Added alert_email variable for various e-mail alerts/notifications

pyllyukko · Feb 22, 2025 · b6963cf · b6963cf
1 parent bc44a3e
commit b6963cf
Show file tree

Hide file tree

Showing 10 changed files with 71 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -248,6 +248,8 @@ Usage
 * :warning: **WARNING**: There is a hazard with immutable `loginuid` enabled in auditing in non-systemd systems (Slackware). See longer description of this in the [wiki](https://github.com/pyllyukko/harden.yml/wiki/PAM#pam_loginuidso).
 * :file_folder: Review `/etc/fstab.new` manually and deploy applicable changes to `/etc/fstab`
 * :bulb: Consider running a hardened kernel. For Slackware you can check out my other project [kspp\_confnbuild](https://github.com/pyllyukko/kspp_confnbuild) that has been (mostly) configured according to [KSPP](https://kspp.github.io/)'s [recommendations](https://kspp.github.io/Recommended_Settings). You can use [kernel-hardening-checker](https://github.com/a13xp0p0v/kernel-hardening-checker) to check your kernel configs.
+* :envelope: Make sure your system is able to send e-mails somehow. Many of the tools will be sending alerts about various anomalies.
+* :wood::eyes: Consider installing and configuring Logwatch
 
 ### Tags
 

diff --git a/molecule/debian/verify.yml b/molecule/debian/verify.yml
@@ -38,7 +38,7 @@
         /etc/default/rkhunter: 8d1603fb5894d72ed80c49fe983b4b7a1d30f88d40348455c0c21c79cbc015e24f06882cb7242b535e27461d6060198007910e693f89e5877b6e6be73816771a
         /etc/default/useradd: 90cb716a702d9c5955d13db2328b7fc31f82fbcf3e5addb02ff0f43472260ffe162c3f7bbf53630b8a81d90c34950d59c2d8aa43543e2640ccafa236b9aa4bde
         /etc/default/debsums: 8264b7fbaf38963d8463dba850661eca8ff6d4ef684d159c95354a1080f0b5480a2ab125d6b503a9ec21e7d7d8509d718effb94047c3eb5d62669056a3c7ac50
-        /etc/default/aide: c3369fc5c53630b13e90328aa73bd7fa4b7b951fb70178c57a43d37fe029928bdeb34da01f20e41e059a115f25cab1e8f0026352b6318cee5230e4d7b8ec73c1
+        /etc/default/aide: e35721ceb3a9259c146ba11a2e419511180171e81436ac331ee6411552ab477932d74d87c263277adae1d3f87d712bee27e1f0bc6903823ae3c698ced16269aa
         /etc/sysctl.d/network.conf: 584a05f1886a0c5b71e017502824795a391f97ecf5a6e28933d10a009963fcb59fc979e728cd2e731682572cd77c057fcd0e5b4170662c55f354b0e9903a2c74
         /etc/sysctl.d/sysctl.conf: 82d72a45f0c21cd10f4486c08af05f6e8df7836c2692b648d44dc2955b36f527c140e048675d21b7c8b25b7fc801e3a3b89d0f03df63009d667f7480f2e8be56
         /usr/lib/sysctl.d/10-hardening.conf: 785a4578cb11ee470beecc75ca0a76988d3b81b9752cf787eff931e317b4303a58c7d57c1d4a4ea5b7e7422d0617a80ebea0d82d7409ddd04f7780d49bd67728

diff --git a/tasks/aide.yml b/tasks/aide.yml
@@ -25,10 +25,11 @@
     - name: Configure AIDE (/etc/default/aide)
       ansible.builtin.replace:
         path: /etc/default/aide
-        regexp: '^({{ item.key }}=).*$'
+        regexp: '^#?({{ item.key }}=).*$'
         replace: '\g<1>{{ item.value }}'
       with_dict:
         COPYNEWDB: ifnochange
+        MAILTO: '{{ alert_email }}'
       tags: configuration
       notify: "Create aide.db"
     - name: Exclude /net

diff --git a/tasks/debian_packages.yml b/tasks/debian_packages.yml
@@ -167,6 +167,18 @@
         vtype: select
         value: "{{ ansible_distribution_release }}"
       tags: configuration
+    - name: Configure debsecan MAILTO
+      tags:
+        - configuration
+      ansible.builtin.replace:
+        path: '{{ item }}'
+        regexp: '^(MAILTO)=.*$'
+        replace: '\g<1>={{ alert_email }}'
+        validate: '/bin/grep "^MAILTO={{ alert_email }}$" %s'
+        backup: true
+      with_items:
+        - /etc/default/debsecan
+        - /etc/cron.d/debsecan
 
 # debsums
 - name: debsums
@@ -215,9 +227,9 @@
         replace: '\g<1>{{ chkrootkit_conf_dir }}/chkrootkit.ignore'
     - name: Configure chkrootkit.conf
       tags: configuration
-      ansible.builtin.copy:
+      ansible.builtin.template:
         dest: "{{ chkrootkit_conf_dir }}/chkrootkit.conf"
-        src: chkrootkit.conf
+        src: chkrootkit.conf.j2
         owner: root
         group: root
         mode: '0600'
@@ -271,6 +283,20 @@
         group: root
         mode: '0644'
         force: false
+    - name: Configure email_address in /etc/apt/listchanges.conf
+      community.general.ini_file:
+        path: /etc/apt/listchanges.conf
+        section: apt
+        option: email_address
+        value: "{{ alert_email }}"
+        owner: root
+        group: root
+        mode: '0644'
+        create: false
+      register: result
+      failed_when:
+        - result.failed
+        - result.msg != "Destination /etc/apt/listchanges.conf does not exist!"
 
 # https://www.whonix.org/wiki/Packages_for_Debian_Hosts
 # https://www.kicksecure.com/wiki/Packages_for_Debian_Hosts#Supported_Packages

diff --git a/tasks/misc.yml b/tasks/misc.yml
@@ -384,3 +384,36 @@
             # Let the user know this is a restricted environment.
             shopt restricted_shell
           fi
+  # </rbash>
+
+- name: Configure MAILADDR in /etc/cron.daily/certwatch
+  become: true
+  when: ansible_distribution == "Slackware"
+  tags:
+    - slackware
+    - configuration
+    - pki
+  ansible.builtin.replace:
+    path: /etc/cron.daily/certwatch
+    regexp: '^(MAILADDR)=.+$'
+    replace: '\g<1>={{ alert_email }}'
+    validate: '/bin/grep "^MAILADDR={{ alert_email }}$" %s'
+    backup: true
+  register: result
+  failed_when:
+    - result.failed == true
+    - result.msg != "Path /etc/cron.daily/certwatch does not exist !"
+- name: Configure MAILADDR in /etc/mdadm.conf
+  become: true
+  tags:
+    - configuration
+  ansible.builtin.replace:
+    path: /etc/mdadm.conf
+    regexp: '^#?(MAILADDR\s+).*$'
+    replace: '\g<1>{{ alert_email }}'
+    validate: '/bin/grep "^MAILADDR\s\+{{ alert_email }}$" %s'
+    backup: true
+  register: result
+  failed_when:
+    - result.failed == true
+    - result.msg != "Path /etc/mdadm.conf does not exist !"
diff --git a/files/chkrootkit.conf → templates/chkrootkit.conf.j2 b/files/chkrootkit.conf → templates/chkrootkit.conf.j2
@@ -63,7 +63,7 @@ IGNORE_FILE="/etc/chkrootkit/chkrootkit.ignore"
 ## Email address to which output is sent.
 #  If empty, no email is sent by chkrootkit-daily: output is left on stdout
 #  (if running under cron stdout may be emailed)
-MAILTO="root"
+MAILTO="{{ alert_email }}"
 
 
 ### The remaining options are commented out as the defaults are likely

diff --git a/templates/rkhunter.conf.j2 b/templates/rkhunter.conf.j2
@@ -133,7 +133,7 @@
 #
 # Also see the MAIL_CMD option.
 #
-#MAIL-ON-WARNING=me@mydomain   root@mydomain
+MAIL-ON-WARNING={{ alert_email }}
 
 #
 # This option specifies the mail command to use if MAIL-ON-WARNING is set.

diff --git a/templates/sudoers.j2 b/templates/sudoers.j2
@@ -34,6 +34,7 @@ Cmnd_Alias	NOIOLOG = /usr/bin/sudoreplay
 ##
 Defaults	secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
 Defaults	mail_badpass, mail_no_host, mail_no_perms, mail_no_user
+Defaults	mailto="{{ alert_email }}"
 Defaults	env_reset
 {% if ansible_distribution == "Slackware" %}
 Defaults	syslog=auth, syslog_pid

diff --git a/templates/tigerrc.j2 b/templates/tigerrc.j2
@@ -311,7 +311,7 @@ Tiger_Crack_Local=Y
 #
 # Who gets output from 'tigercron'?
 #
-Tiger_Mail_RCPT=root
+Tiger_Mail_RCPT={{ alert_email }}
 #
 # List of '/' separated filename globs (NOT pathnames) to look for
 # on the filesystems.

diff --git a/vars.yml b/vars.yml
@@ -68,3 +68,4 @@ clamav: {
   'pid': "/run/clamav/clamd.pid"
 }
 logind_conf_location: '{% if ansible_distribution == "Slackware" %}/etc/elogind/logind.conf{% else %}/etc/systemd/logind.conf{% endif %}'
+alert_email: 'root'