From 8d368437c5da537b79cdd8244e3ba46a716133aa Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Tue, 2 Mar 2021 09:00:08 +0100 Subject: [PATCH] Update to 2021-03-02 09:00 --- roles/crowdsec/defaults/main.yml | 43 ++++++++++++++++++++----------- roles/crowdsec/tasks/conf.yml | 7 +++++ roles/crowdsec/tasks/directories.yml | 7 +++-- roles/crowdsec/tasks/facts.yml | 14 +++++----- roles/crowdsec/tasks/install.yml | 15 +++++++++-- roles/crowdsec/tasks/main.yml | 1 + roles/crowdsec/tasks/user.yml | 6 +++++ roles/crowdsec/templates/config.yaml.j2 | 4 +-- roles/crowdsec/templates/dev.yaml.j2 | 8 +++--- roles/crowdsec/templates/post-backup.j2 | 2 +- roles/crowdsec/templates/pre-backup.j2 | 5 ++-- roles/crowdsec/templates/profiles.yaml.j2 | 26 +++++++++++++++++++ roles/g2cs/tasks/install.yml | 12 ++++----- roles/g2cs/tasks/iptables.yml | 2 +- roles/g2cs/tasks/main.yml | 1 + roles/g2cs/tasks/service.yml | 2 +- roles/g2cs/tasks/user.yml | 5 ++++ 17 files changed, 116 insertions(+), 44 deletions(-) create mode 100644 roles/crowdsec/tasks/user.yml create mode 100644 roles/g2cs/tasks/user.yml diff --git a/roles/crowdsec/defaults/main.yml b/roles/crowdsec/defaults/main.yml index e9027fc..0ddbc46 100644 --- a/roles/crowdsec/defaults/main.yml +++ b/roles/crowdsec/defaults/main.yml @@ -7,6 +7,14 @@ cs_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{ # Expected sha1 of the archive cs_archive_sha1: 060782df0b6a8a799c1c0e6efc874b26ca9988e6 +# Crowdsec usually should run as root to be able to access all your logs +# but in some situations, when all your logs are readable by a less privileged user, you can run +# crowdsec as another user account, for better security +cs_user: root + +# Directory where data will be stored +cs_root_dir: /opt/crowdsec + # Can be sqlite or mysql cs_db_engine: sqlite # This is for mysql backend 
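Review bot: The new `cs_user` comment explains why a non-root account is optional but not what such an account needs, and since the role's default acquisition is journalctl (per the comment further down in this file) a plain system user will read nothing; add `# For the default journalctl acquisition the account typically also needs membership of the systemd-journal (or adm) group, which this role does not grant.` after the third comment line. The `cs_root_dir` comment is narrower than the use this commit makes of the directory, which holds the DB and hub data under data/, the generated credentials under meta/ (created with mode 700 in directories.yml) and the backup dumps; `# Base directory for crowdsec state: data/ (database, hub data), meta/ (generated credentials) and the backup dumps` would be more accurate. It is also worth stating here that `cs_user` doubles as the group name in the systemd drop-in, since operators override this value.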
@@ -49,25 +57,30 @@ cs_prometheus_port: 6060 cs_prometheus_src_ip: [] # Default duration of a ban -cs_ban_duration: 15m +cs_trusted_countries: + - FR +# Duration of bans for attacks from trusted countries +cs_ban_trusted_duration: 15m +# Default duration of a ban +cs_ban_duration: 2h # List of parsers to install from the hub -cs_parsers: [] -# - crowdsecurity/syslog-logs -# - crowdsecurity/geoip-enrich -# - crowdsecurity/dateparse-enrich -# - crowdsecurity/whitelists -# - crowdsecurity/sshd-logs -# - crowdsecurity/iptables-logs +cs_parsers: + - crowdsecurity/syslog-logs + - crowdsecurity/geoip-enrich + - crowdsecurity/dateparse-enrich + - crowdsecurity/whitelists + - crowdsecurity/sshd-logs + - crowdsecurity/iptables-logs # List of scenarios to install from the hub -cs_scenarios: [] -# - crowdsecurity/ban-defcon-drop_range -# - crowdsecurity/ssh-bf +cs_scenarios: + - crowdsecurity/ban-defcon-drop_range + - crowdsecurity/ssh-bf # List of postoverflows to install from the hub -cs_postoverflows: [] -# - crowdsecurity/cdn-whitelist -# - crowdsecurity/rdns -# - crowdsecurity/seo-bots-whitelist +cs_postoverflows: + - crowdsecurity/cdn-whitelist + - crowdsecurity/rdns + - crowdsecurity/seo-bots-whitelist # If not set, crowdsec will look for yaml files in /etc/crowdsec/acquis/ # The default will only read syslog using journalctl diff --git a/roles/crowdsec/tasks/conf.yml b/roles/crowdsec/tasks/conf.yml index d903838..c87fadb 100644 --- a/roles/crowdsec/tasks/conf.yml +++ b/roles/crowdsec/tasks/conf.yml @@ -117,3 +117,10 @@ when: cs_install_mode == 'upgrade' notify: reload crowdsec tags: cs + +- name: Set permissions on conf and data directories + file: path={{ item }} owner={{ cs_user }} group={{ cs_user }} recurse=True + loop: + - /etc/crowdsec + - "{{ cs_root_dir }}/data" + tags: cs diff --git a/roles/crowdsec/tasks/directories.yml b/roles/crowdsec/tasks/directories.yml index 85bc09f..e5ddfdc 100644 --- a/roles/crowdsec/tasks/directories.yml 
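Review bot: `cs_trusted_countries` is introduced without saying what makes a country "trusted" or what format the entries take, and its effect silently depends on `crowdsecurity/geoip-enrich` staying in `cs_parsers`, which is now a default an operator can override; add `# ISO 3166-1 alpha-2 codes as set by crowdsecurity/geoip-enrich (keep it in cs_parsers); attacks from these get the shorter cs_ban_trusted_duration` above the list. The `# Default duration of a ban` comment should then read `# Duration of bans for every other country`. The default for non-trusted sources also moves from 15m to 2h, which is a behaviour change for every host already using this role, and deserves a line in the commit description.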
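Review bot: The new `Set permissions on conf and data directories` task makes the service account the owner of all of `/etc/crowdsec`, so a compromised crowdsec process could rewrite its own acquisition, profile, hub and API-credential files, which removes much of the point of running as a non-root `cs_user`. Presumably only `{{ cs_root_dir }}/data` has to be writable by the daemon; confirm that nothing the daemon itself (as opposed to cscli run by this role) writes lives under `/etc/crowdsec`. Keep the configuration root-owned and group-readable instead, e.g. a separate task `file: path=/etc/crowdsec owner=root group={{ cs_user }} mode=g+rX recurse=True`, and leave only the data directory in this loop. The task also runs when `cs_user` is `root`, which is harmless, but a `when: cs_user != 'root'` would make the intent explicit.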
+++ b/roles/crowdsec/tasks/directories.yml @@ -5,9 +5,12 @@ loop: - dir: /etc/crowdsec mode: 755 - - dir: /etc/crowdsec/meta + - dir: "{{ cs_root_dir }}" + - dir: "{{ cs_root_dir }}/meta" mode: 700 - - dir: /home/lbkp/crowdsec + - dir: "{{ cs_root_dir }}/backups" + mode: 700 + - dir: "{{ cs_root_dir }}/data" - dir: /etc/crowdsec/parsers/s00-raw - dir: /etc/crowdsec/parsers/s01-parse - dir: /etc/crowdsec/parsers/s02-enrich diff --git a/roles/crowdsec/tasks/facts.yml b/roles/crowdsec/tasks/facts.yml index 119ee78..a20a091 100644 --- a/roles/crowdsec/tasks/facts.yml +++ b/roles/crowdsec/tasks/facts.yml @@ -35,7 +35,7 @@ - block: - import_tasks: ../includes/get_rand_pass.yml vars: - - pass_file: "/etc/crowdsec/meta/ansible_db_pass" + - pass_file: "{{ cs_root_dir }}/meta/ansible_db_pass" - complex: False - set_fact: cs_db_pass={{ rand_pass }} when: @@ -45,13 +45,13 @@ # Check if local API credentials are available in the meta dir - name: Check local API credential files - stat: path=/etc/crowdsec/meta/lapi_pass + stat: path={{ cs_root_dir }}/meta/lapi_pass register: cs_lapi_pass_file tags: cs - name: Read the local API pass block: - - slurp: src=/etc/crowdsec/meta/lapi_pass + - slurp: src={{ cs_root_dir }}/meta/lapi_pass register: cs_lapi_pass_meta - set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }} when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists 
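Review bot: The directory created here is `{{ cs_root_dir }}/backups`, but the backup hooks in this same commit (pre-backup.j2 and post-backup.j2) write to and clean `{{ cs_root_dir }}/backup/`, and the `mkdir -p` that used to paper over this was removed from pre-backup.j2; under `bash -e` the dump redirect fails on a missing directory, so one of the two spellings has to change, and `- dir: "{{ cs_root_dir }}/backup"` here is the smaller edit. The new `mode: 700` (like the existing `755`/`700` entries) is an unquoted YAML integer; what lands on disk depends on how the task consuming `item.mode` (outside this hunk) templates it, and Ansible's file module treats a bare number as decimal, so quote it as `mode: "0700"` to be safe.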
@@ -60,15 +60,15 @@ # Check if central API credentials are available in the meta dir - name: Check central API credential files block: - - stat: path=/etc/crowdsec/meta/capi_user + - stat: path={{ cs_root_dir }}/meta/capi_user register: cs_capi_user_file - - stat: path=/etc/crowdsec/meta/capi_pass + - stat: path={{ cs_root_dir }}/meta/capi_pass register: cs_capi_pass_file tags: cs - name: Read the central API user block: - - slurp: src=/etc/crowdsec/meta/capi_user + - slurp: src={{ cs_root_dir }}/meta/capi_user register: cs_capi_user_meta - set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }} when: cs_capi_user is not defined and cs_capi_user_file.stat.exists @@ -76,7 +76,7 @@ - name: Read the central API pass block: - - slurp: src=/etc/crowdsec/meta/capi_pass + - slurp: src={{ cs_root_dir }}/meta/capi_pass register: cs_capi_pass_meta - set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }} when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists diff --git a/roles/crowdsec/tasks/install.yml b/roles/crowdsec/tasks/install.yml index 1d691e8..fb2063f 100644 --- a/roles/crowdsec/tasks/install.yml +++ b/roles/crowdsec/tasks/install.yml @@ -37,13 +37,24 @@ StartLimitInterval=0 RestartSec=30 dest: /etc/systemd/system/crowdsec.service.d/restart.conf - register: crodwsec_unit + register: crodwsec_unit_restart + notify: restart crowdsec + tags: cs + +- name: Set user account which runs the service + copy: + content: | + [Service] + User={{ cs_user }} + Group={{ cs_user }} + dest: /etc/systemd/system/crowdsec.service.d/user.conf + register: crodwsec_unit_user notify: restart crowdsec tags: cs - name: Reload systemd systemd: daemon_reload=True - when: crodwsec_unit.changed + when: crodwsec_unit_restart.changed or crodwsec_unit_user.changed tags: cs - name: Install pre and post backup hooks diff --git a/roles/crowdsec/tasks/main.yml b/roles/crowdsec/tasks/main.yml index 9575cea..23c1263 100644 
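Review bot: The `slurp` of `{{ cs_root_dir }}/meta/capi_user` and `capi_pass` registers the file contents, and the following `set_fact` turns the decoded password into a host fact, so the central API credentials show up in verbose output, in callback plugins and in any fact cache once `cacheable` is used; add `no_log: true` to both `Read the central API …` blocks. The same applies to the `Read the local API pass` block above this hunk, which this commit also touches. The registered `content` is only base64-encoded, not protected, so it must not be treated as masked.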
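Review bot: The new `user.conf` drop-in sets `Group={{ cs_user }}`, but the user.yml task added in this commit only creates the user; whether a same-named group exists depends on the distro's useradd defaults, and if it does not, the unit fails to start on the `Group=` line. Either create it explicitly (`group: name={{ cs_user }} system=True` before the user task, then `group={{ cs_user }}` on the user) or drop `Group=` and let systemd use the account's primary group. Since the point of `cs_user` is to run crowdsec unprivileged, the same drop-in is the natural place for `NoNewPrivileges=true`, assuming nothing crowdsec executes relies on setuid binaries. Note the drop-in is written even when `cs_user` is `root`, which is harmless but means every existing root install gets a restart on the first run after this change.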
--- a/roles/crowdsec/tasks/main.yml +++ b/roles/crowdsec/tasks/main.yml @@ -1,5 +1,6 @@ --- +- include: user.yml - include: directories.yml - include: facts.yml - include: install.yml diff --git a/roles/crowdsec/tasks/user.yml b/roles/crowdsec/tasks/user.yml new file mode 100644 index 0000000..bab2a0f --- /dev/null +++ b/roles/crowdsec/tasks/user.yml @@ -0,0 +1,6 @@ +--- + +- name: Create crowdsec user + user: name={{ cs_user }} system=True shell=/sbin/nologin + when: cs_user != 'root' + tags: cs diff --git a/roles/crowdsec/templates/config.yaml.j2 b/roles/crowdsec/templates/config.yaml.j2 index 246b6f6..c3112ea 100644 --- a/roles/crowdsec/templates/config.yaml.j2 +++ b/roles/crowdsec/templates/config.yaml.j2 @@ -7,7 +7,7 @@ common: config_paths: config_dir: /etc/crowdsec/ - data_dir: /var/lib/crowdsec/data/ + data_dir: {{ cs_root_dir }}/data/ simulation_path: /etc/crowdsec/simulation.yaml hub_dir: /etc/crowdsec/hub/ index_path: /etc/crowdsec/hub/.index.json @@ -34,7 +34,7 @@ db_config: host: {{ cs_db_server }} port: {{ cs_db_port }} {% else %} - db_path: /var/lib/crowdsec/data/crowdsec.db + db_path: {{ cs_root_dir }}/data/crowdsec.db {% endif %} flush: max_items: 100000 diff --git a/roles/crowdsec/templates/dev.yaml.j2 b/roles/crowdsec/templates/dev.yaml.j2 index abd5b45..db88c82 100644 --- a/roles/crowdsec/templates/dev.yaml.j2 +++ b/roles/crowdsec/templates/dev.yaml.j2 @@ -6,7 +6,7 @@ common: config_paths: config_dir: /etc/crowdsec/ - data_dir: /var/lib/crowdsec/data/ + data_dir: {{ cs_root_dir }}/data/ simulation_path: /etc/crowdsec/simulation.yaml hub_dir: /etc/crowdsec/hub/ index_path: /etc/crowdsec/hub/.index.json @@ -21,10 +21,10 @@ cscli: db_config: log_level: info - db_path: /var/lib/crowdsec/data/dev.db + db_path: {{ cs_root_dir }}/data/dev.db flush: - max_items: 100000 - max_age: 730d + max_items: 1000 + max_age: 30d api: client: diff --git a/roles/crowdsec/templates/post-backup.j2 b/roles/crowdsec/templates/post-backup.j2 index c90a5a1..8a75c62 100644 
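Review bot: The `user` module is called without `home=` or `create_home=`, so presumably a home directory under `/home` is created for an account that never logs in and that nothing in the role uses; `user: name={{ cs_user }} system=True shell=/sbin/nologin home={{ cs_root_dir }} create_home=False` keeps the account's home inside the directory the role already manages (confirm the behaviour of the distro's useradd for system accounts). The task is correctly gated on `cs_user != 'root'`, but a comment such as `# install.yml's systemd drop-in runs the service as this user and a group of the same name` would tell the next reader what depends on it.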
--- a/roles/crowdsec/templates/post-backup.j2 +++ b/roles/crowdsec/templates/post-backup.j2 @@ -1,3 +1,3 @@ #!/bin/bash -e -rm -f /home/lbkp/crowdsec/* +rm -f {{ cs_root_dir }}/backup/* diff --git a/roles/crowdsec/templates/pre-backup.j2 b/roles/crowdsec/templates/pre-backup.j2 index 58e9f7f..62a389c 100644 --- a/roles/crowdsec/templates/pre-backup.j2 +++ b/roles/crowdsec/templates/pre-backup.j2 @@ -1,6 +1,5 @@ #!/bin/bash -e -mkdir -p /home/lbkp/crowdsec/ {% if cs_lapi_enabled %} {% if cs_db_engine == 'mysql' %} /usr/bin/mysqldump \ @@ -11,8 +10,8 @@ mkdir -p /home/lbkp/crowdsec/ --port={{ cs_db_port | quote }} \ {% endif %} --quick --single-transaction \ - --add-drop-table {{ cs_db_name | quote }} | zstd -c > /home/lbkp/crowdsec/{{ cs_db_name }}.sql.zst + --add-drop-table {{ cs_db_name | quote }} | zstd -c > {{ cs_root_dir }}/backup/{{ cs_db_name }}.sql.zst {% else %} -sqlite3 /var/lib/crowdsec/data/crowdsec.db .dump | zstd -c > /home/lbkp/crowdsec/crowdsec.sql.zst +sqlite3 {{ cs_root_dir }}/data/crowdsec.db .dump | zstd -c > {{ cs_root_dir }}/backup/crowdsec.sql.zst {% endif %} {% endif %} diff --git a/roles/crowdsec/templates/profiles.yaml.j2 b/roles/crowdsec/templates/profiles.yaml.j2 index 3efa959..3f28bc6 100644 --- a/roles/crowdsec/templates/profiles.yaml.j2 +++ b/roles/crowdsec/templates/profiles.yaml.j2 
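Review bot: Both dumps are pipelines (`mysqldump … | zstd -c > …`, `sqlite3 … .dump | zstd -c > …`) under `#!/bin/bash -e`, and `-e` only sees the exit status of `zstd`, so a failing dump (bad credentials, locked database, missing binary) still leaves a small valid .zst file and the hook exits 0; add `set -o pipefail` on the line after the shebang. The `mkdir -p` removed in the earlier hunk is now the job of directories.yml, which creates `{{ cs_root_dir }}/backups` — with an s — while this hook and post-backup.j2 use `{{ cs_root_dir }}/backup/`, so as written the redirect fails on a missing directory; align the spelling in one place.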
@@ -1,3 +1,21 @@ +{% if cs_trusted_countries | length > 0 %} +name: trusted_countries_ip_remediation +filters: + - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.Source.Cn in ["{{ cs_trusted_countries | join('","') }}"] +decisions: + - type: ban + duration: {{ cs_ban_trusted_duration }} +on_success: break +--- +name: trusted_countries_range_remediation +filters: + - Alert.Remediation == true && Alert.GetScope() == "Range" && Alert.Source.Cn in ["{{ cs_trusted_countries | join('","') }}"] +decisions: + - type: ban + duration: {{ cs_ban_trusted_duration }} +on_success: break +--- +{% endif %} name: default_ip_remediation filters: - Alert.Remediation == true && Alert.GetScope() == "Ip" @@ -5,3 +23,11 @@ decisions: - type: ban duration: {{ cs_ban_duration }} on_success: break +--- +name: default_range_remediation +filters: + - Alert.Remediation == true && Alert.GetScope() == "Range" +decisions: + - type: ban + duration: {{ cs_ban_duration }} +on_success: break diff --git a/roles/g2cs/tasks/install.yml b/roles/g2cs/tasks/install.yml index 5245e92..8552d40 100644 --- a/roles/g2cs/tasks/install.yml +++ b/roles/g2cs/tasks/install.yml @@ -5,22 +5,22 @@ name: - perl-IO - perl-Getopt-Long - tags: g2cs + tags: cs - name: Install main script copy: src=g2cs.pl dest=/usr/local/bin/g2cs mode=755 - tags: g2cs + tags: cs - name: Deploy systemd unit template: src=g2cs.service.j2 dest=/etc/systemd/system/g2cs.service notify: restart g2cs register: g2cs_unit - tags: g2cs + tags: cs - name: Reload systemd systemd: daemon_reload=True when: g2cs_unit.changed - tags: g2cs + tags: cs - name: Deploy tmpfiles.d config copy: @@ -29,9 +29,9 @@ d /run/g2cs/logs 0700 g2cs g2cs - - dest: /etc/tmpfiles.d/g2cs.conf register: g2cs_tmpfiles - tags: g2cs + tags: cs - name: Create tmpfiles dir command: systemd-tmpfiles --create when: g2cs_tmpfiles.changed - tags: g2cs + tags: cs diff --git a/roles/g2cs/tasks/iptables.yml b/roles/g2cs/tasks/iptables.yml index 32a4676..cc3aa3f 100644 
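Review bot: `Alert.Source.Cn` is only populated when `crowdsecurity/geoip-enrich` runs, and nothing ties the two together: an operator who overrides `cs_parsers` without it keeps a syntactically valid profile that never matches, so every alert silently falls through to the 2h default; either extend the guard to `{% if cs_trusted_countries | length > 0 and 'crowdsecurity/geoip-enrich' in cs_parsers %}` or state the dependency in a comment next to the filter. Building the list with `join('","')` also assumes the codes contain no quote characters; `Alert.Source.Cn in {{ cs_trusted_countries | to_json }}` renders a well-formed expr list for any input. Keep in mind that country trust is coarse: any attacker hosted in a listed country, including a compromised box or a VPN exit there, gets the short ban, so the 15m-versus-2h split is a policy choice that should be documented with the defaults.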
--- a/roles/g2cs/tasks/iptables.yml +++ b/roles/g2cs/tasks/iptables.yml @@ -5,4 +5,4 @@ name: g2cs_port state: "{{ (g2cs_src_ip | length > 0) | ternary('present','absent') }}" rules: "-A INPUT -p udp --dport {{ g2cs_port }} -s {{ g2cs_src_ip | join(',') }} -j ACCEPT" - tags: firewall,g2cs + tags: firewall,cs diff --git a/roles/g2cs/tasks/main.yml b/roles/g2cs/tasks/main.yml index 472b41c..e656205 100644 --- a/roles/g2cs/tasks/main.yml +++ b/roles/g2cs/tasks/main.yml @@ -1,5 +1,6 @@ --- +- include: user.yml - include: install.yml - include: iptables.yml when: iptables_manage | default(True) diff --git a/roles/g2cs/tasks/service.yml b/roles/g2cs/tasks/service.yml index 2d2324d..731357e 100644 --- a/roles/g2cs/tasks/service.yml +++ b/roles/g2cs/tasks/service.yml @@ -2,4 +2,4 @@ - name: Start and enable the service service: name=g2cs state=started enabled=True - tags: g2cs + tags: cs diff --git a/roles/g2cs/tasks/user.yml b/roles/g2cs/tasks/user.yml new file mode 100644 index 0000000..9e80d69 --- /dev/null +++ b/roles/g2cs/tasks/user.yml @@ -0,0 +1,5 @@ +--- + +- name: Create g2cs user account + user: name=g2cs system=True shell=/sbin/nologin + tags: cs
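Review bot: The g2cs account is created before install.yml runs, which matters because the tmpfiles.d entry `d /run/g2cs/logs 0700 g2cs g2cs` (context in the install.yml hunk) names it, but nothing records that ordering constraint; add `# Must exist before install.yml: the tmpfiles.d config (and presumably the unit) reference this account` above the task. As with the crowdsec user, `create_home` is left at its default, so a `/home/g2cs` directory presumably gets created for an account that never logs in; `user: name=g2cs system=True shell=/sbin/nologin create_home=False` avoids that. The tag change from `g2cs` to `cs` across the rest of this role means `--tags g2cs` no longer selects these tasks, which deserves a line in the commit message.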