Update to 2021-03-02 09:00

3 years ago · 8d368437c5
parent 0d2cff0d96
commit 8d368437c5
17 changed files with 116 additions and 44 deletions
--- a/roles/crowdsec/defaults/main.yml
+++ b/roles/crowdsec/defaults/main.yml
@ -7,6 +7,14 @@ cs_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{
 # Expected sha1 of the archive
 cs_archive_sha1: 060782df0b6a8a799c1c0e6efc874b26ca9988e6

+# Crowdsec usually should run as root to be able to access all your logs
+# but in some situations, when all your logs are readable by a less privileged user, you can run
+# crowdsec as another user account, for better security
+cs_user: root
+
+# Directory where data will be stored
+cs_root_dir: /opt/crowdsec
+
 # Can be sqlite or mysql
 cs_db_engine: sqlite
 # This is for mysql backend
@ -49,25 +57,30 @@ cs_prometheus_port: 6060
 cs_prometheus_src_ip: []

 # Default duration of a ban
-cs_ban_duration: 15m
+cs_trusted_countries:
+  - FR
+# Duration of bans for attacks from trusted countries
+cs_ban_trusted_duration: 15m
+# Default duration of a ban
+cs_ban_duration: 2h

 # List of parsers to install from the hub
-cs_parsers: []
-#  - crowdsecurity/syslog-logs
-#  - crowdsecurity/geoip-enrich
-#  - crowdsecurity/dateparse-enrich
-#  - crowdsecurity/whitelists
-#  - crowdsecurity/sshd-logs
-#  - crowdsecurity/iptables-logs
+cs_parsers:
+  - crowdsecurity/syslog-logs
+  - crowdsecurity/geoip-enrich
+  - crowdsecurity/dateparse-enrich
+  - crowdsecurity/whitelists
+  - crowdsecurity/sshd-logs
+  - crowdsecurity/iptables-logs
 # List of scenarios to install from the hub
-cs_scenarios: []
-#  - crowdsecurity/ban-defcon-drop_range
-#  - crowdsecurity/ssh-bf
+cs_scenarios:
+  - crowdsecurity/ban-defcon-drop_range
+  - crowdsecurity/ssh-bf
 # List of postoverflows to install from the hub
-cs_postoverflows: []
-#  - crowdsecurity/cdn-whitelist
-#  - crowdsecurity/rdns
-#  - crowdsecurity/seo-bots-whitelist
+cs_postoverflows:
+  - crowdsecurity/cdn-whitelist
+  - crowdsecurity/rdns
+  - crowdsecurity/seo-bots-whitelist

 # If not set, crowdsec will look for yaml files in /etc/crowdsec/acquis/
 # The default will only read syslog using journalctl
--- a/roles/crowdsec/tasks/conf.yml
+++ b/roles/crowdsec/tasks/conf.yml
@ -117,3 +117,10 @@
  when: cs_install_mode == 'upgrade'
  notify: reload crowdsec
  tags: cs
+
+- name: Set permissions on conf and data directories
+  file: path={{ item }} owner={{ cs_user }} group={{ cs_user }} recurse=True
+  loop:
+    - /etc/crowdsec
+    - "{{ cs_root_dir }}/data"
+  tags: cs
--- a/roles/crowdsec/tasks/directories.yml
+++ b/roles/crowdsec/tasks/directories.yml
@ -5,9 +5,12 @@
  loop:
    - dir: /etc/crowdsec
      mode: 755
-    - dir: /etc/crowdsec/meta
+    - dir: "{{ cs_root_dir }}"
+    - dir: "{{ cs_root_dir }}/meta"
      mode: 700
-    - dir: /home/lbkp/crowdsec
+    - dir: "{{ cs_root_dir }}/backups"
+      mode: 700
+    - dir: "{{ cs_root_dir }}/data"
    - dir: /etc/crowdsec/parsers/s00-raw
    - dir: /etc/crowdsec/parsers/s01-parse
    - dir: /etc/crowdsec/parsers/s02-enrich
--- a/roles/crowdsec/tasks/facts.yml
+++ b/roles/crowdsec/tasks/facts.yml
@ -35,7 +35,7 @@
 - block:
    - import_tasks: ../includes/get_rand_pass.yml
      vars:
-        - pass_file: "/etc/crowdsec/meta/ansible_db_pass"
+        - pass_file: "{{ cs_root_dir }}/meta/ansible_db_pass"
        - complex: False
    - set_fact: cs_db_pass={{ rand_pass }}
  when:
@ -45,13 +45,13 @@

 # Check if local API credentials are available in the meta dir
 - name: Check local API credential files
-  stat: path=/etc/crowdsec/meta/lapi_pass
+  stat: path={{ cs_root_dir }}/meta/lapi_pass
  register: cs_lapi_pass_file
  tags: cs

 - name: Read the local API pass
  block:
-    - slurp: src=/etc/crowdsec/meta/lapi_pass
+    - slurp: src={{ cs_root_dir }}/meta/lapi_pass
      register: cs_lapi_pass_meta
    - set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }}
  when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists
@ -60,15 +60,15 @@
 # Check if central API credentials are available in the meta dir
 - name: Check central API credential files
  block: 
-    - stat: path=/etc/crowdsec/meta/capi_user
+    - stat: path={{ cs_root_dir }}/meta/capi_user
      register: cs_capi_user_file
-    - stat: path=/etc/crowdsec/meta/capi_pass
+    - stat: path={{ cs_root_dir }}/meta/capi_pass
      register: cs_capi_pass_file
  tags: cs

 - name: Read the central API user
  block:
-    - slurp: src=/etc/crowdsec/meta/capi_user
+    - slurp: src={{ cs_root_dir }}/meta/capi_user
      register: cs_capi_user_meta
    - set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }}
  when: cs_capi_user is not defined and cs_capi_user_file.stat.exists
@ -76,7 +76,7 @@

 - name: Read the central API pass
  block:
-    - slurp: src=/etc/crowdsec/meta/capi_pass
+    - slurp: src={{ cs_root_dir }}/meta/capi_pass
      register: cs_capi_pass_meta
    - set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }}
  when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists
--- a/roles/crowdsec/tasks/install.yml
+++ b/roles/crowdsec/tasks/install.yml
@ -37,13 +37,24 @@
      StartLimitInterval=0
      RestartSec=30
    dest: /etc/systemd/system/crowdsec.service.d/restart.conf
-  register: crodwsec_unit
+  register: crodwsec_unit_restart
+  notify: restart crowdsec
+  tags: cs
+
+- name: Set user account which runs the service
+  copy:
+    content: |
+      [Service]
+      User={{ cs_user }}
+      Group={{ cs_user }}
+    dest: /etc/systemd/system/crowdsec.service.d/user.conf
+  register: crodwsec_unit_user
  notify: restart crowdsec
  tags: cs

 - name: Reload systemd
  systemd: daemon_reload=True
-  when: crodwsec_unit.changed
+  when: crodwsec_unit_restart.changed or crodwsec_unit_user.changed
  tags: cs

 - name: Install pre and post backup hooks
--- a/roles/crowdsec/tasks/main.yml
+++ b/roles/crowdsec/tasks/main.yml
@ -1,5 +1,6 @@
 ---

+- include: user.yml
 - include: directories.yml
 - include: facts.yml
 - include: install.yml
--- a/roles/crowdsec/tasks/user.yml
+++ b/roles/crowdsec/tasks/user.yml
@ -0,0 +1,6 @@
+---
+
+- name: Create crowdsec user
+  user: name={{ cs_user }} system=True shell=/sbin/nologin
+  when: cs_user != 'root'
+  tags: cs
--- a/roles/crowdsec/templates/config.yaml.j2
+++ b/roles/crowdsec/templates/config.yaml.j2
@ -7,7 +7,7 @@ common:

 config_paths:
  config_dir: /etc/crowdsec/
-  data_dir: /var/lib/crowdsec/data/
+  data_dir: {{ cs_root_dir }}/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
@ -34,7 +34,7 @@ db_config:
  host: {{ cs_db_server }}
  port: {{ cs_db_port }}
 {% else %}
-  db_path: /var/lib/crowdsec/data/crowdsec.db
+  db_path: {{ cs_root_dir }}/data/crowdsec.db
 {% endif %}
  flush:
    max_items: 100000
--- a/roles/crowdsec/templates/dev.yaml.j2
+++ b/roles/crowdsec/templates/dev.yaml.j2
@ -6,7 +6,7 @@ common:

 config_paths:
  config_dir: /etc/crowdsec/
-  data_dir: /var/lib/crowdsec/data/
+  data_dir: {{ cs_root_dir }}/data/
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
@ -21,10 +21,10 @@ cscli:

 db_config:
  log_level: info
-  db_path: /var/lib/crowdsec/data/dev.db
+  db_path: {{ cs_root_dir }}/data/dev.db
  flush:
-    max_items: 100000
-    max_age: 730d
+    max_items: 1000
+    max_age: 30d

 api:
  client:
--- a/roles/crowdsec/templates/post-backup.j2
+++ b/roles/crowdsec/templates/post-backup.j2
@ -1,3 +1,3 @@
 #!/bin/bash -e

-rm -f /home/lbkp/crowdsec/*
+rm -f {{ cs_root_dir }}/backup/*
--- a/roles/crowdsec/templates/pre-backup.j2
+++ b/roles/crowdsec/templates/pre-backup.j2
@ -1,6 +1,5 @@
 #!/bin/bash -e

-mkdir -p /home/lbkp/crowdsec/
 {% if cs_lapi_enabled %}
 {% if cs_db_engine == 'mysql' %}
 /usr/bin/mysqldump \
@ -11,8 +10,8 @@ mkdir -p /home/lbkp/crowdsec/
  --port={{ cs_db_port | quote }} \
 {% endif %}
  --quick --single-transaction \
-  --add-drop-table {{ cs_db_name | quote }} | zstd -c > /home/lbkp/crowdsec/{{ cs_db_name }}.sql.zst
+  --add-drop-table {{ cs_db_name | quote }} | zstd -c > {{ cs_root_dir }}/backup/{{ cs_db_name }}.sql.zst
 {% else %}
-sqlite3 /var/lib/crowdsec/data/crowdsec.db .dump | zstd -c > /home/lbkp/crowdsec/crowdsec.sql.zst
+sqlite3 {{ cs_root_dir }}/data/crowdsec.db .dump | zstd -c > {{ cs_root_dir }}/backup/crowdsec.sql.zst
 {% endif %}
 {% endif %}
--- a/roles/crowdsec/templates/profiles.yaml.j2
+++ b/roles/crowdsec/templates/profiles.yaml.j2
@ -1,3 +1,21 @@
+{% if cs_trusted_countries | length > 0 %}
+name: trusted_countries_ip_remediation
+filters:
+  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.Source.Cn in ["{{ cs_trusted_countries | join('","') }}"]
+decisions:
+ - type: ban
+   duration: {{ cs_ban_trusted_duration }}
+on_success: break
+---
+name: trusted_countries_range_remediation
+filters:
+  - Alert.Remediation == true && Alert.GetScope() == "Range" && Alert.Source.Cn in ["{{ cs_trusted_countries | join('","') }}"]
+decisions:
+ - type: ban
+   duration: {{ cs_ban_trusted_duration }}
+on_success: break
+---
+{% endif %}
 name: default_ip_remediation
 filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
@ -5,3 +23,11 @@ decisions:
 - type: ban
   duration: {{ cs_ban_duration }}
 on_success: break
+---
+name: default_range_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Range"
+decisions:
+ - type: ban
+   duration: {{ cs_ban_duration }}
+on_success: break
--- a/roles/g2cs/tasks/install.yml
+++ b/roles/g2cs/tasks/install.yml
@ -5,22 +5,22 @@
    name:
      - perl-IO
      - perl-Getopt-Long
-  tags: g2cs
+  tags: cs

 - name: Install main script
  copy: src=g2cs.pl dest=/usr/local/bin/g2cs mode=755
-  tags: g2cs
+  tags: cs

 - name: Deploy systemd unit
  template: src=g2cs.service.j2 dest=/etc/systemd/system/g2cs.service
  notify: restart g2cs
  register: g2cs_unit
-  tags: g2cs
+  tags: cs

 - name: Reload systemd
  systemd: daemon_reload=True
  when: g2cs_unit.changed
-  tags: g2cs
+  tags: cs

 - name: Deploy tmpfiles.d config
  copy:
@ -29,9 +29,9 @@
      d /run/g2cs/logs 0700 g2cs g2cs - -
    dest: /etc/tmpfiles.d/g2cs.conf
  register: g2cs_tmpfiles
-  tags: g2cs
+  tags: cs

 - name: Create tmpfiles dir
  command: systemd-tmpfiles --create
  when: g2cs_tmpfiles.changed
-  tags: g2cs
+  tags: cs
--- a/roles/g2cs/tasks/iptables.yml
+++ b/roles/g2cs/tasks/iptables.yml
@ -5,4 +5,4 @@
    name: g2cs_port
    state: "{{ (g2cs_src_ip | length > 0) | ternary('present','absent') }}"
    rules: "-A INPUT -p udp --dport {{ g2cs_port }} -s {{ g2cs_src_ip | join(',') }} -j ACCEPT"
-  tags: firewall,g2cs
+  tags: firewall,cs
--- a/roles/g2cs/tasks/main.yml
+++ b/roles/g2cs/tasks/main.yml
@ -1,5 +1,6 @@
 ---

+- include: user.yml
 - include: install.yml
 - include: iptables.yml
  when: iptables_manage | default(True)
--- a/roles/g2cs/tasks/service.yml
+++ b/roles/g2cs/tasks/service.yml
@ -2,4 +2,4 @@

 - name: Start and enable the service
  service: name=g2cs state=started enabled=True
-  tags: g2cs
+  tags: cs
--- a/roles/g2cs/tasks/user.yml
+++ b/roles/g2cs/tasks/user.yml
@ -0,0 +1,5 @@
+---
+
+- name: Create g2cs user account
+  user: name=g2cs system=True shell=/sbin/nologin
+  tags: cs