Current state of Sharingan role -- still need to add rkhunter

This commit is contained in:
2022-05-02 15:00:29 -05:00
parent 1c2f4266ad
commit d0146770a4
45 changed files with 4004 additions and 46 deletions


@@ -0,0 +1,153 @@
---
- name: Sharingan data packages
become: yes
package:
state: present
name:
- syslog-ng
- monit
- monitoring-plugins
- name: Sharingan-Data apps dir
become: yes
file:
path: /etc/syslog-ng/apps.d
state: directory
- name: Sharingan-Data include apps dir
become: yes
register: base_config
lineinfile:
path: /etc/syslog-ng/syslog-ng.conf
line: "{{ item }}"
loop:
- '# Allow compartmentalization of config'
- '@include "apps.d/*.conf"'
- name: Sharingan-Data conf
become: yes
template:
src: graylog.conf.j2
dest: /etc/syslog-ng/apps.d/graylog.conf
owner: root
group: root
mode: 0750
- name: Sharingan-Data service conf
become: yes
copy:
src: syslog-ng@sharingan-data
dest: /etc/default/syslog-ng@sharingan-data
owner: root
group: root
mode: 0655
- name: Sharingan-Data filer service
become: yes
register: data_service
copy:
src: "sharingan-data.service/{{ ansible_os_family }}"
dest: /usr/lib/systemd/system/sharingan-data.service
owner: root
group: root
mode: 0750
- name: Sharingan-Eval service
become: yes
register: eval_service
copy:
src: sharingan-eval.service
dest: /usr/lib/systemd/system/sharingan-eval.service
owner: root
group: root
mode: 0750
- name: Sharingan-Eval monitrc
become: yes
template:
src: monitrc.j2
dest: /etc/monitrc
owner: root
group: root
mode: 0700
- name: Sharingan-Eval includes dir
become: yes
file:
path: /etc/monit.d
state: directory
- name: Sharingan-Eval monit templates
become: yes
copy:
src: templates
dest: /etc/monit.d/templates
owner: root
group: root
mode: 0700
- name: Sharingan-Eval monit scripts
become: yes
copy:
src: templates
dest: /etc/monit.d/scripts
owner: root
group: root
mode: 0700
- name: Sharingan-Eval monit host config
become: yes
copy:
src: "{{ inventory_hostname }}"
dest: "/etc/monit.d/{{ inventory_hostname }}"
owner: root
group: root
mode: 0700
- name: Sharingan-Heartbeat service
become: yes
register: heartbeat_service
copy:
src: "{{ item }}"
dest: /usr/lib/systemd/system
owner: root
group: root
mode: 0750
loop:
- sharingan-heartbeat.timer
- sharingan-heartbeat.service
- name: Sharingan-Data heartbeat timer
become: yes
copy:
src: sharingan-heartbeat.timer
dest: /usr/lib/systemd/system
owner: root
group: root
mode: 0750
- systemd:
daemon_reload: yes
become: yes
when: data_service.changed or eval_service.changed or heartbeat_service.changed
- name: Start Sharingan-Data services
become: yes
service:
name: "{{ item }}"
state: restarted
enabled: yes
loop:
- sharingan-data.service
- sharingan-heartbeat.timer
- sharingan-eval.service
- name: Disable default service
become: yes
ignore_errors: yes
service:
name: syslog-ng@default.service
state: stopped
enabled: no
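Review bot: The "Sharingan-Eval monit scripts" task copies `src: templates` into `/etc/monit.d/scripts`, which reads as a copy-paste of the "monit templates" task directly above it; unless the scripts genuinely live under `templates/`, this should be `src: scripts`, otherwise the scripts directory is populated with template files and any monit check that execs from `/etc/monit.d/scripts` will fail. Two smaller points in the same hunk: `mode: 0655` on `/etc/default/syslog-ng@sharingan-data` sets the execute bit for group and other on a plain config file and is presumably a typo for `0644`, and the standalone "Sharingan-Data heartbeat timer" task re-copies `sharingan-heartbeat.timer` that the loop just above already installs, without `register`, so it cannot feed the `daemon_reload` condition and can be dropped. The final task uses `state: restarted`, which bounces syslog-ng and monit on every play run; `state: started` plus a handler notified by the registered copy tasks (and by `base_config`, which is registered but never consulted) would keep the role idempotent and avoid losing in-flight log buffers on each run.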


@@ -0,0 +1,59 @@
---
- name: sshguard package
become: yes
package:
name:
- sshguard
- suricata
- oinkmaster
state: present
- name: sshguard config
become: yes
copy:
src: sshguard.conf
dest: /etc/sshguard.conf
owner: root
group: root
mode: 0600
- name: sshguard allowlist
become: yes
copy:
dest: /etc/sshguard.allowlist
content: |
"{{ router }}/{{ netmask }}"
owner: root
group: root
mode: 0600
# - name: Copy oinkmaster service
# register: oinkmaster_service
# become: yes
# loop:
# - oinkmaster.service
# - oinkmaster.timer
# copy:
# src: "{{ item }}"
# dest: "/usr/lib/systemd/system/{{ item }}"
# owner: root
# group: root
# mode: 0644
#
# - systemd:
# daemon_reload: yes
# become: yes
# when: oinkmaster_service.changed
- name: IDS services
become: yes
loop:
- suricata.service
- sshguard.service
# - oinkmaster.timer
service:
name: "{{ item }}"
state: restarted
enabled: yes
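Review bot: The sshguard allowlist is written with literal double quotes around the entry: inside a `|` block scalar the quotes are content, so `/etc/sshguard.allowlist` ends up containing `"<router>/<netmask>"` rather than `<router>/<netmask>`, and sshguard will not read that line as an address or network. Use `content: "{{ router }}/{{ netmask }}\n"` or keep the block scalar and drop the quotes inside it; if `netmask` is a dotted mask rather than a prefix length the entry is still wrong, which is worth checking where that variable is defined. Note that this exempts the router's entire network from blocking, so any host on that subnet can hammer SSH without being throttled — fine for a trusted LAN, but it should be a deliberate choice rather than a default. With the oinkmaster tasks commented out, suricata runs with whatever rule set the package shipped and nothing in this role refreshes it; a `# TODO: rules are not updated until oinkmaster is re-enabled` above the "IDS services" task would make that gap visible.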


@@ -1,11 +1,12 @@
---
- name: Sharingan packages
become: yes
package:
name:
- openvas
- greenbone-security-assistant
- elasticsearch6
- mongodb
- graylog
---
- import_tasks: ../roles/Sharingan/tasks/siem.yml
when: siem is defined
- import_tasks: ../roles/Sharingan/tasks/ids.yml
when: secdetection is defined
- import_tasks: ../roles/Sharingan/tasks/vulns.yml
when: ansible_os_family == "Archlinux"
- import_tasks: ../roles/Sharingan/tasks/data.yml
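Review bot: The conditions `when: siem is defined` and `when: secdetection is defined` import the task files whenever the variable exists at all, so a host with `siem: false` in its vars still gets the SIEM stack installed and started; `when: siem | default(false) | bool` (and the same for `secdetection`) expresses the opt-in correctly. The `../roles/Sharingan/tasks/` prefix on each `import_tasks` is also unnecessary inside the role's own `main.yml`, where `import_tasks: siem.yml` resolves relative to the role's tasks directory and does not break if the role is renamed or vendored into another repository. Only `vulns.yml` is gated on `ansible_os_family`, yet the package names in the other task files (`oinkmaster`, `monitoring-plugins`, `elasticsearch`) look distribution-specific as well, so the gating may be needed there too — I cannot tell from here which distributions the inventory contains.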


@@ -0,0 +1,33 @@
---
- name: Sharingan packages
become: yes
register: sharingan_packages
package:
name:
- elasticsearch
- mongodb
- graylog
state: present
- name: Sharingan services
become: yes
loop:
- elasticsearch
- mongodb
- graylog
service:
name: "{{ item }}"
state: started
enabled: yes
- name: Sharingan backups directory
become: yes
file:
path: /usr/local/backups/elasticsearch
state: directory
owner: elasticsearch
group: elasticsearch
mode: 0770
- name: Set Sharingan backups
command: "curl -X PUT localhost:9200/_snapshot/my_backup?pretty -H 'Content-Type: application/json' -d '{ type: fs, settings: { location: /usr/local/backup/elasticsearch, compress: true } }'"
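Review bot: The snapshot-repository task at the end of the hunk cannot succeed as written: the `-d` payload (`{ type: fs, settings: { location: ..., compress: true } }`) is not valid JSON, and its location `/usr/local/backup/elasticsearch` does not match the directory the previous task creates at `/usr/local/backups/elasticsearch`. Because `curl` without `-f` exits 0 on an HTTP 4xx, the `command` task reports success either way, so the failure is silent, and the task also runs unconditionally on every play with no `changed_when` or `creates`. Replacing it with the `uri` module gives a real JSON body, an explicit status check and idempotent behaviour, as sketched below. Elasticsearch additionally refuses an `fs` repository whose path is not listed under `path.repo` in `elasticsearch.yml`; I do not see that setting being deployed in this commit, so a template task for it is probably needed as well.
```yaml
- name: Set Sharingan backups
  uri:
    url: http://localhost:9200/_snapshot/my_backup
    method: PUT
    body_format: json
    body:
      type: fs
      settings:
        location: /usr/local/backups/elasticsearch
        compress: true
    status_code: 200
```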


@@ -0,0 +1,45 @@
---
- name: Install lynis
register: lynis_pkg
become: yes
package:
name:
- lynis
- arch-audit
- clamav
state: present
- name: lynis config
register: lynis_conf
become: yes
copy:
src: lynis/custom.prf
dest: /etc/lynis/custom.prf
owner: root
group: root
mode: 0600
- name: lynis services
become: yes
copy:
src: "lynis/{{ item }}"
dest: /usr/lib/systemd/system/
owner: root
group: root
mode: 0664
loop:
- sharingan-vulns.service
- sharingan-vulns.timer
- freshclam.service
- freshclam.timer
- name: Enable timers
become: yes
loop:
- freshclam.timer
- sharingan-vulns.timer
service:
name: "{{ item }}"
state: restarted
enabled: yes