperatures.
+#DEVICESCAN -I 194 -I 231 -I 9 -W 5
+
+# First (primary) ATA/IDE hard disk.  Monitor all attributes, enable
+# automatic online data collection, automatic Attribute autosave, and
+# start a short self-test every day between 2-3am, and a long self test
+# Saturdays between 3-4am.
+#/dev/hda -a -o on -S on -s (S/../.././02|L/../../6/03)
+
+# Monitor SMART status, ATA Error Log, Self-test log, and track
+# changes in all attributes except for attribute 194
+#/dev/hdb -H -l error -l selftest -t -I 194 
+
+# Monitor all attributes except normalized Temperature (usually 194),
+# but track Temperature changes >= 4 Celsius, report Temperatures
+# >= 45 Celsius and changes in Raw value of Reallocated_Sector_Ct (5).
+# Send mail on SMART failures or when Temperature is >= 55 Celsius.
+#/dev/hdc -a -I 194 -W 4,45,55 -R 5 -m admin@example.com
+
+# An ATA disk may appear as a SCSI device to the OS. If a SCSI to
+# ATA Translation (SAT) layer is between the OS and the device then
+# this can be flagged with the '-d sat' option. This situation may
+# become common with SATA disks in SAS and FC environments.
+# /dev/sda -a -d sat
+
+# A very silent check.  Only report SMART health status if it fails
+# But send an email in this case
+#/dev/hdc -H -C 0 -U 0 -m admin@example.com
+
+# First two SCSI disks.  This will monitor everything that smartd can
+# monitor.  Start extended self-tests Wednesdays between 6-7pm and
+# Sundays between 1-2 am
+#/dev/sda -d scsi -s L/../../3/18
+#/dev/sdb -d scsi -s L/../../7/01
+
+# Monitor 4 ATA disks connected to a 3ware 6/7/8000 controller which uses
+# the 3w-xxxx driver. Start long self-tests Sundays between 1-2, 2-3, 3-4, 
+# and 4-5 am.
+# NOTE: starting with the Linux 2.6 kernel series, the /dev/sdX interface
+# is DEPRECATED.  Use the /dev/tweN character device interface instead.
+# For example /dev/twe0, /dev/twe1, and so on.
+#/dev/sdc -d 3ware,0 -a -s L/../../7/01
+#/dev/sdc -d 3ware,1 -a -s L/../../7/02
+#/dev/sdc -d 3ware,2 -a -s L/../../7/03
+#/dev/sdc -d 3ware,3 -a -s L/../../7/04
+
+# Monitor 2 ATA disks connected to a 3ware 9000 controller which
+# uses the 3w-9xxx driver (Linux, FreeBSD). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+#/dev/twa0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twa0 -d 3ware,1 -a -s L/../../2/03
+
+# Monitor 2 SATA (not SAS) disks connected to a 3ware 9000 controller which
+# uses the 3w-sas driver (Linux, FreeBSD). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+#/dev/twl0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twa0 -d 3ware,1 -a -s L/../../2/03
+
+# Same as above for Windows. Option '-d 3ware,N' is not necessary,
+# disk (port) number is specified in device name.
+# NOTE: On Windows, DEVICESCAN works also for 3ware controllers.
+#/dev/hdc,0 -a -s L/../../2/01
+#/dev/hdc,1 -a -s L/../../2/03
+#
+# Monitor 2 disks connected to the first HP SmartArray controller which
+# uses the cciss driver. Start long tests on Sunday nights and short
+# self-tests every night and send errors to root
+#/dev/cciss/c0d0 -d cciss,0 -a -s (L/../../7/02|S/../.././02) -m root
+#/dev/cciss/c0d0 -d cciss,1 -a -s (L/../../7/03|S/../.././03) -m root
+
+# Monitor 3 ATA disks directly connected to a HighPoint RocketRAID. Start long
+# self-tests Sundays between 1-2, 2-3, and 3-4 am. 
+#/dev/sdd -d hpt,1/1 -a -s L/../../7/01
+#/dev/sdd -d hpt,1/2 -a -s L/../../7/02
+#/dev/sdd -d hpt,1/3 -a -s L/../../7/03
+
+# Monitor 2 ATA disks connected to the same PMPort which connected to the
+# HighPoint RocketRAID. Start long self-tests Tuesdays between 1-2 and 3-4 am
+#/dev/sdd -d hpt,1/4/1 -a -s L/../../2/01
+#/dev/sdd -d hpt,1/4/2 -a -s L/../../2/03
+
+# HERE IS A LIST OF DIRECTIVES FOR THIS CONFIGURATION FILE.
+# PLEASE SEE THE smartd.conf MAN PAGE FOR DETAILS
+#
+#   -d TYPE Set the device type: ata, scsi, marvell, removable, 3ware,N, hpt,L/M/N
+#   -T TYPE set the tolerance to one of: normal, permissive
+#   -o VAL  Enable/disable automatic offline tests (on/off)
+#   -S VAL  Enable/disable attribute autosave (on/off)
+#   -n MODE No check. MODE is one of: never, sleep, standby, idle
+#   -H      Monitor SMART Health Status, report if failed
+#   -l TYPE Monitor SMART log.  Type is one of: error, selftest
+#   -f      Monitor for failure of any 'Usage' Attributes
+#   -m ADD  Send warning email to ADD for -H, -l error, -l selftest, and -f
+#   -M TYPE Modify email warning behavior (see man page)
+#   -s REGE Start self-test when type/date matches regular expression (see man page)
+#   -p      Report changes in 'Prefailure' Normalized Attributes
+#   -u      Report changes in 'Usage' Normalized Attributes
+#   -t      Equivalent to -p and -u Directives
+#   -r ID   Also report Raw values of Attribute ID with -p, -u or -t
+#   -R ID   Track changes in Attribute ID Raw value with -p, -u or -t
+#   -i ID   Ignore Attribute ID for -f Directive
+#   -I ID   Ignore Attribute ID for -p, -u or -t Directive
+#   -C ID   Report if Current Pending Sector count non-zero
+#   -U ID   Report if Offline Uncorrectable count non-zero
+#   -W D,I,C Monitor Temperature D)ifference, I)nformal limit, C)ritical limit
+#   -v N,ST Modifies labeling of Attribute N (see man page)
+#   -a      Default: equivalent to -H -f -t -l error -l selftest -C 197 -U 198
+#   -F TYPE Use firmware bug workaround. Type is one of: none, samsung
+#   -P TYPE Drive-specific presets: use, ignore, show, showall
+#    #      Comment: text after a hash sign is ignored
+#    \      Line continuation character
+# Attribute ID is a decimal integer 1 <= ID <= 255
+# except for -C and -U, where ID = 0 turns them off.
+# All but -d, -m and -M Directives are only implemented for ATA devices
+#
+# If the test string DEVICESCAN is the first uncommented text
+# then smartd will scan for devices /dev/hd[a-l] and /dev/sd[a-z]
+# DEVICESCAN may be followed by any desired Directives.

+ 154 - 0
roles/common/templates/smartd/smartd.conf.j2

@@ -0,0 +1,154 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# /etc/smartd.conf
+# Configuration file for smartd. Use "man smartd.conf" for more information.
+
+# Home page is: http://smartmontools.sourceforge.net
+
+# smartd will re-read the configuration file if it receives a HUP
+# signal
+
+# The file gives a list of devices to monitor using smartd, with one
+# device per line. Text after a hash (#) is ignored, and you may use
+# spaces and tabs for white space. You may use '\' to continue lines.
+
+# You can usually identify which hard disks are on your system by
+# looking in /proc/ide and in /proc/scsi.
+
+# The word DEVICESCAN will cause any remaining lines in this
+# configuration file to be ignored: it tells smartd to scan for all
+# ATA and SCSI devices.  DEVICESCAN may be followed by any of the
+# Directives listed below, which will be applied to all devices that
+# are found.  Most users should comment out DEVICESCAN and explicitly
+# list the devices that they wish to monitor.
+#DEVICESCAN -d removable -n standby -m root -M exec /usr/share/smartmontools/smartd-runner
+DEVICESCAN -H -l error -l selftest -t -f -m root -M exec /usr/share/smartmontools/smartd-runner -s (S/../.././02|L/../../6/03)
+
+# Alternative setting to ignore temperature and power-on hours reports
+# in syslog.
+#DEVICESCAN -I 194 -I 231 -I 9
+
+# Alternative setting to report more useful raw temperature in syslog.
+#DEVICESCAN -R 194 -R 231 -I 9
+
+# Alternative setting to report raw temperature changes >= 5 Celsius
+# and min/max temperatures.
+#DEVICESCAN -I 194 -I 231 -I 9 -W 5
+
+# First (primary) ATA/IDE hard disk.  Monitor all attributes, enable
+# automatic online data collection, automatic Attribute autosave, and
+# start a short self-test every day between 2-3am, and a long self test
+# Saturdays between 3-4am.
+#/dev/hda -a -o on -S on -s (S/../.././02|L/../../6/03)
+
+# Monitor SMART status, ATA Error Log, Self-test log, and track
+# changes in all attributes except for attribute 194
+#/dev/hdb -H -l error -l selftest -t -I 194 
+
+# Monitor all attributes except normalized Temperature (usually 194),
+# but track Temperature changes >= 4 Celsius, report Temperatures
+# >= 45 Celsius and changes in Raw value of Reallocated_Sector_Ct (5).
+# Send mail on SMART failures or when Temperature is >= 55 Celsius.
+#/dev/hdc -a -I 194 -W 4,45,55 -R 5 -m admin@example.com
+
+# An ATA disk may appear as a SCSI device to the OS. If a SCSI to
+# ATA Translation (SAT) layer is between the OS and the device then
+# this can be flagged with the '-d sat' option. This situation may
+# become common with SATA disks in SAS and FC environments.
+# /dev/sda -a -d sat
+
+# A very silent check.  Only report SMART health status if it fails
+# But send an email in this case
+#/dev/hdc -H -C 0 -U 0 -m admin@example.com
+
+# First two SCSI disks.  This will monitor everything that smartd can
+# monitor.  Start extended self-tests Wednesdays between 6-7pm and
+# Sundays between 1-2 am
+#/dev/sda -d scsi -s L/../../3/18
+#/dev/sdb -d scsi -s L/../../7/01
+
+# Monitor 4 ATA disks connected to a 3ware 6/7/8000 controller which uses
+# the 3w-xxxx driver. Start long self-tests Sundays between 1-2, 2-3, 3-4, 
+# and 4-5 am.
+# NOTE: starting with the Linux 2.6 kernel series, the /dev/sdX interface
+# is DEPRECATED.  Use the /dev/tweN character device interface instead.
+# For example /dev/twe0, /dev/twe1, and so on.
+#/dev/sdc -d 3ware,0 -a -s L/../../7/01
+#/dev/sdc -d 3ware,1 -a -s L/../../7/02
+#/dev/sdc -d 3ware,2 -a -s L/../../7/03
+#/dev/sdc -d 3ware,3 -a -s L/../../7/04
+
+# Monitor 2 ATA disks connected to a 3ware 9000 controller which
+# uses the 3w-9xxx driver (Linux, FreeBSD). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+#/dev/twa0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twa0 -d 3ware,1 -a -s L/../../2/03
+
+# Monitor 2 SATA (not SAS) disks connected to a 3ware 9000 controller which
+# uses the 3w-sas driver (Linux, FreeBSD). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+#/dev/twl0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twa0 -d 3ware,1 -a -s L/../../2/03
+
+# Same as above for Windows. Option '-d 3ware,N' is not necessary,
+# disk (port) number is specified in device name.
+# NOTE: On Windows, DEVICESCAN works also for 3ware controllers.
+#/dev/hdc,0 -a -s L/../../2/01
+#/dev/hdc,1 -a -s L/../../2/03
+#
+# Monitor 2 disks connected to the first HP SmartArray controller which
+# uses the cciss driver. Start long tests on Sunday nights and short
+# self-tests every night and send errors to root
+#/dev/cciss/c0d0 -d cciss,0 -a -s (L/../../7/02|S/../.././02) -m root
+#/dev/cciss/c0d0 -d cciss,1 -a -s (L/../../7/03|S/../.././03) -m root
+
+# Monitor 3 ATA disks directly connected to a HighPoint RocketRAID. Start long
+# self-tests Sundays between 1-2, 2-3, and 3-4 am. 
+#/dev/sdd -d hpt,1/1 -a -s L/../../7/01
+#/dev/sdd -d hpt,1/2 -a -s L/../../7/02
+#/dev/sdd -d hpt,1/3 -a -s L/../../7/03
+
+# Monitor 2 ATA disks connected to the same PMPort which connected to the
+# HighPoint RocketRAID. Start long self-tests Tuesdays between 1-2 and 3-4 am
+#/dev/sdd -d hpt,1/4/1 -a -s L/../../2/01
+#/dev/sdd -d hpt,1/4/2 -a -s L/../../2/03
+
+# HERE IS A LIST OF DIRECTIVES FOR THIS CONFIGURATION FILE.
+# PLEASE SEE THE smartd.conf MAN PAGE FOR DETAILS
+#
+#   -d TYPE Set the device type: ata, scsi, marvell, removable, 3ware,N, hpt,L/M/N
+#   -T TYPE set the tolerance to one of: normal, permissive
+#   -o VAL  Enable/disable automatic offline tests (on/off)
+#   -S VAL  Enable/disable attribute autosave (on/off)
+#   -n MODE No check. MODE is one of: never, sleep, standby, idle
+#   -H      Monitor SMART Health Status, report if failed
+#   -l TYPE Monitor SMART log.  Type is one of: error, selftest
+#   -f      Monitor for failure of any 'Usage' Attributes
+#   -m ADD  Send warning email to ADD for -H, -l error, -l selftest, and -f
+#   -M TYPE Modify email warning behavior (see man page)
+#   -s REGE Start self-test when type/date matches regular expression (see man page)
+#   -p      Report changes in 'Prefailure' Normalized Attributes
+#   -u      Report changes in 'Usage' Normalized Attributes
+#   -t      Equivalent to -p and -u Directives
+#   -r ID   Also report Raw values of Attribute ID with -p, -u or -t
+#   -R ID   Track changes in Attribute ID Raw value with -p, -u or -t
+#   -i ID   Ignore Attribute ID for -f Directive
+#   -I ID   Ignore Attribute ID for -p, -u or -t Directive
+#   -C ID   Report if Current Pending Sector count non-zero
+#   -U ID   Report if Offline Uncorrectable count non-zero
+#   -W D,I,C Monitor Temperature D)ifference, I)nformal limit, C)ritical limit
+#   -v N,ST Modifies labeling of Attribute N (see man page)
+#   -a      Default: equivalent to -H -f -t -l error -l selftest -C 197 -U 198
+#   -F TYPE Use firmware bug workaround. Type is one of: none, samsung
+#   -P TYPE Drive-specific presets: use, ignore, show, showall
+#    #      Comment: text after a hash sign is ignored
+#    \      Line continuation character
+# Attribute ID is a decimal integer 1 <= ID <= 255
+# except for -C and -U, where ID = 0 turns them off.
+# All but -d, -m and -M Directives are only implemented for ATA devices
+#
+# If the test string DEVICESCAN is the first uncommented text
+# then smartd will scan for devices /dev/hd[a-l] and /dev/sd[a-z]
+# DEVICESCAN may be followed by any desired Directives.

+ 155 - 0
roles/common/templates/smartd/smartd.rmll0.conf.j2

@@ -0,0 +1,155 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# /etc/smartd.conf
+# Configuration file for smartd. Use "man smartd.conf" for more information.
+
+# Home page is: http://smartmontools.sourceforge.net
+
+# smartd will re-read the configuration file if it receives a HUP
+# signal
+
+# The file gives a list of devices to monitor using smartd, with one
+# device per line. Text after a hash (#) is ignored, and you may use
+# spaces and tabs for white space. You may use '\' to continue lines.
+
+# You can usually identify which hard disks are on your system by
+# looking in /proc/ide and in /proc/scsi.
+
+# The word DEVICESCAN will cause any remaining lines in this
+# configuration file to be ignored: it tells smartd to scan for all
+# ATA and SCSI devices.  DEVICESCAN may be followed by any of the
+# Directives listed below, which will be applied to all devices that
+# are found.  Most users should comment out DEVICESCAN and explicitly
+# list the devices that they wish to monitor.
+#DEVICESCAN -d removable -n standby -m root -M exec /usr/share/smartmontools/smartd-runner
+/dev/twe0 -d 3ware,0 -H -l error -l selftest -t -f -m root -M exec /usr/share/smartmontools/smartd-runner -s (S/../.././02|L/../../6/03)
+/dev/twe0 -d 3ware,1 -H -l error -l selftest -t -f -m root -M exec /usr/share/smartmontools/smartd-runner -s (S/../.././02|L/../../6/03)
+
+# Alternative setting to ignore temperature and power-on hours reports
+# in syslog.
+#DEVICESCAN -I 194 -I 231 -I 9
+
+# Alternative setting to report more useful raw temperature in syslog.
+#DEVICESCAN -R 194 -R 231 -I 9
+
+# Alternative setting to report raw temperature changes >= 5 Celsius
+# and min/max temperatures.
+#DEVICESCAN -I 194 -I 231 -I 9 -W 5
+
+# First (primary) ATA/IDE hard disk.  Monitor all attributes, enable
+# automatic online data collection, automatic Attribute autosave, and
+# start a short self-test every day between 2-3am, and a long self test
+# Saturdays between 3-4am.
+#/dev/hda -a -o on -S on -s (S/../.././02|L/../../6/03)
+
+# Monitor SMART status, ATA Error Log, Self-test log, and track
+# changes in all attributes except for attribute 194
+#/dev/hdb -H -l error -l selftest -t -I 194 
+
+# Monitor all attributes except normalized Temperature (usually 194),
+# but track Temperature changes >= 4 Celsius, report Temperatures
+# >= 45 Celsius and changes in Raw value of Reallocated_Sector_Ct (5).
+# Send mail on SMART failures or when Temperature is >= 55 Celsius.
+#/dev/hdc -a -I 194 -W 4,45,55 -R 5 -m admin@example.com
+
+# An ATA disk may appear as a SCSI device to the OS. If a SCSI to
+# ATA Translation (SAT) layer is between the OS and the device then
+# this can be flagged with the '-d sat' option. This situation may
+# become common with SATA disks in SAS and FC environments.
+# /dev/sda -a -d sat
+
+# A very silent check.  Only report SMART health status if it fails
+# But send an email in this case
+#/dev/hdc -H -C 0 -U 0 -m admin@example.com
+
+# First two SCSI disks.  This will monitor everything that smartd can
+# monitor.  Start extended self-tests Wednesdays between 6-7pm and
+# Sundays between 1-2 am
+#/dev/sda -d scsi -s L/../../3/18
+#/dev/sdb -d scsi -s L/../../7/01
+
+# Monitor 4 ATA disks connected to a 3ware 6/7/8000 controller which uses
+# the 3w-xxxx driver. Start long self-tests Sundays between 1-2, 2-3, 3-4, 
+# and 4-5 am.
+# NOTE: starting with the Linux 2.6 kernel series, the /dev/sdX interface
+# is DEPRECATED.  Use the /dev/tweN character device interface instead.
+# For example /dev/twe0, /dev/twe1, and so on.
+#/dev/sdc -d 3ware,0 -a -s L/../../7/01
+#/dev/sdc -d 3ware,1 -a -s L/../../7/02
+#/dev/sdc -d 3ware,2 -a -s L/../../7/03
+#/dev/sdc -d 3ware,3 -a -s L/../../7/04
+
+# Monitor 2 ATA disks connected to a 3ware 9000 controller which
+# uses the 3w-9xxx driver (Linux, FreeBSD). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+#/dev/twa0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twa0 -d 3ware,1 -a -s L/../../2/03
+
+# Monitor 2 SATA (not SAS) disks connected to a 3ware 9000 controller which
+# uses the 3w-sas driver (Linux, FreeBSD). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+#/dev/twl0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twa0 -d 3ware,1 -a -s L/../../2/03
+
+# Same as above for Windows. Option '-d 3ware,N' is not necessary,
+# disk (port) number is specified in device name.
+# NOTE: On Windows, DEVICESCAN works also for 3ware controllers.
+#/dev/hdc,0 -a -s L/../../2/01
+#/dev/hdc,1 -a -s L/../../2/03
+#
+# Monitor 2 disks connected to the first HP SmartArray controller which
+# uses the cciss driver. Start long tests on Sunday nights and short
+# self-tests every night and send errors to root
+#/dev/cciss/c0d0 -d cciss,0 -a -s (L/../../7/02|S/../.././02) -m root
+#/dev/cciss/c0d0 -d cciss,1 -a -s (L/../../7/03|S/../.././03) -m root
+
+# Monitor 3 ATA disks directly connected to a HighPoint RocketRAID. Start long
+# self-tests Sundays between 1-2, 2-3, and 3-4 am. 
+#/dev/sdd -d hpt,1/1 -a -s L/../../7/01
+#/dev/sdd -d hpt,1/2 -a -s L/../../7/02
+#/dev/sdd -d hpt,1/3 -a -s L/../../7/03
+
+# Monitor 2 ATA disks connected to the same PMPort which connected to the
+# HighPoint RocketRAID. Start long self-tests Tuesdays between 1-2 and 3-4 am
+#/dev/sdd -d hpt,1/4/1 -a -s L/../../2/01
+#/dev/sdd -d hpt,1/4/2 -a -s L/../../2/03
+
+# HERE IS A LIST OF DIRECTIVES FOR THIS CONFIGURATION FILE.
+# PLEASE SEE THE smartd.conf MAN PAGE FOR DETAILS
+#
+#   -d TYPE Set the device type: ata, scsi, marvell, removable, 3ware,N, hpt,L/M/N
+#   -T TYPE set the tolerance to one of: normal, permissive
+#   -o VAL  Enable/disable automatic offline tests (on/off)
+#   -S VAL  Enable/disable attribute autosave (on/off)
+#   -n MODE No check. MODE is one of: never, sleep, standby, idle
+#   -H      Monitor SMART Health Status, report if failed
+#   -l TYPE Monitor SMART log.  Type is one of: error, selftest
+#   -f      Monitor for failure of any 'Usage' Attributes
+#   -m ADD  Send warning email to ADD for -H, -l error, -l selftest, and -f
+#   -M TYPE Modify email warning behavior (see man page)
+#   -s REGE Start self-test when type/date matches regular expression (see man page)
+#   -p      Report changes in 'Prefailure' Normalized Attributes
+#   -u      Report changes in 'Usage' Normalized Attributes
+#   -t      Equivalent to -p and -u Directives
+#   -r ID   Also report Raw values of Attribute ID with -p, -u or -t
+#   -R ID   Track changes in Attribute ID Raw value with -p, -u or -t
+#   -i ID   Ignore Attribute ID for -f Directive
+#   -I ID   Ignore Attribute ID for -p, -u or -t Directive
+#   -C ID   Report if Current Pending Sector count non-zero
+#   -U ID   Report if Offline Uncorrectable count non-zero
+#   -W D,I,C Monitor Temperature D)ifference, I)nformal limit, C)ritical limit
+#   -v N,ST Modifies labeling of Attribute N (see man page)
+#   -a      Default: equivalent to -H -f -t -l error -l selftest -C 197 -U 198
+#   -F TYPE Use firmware bug workaround. Type is one of: none, samsung
+#   -P TYPE Drive-specific presets: use, ignore, show, showall
+#    #      Comment: text after a hash sign is ignored
+#    \      Line continuation character
+# Attribute ID is a decimal integer 1 <= ID <= 255
+# except for -C and -U, where ID = 0 turns them off.
+# All but -d, -m and -M Directives are only implemented for ATA devices
+#
+# If the test string DEVICESCAN is the first uncommented text
+# then smartd will scan for devices /dev/hd[a-l] and /dev/sd[a-z]
+# DEVICESCAN may be followed by any desired Directives.
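Review bot: The two live lines `/dev/twe0 -d 3ware,0` and `/dev/twe0 -d 3ware,1` carry the identical schedule `-s (S/../.././02|L/../../6/03)`, so both disks behind the same controller run their short and long self-tests in the same hour, whereas the commented 3ware examples further down stagger ports by an hour (`L/../../7/01`, `L/../../7/02`). Consider `-s (S/../.././03|L/../../6/04)` for port 1. Since this template is already the per-host copy, the Debian stock commentary around the two real entries could be trimmed so the monitored devices are easy to find and audit.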

+ 107 - 0
roles/common/templates/ssh/sshd_config.j2

@@ -0,0 +1,107 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+{% if ssh_port is defined %}
+Port {{ ssh_port }}
+{% else %}
+Port 22
+{% endif %}
+{% if ssh_ports_extra is defined %}
+{% for port in ssh_ports_extra %}
+Port {{ port }}
+{% endfor %}
+{% endif %}
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+{% if ssh_ecdsa_key %}
+HostKey /etc/ssh/ssh_host_ecdsa_key
+{% endif %}
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# Define users groups allowed to login
+AllowGroups root operator ssh
+
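Review bot: `PasswordAuthentication` is left commented out, so it keeps the OpenSSH default of `yes` and every account admitted by `AllowGroups root operator ssh` remains reachable by password guessing, while `PermitRootLogin without-password` still admits root by key; the template should state `PasswordAuthentication no` explicitly (or drive it from a variable) next to `ChallengeResponseAuthentication no`. The `HostKey /etc/ssh/ssh_host_dsa_key` line offers a DSA host key, which is limited to 1024 bits and disabled by default in current OpenSSH clients; unless legacy clients need it, drop that line so only RSA and, when enabled, ECDSA are offered. `{% if ssh_ecdsa_key %}` also differs from the `is defined` guard used for `ssh_port`: if Ansible's strict undefined handling is on, an unset `ssh_ecdsa_key` aborts the template unless group_vars/all defines it, so `{% if ssh_ecdsa_key is defined and ssh_ecdsa_key %}` is the safer form.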

+ 10 - 0
roles/common/templates/sudo/local-admin.j2

@@ -0,0 +1,10 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+#
+# sudo configuration for local admins
+#
+
+# Debian apt configuration
+%operator ALL=NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
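Review bot: `apt-get upgrade` is interactive — dpkg's conffile-conflict prompt offers to start a shell — so this NOPASSWD rule effectively gives %operator an unaudited root shell rather than just the ability to apply updates. If full administrative rights for %operator are the intent, say so in the header comment; otherwise grant a small root-owned wrapper script that runs `apt-get -y -o Dpkg::Options::=--force-confold upgrade` non-interactively and list that script here instead of `/usr/bin/apt-get upgrade`. The task that installs this file should also pass it through `validate: visudo -cf %s`, because a syntax error in a sudoers.d fragment disables sudo for every user; that task is not visible from this hunk.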

+ 519 - 0
roles/monitoring/files/mon/dns.monitor

@@ -0,0 +1,519 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 1998 David Eckelkamp
+# Copyright (C) 2002-2006 Carnegie Mellon University
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# $Id: dns.monitor,v 1.3 2006/09/05 12:52:37 vitroth Exp $
+#
+=head1 NAME
+
+dns.monitor - Monitor DNS servers for the "mon" system
+
+=head1 SYNOPSIS
+
+B<dns.monitor> 
+
+
+=over 12
+
+( [ I<-zone zone [-zone zone ...]> 
+
+
+=over 4
+
+
+I<-master server [-master server ...]>
+
+I<[-serial_threshold num]> 
+
+I<[-failsingle]> ]
+
+=back
+
+| [ I<-caching_only> 
+
+=over 4
+
+I<-query record[:type[:value]] [-query record[:type[:value]] ...]> ] )
+
+=back
+
+I<[-tcp]> 
+
+I<[-retry num]> 
+
+I<[-retransmit num]> 
+
+I<[-timeout num]> 
+
+I<[-debug num]>
+
+I<server [server ...]>
+
+=back
+
+=head1 DESCRIPTION
+
+B<dns.monitor> will make several DNS queries to verify that a server is
+operating correctly
+
+In normal mode, B<dns.monitor> will compare the zones between a master
+server and one or more slave servers.  The I<zone> argument is the
+zone to check. There can be multiple I<zone> arguments. The I<master>
+argument is the master server for the I<zone>.  There can be multiple
+I<master> arguments.  The master server(s) will be queried for the
+base information.  If the I<serial_threshold> argument is provided,
+the serials collected from the I<master> servers are checked to be
+within I<serial_threshold>.  The greatest serial of all of the
+I<master> servers is chosen for comparison.  Then each I<server> will
+be queried to verify that it has the correct answers.  If the
+I<serial_threshold> argument is provided, the slave servers must
+return a zone whose serial number is no more than the threshold from
+the serial number of the zone on the master.  (Zone serial numbers may
+not be identical during zone propagation, or on Dynamic DNS zones
+which may be updated hundreds or thousands of times an hour) It is
+assumed that each I<server> is supposed to be authoritative for the
+I<zone>. The I<-tcp> option will cause lookups to be done via TCP
+instead of the default UDP.
+
+In caching mode, specified via the I<-caching_only> switch,
+B<dns.monitor> will perform a set of DNS queries to one or more
+servers.  The I<query> argument is the query to perform.  The query
+may have an optional query type specified as I<:type> on the end of
+the query.  I.e your.zone.com:MX will cause B<dns.monitor> to fetch
+the MX records for your.zone.com.  There can be multiple I<query>
+arguments.  The query type may also have an optional result specified
+as I<:value> on the end of the query (type must also be specified).
+Each I<server> will be contacted to verify that it returns a valid
+response to the query.  If a query result is specified B<dns.monitor>
+will return an error is the DNS query returns an answer which differs
+from the supplied result.  If you wish to use B<dns.monitor> to verify
+that a caching DNS server is actually fetching fresh data from other
+servers successfully, it is recommended that the DNS records you query
+should have very short TTLs.
+
+The exit code of B<dns.monitor> will be the highest number of servers
+which failed on a single zone/query, 0 if no problems occurred, or -1
+if an error with the script arguments was detected.  If all of the
+I<master> servers fail, the return code will be 252.  If using the
+I<failsingle> option and any I<master> server fails, the return code
+will be 251.
+
+=head1 AUTHOR
+
+The script was originally written by David Eckelkamp <davide@tradewave.com>
+
+The script was modified to support Caching DNS servers, configurable
+retry/timeout parameters, multiple DNS Master servers, and
+configurable Zone serials by David Nolan <vitroth@cmu.edu> and Jason
+Carr <jcarr@andrew.cmu.edu> from Carnegie Mellon University.
+
+=cut
+    
+use strict;
+use Getopt::Long;
+use English;
+use File::Basename;
+use Net::DNS::Resolver;
+use Net::DNS::Packet;
+use Net::DNS::RR;
+use Data::Dumper;
+
+my($Program) = basename($0);
+my(@Zones)   = ();
+my(@Queries)   = ();
+my(@Master)  = ();
+my($SerialThreshold) = (0);
+my($CachingServer) = (0);
+my($UseTCP) = (0);
+my ($retries, $retrans, $timeout) = ( 2, 5, undef );
+my $debug = 0;
+my $failsingle = 0;
+
+my(%OptVars) = (
+		"master" => \@Master,
+		"zone" => \@Zones,
+                "serial_threshold" => \$SerialThreshold,
+	        "caching_only" => \$CachingServer,
+		"query" => \@Queries,
+		"retry" => \$retries,
+		"retransmit" => \$retrans,
+		"timeout" => \$timeout,
+		"tcp" => \$UseTCP,
+		"debug" => \$debug,
+		"failsingle" => \$failsingle
+	       );
+
+if (!GetOptions(\%OptVars, "master=s@", "zone=s@", "serial_threshold=s", "caching_only", "tcp", "query=s@", "retry=i", "retransmit=i", "timeout=i", "debug", "failsingle")) {
+    print STDERR "Problems with Options, sorry\n";
+    exit -1;
+}
+if ( $#ARGV < 0 ) {
+    print STDERR "$Program: at least one server must be specified\n";
+    usage();
+    exit -1;
+}
+if (!$CachingServer) {
+    if (! @Master) {
+        print STDERR "$Program: The zone master server must be specified\n";
+	usage();
+        exit -1;
+    }
+    if (! @Zones) {
+        print STDERR "$Program: At least one zone must be specified\n";
+	usage();
+        exit -1;
+    }
+} else {
+    if (! @Queries) {
+        print STDERR "$Program: At least one query must be specified\n";
+	usage();
+        exit -1;
+    }
+}
+
+
+if (!$CachingServer) {
+    my($err_cnt) = 0;
+    my($bad_servers, $reason, $failcount, @FailedZones, @FailedServers, @Reasons);
+    my($zone, $line, $i);
+    foreach $zone (@Zones) {
+	($bad_servers, $reason, $failcount) = dns_verify($zone, \@Master, \@ARGV);
+	if (defined($bad_servers)) {
+	    $err_cnt = $failcount if ($failcount > $err_cnt);
+	    push(@FailedZones, $zone);
+	    push(@FailedServers, $bad_servers);
+	    push(@Reasons, $reason);
+	}
+    }
+    
+    @FailedServers=split(' ',join(" ",@FailedServers));
+    my (@UniqFailedServers, %saw);
+    @saw{@FailedServers} = ();
+    @UniqFailedServers = keys %saw;
+    
+    if ($err_cnt > 0) {
+	print join(" ", @UniqFailedServers); 
+	print "\n";
+	
+	# Now print the detail lines
+	for ($i=0; $i<=$#FailedZones; $i++) {
+	    print "Zone '$FailedZones[$i]': failed servers: $FailedServers[$i]\n";
+	    print "Diagnostics:\n";
+	    foreach $line (split("\n", $Reasons[$i])) {
+		print "     $line\n";
+	    }
+	    print "\n";
+	}
+    }
+
+    exit $err_cnt;
+} else {
+    my($err_cnt) = 0;
+    my($bad_servers, $reason, $failcount, @FailedQuerys, @FailedServers, @Reasons);
+    my($query, $type, $line, $i, $target);
+    foreach (@Queries) {
+	($query, $type, $target) = split /:/;
+	$type = 'A' if ($type eq "");
+	($bad_servers, $reason, $failcount) = dns_test($query, $type, $target, @ARGV);
+	if (defined($bad_servers)) {
+	    $err_cnt = $failcount if ($failcount > $err_cnt);
+ 	    push(@FailedQuerys, "$query $type") if (!$target);
+ 	    push(@FailedQuerys, "$query $type == $target $type") if ($target);
+	    push(@FailedServers, $bad_servers);
+	    push(@Reasons, $reason);
+	}
+    }
+    
+    @FailedServers=split(' ',join(" ",@FailedServers));
+    my (@UniqFailedServers, %saw);
+    @saw{@FailedServers} = ();
+    @UniqFailedServers = keys %saw;
+    
+    if ($err_cnt > 0) {
+	print join(" ", @UniqFailedServers); 
+	print "\n";
+	
+	# Now print the detail lines
+	for ($i=0; $i<=$#FailedQuerys; $i++) {
+	    print "Query '$FailedQuerys[$i]': failed servers: $FailedServers[$i]\n";
+	    print "Diagnostics:\n";
+	    foreach $line (split("\n", $Reasons[$i])) {
+		print "     $line\n";
+	    }
+	    print "\n";
+	}
+    }
+
+    exit $err_cnt;
+}
+
+    
+# dns_verify($zone, \@master, \@Servers)
+
+# This subroutine takes 3 or more arguments. The first argument is the name of
+# the DNS zone/domain to check.  The second argument is the name of the DNS
+# server you consider to be the master of the given zone. The subroutine
+# will make a DNS query to the the master to get the SOA for the zone and
+# extract the serial number.  The third and rest of the arguments are taken as
+# names of slave DNS servers.  Each server will be queried for the SOA of the
+# given zone and the serial number will be checked against that found in the
+# SOA record on the master server. By default the zone serials must be 
+# the same.  This may be overridden by the serial_threshold command line 
+# argument.
+
+# The return value is a 3 element list. The first element is a space delimited
+# string containing the names of the slave servers that did not match the
+# master zone.  The second element is a string containing the diagnostic
+# output that should explain the problem encountered.  The third element is a count 
+# of how many servers failed, which will be used as the exit code.
+
+sub dns_verify {
+    # First verify that we have enough arguments.
+    my($Zone) = shift;
+    my(@Master) = @{shift()};
+    my(@Servers) = @{shift()};
+    my($result) = undef;
+    my(@failed, $res, $soa_req, $Serial, $error_cnt, $server);
+
+    my(%serials) = ();
+    my(%errors) = ();
+
+    # Query the $Master for the SOA of $Zone and get the serial number.
+    $res = new Net::DNS::Resolver;
+    $res->usevc(1) if ($UseTCP);
+    $res->defnames(0);		# don't append default zone
+    $res->recurse(0);		# no recursion
+    $res->retry($retries);		# retries before failure
+    $res->retrans($retrans);    # retransmission interval
+    $res->udp_timeout($timeout); # set udp timeout
+    $res->tcp_timeout($timeout); # set tcp timeout
+
+    $error_cnt=0;
+
+    # Loop through each master server
+    foreach my $qs (@Master) {
+	$res->nameservers($qs);
+	$soa_req = $res->query($Zone, "SOA");
+	if (!defined($soa_req) || ($soa_req->header->ancount <= 0)) {
+	    $error_cnt++;
+	    $errors{$qs} = sprintf("SOA query for $Zone from $qs failed %s\n", $res->errorstring);
+	    if ($res->errorstring eq 'NOERROR') {
+		$errors{$qs} .= sprintf("    Empty answer received.  (No zone on server?)\n")
+	    }
+	    if ($failsingle) { return ($qs, $errors{$qs}, 251); }
+	    next;
+	}
+	unless ($soa_req->header->aa) {
+	    $error_cnt++;
+	    $errors{$qs} = sprintf("$qs is not authoritative for $Zone\n");
+	    if ($failsingle) { return ($qs, $errors{$qs}, 251); }
+	    next;
+	}
+	unless ($soa_req->header->ancount == 1) {
+	    $error_cnt++;
+	    $errors{$qs} = sprintf("Too many answers for SOA query to %s for %s\n", $qs, $Zone);
+	    if ($failsingle) { return ($qs, $errors{$qs}, 251); }
+	    next;
+	}
+	unless (($soa_req->answer)[0]->type eq "SOA") {
+	    $error_cnt++;
+	    $errors{$qs} = printf("Query for SOA for %s from %s failed: " . "return type = %s\n", $Zone, $qs, ($soa_req->answer)[0]->type);
+	    if ($failsingle) { return ($qs, $errors{$qs}, 251); }
+	    next;
+	}
+
+	$serials{$qs} = ($soa_req->answer)[0]->serial;
+    }
+
+
+    if ($debug >= 2) {
+	print Data::Dumper->Dump([\%serials], ['serials']);
+    }
+
+	
+    if ($error_cnt == scalar @Master) {
+	# all masters errored
+	return("", values %errors, 251);
+    }
+	
+    my $maxvalue = undef;
+    my $minvalue = undef;
+    my $maxkey   = undef;
+    my $minkey   = undef;
+
+    foreach my $key (keys %serials) {
+	if ($serials{$key} > $maxvalue) {
+	    $maxvalue = $serials{$key};
+	    $maxkey = $key;
+	}
+
+	if (($serials{$key} < $minvalue) || (!defined $minkey)) {
+	    $minvalue = $serials{$key};
+	    $minkey = $key;
+	}
+    }	
+	
+    if (abs($maxvalue - $minvalue) > $SerialThreshold) {
+	return ($minkey, "\nQuery to $minkey about $Zone failed\n" .
+		"Serial number = $minvalue, should have been $maxvalue\n", 252)
+    }
+	
+    $Serial = $maxvalue;
+
+    return ("", "\nNo SOA Serial found for $Zone!?!?", 252) if (!$Serial);
+
+    # Now, foreach server given on the command line, get the serial number from
+    # the SOA and compare it to the master.
+    $error_cnt = 0;
+    foreach $server (@Servers) {
+	$res = new Net::DNS::Resolver;
+	$res->usevc(1) if ($UseTCP);
+	$res->defnames(0);		# don't append default zone
+	$res->recurse(0);		# no recursion
+	$res->retry($retries);		
+	$res->retrans($retrans);
+	$res->udp_timeout($timeout);
+	$res->tcp_timeout($timeout);
+
+	$res->nameservers($server);
+	$soa_req = $res->query($Zone, "SOA");
+	if (!defined($soa_req) || ($soa_req->header->ancount <= 0)) {
+	    $error_cnt++;
+	    push(@failed, $server);
+	    $result .= sprintf("\nSOA query for $Zone from $server failed %s\n",
+			       $res->errorstring);
+	    if ($res->errorstring eq 'NOERROR') {
+		$result .= sprintf("    Empty answer received.  (No zone on server?)\n");
+	    }
+	    next;
+	}
+	unless($soa_req->header->aa 
+	       && $soa_req->header->ancount == 1 
+	       && ($soa_req->answer)[0]->type eq "SOA" 
+	       && ((abs(($soa_req->answer)[0]->serial - $Serial)) <= $SerialThreshold)) {
+	    $error_cnt++;
+	    push(@failed, $server);
+	    $result .= sprintf("\nQuery to $server about $Zone failed\n" . 
+			       "Authoritative = %s\n" . 
+			       "Answer count = %d\n" . 
+			       "Answer Type = %s\n" .
+			       "Serial number = %s, should have been %s\n" ,
+			       $soa_req->header->aa ? "yes" : "no",
+			       $soa_req->header->ancount,
+			       ($soa_req->answer)[0]->type,
+			       ($soa_req->answer)[0]->serial, 
+			       $Serial);
+	    next;
+	}
+    }
+    if ($error_cnt == 0) {
+	return(undef, undef, undef);
+    } else {
+	return("@failed", $result, $error_cnt);
+    }
+}
+
+
+# dns_test($query, $type, $target, $server, ...)
+
+# This subroutine takes 4 or more arguments. The first argument is the name of
+# the DNS record to query.  The second argument is the type of the DNS
+# query to perform. The third argument is the name of a second DNS record to query,
+# whose results should match the first query.  The fourth and rest of the arguments are 
+# taken as names of caching DNS servers.  Each server will be queried for the 
+# given record and type
+
+# The return value is a 3 element list. The first element is a space delimited
+# string containing the names of the servers that failed to respond to the
+# query.  The second element is a string containing the diagnostic
+# output that should explain the problem encountered.  The third element is the
+# count of how many servers failed, which will be used as the exit code.
+
+sub dns_test {
+    # First verify that we have enough arguments.
+    my($Query, $type, $target, @Servers) = @_;
+    my($result) = undef;
+    my(@failed, $res, $req, $treq, $Serial, $error_cnt, $server);
+
+    # Now, foreach server given on the command line, 
+    # make the query
+    $error_cnt = 0;
+    foreach $server (@Servers) {
+        $res = new Net::DNS::Resolver;
+        $res->defnames(0);              # don't append default zone
+        $res->retry($retries);          # 2 retries before failure
+        $res->retrans($retrans);
+        $res->udp_timeout($timeout);
+        $res->tcp_timeout($timeout);
+        $res->nameservers($server);
+        $req = $res->query($Query, $type);
+        if (!defined($req) || ($req->header->ancount <= 0)) {
+            $error_cnt++;
+            push(@failed, $server);
+            $result .= sprintf("\n$type query for $Query from $server failed %s\n",
+                               $res->errorstring);
+            next;
+          } elsif ($target) {
+            $treq = $res->query($target, $type);
+            my $status = 0;
+            foreach my $qans ($req->answer) {
+              print STDERR $qans->string."\n" if ($debug);
+              print STDERR $qans->rdatastr."\n" if ($debug);
+              foreach my $tans ($treq->answer) {
+                print STDERR "target\n" if ($debug);
+                print STDERR $tans->string."\n" if ($debug);
+                print STDERR $tans->rdatastr."\n" if ($debug);
+                if ($tans->rdatastr eq $qans->rdatastr) {
+                  print STDERR "match found\n" if ($debug);
+                  $status = 1;
+                  last;
+                }
+              }
+              last if ($status);
+            }
+            if (!$status) {
+              $error_cnt++;
+              push @failed, $server;
+              $result .= "Query $Query:$type failed to match $target\n";
+            }
+          }
+      }
+    if ($error_cnt == 0) {
+        return(undef, undef, undef);
+    } else {
+        return("@failed", $result, $error_cnt);
+    }
+}
+
+sub usage {
+  print STDERR <<END_USAGE;
+Usage: dns.monitor -zone zone [-zone zone ...] 
+                   -master master 
+                   [-serial_threshold num] 
+                   server [server ...]
+   or: dns.monitor -caching_only 
+                   -query record[:type] [-query record[:type] ...] 
+                   server [server ...]
+Optional Arguments for either mode:
+       -retry num
+       -retransmit num
+       -timeout num
+       -debug num
+       
+END_USAGE
+}
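Review bot: In dns_verify the non-SOA answer branch assigns `$errors{$qs} = printf(...)`, which prints the diagnostic to STDOUT (corrupting mon's first-line failure summary) and stores printf's return value `1` as the message; it should be `sprintf` like the sibling branches. A few lines later, `return("", values %errors, 251)` flattens the whole hash into the return list, so with two or more failed masters the caller's `$failcount` receives an error string instead of a number — `return("", join("", values %errors), 252)` keeps the three-element contract, and the POD documents 252 for this case, 251 being reserved for `-failsingle`. In dns_test, `$treq = $res->query($target, $type)` is dereferenced as `$treq->answer` without a definedness check, so an unresolvable `$target` kills the script instead of counting as a failure; guard it with `unless (defined $treq) { $error_cnt++; push @failed, $server; next; }` after adding the diagnostic. dns_test also builds its resolver without `$res->usevc(1) if ($UseTCP);`, unlike dns_verify, so `-tcp` is silently ignored in caching mode.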

+ 126 - 0
roles/monitoring/files/mon/https.monitor

@@ -0,0 +1,126 @@
+#!/usr/bin/perl
+#
+# $Id: https.monitor,v 1.15 2000/02/04 23:34:03 andrewr Exp $
+#
+# An extremely simple https monitor for mon.
+#
+# Code structure based on Jon Meek & Jim Trocki's http.monitor program.
+#
+# https code taken from the get_page.pl function from the
+# Net::SSLeay distribution by Sampo Kellomaki <sampo@iki.fi>
+#
+# It makes use of the Net::SSLeay library and the OpenSSL package
+# (www.openssl.org).
+#
+# To get around the problem that Net::SSLeay carps to STDERR
+# uncontrollably about a number of things (e.g. connection refused),
+# we get around this by running the actual ssl get as an escaped
+# perl program and dropping the stderr of that instance. Gross, but
+# strangely effective.
+#
+# Use the -v option if you actually want to see the full result and
+# all headers. You'd never use this from mon, since it provides
+# non-mon-compliant output, but it can be interesting from the command
+# line.
+#
+#
+#
+#     Distribution and use of this program is under the same terms
+#     as the OpenSSL package itself (i.e. free, but mandatory
+#     attribution; NO WARRANTY). Please consult COPYRIGHT file in
+#     the root of the SSLeay distribution.
+#
+
+use strict;
+
+use Socket;
+use Net::SSLeay qw(die_now die_if_ssl_error) ;
+use Getopt::Std;
+
+#
+use English;
+
+
+#Net::SSLeay::load_error_strings();
+#Net::SSLeay::SSLeay_add_ssl_algorithms();
+
+# Comment this out since on systems without a /dev/[u]random this
+# line causes an unneccesary carp which will confuse mon.
+# If you use Linux or BSD or other OS which supports a random device,
+# feel free to uncomment this line.
+#Net::SSLeay::randomize();
+
+use vars qw($opt_p $opt_t $opt_u $opt_v);
+getopts ("vp:t:u:");
+my $PORT = $opt_p || 443;
+my $TIMEOUT = $opt_t || 30;
+my $URL = $opt_u || "/";
+my $perl = "/usr/bin/perl";      # where you keep perl
+my $field_delim = "<>";          # html field delimiter
+
+my @failures = ();
+my @detail = ();
+
+
+my ($host, $OK, $default_header, $auth_header, $end_header, $request_header, $msg);
+my ($dest_ip, $dest_serv, $sockaddr_template, $dest_serv_params, $ctx, $ssl, $res, $reply, $got, $ServerOK);
+
+foreach $host (@ARGV) {
+
+    $OK = &httpsGET($host, $PORT, $URL);
+
+    if (!defined ($OK) || $OK == 0) {
+        push (@failures, $host);
+    }
+}
+
+if (@failures == 0) {
+    exit 0;
+}
+
+print "@failures\n";
+print join(";",@detail);
+
+exit 1;
+
+
+
+#  Main function begins here
+sub httpsGET {
+    my ($site, $port, $path) = (@_);
+    my $total_bytes = 0;       #set total bytes transferred to 0
+    my ($page, $result, %headers);
+
+#    print "attempting to contact site $site on port $port with path $path\n";
+
+    eval {
+    local $SIG{ALRM} = sub { die "Timeout Alarm" };
+        alarm $TIMEOUT;
+
+    $result = `$perl -e'use Net::SSLeay ; Net::SSLeay::SSLeay_add_ssl_algorithms() ; print join("$field_delim",Net::SSLeay::get_https("$site", "$port", "$path"))' 2>/dev/null`;
+    alarm 0; #cancel the alarm
+
+    ($page, $result, %headers) = split ("<>",$result);
+    print "Result was `$result'\n" if $opt_v;
+    foreach my $h (sort keys %headers) {
+        print "Header `$h'\tvalue `$headers{$h}'\n" if $opt_v;
+    }
+
+    if ($result =~ /^HTTP\/([\d\.]+)\s+(200|301|302)\b/) {
+            $ServerOK = 1;
+        } else {
+            $ServerOK = 0;
+        push(@detail,"$result");
+        }
+
+    };
+
+    if ($EVAL_ERROR and ($EVAL_ERROR eq 'Timeout Alarm')) {
+        print "**** Time Out\n";
+        return 0;
+    }
+
+    return $ServerOK;
+
+}
+
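Review bot: `$site`, `$port`, `$path` and `$field_delim` are interpolated straight into the backtick command — once by the parent into the quoted `-e` program and once more by `/bin/sh` — so a host name or `-u` path containing a quote, `$` or backtick breaks the command or is executed as a shell fragment under the monitor's uid. The values come from mon's configuration, so the exposure is limited to whoever edits that file, but the list form of pipe-open avoids the shell entirely and hands the values to the child through `@ARGV`; STDERR is redirected around the fork to keep the existing `2>/dev/null` behaviour. As far as I can tell `Net::SSLeay::get_https` performs no certificate verification, so this check confirms only that a TLS endpoint answers 200/301/302, not that its certificate is valid — worth a sentence in the header comment if that is intended. httpsGET sits entirely inside this hunk; the rewritten part of its eval block follows.
```perl
    eval {
        local $SIG{ALRM} = sub { die "Timeout Alarm" };
        alarm $TIMEOUT;

        # Child program reads its parameters from @ARGV: no shell, no interpolation.
        my $prog = 'use Net::SSLeay; Net::SSLeay::SSLeay_add_ssl_algorithms();'
                 . ' print join($ARGV[3], Net::SSLeay::get_https($ARGV[0], $ARGV[1], $ARGV[2]));';
        open(my $saved_err, '>&', \*STDERR) or die "dup STDERR: $!";
        open(STDERR, '>', '/dev/null');            # the forked child inherits this
        my $spawned = open(my $child, '-|', $perl, '-e', $prog, $site, $port, $path, $field_delim);
        open(STDERR, '>&', $saved_err);
        $result = $spawned ? do { local $/; <$child> } : '';   # '' fails the status match below
        close $child if $spawned;
        alarm 0; #cancel the alarm

        # … unchanged: split on the field delimiter, -v header dump, HTTP status check …
    };
```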

+ 199 - 0
roles/monitoring/files/mon/imaps.monitor

@@ -0,0 +1,199 @@
+#!/usr/bin/perl
+#
+# Use try to connect to an IMAP server, and
+# wait for the right output.
+#
+# For use with "mon".
+#
+# Arguments are "-p port -t timeout host [host...]"
+#
+# Adapted from "http.monitor" by
+# Jim Trocki, trockij@transmeta.com
+#
+# http.monitor written by
+#
+# Jon Meek
+# American Cyanamid Company
+# Princeton, NJ
+#
+# $Id: imap.monitor,v 1.3 2005/08/20 15:27:56 vitroth Exp $
+#
+#    Copyright (C) 1998, Jim Trocki
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+use Getopt::Std;
+use English;
+use Net::SSLeay::Handle;
+
+getopts ("m:p:t:u:w:s");
+$PORT = $opt_p || 143;
+$TIMEOUT = $opt_t || 30;
+$MAILBOX=$opt_m || undef;
+$USERNAME=$opt_u || 'ANONYMOUS';
+$PASSWORD=$opt_w || 'ANONYMOUS';
+
+@failures = ();
+
+foreach $host (@ARGV) {
+
+    if (! &imapGET($host, $PORT)) {
+    push (@failures, $host);
+    }
+}
+
+if (@failures == 0) {
+    exit 0;
+}
+
+print join (" ", sort @failures), "\n\n", join ("\n", @longerr), "\n";
+
+exit 1;
+
+
+sub imapGET {
+    use Socket;
+    use Sys::Hostname;
+
+    my($Server, $Port) = @_;
+    my($ServerOK, $TheContent, $cmd);
+
+    $ServerOK = 0;
+
+    $TheContent = '';
+
+    $Path = '/';
+
+###############################################################
+    eval {
+
+    local $SIG{ALRM} = sub { die "Timeout Alarm" };
+    alarm $TIMEOUT;
+    $result = &OpenSocket($Server, $Port); # Open a connection to the server
+    if ($result == 0) { # Failure to open the socket
+        push @longerr, "$Server: Unable to connect";
+        return '';
+    }
+
+    $in = <S>;
+    if ($in !~ /^\* (OK|PREAUTH|BYE)/) {
+        alarm 0;
+        push @longerr, "$Server: No IMAP banner received";
+        return 0;
+    }
+
+        $cmd="login";
+    print S "A1 LOGIN ", $USERNAME, " ", $PASSWORD, "\r\n";
+
+    while (defined($in=<S>)) {
+        if ($in =~ /^A1 (\w+) (.*)/) {
+                if ($1 eq "OK") {
+                $ServerOK = 1;
+                } else {
+                    $errmsg="$1 $2";
+                }
+        last;
+        }
+    }
+
+        if ($ServerOK && $MAILBOX) {
+           $cmd="examine";
+           $ServerOK=0;
+       print S "A2 EXAMINE $MAILBOX\r\n";
+
+       while (defined($in=<S>)) {
+           if ($in =~ /^A2 (\w+) (.*)/) {
+                   if ($1 eq "OK") {
+                   $ServerOK = 1;
+                   } else {
+                       $errmsg="$1 $2";
+                   }
+           last;
+           }
+       }
+    }
+
+        if ($ServerOK) {
+           $cmd="logout";
+           $ServerOK=0;
+       print S "A3 LOGOUT\r\n";
+
+       while (defined($in=<S>)) {
+           if ($in =~ /^A3 (\w+) (.*)/) {
+                   if ($1 eq "OK") {
+                   $ServerOK = 1;
+                   } else {
+                       $errmsg="$1 $2";
+                   }
+           last;
+           }
+       }
+    }
+    if (!$ServerOK) {
+          if ($errmsg) {
+         push @longerr, "$Server: bad response to $cmd: $errmsg";
+          } else {
+         push @longerr, "$Server: No response to $cmd";
+          }
+    }
+
+
+    close(S);
+    alarm 0; # Cancel the alarm
+
+    };
+
+    if ($EVAL_ERROR and ($EVAL_ERROR =~ /^Timeout Alarm/)) {
+    push @longerr, "$Server: **** Time Out\n";
+    return 0;
+    } elsif ($EVAL_ERROR) {
+        push @longerr, "$Server: $EVAL_ERROR";
+        return 0;
+    }
+    return $ServerOK;
+
+}
+
+sub OpenSocket {
+#
+# Make a Berkeley socket connection between this program and a TCP port
+#  on another (or this) host. Port can be a number or a named service
+#
+    local($OtherHostname, $Port) = @_;
+    local($OurHostname, $sockaddr, $name, $aliases, $proto, $type, $len,
+      $ThisAddr, $that);
+    $OurHostname = &hostname;
+
+    ($name, $aliases, $proto) = getprotobyname('tcp');
+    ($name, $aliases, $Port) = getservbyname($Port, 'tcp') unless $Port =~ /^\d+$/;
+    ($name, $aliases, $type, $len, $ThisAddr) = gethostbyname($OurHostname);
+    ($name, $aliases, $type, $len, $OtherHostAddr) = gethostbyname($OtherHostname);
+
+    my $that = sockaddr_in ($Port, $OtherHostAddr);
+
+    if ($opt_s)
+    {
+        tie(*S, "Net::SSLeay::Handle", $OtherHostname, $Port) ||
+            return undef;
+    }
+    else
+    {
+        $result = socket(S, &PF_INET, &SOCK_STREAM, $proto) || return undef;
+
+        $result = connect(S, $that) || return undef;
+    }
+    select(S); $| = 1; select(STDOUT);      # set S to be un-buffered
+    return 1;                               # success
+}
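Review bot: With `-s`, OpenSocket ties `S` to `Net::SSLeay::Handle` with only host and port, so the TLS session is never checked against a CA or expected hostname, and without `-s` the `A1 LOGIN` in imapGET sends the `-u`/`-w` credentials in clear text on port 143 — in both cases the probe account's password is exposed to anyone on the path, and `-w` is also visible in `ps` on the monitoring host. At minimum the header comment should state this (`# NOTE: -s enables TLS but does not validate the server certificate; use an unprivileged probe account`), and the account used here should have no access beyond what the check needs. Separately, `$errmsg` is a file-level global that is set at `$errmsg="$1 $2"` but never cleared, so a failure on one host can be reported as the cause of a later host's "bad response"; add `$errmsg = '';` beside `$ServerOK = 0;` at the top of imapGET. The username and password are also written into the LOGIN line unquoted, so any value with a space or special character will fail the check rather than authenticate.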

+ 2 - 0
roles/monitoring/handlers/main.yml

@@ -0,0 +1,2 @@
+- include: munin.yml
+- include: mon.yml

+ 2 - 0
roles/monitoring/handlers/mon.yml

@@ -0,0 +1,2 @@
+- name: Restart mon
+  action: service name=mon state=restarted

+ 5 - 0
roles/monitoring/handlers/munin.yml

@@ -0,0 +1,5 @@
+- name: Restart munin-node
+  action: service name=munin-node state=restarted
+
+- name: Reload nginx for munin
+  action: service name=nginx state=reloaded

+ 2 - 0
roles/monitoring/tasks/main.yml

@@ -0,0 +1,2 @@
+- include: munin.yml
+- include: mon.yml

+ 45 - 0
roles/monitoring/tasks/mon.yml

@@ -0,0 +1,45 @@
+- name: Install mon packages
+  action: ${ansible_pkg_mgr} pkg=mon state=installed update_cache=yes
+  when_boolean: ${with_mon}
+
+- name: Create need directory for mon configuration
+  action: file path=/etc/mon/mon.d state=directory owner=root group=root mode=0755
+  when_boolean: ${with_mon}
+
+- name: Install mon configuration
+  action: template src=mon/${ansible_hostname}.conf.j2 dest=/etc/mon/mon.cf owner=root group=root mode=0644
+  notify:
+    - Restart mon
+  when_boolean: ${with_mon}
+
+- name: Install mon (default) configuration
+  action: template src=mon/default.j2 dest=/etc/default/mon owner=root group=root mode=0644
+  notify:
+    - Restart mon
+  when_boolean: ${with_mon}
+
+- name: Install custom mon plugins
+  action: copy src=mon/${item}.monitor dest=/etc/mon/mon.d/${item}.monitor owner=root group=root mode=0755
+  with_items:
+    - https
+    - imaps
+    - dns
+  notify:
+    - Restart mon
+  when_boolean: ${with_mon}
+
+- name: Install mon plugins
+  action: file src=/usr/lib/mon/mon.d/${item}.monitor path=/etc/mon/mon.d/${item}.monitor state=link
+  with_items:
+    - fping
+    - http
+    - smtp
+    - imap
+    - tcp
+  notify:
+    - Restart mon
+  when_boolean: ${with_mon}
+
+- name: Ensure mon is running
+  action: service name=mon state=started
+  when_boolean: ${with_mon}

+ 59 - 0
roles/monitoring/tasks/munin.yml

@@ -0,0 +1,59 @@
+- name: Install munin packages
+  action: ${ansible_pkg_mgr} pkg=munin state=installed update_cache=yes
+  when_boolean: ${with_munin}
+
+- name: Install munin configuration
+  action: template src=munin/munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
+  when_boolean: ${with_munin}
+
+- name: Install munin nginx virtual host (sites-available)
+  action: template src=munin/nginx_vhost.j2 dest=/etc/nginx/sites-available/munin owner=root group=root mode=0644
+  notify:
+    - Reload nginx for munin
+  when_boolean: ${with_munin}
+
+- name: Install munin nginx virtual host (sites-enabled)
+  action: file src=/etc/nginx/sites-available/munin path=/etc/nginx/sites-enabled/munin state=link
+  notify:
+    - Reload nginx for munin
+  when_boolean: ${with_munin}
+
+- name: Install munin-node packages
+  action: ${ansible_pkg_mgr} pkg=${item} state=installed update_cache=yes
+  with_items:
+    - munin-node
+    - munin-plugins-extra
+    - libnet-cidr-perl
+    - libcache-cache-perl
+    - libdbd-pg-perl
+    - libdbd-mysql-perl
+  when_boolean: ${with_munin_node}
+
+- name: Create need directories for munin-node configuration
+  action: file path=/etc/munin/${item} state=directory owner=root group=root mode=0755
+  with_items:
+    - plugins
+    - plugin-conf.d
+  when_boolean: ${with_munin_node}
+
+- name: Install munin node configuration
+  action: template src=munin/munin-node.conf.j2 dest=/etc/munin/munin-node.conf owner=root group=root mode=0644
+  notify:
+    - Restart munin-node
+  when_boolean: ${with_munin_node}
+
+- name: Install munin node plugins configuration
+  action: template src=munin/munin-node.conf.plugins.j2 dest=/etc/munin/plugin-conf.d/munin-node owner=root group=root mode=0644
+  notify:
+    - Restart munin-node
+  when_boolean: ${with_munin_node}
+
+- name: Autoconfigure munin-node plugins
+  action: munin_node_autoconf families=auto,manual,contrib excludes=apc_nis,apt,apt_all,port_,ipmi_fans,ipmi_power,ipmi_temp,ntp_,ircu,ntp_kernel_err,ntp_kernel_pll_freq,ntp_kernel_pll_off,ntp_offset,ntp_states
+  notify:
+    - Restart munin-node
+  when_boolean: ${with_munin_node}
+
+- name: Ensure munin-node is running
+  action: service name=munin-node state=started
+  when_boolean: ${with_munin_node}

+ 30 - 0
roles/monitoring/templates/mon/default.j2

@@ -0,0 +1,30 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Defaults for mon initscript
+# Created by Dario Minnucci <midget@debian.org>
+
+# Master system-wide mon switch.
+# The initscript will not run if ENABLED is set·
+# to values other than: "yes", "true" or "1".
+ENABLED="yes"
+
+# Configuration file
+CONFIGFILE="/etc/mon/mon.cf"
+# Auth file
+#AUTHFILE="/etc/mon/auth.cf"
+
+# Base configuration directory
+CFBASEDIR="/etc/mon"
+# Alerts directory
+ALERTSDIR="/usr/lib/mon/alert.d"
+# Monitors directory
+MONITORSDIR="/etc/mon/mon.d"
+# State directory
+STATEDIR="/var/lib/mon"
+# Logging directory
+LOGDIR="/var/log/mon"
+
+# Deamon options
+DAEMON_OPTS="-B ${CFBASEDIR} -a ${ALERTSDIR} -s ${MONITORSDIR} -D ${STATEDIR} -L ${LOGDIR} -f -c ${CONFIGFILE}"

+ 366 - 0
roles/monitoring/templates/mon/slave.conf.j2

@@ -0,0 +1,366 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+#
+# Mon config file
+#
+
+#
+# Global options
+#
+alertdir        = /usr/lib/mon/alert.d
+mondir          = /usr/lib/mon/mon.d
+logdir          = /var/log/mon
+historicfile    = /var/log/mon/history.log
+maxprocs        = 20
+histlength      = 100
+randstart       = 60s
+dtlogging       = yes
+dtlogfile       = dtlog
+
+#
+# Define groups of hosts to monitor
+#
+
+########
+# PING #
+########
+
+hostgroup pingd
+#
+# openics network
+#
+asuka.asyd.net gendo.asyd.net hosting.asyd.net
+dev.openics.org test.openics.org
+thor.openics.org
+kwak.netleaks.nl
+#
+# abul network
+#
+hiero.abul.org
+instabul.abul.org
+madness.abul.org
+mehyt.abul.org
+osiris.abul.org
+pra.abul.org
+rabalot.abul.org
+aquiforge.abul.org
+skara.abul.org
+#kbsd.abul.org
+#
+# rmll network
+#
+rmll0.rmll.info
+rmll1.rmll.info
+rmll2.rmll.info
+rmll3.rmll.info
+rmll4.rmll.info
+#
+# Rotex network
+#
+singa.rotary1690.org
+#
+# SOo network
+#
+listes.sud-ouest.org
+
+#######
+# SSH #
+#######
+
+hostgroup sshd
+#
+# openics network
+#
+#asuka.asyd.net
+gendo.asyd.net hosting.asyd.net
+dev.openics.org test.openics.org
+thor.openics.org
+kwak.netleaks.nl
+#
+# abul network
+#
+hiero.abul.org
+instabul.abul.org
+madness.abul.org
+mehyt.abul.org
+osiris.abul.org
+pra.abul.org
+rabalot.abul.org
+aquiforge.abul.org
+skara.abul.org
+#kbsd.abul.org
+#
+# rmll network
+#
+rmll0.rmll.info
+rmll1.rmll.info
+rmll2.rmll.info
+rmll3.rmll.info
+rmll4.rmll.info
+#
+# Rotex network
+#
+singa.rotary1690.org
+
+#########
+# HTTPS #
+#########
+
+hostgroup httpsd
+#
+# openics network
+#
+openics.org
+homogeno.us
+#
+# rmll network
+#
+reservation.rmll.info
+admin.rmll.info
+pad.rmll.info
+#
+# Rotary/Rotex network
+#
+www.rotex1690.org
+reservations.rotary1690.org
+
+########
+# HTTP #
+########
+
+hostgroup httpd
+#
+# openics network
+#
+kolter.blog.openics.org
+gallery.openics.org
+git.openics.org
+ge.openics.org
+geraldine.openics.org
+marks.openics.org
+#
+# abul network
+#
+abul.org
+ftp.abul.org
+ftp.abuledu.org
+aquiforge.abul.org
+gilantoli.com
+#
+# rmll network
+#
+rmll.info
+call.rmll.info
+listes.rmll.info
+#
+# SOo network
+#
+listes.sud-ouest.org
+#
+# Rotary/Rotex network
+#
+www.rotex1690.org
+listes.rotary1690.org
+listes.rotex1690.org
+
+########
+# SMTP #
+########
+
+hostgroup smtpd
+#
+# openics network
+#
+gendo.asyd.net
+kwak.netleaks.nl
+#
+# abul network
+#
+hiero.abul.org
+osiris.abul.org
+#
+# rmll network
+#
+rmll1.rmll.info
+rmll3.rmll.info
+#
+# SOo network
+#
+listes.sud-ouest.org
+#
+# Rotary/Rotex network
+#
+singa.rotary1690.org
+
+#########
+# IMAPS #
+#########
+
+hostgroup imapsd
+#
+# openics network
+#
+gendo.asyd.net
+
+#######
+# DNS #
+#######
+
+hostgroup dnsd_openics
+#
+# openics network
+#
+88.191.237.102
+188.241.113.39
+
+hostgroup dnsd_abul
+#
+# abul network
+#
+195.214.228.104
+147.210.68.129
+
+hostgroup dnsd_rmll
+#
+# rmll network
+#
+80.67.169.65
+#173.230.154.187
+
+#
+# Define watches
+#
+watch pingd
+    service ping
+        description Responses to ping
+        interval 5m
+        monitor fping.monitor
+        period
+            numalerts 50
+            alertevery 10m
+            alert mail.alert root
+            alert irc.alert -j -c openics -S chat.freenode.net -U OpenicsBot -n openicsbot -d
+            upalert mail.alert root
+
+watch httpsd
+    service https
+        description HTTP service
+        interval 5m
+        monitor https.monitor
+        period
+            numalerts 50
+            alertevery 10m
+            alert mail.alert root
+            alert irc.alert -j -c openics -S chat.freenode.net -U OpenicsBot -n openicsbot -d
+            upalert mail.alert root
+
+watch httpd
+    service http
+        description HTTP service
+        interval 5m
+        monitor http.monitor
+        period
+            numalerts 50
+            alertevery 10m
+            alert mail.alert root
+            alert irc.alert -j -c openics -S chat.freenode.net -U OpenicsBot -n openicsbot -d
+            upalert mail.alert root
+
+watch smtpd
+    service smtp
+        description SMTP service
+        interval 5m
+        monitor smtp.monitor -t 60
+        period
+            numalerts 50
+            alertevery 10m
+            alert mail.alert root
+            alert irc.alert -j -c openics -S chat.freenode.net -U OpenicsBot -n openicsbot -d
+            upalert mail.alert root
+
+watch imapsd
+    service imaps
+        description IMAP service
+        interval 5m
+        monitor tcp.monitor -t 60 -p 143
+        period
+            numalerts 50
+            alertevery 10m
+            alert mail.alert root
+            alert irc.alert -j -c openics -S chat.freenode.net -U OpenicsBot -n openicsbot -d
+            upalert mail.alert root
+
+watch sshd
+    service ssh
+        description SSH service
+        interval 5m
+        monitor tcp.monitor -t 60 -p 2222
+        period
+            numalerts 50
+            alertevery 10m
+            alert mail.alert root
+            alert irc.alert -j -c openics -S chat.freenode.net -U OpenicsBot -n openicsbot -d
+            upalert mail.alert root
+
+watch dnsd_openics
+    service dns
+        description DNS service - openics
+        interval 5m
+        monitor dns.monitor -zone openics.org -zone bouthenot.name -zone homogeno.us -master 88.191.237.102
+        period
+            numalerts 50
+            alertevery 10m
+            alert mail.alert root
+            alert irc.alert -j -c openics -S chat.freenode.net -U OpenicsBot -n openicsbot -d
+            upalert mail.alert root
+
+watch dnsd_abul
+    service dns
+        description DNS service - abul
+        interval 5m
+        monitor dns.monitor -zone abul.org -zone libresoftwaremeeting.org -zone rencontresmondiales.org -master 195.214.228.104
+        period
+            numalerts 50
+            alertevery 10m
+            alert mail.alert root
+            alert irc.alert -j -c openics -S chat.freenode.net -U OpenicsBot -n openicsbot -d
+            upalert mail.alert root
+
+watch dnsd_rmll
+    service dns
+        description DNS service
+        interval 5m
+        monitor dns.monitor -zone rmll.info -master 80.67.169.65
+        period
+            numalerts 50
+            alertevery 10m
+            alert mail.alert root
+            alert irc.alert -j -c openics -S chat.freenode.net -U OpenicsBot -n openicsbot -d
+            upalert mail.alert root
+
+#   service pop3
+#       description POP3 service
+#       interval 10m
+#       monitor pop3.monitor
+#       period
+#           numalerts 10
+#           alert mail.alert root
+#           upalert mail.alert root
+#   service imap
+#       description IMAP service
+#       interval 10m
+#       monitor imap.monitor -t 60
+#       period
+#           numalerts 10
+#           alert mail.alert root
+#           upalert mail.alert root
+#   service telnet
+#       description TELNET service
+#       interval 10m
+#       monitor telnet.monitor
+#       period wd {Mon-Fri} hr {7am-10pm}
+#           alertevery 1h
+#           alertafter 2 30m
+#           alert mail.alert root
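Review bot: The `imapsd` watch uses `tcp.monitor -t 60 -p 143`, which only confirms that the plaintext IMAP port accepts a TCP connection; it does not exercise IMAPS at all, and the `imaps.monitor` plugin that mon.yml installs into /etc/mon/mon.d is never referenced from this config. Either point the watch at the real service (`monitor imaps.monitor -s -p 993 -t 60`, noting that script needs working `-u`/`-w` credentials since its default `ANONYMOUS` login will presumably be rejected) or rename the watch so it does not claim to cover IMAPS. The `httpsd` watch's `description HTTP service` should read `HTTPS service` to match its monitor. Note also that every `period` block forwards alerts to a public IRC channel via `irc.alert ... -c openics -S chat.freenode.net`, so outage details for all of these hosts are disclosed publicly — presumably intentional, but worth a comment at the top of the file.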

+ 70 - 0
roles/monitoring/templates/munin/munin-node.conf.j2

@@ -0,0 +1,70 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+#
+# Example config-file for munin-node
+#
+
+log_level 4
+log_file /var/log/munin/munin-node.log
+pid_file /var/run/munin/munin-node.pid
+
+background 1
+setsid 1
+
+user root
+group root
+
+# Regexps for files to ignore
+{% if ansible_lsb.codename != 'lenny' and ansible_lsb.codename != 'squeeze' %}
+ignore_file [\#~]$
+{% endif %}
+ignore_file DEADJOE$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+ignore_file \.pod$
+
+# Set this if the client doesn't report the correct hostname when
+# telnetting to localhost, port 4949
+#
+#host_name localhost.localdomain
+host_name {{ ansible_fqdn }}
+
+# A list of addresses that are allowed to connect.  This must be a
+# regular expression, since Net::Server does not understand CIDR-style
+# network notation unless the perl module Net::CIDR is installed.  You
+# may repeat the allow line as many times as you'd like
+
+allow ^127\.0\.0\.1$
+allow ^::1$
+
+# If you have installed the Net::CIDR perl module, you can use one or more
+# cidr_allow and cidr_deny address/mask patterns.  A connecting client must
+# match any cidr_allow, and not match any cidr_deny.  Note that a netmask
+# *must* be provided, even if it's /32
+#
+# Example:
+#
+# cidr_allow 127.0.0.1/32
+# cidr_allow 192.0.2.0/24
+# cidr_deny  192.0.2.42/32
+{% if munin_masters is defined %}
+{% for master in munin_masters %}
+cidr_allow {{ master }}
+{% endfor %}
+{% endif %}
+
+# Which address to bind to;
+host *
+# host 127.0.0.1
+
+# And which port
+port 4949
+
+{% if munin_node_timeout is defined %}
+# Timeout
+timeout = {{ munin_node_timeout }}
+{% endif %}
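Review bot: The `cidr_allow {{ master }}` loop writes whatever is in `munin_masters` verbatim, but the comment a few lines above says a netmask *must* be provided even for a single host; a bare IP in the inventory would therefore produce an invalid `cidr_allow` line and break munin-node on the next `Restart munin-node`. Append the mask when it is missing, e.g. `cidr_allow {{ master }}{% if '/' not in master %}/32{% endif %}`, or document the required form next to the variable. Since the node binds `host *` and runs as `user root`/`group root`, this allow list is the only thing limiting who can talk to port 4949 — that deserves a comment so nobody loosens it casually. I also cannot confirm from here that the `timeout = {{ munin_node_timeout }}` form (with `=`) is accepted by munin-node's parser, whereas every other directive in this file uses `key value`; `timeout {{ munin_node_timeout }}` would at least be consistent.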

+ 129 - 0
roles/monitoring/templates/munin/munin-node.conf.plugins.j2

@@ -0,0 +1,129 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# This file is used to configure how the plugins are invoked.
+# Place in /etc/munin/plugin-conf.d/ or corresponding directory.
+#
+# PLEASE NOTE: Changes in the plugin-conf.d directory are only
+# read at munin-node startup, so restart at any changes.
+#
+# user <user>         # Set the user to run the plugin as.
+# group <group>       # Set the group to run the plugin as.
+# command <command>   # Run <command> instead of the plugin. %c expands to
+#                       what would normally be run.
+# env.<variable> <value> # Sets <variable> in the plugin's environment, see the
+#                       individual plugins to find out which variables they
+#                       care about.
+
+[amavis]
+group adm
+env.MUNIN_MKTEMP /bin/mktemp -p /tmp/ $1
+env.amavislog /var/log/mail.info
+
+[apt]
+user root
+
+[courier_mta_mailqueue]
+group daemon
+
+[courier_mta_mailstats]
+group adm
+
+[courier_mta_mailvolume]
+group adm
+
+[cps*]
+user root
+
+[df*]
+env.exclude none unknown iso9660 squashfs udf romfs ramfs debugfs
+env.warning 92
+env.critical 98
+
+[exim_mailqueue]
+group adm, (Debian-exim)
+
+[exim_mailstats]
+group adm, (Debian-exim)
+env.logdir /var/log/exim4/
+env.logname mainlog
+
+[fw_conntrack]
+user root
+
+[fw_forwarded_local]
+user root
+
+[hddtemp_smartctl]
+user root
+
+[hddtemp2]
+user root
+
+[if_*]
+user root
+
+[if_err_*]
+user nobody
+
+[ip_*]
+user root
+
+[ipmi_*]
+user root
+
+[mysql*]
+user root
+env.mysqlopts --defaults-file=/etc/mysql/debian.cnf
+env.mysqluser debian-sys-maint
+env.mysqlconnection DBI:mysql:mysql;mysql_read_default_file=/etc/mysql/debian.cnf
+
+[mysql_innodb]
+env.warning 0
+env.critical 0
+
+[postfix_mailqueue]
+user postfix
+
+[postfix_mailstats]
+group adm
+
+[postfix_mailvolume]
+group adm
+env.logfile mail.log
+
+[smart_*]
+user root
+
+[vlan*]
+user root
+
+[ejabberd*]
+user ejabberd
+env.statuses available away chat xa
+env.days 1 7 30
+
+[dhcpd3]
+user root
+env.leasefile /var/lib/dhcp3/dhcpd.leases
+env.configfile /etc/dhcp3/dhcpd.conf
+
+[jmx_*]
+env.ip 127.0.0.1
+env.port 5400
+
+[samba]
+user root
+
+[munin_stats]
+user munin
+group munin
+
+[postgres_*]
+user postgres
+env.PGUSER postgres
+env.PGPORT 5432
+
+[fail2ban]
+user root
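Review bot: The `[mysql*]` section runs the plugins as `user root` and points them at `/etc/mysql/debian.cnf` (`debian-sys-maint`), which on Debian is a fully privileged maintenance account; a bug or compromise in any mysql_* plugin then has full database access, and the plugin can read the credentials file only because it runs as root. A dedicated read-only monitoring user (`env.mysqluser munin` with `env.mysqlopts` pointing at a 0640 file owned by the munin user) would let this section drop `user root` entirely. Several other sections (`[fw_*]`, `[if_*]`, `[ip_*]`, `[smart_*]`, `[ipmi_*]`, `[samba]`, `[fail2ban]`) also escalate to root; a short comment per section on why root is needed would make later review of this file much easier.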

+ 118 - 0
roles/monitoring/templates/munin/munin.conf.j2

@@ -0,0 +1,118 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Example configuration file for Munin, generated by 'make build'
+
+# The next three variables specifies where the location of the RRD
+# databases, the HTML output, logs and the lock/pid files.  They all
+# must be writable by the user running munin-cron.  They are all
+# defaulted to the values you see here.
+#
+# dbdir /var/lib/munin
+# htmldir /var/cache/munin/www
+# logdir /var/log/munin
+# rundir  /var/run/munin
+#
+# Where to look for the HTML templates
+# tmpldir   /etc/munin/templates
+
+# (Exactly one) directory to include all files from.
+#
+includedir /etc/munin/munin-conf.d
+
+# Make graphs show values per minute instead of per second
+#graph_period minute
+
+# Graphics files are normaly generated by munin-graph, no matter if
+# the graphs are used or not.  You can change this to
+# on-demand-graphing by following the instructions in
+# http://munin.projects.linpro.no/wiki/CgiHowto
+#
+#graph_strategy cgi
+
+# munin-cgi-graph is invoked by the web server up to very many times at the
+# same time.  This is not optimal since it results in high CPU and memory
+# consumption to the degree that the system can thrash.  Again the default is
+# 6.  Most likely the optimal number for max_cgi_graph_jobs is the same as
+# max_graph_jobs.
+#
+#munin_cgi_graph_jobs 6
+
+# If the automatic CGI url is wrong for your system override it here:
+#
+#cgiurl_graph /cgi-bin/munin-cgi-graph
+
+# munin-graph runs in parallel, the number of concurrent processes is
+# 6.  If you want munin-graph to not be parallel set to 0.  If set too
+# high it will slow down munin-graph.  Some experiments are needed to
+# determine how many are optimal on your system.  On a multi-core
+# system with good SCSI disks the number can probably be quite high.
+# 
+#max_graph_jobs 6
+
+# Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime 
+# something changes (OK -> WARNING, CRITICAL -> OK, etc)
+#contact.someuser.command mail -s "Munin notification" somejuser@fnord.comm
+#contact.anotheruser.command mail -s "Munin notification" anotheruser@blibb.comm
+#
+# For those with Nagios, the following might come in handy. In addition,
+# the services must be defined in the Nagios server as well.
+#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf
+
+# a simple host tree
+{% if munin_nodes is defined %}
+{% for node in munin_nodes %}
+[{{ node.node }}]
+{% if node.address is defined %}
+    address {{ node.address }}
+{% else %}
+    address {{ node.node }}
+{% endif %}
+    use_node_name yes
+{% if node.port is defined %}
+    port {{ node.port }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+#
+# A more complex example of a host tree
+#
+## First our "normal" host.
+# [fii.foo.com]
+#       address foo
+#
+## Then our other host...
+# [fay.foo.com]
+#       address fay
+#
+## Then we want totals...
+# [foo.com;Totals] #Force it into the "foo.com"-domain...
+#       update no   # Turn off data-fetching for this "host".
+#
+#   # The graph "load1". We want to see the loads of both machines... 
+#   # "fii=fii.foo.com:load.load" means "label=machine:graph.field"
+#       load1.graph_title Loads side by side
+#       load1.graph_order fii=fii.foo.com:load.load fay=fay.foo.com:load.load
+#
+#   # The graph "load2". Now we want them stacked on top of each other.
+#       load2.graph_title Loads on top of each other
+#       load2.dummy_field.stack fii=fii.foo.com:load.load fay=fay.foo.com:load.load
+#       load2.dummy_field.draw AREA # We want area instead the default LINE2.
+#       load2.dummy_field.label dummy # This is needed. Silly, really.
+#
+#   # The graph "load3". Now we want them summarised into one field
+#       load3.graph_title Loads summarised
+#       load3.combined_loads.sum fii.foo.com:load.load fay.foo.com:load.load
+#       load3.combined_loads.label Combined loads # Must be set, as this is
+#                                                 # not a dummy field!
+#
+## ...and on a side note, I want them listen in another order (default is
+## alphabetically)
+#
+# # Since [foo.com] would be interpreted as a host in the domain "com", we
+# # specify that this is a domain by adding a semicolon.
+# [foo.com;]
+#       node_order Totals fii.foo.com fay.foo.com
+#

+ 18 - 0
roles/monitoring/templates/munin/nginx_vhost.j2

@@ -0,0 +1,18 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Nginx vhost for munin master
+
+server {
+    server_name {{ munin_master_vhostname }}
+    listen 80;
+
+    access_log  /var/log/nginx/munin.access.log;
+    error_log   /var/log/nginx/munin.error.log;
+
+    location / {
+        root /var/cache/munin/www/;
+        break;
+    }
+}
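Review bot: `server_name {{ munin_master_vhostname }}` is missing its terminating semicolon, so nginx will reject the generated file and the `Reload nginx for munin` handler will fail (or, worse, leave the old config running silently). It should be `server_name {{ munin_master_vhostname }};`. Beyond that, this vhost publishes the munin master's graphs and host list over plain HTTP on port 80 with no access restriction, which gives anyone on the network a detailed inventory of every monitored host; an `allow`/`deny` list or `auth_basic` on the `location /` block is a cheap fix, and TLS would be better. The `break;` inside `location /` is also unnecessary since there is no rewrite to stop.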

+ 5 - 0
roles/webserver/handlers/apache2.yml

@@ -0,0 +1,5 @@
+- name: Reload apache2
+  action: service name=apache2 state=reloaded
+
+- name: Restart apache2
+  action: service name=apache2 state=restarted

+ 2 - 0
roles/webserver/handlers/main.yml

@@ -0,0 +1,2 @@
+- include: apache2.yml
+- include: nginx.yml

+ 5 - 0
roles/webserver/handlers/nginx.yml

@@ -0,0 +1,5 @@
+- name: Reload nginx
+  action: service name=nginx state=reloaded
+
+- name: Restart nginx
+  action: service name=nginx state=restarted

+ 26 - 0
roles/webserver/tasks/apache2.yml

@@ -0,0 +1,26 @@
+- name: Install apache2 packages
+  action: ${ansible_pkg_mgr} pkg=apache2 state=installed update_cache=yes
+  when_boolean: ${with_apache2}
+
+- name: Install apache2 basic security configuration
+  action: template src=apache2/conf.d/security.j2 dest=/etc/apache2/conf.d/security owner=root group=root mode=0644
+  notify:
+    - Reload apache2
+  when_boolean: ${with_apache2}
+
+- name: Install mod_php5 packages for apache2
+  action: ${ansible_pkg_mgr} pkg=apache2 state=installed update_cache=yes
+  when_boolean: ${with_apache2} and ${with_apache2_modphp5}
+
+- name: Install php5 basic security configuration
+  action: template dest=/etc/php5/apache2/conf.d/security-local.ini owner=root group=root mode=0644
+  first_available_file:
+    - apache2/php5/security-local.${ansible_hostname}.ini.j2
+    - apache2/php5/security-local.ini.j2
+  notify:
+    - Reload apache2
+  when_boolean: ${with_apache2} and ${with_apache2_modphp5}
+
+- name: Ensure apache2 is running
+  action: service name=apache2 state=started
+  when_boolean: ${with_apache2}
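Review bot: The "Install mod_php5 packages for apache2" task installs `pkg=apache2` again instead of the PHP module, so `with_apache2_modphp5` never actually installs mod_php5 and the following task then writes a php.ini drop-in into a directory that may not exist. It should be `action: ${ansible_pkg_mgr} pkg=libapache2-mod-php5 state=installed update_cache=yes`. Note also that `first_available_file` picks the first matching template only, so a host-specific `security-local.<host>.ini.j2` replaces the generic hardening file rather than layering on top of it — worth a comment on the task so per-host overrides are written as complete files.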

+ 2 - 0
roles/webserver/tasks/main.yml

@@ -0,0 +1,2 @@
+- include: apache2.yml
+- include: nginx.yml

+ 13 - 0
roles/webserver/tasks/nginx.yml

@@ -0,0 +1,13 @@
+- name: Install nginx package
+  action: ${ansible_pkg_mgr} pkg=nginx state=installed update_cache=yes
+  when_boolean: ${with_nginx}
+
+- name: Install nginx status configuration
+  action: template src=nginx/status.conf.j2 dest=/etc/nginx/conf.d/status.conf owner=root group=root mode=0644
+  notify:
+    - Reload nginx
+  when_boolean: ${with_nginx}
+
+- name: Ensure nginx is running
+  action: service name=nginx state=started
+  when_boolean: ${with_nginx}

+ 89 - 0
roles/webserver/templates/apache2/conf.d/security.j2

@@ -0,0 +1,89 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages.
+#
+#<Directory />
+#   AllowOverride None
+#   Order Deny,Allow
+#   Deny from all
+#</Directory>
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+#ServerTokens Minimal
+ServerTokens OS
+#ServerTokens Full
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+#
+#ServerSignature Off
+ServerSignature Off
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of:  On | Off | extended
+#
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories. For example, for subversion:
+#
+<DirectoryMatch "/\.(svn|git)">
+    Deny from all
+    Satisfy all
+</DirectoryMatch>
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Content-Type-Options: "nosniff"
+
+#
+# Some browsers have a built-in XSS filter that will detect some cross site
+# scripting attacks. By default, these browsers modify the suspicious part of
+# the page and display the result. This behavior can create various problems
+# including new security issues. This header will tell the XSS filter to
+# completely block access to the page instead.
+# Requires mod_headers to be enabled.
+#
+#Header set X-XSS-Protection: "1; mode=block"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Frame-Options: "sameorigin"
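Review bot: `ServerTokens OS` still advertises the operating system in the `Server:` header; for a file named "security" the tighter `ServerTokens Prod` is the usual choice, and nothing else in this file depends on the fuller value. The three `Header set` lines at the end are all commented out, presumably because mod_headers may not be enabled on every host; wrapping them in `<IfModule mod_headers.c>` lets them be enabled unconditionally and take effect wherever the module is present. The `Deny from all` / `Satisfy all` form in the `DirectoryMatch` block is Apache 2.2 syntax — fine if these hosts all run 2.2, but it should carry a comment since 2.4 needs `Require all denied` (or mod_access_compat).
```apache
# … unchanged: ServerTokens / ServerSignature / TraceEnable / DirectoryMatch …
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "sameorigin"
</IfModule>
```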

+ 12 - 0
roles/webserver/templates/apache2/php5/security-local.ini.j2

@@ -0,0 +1,12 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog(';') }}
+{% endif -%}
+short_open_tag  =   Off
+open_basedir    =   /var/www:/tmp
+upload_tmp_dir  =   /tmp
+display_errors  =   Off
+log_errors      =   On
+error_log       =   syslog
+enable_dl       =   Off
+expose_php      =   Off
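Review bot: This drop-in pins a reasonable set of options but silently relies on the PHP defaults for `allow_url_include`, `allow_url_fopen` and `session.cookie_httponly`; a hardening file should state them explicitly (`allow_url_include = Off` at least) so a distribution or upstream default change cannot weaken the host unnoticed. `upload_tmp_dir = /tmp` together with `/tmp` in `open_basedir` means uploads land in the shared world-writable directory, where any local user can race or read them; a dedicated directory owned by the web server user (and added to `open_basedir`) is the usual fix. A one-line comment at the top explaining that this file is installed only when no host-specific `security-local.<host>.ini.j2` exists would help, since the Ansible task replaces rather than merges it.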

+ 9 - 0
roles/webserver/templates/apache2/php5/security-local.rmll1.ini.j2

@@ -0,0 +1,9 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog(';') }}
+{% endif -%}
+display_errors  =   Off
+log_errors      =   On
+error_log       =   syslog
+enable_dl       =   Off
+expose_php      =   Off
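Review bot: Because the Ansible task selects this file with `first_available_file`, it replaces the generic `security-local.ini.j2` entirely, so rmll1 ends up with no `open_basedir` and no `short_open_tag = Off` rather than merely relaxed ones — a reader of this file alone cannot tell whether that was deliberate. Add a comment stating the reason, e.g. `; NOTE: open_basedir and short_open_tag are intentionally unset on rmll1 because <reason>; this file replaces security-local.ini.j2, it does not extend it`. If only one of the two really needs relaxing, keep the other line here so the host loses as little hardening as possible.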

+ 9 - 0
roles/webserver/templates/nginx/status.conf.j2

@@ -0,0 +1,9 @@
+server {
+    server_name localhost;
+    location /nginx_status {
+        stub_status on;
+        access_log off;
+        allow 127.0.0.1;
+        deny all;
+    }
+}
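Review bot: This server block has no `listen` directive, so nginx attaches it to the default `*:80`; on Debian, where conf.d is included before sites-enabled, it is presumably the first server block parsed and therefore becomes the default server for any request whose Host does not match another vhost — those requests then get a 404 from this block rather than the site the operator expects. Using `listen 127.0.0.1:80;` keeps the status endpoint off external interfaces altogether and turns `allow 127.0.0.1; deny all;` into belt-and-braces instead of the only guard. A short comment noting that this endpoint exists for the munin nginx plugins would explain why it is in conf.d rather than sites-available.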

+ 3 - 0
site.yml

@@ -0,0 +1,3 @@
+- include: common.yml
+- include: webserver.yml
+- include: monitoring.yml

+ 8 - 0
templates/ansible/prolog.j2

@@ -0,0 +1,8 @@
+{% macro prolog(C='#') -%}
+{{ C }}
+{{ C }} THIS FILE IS UNDER ANSIBLE CONTROL. DON'T EDIT IT HERE.
+{{ C }}
+{{ C }} Generated By: {{ ansible_master_user }}@{{ ansible_master_hostname }}[{{ ansible_master_ip}}]
+{{ C }} Last Update: {{ template_mtime }}
+{{ C }}
+{%- endmacro %}
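Review bot: The prolog writes `ansible_master_user`, `ansible_master_hostname` and `ansible_master_ip` into every generated file, including ones installed with mode 0644 (apache and php configs, munin-node.conf), so any local user on a managed host learns the name, hostname and IP of the control machine and the account used to deploy. That is low severity but it is exactly the kind of pivot information an attacker wants after a foothold; consider dropping the IP and user, keeping only the hostname and mtime. These three variables are not standard Ansible facts — presumably they are defined in group_vars/all, which I cannot see here — so a comment in the macro naming where they come from would help the next maintainer; `{{ ansible_master_ip}}` is also missing a space before `}}`, harmless but inconsistent.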

+ 4 - 0
webserver.yml

@@ -0,0 +1,4 @@
+- hosts: webserver
+  roles:
+    - webserver
+