chkrootkit: Conditional ignoring of /dev/shm/FTL-(overTime|queries)

pyllyukko · Feb 4, 2024 · 2ec527e · 2ec527e
1 parent deb1ad0
commit 2ec527e
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 11 deletions.
diff --git a/tasks/debian_packages.yml b/tasks/debian_packages.yml
@@ -179,23 +179,18 @@
     - debian
   block:
     # See https://github.com/pyllyukko/harden.yml/wiki/chkrootkit
+    - name: getent passwd
+      ansible.builtin.getent:
+        database: passwd
+      tags: check
     - name: Create /etc/chkrootkit/chkrootkit.ignore
       tags: configuration
-      ansible.builtin.copy:
+      ansible.builtin.template:
         dest: "{{ chkrootkit_conf_dir }}/chkrootkit.ignore"
+        src: chkrootkit.ignore.j2
         owner: root
         group: root
         mode: '0400'
-        content: |
-          ^/usr/lib/debug/\.build-id$
-          ^/usr/lib/libreoffice/share/\.registry$
-          ^/usr/lib/jvm/\.java-1\.17\.0-openjdk-arm(64|hf)\.jinfo$
-          ^/usr/lib/pypy/lib_pypy/ctypes_config_cache/\.empty$
-          ^/usr/lib/python3/dist-packages/numpy/(core/include/numpy/\.doxyfile|f2py/tests/src/(f2cmap/\.f2py_f2cmap|assumed_shape/\.f2py_f2cmap))$
-          ^/usr/lib/python3/dist-packages/matplotlib/tests/(tinypages/(_static/)?\.gitignore|baseline_images/\.keep)$
-          ^/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/\.(prettier(ignore|rc)|eslintrc\.js)$
-          ^/usr/lib/ruby/gems/3\.1\.0/gems/typeprof-0\.21\.2/vscode/.(gitignore|vscode(ignore)?)$
-          ^/usr/lib/ruby/vendor_ruby/rubygems/(optparse|ssl_certs|tsort)/\.document$
     - name: Configure /etc/cron.daily/chkrootkit to use chkrootkit.ignore
       tags: configuration
       ansible.builtin.replace:

diff --git a/templates/chkrootkit.ignore.j2 b/templates/chkrootkit.ignore.j2
@@ -0,0 +1,12 @@
+^/usr/lib/debug/\.build-id$
+^/usr/lib/libreoffice/share/\.registry$
+^/usr/lib/jvm/\.java-1\.17\.0-openjdk-arm(64|hf)\.jinfo$
+^/usr/lib/pypy/lib_pypy/ctypes_config_cache/\.empty$
+^/usr/lib/python3/dist-packages/numpy/(core/include/numpy/\.doxyfile|f2py/tests/src/(f2cmap/\.f2py_f2cmap|assumed_shape/\.f2py_f2cmap))$
+^/usr/lib/python3/dist-packages/matplotlib/tests/(tinypages/(_static/)?\.gitignore|baseline_images/\.keep)$
+^/usr/lib/python3/dist-packages/matplotlib/backends/web_backend/\.(prettier(ignore|rc)|eslintrc\.js)$
+^/usr/lib/ruby/gems/3\.1\.0/gems/typeprof-0\.21\.2/vscode/.(gitignore|vscode(ignore)?)$
+^/usr/lib/ruby/vendor_ruby/rubygems/(optparse|ssl_certs|tsort)/\.document$
+{% if getent_passwd.pihole is defined %}
+^/dev/shm/FTL-(overTime|queries)$
+{% endif %}