Kapisi/roles/Sharingan/tasks/ids.yml


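---
# IDS/IPS stack for the host:
#   sshguard   - network IPS (blocks brute-force SSH sources)
#   suricata   - network IDS, rule set refreshed by oinkmaster
#   rkhunter   - host IDS (rootkit / file-property checks)
# Expects `router` and `netmask` to be defined by the role or inventory.

- name: IDS packages
  become: true
  register: package_install
  package:
    name:
      - sshguard
      - suricata
      - oinkmaster
      - rkhunter
    state: present

# Network IPS
- name: sshguard config
  become: true
  register: sshguard_conf
  copy:
    src: sshguard.conf
    dest: /etc/sshguard.conf
    owner: root
    group: root
    mode: "0600"

# One address block per line, unquoted. The original wrapped the value in
# double quotes inside the literal block, so the quotes were written into the
# file (`"x.x.x.x/nn"`), which is not a valid allowlist entry -- the router was
# not actually exempted from blocking.
# NOTE(review): sshguard takes a CIDR prefix length after the slash (e.g. 24),
# not a dotted mask -- confirm what `netmask` holds.
- name: sshguard allowlist
  become: true
  register: sshguard_allowlist
  copy:
    dest: /etc/sshguard.allowlist
    content: |
      {{ router }}/{{ netmask }}
    owner: root
    group: root
    mode: "0600"

# Network IDS
# NOTE(review): files land root-only (0600). Fine while suricata reads its
# config and rules as root; if suricata.yaml drops privileges (run-as), confirm
# rule reloads still work for that user.
- name: suricata config files
  become: true
  register: suricata_files
  copy:
    src: suricata/
    dest: /etc/suricata/
    owner: root
    group: root
    mode: "0600"

- name: suricata config template
  become: true
  register: suricata_conf
  template:
    src: suricata.yaml.j2
    dest: /etc/suricata/suricata.yaml
    owner: root
    group: root
    mode: "0600"

# Host IDS
- name: Copy rkhunter config
  become: true
  register: rkhunter_conf
  copy:
    src: rkhunter/rkhunter.conf
    dest: /etc/rkhunter.conf
    owner: root
    group: root
    mode: "0644"

# NOTE(review): /usr/lib/systemd/system is the vendor/package unit directory;
# locally managed units conventionally live in /etc/systemd/system, which also
# takes precedence if a package later ships a unit of the same name. Path kept
# as-is here -- confirm nothing else depends on it before moving.
- name: Copy rkhunter units
  become: true
  register: rkhunter_service
  loop:
    - rkhunter.service
    - rkhunter.timer
  copy:
    src: "rkhunter/{{ item }}"
    dest: "/usr/lib/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"

# Network IDS rule updates
# NOTE(review): oinkmaster normally reads /etc/oinkmaster.conf; a .conf placed
# in the systemd unit directory is only used if oinkmaster.service passes it
# explicitly (-C). Confirm against the unit file.
- name: Copy oinkmaster conf
  become: true
  register: oinkmaster_conf
  copy:
    src: oinkmaster/oinkmaster.conf
    dest: /usr/lib/systemd/system/oinkmaster.conf
    owner: root
    group: root
    mode: "0644"

- name: Copy oinkmaster units
  become: true
  register: oinkmaster_service
  loop:
    - oinkmaster.service
    - oinkmaster.timer
  copy:
    src: "oinkmaster/{{ item }}"
    dest: "/usr/lib/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"

- name: Reload systemd after unit changes
  become: true
  when: oinkmaster_service.changed or rkhunter_service.changed
  systemd:
    daemon_reload: true

# Fetch the rule set immediately instead of waiting for the first timer run.
- name: Update oinkmaster DB
  become: true
  when: package_install.changed or oinkmaster_conf.changed
  service:
    name: oinkmaster.service
    state: started

# `--propupd` records the current file properties as the trusted baseline.
# This is trust-on-first-use: only meaningful on a host believed to be clean.
# Re-run after legitimate package upgrades, or rkhunter will flag the new
# binaries as warnings.
- name: Update rkhunter DB
  become: true
  when: package_install.changed or rkhunter_conf.changed
  environment:
    PATH: /usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
  shell: rkhunter -C && rkhunter --propupd

# Ensure everything is enabled and running, then restart only what changed.
# The previous unconditional `restarted` on every run opened a capture gap in
# suricata and typically dropped sshguard's in-memory block state each time.
- name: IDS services enabled and running
  become: true
  loop:
    - suricata.service
    - sshguard.service
    - oinkmaster.timer
    - rkhunter.timer
  service:
    name: "{{ item }}"
    state: started
    enabled: true

- name: Restart suricata on config change
  become: true
  when: package_install.changed or suricata_files.changed or suricata_conf.changed
  service:
    name: suricata.service
    state: restarted

- name: Restart sshguard on config change
  become: true
  when: package_install.changed or sshguard_conf.changed or sshguard_allowlist.changed
  service:
    name: sshguard.service
    state: restarted

# Timer schedule changes only take effect after the timer unit is restarted.
- name: Restart timers on unit change
  become: true
  when: oinkmaster_service.changed or rkhunter_service.changed
  loop:
    - oinkmaster.timer
    - rkhunter.timer
  service:
    name: "{{ item }}"
    state: restarted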