Update to 2021-03-02 09:00

master
Daniel Berteaud 4 years ago
parent 0d2cff0d96
commit 8d368437c5
  1. 43
      roles/crowdsec/defaults/main.yml
  2. 7
      roles/crowdsec/tasks/conf.yml
  3. 7
      roles/crowdsec/tasks/directories.yml
  4. 14
      roles/crowdsec/tasks/facts.yml
  5. 15
      roles/crowdsec/tasks/install.yml
  6. 1
      roles/crowdsec/tasks/main.yml
  7. 6
      roles/crowdsec/tasks/user.yml
  8. 4
      roles/crowdsec/templates/config.yaml.j2
  9. 8
      roles/crowdsec/templates/dev.yaml.j2
  10. 2
      roles/crowdsec/templates/post-backup.j2
  11. 5
      roles/crowdsec/templates/pre-backup.j2
  12. 26
      roles/crowdsec/templates/profiles.yaml.j2
  13. 12
      roles/g2cs/tasks/install.yml
  14. 2
      roles/g2cs/tasks/iptables.yml
  15. 1
      roles/g2cs/tasks/main.yml
  16. 2
      roles/g2cs/tasks/service.yml
  17. 5
      roles/g2cs/tasks/user.yml

@ -7,6 +7,14 @@ cs_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{
# Expected sha1 of the archive # Expected sha1 of the archive
cs_archive_sha1: 060782df0b6a8a799c1c0e6efc874b26ca9988e6 cs_archive_sha1: 060782df0b6a8a799c1c0e6efc874b26ca9988e6
# Crowdsec usually should run as root to be able to access all your logs
# but in some situations, when all your logs are readable by a less privileged user, you can run
# crowdsec as another user account, for better security
cs_user: root
# Directory where data will be stored
cs_root_dir: /opt/crowdsec
# Can be sqlite or mysql # Can be sqlite or mysql
cs_db_engine: sqlite cs_db_engine: sqlite
# This is for mysql backend # This is for mysql backend
@ -49,25 +57,30 @@ cs_prometheus_port: 6060
cs_prometheus_src_ip: [] cs_prometheus_src_ip: []
# Default duration of a ban # Default duration of a ban
cs_ban_duration: 15m cs_trusted_countries:
- FR
# Duration of bans for attacks from trusted countries
cs_ban_trusted_duration: 15m
# Default duration of a ban
cs_ban_duration: 2h
# List of parsers to install from the hub # List of parsers to install from the hub
cs_parsers: [] cs_parsers:
# - crowdsecurity/syslog-logs - crowdsecurity/syslog-logs
# - crowdsecurity/geoip-enrich - crowdsecurity/geoip-enrich
# - crowdsecurity/dateparse-enrich - crowdsecurity/dateparse-enrich
# - crowdsecurity/whitelists - crowdsecurity/whitelists
# - crowdsecurity/sshd-logs - crowdsecurity/sshd-logs
# - crowdsecurity/iptables-logs - crowdsecurity/iptables-logs
# List of scenarios to install from the hub # List of scenarios to install from the hub
cs_scenarios: [] cs_scenarios:
# - crowdsecurity/ban-defcon-drop_range - crowdsecurity/ban-defcon-drop_range
# - crowdsecurity/ssh-bf - crowdsecurity/ssh-bf
# List of postoverflows to install from the hub # List of postoverflows to install from the hub
cs_postoverflows: [] cs_postoverflows:
# - crowdsecurity/cdn-whitelist - crowdsecurity/cdn-whitelist
# - crowdsecurity/rdns - crowdsecurity/rdns
# - crowdsecurity/seo-bots-whitelist - crowdsecurity/seo-bots-whitelist
# If not set, crowdsec will look for yaml files in /etc/crowdsec/acquis/ # If not set, crowdsec will look for yaml files in /etc/crowdsec/acquis/
# The default will only read syslog using journalctl # The default will only read syslog using journalctl

@ -117,3 +117,10 @@
when: cs_install_mode == 'upgrade' when: cs_install_mode == 'upgrade'
notify: reload crowdsec notify: reload crowdsec
tags: cs tags: cs
- name: Set permissions on conf and data directories
file: path={{ item }} owner={{ cs_user }} group={{ cs_user }} recurse=True
loop:
- /etc/crowdsec
- "{{ cs_root_dir }}/data"
tags: cs

@ -5,9 +5,12 @@
loop: loop:
- dir: /etc/crowdsec - dir: /etc/crowdsec
mode: 755 mode: 755
- dir: /etc/crowdsec/meta - dir: "{{ cs_root_dir }}"
- dir: "{{ cs_root_dir }}/meta"
mode: 700 mode: 700
- dir: /home/lbkp/crowdsec - dir: "{{ cs_root_dir }}/backups"
mode: 700
- dir: "{{ cs_root_dir }}/data"
- dir: /etc/crowdsec/parsers/s00-raw - dir: /etc/crowdsec/parsers/s00-raw
- dir: /etc/crowdsec/parsers/s01-parse - dir: /etc/crowdsec/parsers/s01-parse
- dir: /etc/crowdsec/parsers/s02-enrich - dir: /etc/crowdsec/parsers/s02-enrich

@ -35,7 +35,7 @@
- block: - block:
- import_tasks: ../includes/get_rand_pass.yml - import_tasks: ../includes/get_rand_pass.yml
vars: vars:
- pass_file: "/etc/crowdsec/meta/ansible_db_pass" - pass_file: "{{ cs_root_dir }}/meta/ansible_db_pass"
- complex: False - complex: False
- set_fact: cs_db_pass={{ rand_pass }} - set_fact: cs_db_pass={{ rand_pass }}
when: when:
@ -45,13 +45,13 @@
# Check if local API credentials are available in the meta dir # Check if local API credentials are available in the meta dir
- name: Check local API credential files - name: Check local API credential files
stat: path=/etc/crowdsec/meta/lapi_pass stat: path={{ cs_root_dir }}/meta/lapi_pass
register: cs_lapi_pass_file register: cs_lapi_pass_file
tags: cs tags: cs
- name: Read the local API pass - name: Read the local API pass
block: block:
- slurp: src=/etc/crowdsec/meta/lapi_pass - slurp: src={{ cs_root_dir }}/meta/lapi_pass
register: cs_lapi_pass_meta register: cs_lapi_pass_meta
- set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }} - set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }}
when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists
@ -60,15 +60,15 @@
# Check if central API credentials are available in the meta dir # Check if central API credentials are available in the meta dir
- name: Check central API credential files - name: Check central API credential files
block: block:
- stat: path=/etc/crowdsec/meta/capi_user - stat: path={{ cs_root_dir }}/meta/capi_user
register: cs_capi_user_file register: cs_capi_user_file
- stat: path=/etc/crowdsec/meta/capi_pass - stat: path={{ cs_root_dir }}/meta/capi_pass
register: cs_capi_pass_file register: cs_capi_pass_file
tags: cs tags: cs
- name: Read the central API user - name: Read the central API user
block: block:
- slurp: src=/etc/crowdsec/meta/capi_user - slurp: src={{ cs_root_dir }}/meta/capi_user
register: cs_capi_user_meta register: cs_capi_user_meta
- set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }} - set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }}
when: cs_capi_user is not defined and cs_capi_user_file.stat.exists when: cs_capi_user is not defined and cs_capi_user_file.stat.exists
@ -76,7 +76,7 @@
- name: Read the central API pass - name: Read the central API pass
block: block:
- slurp: src=/etc/crowdsec/meta/capi_pass - slurp: src={{ cs_root_dir }}/meta/capi_pass
register: cs_capi_pass_meta register: cs_capi_pass_meta
- set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }} - set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }}
when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists

@ -37,13 +37,24 @@
StartLimitInterval=0 StartLimitInterval=0
RestartSec=30 RestartSec=30
dest: /etc/systemd/system/crowdsec.service.d/restart.conf dest: /etc/systemd/system/crowdsec.service.d/restart.conf
register: crodwsec_unit register: crodwsec_unit_restart
notify: restart crowdsec
tags: cs
- name: Set user account which runs the service
copy:
content: |
[Service]
User={{ cs_user }}
Group={{ cs_user }}
dest: /etc/systemd/system/crowdsec.service.d/user.conf
register: crodwsec_unit_user
notify: restart crowdsec notify: restart crowdsec
tags: cs tags: cs
- name: Reload systemd - name: Reload systemd
systemd: daemon_reload=True systemd: daemon_reload=True
when: crodwsec_unit.changed when: crodwsec_unit_restart.changed or crodwsec_unit_user.changed
tags: cs tags: cs
- name: Install pre and post backup hooks - name: Install pre and post backup hooks

@ -1,5 +1,6 @@
--- ---
- include: user.yml
- include: directories.yml - include: directories.yml
- include: facts.yml - include: facts.yml
- include: install.yml - include: install.yml

@ -0,0 +1,6 @@
---
- name: Create crowdsec user
user: name={{ cs_user }} system=True shell=/sbin/nologin
when: cs_user != 'root'
tags: cs

@ -7,7 +7,7 @@ common:
config_paths: config_paths:
config_dir: /etc/crowdsec/ config_dir: /etc/crowdsec/
data_dir: /var/lib/crowdsec/data/ data_dir: {{ cs_root_dir }}/data/
simulation_path: /etc/crowdsec/simulation.yaml simulation_path: /etc/crowdsec/simulation.yaml
hub_dir: /etc/crowdsec/hub/ hub_dir: /etc/crowdsec/hub/
index_path: /etc/crowdsec/hub/.index.json index_path: /etc/crowdsec/hub/.index.json
@ -34,7 +34,7 @@ db_config:
host: {{ cs_db_server }} host: {{ cs_db_server }}
port: {{ cs_db_port }} port: {{ cs_db_port }}
{% else %} {% else %}
db_path: /var/lib/crowdsec/data/crowdsec.db db_path: {{ cs_root_dir }}/data/crowdsec.db
{% endif %} {% endif %}
flush: flush:
max_items: 100000 max_items: 100000

@ -6,7 +6,7 @@ common:
config_paths: config_paths:
config_dir: /etc/crowdsec/ config_dir: /etc/crowdsec/
data_dir: /var/lib/crowdsec/data/ data_dir: {{ cs_root_dir }}/data/
simulation_path: /etc/crowdsec/simulation.yaml simulation_path: /etc/crowdsec/simulation.yaml
hub_dir: /etc/crowdsec/hub/ hub_dir: /etc/crowdsec/hub/
index_path: /etc/crowdsec/hub/.index.json index_path: /etc/crowdsec/hub/.index.json
@ -21,10 +21,10 @@ cscli:
db_config: db_config:
log_level: info log_level: info
db_path: /var/lib/crowdsec/data/dev.db db_path: {{ cs_root_dir }}/data/dev.db
flush: flush:
max_items: 100000 max_items: 1000
max_age: 730d max_age: 30d
api: api:
client: client:

@ -1,3 +1,3 @@
#!/bin/bash -e #!/bin/bash -e
rm -f /home/lbkp/crowdsec/* rm -f {{ cs_root_dir }}/backup/*

@ -1,6 +1,5 @@
#!/bin/bash -e #!/bin/bash -e
mkdir -p /home/lbkp/crowdsec/
{% if cs_lapi_enabled %} {% if cs_lapi_enabled %}
{% if cs_db_engine == 'mysql' %} {% if cs_db_engine == 'mysql' %}
/usr/bin/mysqldump \ /usr/bin/mysqldump \
@ -11,8 +10,8 @@ mkdir -p /home/lbkp/crowdsec/
--port={{ cs_db_port | quote }} \ --port={{ cs_db_port | quote }} \
{% endif %} {% endif %}
--quick --single-transaction \ --quick --single-transaction \
--add-drop-table {{ cs_db_name | quote }} | zstd -c > /home/lbkp/crowdsec/{{ cs_db_name }}.sql.zst --add-drop-table {{ cs_db_name | quote }} | zstd -c > {{ cs_root_dir }}/backup/{{ cs_db_name }}.sql.zst
{% else %} {% else %}
sqlite3 /var/lib/crowdsec/data/crowdsec.db .dump | zstd -c > /home/lbkp/crowdsec/crowdsec.sql.zst sqlite3 {{ cs_root_dir }}/data/crowdsec.db .dump | zstd -c > {{ cs_root_dir }}/backup/crowdsec.sql.zst
{% endif %} {% endif %}
{% endif %} {% endif %}

@ -1,3 +1,21 @@
{% if cs_trusted_countries | length > 0 %}
name: trusted_countries_ip_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.Source.Cn in ["{{ cs_trusted_countries | join('","') }}"]
decisions:
- type: ban
duration: {{ cs_ban_trusted_duration }}
on_success: break
---
name: trusted_countries_range_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Range" && Alert.Source.Cn in ["{{ cs_trusted_countries | join('","') }}"]
decisions:
- type: ban
duration: {{ cs_ban_trusted_duration }}
on_success: break
---
{% endif %}
name: default_ip_remediation name: default_ip_remediation
filters: filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip" - Alert.Remediation == true && Alert.GetScope() == "Ip"
@ -5,3 +23,11 @@ decisions:
- type: ban - type: ban
duration: {{ cs_ban_duration }} duration: {{ cs_ban_duration }}
on_success: break on_success: break
---
name: default_range_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
- type: ban
duration: {{ cs_ban_duration }}
on_success: break

@ -5,22 +5,22 @@
name: name:
- perl-IO - perl-IO
- perl-Getopt-Long - perl-Getopt-Long
tags: g2cs tags: cs
- name: Install main script - name: Install main script
copy: src=g2cs.pl dest=/usr/local/bin/g2cs mode=755 copy: src=g2cs.pl dest=/usr/local/bin/g2cs mode=755
tags: g2cs tags: cs
- name: Deploy systemd unit - name: Deploy systemd unit
template: src=g2cs.service.j2 dest=/etc/systemd/system/g2cs.service template: src=g2cs.service.j2 dest=/etc/systemd/system/g2cs.service
notify: restart g2cs notify: restart g2cs
register: g2cs_unit register: g2cs_unit
tags: g2cs tags: cs
- name: Reload systemd - name: Reload systemd
systemd: daemon_reload=True systemd: daemon_reload=True
when: g2cs_unit.changed when: g2cs_unit.changed
tags: g2cs tags: cs
- name: Deploy tmpfiles.d config - name: Deploy tmpfiles.d config
copy: copy:
@ -29,9 +29,9 @@
d /run/g2cs/logs 0700 g2cs g2cs - - d /run/g2cs/logs 0700 g2cs g2cs - -
dest: /etc/tmpfiles.d/g2cs.conf dest: /etc/tmpfiles.d/g2cs.conf
register: g2cs_tmpfiles register: g2cs_tmpfiles
tags: g2cs tags: cs
- name: Create tmpfiles dir - name: Create tmpfiles dir
command: systemd-tmpfiles --create command: systemd-tmpfiles --create
when: g2cs_tmpfiles.changed when: g2cs_tmpfiles.changed
tags: g2cs tags: cs

@ -5,4 +5,4 @@
name: g2cs_port name: g2cs_port
state: "{{ (g2cs_src_ip | length > 0) | ternary('present','absent') }}" state: "{{ (g2cs_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -p udp --dport {{ g2cs_port }} -s {{ g2cs_src_ip | join(',') }} -j ACCEPT" rules: "-A INPUT -p udp --dport {{ g2cs_port }} -s {{ g2cs_src_ip | join(',') }} -j ACCEPT"
tags: firewall,g2cs tags: firewall,cs

@ -1,5 +1,6 @@
--- ---
- include: user.yml
- include: install.yml - include: install.yml
- include: iptables.yml - include: iptables.yml
when: iptables_manage | default(True) when: iptables_manage | default(True)

@ -2,4 +2,4 @@
- name: Start and enable the service - name: Start and enable the service
service: name=g2cs state=started enabled=True service: name=g2cs state=started enabled=True
tags: g2cs tags: cs

@ -0,0 +1,5 @@
---
- name: Create g2cs user account
user: name=g2cs system=True shell=/sbin/nologin
tags: cs
Loading…
Cancel
Save