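---
# Intrusion detection / prevention for the managed host.
# Installs aide, sshguard, suricata, oinkmaster and rkhunter, installs their
# configuration and systemd units, and (re)starts the services and timers.
#
# All file tasks run with become so the results are root-owned; the detection
# tools' own configs are installed 0600 (not world-readable), unit files 0644.
# Octal modes are quoted: a bare `0600` is read as an octal *integer* by
# YAML 1.1 loaders, which Ansible only tolerates by special-casing it.

- name: IDS packages
  become: true
  register: package_install
  package:
    name:
      - aide
      - sshguard
      - suricata
      - oinkmaster
      - rkhunter
    state: present

# Network IPS
- name: sshguard config
  become: true
  copy:
    src: sshguard.conf
    dest: /etc/sshguard.conf
    owner: root
    group: root
    mode: "0600"

# Addresses in the allowlist are never blocked by sshguard, so the list is kept
# to the local network (router / netmask) and not extended to arbitrary hosts.
- name: sshguard allowlist
  become: true
  copy:
    dest: /etc/sshguard.allowlist
    # No quotes around the expression: inside a `|` block scalar they are
    # literal characters and would be written into the allowlist file as-is.
    content: |
      {{ router }}/{{ netmask }}
    owner: root
    group: root
    mode: "0600"

- name: suricata config files
  become: true
  copy:
    src: suricata/
    dest: /etc/suricata/
    owner: root
    group: root
    mode: "0600"  # applied to every copied file; rules/config should not be world-readable

- name: suricata config template
  become: true
  template:
    src: suricata.yaml.j2
    dest: /etc/suricata/suricata.yaml
    owner: root
    group: root
    mode: "0600"

# Host IDS
- name: Copy rkhunter conf  # previously shared its name with the unit-file task below
  register: rkhunter_conf
  become: true
  copy:
    src: rkhunter/rkhunter.conf
    dest: "/etc/rkhunter.conf"
    owner: root
    group: root
    mode: "0644"

- name: Copy rkhunter service
  register: rkhunter_service
  become: true
  loop:
    - rkhunter.service
    - rkhunter.timer
  copy:
    src: "rkhunter/{{ item }}"
    dest: "/usr/lib/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"

- name: Create aide conf folder
  become: true
  copy:
    src: "aide/"
    dest: /etc/aide
    owner: root
    group: root
    mode: "0755"  # directory mode; also applied to the files inside the tree

# Network IDS
- name: Copy oinkmaster conf
  register: oinkmaster_conf
  become: true
  copy:
    src: "oinkmaster/oinkmaster.conf"
    # NOTE(review): the conf is installed into the systemd unit directory;
    # confirm oinkmaster.service reads it from this path (oinkmaster's
    # conventional location is /etc/oinkmaster.conf).
    dest: "/usr/lib/systemd/system/oinkmaster.conf"
    owner: root
    group: root
    mode: "0644"

- name: Copy oinkmaster service
  register: oinkmaster_service
  become: true
  loop:
    - oinkmaster.service
    - oinkmaster.timer
  copy:
    src: "oinkmaster/{{ item }}"
    dest: "/usr/lib/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"

# Unit files changed on disk only take effect after a daemon-reload.
- name: Reload systemd after unit file changes
  become: true
  when: oinkmaster_service.changed or rkhunter_service.changed
  systemd:
    daemon_reload: true

- name: Update oinkmaster DB
  become: true
  when: package_install.changed or oinkmaster_conf.changed
  service:
    name: oinkmaster.service
    state: started

# `rkhunter -C` validates the config, then `--propupd` rebuilds the
# file-properties baseline from the host's *current* state. Whatever is on the
# filesystem at that moment becomes "known good", so this is deliberately gated
# to a fresh install or a config change rather than run on every play.
- name: Update rkhunter DB
  become: true
  when: package_install.changed or rkhunter_conf.changed
  environment:
    PATH: /usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
  shell: rkhunter -C && rkhunter --propupd

- name: IDS services
  become: true
  loop:
    - suricata.service
    - sshguard.service
    - oinkmaster.timer
    - rkhunter.timer
  service:
    name: "{{ item }}"
    state: restarted
    enabled: true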