equalitie / caislean Goto Github PK

Hello Equalit.ie team,

I'm testing Caislean on Debian 7 / Linode 4G VPS
I am having this error. Disappears the 2nd time I am pushing the playbook
TASK: [common | Install /etc/aliases] *****************************************
changed: [server.mydomain.com]
ERROR: change handler (update mail aliases) is not defined

Need to either use logrotate or deactivate it or have it use a bigger refresh interval

For better analyzing traffic after receiving a Suricata alert

For now nginx blocks everything but changepassword.

Such as barnyard2, sguil or snorby

This would avoid computing the base DN in every template file that needs it...

This is the way that is encouraged and the plaintext configuration may become deprecated. It is also the default way of storing config on Jessie.

We could encrypt the logs upon rotation with a predefined PGP key, to reduce the potential consequences in case the box is compromised. This is particularly true for the full packet collection.

The /proc fs can be mounted with the "hidepid" option, forbidding users to see information on processes they don't own.

See http://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/

Although the admin is warned by email when new packages can be upgraded, some of the upgrades could maybe be made fully automatic, if the risk of breaking anything is low.

SpamAssassin cron job fails to verify its update due to a GPG error.

Reproduction steps:

1. Install a fresh version of Debian 8 (Jessie) on the target machine
2. Run the common role against this machine

Expected results

The tasks in the sysctl.yml playbook complete successfully.

Actual results

The sysctl.yml tasks fail the first time they are run against a new installation, but succeed the second and subsequent times. Possible race condition or timing issue with the previous task?

Depending on the application used, the way to properly serve the right TLS certificate may vary.

For instance, some applications require the certificate file to only contain the server certificate while for others it is better to have the certificate chain up to the root CA.

In addition, for the XMPP server, the common name (or one SubjectAltName entry) must be the served domain rather than the hostname the server is running on.

So we should probably:

• create a file that has a concatenation of server + root CA cert
• document the use of SubjectAltName to make the cert valid for both host name, domain name and possibly IP address

nginx configuration needs some modifications to make Owncloud's WebDAV support work

Also do not inspect inbound UDP 1194 as it is used by OpenVPN and completely encrypted. This would save some CPU.

OpenLDAP extensions do exist to do that.

Hi
Not a blocking issue but worth mentionning :)

I tried to deploy Wordpress recipe with the following MySQL root password L7c%UU(T+n\t({*~][24,/y

It was probably cut at some point of the string, hence authenfication could not work for creating WordPress user.
Solution is to use a only alphanumeric password.

While Emerging Threats rules are quite complete, it would be interesting to be able to combine them with other sources, such as Snort community rules.

This however implies to find a way to solve conflicting files between rules archives, notably the file sid-msg.map.

It seems the current way it is done may lock the SSH connection down. Still needs to be confirmed/reproduced, as what state=reloaded does exactly is unsure.

Would it be a good idea to upload Caislean to Ansible galaxy once in a complete state?

This would avoid unforeseen downtime for users.

Using their hashes, at boot time as well as periodically.

Possibly using rkhunter, which has a this kind of feature.

As per the wiki. Any questions/requests/objections can live here.

We use debconf options to setup the slapd package before it is installed, which includes our domain (that sets our base DN) and the password for the administrator account. Reconfiguring the package after its installation and initial setup will need another method.

Reproduction steps

1. Complete all prerequisites for the openldap role.
2. Run the openldap role against a Debian 8 target machine.

Expected result

The openldap role completes successfully.

Actual result

The openldap role fails at the following task: Add organizationalUnit mail LDAP entry (1/2). This seems to be because the mail_ou.ldif.j2 template does not exist.

Using for instance Debian's checkrestart

This makes the playbook fail when trying to retrieve the local SID in order to populate the LDAP tree using smbldap-populate. Slapd should probably be force-restarted before retrieve it?

Reproduction steps

1. Run all wordpress role prerequisites, including openldap
2. Follow the manual steps in doc/role-doc/wordpress.md to install the wpDirAuth plugin for Wordpress
3. Go to the "Directory Auth." submenu in the Settings menu

Expected results

Directory Authentication Options are displayed

Actual results

Possible solution

Install the php5-ldap package iff the user indicates they wish to use LDAP authentication for Wordpress (maybe via a host_vars variable?)

At this moment, incremental remote backups with duplicity require the presence of the private key on the system, in order to decrypt the last remote backup and make the increment.

A way could be to:

• make a local backup, unencrypted
• use this local backup as a basis for the increments
• encrypt and send the backup to the remote system, which thus would not need the private key

Reproduction steps

1. Install the common, tls and nginx roles
2. Visit the default website over a TLS secured connection

Expected result

Browser warning about the self-signed certificate, but I can add an exception

Actual result

In Iceweasel (Firefox), I get a message that includes the paragraph, "This site uses HTTP Strict Transport Security (HSTS) to specify that Iceweasel only connect to it securely. As a result, it is not possible to add an exception for this certificate." The webpage cannot be displayed.

Workaround

Use the letsencrypt role to replace the tls role's self-signed certificates with ones trusted by most browsers.

Possible solution

Modify the nginx role to disable HSTS when using self-signed certificates.

It is safer to do it with a second, backup, public key (in case the in-production one gets compromised/canceled/etc.)

Now that we have the documentation in-repo in Markdown, should the old documentation and specifications on the wiki be deleted or migrated? It seems like documentation could bifurcate a bit with two systems in place.

Unfortunately, this seems to be caused by Duplicity being unable to parse an IPv6 address in a URI.

Rather than requiring manual generation by the admin, Diffie Hellmann (file /etc/ssl/dhparam.pem) parameters could be:

• autogenerated directly on the server if they don't exist yet;
• renewed every month or so through a Cron job

• they're in wp-config.php
• helps mitigating potentially compromised accounts

Need to change ownership of /etc/snort/rules as well as who executes the cron job

Hello

PHP 5.4 is EOL since Sept 15.

Otherwise samba play fails with setting directories ownerships.

To reduce the risks in case of compromission of the box, notaby if full packet logging is enabled.

Need to find a way so that Postfix:

1. looks up real users
2. looks up virtual users if no real one matches

• suricata listening on network interface
• a hidden process
• cron (and subprocesses) using a deleted file

When another server connects as a client using a 8192 bits long key, the SSL handshake fails with 'excessive message lenght' from SSL.