Added alert_email variable for various e-mail alerts/notifications

README.md

@@ -248,6 +248,8 @@ Usage
 * :warning: **WARNING**: There is a hazard with immutable `loginuid` enabled in auditing in non-systemd systems (Slackware). See longer description of this in the [wiki](https://github.com/pyllyukko/harden.yml/wiki/PAM#pam_loginuidso).
 * :file_folder: Review `/etc/fstab.new` manually and deploy applicable changes to `/etc/fstab`
 * :bulb: Consider running a hardened kernel. For Slackware you can check out my other project [kspp\_confnbuild](https://github.com/pyllyukko/kspp_confnbuild) that has been (mostly) configured according to [KSPP](https://kspp.github.io/)'s [recommendations](https://kspp.github.io/Recommended_Settings). You can use [kernel-hardening-checker](https://github.com/a13xp0p0v/kernel-hardening-checker) to check your kernel configs.
+* :envelope: Make sure your system is able to send e-mails somehow. Many of the tools will be sending alerts about various anomalies.
+* :wood::eyes: Consider installing and configuring Logwatch
 
 ### Tags
 

tasks/aide.yml

@@ -25,10 +25,11 @@
     - name: Configure AIDE (/etc/default/aide)
       ansible.builtin.replace:
         path: /etc/default/aide
-        regexp: '^({{ item.key }}=).*$'
+        regexp: '^#?({{ item.key }}=).*$'
         replace: '\g<1>{{ item.value }}'
       with_dict:
         COPYNEWDB: ifnochange
+        MAILTO: '{{ email_alert }}'
       tags: configuration
       notify: "Create aide.db"
     - name: Exclude /net

tasks/debian_packages.yml

@@ -167,6 +167,18 @@
         vtype: select
         value: "{{ ansible_distribution_release }}"
       tags: configuration
+    - name: Configure debsecan MAILTO
+      tags:
+        - configuration
+      ansible.builtin.replace:
+        path: '{{ item }}'
+        regexp: '^(MAILTO)=.*$'
+        replace: '\g<1>={{ email_alert }}'
+        validate: '/bin/grep "^MAILTO={{ email_alert }}$" %s'
+        backup: true
+      with_items:
+        - /etc/default/debsecan
+        - /etc/cron.d/debsecan
 
 # debsums
 - name: debsums
@@ -215,9 +227,9 @@
         replace: '\g<1>{{ chkrootkit_conf_dir }}/chkrootkit.ignore'
     - name: Configure chkrootkit.conf
       tags: configuration
-      ansible.builtin.copy:
+      ansible.builtin.template:
         dest: "{{ chkrootkit_conf_dir }}/chkrootkit.conf"
-        src: chkrootkit.conf
+        src: chkrootkit.conf.j2
         owner: root
         group: root
         mode: '0600'
@@ -271,6 +283,20 @@
         group: root
         mode: '0644'
         force: false
+    - name: Configure email_address in /etc/apt/listchanges.conf
+      community.general.ini_file:
+        path: /etc/apt/listchanges.conf
+        section: apt
+        option: email_address
+        value: "{{ alert_email }}"
+        owner: root
+        group: root
+        mode: '0644'
+        create: false
+      register: result
+      failed_when:
+        - result.failed
+        - result.msg != "Destination /etc/apt/listchanges.conf does not exist!"
 
 # https://www.whonix.org/wiki/Packages_for_Debian_Hosts
 # https://www.kicksecure.com/wiki/Packages_for_Debian_Hosts#Supported_Packages

tasks/misc.yml

@@ -384,3 +384,36 @@
             # Let the user know this is a restricted environment.
             shopt restricted_shell
           fi
+  # </rbash>
+
+- name: Configure MAILADDR in /etc/cron.daily/certwatch
+  become: true
+  when: ansible_distribution == "Slackware"
+  tags:
+    - slackware
+    - configuration
+    - pki
+  ansible.builtin.replace:
+    path: /etc/cron.daily/certwatch
+    regexp: '^(MAILADDR)=.+$'
+    replace: '\g<1>={{ email_alert }}'
+    validate: '/bin/grep "^MAILADDR={{ email_alert }}$" %s'
+    backup: true
+  register: result
+  failed_when:
+    - result.failed == true
+    - result.msg != "Path /etc/cron.daily/certwatch does not exist !"
+- name: Configure MAILADDR in /etc/mdadm.conf
+  become: true
+  tags:
+    - configuration
+  ansible.builtin.replace:
+    path: /etc/mdadm.conf
+    regexp: '^#?(MAILADDR\s+).*$'
+    replace: '\g<1>{{ email_alert }}'
+    validate: '/bin/grep "^MAILADDR\s\+{{ email_alert }}$" %s'
+    backup: true
+  register: result
+  failed_when:
+    - result.failed == true
+    - result.msg != "Path /etc/mdadm.conf does not exist !"

files/chkrootkit.conf → templates/chkrootkit.conf.j2

@@ -63,7 +63,7 @@ IGNORE_FILE="/etc/chkrootkit/chkrootkit.ignore"
 ## Email address to which output is sent.
 #  If empty, no email is sent by chkrootkit-daily: output is left on stdout
 #  (if running under cron stdout may be emailed)
-MAILTO="root"
+MAILTO="{{ email_alert }}"
 
 
 ### The remaining options are commented out as the defaults are likely

templates/rkhunter.conf.j2

@@ -133,7 +133,7 @@
 #
 # Also see the MAIL_CMD option.
 #
-#MAIL-ON-WARNING=me@mydomain   root@mydomain
+MAIL-ON-WARNING={{ alert_email }}
 
 #
 # This option specifies the mail command to use if MAIL-ON-WARNING is set.

templates/sudoers.j2

@@ -34,6 +34,7 @@ Cmnd_Alias	NOIOLOG = /usr/bin/sudoreplay
 ##
 Defaults	secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
 Defaults	mail_badpass, mail_no_host, mail_no_perms, mail_no_user
+Defaults	mailto="{{ alert_email }}"
 Defaults	env_reset
 {% if ansible_distribution == "Slackware" %}
 Defaults	syslog=auth, syslog_pid

templates/tigerrc.j2

@@ -311,7 +311,7 @@ Tiger_Crack_Local=Y
 #
 # Who gets output from 'tigercron'?
 #
-Tiger_Mail_RCPT=root
+Tiger_Mail_RCPT={{ alert_email }}
 #
 # List of '/' separated filename globs (NOT pathnames) to look for
 # on the filesystems.

vars.yml

@@ -68,3 +68,4 @@ clamav: {
   'pid': "/run/clamav/clamd.pid"
 }
 logind_conf_location: '{% if ansible_distribution == "Slackware" %}/etc/elogind/logind.conf{% else %}/etc/systemd/logind.conf{% endif %}'
+alert_email: 'root'