Kapisi/roles/Sharingan/tasks/ids.yml

---

 - name: IDS packages
   become: yes
   register: package_install
   package:
     name:
       - aide
       - sshguard
       - suricata
       - oinkmaster
       - rkhunter
       - sharingan-scripts
     state: present

 # Network IPS
 - name: sshguard config
   become: yes
   copy:
     src: sshguard.conf
     dest: /etc/sshguard.conf
     owner: root
     group: root
     mode: 0600

 - name: sshguard allowlist
   become: yes
   copy:
     dest: /etc/sshguard.allowlist
     content: |
       "{{ router }}/{{ netmask }}"
     owner: root
     group: root
     mode: 0600

 - name: suricata config files
   become: yes
   copy:
     src: suricata/
     dest: /etc/suricata/
     owner: root
     group: root
     mode: 0600

 - name: suricata config template
   become: yes
   template:
     src: suricata.yaml.j2
     dest: /etc/suricata/suricata.yaml
     owner: root
     group: root
     mode: 0600

 # Host IDS
 - name: Copy rkhunter service
   register: rkhunter_conf
   become: yes
   copy:
     src: rkhunter/rkhunter.conf
     dest: "/etc/rkhunter.conf"
     owner: root
     group: root
     mode: 0644

 - name: Copy rkhunter service
   register: rkhunter_service
   become: yes
   loop:
     - rkhunter.service
     - rkhunter.timer
   copy:
     src: "rkhunter/{{ item }}"
     dest: "/usr/lib/systemd/system/{{ item }}"
     owner: root
     group: root
     mode: 0644

 - name: Create aide conf folder
   become: yes
   copy:
     src: "aide/"
     dest: /etc/aide
     owner: root
     group: root
     mode: 0755

 # Network IDS
 - name: Copy oinkmaster conf
   register: oinkmaster_conf
   become: yes
   copy:
     src: "oinkmaster/oinkmaster.conf"
     dest: "/usr/lib/systemd/system/oinkmaster.conf"
     owner: root
     group: root
     mode: 0644

 - name: Copy oinkmaster service
   register: oinkmaster_service
   become: yes
   loop:
     - oinkmaster.service
     - oinkmaster.timer
   copy:
     src: "oinkmaster/{{ item }}"
     dest: "/usr/lib/systemd/system/{{ item }}"
     owner: root
     group: root
     mode: 0644

 - systemd:
     daemon_reload: yes
   become: yes
   when: oinkmaster_service.changed or rkhunter_service.changed

 - name: Update oinkmaster DB
   become: yes
   when: package_install.changed or oinkmaster_conf.changed
   service:
     name: oinkmaster.service
     state: started

 - name: Update rkhunter DB
   become: yes
   when: package_install.changed or rkhunter_conf.changed
   command: "/bin/bash -c 'export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; rkhunter -C && rkhunter --propupd'"

 - name: IDS services
   become: yes
   loop:
     - suricata.service
     - sshguard.service
     - oinkmaster.timer
     - rkhunter.timer
   service:
     name: "{{ item }}"
     state: restarted
     enabled: yes
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00			`---`

Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`- name: IDS packages`
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00			`become: yes`
Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`register: package_install`
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00			`package:`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`name:`
Adding AIDE to HIDS tools 2025-04-12 04:36:22 -05:00			`- aide`
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00			`- sshguard`
			`- suricata`
			`- oinkmaster`
Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`- rkhunter`
Catchup 2025-10-21 14:04:09 -05:00			`- sharingan-scripts`
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00			`state: present`

Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`# Network IPS`
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00			`- name: sshguard config`
			`become: yes`
			`copy:`
			`src: sshguard.conf`
			`dest: /etc/sshguard.conf`
			`owner: root`
			`group: root`
			`mode: 0600`

			`- name: sshguard allowlist`
			`become: yes`
			`copy:`
			`dest: /etc/sshguard.allowlist`
			`content: \|`
			`"{{ router }}/{{ netmask }}"`
			`owner: root`
			`group: root`
			`mode: 0600`

Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`- name: suricata config files`
			`become: yes`
			`copy:`
			`src: suricata/`
			`dest: /etc/suricata/`
			`owner: root`
			`group: root`
			`mode: 0600`

			`- name: suricata config template`
			`become: yes`
			`template:`
			`src: suricata.yaml.j2`
			`dest: /etc/suricata/suricata.yaml`
			`owner: root`
			`group: root`
			`mode: 0600`

Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`# Host IDS`
			`- name: Copy rkhunter service`
			`register: rkhunter_conf`
			`become: yes`
			`copy:`
			`src: rkhunter/rkhunter.conf`
			`dest: "/etc/rkhunter.conf"`
			`owner: root`
			`group: root`
			`mode: 0644`

			`- name: Copy rkhunter service`
			`register: rkhunter_service`
			`become: yes`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`loop:`
Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`- rkhunter.service`
			`- rkhunter.timer`
			`copy:`
			`src: "rkhunter/{{ item }}"`
			`dest: "/usr/lib/systemd/system/{{ item }}"`
			`owner: root`
			`group: root`
			`mode: 0644`

Adding AIDE to HIDS tools 2025-04-12 04:36:22 -05:00			`- name: Create aide conf folder`
			`become: yes`
			`copy:`
			`src: "aide/"`
			`dest: /etc/aide`
			`owner: root`
			`group: root`
			`mode: 0755`

Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`# Network IDS`
			`- name: Copy oinkmaster conf`
			`register: oinkmaster_conf`
			`become: yes`
			`copy:`
			`src: "oinkmaster/oinkmaster.conf"`
			`dest: "/usr/lib/systemd/system/oinkmaster.conf"`
			`owner: root`
			`group: root`
			`mode: 0644`

			`- name: Copy oinkmaster service`
			`register: oinkmaster_service`
			`become: yes`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`loop:`
Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`- oinkmaster.service`
			`- oinkmaster.timer`
			`copy:`
			`src: "oinkmaster/{{ item }}"`
			`dest: "/usr/lib/systemd/system/{{ item }}"`
			`owner: root`
			`group: root`
			`mode: 0644`

			`- systemd:`
			`daemon_reload: yes`
			`become: yes`
			`when: oinkmaster_service.changed or rkhunter_service.changed`

			`- name: Update oinkmaster DB`
			`become: yes`
			`when: package_install.changed or oinkmaster_conf.changed`
			`service:`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`name: oinkmaster.service`
Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`state: started`

			`- name: Update rkhunter DB`
			`become: yes`
			`when: package_install.changed or rkhunter_conf.changed`
			`command: "/bin/bash -c 'export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; rkhunter -C && rkhunter --propupd'"`
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00
			`- name: IDS services`
			`become: yes`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`loop:`
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00			`- suricata.service`
			`- sshguard.service`
Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00			`- oinkmaster.timer`
			`- rkhunter.timer`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`service:`
Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00			`name: "{{ item }}"`
			`state: restarted`
			`enabled: yes`