As a side note: this is just a thread that is part of my
main thread, which is dedicated to securing Debian!
Before you start with the logrotation stuff you should
reconfigure syslog!
This customization doesn't really have anything to do with security; it just eases system administration:
Code:
----------------------------------------------------------------------
customized deluser [ /etc/deluser.conf ]
----------------------------------------------------------------------
REMOVE_HOME = 1
REMOVE_ALL_FILES = 1
BACKUP = 1
----------------------------------------------------------------------
----------------------------------------------------------------------
expanded skeleton for new users [ /etc/skel ]
----------------------------------------------------------------------
created bash logout script
created mutt configuration
mkdir /etc/skel/.ssh
touch /etc/skel/.ssh/authorized_keys
chmod go-rx -R /etc/skel
chmod 750 /etc/skel/.bash_logout
----------------------------------------------------------------------
So when you now delete a user, the home directory and all files belonging to that user will be removed, but they will be backed up first - just to be on the safe side.
When you create a new user an authorized_keys file will also be created (besides the mutt configuration stuff, etc). This file will be used for public/private key authentication, which provides greater security than password authentication.
I like and sometimes even require log files to be rotated at midnight. For that reason I decided to change logrotation:
Code:
----------------------------------------------------------------------
changed logrotate default configuration [ /etc/logrotate.conf ]
----------------------------------------------------------------------
# keep 12 weeks worth of backlogs
rotate 12
# logfiles are compressed
compress
# very strict file permissions
create 0640 root adm
/var/log/wtmp {
    prerotate
        chattr -u /var/log/wtmp
    endscript
    create 0660 root utmp
    postrotate
        chattr +u /var/log/wtmp
    endscript
}
----------------------------------------------------------------------
----------------------------------------------------------------------
modified logrotation
----------------------------------------------------------------------
log files need to be rotated at midnight (accounting, etc),
thus adjusting the time for cron.daily or separating the
logrotate job is required.
I decided on separating the logrotate job since it provides
a cleaner solution IMHO.
rm /etc/cron.daily/logrotate
created /etc/cron.d/logrotate
00 00 * * * root /usr/sbin/logrotate /etc/logrotate.conf
----------------------------------------------------------------------
----------------------------------------------------------------------
adjusted syslog logrotation
----------------------------------------------------------------------
created /etc/logrotate.d/syslog:
/var/log/auth.log
/var/log/cron.log
/var/log/daemon.log
/var/log/kern.log
/var/log/lpr.log
/var/log/user.log
/var/log/uucp.log
{
    weekly
    sharedscripts
    prerotate
        chattr -a \
            /var/log/auth.log \
            /var/log/cron.log \
            /var/log/daemon.log \
            /var/log/kern.log \
            /var/log/lpr.log \
            /var/log/user.log \
            /var/log/uucp.log
    endscript
    rotate 12
    postrotate
        /usr/bin/killall -HUP syslogd
        chattr +a \
            /var/log/auth.log \
            /var/log/cron.log \
            /var/log/daemon.log \
            /var/log/kern.log \
            /var/log/lpr.log \
            /var/log/user.log \
            /var/log/uucp.log
    endscript
}
/var/log/critical.log
/var/log/emergency.log
/var/log/error.log
/var/log/info.log
{
    daily
    sharedscripts
    prerotate
        chattr -a \
            /var/log/critical.log \
            /var/log/emergency.log \
            /var/log/error.log \
            /var/log/info.log
    endscript
    rotate 7
    postrotate
        /usr/bin/killall -HUP syslogd
        chattr +a \
            /var/log/critical.log \
            /var/log/emergency.log \
            /var/log/error.log \
            /var/log/info.log
    endscript
}
/var/log/mail.log
{
    monthly
    sharedscripts
    prerotate
        chattr -a /var/log/mail.log
    endscript
    rotate 12
    postrotate
        /usr/bin/killall -HUP syslogd
        chattr +a /var/log/mail.log
    endscript
}
removed old syslog logrotation scripts
rm /etc/cron.daily/sysklogd
rm /etc/cron.weekly/sysklogd
removed no longer required files (old logfiles)
rm -f /var/log/*
recreating logfiles and adjusting permissions
touch /var/log/wtmp
/etc/init.d/sysklogd restart
/usr/sbin/logrotate /etc/logrotate.conf
----------------------------------------------------------------------
This sets more restrictive permissions on logfiles. Separate logs make it easier for scripts to parse through them ... and easier to check out what went wrong in case something breaks - at least IMHO.
And since I'm a lazy person I like to automate tasks like ntp time sync, etc:
Code:
----------------------------------------------------------------------
created ntp time sync job and script
----------------------------------------------------------------------
cronjob to adjust time daily at 03:01
[ /etc/cron.d/ntp_time_sync ]
01 03 * * * root /usr/local/sbin/ntp_time_sync.sh
created ntp_time_sync script
[ /usr/local/sbin/ntp_time_sync.sh ]
#!/bin/sh
# sync the clock from the servers listed in /etc/default/ntp-servers
test -f /usr/sbin/ntpdate || exit 0
test -f /etc/default/ntp-servers || exit 0
. /etc/default/ntp-servers
test -n "$NTPSERVERS" || exit 0
/usr/sbin/ntpdate -u -b -s $NTPSERVERS
----------------------------------------------------------------------
----------------------------------------------------------------------
created tmp cleanup script [ /etc/cron.daily/tmp_cleanup.sh ]
----------------------------------------------------------------------
#!/bin/sh
# clean up /tmp and /var/tmp: remove files not accessed for more than 3 days
if [ -d /tmp -a -d /var/tmp ]
then
    find /tmp -type f -atime +3 -exec rm {} \;
    find /var/tmp -type f -atime +3 -exec rm {} \;
fi
----------------------------------------------------------------------
----------------------------------------------------------------------
built PHP for use at command line [ /usr/local/bin/php ]
----------------------------------------------------------------------
compiled at other host with configure options:
./configure \
--prefix=/usr/local \
--enable-force-cgi-redirect \
--enable-discard-path \
--disable-path-info-check \
--enable-safe-mode \
--disable-rpath \
--disable-short-tags \
--enable-bcmath \
--enable-dio \
--enable-ftp \
--disable-session \
--enable-sockets \
--enable-memory-limit
only members of group php_cmd should have access to it:
groupadd php_cmd
chown root:php_cmd /usr/local/bin/php
chmod 750 /usr/local/bin/php
----------------------------------------------------------------------
You might not need PHP for your system. I just prefer it over using Perl-DBI for database stuff. I'm no Perl expert and that's why the scripts which will create all the configuration data from the database are written in PHP. One of those scripts will for instance read out the zone data and construct the files for BIND, another one will create the users/passwords for SMTP AUTH, etc.
In case I need to switch off the system I want it to shut down properly:
Code:
----------------------------------------------------------------------
configured modules [ /etc/modules ]
----------------------------------------------------------------------
# power down
apm power_off=1
----------------------------------------------------------------------
I also like to have a central place (as much as possible) for email addresses; this file will be read by all of the scripts I code:
Code:
----------------------------------------------------------------------
created default file for SuK scripts [ /etc/default/suk_scripts ]
----------------------------------------------------------------------
# settings for scripts coded by Markus Welsch for SuK
ROOTMAIL="linux-admins@example.com"
----------------------------------------------------------------------
At the end of the boot process I like to clear the screen ... nobody needs to know what happened before :-)
Code:
----------------------------------------------------------------------
screen clearing startup script [ /etc/init.d/clear_screen ]
----------------------------------------------------------------------
created /etc/init.d/clear_screen:
#!/bin/sh
# clear screen after boot process finished
#
# Markus Welsch <linux@markus-welsch.de>
clear
implemented script in boot process (last stage before login):
update-rc.d clear_screen start 98 2 3 4 5 .
----------------------------------------------------------------------
----------------------------------------------------------------------
created .bash_logout script for root [ /root/.bash_logout ]
----------------------------------------------------------------------
#!/bin/bash
clear
----------------------------------------------------------------------
Do you like statistics? Well at least monthly I'd like to get mail statistics:
Code:
----------------------------------------------------------------------
implemented monthly mail report script
----------------------------------------------------------------------
created /usr/local/sbin/mail_report_monthly.sh
#!/bin/sh
# mail a pflogsumm summary of last month's mail.log to ROOTMAIL
if [ -f /etc/default/suk_scripts ]; then
    . /etc/default/suk_scripts
else
    ROOTMAIL="root@`hostname --fqdn`"
fi
if [ -f /var/log/mail.log.1.gz ]; then
    gunzip --stdout /var/log/mail.log.1.gz |
    grep "^`date -d '1 month ago' +%b`" |
    /usr/sbin/pflogsumm.pl \
        -h 10 \
        --ignore_case \
        --no_bounce_detail \
        --no_deferral_detail \
        --no_reject_detail \
        -u 10 \
        --zero_fill |
    /usr/bin/mailx \
        -s "mail report for `hostname --fqdn` (`date -d '1 month ago' +'%b %Y'`)" \
        ${ROOTMAIL}
fi
added as monthly cronjob [ /etc/cron.d/mail_report_monthly ]:
00 02 1 * * root /usr/local/sbin/mail_report_monthly.sh
----------------------------------------------------------------------
This relies on pflogsumm 1.0.10. I'm using a Beta version here since I'm using a backported Postfix 2 package (for its improved LMTP support).
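The /etc/cron.d entries above (logrotate, ntp_time_sync and mail_report_monthly) must each fit on one line: cron never joins a line that ends in a backslash with the next one, so a wrapped entry silently turns into two broken ones. The following lint script is an added example, not part of the original post; the two sample files it writes are constructed here, and the function name lint_crond_file is my own.

```shell
#!/bin/sh
# Lint an /etc/cron.d file: every entry must be a single line of the form
#   min hour dom mon dow user command
# Two faults are reported: a trailing backslash (cron does not continue
# lines) and an entry with fewer than seven fields.

# Print one diagnostic per faulty line; return 0 only when the file is clean.
lint_crond_file() {
    file=$1
    rc=0
    lineno=0
    set -f   # no globbing: the '*' time fields must stay literal
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) continue ;;            # blank line or comment
            [A-Za-z_]*=*) continue ;;      # environment setting such as MAILTO=
        esac
        case "$line" in
            *\\) echo "$file:$lineno: trailing backslash; cron does not continue lines"
                 rc=1 ;;
        esac
        set -- $line
        if [ $# -lt 7 ]; then
            echo "$file:$lineno: expected 'min hour dom mon dow user command', got $# field(s)"
            rc=1
        fi
    done < "$file"
    set +f
    return $rc
}

# Constructed samples (not from the original post): a correct one-line entry,
# and an entry of the same kind wrapped across two lines.
good=$(mktemp) && bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
printf '%s\n' '# constructed sample' 'MAILTO=root' \
    '00 00 * * * root /usr/sbin/logrotate /etc/logrotate.conf' > "$good"
printf '%s\n' '01 03 * * * root \' \
    '/usr/local/sbin/ntp_time_sync.sh' > "$bad"

lint_crond_file "$good" && echo "$good: ok"
lint_crond_file "$bad" || echo "$bad: needs fixing"
```

Run it against each file in /etc/cron.d after editing; a clean file produces no diagnostics and exit status 0.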
If you have questions to any of the above just post :-)