From f73a1d013f3dc420c206d8ba3acb200de8c6df4f Mon Sep 17 00:00:00 2001 
From: Valentin Vidic
Date: Thu, 17 Oct 2013 16:06:36 +0200
Subject: [PATCH] Update config files.
---
files/etc/amavis/conf.d/15-av_scanners.expect | 342 ------------------------
files/etc/amavis/conf.d/15-av_scanners.restore | 342 ------------------------
files/etc/console-tools/config.expect | 78 ------
files/etc/console-tools/config.restore | 72 -----
files/etc/cron.d/amavisd-new.expect | 5 +
files/etc/cron.d/amavisd-new.restore | 5 +
files/etc/cron.daily/amavisd-new.expect | 6 -
files/etc/cron.daily/amavisd-new.restore | 6 -
files/etc/default/saslauthd.expect | 57 ++++
files/etc/default/saslauthd.restore | 55 ++++
files/etc/default/slapd.expect | 46 ----
files/etc/default/slapd.restore | 45 ----
files/etc/init.d/amavisd-cn.expect | 139 ----------
files/etc/init.d/amavisd-cn.restore | 167 ------------
files/etc/issue.expect | 2 +-
files/etc/issue.expect.new | 2 +-
files/etc/issue.net.expect | 2 +-
files/etc/issue.net.expect.new | 2 +-
files/etc/issue.net.restore | 2 +-
files/etc/issue.restore | 2 +-
files/etc/monit/monitrc.restore | 91 ++++---
files/etc/monit/monitrc.template | 4 +-
files/etc/security/limits.conf.expect | 57 ----
files/etc/security/limits.conf.restore | 52 ----
files/etc/spamassassin/v310.pre.expect | 80 ------
files/etc/spamassassin/v310.pre.restore | 80 ------
files/etc/squirrelmail/apache.conf.expect | 66 -----
files/etc/squirrelmail/apache.conf.restore | 44 ---
files/etc/sysctl.conf.expect | 37 ---
files/etc/sysctl.conf.restore | 67 -----
files/etc/vsftpd.conf.expect | 15 +-
files/etc/vsftpd.conf.restore | 15 +-
files/var/ossec/rules/local_rules.xml.expect | 95 +++++++
files/var/ossec/rules/local_rules.xml.restore | 56 ++++
src/functions.sh | 62 +----
35 files changed, 373 insertions(+), 1825 deletions(-)
delete mode 100644 files/etc/amavis/conf.d/15-av_scanners.expect
delete mode 100644 files/etc/amavis/conf.d/15-av_scanners.restore
delete mode 100644 files/etc/console-tools/config.expect
delete mode 100644 files/etc/console-tools/config.restore
create mode 100644 files/etc/cron.d/amavisd-new.expect
create mode 100644 files/etc/cron.d/amavisd-new.restore
delete mode 100755 files/etc/cron.daily/amavisd-new.expect
delete mode 100755 files/etc/cron.daily/amavisd-new.restore
create mode 100644 files/etc/default/saslauthd.expect
create mode 100644 files/etc/default/saslauthd.restore
delete mode 100644 files/etc/default/slapd.expect
delete mode 100644 files/etc/default/slapd.restore
delete mode 100755 files/etc/init.d/amavisd-cn.expect
delete mode 100755 files/etc/init.d/amavisd-cn.restore
delete mode 100644 files/etc/security/limits.conf.expect
delete mode 100644 files/etc/security/limits.conf.restore
delete mode 100644 files/etc/spamassassin/v310.pre.expect
delete mode 100644 files/etc/spamassassin/v310.pre.restore
delete mode 100644 files/etc/squirrelmail/apache.conf.expect
delete mode 100644 files/etc/squirrelmail/apache.conf.restore
delete mode 100644 files/etc/sysctl.conf.expect
delete mode 100644 files/etc/sysctl.conf.restore
create mode 100644 files/var/ossec/rules/local_rules.xml.expect
create mode 100644 files/var/ossec/rules/local_rules.xml.restore
diff --git a/files/etc/amavis/conf.d/15-av_scanners.expect b/files/etc/amavis/conf.d/15-av_scanners.expect
deleted file mode 100644
index e2751eb..0000000
--- a/files/etc/amavis/conf.d/15-av_scanners.expect
+++ /dev/null
@@ -1,342 +0,0 @@ -use strict; - -## -## AV Scanners (Debian version) -## - -@av_scanners = ( - -# ### http://www.vanja.com/tools/sophie/ -# ['Sophie', -# \&ask_daemon, ["{}/\n", '/var/run/sophie'], -# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, -# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ], - -# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ -# ['Sophos SAVI', \&sophos_savi ], - - ### http://www.clamav.net/ - ['ClamAV-clamd', - \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"], - qr/\bOK$/, qr/\bFOUND$/, - qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], - # NOTE: remember to add the clamav user to the amavis group, and - # to properly set clamd to init supplementary groups - # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"], - -# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) -# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/], - -# ### http://www.openantivirus.org/ -# ['OpenAntiVirus ScannerDaemon (OAV)', -# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], -# qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ], - -# ### http://www.vanja.com/tools/trophie/ -# ['Trophie', -# \&ask_daemon, ["{}/\n", '/var/run/trophie'], -# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, -# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ], - -# ### http://www.grisoft.com/ -# ['AVG Anti-Virus', -# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], -# qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ], - -# ### http://www.f-prot.com/ -# ['FRISK F-Prot Daemon', -# \&ask_daemon, -# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", -# ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202', -# '127.0.0.1:10203','127.0.0.1:10204'] ], -# qr/(?i)]*>clean<\/summary>/, -# qr/(?i)]*>infected<\/summary>/, -# qr/(?i)(.+)<\/name>/ ], - -# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ -# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later -# [pack('N',1). 
# DRWEBD_SCAN_CMD -# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES -# pack('N', # path length -# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). -# '{}/*'. # path -# pack('N',0). # content size -# pack('N',0), -# '/var/drweb/run/drwebd.sock', -# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot -# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default -# # '127.0.0.1:3000', # or over an inet socket -# ], -# qr/\A\x00[\x10\x11][\x00\x10]\x00/s, # IS_CLEAN,EVAL_KEY; SKIPPED -# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF -# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s, -# ], -# # NOTE: If using amavis-milter, change length to: -# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). - - ### http://www.kaspersky.com/ (kav4mailservers) - ['KasperskyLab AVP - aveclient', - ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', - '/opt/kav/bin/aveclient','aveclient'], - '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/, - qr/(?:INFECTED|SUSPICION) (.+)/, - ], - - ### http://www.kaspersky.com/ - ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], - '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? 
- qr/infected: (.+)/, - sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, - sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, - ], - - ### The kavdaemon and AVPDaemonClient have been removed from Kasperky - ### products and replaced by aveserver and aveclient - ['KasperskyLab AVPDaemonClient', - [ '/opt/AVP/kavdaemon', 'kavdaemon', - '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', - '/opt/AVP/AvpTeamDream', 'AvpTeamDream', - '/opt/AVP/avpdc', 'avpdc' ], - "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ], - # change the startup-script in /etc/init.d/kavd to: - # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" - # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) - # adjusting /var/amavis above to match your $TEMPBASE. - # The '-f=/var/amavis' is needed if not running it as root, so it - # can find, read, and write its pid file, etc., see 'man kavdaemon'. - # defUnix.prf: there must be an entry "*/var/amavis" (or whatever - # directory $TEMPBASE specifies) in the 'Names=' section. - # cd /opt/AVP/DaemonClients; configure; cd Sample; make - # cp AvpDaemonClient /opt/AVP/ - # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" - - ### http://www.hbedv.com/ or http://www.centralcommand.com/ - ['H+BEDV AntiVir or CentralCommand Vexira Antivirus', - ['antivir','vexira'], - '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/, - qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | - (?i) VIRUS:\ .*?\ virus\ '?) 
( [^\]\s']+ )/ ], - # NOTE: if you only have a demo version, remove -z and add 214, as in: - # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, - # According to the documentations, the new version of Vexira has - # reasonable defaults, one may consider: "--timeout=60 --temp=$TEMPBASE {}" - - ### http://www.commandsoftware.com/ - ['Command AntiVirus for Linux', 'csav', - '-all -archive -packed {}', [50], [51,52,53], - qr/Infection: (.+)/ ], - - ### http://www.symantec.com/ - ['Symantec CarrierScan via Symantec CommandLineScanner', - 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', - qr/^Files Infected:\s+0$/, qr/^Infected\b/, - qr/^(?:Info|Virus Name):\s+(.+)/ ], - - ### http://www.symantec.com/ - ['Symantec AntiVirus Scan Engine', - 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', - [0], qr/^Infected\b/, - qr/^(?:Info|Virus Name):\s+(.+)/ ], - # NOTE: check options and patterns to see which entry better applies - - ### http://www.f-secure.com/products/anti-virus/ - ['F-Secure Antivirus', 'fsav', - '--dumb --mime --archive {}', [0], [3,8], - qr/(?:infection|Infected|Suspected): (.+)/ ], - -# ### http://www.avast.com/ -# ['avast! Antivirus daemon', -# \&ask_daemon, # greets with 220, terminate with QUIT -# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], -# qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ], - -# ### http://www.avast.com/ -# ['avast! 
Antivirus - Client/Server Version', 'avastlite', -# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], -# qr/\t\[L\]\t([^[ \t\015\012]+)/ ], - - ['CAI InoculateIT', 'inocucmd', # retired product - '-sec -nex {}', [0], [100], - qr/was infected by virus (.+)/ ], - # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html - - ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) - ['CAI eTrust Antivirus', 'etrust-wrapper', - '-arc -nex -spm h {}', [0], [101], - qr/is infected by virus: (.+)/ ], - # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer - # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 - - ### http://mks.com.pl/english.html - ['MkS_Vir for Linux (beta)', ['mks32','mks'], - '-s {}/*', [0], [1,2], - qr/--[ \t]*(.+)/ ], - - ### http://mks.com.pl/english.html - ['MkS_Vir daemon', 'mksscan', - '-s -q {}', [0], [1..7], - qr/^... (\S+)/ ], - - ### http://www.nod32.com/ - ['ESET Software NOD32 Command Line Interface v 2.51', 'nod32cli', - '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ], - -# ### http://www.nod32.com/ old -# ['ESET Software NOD32 - Client/Server Version', 'nod32cli', -# '-a -r -d recurse --heur standard {}', [0], [10,11], -# qr/^\S+\s+infected:\s+(.+)/ ], - -# ### http://www.nod32.com/ old -# ['ESET Software NOD32', 'nod32', -# '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ], - -# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 -# ['ESET Software NOD32 Client/Server (NOD32SS)', -# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT -# ["SCAN {}/*\r\n", '127.0.0.1:8448' ], -# qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ], - - ### http://www.norman.com/products_nvc.shtml - ['Norman Virus Control v5 / Linux', 'nvcc', - '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], - qr/(?i).* virus in .* -> \'(.+)\'/ ], - - ### http://www.pandasoftware.com/ - ['Panda Antivirus for Linux', ['pavcl'], - '-aut -aex -heu -cmp -nbr -nor 
-nso -eng {}', - qr/Number of files infected[ .]*: 0+(?!\d)/, - qr/Number of files infected[ .]*: 0*[1-9]/, - qr/Found virus :\s*(\S+)/ ], - -# ### http://www.pandasoftware.com/ -# ['Panda Antivirus for Linux', ['pavcl'], -# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', -# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], -# qr/Found virus :\s*(\S+)/ ], - -# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. -# Check your RAV license terms before fiddling with the following two lines! -# ['GeCAD RAV AntiVirus 8', 'ravav', -# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ], -# # NOTE: the command line switches changed with scan engine 8.5 ! -# # (btw, assigning stdin to /dev/null causes RAV to fail) - - ### http://www.nai.com/ - ['NAI McAfee AntiVirus (uvscan)', 'uvscan', - '--secure -rv --mime --summary --noboot - {}', [0], [13], - qr/(?x) Found (?: - \ the\ (.+)\ (?:virus|trojan) | - \ (?:virus|trojan)\ or\ variant\ (.+?)\s*! | - :\ (.+)\ NOT\ a\ virus)/, - # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, - # sub {delete $ENV{LD_PRELOAD}}, - ], - # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before - # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 - # and then clear it when finished to avoid confusing anything else. - # NOTE2: to treat encrypted files as viruses replace the [13] with: - # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ - - ### http://www.virusbuster.hu/en/ - ['VirusBuster', ['vbuster', 'vbengcl'], - # VirusBuster Ltd. does not support the daemon version for the workstation - # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of - # binaries, some parameters AND return codes have changed (from 3 to 1). 
- "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], - qr/: '(.*)' - Virus/ ], - -# ### http://www.virusbuster.hu/en/ -# ['VirusBuster (Client + Daemon)', 'vbengd', -# # HINT: for an infected file it always returns 3, -# # although the man-page tells a different story -# '-f -log scandir {}', [0], [3], -# qr/Virus found = (.*);/ ], - - ### http://www.cyber.com/ - ['CyberSoft VFind', 'vfind', - '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/, - # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, - ], - - ### http://www.avast.com/ - ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], - '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ], - - ### http://www.ikarus-software.com/ - ['Ikarus AntiVirus for Linux', 'ikarus', - '{}', [0], [40], qr/Signature (.+) found/ ], - - ### http://www.bitdefender.com/ - ['BitDefender', 'bdc', - '--arc --mail {}', qr/^Infected files *:0+(?!\d)/, - qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, - qr/(?:suspected|infected): (.*)(?:\033|$)/ ], - # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may - # not apply to your version of bdc, check documentation and see 'bdc --help' - -# ['File::Scan', sub {Amavis::AV::ask_av(sub{ -# use File::Scan; my($fn)=@_; -# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); -# my($vname) = $f->scan($fn); -# $f->error ? (2,"Error: ".$f->error) -# : ($vname ne '') ? 
(1,"$vname FOUND") : (0,"Clean")}, @_) }, -# ["{}/*"], [0], [1], qr/^(.*) FOUND$/ ], - - ### example: fully-fledged checker for JPEG marker segments of invalid length - ['check-jpeg', - sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, - ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ], - # NOTE: place file JpegTester.pm somewhere where Perl can find it, - # for example in /usr/local/lib/perl5/site_perl - -); - - -@av_scanners_backup = ( - - ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV - ['ClamAV-clamscan', 'clamscan', - "--stdout --no-summary -r --tempdir=$TEMPBASE {}", - [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], - - ### http://www.f-prot.com/ - backs up F-Prot Daemon - ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], - '-dumb -archive -packed {}', [0,8], [3,6], - qr/Infection: (.+)/ ], - - ### http://www.trendmicro.com/ - backs up Trophie - ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], - '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], - - ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD - ['drweb - DrWeb Antivirus', - ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], - '-path={} -al -go -ot -cn -upn -ok-', - [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], - - ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'], - '-i1 -xp {}', [0,10,15], [5,20,21,25], - qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ , - sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, - sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, - ], - -# Commented out because the name 'sweep' clashes with Debian and FreeBSD -# package/port of an audio editor. Make sure the correct 'sweep' is found -# in the path when enabling. -# -# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl -# ['Sophos Anti Virus (sweep)', 'sweep', -# '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}', -# [0,2], qr/Virus .*? 
found/, -# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/, -# ], -# # other options to consider: -mime -oe -idedir=/usr/local/sav - -# always succeeds (uncomment to consider mail clean if all other scanners fail) -# ['always-clean', sub {0}], - -); - - -1; # ensure a defined return diff --git a/files/etc/amavis/conf.d/15-av_scanners.restore b/files/etc/amavis/conf.d/15-av_scanners.restore deleted file mode 100644 index c5df2f4..0000000 --- a/files/etc/amavis/conf.d/15-av_scanners.restore +++ /dev/null 
@@ -1,342 +0,0 @@ -use strict; - -## -## AV Scanners (Debian version) -## - -@av_scanners = ( - -# ### http://www.vanja.com/tools/sophie/ -# ['Sophie', -# \&ask_daemon, ["{}/\n", '/var/run/sophie'], -# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, -# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ], - -# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ -# ['Sophos SAVI', \&sophos_savi ], - - ### http://www.clamav.net/ - ['ClamAV-clamd', - \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"], - qr/\bOK$/, qr/\bFOUND$/, - qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], - # NOTE: remember to add the clamav user to the amavis group, and - # to properly set clamd to init supplementary groups - # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"], - -# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) -# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/], - -# ### http://www.openantivirus.org/ -# ['OpenAntiVirus ScannerDaemon (OAV)', -# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], -# qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ], - -# ### http://www.vanja.com/tools/trophie/ -# ['Trophie', -# \&ask_daemon, ["{}/\n", '/var/run/trophie'], -# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, -# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ], - -# ### http://www.grisoft.com/ -# ['AVG Anti-Virus', -# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], -# qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ], - -# ### http://www.f-prot.com/ -# ['FRISK F-Prot Daemon', -# \&ask_daemon, -# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", -# ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202', -# '127.0.0.1:10203','127.0.0.1:10204'] ], -# qr/(?i)]*>clean<\/summary>/, -# qr/(?i)]*>infected<\/summary>/, -# qr/(?i)(.+)<\/name>/ ], - -# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ -# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later -# [pack('N',1). 
# DRWEBD_SCAN_CMD -# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES -# pack('N', # path length -# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). -# '{}/*'. # path -# pack('N',0). # content size -# pack('N',0), -# '/var/drweb/run/drwebd.sock', -# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot -# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default -# # '127.0.0.1:3000', # or over an inet socket -# ], -# qr/\A\x00[\x10\x11][\x00\x10]\x00/s, # IS_CLEAN,EVAL_KEY; SKIPPED -# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF -# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s, -# ], -# # NOTE: If using amavis-milter, change length to: -# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). - - ### http://www.kaspersky.com/ (kav4mailservers) - ['KasperskyLab AVP - aveclient', - ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', - '/opt/kav/bin/aveclient','aveclient'], - '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/, - qr/(?:INFECTED|SUSPICION) (.+)/, - ], - - ### http://www.kaspersky.com/ - ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], - '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? 
- qr/infected: (.+)/, - sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, - sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, - ], - - ### The kavdaemon and AVPDaemonClient have been removed from Kasperky - ### products and replaced by aveserver and aveclient - ['KasperskyLab AVPDaemonClient', - [ '/opt/AVP/kavdaemon', 'kavdaemon', - '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', - '/opt/AVP/AvpTeamDream', 'AvpTeamDream', - '/opt/AVP/avpdc', 'avpdc' ], - "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ], - # change the startup-script in /etc/init.d/kavd to: - # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" - # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) - # adjusting /var/amavis above to match your $TEMPBASE. - # The '-f=/var/amavis' is needed if not running it as root, so it - # can find, read, and write its pid file, etc., see 'man kavdaemon'. - # defUnix.prf: there must be an entry "*/var/amavis" (or whatever - # directory $TEMPBASE specifies) in the 'Names=' section. - # cd /opt/AVP/DaemonClients; configure; cd Sample; make - # cp AvpDaemonClient /opt/AVP/ - # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" - - ### http://www.hbedv.com/ or http://www.centralcommand.com/ - ['H+BEDV AntiVir or CentralCommand Vexira Antivirus', - ['antivir','vexira'], - '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/, - qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | - (?i) VIRUS:\ .*?\ virus\ '?) 
( [^\]\s']+ )/ ], - # NOTE: if you only have a demo version, remove -z and add 214, as in: - # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, - # According to the documentations, the new version of Vexira has - # reasonable defaults, one may consider: "--timeout=60 --temp=$TEMPBASE {}" - - ### http://www.commandsoftware.com/ - ['Command AntiVirus for Linux', 'csav', - '-all -archive -packed {}', [50], [51,52,53], - qr/Infection: (.+)/ ], - - ### http://www.symantec.com/ - ['Symantec CarrierScan via Symantec CommandLineScanner', - 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', - qr/^Files Infected:\s+0$/, qr/^Infected\b/, - qr/^(?:Info|Virus Name):\s+(.+)/ ], - - ### http://www.symantec.com/ - ['Symantec AntiVirus Scan Engine', - 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', - [0], qr/^Infected\b/, - qr/^(?:Info|Virus Name):\s+(.+)/ ], - # NOTE: check options and patterns to see which entry better applies - - ### http://www.f-secure.com/products/anti-virus/ - ['F-Secure Antivirus', 'fsav', - '--dumb --mime --archive {}', [0], [3,8], - qr/(?:infection|Infected|Suspected): (.+)/ ], - -# ### http://www.avast.com/ -# ['avast! Antivirus daemon', -# \&ask_daemon, # greets with 220, terminate with QUIT -# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], -# qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ], - -# ### http://www.avast.com/ -# ['avast! 
Antivirus - Client/Server Version', 'avastlite', -# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], -# qr/\t\[L\]\t([^[ \t\015\012]+)/ ], - - ['CAI InoculateIT', 'inocucmd', # retired product - '-sec -nex {}', [0], [100], - qr/was infected by virus (.+)/ ], - # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html - - ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) - ['CAI eTrust Antivirus', 'etrust-wrapper', - '-arc -nex -spm h {}', [0], [101], - qr/is infected by virus: (.+)/ ], - # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer - # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 - - ### http://mks.com.pl/english.html - ['MkS_Vir for Linux (beta)', ['mks32','mks'], - '-s {}/*', [0], [1,2], - qr/--[ \t]*(.+)/ ], - - ### http://mks.com.pl/english.html - ['MkS_Vir daemon', 'mksscan', - '-s -q {}', [0], [1..7], - qr/^... (\S+)/ ], - - ### http://www.nod32.com/ - ['ESET Software NOD32 Command Line Interface v 2.51', 'nod32cli', - '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ], - -# ### http://www.nod32.com/ old -# ['ESET Software NOD32 - Client/Server Version', 'nod32cli', -# '-a -r -d recurse --heur standard {}', [0], [10,11], -# qr/^\S+\s+infected:\s+(.+)/ ], - -# ### http://www.nod32.com/ old -# ['ESET Software NOD32', 'nod32', -# '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ], - -# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 -# ['ESET Software NOD32 Client/Server (NOD32SS)', -# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT -# ["SCAN {}/*\r\n", '127.0.0.1:8448' ], -# qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ], - - ### http://www.norman.com/products_nvc.shtml - ['Norman Virus Control v5 / Linux', 'nvcc', - '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], - qr/(?i).* virus in .* -> \'(.+)\'/ ], - - ### http://www.pandasoftware.com/ - ['Panda Antivirus for Linux', ['pavcl'], - '-aut -aex -heu -cmp -nbr -nor 
-nso -eng {}', - qr/Number of files infected[ .]*: 0+(?!\d)/, - qr/Number of files infected[ .]*: 0*[1-9]/, - qr/Found virus :\s*(\S+)/ ], - -# ### http://www.pandasoftware.com/ -# ['Panda Antivirus for Linux', ['pavcl'], -# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', -# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], -# qr/Found virus :\s*(\S+)/ ], - -# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. -# Check your RAV license terms before fiddling with the following two lines! -# ['GeCAD RAV AntiVirus 8', 'ravav', -# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ], -# # NOTE: the command line switches changed with scan engine 8.5 ! -# # (btw, assigning stdin to /dev/null causes RAV to fail) - - ### http://www.nai.com/ - ['NAI McAfee AntiVirus (uvscan)', 'uvscan', - '--secure -rv --mime --summary --noboot - {}', [0], [13], - qr/(?x) Found (?: - \ the\ (.+)\ (?:virus|trojan) | - \ (?:virus|trojan)\ or\ variant\ (.+?)\s*! | - :\ (.+)\ NOT\ a\ virus)/, - # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, - # sub {delete $ENV{LD_PRELOAD}}, - ], - # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before - # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 - # and then clear it when finished to avoid confusing anything else. - # NOTE2: to treat encrypted files as viruses replace the [13] with: - # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ - - ### http://www.virusbuster.hu/en/ - ['VirusBuster', ['vbuster', 'vbengcl'], - # VirusBuster Ltd. does not support the daemon version for the workstation - # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of - # binaries, some parameters AND return codes have changed (from 3 to 1). 
- "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], - qr/: '(.*)' - Virus/ ], - -# ### http://www.virusbuster.hu/en/ -# ['VirusBuster (Client + Daemon)', 'vbengd', -# # HINT: for an infected file it always returns 3, -# # although the man-page tells a different story -# '-f -log scandir {}', [0], [3], -# qr/Virus found = (.*);/ ], - - ### http://www.cyber.com/ - ['CyberSoft VFind', 'vfind', - '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/, - # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, - ], - - ### http://www.avast.com/ - ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], - '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ], - - ### http://www.ikarus-software.com/ - ['Ikarus AntiVirus for Linux', 'ikarus', - '{}', [0], [40], qr/Signature (.+) found/ ], - - ### http://www.bitdefender.com/ - ['BitDefender', 'bdc', - '--arc --mail {}', qr/^Infected files *:0+(?!\d)/, - qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, - qr/(?:suspected|infected): (.*)(?:\033|$)/ ], - # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may - # not apply to your version of bdc, check documentation and see 'bdc --help' - -# ['File::Scan', sub {Amavis::AV::ask_av(sub{ -# use File::Scan; my($fn)=@_; -# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); -# my($vname) = $f->scan($fn); -# $f->error ? (2,"Error: ".$f->error) -# : ($vname ne '') ? 
(1,"$vname FOUND") : (0,"Clean")}, @_) }, -# ["{}/*"], [0], [1], qr/^(.*) FOUND$/ ], - - ### example: fully-fledged checker for JPEG marker segments of invalid length - ['check-jpeg', - sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, - ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ], - # NOTE: place file JpegTester.pm somewhere where Perl can find it, - # for example in /usr/local/lib/perl5/site_perl - -); - - -@av_scanners_backup = ( - - ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV - ['ClamAV-clamscan', 'clamscan', - "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", - [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], - - ### http://www.f-prot.com/ - backs up F-Prot Daemon - ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], - '-dumb -archive -packed {}', [0,8], [3,6], - qr/Infection: (.+)/ ], - - ### http://www.trendmicro.com/ - backs up Trophie - ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], - '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], - - ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD - ['drweb - DrWeb Antivirus', - ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], - '-path={} -al -go -ot -cn -upn -ok-', - [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], - - ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'], - '-i1 -xp {}', [0,10,15], [5,20,21,25], - qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ , - sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, - sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, - ], - -# Commented out because the name 'sweep' clashes with Debian and FreeBSD -# package/port of an audio editor. Make sure the correct 'sweep' is found -# in the path when enabling. 
-# -# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl -# ['Sophos Anti Virus (sweep)', 'sweep', -# '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}', -# [0,2], qr/Virus .*? found/, -# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/, -# ], -# # other options to consider: -mime -oe -idedir=/usr/local/sav - -# always succeeds (uncomment to consider mail clean if all other scanners fail) -# ['always-clean', sub {0}], - -); - - -1; # ensure a defined return diff --git a/files/etc/console-tools/config.expect b/files/etc/console-tools/config.expect deleted file mode 100644 index e5384f1..0000000 --- a/files/etc/console-tools/config.expect +++ /dev/null 
@@ -1,78 +0,0 @@ -# -# This files tells the console-tools package: -# -# - whether to load a specific font and boot (and maybe a screen-font map, -# but you should avoid that if possible). -# - whether to setup an Application-Charset Map other than the default CP437. -# - whether to start "vcstime" to have time on all text VC'S. -# -# You can also specify per-VC settings by suffixing variable names as in -# the examples below. This only works on framebuffer devices. -# -# CAVEATS: -# -# - When using the new framebuffer devices, the "global setting" for a font -# only affects the current console (ie., at boot-time, the first one) -# - ACM setting involves 2 steps (maybe loading a user ACM, and activating -# it on a given charset slot - see charset(1) for details), the 1st of which -# affects the entire system, but the 2nd of which only affects the current -# VC (ie., at boot-time, the first one). So that if you want to use the same -# ACM on all VCs, you have to specify "APP_CHARSET_MAP_vc=user" for all -# relevant values of . -# -# Example: -# -#SCREEN_FONT=iso01.f16 -#SCREEN_FONT_vc2=LatArCyrHeb-16 -# -#APP_CHARSET_MAP=iso05 -#APP_CHARSET_MAP_vc2=user -# -# Set the following - more euro-friendly default than kernel font. -# SCREEN_FONT=latcyrheb-sun16.psf - -#DO_VCSTIME=yes -# -# Forget this one unless you _know_ it is necessary for your font: -#SCREEN_FONT_MAP=iso01 - -# **** screen saver/DPMS settings: all VCs **** -# These settings are commented by default to avoid the chance of damage to -# very old monitors that don't support DPMS signalling. - -# screen blanking timeout. monitor remains on, but the screen is cleared to -# range: 0-60 min (0==never) kernels I've looked at default to 10 minutes. -# (see linux/drivers/char/console.c) -BLANK_TIME=30 - -# blanking method (VESA DPMS mode to use after BLANK_TIME, before powerdown): -# on: the default, no DPMS signalling. near instant powerup, no power saving -# vsync: DPMS Standby mode. 
nearly instant recovery, uses 110/120W (17" screen) -# hsync: DPMS Suspend mode. typically 3s recovery, uses 15/120W (17" screen) -# powerdown,off: DPMS Off mode, typ. 10s recovery, uses 5/120W (17" screen) - -# Those values are for my 17" Mag, but some monitors do suspend the same as -# standby. xset dpms force {off|standby|suspend|on} is useful for this, if X -# supports DPMS on your video card. Set X's DPMS screensaver with xset dpms -# or use option power_saver in XF86Config -# -# DPMS set by default to on, because hsync can cause problems on certain -# hardware, such as Armada E500 laptops -BLANK_DPMS=off - -# Powerdown time. The console will go to DPMS Off mode POWERDOWN_TIME -# minutes _after_ blanking. (POWERDOWN_TIME + BLANK_TIME after the last input) -POWERDOWN_TIME=30 - -# rate and delay can get only specific values, consult kbdrate(1) for help -#KEYBOARD_RATE="30" -#KEYBOARD_DELAY="250" - -# Turn on numlock by default -#LEDS=+num -SCREEN_FONT=lat0-sun16 -SCREEN_FONT_vc2=lat0-sun16 -SCREEN_FONT_vc3=lat0-sun16 -SCREEN_FONT_vc4=lat0-sun16 -SCREEN_FONT_vc5=lat0-sun16 -SCREEN_FONT_vc6=lat0-sun16 diff --git a/files/etc/console-tools/config.restore b/files/etc/console-tools/config.restore deleted file mode 100644 index cc27661..0000000 --- a/files/etc/console-tools/config.restore +++ /dev/null 
@@ -1,72 +0,0 @@ -# -# This files tells the console-tools package: -# -# - whether to load a specific font and boot (and maybe a screen-font map, -# but you should avoid that if possible). -# - whether to setup an Application-Charset Map other than the default CP437. -# - whether to start "vcstime" to have time on all text VC'S. -# -# You can also specify per-VC settings by suffixing variable names as in -# the examples below. This only works on framebuffer devices. -# -# CAVEATS: -# -# - When using the new framebuffer devices, the "global setting" for a font -# only affects the current console (ie., at boot-time, the first one) -# - ACM setting involves 2 steps (maybe loading a user ACM, and activating -# it on a given charset slot - see charset(1) for details), the 1st of which -# affects the entire system, but the 2nd of which only affects the current -# VC (ie., at boot-time, the first one). So that if you want to use the same -# ACM on all VCs, you have to specify "APP_CHARSET_MAP_vc=user" for all -# relevant values of . -# -# Example: -# -#SCREEN_FONT=iso01.f16 -#SCREEN_FONT_vc2=LatArCyrHeb-16 -# -#APP_CHARSET_MAP=iso05 -#APP_CHARSET_MAP_vc2=user -# -# Set the following - more euro-friendly default than kernel font. -# SCREEN_FONT=latcyrheb-sun16.psf - -#DO_VCSTIME=yes -# -# Forget this one unless you _know_ it is necessary for your font: -#SCREEN_FONT_MAP=iso01 - -# **** screen saver/DPMS settings: all VCs **** -# These settings are commented by default to avoid the chance of damage to -# very old monitors that don't support DPMS signalling. - -# screen blanking timeout. monitor remains on, but the screen is cleared to -# range: 0-60 min (0==never) kernels I've looked at default to 10 minutes. -# (see linux/drivers/char/console.c) -BLANK_TIME=30 - -# blanking method (VESA DPMS mode to use after BLANK_TIME, before powerdown): -# on: the default, no DPMS signalling. near instant powerup, no power saving -# vsync: DPMS Standby mode. 
nearly instant recovery, uses 110/120W (17" screen) -# hsync: DPMS Suspend mode. typically 3s recovery, uses 15/120W (17" screen) -# powerdown,off: DPMS Off mode, typ. 10s recovery, uses 5/120W (17" screen) - -# Those values are for my 17" Mag, but some monitors do suspend the same as -# standby. xset dpms force {off|standby|suspend|on} is useful for this, if X -# supports DPMS on your video card. Set X's DPMS screensaver with xset dpms -# or use option power_saver in XF86Config -# -# DPMS set by default to on, because hsync can cause problems on certain -# hardware, such as Armada E500 laptops -BLANK_DPMS=off - -# Powerdown time. The console will go to DPMS Off mode POWERDOWN_TIME -# minutes _after_ blanking. (POWERDOWN_TIME + BLANK_TIME after the last input) -POWERDOWN_TIME=30 - -# rate and delay can get only specific values, consult kbdrate(1) for help -#KEYBOARD_RATE="30" -#KEYBOARD_DELAY="250" - -# Turn on numlock by default -#LEDS=+num diff --git a/files/etc/cron.d/amavisd-new.expect b/files/etc/cron.d/amavisd-new.expect new file mode 100644 index 0000000..902e2d7 --- /dev/null +++ b/files/etc/cron.d/amavisd-new.expect @@ -0,0 +1,5 @@ +# +# SpamAssassin maintenance for amavisd-new +# +# m h dom mon dow user command +18 */3 * * * amavis test -e /usr/sbin/amavisd-new-cronjob && /usr/sbin/amavisd-new-cronjob sa-sync 1>/dev/null 2>&1 diff --git a/files/etc/cron.d/amavisd-new.restore b/files/etc/cron.d/amavisd-new.restore new file mode 100644 index 0000000..3baeee6 --- /dev/null +++ b/files/etc/cron.d/amavisd-new.restore @@ -0,0 +1,5 @@ +# +# SpamAssassin maintenance for amavisd-new +# +# m h dom mon dow user command +18 */3 * * * amavis test -e /usr/sbin/amavisd-new-cronjob && /usr/sbin/amavisd-new-cronjob sa-sync diff --git a/files/etc/cron.daily/amavisd-new.expect b/files/etc/cron.daily/amavisd-new.expect deleted file mode 100755 index d15c4da..0000000 --- a/files/etc/cron.daily/amavisd-new.expect +++ /dev/null 
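Review bot: The new cron.d entry in `amavisd-new.expect` redirects both stdout and stderr of `amavisd-new-cronjob sa-sync` to `/dev/null`, so cron never mails a failure and a sync that keeps failing goes unnoticed. The `.restore` variant added right after it keeps the output. If the redirect is only meant to silence routine output, dropping stdout alone keeps errors visible: `... /usr/sbin/amavisd-new-cronjob sa-sync 1>/dev/null`. The guard `test -e` also only proves the path exists; `test -x` matches what the `&&` branch actually needs.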
@@ -1,6 +0,0 @@ -#!/bin/sh -# -# Daily maintenance for amavisd-new -# $Id: amavisd-new.cron.daily 930 2006-08-10 13:38:45Z hmh $ -# -test -e /usr/sbin/amavisd-new-cronjob && exec /usr/sbin/amavisd-new-cronjob sa-clean 1>/dev/null 2>&1 diff --git a/files/etc/cron.daily/amavisd-new.restore b/files/etc/cron.daily/amavisd-new.restore deleted file mode 100755 index 8fc0199..0000000 --- a/files/etc/cron.daily/amavisd-new.restore +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -# -# Daily maintenance for amavisd-new -# $Id: amavisd-new.cron.daily 930 2006-08-10 13:38:45Z hmh $ -# -test -e /usr/sbin/amavisd-new-cronjob && exec /usr/sbin/amavisd-new-cronjob sa-clean diff --git a/files/etc/default/saslauthd.expect b/files/etc/default/saslauthd.expect new file mode 100644 index 0000000..dcbe615 --- /dev/null +++ b/files/etc/default/saslauthd.expect 
@@ -0,0 +1,57 @@ +# +# Settings for saslauthd daemon +# Please read /usr/share/doc/sasl2-bin/README.Debian for details. +# + +# Should saslauthd run automatically on startup? (default: no) +START=yes + +# Description of this saslauthd instance. Recommended. +# (suggestion: SASL Authentication Daemon) +DESC="SASL Authentication Daemon" + +# Short name of this saslauthd instance. Strongly recommended. +# (suggestion: saslauthd) +NAME="saslauthd" + +# Which authentication mechanisms should saslauthd use? (default: pam) +# +# Available options in this Debian package: +# getpwent -- use the getpwent() library function +# kerberos5 -- use Kerberos 5 +# pam -- use PAM +# rimap -- use a remote IMAP server +# shadow -- use the local shadow password file +# sasldb -- use the local sasldb database file +# ldap -- use LDAP (configuration is in /etc/saslauthd.conf) +# +# Only one option may be used at a time. See the saslauthd man page +# for more information. +# +# Example: MECHANISMS="pam" +MECHANISMS="pam" + +# Additional options for this mechanism. (default: none) +# See the saslauthd man page for information about mech-specific options. +MECH_OPTIONS="" + +# How many saslauthd processes should we run? (default: 5) +# A value of 0 will fork a new process for each connection. +THREADS=5 + +# Other options (default: -c -m /var/run/saslauthd) +# Note: You MUST specify the -m option or saslauthd won't run! +# +# WARNING: DO NOT SPECIFY THE -d OPTION. +# The -d option will cause saslauthd to run in the foreground instead of as +# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish +# to run saslauthd in debug mode, please run it by hand to be safe. +# +# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information. +# See the saslauthd man page and the output of 'saslauthd -h' for general +# information about these options. 
+# +# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd" +OPTIONS="-c -m /var/run/saslauthd" +OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" +[ ! -L /var/run/saslauthd -a -d /var/spool/postfix/var/run/saslauthd -a ! -d /var/run/saslauthd ] && ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd || true diff --git a/files/etc/default/saslauthd.restore b/files/etc/default/saslauthd.restore new file mode 100644 index 0000000..62f2792 --- /dev/null +++ b/files/etc/default/saslauthd.restore 
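Review bot: `OPTIONS` is assigned twice at the end of `saslauthd.expect`, so the packaged default `OPTIONS="-c -m /var/run/saslauthd"` is dead and only the Postfix chroot path takes effect. Commenting the first line out (`#OPTIONS="-c -m /var/run/saslauthd"`) would make the effective socket directory obvious to the next reader. The appended `[ ... ] && ln -s ... || true` line runs whenever this defaults file is sourced, presumably by the init script as root, and the `|| true` also hides a failed `ln`, in which case clients looking in `/var/run/saslauthd` lose authentication without any message. Because the socket now lives under `/var/spool/postfix/var/run/saslauthd`, a comment stating the owner and mode that directory must have would help, since they decide who can submit credentials to saslauthd.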
@@ -0,0 +1,55 @@ +# +# Settings for saslauthd daemon +# Please read /usr/share/doc/sasl2-bin/README.Debian for details. +# + +# Should saslauthd run automatically on startup? (default: no) +START=no + +# Description of this saslauthd instance. Recommended. +# (suggestion: SASL Authentication Daemon) +DESC="SASL Authentication Daemon" + +# Short name of this saslauthd instance. Strongly recommended. +# (suggestion: saslauthd) +NAME="saslauthd" + +# Which authentication mechanisms should saslauthd use? (default: pam) +# +# Available options in this Debian package: +# getpwent -- use the getpwent() library function +# kerberos5 -- use Kerberos 5 +# pam -- use PAM +# rimap -- use a remote IMAP server +# shadow -- use the local shadow password file +# sasldb -- use the local sasldb database file +# ldap -- use LDAP (configuration is in /etc/saslauthd.conf) +# +# Only one option may be used at a time. See the saslauthd man page +# for more information. +# +# Example: MECHANISMS="pam" +MECHANISMS="pam" + +# Additional options for this mechanism. (default: none) +# See the saslauthd man page for information about mech-specific options. +MECH_OPTIONS="" + +# How many saslauthd processes should we run? (default: 5) +# A value of 0 will fork a new process for each connection. +THREADS=5 + +# Other options (default: -c -m /var/run/saslauthd) +# Note: You MUST specify the -m option or saslauthd won't run! +# +# WARNING: DO NOT SPECIFY THE -d OPTION. +# The -d option will cause saslauthd to run in the foreground instead of as +# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish +# to run saslauthd in debug mode, please run it by hand to be safe. +# +# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information. +# See the saslauthd man page and the output of 'saslauthd -h' for general +# information about these options. +# +# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd" +OPTIONS="-c -m /var/run/saslauthd" 
diff --git a/files/etc/default/slapd.expect b/files/etc/default/slapd.expect
deleted file mode 100644
index 9cdf1c3..0000000
--- a/files/etc/default/slapd.expect
+++ /dev/null
@@ -1,46 +0,0 @@ -# Default location of the slapd.conf file. If empty, use the compiled-in -# default (/etc/ldap/slapd.conf). If using the cn=config backend to store -# configuration in LDIF, set this variable to the directory containing the -# cn=config data. -SLAPD_CONF= - -# System account to run the slapd server under. If empty the server -# will run as root. -SLAPD_USER="openldap" - -# System group to run the slapd server under. If empty the server will -# run in the primary group of its user. -SLAPD_GROUP="openldap" - -# Path to the pid file of the slapd server. If not set the init.d script -# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by -# default) -SLAPD_PIDFILE= - -# slapd normally serves ldap only on all TCP-ports 389. slapd can also -# service requests on TCP-port 636 (ldaps) and requests via unix -# sockets. -# Example usage: -# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" - -# If SLAPD_NO_START is set, the init script will not start or restart -# slapd (but stop will still work). Uncomment this if you are -# starting slapd via some other means or if you don't want slapd normally -# started at boot. -#SLAPD_NO_START=1 - -# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, -# the init script will not start or restart slapd (but stop will still -# work). Use this for temporarily disabling startup of slapd (when doing -# maintenance, for example, or through a configuration management system) -# when you don't want to edit a configuration file. -SLAPD_SENTINEL_FILE=/etc/ldap/noslapd - -# For Kerberos authentication (via SASL), slapd by default uses the system -# keytab file (/etc/krb5.keytab). To use a different keytab file, -# uncomment this line and change the path. -#export KRB5_KTNAME=/etc/krb5.keytab - -# Additional options to pass to slapd -SLAPD_OPTIONS="" -SLURPD_START=auto 
diff --git a/files/etc/default/slapd.restore b/files/etc/default/slapd.restore
deleted file mode 100644
index e1f5539..0000000
--- a/files/etc/default/slapd.restore
+++ /dev/null
@@ -1,45 +0,0 @@ -# Default location of the slapd.conf file. If empty, use the compiled-in -# default (/etc/ldap/slapd.conf). If using the cn=config backend to store -# configuration in LDIF, set this variable to the directory containing the -# cn=config data. -SLAPD_CONF= - -# System account to run the slapd server under. If empty the server -# will run as root. -SLAPD_USER="openldap" - -# System group to run the slapd server under. If empty the server will -# run in the primary group of its user. -SLAPD_GROUP="openldap" - -# Path to the pid file of the slapd server. If not set the init.d script -# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by -# default) -SLAPD_PIDFILE= - -# slapd normally serves ldap only on all TCP-ports 389. slapd can also -# service requests on TCP-port 636 (ldaps) and requests via unix -# sockets. -# Example usage: -# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" - -# If SLAPD_NO_START is set, the init script will not start or restart -# slapd (but stop will still work). Uncomment this if you are -# starting slapd via some other means or if you don't want slapd normally -# started at boot. -#SLAPD_NO_START=1 - -# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, -# the init script will not start or restart slapd (but stop will still -# work). Use this for temporarily disabling startup of slapd (when doing -# maintenance, for example, or through a configuration management system) -# when you don't want to edit a configuration file. -SLAPD_SENTINEL_FILE=/etc/ldap/noslapd - -# For Kerberos authentication (via SASL), slapd by default uses the system -# keytab file (/etc/krb5.keytab). To use a different keytab file, -# uncomment this line and change the path. -#export KRB5_KTNAME=/etc/krb5.keytab - -# Additional options to pass to slapd -SLAPD_OPTIONS="" diff --git a/files/etc/init.d/amavisd-cn.expect b/files/etc/init.d/amavisd-cn.expect deleted file mode 100755 index 5ca8c67..0000000 
--- a/files/etc/init.d/amavisd-cn.expect
+++ /dev/null
@@ -1,139 +0,0 @@ -#!/bin/sh - -set -e - -# options for daemons: -# name init.d/script user ps name for pgrep -f pidfile, relative to /var/run num-fds last-fd-name -options=' -clamd clamav-daemon clamav /usr/sbin/clamd clamav/clamd.pid 5 clamav.log -amavis amavis.amavisd-new amavis amavisd \\(master\\) amavis/amavisd.pid 5 socket -' -# note: pgrep -f takes a regexp, and this is shell expanded once, hence \\ - -start () { - local daemon IFSOLD name script user psname pidfile num fdname - daemon="$1" - IFSOLD="$IFS" - IFS=" " # tab - read name script user psname pidfile num fdname <<-EOPTS - $(echo "$options" | sed 's/ */ /g' | grep ^$daemon) - EOPTS - IFS="$IFSOLD" - /etc/init.d/$script start - wait_for_fds "$daemon" -} - -stop () { - local daemon IFSOLD name script user psname pidfile num fdname - daemon="$1" - n=10 - IFSOLD="$IFS" - IFS=" " # tab - read name script user psname pidfile num fdname <<-EOPTS - $(echo "$options" | sed 's/ */ /g' | grep ^$daemon) - EOPTS - IFS="$IFSOLD" - /etc/init.d/$script stop - pkill -u $user -f "$psname" > /dev/null || true - while pgrep -u $user -f "$psname" > /dev/null && [ "$n" -gt 0 ] - do - sleep 1 - n=$(($n-1)) - done - pkill -9 -u $user -f "$psname" > /dev/null || true - #pkill -9 -u $user -x "$daemon" - if pgrep -u $user -f "$psname" > /dev/null; then # still there? 
- return 1 - fi -} - -wait_for_fds () { - # wait until process shows some I/O readiness :) - local name IFSOLD num sleep maxtry script user psname pidfile fdname - name="$1" - [ -z "$name" ] && return 1 - IFSOLD="$IFS" - IFS=" " # tab - read name script user psname pidfile num fdname <<-EOPTS - $(echo "$options" | sed 's/ */ /g' | grep ^$name) - EOPTS - IFS="$IFSOLD" - num=${num:-4} - sleep=${sleep:-1} - maxtry=${maxtry:-90} - if [ -n "$pidfile" ]; then - pidfile=/var/run/$pidfile - findpid="[ -f $pidfile ] && cat $pidfile || true" - else - findpid="pgrep -u $user -f \"$psname\" -P 1 | head -1" - fi - - # loop the loop the loop - try=1 - while /bin/true - do - sleep $sleep # 1st, give it a chance to run - pid=`eval $findpid` # 2nd: find it - if [ ! -z "$pid" ]; then - count=`ls -1 /proc/$pid/fd 2>/dev/null| wc -l` # 3rd: count all it's worth - [ "$count" -ge "$num" ] && ls -l /proc/$pid/fd | grep -q $fdname \ - && return # success -- release - fi - try=$(($try+1)) - [ "0$try" -ge "0$maxtry" ] && return 1 # no luck this time - done -} - -# if we're called as amavisd-cn or amavis with start argument, -# act like one; otherwise, pass the call down -case "$(basename $0)" in - amavisd-cn) - arg="i$1" - ;; - amavis) - if [ "$1" = start ]; then - arg="i$1" - else - arg="$1" - fi - ;; - *) - arg="$1" - ;; -esac - -# If there's no diversion, play possum -[ -x /etc/init.d/amavis.amavisd-new ] || exit 0 - -mta=postfix - -case "$arg" in - start|stop|restart|reload|force-reload|debug) - /etc/init.d/amavis.amavisd-new "$arg" - ;; - - istart) - start clamd - start amavis - /etc/init.d/$mta start - ;; - - istop) - /etc/init.d/$mta stop - stop amavis - stop clamd - ;; - - irestart|ireload|iforce-reload) - $0 stop - sleep 2 - $0 start - ;; - - *) - echo "Usage: $0 {start|stop|restart|reload|force-reload}" >&2 - exit 1 - ;; -esac - -exit 0 diff --git a/files/etc/init.d/amavisd-cn.restore b/files/etc/init.d/amavisd-cn.restore deleted file mode 100755 index 3f1b26a..0000000 
--- a/files/etc/init.d/amavisd-cn.restore
+++ /dev/null
@@ -1,167 +0,0 @@ -#!/bin/sh - -# amavisd-cn /etc/init.d/ initscript wrapper for CARNetized amavisd-new -# -# Start and stop Amavis, ClamAV and Postfix/Sendmail - -### BEGIN INIT INFO -# Provides: amavisd-cn -# Required-Start: $local_fs $remote_fs $syslog $named $network $time -# Required-Stop: $local_fs $remote_fs $syslog $named $network -# Should-Start: -# Should-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: start and stop Amavis, ClamAV and Postfix/Sendmail -# Description: wrapper for starting/stopping MTA and related services -### END INIT INFO - -set -e - -# options for daemons: -# name init.d/script user ps name for pgrep -f pidfile, relative to /var/run num-fds last-fd-name -options=' -clamd clamav-daemon clamav /usr/sbin/clamd clamav/clamd.pid 5 clamav.log -amavis amavis.amavisd-new amavis amavisd \\(master\\) amavis/amavisd.pid 5 socket -' -# note: pgrep -f takes a regexp, and this is shell expanded once, hence \\ - -start () { - local daemon IFSOLD name script user psname pidfile num fdname - daemon="$1" - IFSOLD="$IFS" - IFS=" " # tab - read name script user psname pidfile num fdname <<-EOPTS - $(echo "$options" | sed 's/ */ /g' | grep ^$daemon) - EOPTS - IFS="$IFSOLD" - /etc/init.d/$script start - wait_for_fds "$daemon" -} - -stop () { - local daemon IFSOLD name script user psname pidfile num fdname - daemon="$1" - n=10 - IFSOLD="$IFS" - IFS=" " # tab - read name script user psname pidfile num fdname <<-EOPTS - $(echo "$options" | sed 's/ */ /g' | grep ^$daemon) - EOPTS - IFS="$IFSOLD" - /etc/init.d/$script stop - pkill -u $user -f "$psname" > /dev/null || true - while pgrep -u $user -f "$psname" > /dev/null && [ "$n" -gt 0 ] - do - sleep 1 - n=$(($n-1)) - done - pkill -9 -u $user -f "$psname" > /dev/null || true - #pkill -9 -u $user -x "$daemon" - if pgrep -u $user -f "$psname" > /dev/null; then # still there? 
- return 1 - fi -} - -wait_for_fds () { - # wait until process shows some I/O readiness :) - local name IFSOLD num sleep maxtry script user psname pidfile fdname - name="$1" - [ -z "$name" ] && return 1 - IFSOLD="$IFS" - IFS=" " # tab - read name script user psname pidfile num fdname <<-EOPTS - $(echo "$options" | sed 's/ */ /g' | grep ^$name) - EOPTS - IFS="$IFSOLD" - num=${num:-4} - sleep=${sleep:-1} - maxtry=${maxtry:-90} - if [ -n "$pidfile" ]; then - pidfile=/var/run/$pidfile - findpid="[ -f $pidfile ] && cat $pidfile || true" - else - findpid="pgrep -u $user -f \"$psname\" -P 1 | head -1" - fi - - # loop the loop the loop - try=1 - while /bin/true - do - sleep $sleep # 1st, give it a chance to run - pid=`eval $findpid` # 2nd: find it - if [ ! -z "$pid" ]; then - count=`ls -1 /proc/$pid/fd 2>/dev/null| wc -l` # 3rd: count all it's worth - [ "$count" -ge "$num" ] && ls -l /proc/$pid/fd | grep -q $fdname \ - && return # success -- release - fi - try=$(($try+1)) - [ "0$try" -ge "0$maxtry" ] && return 1 # no luck this time - done -} - -# if we're called as amavisd-cn or amavis with start argument, -# act like one; otherwise, pass the call down -case "$(basename $0)" in - amavisd-cn) - arg="i$1" - ;; - amavis) - if [ "$1" = start ]; then - arg="i$1" - else - arg="$1" - fi - ;; - *) - arg="$1" - ;; -esac - -# If there's no diversion, play possum -[ -x /etc/init.d/amavis.amavisd-new ] || exit 0 - -mta=postfix - -case "$arg" in - start|stop|restart|reload|force-reload|debug) - /etc/init.d/amavis.amavisd-new "$arg" - ;; - - istart) - start clamd - start amavis - if [ -x "/etc/init.d/$mta" ]; then - if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then - invoke-rc.d $mta start - else - /etc/init.d/$mta start - fi - fi - ;; - - istop) - if [ -x "/etc/init.d/$mta" ]; then - if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then - invoke-rc.d $mta stop - else - /etc/init.d/$mta stop - fi - fi - stop amavis - stop clamd - ;; - - irestart|ireload|iforce-reload) - $0 stop - sleep 2 - 
$0 start - ;; - - *) - echo "Usage: $0 {start|stop|restart|reload|force-reload}" >&2 - exit 1 - ;; -esac - -exit 0 diff --git a/files/etc/issue.expect b/files/etc/issue.expect index b5ec188..39eb007 100644 --- a/files/etc/issue.expect +++ b/files/etc/issue.expect @@ -1 +1 @@ -Debian GNU/Linux 5.0 (CARNet Debian 5.0) \n \l +Debian GNU/Linux 6.0 (CARNet Debian 6.0) \n \l diff --git a/files/etc/issue.expect.new b/files/etc/issue.expect.new index 9d52ed2..efc8255 100644 --- a/files/etc/issue.expect.new +++ b/files/etc/issue.expect.new @@ -1,2 +1,2 @@ -Debian GNU/Linux 6.0 \n \l +Debian GNU/Linux 7 \n \l diff --git a/files/etc/issue.net.expect b/files/etc/issue.net.expect index b6022f9..c82d0ef 100644 --- a/files/etc/issue.net.expect +++ b/files/etc/issue.net.expect @@ -1 +1 @@ -Debian GNU/Linux 5.0 (CARNet Debian 5.0) %h +Debian GNU/Linux 6 (CARNet Debian 6) %h diff --git a/files/etc/issue.net.expect.new b/files/etc/issue.net.expect.new index 6a11f39..3310237 100644 --- a/files/etc/issue.net.expect.new +++ b/files/etc/issue.net.expect.new @@ -1 +1 @@ -Debian GNU/Linux 6.0 +Debian GNU/Linux 7 diff --git a/files/etc/issue.net.restore b/files/etc/issue.net.restore index ac469c2..748a8db 100644 --- a/files/etc/issue.net.restore +++ b/files/etc/issue.net.restore @@ -1 +1 @@ -Debian GNU/Linux 5.0 +Debian GNU/Linux 6 diff --git a/files/etc/issue.restore b/files/etc/issue.restore index b797604..2f52d50 100644 --- a/files/etc/issue.restore +++ b/files/etc/issue.restore @@ -1,2 +1,2 @@ -Debian GNU/Linux 5.0 \n \l +Debian GNU/Linux 6 \n \l diff --git a/files/etc/monit/monitrc.restore b/files/etc/monit/monitrc.restore index 4a5dacc..c961500 100644 --- a/files/etc/monit/monitrc.restore +++ b/files/etc/monit/monitrc.restore 
@@ -6,38 +6,53 @@ ## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'. ## ## Below you will find examples of some frequently used statements. For -## information about the control file, a complete list of statements and -## options please have a look in the monit manual. +## information about the control file and a complete list of statements and +## options, please have a look in the Monit manual. ## ## ############################################################################### ## Global section ############################################################################### ## -## Start monit in the background (run as a daemon) and check services at -## 2-minute intervals. +## Start Monit in the background (run as a daemon): # -# set daemon 120 +# set daemon 120 # check services at 2-minute intervals +# with start delay 240 # optional: delay the first check by 4-minutes (by +# # default Monit check immediately after Monit start) # # ## Set syslog logging with the 'daemon' facility. If the FACILITY option is -## omitted, monit will use 'user' facility by default. If you want to log to -## a stand alone log file instead, specify the path to a log file +## omitted, Monit will use 'user' facility by default. If you want to log to +## a standalone log file instead, specify the full path to the log file # # set logfile syslog facility log_daemon # # +### Set the location of the Monit id file which stores the unique id for the +### Monit instance. The id is generated and stored on first Monit start. By +### default the file is placed in $HOME/.monit.id. +# +# set idfile /var/.monit.id +# +### Set the location of the Monit state file which saves monitoring states +### on each cycle. By default the file is placed in $HOME/.monit.state. If +### the state file is stored on a persistent filesystem, Monit will recover +### the monitoring state across reboots. 
If it is on temporary filesystem, the +### state will be lost on reboot which may be convenient in some situations. +# +# set statefile /var/.monit.state +# ## Set the list of mail servers for alert delivery. Multiple servers may be -## specified using comma separator. By default monit uses port 25 - this -## is possible to override with the PORT option. +## specified using a comma separator. By default Monit uses port 25 - it is +## possible to override this with the PORT option. # # set mailserver mail.bar.baz, # primary mailserver # backup.bar.baz port 10025, # backup mailserver on port 10025 # localhost # fallback relay # # -## By default monit will drop alert events if no mail servers are available. -## If you want to keep the alerts for a later delivery retry, you can use the +## By default Monit will drop alert events if no mail servers are available. +## If you want to keep the alerts for later delivery retry, you can use the ## EVENTQUEUE statement. The base directory where undelivered alerts will be ## stored is specified by the BASEDIR option. You can limit the maximal queue ## size using the SLOTS option (if omitted, the queue is limited by space @@ -45,7 +60,13 @@ # # set eventqueue # basedir /var/monit # set the base directory where events will be stored -# slots 100 # optionaly limit the queue size +# slots 100 # optionally limit the queue size +# +# +## Send status and events to M/Monit (for more informations about M/Monit +## see http://mmonit.com/). +# +# set mmonit http://monit:monit@192.168.1.10:8080/collector # # ## Monit by default uses the following alert mail format: 
@@ -62,17 +83,17 @@ ## Description: $DESCRIPTION # ## # ## Your faithful employee, # -## monit # +## Monit # ## --8<-- ## ## You can override this message format or parts of it, such as subject ## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc. -## are expanded at runtime. For example, to override the sender: +## are expanded at runtime. For example, to override the sender, use: # # set mail-format { from: monit@foo.bar } # # -## You can set alert recipients here whom will receive alerts if/when a +## You can set alert recipients whom will receive alerts if/when a ## service defined in this file has errors. Alerts may be restricted on ## events by using a filter as in the second example below. # @@ -82,13 +103,15 @@ # # ## Monit has an embedded web server which can be used to view status of -## services monitored, the current configuration, actual services parameters -## and manage services from a web interface. +## services monitored and manage services from a web interface. See the +## Monit Wiki if you want to enable SSL for the web server. # # set httpd port 2812 and # use address localhost # only accept connection from localhost # allow localhost # allow localhost to connect to the server and # allow admin:monit # require user 'admin' with password 'monit' +# allow @monit # allow users of group 'monit' to connect (rw) +# allow @users readonly # allow users of group 'users' to connect readonly # # ############################################################################### 
@@ -109,9 +132,10 @@ # # ## Check a file for existence, checksum, permissions, uid and gid. In addition -## to alert recipients in the global section, customized alert will be sent to +## to alert recipients in the global section, customized alert can be sent to ## additional recipients by specifying a local alert handler. The service may -## be grouped using the GROUP option. +## be grouped using the GROUP option. More than one group can be specified by +## repeating the 'group name' statement. # # check file apache_bin with path /usr/local/apache/bin/httpd # if failed checksum and @@ -127,14 +151,14 @@ # ## Check that a process is running, in this case Apache, and that it respond ## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory, -## and number of children. If the process is not running, monit will restart -## it by default. In case the service was restarted very often and the +## and number of children. If the process is not running, Monit will restart +## it by default. In case the service is restarted very often and the ## problem remains, it is possible to disable monitoring using the TIMEOUT ## statement. This service depends on another service (apache_bin) which ## is defined above. # # check process apache with pidfile /usr/local/apache/logs/httpd.pid -# start program = "/etc/init.d/httpd start" +# start program = "/etc/init.d/httpd start" with timeout 60 seconds # stop program = "/etc/init.d/httpd stop" # if cpu > 60% for 2 cycles then alert # if cpu > 80% for 5 cycles then restart @@ -142,7 +166,7 @@ # if children > 250 then restart # if loadavg(5min) greater than 10 for 8 cycles then stop # if failed host www.tildeslash.com port 80 protocol http -# and request "/monit/doc/next.php" +# and request "/somefile.html" # then restart # if failed port 443 type tcpssl protocol http # with timeout 15 seconds 
@@ -152,12 +176,12 @@ # group server # # -## Check device permissions, uid, gid, space and inode usage. Other services, +## Check filesystem permissions, uid, gid, space and inode usage. Other services, ## such as databases, may depend on this resource and an automatically graceful ## stop may be cascaded to them before the filesystem will become full and data ## lost. # -# check device datafs with path /dev/sdb1 +# check filesystem datafs with path /dev/sdb1 # start program = "/bin/mount /data" # stop program = "/bin/umount /data" # if failed permission 660 then unmonitor @@ -179,7 +203,7 @@ # if failed uid data then alert # if failed gid data then alert # if timestamp > 15 minutes then alert -# if size > 100 MB then exec "/my/cleanup/script" +# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba # # ## Check directory permission, uid and gid. An event is triggered if the @@ -192,15 +216,14 @@ # if failed gid 0 then unmonitor # # -## Check a remote host network services availability using a ping test and -## check response content from a web server. Up to three pings are sent and -## connection to a port and a application level network check is performed. +## Check a remote host availability by issuing a ping test and check the +## content of a response from a web server. Up to three pings are sent and +## connection to a port and an application level network check is performed. # # check host myserver with address 192.168.1.1 # if failed icmp type echo count 3 with timeout 3 seconds then alert # if failed port 3306 protocol mysql with timeout 15 seconds then alert -# if failed url -# http://user:password@www.foo.bar:8080/?querystring +# if failed url http://user:password@192.168.1.1:8080/?querystring # and content == 'action="j_security_check"' # then alert # @@ -212,6 +235,6 @@ ## It is possible to include additional configuration parts from other files or ## directories. # -# include /etc/monit.d/* -# -# + +include /etc/monit/conf.d/* + 
diff --git a/files/etc/monit/monitrc.template b/files/etc/monit/monitrc.template index baf3fc9..689e5ed 100644 --- a/files/etc/monit/monitrc.template +++ b/files/etc/monit/monitrc.template @@ -4,12 +4,12 @@ set daemon 900 set logfile syslog facility log_daemon set mail-format { - from: monit@localhost + from: monit@squeeze-amd64.local subject: $SERVICE $EVENT at $DATE message: monit $ACTION $SERVICE at $DATE on $HOST } set mailserver 127.0.0.1 -set alert root@localhost only on { uid, gid, size, nonexist, data, icmp, instance, invalid, exec, timeout, resource, checksum, match, timestamp, connection, permission } +set alert root@localhost but not on { instance } #set httpd port 2812 and use address 127.0.0.1 #allow localhost diff --git a/files/etc/security/limits.conf.expect b/files/etc/security/limits.conf.expect deleted file mode 100644 index de0a011..0000000 --- a/files/etc/security/limits.conf.expect +++ /dev/null 
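Review bot: The new sender `from: monit@squeeze-amd64.local` in the `set mail-format` block looks like the name of the machine the template was regenerated on, not a value meant for every host. Unless the template-regeneration code in restore_configs (only its first lines are visible at the end of this patch) rewrites the sender, alerts from every server would carry the same foreign hostname, which makes triage harder and may get the mail rejected by sender checks. I would keep `from: monit@localhost` or use a placeholder that the script substitutes. The change to `set alert root@localhost but not on { instance }` also delivers event types that were absent from the old allow-list, so it deserves a one-line comment such as `# alert on every event except monit start/stop (instance)`.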
@@ -1,57 +0,0 @@ -# /etc/security/limits.conf -# -#Each line describes a limit for a user in the form: -# -# -# -#Where: -# can be: -# - an user name -# - a group name, with @group syntax -# - the wildcard *, for default entry -# - the wildcard %, can be also used with %group syntax, -# for maxlogin limit -# -# can have the two values: -# - "soft" for enforcing the soft limits -# - "hard" for enforcing hard limits -# -# can be one of the following: -# - core - limits the core file size (KB) -# - data - max data size (KB) -# - fsize - maximum filesize (KB) -# - memlock - max locked-in-memory address space (KB) -# - nofile - max number of open files -# - rss - max resident set size (KB) -# - stack - max stack size (KB) -# - cpu - max CPU time (MIN) -# - nproc - max number of processes -# - as - address space limit (KB) -# - maxlogins - max number of logins for this user -# - maxsyslogins - max number of logins on the system -# - priority - the priority to run user process with -# - locks - max number of file locks the user can hold -# - sigpending - max number of pending signals -# - msgqueue - max memory used by POSIX message queues (bytes) -# - nice - max nice priority allowed to raise to values: [-20, 19] -# - rtprio - max realtime priority -# - chroot - change root to directory (Debian-specific) -# -# -# - -#* soft core 0 -#* hard rss 10000 -#@student hard nproc 20 -#@faculty soft nproc 20 -#@faculty hard nproc 50 -#ftp hard nproc 0 -#ftp - chroot /ftp -#@student - maxlogins 4 - -# End of file -# Begin update by CARNet package kernel-2.6-cn -- DO NOT DELETE THIS LINE! -* soft core 0 -* hard nofile 4096 -* soft nofile 4096 -# End update by CARNet package kernel-2.6-cn -- DO NOT DELETE THIS LINE! diff --git a/files/etc/security/limits.conf.restore b/files/etc/security/limits.conf.restore deleted file mode 100644 index 9ab8ae2..0000000 --- a/files/etc/security/limits.conf.restore +++ /dev/null 
@@ -1,52 +0,0 @@ -# /etc/security/limits.conf -# -#Each line describes a limit for a user in the form: -# -# -# -#Where: -# can be: -# - an user name -# - a group name, with @group syntax -# - the wildcard *, for default entry -# - the wildcard %, can be also used with %group syntax, -# for maxlogin limit -# -# can have the two values: -# - "soft" for enforcing the soft limits -# - "hard" for enforcing hard limits -# -# can be one of the following: -# - core - limits the core file size (KB) -# - data - max data size (KB) -# - fsize - maximum filesize (KB) -# - memlock - max locked-in-memory address space (KB) -# - nofile - max number of open files -# - rss - max resident set size (KB) -# - stack - max stack size (KB) -# - cpu - max CPU time (MIN) -# - nproc - max number of processes -# - as - address space limit (KB) -# - maxlogins - max number of logins for this user -# - maxsyslogins - max number of logins on the system -# - priority - the priority to run user process with -# - locks - max number of file locks the user can hold -# - sigpending - max number of pending signals -# - msgqueue - max memory used by POSIX message queues (bytes) -# - nice - max nice priority allowed to raise to values: [-20, 19] -# - rtprio - max realtime priority -# - chroot - change root to directory (Debian-specific) -# -# -# - -#* soft core 0 -#* hard rss 10000 -#@student hard nproc 20 -#@faculty soft nproc 20 -#@faculty hard nproc 50 -#ftp hard nproc 0 -#ftp - chroot /ftp -#@student - maxlogins 4 - -# End of file diff --git a/files/etc/spamassassin/v310.pre.expect b/files/etc/spamassassin/v310.pre.expect deleted file mode 100644 index c626972..0000000 --- a/files/etc/spamassassin/v310.pre.expect +++ /dev/null 
@@ -1,80 +0,0 @@ -# This is the right place to customize your installation of SpamAssassin. -# -# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be -# tweaked. -# -# This file was installed during the installation of SpamAssassin 3.1.0, -# and contains plugin loading commands for the new plugins added in that -# release. It will not be overwritten during future SpamAssassin installs, -# so you can modify it to enable some disabled-by-default plugins below, -# if you so wish. -# -# There are now multiple files read to enable plugins in the -# /etc/mail/spamassassin directory; previously only one, "init.pre" was -# read. Now both "init.pre", "v310.pre", and any other files ending in -# ".pre" will be read. As future releases are made, new plugins will be -# added to new files, named according to the release they're added in. -########################################################################### - -# DCC - perform DCC message checks. -# -# DCC is disabled here because it is not open source. See the DCC -# license for more details. -# -#loadplugin Mail::SpamAssassin::Plugin::DCC - -# Pyzor - perform Pyzor message checks. -# -#loadplugin Mail::SpamAssassin::Plugin::Pyzor - -# Razor2 - perform Razor2 message checks. 
-# -loadplugin Mail::SpamAssassin::Plugin::Razor2 - -# SpamCop - perform SpamCop message reporting -# -loadplugin Mail::SpamAssassin::Plugin::SpamCop - -# AntiVirus - some simple anti-virus checks, this is not a replacement -# for an anti-virus filter like Clam AntiVirus -# -#loadplugin Mail::SpamAssassin::Plugin::AntiVirus - -# AWL - do auto-whitelist checks -# -loadplugin Mail::SpamAssassin::Plugin::AWL - -# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning -# -loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold - -# TextCat - language guesser -# -#loadplugin Mail::SpamAssassin::Plugin::TextCat - -# AccessDB - lookup from-addresses in access database -# -#loadplugin Mail::SpamAssassin::Plugin::AccessDB - -# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions -# -loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject - -########################################################################### -# experimental plugins - -# DomainKeys - perform DomainKeys verification -# -# External modules required for use, see INSTALL for more information. -# Note that this may be redundant if you also plan to use the DKIM plugin. -# -#loadplugin Mail::SpamAssassin::Plugin::DomainKeys - -# MIMEHeader - apply regexp rules against MIME headers in the message -# -loadplugin Mail::SpamAssassin::Plugin::MIMEHeader - -# ReplaceTags -# -loadplugin Mail::SpamAssassin::Plugin::ReplaceTags - diff --git a/files/etc/spamassassin/v310.pre.restore b/files/etc/spamassassin/v310.pre.restore deleted file mode 100644 index b74f9ef..0000000 --- a/files/etc/spamassassin/v310.pre.restore +++ /dev/null 
@@ -1,80 +0,0 @@ -# This is the right place to customize your installation of SpamAssassin. -# -# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be -# tweaked. -# -# This file was installed during the installation of SpamAssassin 3.1.0, -# and contains plugin loading commands for the new plugins added in that -# release. It will not be overwritten during future SpamAssassin installs, -# so you can modify it to enable some disabled-by-default plugins below, -# if you so wish. -# -# There are now multiple files read to enable plugins in the -# /etc/mail/spamassassin directory; previously only one, "init.pre" was -# read. Now both "init.pre", "v310.pre", and any other files ending in -# ".pre" will be read. As future releases are made, new plugins will be -# added to new files, named according to the release they're added in. -########################################################################### - -# DCC - perform DCC message checks. -# -# DCC is disabled here because it is not open source. See the DCC -# license for more details. -# -#loadplugin Mail::SpamAssassin::Plugin::DCC - -# Pyzor - perform Pyzor message checks. -# -loadplugin Mail::SpamAssassin::Plugin::Pyzor - -# Razor2 - perform Razor2 message checks. 
-# -loadplugin Mail::SpamAssassin::Plugin::Razor2 - -# SpamCop - perform SpamCop message reporting -# -loadplugin Mail::SpamAssassin::Plugin::SpamCop - -# AntiVirus - some simple anti-virus checks, this is not a replacement -# for an anti-virus filter like Clam AntiVirus -# -#loadplugin Mail::SpamAssassin::Plugin::AntiVirus - -# AWL - do auto-whitelist checks -# -loadplugin Mail::SpamAssassin::Plugin::AWL - -# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning -# -loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold - -# TextCat - language guesser -# -#loadplugin Mail::SpamAssassin::Plugin::TextCat - -# AccessDB - lookup from-addresses in access database -# -#loadplugin Mail::SpamAssassin::Plugin::AccessDB - -# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions -# -loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject - -########################################################################### -# experimental plugins - -# DomainKeys - perform DomainKeys verification -# -# External modules required for use, see INSTALL for more information. -# Note that this may be redundant if you also plan to use the DKIM plugin. -# -#loadplugin Mail::SpamAssassin::Plugin::DomainKeys - -# MIMEHeader - apply regexp rules against MIME headers in the message -# -loadplugin Mail::SpamAssassin::Plugin::MIMEHeader - -# ReplaceTags -# -loadplugin Mail::SpamAssassin::Plugin::ReplaceTags - diff --git a/files/etc/squirrelmail/apache.conf.expect b/files/etc/squirrelmail/apache.conf.expect deleted file mode 100644 index 79df266..0000000 --- a/files/etc/squirrelmail/apache.conf.expect +++ /dev/null 
@@ -1,66 +0,0 @@ -# Begin update by CARNet package squirrelmail-cn -- DO NOT DELETE THIS LINE! -# Force SSL for /webmail -> you can still use /squirrelmail -Alias /webmail /usr/share/squirrelmail - - - - - RewriteEngine on - RewriteCond %{HTTPS} !=on - RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L] - - - - -# -# WARNING: This file is automatically included in each VirtualHost -# entry you might have. Do not enable the VirtualHost example provided -# in this file, it WILL break your Apache configuration. Copy the -# VirtualHost section to the standard webserver configuration file -# instead. -# -# End update by CARNet package squirrelmail-cn -- DO NOT DELETE THIS LINE! -Alias /squirrelmail /usr/share/squirrelmail - - - Options Indexes FollowSymLinks - - php_flag register_globals off - - - php_flag register_globals off - - - DirectoryIndex index.php - - - # access to configtest is limited by default to prevent information leak - - order deny,allow - deny from all - allow from 127.0.0.1 - - - -# users will prefer a simple URL like http://webmail.example.com -# -# DocumentRoot /usr/share/squirrelmail -# ServerName webmail.example.com -# - -# redirect to https when available (thanks omen@descolada.dartmouth.edu) -# -# Note: There are multiple ways to do this, and which one is suitable for -# your site's configuration depends. Consult the apache documentation if -# you're unsure, as this example might not work everywhere. -# -# -# -# -# RewriteEngine on -# RewriteCond %{HTTPS} !^on$ [NC] -# RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L] -# -# -# - diff --git a/files/etc/squirrelmail/apache.conf.restore b/files/etc/squirrelmail/apache.conf.restore deleted file mode 100644 index d594d27..0000000 --- a/files/etc/squirrelmail/apache.conf.restore +++ /dev/null 
@@ -1,44 +0,0 @@ -Alias /squirrelmail /usr/share/squirrelmail - - - Options Indexes FollowSymLinks - - php_flag register_globals off - - - php_flag register_globals off - - - DirectoryIndex index.php - - - # access to configtest is limited by default to prevent information leak - - order deny,allow - deny from all - allow from 127.0.0.1 - - - -# users will prefer a simple URL like http://webmail.example.com -# -# DocumentRoot /usr/share/squirrelmail -# ServerName webmail.example.com -# - -# redirect to https when available (thanks omen@descolada.dartmouth.edu) -# -# Note: There are multiple ways to do this, and which one is suitable for -# your site's configuration depends. Consult the apache documentation if -# you're unsure, as this example might not work everywhere. -# -# -# -# -# RewriteEngine on -# RewriteCond %{HTTPS} !^on$ [NC] -# RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L] -# -# -# - diff --git a/files/etc/sysctl.conf.expect b/files/etc/sysctl.conf.expect deleted file mode 100644 index 14e08b0..0000000 --- a/files/etc/sysctl.conf.expect +++ /dev/null 
@@ -1,37 +0,0 @@ -# -# /etc/sysctl.conf - Configuration file for setting system variables -# See sysctl.conf (5) for information. -# -#kernel.domainname=example.com -#kernel.printk=4 4 1 7 -#net.ipv4.conf.all.accept_redirects=0 -#net.ipv4.conf.all.accept_source_route=0 -#net.ipv4.conf.all.log_martians=1 -#net.ipv4.conf.all.rp_filter=1 -#net.ipv4.conf.all.send_redirects=0 -#net.ipv4.conf.default.rp_filter=1 -#net.ipv4.icmp_echo_ignore_broadcasts=1 -#net.ipv4.icmp_ignore_bogus_error_responses=1 -#net.ipv4.ip_forward=1 -#net.ipv6.conf.all.accept_redirects=0 -#net.ipv6.conf.all.accept_source_route=0 -#net.ipv6.conf.all.forwarding=1 -kernel.maps_protect=1 -net.core.rmem_default=1048576 -net.core.wmem_default=1048576 -net.ipv4.conf.all.accept_redirects=0 -net.ipv4.conf.all.accept_source_route=0 -net.ipv4.conf.all.log_martians=1 -net.ipv4.conf.all.rp_filter=1 -net.ipv4.conf.all.secure_redirects=1 -net.ipv4.conf.all.send_redirects=0 -net.ipv4.icmp_echo_ignore_broadcasts=1 -net.ipv4.icmp_ignore_bogus_error_responses=1 -net.ipv4.ip_forward=0 -net.ipv4.ip_local_port_range=10000 65000 -net.ipv4.tcp_ecn=0 -net.ipv4.tcp_max_syn_backlog=1024 -net.ipv4.tcp_retries1=2 -net.ipv4.tcp_rfc1337=1 -net.ipv4.tcp_syncookies=1 -vm.mmap_min_addr=65536 diff --git a/files/etc/sysctl.conf.restore b/files/etc/sysctl.conf.restore deleted file mode 100644 index 6cd0aeb..0000000 --- a/files/etc/sysctl.conf.restore +++ /dev/null 
@@ -1,67 +0,0 @@ -# -# /etc/sysctl.conf - Configuration file for setting system variables -# See /etc/sysctl.d/ for additonal system variables -# See sysctl.conf (5) for information. -# - -#kernel.domainname = example.com - -# Uncomment the following to stop low-level messages on console -#kernel.printk = 4 4 1 7 - -##############################################################3 -# Functions previously found in netbase -# - -# Uncomment the next two lines to enable Spoof protection (reverse-path filter) -# Turn on Source Address Verification in all interfaces to -# prevent some spoofing attacks -#net.ipv4.conf.default.rp_filter=1 -#net.ipv4.conf.all.rp_filter=1 - -# Uncomment the next line to enable TCP/IP SYN cookies -# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167), -# and is not recommended. -#net.ipv4.tcp_syncookies=1 - -# Uncomment the next line to enable packet forwarding for IPv4 -#net.ipv4.ip_forward=1 - -# Uncomment the next line to enable packet forwarding for IPv6 -#net.ipv6.conf.all.forwarding=1 - - -################################################################### -# Additional settings - these settings can improve the network -# security of the host and prevent against some network attacks -# including spoofing attacks and man in the middle attacks through -# redirection. Some network environments, however, require that these -# settings are disabled so review and enable them as needed. 
-# -# Ignore ICMP broadcasts -#net.ipv4.icmp_echo_ignore_broadcasts = 1 -# -# Ignore bogus ICMP errors -#net.ipv4.icmp_ignore_bogus_error_responses = 1 -# -# Do not accept ICMP redirects (prevent MITM attacks) -#net.ipv4.conf.all.accept_redirects = 0 -#net.ipv6.conf.all.accept_redirects = 0 -# _or_ -# Accept ICMP redirects only for gateways listed in our default -# gateway list (enabled by default) -# net.ipv4.conf.all.secure_redirects = 1 -# -# Do not send ICMP redirects (we are not a router) -#net.ipv4.conf.all.send_redirects = 0 -# -# Do not accept IP source route packets (we are not a router) -#net.ipv4.conf.all.accept_source_route = 0 -#net.ipv6.conf.all.accept_source_route = 0 -# -# Log Martian Packets -#net.ipv4.conf.all.log_martians = 1 -# -# The contents of /proc//maps and smaps files are only visible to -# readers that are allowed to ptrace() the process -# kernel.maps_protect = 1 diff --git a/files/etc/vsftpd.conf.expect b/files/etc/vsftpd.conf.expect index 107c7f4..e2c9b7f 100644 --- a/files/etc/vsftpd.conf.expect +++ b/files/etc/vsftpd.conf.expect @@ -45,6 +45,12 @@ local_umask=022 # go into a certain directory. dirmessage_enable=YES # +# If enabled, vsftpd will display directory listings with the time +# in your local time zone. The default is to display GMT. The +# times returned by the MDTM FTP command are also affected by this +# option. +use_localtime=YES +# # Activate logging of uploads/downloads. xferlog_enable=YES # @@ -61,7 +67,8 @@ connect_from_port_20=YES # below. #xferlog_file=/var/log/vsftpd.log # -# If you want, you can have your log file in standard ftpd xferlog format +# If you want, you can have your log file in standard ftpd xferlog format. +# Note that the default log file location is /var/log/xferlog in this case. #xferlog_std_format=YES # # You may change the default value for timing out an idle session. 
@@ -107,6 +114,7 @@ connect_from_port_20=YES # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). +#chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd.chroot_list @@ -117,7 +125,6 @@ connect_from_port_20=YES # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # -# # Debian customization # # Some of vsftpd's settings don't fit the Debian filesystem layout by @@ -127,11 +134,11 @@ connect_from_port_20=YES # directory should not be writable by the ftp user. This directory is used # as a secure chroot() jail at times vsftpd does not require filesystem # access. -secure_chroot_dir=/var/run/vsftpd +secure_chroot_dir=/var/run/vsftpd/empty # # This string is the name of the PAM service vsftpd will use. pam_service_name=vsftpd # # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. -rsa_cert_file=/etc/ssl/certs/vsftpd.pem +rsa_cert_file=/etc/ssl/private/vsftpd.pem diff --git a/files/etc/vsftpd.conf.restore b/files/etc/vsftpd.conf.restore index b39aef2..51d1d33 100644 --- a/files/etc/vsftpd.conf.restore +++ b/files/etc/vsftpd.conf.restore @@ -45,6 +45,12 @@ anonymous_enable=YES # go into a certain directory. dirmessage_enable=YES # +# If enabled, vsftpd will display directory listings with the time +# in your local time zone. The default is to display GMT. The +# times returned by the MDTM FTP command are also affected by this +# option. +use_localtime=YES +# # Activate logging of uploads/downloads. xferlog_enable=YES # 
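Review bot: The switch to `rsa_cert_file=/etc/ssl/private/vsftpd.pem` in the last hunk of vsftpd.conf.expect (and the same hunk of vsftpd.conf.restore) has no matching migration step in the vsftpd block of restore_configs shown later in this patch. If a host already has a combined certificate-and-key file at the old `/etc/ssl/certs/vsftpd.pem`, it stays in a directory that is normally world-readable, and a TLS-enabled vsftpd would look for it at a path that may not exist; whether the vsftpd-cn reconfigure handles this is not visible here. I would add a step to that block along the lines of `if [ -f /etc/ssl/certs/vsftpd.pem ] && [ ! -e /etc/ssl/private/vsftpd.pem ]; then mv /etc/ssl/certs/vsftpd.pem /etc/ssl/private/vsftpd.pem && chmod 600 /etc/ssl/private/vsftpd.pem; fi`, or at least log a warning when the old file is found.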
@@ -61,7 +67,8 @@ connect_from_port_20=YES # below. #xferlog_file=/var/log/vsftpd.log # -# If you want, you can have your log file in standard ftpd xferlog format +# If you want, you can have your log file in standard ftpd xferlog format. +# Note that the default log file location is /var/log/xferlog in this case. #xferlog_std_format=YES # # You may change the default value for timing out an idle session. @@ -107,6 +114,7 @@ connect_from_port_20=YES # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). +#chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd.chroot_list @@ -117,7 +125,6 @@ connect_from_port_20=YES # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # -# # Debian customization # # Some of vsftpd's settings don't fit the Debian filesystem layout by @@ -127,11 +134,11 @@ connect_from_port_20=YES # directory should not be writable by the ftp user. This directory is used # as a secure chroot() jail at times vsftpd does not require filesystem # access. -secure_chroot_dir=/var/run/vsftpd +secure_chroot_dir=/var/run/vsftpd/empty # # This string is the name of the PAM service vsftpd will use. pam_service_name=vsftpd # # This option specifies the location of the RSA certificate to use for SSL # encrypted connections. -rsa_cert_file=/etc/ssl/certs/vsftpd.pem +rsa_cert_file=/etc/ssl/private/vsftpd.pem diff --git a/files/var/ossec/rules/local_rules.xml.expect b/files/var/ossec/rules/local_rules.xml.expect new file mode 100644 index 0000000..71762d2 --- /dev/null +++ b/files/var/ossec/rules/local_rules.xml.expect 
@@ -0,0 +1,95 @@ + + + + + + + + + + 5711 + 1.1.1.1 + Example of rule that will ignore sshd + failed logins from IP 1.1.1.1. + + + + + + + + + + + + + + + + + + 1002 + rsync + Events ignored + + + + 1002 + ^sophie|^smartd + Ignore Sophie/SMARTd + + + + 3303 + Events ignored + + + + 3356 + Ignore blacklisted mail + + + + 1002 + cache + ^named + Ignore BIND cache warnings + + + + 2933 + Updated timestamp for job + ^anacron + Ignore Anacron warnings + + + diff --git a/files/var/ossec/rules/local_rules.xml.restore b/files/var/ossec/rules/local_rules.xml.restore new file mode 100644 index 0000000..f953404 --- /dev/null +++ b/files/var/ossec/rules/local_rules.xml.restore @@ -0,0 +1,56 @@ + + + + + + + + + + 5711 + 1.1.1.1 + Example of rule that will ignore sshd + failed logins from IP 1.1.1.1. + + + + + + + + + + + + + + diff --git a/src/functions.sh b/src/functions.sh index 1e831f4..ed78332 100644 --- a/src/functions.sh +++ b/src/functions.sh 
@@ -695,78 +695,42 @@ restore_configs () { local hostname domain config_new memtotal memlimit # restore simple configs - if pkg ntp-cn && pkg ntp lt 1:4.2.6.p2+dfsg-1+b1; then + if pkg ntp-cn && pkg ntp lt 1:4.2.6.p5+dfsg-2; then if restore_file /etc/ntp.conf; then postupgrade_reconfigure ntp-cn fi fi - if pkg kernel-2.6-cn && pkg procps lt 1:3.2.8-9; then - if restore_file /etc/sysctl.conf; then - postupgrade_reconfigure kernel-2.6-cn - fi - fi - - if pkg kernel-2.6-cn && pkg libpam-modules lt 1.1.1-6.1; then - if restore_file /etc/security/limits.conf; then - postupgrade_reconfigure kernel-2.6-cn - fi - fi - - if pkg vsftpd-cn && pkg vsftpd lt 2.3.2-3+squeeze2; then + if pkg vsftpd-cn && pkg vsftpd lt 2.3.5-3; then if restore_file /etc/vsftpd.conf; then postupgrade_reconfigure vsftpd-cn fi fi - if pkg squirrelmail-cn && pkg squirrelmail lt 2:1.4.21-2; then - if restore_file /etc/squirrelmail/apache.conf; then - postupgrade_reconfigure squirrelmail-cn + if pkg amavisd-cn && pkg amavisd-new lt 1:2.7.1-2; then + if restore_file /etc/cron.d/amavisd-new; then + rm -f /etc/cron.d/amavisd-new.$backup_ext + postupgrade_reconfigure amavisd-cn fi fi - if pkg spamassassin-cn && pkg spamassassin lt 3.3.1-1; then - if restore_file /etc/spamassassin/v310.pre; then - postupgrade_reconfigure spamassassin-cn + if pkg ossec-hids lt 2.7-1; then + if restore_file /var/ossec/rules/local_rules.xml; then + postupgrade_reconfigure ossec-hids-cn fi fi - if pkg amavisd-cn && pkg amavisd-new lt 1:2.6.4-3; then - if restore_file /etc/cron.daily/amavisd-new; then - rm -f /etc/cron.daily/amavisd-new.$backup_ext - postupgrade_reconfigure amavisd-cn + if pkg sasl2-bin lt 2.1.25.dfsg1-6+deb7u1; then + if restore_file /etc/default/saslauthd; then + postupgrade_reconfigure postfix-cn fi - - if restore_file /etc/amavis/conf.d/15-av_scanners; then - rm -f /etc/amavis/conf.d/15-av_scanners.$backup_ext - postupgrade_reconfigure amavisd-cn - fi - fi - - if pkg amavisd-cn lt 3:2.6.5; then - restore_file 
/etc/init.d/amavisd-cn - rm -f /etc/init.d/amavisd-cn.$backup_ext - fi - - if pkg console-tools lt 1:0.2.3dbs-69.1; then - restore_file /etc/console-tools/config fi - if pkg base-files lt 6.0squeeze2; then + if pkg base-files lt 7.1wheezy2; then restore_file /etc/issue restore_file /etc/issue.net fi - if pkg slapd lt 2.4.23-7.2; then - restore_file /etc/default/slapd - fi - - # dovecot won't start with these options - if pkg dovecot-cn && pkg dovecot-common lt 1:1.2.15-7; then - sed -i 's/^\( *\)\(sieve\(_storage\)\?=.*\)/\1#\2/' \ - /etc/dovecot/dovecot.conf - fi - # check if monitrc is template based if [ -e /etc/monit/monitrc ]; then # monit is removed at this point # regenerate config from template -- 1.7.10.4
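Review bot: The two new blocks `if pkg ossec-hids lt 2.7-1` and `if pkg sasl2-bin lt 2.1.25.dfsg1-6+deb7u1` request `postupgrade_reconfigure` for ossec-hids-cn and postfix-cn without first checking that those packages are installed, unlike the ntp, vsftpd and amavisd blocks beside them. On a host that has ossec-hids or sasl2-bin but not the matching -cn package, the config file is replaced and a reconfigure is requested for a package that is absent; how `postupgrade_reconfigure` reacts to that is not visible in this hunk. I would write `if pkg ossec-hids-cn && pkg ossec-hids lt 2.7-1; then` and `if pkg postfix-cn && pkg sasl2-bin lt 2.1.25.dfsg1-6+deb7u1; then`, and quote the expansion in `rm -f "/etc/cron.d/amavisd-new.$backup_ext"`. restore_configs starts before and continues after this hunk.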