Got rkhunter working for HIDS; operational fixes for Sharingan
This commit is contained in:
parent
d0146770a4
commit
01dde4008d
@ -1,9 +0,0 @@
|
|||||||
check program anixix-HTTP with path "/usr/lib/monitoring-plugins/check_http -H aninix.net -e 301"
|
|
||||||
if status == 1 then exec "/usr/bin/bash /etc/monit.d/scripts/notify aninix.net HTTP is CRITICAL"
|
|
||||||
|
|
||||||
check program anixix-HTTPS with path "/usr/lib/monitoring-plugins/check_http -S -H aninix.net -e 200"
|
|
||||||
if status == 1 then exec "/usr/bin/bash /etc/monit.d/scripts/notify aninix.net HTTPS is CRITICAL"
|
|
||||||
|
|
||||||
check program foundation-HTTPS with path "/usr/lib/monitoring-plugins/check_http -S -H foundation.aninix.net -e 200"
|
|
||||||
if status == 1 then exec "/usr/bin/bash /etc/monit.d/scripts/notify aninix.net HTTPS is CRITICAL"
|
|
||||||
|
|
16
roles/Sharingan/files/lynis/sharingan-scan.service
Normal file
16
roles/Sharingan/files/lynis/sharingan-scan.service
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Sharingan-IDS | Vulnerability scanning
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Nice=19
|
||||||
|
IOSchedulingClass=best-effort
|
||||||
|
IOSchedulingPriority=7
|
||||||
|
Type=simple
|
||||||
|
ExecStartPre=clamscan -r / -i --exclude-dir="/srv/ygddrasil" --exclude-dir="/dev" --exclude-dir="/sys" --exclude-dir="/proc" --exclude-dir="/media/Infected/" --exclude-dir="/etc/snort/rules" --exclude-dir="/etc/suricata/rules"
|
||||||
|
ExecStart=lynis audit system
|
||||||
|
ExecStartPost=systemd-cat -t sharingan-vulns arch-audit
|
||||||
|
User=root
|
||||||
|
group=root
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
@ -1,5 +1,5 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Sharingan-IDS | rkhunter timer
|
Description=Sharingan-IDS | Vulnerability scanning
|
||||||
|
|
||||||
[Timer]
|
[Timer]
|
||||||
OnCalendar=15:00
|
OnCalendar=15:00
|
@ -1,14 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=Sharingan-IDS | rkhunter HIDS
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Nice=19
|
|
||||||
IOSchedulingClass=best-effort
|
|
||||||
IOSchedulingPriority=7
|
|
||||||
Type=simple
|
|
||||||
ExecStart=rkhunter --check --sk
|
|
||||||
User=root
|
|
||||||
group=root
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
33
roles/Sharingan/files/monit/checks/system
Normal file
33
roles/Sharingan/files/monit/checks/system
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
###############################################################################
|
||||||
|
## Services
|
||||||
|
###############################################################################
|
||||||
|
#
|
||||||
|
## Check general system resources such as load average, cpu and memory
|
||||||
|
## usage. Each test specifies a resource, conditions and the action to be
|
||||||
|
## performed should a test fail.
|
||||||
|
check system $HOST
|
||||||
|
if loadavg (1min) per core > 2 for 5 cycles then exec "/etc/monit.d/scripts/critical Load average is high"
|
||||||
|
if memory usage > 75% then exec "/etc/monit.d/scripts/critical Memory is overused."
|
||||||
|
if swap usage > 25% then exec "/etc/monit.d/scripts/critical Swap is overused."
|
||||||
|
group system
|
||||||
|
#
|
||||||
|
## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.
|
||||||
|
## Other services, such as databases, may depend on this resource and an automatically
|
||||||
|
## graceful stop may be cascaded to them before the filesystem will become full and data
|
||||||
|
## lost.
|
||||||
|
check filesystem rootfs with path /
|
||||||
|
if space usage > 80% for 5 times within 15 cycles then exec "/etc/monit.d/scripts/critical Root filesystem is too full."
|
||||||
|
if read rate > 500 operations/s for 5 cycles then exec "/etc/monit.d/scripts/critical Too many reads on root filesystem."
|
||||||
|
if write rate > 500 operations/s for 5 cycles then exec "/etc/monit.d/scripts/critical Too many writes on root filesystem."
|
||||||
|
if service time > 50 milliseconds for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical Root filesystem performing slowly -- check iostat."
|
||||||
|
group system
|
||||||
|
#
|
||||||
|
## Check a network link status (up/down), link capacity changes, saturation
|
||||||
|
## and bandwidth usage.
|
||||||
|
#
|
||||||
|
# check network public with interface eth0
|
||||||
|
# if failed link then alert
|
||||||
|
# if changed link then alert
|
||||||
|
# if saturation > 90% then alert
|
||||||
|
# if download > 10 MB/s then alert
|
||||||
|
# if total uploaded > 1 GB in last hour then alert
|
29
roles/Sharingan/files/monit/checks/vips
Normal file
29
roles/Sharingan/files/monit/checks/vips
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
check program https_aninix with path "/usr/lib/monitoring-plugins/check_http --ssl -H aninix.net"
|
||||||
|
if status != 0 then exec "/etc/monit.d/scripts/critical aninix.net not reporting OK"
|
||||||
|
|
||||||
|
check program https_foundation with path "/usr/lib/monitoring-plugins/check_http --ssl -H foundation.aninix.net"
|
||||||
|
if status != 0 then exec "/etc/monit.d/scripts/critical foundation.aninix.net not reporting OK"
|
||||||
|
|
||||||
|
check program https_geth with path "/usr/lib/monitoring-plugins/check_http --ssl -H geth.aninix.net"
|
||||||
|
if status != 0 then exec "/etc/monit.d/scripts/critical geth.aninix.net not reporting OK"
|
||||||
|
|
||||||
|
check program https_lykos with path "/usr/lib/monitoring-plugins/check_http --ssl -H lykos.aninix.net"
|
||||||
|
if status != 0 then exec "/etc/monit.d/scripts/critical lykos.aninix.net not reporting OK"
|
||||||
|
|
||||||
|
check program https_maat with path "/usr/lib/monitoring-plugins/check_http --ssl -H maat.aninix.net -r PASS"
|
||||||
|
if status != 0 then exec "/etc/monit.d/scripts/critical maat.aninix.net not reporting OK"
|
||||||
|
|
||||||
|
check program https_password with path "/usr/lib/monitoring-plugins/check_http --ssl -H password.aninix.net"
|
||||||
|
if status != 0 then exec "/etc/monit.d/scripts/critical password.aninix.net not reporting OK"
|
||||||
|
|
||||||
|
check program https_sharingan with path "/usr/lib/monitoring-plugins/check_http --ssl -H sharingan.aninix.net"
|
||||||
|
if status != 0 then exec "/etc/monit.d/scripts/critical sharingan.aninix.net not reporting OK"
|
||||||
|
|
||||||
|
check program https_singularity with path "/usr/lib/monitoring-plugins/check_http --ssl -H singularity.aninix.net"
|
||||||
|
if status != 0 then exec "/etc/monit.d/scripts/critical singularity.aninix.net not reporting OK"
|
||||||
|
|
||||||
|
check program https_wolfpack with path "/usr/lib/monitoring-plugins/check_http --ssl -H wolfpack.aninix.net"
|
||||||
|
if status != 0 then exec "/etc/monit.d/scripts/critical wolfpack.aninix.net not reporting OK"
|
||||||
|
|
||||||
|
#check program https_yggdrasil with path "/usr/lib/monitoring-plugins/check_http --ssl -u /web/index.html -H yggdrasil.aninix.net"
|
||||||
|
# if status != 0 then exec "/etc/monit.d/scripts/critical yggdrasil.aninix.net not reporting OK"
|
1
roles/Sharingan/files/monit/hostdefs/Core
Normal file
1
roles/Sharingan/files/monit/hostdefs/Core
Normal file
@ -0,0 +1 @@
|
|||||||
|
include "/etc/monit.d/checks/system"
|
1
roles/Sharingan/files/monit/hostdefs/DarkNet
Normal file
1
roles/Sharingan/files/monit/hostdefs/DarkNet
Normal file
@ -0,0 +1 @@
|
|||||||
|
include "/etc/monit.d/checks/system"
|
1
roles/Sharingan/files/monit/hostdefs/Geth-Hub-1
Normal file
1
roles/Sharingan/files/monit/hostdefs/Geth-Hub-1
Normal file
@ -0,0 +1 @@
|
|||||||
|
include "/etc/monit.d/checks/system"
|
1
roles/Sharingan/files/monit/hostdefs/Geth-Hub-2
Normal file
1
roles/Sharingan/files/monit/hostdefs/Geth-Hub-2
Normal file
@ -0,0 +1 @@
|
|||||||
|
include "/etc/monit.d/checks/system"
|
1
roles/Sharingan/files/monit/hostdefs/Geth-Hub-3
Normal file
1
roles/Sharingan/files/monit/hostdefs/Geth-Hub-3
Normal file
@ -0,0 +1 @@
|
|||||||
|
include "/etc/monit.d/checks/system"
|
1
roles/Sharingan/files/monit/hostdefs/Maat
Normal file
1
roles/Sharingan/files/monit/hostdefs/Maat
Normal file
@ -0,0 +1 @@
|
|||||||
|
include "/etc/monit.d/checks/system"
|
1
roles/Sharingan/files/monit/hostdefs/Nazara
Normal file
1
roles/Sharingan/files/monit/hostdefs/Nazara
Normal file
@ -0,0 +1 @@
|
|||||||
|
include "/etc/monit.d/checks/system"
|
1
roles/Sharingan/files/monit/hostdefs/Node0
Normal file
1
roles/Sharingan/files/monit/hostdefs/Node0
Normal file
@ -0,0 +1 @@
|
|||||||
|
include "/etc/monit.d/checks/system"
|
3
roles/Sharingan/files/monit/hostdefs/Sharingan
Normal file
3
roles/Sharingan/files/monit/hostdefs/Sharingan
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
include "/etc/monit.d/checks/system"
|
||||||
|
include "/etc/monit.d/checks/vips"
|
||||||
|
|
2
roles/Sharingan/files/monit/scripts/critical
Executable file
2
roles/Sharingan/files/monit/scripts/critical
Executable file
@ -0,0 +1,2 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
/usr/bin/systemd-cat -t sharingan-eval echo CRITICAL: "$@"
|
2
roles/Sharingan/files/monit/scripts/notify
Executable file
2
roles/Sharingan/files/monit/scripts/notify
Executable file
@ -0,0 +1,2 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
/usr/bin/systemd-cat -t sharingan-eval echo INFO: "$@"
|
@ -1,425 +0,0 @@
|
|||||||
# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
|
|
||||||
|
|
||||||
# This file is pretty big by default, but don't worry.
|
|
||||||
# The only things required are "path" and "update_files". You must also
|
|
||||||
# set "url" to point to the correct rules archive for your version of
|
|
||||||
# Snort, unless you prefer to specify this on the command line.
|
|
||||||
# The rest in here is just a few recommended defaults, and examples
|
|
||||||
# how to use all the other optional features and give some ideas how they
|
|
||||||
# could be used.
|
|
||||||
|
|
||||||
# Remember not to let untrusted users edit Oinkmaster configuration
|
|
||||||
# files, as things like the PATH to use during execution is defined
|
|
||||||
# in here.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Use "url = <url>" to specify the location of the rules archive to
|
|
||||||
# download. The url must begin with http://, https://, ftp://, file://
|
|
||||||
# or scp:// and end with .tar.gz or .tgz, and the file must be a
|
|
||||||
# gzipped tarball what contains a directory named "rules".
|
|
||||||
# You can also point to a local directory with dir://<directory>.
|
|
||||||
# Multiple "url = <url>" lines can be specified to grab multiple rules
|
|
||||||
# archives from different locations.
|
|
||||||
#
|
|
||||||
# Note: if URL is specified on the command line, it overrides all
|
|
||||||
# possible URLs specified in the configuration file(s).
|
|
||||||
#
|
|
||||||
# The location of the official Snort rules you should use depends
|
|
||||||
# on which Snort version you run. Basically, you should go to
|
|
||||||
# http://www.snort.org/rules/ and follow the instructions
|
|
||||||
# there to pick the right URL for your version of Snort
|
|
||||||
# (and remember to update the URL when upgrading Snort in the
|
|
||||||
# future). You can of course also specify locations to third party
|
|
||||||
# rules.
|
|
||||||
#
|
|
||||||
# As of March 2005, you must register on the Snort site to get access
|
|
||||||
# to the official Snort rules. This will get you an "oinkcode".
|
|
||||||
# You then specify the URL as
|
|
||||||
# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
|
|
||||||
# For example, if your code is 5a081649c06a277e1022e1284b and
|
|
||||||
# you use Snort 2.4, the url to use would be (without the wrap):
|
|
||||||
# http://www.snort.org/pub-bin/oinkmaster.cgi/
|
|
||||||
# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz
|
|
||||||
# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
|
|
||||||
# more information.
|
|
||||||
|
|
||||||
|
|
||||||
# URL examples follows. Replace <oinkcode> with the code you get on the
|
|
||||||
# Snort site in your registered user profile.
|
|
||||||
|
|
||||||
# Example for Snort
|
|
||||||
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/157f1670c58caa1bcb3e4de0d68e96c7e12a08ca/snortrules-snapshot-2976.tar.gz
|
|
||||||
|
|
||||||
# Suricata
|
|
||||||
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
|
|
||||||
|
|
||||||
# Example for Community rules
|
|
||||||
# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
|
|
||||||
|
|
||||||
# Example for rules from the Bleeding Snort project
|
|
||||||
# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
|
|
||||||
|
|
||||||
# If you prefer to download the rules archive from outside Oinkmaster,
|
|
||||||
# you can then point to the file on your local filesystem by using
|
|
||||||
# file://<filename>, for example:
|
|
||||||
# url = file:///tmp/snortrules.tar.gz
|
|
||||||
|
|
||||||
# In rare cases you may want to grab the rules directly from a
|
|
||||||
# local directory (don't confuse this with the output directory).
|
|
||||||
# url = dir:///etc/snort/src/rules
|
|
||||||
|
|
||||||
# Example to use scp to copy the rules archive from another host.
|
|
||||||
# Only OpenSSH is tested. See the FAQ for more information.
|
|
||||||
# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
|
|
||||||
|
|
||||||
# If you use -u scp://... and need to specify a private ssh key (passed
|
|
||||||
# as -i <key> to the scp command) you can specify it here or add an
|
|
||||||
# entry in ~/.ssh/config for the Oinkmaster user as described in the
|
|
||||||
# OpenSSH manual.
|
|
||||||
# scp_key = /home/oinkmaster/oinkmaster_privkey
|
|
||||||
|
|
||||||
|
|
||||||
# The PATH to use during execution. If you prefer to use external
|
|
||||||
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
|
|
||||||
# found, and also wget if downloading via ftp, http or https. All with
|
|
||||||
# optional .exe suffix. If you're on Cygwin, make sure that the path
|
|
||||||
# contains the Cygwin binaries and not the native Win32 binaries or
|
|
||||||
# you will get problems.
|
|
||||||
# Assume UNIX style by default:
|
|
||||||
path = /bin:/usr/bin:/usr/local/bin
|
|
||||||
|
|
||||||
# Example if running native Win32 or standalone Cygwin:
|
|
||||||
# path = c:\oinkmaster;c:\oinkmaster\bin
|
|
||||||
|
|
||||||
# Example if running standalone Cygwin and you prefer Cygwin style path:
|
|
||||||
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
|
|
||||||
|
|
||||||
|
|
||||||
# We normally use external binaries (wget, tar and gzip) since they're
|
|
||||||
# already available on most systems and do a good job. If you have the
|
|
||||||
# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
|
|
||||||
# those instead if you like. You can set use_external_bins below to
|
|
||||||
# choose which method you prefer. It's set to 0 by default on Win32
|
|
||||||
# (i.e. use Perl modules), and 1 on other systems (i.e. use external
|
|
||||||
# binaries). The reason for that is that the required Perl modules
|
|
||||||
# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
|
|
||||||
# those than to install the ported Unix tools. (Note that if you're
|
|
||||||
# using scp to download the archive, external scp binary is still
|
|
||||||
# used.)
|
|
||||||
# use_external_bins = 0
|
|
||||||
|
|
||||||
|
|
||||||
# Temporary directory to use. This directory must exist when starting and
|
|
||||||
# Oinkmaster will then create a temporary sub directory in here.
|
|
||||||
# Keep it as a #comment if you want to use the default.
|
|
||||||
# The default will be checked for in the environment variables TMP,
|
|
||||||
# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.
|
|
||||||
|
|
||||||
# Example for UNIX.
|
|
||||||
# tmpdir = /home/oinkmaster/tmp/
|
|
||||||
|
|
||||||
# Example if running native Win32 or Cygwin.
|
|
||||||
# tmpdir = c:\tmp
|
|
||||||
|
|
||||||
# Example if running Cygwin and you prefer Cygwin style path.
|
|
||||||
# tmpdir = /cygdrive/c/tmp
|
|
||||||
|
|
||||||
|
|
||||||
# The umask to use during execution if you want it to be something
|
|
||||||
# else than the current value when starting Oinkmaster.
|
|
||||||
# This will affect the mode bits when writing new files.
|
|
||||||
# Keep it commented out to keep your system's current umask.
|
|
||||||
# umask = 0027
|
|
||||||
|
|
||||||
|
|
||||||
# Files in the archive(s) matching this regular expression will be
|
|
||||||
# checked for changes, and then updated or added if needed.
|
|
||||||
# All other files will be ignored. You can then choose to skip
|
|
||||||
# individual files by specifying the "skipfile" keyword below.
|
|
||||||
# Normally you shouldn't need to change this one.
|
|
||||||
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
|
|
||||||
|
|
||||||
|
|
||||||
# Regexp of keywords that starts a Snort rule.
|
|
||||||
# May be useful if you create your own ruletypes and want those
|
|
||||||
# lines to be regarded as rules as well.
|
|
||||||
# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic
|
|
||||||
|
|
||||||
|
|
||||||
# If the number of rules files in the downloaded archive matching the
|
|
||||||
# 'update_files' regexp is below min_files, or if the number
|
|
||||||
# of rules is below min_rules, the rules are regarded as broken
|
|
||||||
# and the update is aborted with an error message.
|
|
||||||
# Both are set to 1 by default (i.e. the archive is only regarded as
|
|
||||||
# broken if it's totally empty).
|
|
||||||
# If you download from multiple URLs, the count is the total number
|
|
||||||
# of files/rules across all archives.
|
|
||||||
# min_files = 1
|
|
||||||
# min_rules = 1
|
|
||||||
|
|
||||||
|
|
||||||
# By default, a basic sanity check is performed on most paths/filenames
|
|
||||||
# to see if they contain illegal characters that may screw things up.
|
|
||||||
# If this check is too strict for your system (e.g. you get bogus
|
|
||||||
# "illegal characters in filename" errors because of your local language
|
|
||||||
# etc) and you're sure you want to disable the checks completely,
|
|
||||||
# set use_path_checks to 0.
|
|
||||||
# use_path_checks = 1
|
|
||||||
|
|
||||||
|
|
||||||
# If you want Oinkmaster to send a User-Agent HTTP header string
|
|
||||||
# other than the default one for wget/LWP, set this variable.
|
|
||||||
# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
|
|
||||||
|
|
||||||
|
|
||||||
# You can include other files anywhere in here by using
|
|
||||||
# "include <file>". <file> will be parsed just like a regular
|
|
||||||
# oinkmaster.conf as soon as the include statement is seen, and then
|
|
||||||
# return and continue parsing the rest of the original file. If an
|
|
||||||
# option is redefined, it will override the previous value. You can use
|
|
||||||
# as many "include" statements as you wish, and also include even more
|
|
||||||
# files from included files. Example to load stuff from "/etc/foo.conf".
|
|
||||||
# include /etc/foo.conf
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# Files to totally skip (i.e. never update or check for changes) #
|
|
||||||
# #
|
|
||||||
# Syntax: skipfile filename #
|
|
||||||
# or: skipfile filename1, filename2, filename3, ... #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
# Ignore local.rules from the rules archive by default since we might
|
|
||||||
# have put some local rules in our own local.rules and we don't want it
|
|
||||||
# to get overwritten by the empty one from the archive after each
|
|
||||||
# update.
|
|
||||||
skipfile local.rules
|
|
||||||
|
|
||||||
# The file deleted.rules contains rules that have been deleted from
|
|
||||||
# other files, so there is usually no point in updating it.
|
|
||||||
skipfile deleted.rules
|
|
||||||
|
|
||||||
# Also skip snort.conf by default since we don't want to overwrite our
|
|
||||||
# own snort.conf if we have it in the same directory as the rules. If
|
|
||||||
# you have your own production copy of snort.conf in another directory,
|
|
||||||
# it may be really nice to check for changes in this file though,
|
|
||||||
# especially since variables are sometimes added or modified and
|
|
||||||
# new/old files are included/excluded.
|
|
||||||
skipfile snort.conf
|
|
||||||
|
|
||||||
# You may want to consider ignoring threshold.conf for the same reasons
|
|
||||||
# as for snort.conf, i.e. if you customize it locally and don't want it
|
|
||||||
# to become overwritten by the default one. It may be better to put
|
|
||||||
# local thresholding/suppressing in some local file and still update
|
|
||||||
# and use the official one though, in case important stuff is added to
|
|
||||||
# it some day. We do update it by default, but it's your call.
|
|
||||||
# skipfile threshold.conf
|
|
||||||
|
|
||||||
# If you update from multiple URLs at the same time you may need to
|
|
||||||
# ignore the sid-msg.map (and generate it yourself if you need one) as
|
|
||||||
# it's usually included in each rules tarball. See the FAQ for more info.
|
|
||||||
# skipfile sid-msg.map
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
##########################################################################
|
|
||||||
# SIDs to modify after each update (only for the skilled/stupid/brave). #
|
|
||||||
# Don't use it unless you have to. There is nothing that stops you from #
|
|
||||||
# modifying rules in such ways that they become invalid or generally #
|
|
||||||
# break things. You have been warned. #
|
|
||||||
# If you just want to disable SIDs, please skip this section and have a #
|
|
||||||
# look at the "disablesid" keyword below. #
|
|
||||||
# #
|
|
||||||
# You may specify multiple modifysid directives for the same SID (they #
|
|
||||||
# will be processed in order of appearance), and you may also specify a #
|
|
||||||
# list of SIDs on which the substitution should be applied. #
|
|
||||||
# If the argument is in the form something.something it's regarded #
|
|
||||||
# as a filename and the substitution will apply on all rules in that #
|
|
||||||
# file. The wildcard ("*") can be used to apply the substitution on all #
|
|
||||||
# rules regardless of the SID or file. Please avoid using #comments #
|
|
||||||
# at the end of modifysid lines, they may confuse the parser in some #
|
|
||||||
# situations. #
|
|
||||||
# #
|
|
||||||
# Syntax: #
|
|
||||||
# modifysid SID "replacethis" | "withthis" #
|
|
||||||
# or: #
|
|
||||||
# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" #
|
|
||||||
# or: #
|
|
||||||
# modifysid file "replacethis" | "withthis" #
|
|
||||||
# or: #
|
|
||||||
# modifysid * "replacethis" | "withthis" #
|
|
||||||
# #
|
|
||||||
# The strings within the quotes will basically be passed to a #
|
|
||||||
# s/replacethis/withthis/ statement in Perl, so they must be valid #
|
|
||||||
# regular expressions. The strings are case-insensitive and only the #
|
|
||||||
# first occurrence will be replaced. If there are multiple occurrences #
|
|
||||||
# you want to replace, simply repeat the same modifysid line. #
|
|
||||||
# As the strings are regular expressions, you MUST escape special #
|
|
||||||
# characters like $ \ / ( ) | by prepending a "\" to them. #
|
|
||||||
# #
|
|
||||||
# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
|
|
||||||
# will first translate the rule into a single-line version and then #
|
|
||||||
# perform the substitution, so you don't have to care about the trailing #
|
|
||||||
# backslashes and newlines. #
|
|
||||||
# #
|
|
||||||
# If you use backreference variables in the substitution expression, #
|
|
||||||
# it's strongly recommended to specify them as ${1} instead of $1 and so #
|
|
||||||
# on, to avoid parsing confusion with unexpected results in some #
|
|
||||||
# situations. Note that modifysid statements will process both active #
|
|
||||||
# and inactive (disabled) rules. #
|
|
||||||
# #
|
|
||||||
# You may want to check out README.templates and template-examples.conf #
|
|
||||||
# to find how you can simplify the modifysid usage by using templates. #
|
|
||||||
##########################################################################
|
|
||||||
|
|
||||||
# Example to enable a rule (in this case SID 1325) that is disabled by
|
|
||||||
# default, by simply replacing leading "#alert" with "alert".
|
|
||||||
# (You should really use 'enablesid' for this though.)
|
|
||||||
# Oinkmaster removes whitespaces next to the leading "#" so you don't
|
|
||||||
# have to worry about that, but be careful about possible whitespace in
|
|
||||||
# other places when writing the regexps.
|
|
||||||
# modifysid 1325 "^#alert" | "alert"
|
|
||||||
|
|
||||||
# You could also do this to enable it no matter what type of rule it is
|
|
||||||
# (alert, log, pass, etc).
|
|
||||||
# modifysid 1325 "^#" | ""
|
|
||||||
|
|
||||||
# Example to add "tag" stuff to SID 1325.
|
|
||||||
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
|
|
||||||
|
|
||||||
# Example to make SID 1378 a 'drop' rule (valid if you're running
|
|
||||||
# Snort_inline).
|
|
||||||
# modifysid 1378 "^alert" | "drop"
|
|
||||||
|
|
||||||
# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
|
|
||||||
# in SID 302.
|
|
||||||
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
|
|
||||||
|
|
||||||
# You can also specify that a substitution should apply on multiple SIDs.
|
|
||||||
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"
|
|
||||||
|
|
||||||
# You can take advantage of the fact that it's regular expressions and
|
|
||||||
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
|
|
||||||
# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
|
|
||||||
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
|
|
||||||
# "${1} replace:"\/foo\/sh";"
|
|
||||||
|
|
||||||
# If you for some reason would like to add a comment inside the actual
|
|
||||||
# rules file, like the reason why you disabled this rule, you can do
|
|
||||||
# like this (you would normally add such comments in oinkmaster.conf
|
|
||||||
# though).
|
|
||||||
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
|
|
||||||
|
|
||||||
# Here is an example that is actually useful. Let's say you don't care
|
|
||||||
# about incoming welchia pings (detected by SID 483 at the time of
|
|
||||||
# writing) but you want to know when infected hosts on your network
|
|
||||||
# scans hosts on the outside. (Remember that watching for outgoing
|
|
||||||
# malicious packets is often just as important as watching for incoming
|
|
||||||
# ones, especially in this case.) The rule currently looks like
|
|
||||||
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
|
|
||||||
# but we want to switch that so it becomes
|
|
||||||
# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
|
|
||||||
# Here is how it could be done.
|
|
||||||
# modifysid 483 \
|
|
||||||
# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
|
|
||||||
# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
|
|
||||||
|
|
||||||
# The wildcard (modifysid * ...) can be used to do all kinds of
|
|
||||||
# interesting things. The substitution expression will be applied on all
|
|
||||||
# matching rules. First, a silly example to replace "foo" with "bar" in
|
|
||||||
# all rules (that have the string "foo" in them, that is.)
|
|
||||||
# modifysid * "foo" | "bar"
|
|
||||||
|
|
||||||
# If you for some reason don't want to use the stream preprocessor to
|
|
||||||
# match established streams, you may want to replace the 'flow'
|
|
||||||
# statement with 'flags:A+;' in all those rules.
|
|
||||||
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
|
|
||||||
|
|
||||||
# Example to convert all rules of classtype attempted-admin to 'drop'
|
|
||||||
# rules (for Snort_inline only, obviously).
|
|
||||||
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
|
|
||||||
|
|
||||||
# This one will append some text to the 'msg' string for all rules that
|
|
||||||
# have the 'tag' keyword in them.
|
|
||||||
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
|
|
||||||
# "${1}, going to tag this baby"${2}"
|
|
||||||
|
|
||||||
# There may be times when you want to replace multiple occurrences of a
|
|
||||||
# certain keyword/string in a rule and not just the first one. To
|
|
||||||
# replace the first two occurrences of "foo" with "bar" in SID 100,
|
|
||||||
# simply repeat the modifysid statement:
|
|
||||||
# modifysid 100 "foo" | "bar"
|
|
||||||
# modifysid 100 "foo" | "bar"
|
|
||||||
|
|
||||||
# Or you can even specify a SID list but repeat the same SID as many
|
|
||||||
# times as required, like:
|
|
||||||
# modifysid 100,100,100 "foo" | "bar"
|
|
||||||
|
|
||||||
# Enable all rules in the file exploit.rules.
|
|
||||||
# modifysid exploit.rules "^#" | ""
|
|
||||||
|
|
||||||
# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
|
|
||||||
# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
########################################################################
|
|
||||||
# SIDs that we don't want to update. #
|
|
||||||
# If you for some reason don't want a specific rule to be updated #
|
|
||||||
# (e.g. you made local modifications to it and you never want to #
|
|
||||||
# update it and don't care about changes in the official version), you #
|
|
||||||
# can specify a "localsid" statement for it. This means that the old #
|
|
||||||
# version of the rule (i.e. the one in the rules file on your #
|
|
||||||
# harddrive) is always kept, regardless if the official version has #
|
|
||||||
# been updated. Please do not use this feature unless in special #
|
|
||||||
# cases as it's easy to end up with many signatures that aren't #
|
|
||||||
# maintained anymore. See the FAQ for details about this and hints #
|
|
||||||
# about better solutions regarding customization of rules. #
|
|
||||||
# #
|
|
||||||
# Syntax: localsid SID #
|
|
||||||
# or: localsid SID1, SID2, SID3, ... #
|
|
||||||
########################################################################
|
|
||||||
|
|
||||||
# Example to never update SID 1325.
|
|
||||||
# localsid 1325
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
########################################################################
|
|
||||||
# SIDs to enable after each update. #
|
|
||||||
# Will simply remove all the leading '#' for a specified SID (if it's #
|
|
||||||
# a multi-line rule, the leading '#' for all lines are removed.) #
|
|
||||||
# These will be processed after all the modifysid and disablesid #
|
|
||||||
# statements. Using 'enablesid' on a rule that is not disabled is a #
|
|
||||||
# NOOP. #
|
|
||||||
# #
|
|
||||||
# Syntax: enablesid SID #
|
|
||||||
# or: enablesid SID1, SID2, SID3, ... #
|
|
||||||
########################################################################
|
|
||||||
|
|
||||||
# Example to enable SID 1325.
|
|
||||||
# enablesid 1325
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
########################################################################
|
|
||||||
# SIDs to comment out, i.e. disable, after each update by placing a #
|
|
||||||
# '#' in front of the rule (if it's a multi-line rule, it will be put #
|
|
||||||
# in front of all lines). #
|
|
||||||
# #
|
|
||||||
# Syntax: disablesid SID #
|
|
||||||
# or: disablesid SID1, SID2, SID3, ... #
|
|
||||||
########################################################################
|
|
||||||
|
|
||||||
# You can specify one SID per line.
|
|
||||||
# disablesid 1
|
|
||||||
# disablesid 2
|
|
||||||
# disablesid 3
|
|
||||||
|
|
||||||
# And also as comma-separated lists.
|
|
||||||
# disablesid 4,5,6
|
|
||||||
|
|
||||||
# It's a good idea to also add comment about why you disable the sid:
|
|
||||||
# disablesid 1324 # 20020101: disabled this SID just because I can
|
|
@ -191,8 +191,6 @@
|
|||||||
#
|
#
|
||||||
# The default value is based on the root account PATH environment variable.
|
# The default value is based on the root account PATH environment variable.
|
||||||
#
|
#
|
||||||
#BINDIR=/bin /usr/bin /sbin /usr/sbin
|
|
||||||
#BINDIR=+/usr/local/bin +/usr/local/sbin
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# This option specifies the default language to use. This should be similar to
|
# This option specifies the default language to use. This should be similar to
|
||||||
@ -1339,4 +1337,11 @@ SCRIPTWHITELIST=/usr/bin/egrep
|
|||||||
SCRIPTWHITELIST=/usr/bin/fgrep
|
SCRIPTWHITELIST=/usr/bin/fgrep
|
||||||
SCRIPTWHITELIST=/usr/bin/ldd
|
SCRIPTWHITELIST=/usr/bin/ldd
|
||||||
SCRIPTWHITELIST=/usr/bin/vendor_perl/GET
|
SCRIPTWHITELIST=/usr/bin/vendor_perl/GET
|
||||||
|
BINDIR=/bin /usr/bin /sbin /usr/sbin
|
||||||
|
BINDIR=+/usr/local/bin +/usr/local/sbin
|
||||||
|
# Allowlist for false postives
|
||||||
|
ALLOWPROCLISTEN=/usr/bin/inspircd
|
||||||
|
PORT_WHITELIST=TCP:6667
|
||||||
|
ALLOWDEVFILE=/dev/shm/PostgreSQL*
|
||||||
|
ALLOWDEVFILE=/dev/shm/mono*
|
||||||
|
|
||||||
|
@ -1,2 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
systemd-cat -t sharingan-eval "$@"
|
|
@ -37,7 +37,7 @@
|
|||||||
- name: Sharingan-Data service conf
|
- name: Sharingan-Data service conf
|
||||||
become: yes
|
become: yes
|
||||||
copy:
|
copy:
|
||||||
src: syslog-ng@sharingan-data
|
src: syslog-ng/syslog-ng@sharingan-data
|
||||||
dest: /etc/default/syslog-ng@sharingan-data
|
dest: /etc/default/syslog-ng@sharingan-data
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
@ -47,107 +47,8 @@
|
|||||||
become: yes
|
become: yes
|
||||||
register: data_service
|
register: data_service
|
||||||
copy:
|
copy:
|
||||||
src: "sharingan-data.service/{{ ansible_os_family }}"
|
src: "syslog-ng/sharingan-data.service/{{ ansible_os_family }}"
|
||||||
dest: /usr/lib/systemd/system/sharingan-data.service
|
dest: /usr/lib/systemd/system/sharingan-data.service
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0750
|
mode: 0750
|
||||||
|
|
||||||
- name: Sharingan-Eval service
|
|
||||||
become: yes
|
|
||||||
register: eval_service
|
|
||||||
copy:
|
|
||||||
src: sharingan-eval.service
|
|
||||||
dest: /usr/lib/systemd/system/sharingan-eval.service
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0750
|
|
||||||
|
|
||||||
- name: Sharingan-Eval monitrc
|
|
||||||
become: yes
|
|
||||||
template:
|
|
||||||
src: monitrc.j2
|
|
||||||
dest: /etc/monitrc
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0700
|
|
||||||
|
|
||||||
- name: Sharingan-Eval includes dir
|
|
||||||
become: yes
|
|
||||||
file:
|
|
||||||
path: /etc/monit.d
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Sharingan-Eval monit templates
|
|
||||||
become: yes
|
|
||||||
copy:
|
|
||||||
src: templates
|
|
||||||
dest: /etc/monit.d/templates
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0700
|
|
||||||
|
|
||||||
- name: Sharingan-Eval monit scripts
|
|
||||||
become: yes
|
|
||||||
copy:
|
|
||||||
src: templates
|
|
||||||
dest: /etc/monit.d/scripts
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0700
|
|
||||||
|
|
||||||
|
|
||||||
- name: Sharingan-Eval monit host config
|
|
||||||
become: yes
|
|
||||||
copy:
|
|
||||||
src: "{{ inventory_hostname }}"
|
|
||||||
dest: "/etc/monit.d/{{ inventory_hostname }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0700
|
|
||||||
|
|
||||||
- name: Sharingan-Heartbeat service
|
|
||||||
become: yes
|
|
||||||
register: heartbeat_service
|
|
||||||
copy:
|
|
||||||
src: "{{ item }}"
|
|
||||||
dest: /usr/lib/systemd/system
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0750
|
|
||||||
loop:
|
|
||||||
- sharingan-heartbeat.timer
|
|
||||||
- sharingan-heartbeat.service
|
|
||||||
|
|
||||||
- name: Sharingan-Data heartbeat timer
|
|
||||||
become: yes
|
|
||||||
copy:
|
|
||||||
src: sharingan-heartbeat.timer
|
|
||||||
dest: /usr/lib/systemd/system
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0750
|
|
||||||
|
|
||||||
- systemd:
|
|
||||||
daemon_reload: yes
|
|
||||||
become: yes
|
|
||||||
when: data_service.changed or eval_service.changed or heartbeat_service.changed
|
|
||||||
|
|
||||||
- name: Start Sharingan-Data services
|
|
||||||
become: yes
|
|
||||||
service:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: restarted
|
|
||||||
enabled: yes
|
|
||||||
loop:
|
|
||||||
- sharingan-data.service
|
|
||||||
- sharingan-heartbeat.timer
|
|
||||||
- sharingan-eval.service
|
|
||||||
|
|
||||||
- name: Disable default service
|
|
||||||
become: yes
|
|
||||||
ignore_errors: yes
|
|
||||||
service:
|
|
||||||
name: syslog-ng@default.service
|
|
||||||
state: stopped
|
|
||||||
enabled: no
|
|
||||||
|
59
roles/Sharingan/tasks/eval.yml
Normal file
59
roles/Sharingan/tasks/eval.yml
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Sharingan-Eval service
|
||||||
|
become: yes
|
||||||
|
register: eval_service
|
||||||
|
copy:
|
||||||
|
src: monit/sharingan-eval.service
|
||||||
|
dest: /usr/lib/systemd/system/sharingan-eval.service
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0750
|
||||||
|
|
||||||
|
- name: Sharingan-Eval monitrc
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: monitrc.j2
|
||||||
|
dest: /etc/monitrc
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0700
|
||||||
|
|
||||||
|
- name: Sharingan-Eval includes dir
|
||||||
|
become: yes
|
||||||
|
loop:
|
||||||
|
- "/etc/monit.d/"
|
||||||
|
- "/etc/monit.d/scripts"
|
||||||
|
- "/etc/monit.d/checks"
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Sharingan-Eval monit templates
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: monit/checks/
|
||||||
|
dest: /etc/monit.d/checks
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0700
|
||||||
|
|
||||||
|
- name: Sharingan-Eval monit scripts
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: monit/scripts/
|
||||||
|
dest: /etc/monit.d/scripts
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0700
|
||||||
|
|
||||||
|
- name: Sharingan-Eval monit host config
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: "monit/hostdefs/{{ inventory_hostname }}"
|
||||||
|
dest: "/etc/monit.d/{{ inventory_hostname }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0700
|
||||||
|
|
||||||
|
|
48
roles/Sharingan/tasks/heartbeat.yml
Normal file
48
roles/Sharingan/tasks/heartbeat.yml
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Sharingan-Heartbeat service
|
||||||
|
become: yes
|
||||||
|
register: heartbeat_service
|
||||||
|
copy:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: /usr/lib/systemd/system
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0750
|
||||||
|
loop:
|
||||||
|
- sharingan-heartbeat.timer
|
||||||
|
- sharingan-heartbeat.service
|
||||||
|
|
||||||
|
- name: Sharingan-Data heartbeat timer
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: sharingan-heartbeat.timer
|
||||||
|
dest: /usr/lib/systemd/system
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0750
|
||||||
|
|
||||||
|
- systemd:
|
||||||
|
daemon_reload: yes
|
||||||
|
become: yes
|
||||||
|
when: data_service.changed or eval_service.changed or heartbeat_service.changed
|
||||||
|
|
||||||
|
- name: Start Sharingan-Data services
|
||||||
|
become: yes
|
||||||
|
service:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
||||||
|
loop:
|
||||||
|
- sharingan-data.service
|
||||||
|
- sharingan-heartbeat.timer
|
||||||
|
- sharingan-eval.service
|
||||||
|
|
||||||
|
- name: Disable default service
|
||||||
|
become: yes
|
||||||
|
ignore_errors: yes
|
||||||
|
service:
|
||||||
|
name: syslog-ng@default.service
|
||||||
|
state: stopped
|
||||||
|
enabled: no
|
||||||
|
|
@ -1,14 +1,17 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: sshguard package
|
- name: IDS packages
|
||||||
become: yes
|
become: yes
|
||||||
|
register: package_install
|
||||||
package:
|
package:
|
||||||
name:
|
name:
|
||||||
- sshguard
|
- sshguard
|
||||||
- suricata
|
- suricata
|
||||||
- oinkmaster
|
- oinkmaster
|
||||||
|
- rkhunter
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
# Network IPS
|
||||||
- name: sshguard config
|
- name: sshguard config
|
||||||
become: yes
|
become: yes
|
||||||
copy:
|
copy:
|
||||||
@ -28,32 +31,79 @@
|
|||||||
group: root
|
group: root
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
||||||
# - name: Copy oinkmaster service
|
# Host IDS
|
||||||
# register: oinkmaster_service
|
- name: Copy rkhunter service
|
||||||
# become: yes
|
register: rkhunter_conf
|
||||||
# loop:
|
become: yes
|
||||||
# - oinkmaster.service
|
copy:
|
||||||
# - oinkmaster.timer
|
src: rkhunter/rkhunter.conf
|
||||||
# copy:
|
dest: "/etc/rkhunter.conf"
|
||||||
# src: "{{ item }}"
|
owner: root
|
||||||
# dest: "/usr/lib/systemd/system/{{ item }}"
|
group: root
|
||||||
# owner: root
|
mode: 0644
|
||||||
# group: root
|
|
||||||
# mode: 0644
|
- name: Copy rkhunter service
|
||||||
#
|
register: rkhunter_service
|
||||||
# - systemd:
|
become: yes
|
||||||
# daemon_reload: yes
|
loop:
|
||||||
# become: yes
|
- rkhunter.service
|
||||||
# when: oinkmaster_service.changed
|
- rkhunter.timer
|
||||||
|
copy:
|
||||||
|
src: "rkhunter/{{ item }}"
|
||||||
|
dest: "/usr/lib/systemd/system/{{ item }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
# Network IDS
|
||||||
|
- name: Copy oinkmaster conf
|
||||||
|
register: oinkmaster_conf
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: "oinkmaster/oinkmaster.conf"
|
||||||
|
dest: "/usr/lib/systemd/system/oinkmaster.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Copy oinkmaster service
|
||||||
|
register: oinkmaster_service
|
||||||
|
become: yes
|
||||||
|
loop:
|
||||||
|
- oinkmaster.service
|
||||||
|
- oinkmaster.timer
|
||||||
|
copy:
|
||||||
|
src: "oinkmaster/{{ item }}"
|
||||||
|
dest: "/usr/lib/systemd/system/{{ item }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- systemd:
|
||||||
|
daemon_reload: yes
|
||||||
|
become: yes
|
||||||
|
when: oinkmaster_service.changed or rkhunter_service.changed
|
||||||
|
|
||||||
|
- name: Update oinkmaster DB
|
||||||
|
become: yes
|
||||||
|
when: package_install.changed or oinkmaster_conf.changed
|
||||||
|
service:
|
||||||
|
name: oinkmaster.service
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Update rkhunter DB
|
||||||
|
become: yes
|
||||||
|
when: package_install.changed or rkhunter_conf.changed
|
||||||
|
command: "/bin/bash -c 'export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; rkhunter -C && rkhunter --propupd'"
|
||||||
|
|
||||||
- name: IDS services
|
- name: IDS services
|
||||||
become: yes
|
become: yes
|
||||||
loop:
|
loop:
|
||||||
- suricata.service
|
- suricata.service
|
||||||
- sshguard.service
|
- sshguard.service
|
||||||
# - oinkmaster.timer
|
- oinkmaster.timer
|
||||||
|
- rkhunter.timer
|
||||||
service:
|
service:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: restarted
|
state: restarted
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
|
||||||
|
@ -1,12 +1,15 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
- import_tasks: ../roles/Sharingan/tasks/data.yml
|
||||||
|
- import_tasks: ../roles/Sharingan/tasks/eval.yml
|
||||||
|
- import_tasks: ../roles/Sharingan/tasks/heartbeat.yml
|
||||||
|
|
||||||
- import_tasks: ../roles/Sharingan/tasks/siem.yml
|
- import_tasks: ../roles/Sharingan/tasks/siem.yml
|
||||||
when: siem is defined
|
when: siem is defined
|
||||||
|
|
||||||
- import_tasks: ../roles/Sharingan/tasks/ids.yml
|
- import_tasks: ../roles/Sharingan/tasks/ids.yml
|
||||||
when: secdetection is defined
|
when: secdetection is defined
|
||||||
|
|
||||||
- import_tasks: ../roles/Sharingan/tasks/vulns.yml
|
- import_tasks: ../roles/Sharingan/tasks/scans.yml
|
||||||
when: ansible_os_family == "Archlinux"
|
when: ansible_os_family == "Archlinux"
|
||||||
|
|
||||||
- import_tasks: ../roles/Sharingan/tasks/data.yml
|
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
group: root
|
group: root
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
||||||
- name: lynis services
|
- name: Scanning services
|
||||||
become: yes
|
become: yes
|
||||||
copy:
|
copy:
|
||||||
src: "lynis/{{ item }}"
|
src: "lynis/{{ item }}"
|
||||||
@ -29,8 +29,18 @@
|
|||||||
group: root
|
group: root
|
||||||
mode: 0664
|
mode: 0664
|
||||||
loop:
|
loop:
|
||||||
- sharingan-vulns.service
|
- sharingan-scan.service
|
||||||
- sharingan-vulns.timer
|
- sharingan-scan.timer
|
||||||
|
|
||||||
|
- name: Scanning services
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: "clamav/{{ item }}"
|
||||||
|
dest: /usr/lib/systemd/system/
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0664
|
||||||
|
loop:
|
||||||
- freshclam.service
|
- freshclam.service
|
||||||
- freshclam.timer
|
- freshclam.timer
|
||||||
|
|
||||||
@ -38,7 +48,7 @@
|
|||||||
become: yes
|
become: yes
|
||||||
loop:
|
loop:
|
||||||
- freshclam.timer
|
- freshclam.timer
|
||||||
- sharingan-vulns.timer
|
- sharingan-scan.timer
|
||||||
service:
|
service:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: restarted
|
state: restarted
|
Loading…
Reference in New Issue
Block a user