deprec 2.1.8 → 2.1.10

data/lib/deprec/templates/stunnel/stunnel.conf-client

@@ -0,0 +1,70 @@
+; Sample stunnel configuration file by Michal Trojnara 2002-2006
+; Some options used here may not be adequate for your particular configuration
+; Please make sure you understand them (especially the effect of chroot jail)
+
+; Certificate/key is needed in server mode and optional in client mode
+; cert = /etc/stunnel/syslog-client.pem
+; key = /etc/stunnel/syslog-client.pem
+
+; Protocol version (all, SSLv2, SSLv3, TLSv1)
+sslVersion = SSLv3
+
+; Some security enhancements for UNIX systems - comment them out on Win32
+chroot = /var/lib/stunnel4/
+setuid = stunnel4
+setgid = stunnel4
+; PID is created inside chroot jail
+pid = /stunnel4.pid
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+;compression = rle
+
+; Workaround for Eudora bug
+;options = DONT_INSERT_EMPTY_FRAGMENTS
+
+; Authentication stuff
+;verify = 2
+; Don't forget to c_rehash CApath
+; CApath is located inside chroot jail
+;CApath = /certs
+; It's often easier to use CAfile
+;CAfile = /etc/stunnel/certs.pem
+; Don't forget to c_rehash CRLpath
+; CRLpath is located inside chroot jail
+;CRLpath = /crls
+; Alternatively you can use CRLfile
+;CRLfile = /etc/stunnel/crls.pem
+
+; Some debugging stuff useful for troubleshooting
+;debug = 7
+;output = /var/log/stunnel4/stunnel.log
+
+; Use it for client mode
+client = yes
+
+; Service-level configuration
+
+[5140]
+accept = 127.0.0.1:514
+connect = e10:5140
+
+;[pop3s]
+;accept  = 995
+;connect = 110
+
+;[imaps]
+;accept  = 993
+;connect = 143
+
+;[ssmtp]
+;accept  = 465
+;connect = 25
+
+;[https]
+;accept  = 443
+;connect = 80
+;TIMEOUTclose = 0
+
+; vim:ft=dosini

data/lib/deprec/templates/stunnel/stunnel.conf-orig

@@ -0,0 +1,66 @@
+; Sample stunnel configuration file by Michal Trojnara 2002-2006
+; Some options used here may not be adequate for your particular configuration
+; Please make sure you understand them (especially the effect of chroot jail)
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/stunnel/mail.pem
+;key = /etc/stunnel/mail.pem
+
+; Protocol version (all, SSLv2, SSLv3, TLSv1)
+sslVersion = SSLv3
+
+; Some security enhancements for UNIX systems - comment them out on Win32
+chroot = /var/lib/stunnel4/
+setuid = stunnel4
+setgid = stunnel4
+; PID is created inside chroot jail
+pid = /stunnel4.pid
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+;compression = rle
+
+; Workaround for Eudora bug
+;options = DONT_INSERT_EMPTY_FRAGMENTS
+
+; Authentication stuff
+;verify = 2
+; Don't forget to c_rehash CApath
+; CApath is located inside chroot jail
+;CApath = /certs
+; It's often easier to use CAfile
+;CAfile = /etc/stunnel/certs.pem
+; Don't forget to c_rehash CRLpath
+; CRLpath is located inside chroot jail
+;CRLpath = /crls
+; Alternatively you can use CRLfile
+;CRLfile = /etc/stunnel/crls.pem
+
+; Some debugging stuff useful for troubleshooting
+;debug = 7
+;output = /var/log/stunnel4/stunnel.log
+
+; Use it for client mode
+;client = yes
+
+; Service-level configuration
+
+[pop3s]
+accept  = 995
+connect = 110
+
+[imaps]
+accept  = 993
+connect = 143
+
+[ssmtp]
+accept  = 465
+connect = 25
+
+;[https]
+;accept  = 443
+;connect = 80
+;TIMEOUTclose = 0
+
+; vim:ft=dosini

data/lib/deprec/templates/stunnel/stunnel.conf-server

@@ -0,0 +1,70 @@
+; Sample stunnel configuration file by Michal Trojnara 2002-2006
+; Some options used here may not be adequate for your particular configuration
+; Please make sure you understand them (especially the effect of chroot jail)
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/stunnel/syslog-server.pem
+key = /etc/stunnel/syslog-server.pem
+
+; Protocol version (all, SSLv2, SSLv3, TLSv1)
+sslVersion = SSLv3
+
+; Some security enhancements for UNIX systems - comment them out on Win32
+chroot = /var/lib/stunnel4/
+setuid = stunnel4
+setgid = stunnel4
+; PID is created inside chroot jail
+pid = /stunnel4.pid
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+;compression = rle
+
+; Workaround for Eudora bug
+;options = DONT_INSERT_EMPTY_FRAGMENTS
+
+; Authentication stuff
+;verify = 2
+; Don't forget to c_rehash CApath
+; CApath is located inside chroot jail
+;CApath = /certs
+; It's often easier to use CAfile
+;CAfile = /etc/stunnel/certs.pem
+; Don't forget to c_rehash CRLpath
+; CRLpath is located inside chroot jail
+;CRLpath = /crls
+; Alternatively you can use CRLfile
+;CRLfile = /etc/stunnel/crls.pem
+
+; Some debugging stuff useful for troubleshooting
+;debug = 7
+;output = /var/log/stunnel4/stunnel.log
+
+; Use it for client mode
+;client = yes
+
+; Service-level configuration
+
+[syslog]
+accept = 5001
+connect = 5000
+
+;[pop3s]
+;accept  = 995
+;connect = 110
+
+;[imaps]
+;accept  = 993
+;connect = 143
+
+;[ssmtp]
+;accept  = 465
+;connect = 25
+
+;[https]
+;accept  = 443
+;connect = 80
+;TIMEOUTclose = 0
+
+; vim:ft=dosini

data/lib/deprec/templates/stunnel/stunnel4

@@ -0,0 +1,11 @@
+# /etc/default/stunnel
+# Julien LEMOINE <speedblue@debian.org>
+# September 2003
+
+# Change to one to enable stunnel
+ENABLED=1
+FILES="/etc/stunnel/*.conf"
+OPTIONS=""
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0

data/lib/deprec/templates/stunnel/syslog-server.pem

@@ -0,0 +1,33 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDv1584Ckf7SBhNAvVmEhnMQImYQw3LzGj/qn8gpTsVknxJ1K9S
+d4A3MiRAMJ/3R2MPzb/298Wx4Ar4QljEavqNTaz9EQfGmCmVnL1mJS3Icin61D+2
+5R2KaSDA8xIjrQ+953K1MNFKMeBfzgzMm5ctqp2MJo9jDzx2taidTIS77wIDAQAB
+AoGAWDzcz/JAXzs77YFMJTw9j36i4Iiy16qhaoYgdTM01I/q+AKuacmbOzNQUOlS
+wNfboyHQIR0w92r0vjcyjzjIamO36n66yavg8cLeSwirFCxWyzUmkKFKVIgHC/ae
+IK/68VVdCha53pKySMkv31HJXvklmQTbQsKg3gh5PTRvDnECQQD5eNQqogWSp8YR
+y2PBSrrjgjAJt9BIkoozrL6DlflTZZle/AMOL92z5XgRftEjy737Ao1QzSmoG5u6
+6zoOARZHAkEA9h5JCwkh/A/ABZlM9+T/ZkxmqFLQuvEEJ5zCgr6LDcjrcG6h3yVS
+lEoC9Hhm69kPp74NiRYYrkJjpSNctQ55GQJAMrQkKyYTC+OdljBIbhjKM0NakB8T
+7iwaerY5YnUw34peybdex5ti7BVPef7UcvoN+t5h6nJIbSpvVGZKvl3qMQJBAMIP
+kTKVaemRFayUev7/3m3wEgXo/tJYVhlR3oEu8v/Ui+gkI5iKmjl4vim7ghO3HEP8
+dDnCZYWJrX45itDsb4kCQQDiaZ0M3ZFeTP5r/E2C8AazXurX2boakqxDj283laFR
+Hrq2P+6ZmIZYmcRksb0t1ag/PkUoiESavhUpuerU8v0l
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAjwCCQD8TuhpAlk4xDANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMC
+QVUxEzARBgNVBAgTClNvbWUtU3RhdGUxFjAUBgNVBAcTDVNvbWUtTG9jYWxpdHkx
+GTAXBgNVBAoTEE9uZSBPcmdhbml6YXRpb24xHjAcBgNVBAsTFU9uZSBPcmdhbml6
+YXRpb24gVW5pdDESMBAGA1UEAxMJbG9jYWxob3N0MSIwIAYJKoZIhvcNAQkBFhN3
+ZWJtYXN0ZXJAbG9jYWxob3N0MB4XDTEwMDkwMjA2MzAwM1oXDTEwMTAwMjA2MzAw
+M1owga0xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRYwFAYDVQQH
+Ew1Tb21lLUxvY2FsaXR5MRkwFwYDVQQKExBPbmUgT3JnYW5pemF0aW9uMR4wHAYD
+VQQLExVPbmUgT3JnYW5pemF0aW9uIFVuaXQxEjAQBgNVBAMTCWxvY2FsaG9zdDEi
+MCAGCSqGSIb3DQEJARYTd2VibWFzdGVyQGxvY2FsaG9zdDCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEA79efOApH+0gYTQL1ZhIZzECJmEMNy8xo/6p/IKU7FZJ8
+SdSvUneANzIkQDCf90djD82/9vfFseAK+EJYxGr6jU2s/REHxpgplZy9ZiUtyHIp
++tQ/tuUdimkgwPMSI60PvedytTDRSjHgX84MzJuXLaqdjCaPYw88drWonUyEu+8C
+AwEAATANBgkqhkiG9w0BAQUFAAOBgQBAfaORw+QL5srjuA8Te54DSeJAdvshwbCf
+FzDi/NXzNT5tPxqkGeVCvY1kE6dshLe38O00qmnux/Y5xurk7Olawvc13o68fCYZ
+Zk8tm14cVcOwC60CQi5WM04mFwNPIo6hN0ecSdunxQ+cJP/WgtEzNSKCeUAQVkTD
+A+aPr38GAw==
+-----END CERTIFICATE-----

data/lib/deprec/templates/syslog_ng/syslog-ng.conf-client

@@ -0,0 +1,363 @@
+#
+# Configuration file for syslog-ng under Debian
+#
+# attempts at reproducing default syslog behavior
+
+# the standard syslog levels are (in descending order of priority):
+# emerg alert crit err warning notice info debug
+# the aliases "error", "panic", and "warn" are deprecated
+# the "none" priority found in the original syslogd configuration is
+# only used in internal messages created by syslogd
+
+
+######
+# options
+
+options {
+        # disable the chained hostname format in logs
+        # (default is enabled)
+        chain_hostnames(0);
+
+        # the time to wait before a died connection is re-established
+        # (default is 60)
+        time_reopen(10);
+
+        # the time to wait before an idle destination file is closed
+        # (default is 60)
+        time_reap(360);
+
+        # the number of lines buffered before written to file
+        # you might want to increase this if your disk isn't catching with
+        # all the log messages you get or if you want less disk activity
+        # (say on a laptop)
+        # (default is 0)
+        #sync(0);
+
+        # the number of lines fitting in the output queue
+        log_fifo_size(2048);
+
+        # enable or disable directory creation for destination files
+        create_dirs(yes);
+
+        # default owner, group, and permissions for log files
+        # (defaults are 0, 0, 0600)
+        #owner(root);
+        group(adm);
+        perm(0640);
+
+        # default owner, group, and permissions for created directories
+        # (defaults are 0, 0, 0700)
+        #dir_owner(root);
+        #dir_group(root);
+        dir_perm(0755);
+
+        # enable or disable DNS usage
+        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
+        # a Denial of Service attack
+        # (default is yes)
+        use_dns(no);
+
+        # maximum length of message in bytes
+        # this is only limited by the program listening on the /dev/log Unix
+        # socket, glibc can handle arbitrary length log messages, but -- for
+        # example -- syslogd accepts only 1024 bytes
+        # (default is 2048)
+        #log_msg_size(2048);
+
+	#Disable statistic log messages.
+	stats_freq(0);
+
+	# Some program send log messages through a private implementation.
+	# and sometimes that implementation is bad. If this happen syslog-ng
+	# may recognise the program name as hostname. Whit this option
+	# we tell the syslog-ng that if a hostname match this regexp than that
+	# is not a real hostname.
+	bad_hostname("^gconfd$");
+};
+
+
+######
+# sources
+
+# all known message sources
+source s_all {
+        # message generated by Syslog-NG
+        internal();
+        # standard Linux log source (this is the default place for the syslog()
+        # function to send logs to)
+        unix-stream("/dev/log");
+        # messages from the kernel
+        file("/proc/kmsg" log_prefix("kernel: "));
+        # use the following line if you want to receive remote UDP logging messages
+        # (this is equivalent to the "-r" syslogd flag)
+        udp();
+};
+
+
+######
+# destinations
+
+<% if syslog_ng_loghost_name and syslog_ng_loghost_name.to_s != '' %>
+destination loghost { tcp("<%= syslog_ng_loghost_name %>" port (<%= syslog_ng_loghost_port %>)); };
+<% end %>
+
+# some standard log files
+destination df_auth { file("/var/log/auth.log"); };
+destination df_syslog { file("/var/log/syslog"); };
+destination df_cron { file("/var/log/cron.log"); };
+destination df_daemon { file("/var/log/daemon.log"); };
+destination df_kern { file("/var/log/kern.log"); };
+destination df_lpr { file("/var/log/lpr.log"); };
+destination df_mail { file("/var/log/mail.log"); };
+destination df_user { file("/var/log/user.log"); };
+destination df_uucp { file("/var/log/uucp.log"); };
+
+# these files are meant for the mail system log files
+# and provide re-usable destinations for {mail,cron,...}.info,
+# {mail,cron,...}.notice, etc.
+destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
+destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
+destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
+destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
+destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
+
+# these files are meant for the news system, and are kept separated
+# because they should be owned by "news" instead of "root"
+destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
+destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
+destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
+
+# some more classical and useful files found in standard syslog configurations
+destination df_debug { file("/var/log/debug"); };
+destination df_messages { file("/var/log/messages"); };
+
+# pipes
+# a console to view log messages under X
+destination dp_xconsole { pipe("/dev/xconsole"); };
+
+# consoles
+# this will send messages to everyone logged in
+destination du_all { usertty("*"); };
+
+
+######
+# filters
+
+# all messages from the auth and authpriv facilities
+filter f_auth { facility(auth, authpriv); };
+
+# all messages except from the auth and authpriv facilities
+filter f_syslog { not facility(auth, authpriv); };
+
+# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
+# and uucp facilities
+filter f_cron { facility(cron); };
+filter f_daemon { facility(daemon); };
+filter f_kern { facility(kern); };
+filter f_lpr { facility(lpr); };
+filter f_mail { facility(mail); };
+filter f_news { facility(news); };
+filter f_user { facility(user); };
+filter f_uucp { facility(uucp); };
+
+# some filters to select messages of priority greater or equal to info, warn,
+# and err
+# (equivalents of syslogd's *.info, *.warn, and *.err)
+filter f_at_least_info { level(info..emerg); };
+filter f_at_least_notice { level(notice..emerg); };
+filter f_at_least_warn { level(warn..emerg); };
+filter f_at_least_err { level(err..emerg); };
+filter f_at_least_crit { level(crit..emerg); };
+
+# all messages of priority debug not coming from the auth, authpriv, news, and
+# mail facilities
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+
+# all messages of info, notice, or warn priority not coming form the auth,
+# authpriv, cron, daemon, mail, and news facilities
+filter f_messages {
+        level(info,notice,warn)
+            and not facility(auth,authpriv,cron,daemon,mail,news);
+};
+
+# messages with priority emerg
+filter f_emerg { level(emerg); };
+
+# complex filter for messages usually sent to the xconsole
+filter f_xconsole {
+    facility(daemon,mail)
+        or level(debug,info,notice,warn)
+        or (facility(news)
+                and level(crit,err,notice));
+};
+
+
+######
+# logs
+# order matters if you use "flags(final);" to mark the end of processing in a
+# "log" statement
+
+# these rules provide the same behavior as the commented original syslogd rules
+
+
+<% if syslog_ng_loghost_name and syslog_ng_loghost_name.to_s != '' %>
+# Send to loghost
+log {
+  source(s_all);
+  # filter(notdebug);
+  destination(loghost);
+};
+<% end %>
+
+
+# auth,authpriv.*                 /var/log/auth.log
+log {
+        source(s_all);
+        filter(f_auth);
+        destination(df_auth);
+};
+
+# *.*;auth,authpriv.none          -/var/log/syslog
+log {
+        source(s_all);
+        filter(f_syslog);
+        destination(df_syslog);
+};
+
+# this is commented out in the default syslog.conf
+# cron.*                         /var/log/cron.log
+#log {
+#        source(s_all);
+#        filter(f_cron);
+#        destination(df_cron);
+#};
+
+# daemon.*                        -/var/log/daemon.log
+log {
+        source(s_all);
+        filter(f_daemon);
+        destination(df_daemon);
+};
+
+# kern.*                          -/var/log/kern.log
+log {
+        source(s_all);
+        filter(f_kern);
+        destination(df_kern);
+};
+
+# lpr.*                           -/var/log/lpr.log
+log {
+        source(s_all);
+        filter(f_lpr);
+        destination(df_lpr);
+};
+
+# mail.*                          -/var/log/mail.log
+log {
+        source(s_all);
+        filter(f_mail);
+        destination(df_mail);
+};
+
+# user.*                          -/var/log/user.log
+log {
+        source(s_all);
+        filter(f_user);
+        destination(df_user);
+};
+
+# uucp.*                          /var/log/uucp.log
+log {
+        source(s_all);
+        filter(f_uucp);
+        destination(df_uucp);
+};
+
+# mail.info                       -/var/log/mail.info
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_info);
+        destination(df_facility_dot_info);
+};
+
+# mail.warn                       -/var/log/mail.warn
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_warn);
+        destination(df_facility_dot_warn);
+};
+
+# mail.err                        /var/log/mail.err
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_err);
+        destination(df_facility_dot_err);
+};
+
+# news.crit                       /var/log/news/news.crit
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_crit);
+        destination(df_news_dot_crit);
+};
+
+# news.err                        /var/log/news/news.err
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_err);
+        destination(df_news_dot_err);
+};
+
+# news.notice                     /var/log/news/news.notice
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_notice);
+        destination(df_news_dot_notice);
+};
+
+
+# *.=debug;\
+#         auth,authpriv.none;\
+#         news.none;mail.none     -/var/log/debug
+log {
+        source(s_all);
+        filter(f_debug);
+        destination(df_debug);
+};
+
+
+# *.=info;*.=notice;*.=warn;\
+#         auth,authpriv.none;\
+#         cron,daemon.none;\
+#         mail,news.none          -/var/log/messages
+log {
+        source(s_all);
+        filter(f_messages);
+        destination(df_messages);
+};
+
+# *.emerg                         *
+log {
+        source(s_all);
+        filter(f_emerg);
+        destination(du_all);
+};
+
+
+# daemon.*;mail.*;\
+#         news.crit;news.err;news.notice;\
+#         *.=debug;*.=info;\
+#         *.=notice;*.=warn       |/dev/xconsole
+log {
+        source(s_all);
+        filter(f_xconsole);
+        destination(dp_xconsole);
+};
+