Update to 2021-03-04 10:00

3 years ago · cf4e8273d1
parent 3b32e1147c
commit cf4e8273d1
16 changed files with 256 additions and 15 deletions
--- a/roles/crowdsec/tasks/conf.yml
+++ b/roles/crowdsec/tasks/conf.yml
@ -31,7 +31,7 @@
      register: cs_lapi_credentials
      delegate_to: "{{ cs_lapi_server }}"
    - set_fact: cs_lapi_credentials_yaml={{ cs_lapi_credentials.stdout | from_yaml }}
-    - copy: content={{ cs_lapi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/lapi_pass mode=600
+    - copy: content={{ cs_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600
    - set_fact: cs_lapi_pass={{ cs_lapi_credentials_yaml.password }}
  tags: cs

@ -44,8 +44,8 @@
      command: cscli capi register -o raw -f /dev/stdout
      register: cs_capi_credentials
    - set_fact: cs_capi_credentials_yaml={{ cs_capi_credentials.stdout | from_yaml }}
-    - copy: content={{ cs_capi_credentials_yaml.login }} dest={{ cs_root_dir }}/meta/capi_user mode=600
-    - copy: content={{ cs_capi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/capi_pass mode=600
+    - copy: content={{ cs_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600
+    - copy: content={{ cs_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600
    - set_fact: cs_capi_user={{ cs_capi_credentials_yaml.login }}
    - set_fact: cs_capi_pass={{ cs_capi_credentials_yaml.password }}
  tags: cs
--- a/roles/crowdsec/tasks/directories.yml
+++ b/roles/crowdsec/tasks/directories.yml
@ -6,8 +6,6 @@
    - dir: /etc/crowdsec
      mode: 755
    - dir: "{{ cs_root_dir }}"
-    - dir: "{{ cs_root_dir }}/meta"
-      mode: 700
    - dir: "{{ cs_root_dir }}/backup"
      mode: 700
    - dir: "{{ cs_root_dir }}/data"
@ -18,4 +16,6 @@
    - dir: /etc/crowdsec/postoverflows/s00-enrich
    - dir: /etc/crowdsec/postoverflows/s01-whitelist
    - dir: /etc/crowdsec/acquis
+    - dir: /etc/crowdsec/meta
+      mode: 700
  tags: cs
--- a/roles/crowdsec/tasks/facts.yml
+++ b/roles/crowdsec/tasks/facts.yml
@ -35,7 +35,7 @@
 - block:
    - import_tasks: ../includes/get_rand_pass.yml
      vars:
-        - pass_file: "{{ cs_root_dir }}/meta/ansible_db_pass"
+        - pass_file: "/etc/crowdsec/meta/ansible_db_pass"
        - complex: False
    - set_fact: cs_db_pass={{ rand_pass }}
  when:
@ -45,13 +45,13 @@

 # Check if local API credentials are available in the meta dir
 - name: Check local API credential files
-  stat: path={{ cs_root_dir }}/meta/lapi_pass
+  stat: path=/etc/crowdsec/meta/lapi_pass
  register: cs_lapi_pass_file
  tags: cs

 - name: Read the local API pass
  block:
-    - slurp: src={{ cs_root_dir }}/meta/lapi_pass
+    - slurp: src=/etc/crowdsec/meta/lapi_pass
      register: cs_lapi_pass_meta
    - set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }}
  when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists
@ -60,15 +60,15 @@
 # Check if central API credentials are available in the meta dir
 - name: Check central API credential files
  block: 
-    - stat: path={{ cs_root_dir }}/meta/capi_user
+    - stat: path=/etc/crowdsec/meta/capi_user
      register: cs_capi_user_file
-    - stat: path={{ cs_root_dir }}/meta/capi_pass
+    - stat: path=/etc/crowdsec/meta/capi_pass
      register: cs_capi_pass_file
  tags: cs

 - name: Read the central API user
  block:
-    - slurp: src={{ cs_root_dir }}/meta/capi_user
+    - slurp: src=/etc/crowdsec/meta/capi_user
      register: cs_capi_user_meta
    - set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }}
  when: cs_capi_user is not defined and cs_capi_user_file.stat.exists
@ -76,7 +76,7 @@

 - name: Read the central API pass
  block:
-    - slurp: src={{ cs_root_dir }}/meta/capi_pass
+    - slurp: src=/etc/crowdsec/meta/capi_pass
      register: cs_capi_pass_meta
    - set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }}
  when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists
--- a/roles/crowdsec_firewall_bouncer/defaults/main.yml
+++ b/roles/crowdsec_firewall_bouncer/defaults/main.yml
@ -0,0 +1,15 @@
+---
+
+# Version of the firewall bouncer to install
+cs_fw_version: 0.0.10
+# URL of the firewall bouncer archive
+cs_fw_archive_url: https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v{{ cs_fw_version }}/cs-firewall-bouncer.tgz
+# Expected sha1 of the archive
+cs_fw_archive_sha1: 46863e95bdc8f48434583f55e89b7720fce5736d
+
+# API on which the bouncer should listen for alerts
+cs_fw_lapi_url: "{{ cs_lapi_url | default('http://localhost:8080/') }}"
+# If not defined, ansible will try to register the bouncer on the Local API server
+# cs_lapi_server must be defined in this case
+# cs_fw_lapi_key: aaabbbccc
+
--- a/roles/crowdsec_firewall_bouncer/handlers/main.yml
+++ b/roles/crowdsec_firewall_bouncer/handlers/main.yml
@ -0,0 +1,4 @@
+---
+
+- name: restart cs-firewall-bouncer
+  service: name=cs-firewall-bouncer state=restarted
--- a/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
@ -0,0 +1,8 @@
+---
+
+- name: Remove temp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - /tmp/cs-firewall-bouncer.tgz
+    - /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
+  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/conf.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/conf.yml
@ -0,0 +1,6 @@
+---
+
+- name: Deploy configuration
+  template: src=cs-firewall-bouncer.yaml.j2 dest=/etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml mode=600
+  notify: restart cs-firewall-bouncer
+  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/directories.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/directories.yml
@ -0,0 +1,9 @@
+---
+
+- name: Create needed directories
+  file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /etc/crowdsec/cs-firewall-bouncer
+    - dir: /etc/crowdsec/meta
+      mode: 700
+  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/facts.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/facts.yml
@ -0,0 +1,72 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: cs
+
+- name: Check if API key is available
+  stat: path=/etc/crowdsec/meta/bouncer_fw_api_key
+  register: cs_fw_lapi_key_file
+  tags: cs
+
+- when: cs_fw_lapi_key is not defined and (not cs_fw_lapi_key_file.stat.exists or cs_fw_lapi_key_file.stat.size == 0)
+  block:
+    - name: Register the bouncer
+      shell: |
+        cscli bouncers list -o raw | grep -q -P '^{{ inventory_hostname }}-firewall' && cscli bouncers delete {{ inventory_hostname }}-firewall
+        cscli bouncers add {{ inventory_hostname }}-firewall -o raw
+      register: cs_bouncer_add
+      failed_when: cs_bouncer_add.rc not in [0,1]
+      changed_when: cs_bouncer_add.rc == 0
+      delegate_to: "{{ cs_lapi_server | default(inventory_hostname) }}"
+
+    - name: Record the API key for later use
+      copy: content={{ cs_bouncer_add.stdout }} dest=/etc/crowdsec/meta/bouncer_fw_api_key mode=600
+
+  tags: cs
+
+- when: cs_fw_lapi_key is not defined
+  block:
+    - name: Read the API key
+      slurp: src=/etc/crowdsec/meta/bouncer_fw_api_key
+      register: cs_fw_lapi_generated_key
+    - set_fact: cs_fw_lapi_key={{ cs_fw_lapi_generated_key.content | b64decode | trim }}
+  tags: cs
+
+- name: Set initial facts
+  block:
+    - set_fact: cs_fw_current_version=''
+    - set_fact: cs_fw_install_mode='none'
+  tags: cs
+
+- name: Check if the bouncer is installed
+  stat: path=/usr/local/bin/cs-firewall-bouncer
+  register: cs_fw_bin
+  tags: cs
+
+- when: cs_fw_bin.stat.exists
+  block:
+    - name: Detect installed version
+      shell: |
+        cs-firewall-bouncer -c /dev/null 2>&1 | perl -ne 'm/cs-firewall-bouncer v(\d+(\.\d+)*)/ && print $1'
+      register: cs_fw_current_version
+      changed_when: False
+
+    - set_fact: cs_fw_current_version={{ cs_fw_current_version.stdout }}
+  tags: cs
+
+- name: Set install mode
+  set_fact: cs_fw_install_mode='install'
+  when: not cs_fw_bin.stat.exists
+  tags: cs
+
+- name: Set upgrade mode
+  set_fact: cs_fw_install_mode='upgrade'
+  when:
+    - cs_fw_bin.stat.exists
+    - cs_fw_current_version != cs_fw_version
+  tags: cs
+
--- a/roles/crowdsec_firewall_bouncer/tasks/install.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/install.yml
@ -0,0 +1,70 @@
+---
+
+- name: Install needed tools
+  package:
+    name:
+      - ipset
+  tags: cs
+
+- when: cs_fw_install_mode != 'none'
+  block:
+
+    - name: Download the bouncer
+      get_url:
+        url: "{{ cs_fw_archive_url }}"
+        dest: /tmp
+        checksum: sha1:{{ cs_fw_archive_sha1 }}
+
+    - name: Extract the archive
+      unarchive:
+        src: /tmp/cs-firewall-bouncer.tgz
+        dest: /tmp
+        remote_src: True
+
+    - name: Install or upgrade
+      command: ./{{ cs_fw_install_mode }}.sh
+      args:
+        chdir: /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
+      notify: restart cs-firewall-bouncer
+
+  tags: cs
+
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/cs-firewall-bouncer.service.d state=directory
+  tags: cs
+
+- name: Create iptables snippet dir
+  file: path=/etc/systemd/system/{{ cs_iptables_service }}.service.d state=directory
+  tags: cs
+
+- name: Create ipsets before iptables starts
+  copy:
+    content: |
+      [Service]
+      ExecStartPre=/usr/sbin/ipset -exist create crowdsec-blacklists nethash timeout 300
+      ExecStartPre=/usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6
+    dest: /etc/systemd/system/{{ cs_iptables_service }}.service.d/cs-ipset.conf
+  register: cs_iptable_unit
+  tags: cs
+
+- name: Tune cs-firewall-bouncer service
+  copy:
+    content: |
+      [Unit]
+      # The bouncer should start after crowdsec to be able to register on the API
+      After=crowdsec.service
+
+      [Service]
+      # Restart on failure
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=30
+    dest: /etc/systemd/system/cs-firewall-bouncer.service.d/ansible.conf
+  register: crodwsec_fw_unit
+  notify: restart cs-firewall-bouncer
+  tags: cs
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: crodwsec_fw_unit.changed or cs_iptable_unit.changed
+  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/iptables.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/iptables.yml
@ -0,0 +1,17 @@
+---
+
+- name: Ensure ipsets exist
+  shell: |
+    ipset list crowdsec-blacklists || ipset create crowdsec-blacklists nethash timeout 300
+    ipset list crowdsec6-blacklists || ipset create crowdsec6-blacklists nethash timeout 300 family inet6
+  changed_when: False
+  tags: cs
+
+- name: Add DROP rules
+  iptables_raw:
+    name: cs_blacklist
+    weight: 9
+    rules: |
+      -A INPUT -m set --match-set crowdsec-blacklists src -j DROP
+      -A FORWARD -m set --match-set crowdsec-blacklists src -j DROP
+  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/main.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/main.yml
@ -0,0 +1,10 @@
+---
+
+- include: directories.yml
+- include: facts.yml
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+- include: cleanup.yml
--- a/roles/crowdsec_firewall_bouncer/tasks/services.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/services.yml
@ -0,0 +1,5 @@
+---
+
+- name: Start and enable the service
+  service: name=cs-firewall-bouncer state=started enabled=True
+  tags: cs
--- a/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2
+++ b/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2
@ -0,0 +1,12 @@
+---
+
+mode: iptables
+piddir: /var/run/
+update_frequency: 10s
+daemonize: true
+log_mode: stdout
+log_level: info
+api_url: {{ (cs_fw_lapi_url is search('/$')) | ternary(cs_fw_lapi_url,cs_fw_lapi_url ~ '/') }}
+api_key: {{ cs_fw_lapi_key }}
+disable_ipv6: false
+
--- a/roles/g2cs/files/g2cs.pl
+++ b/roles/g2cs/files/g2cs.pl
@ -38,13 +38,25 @@ my @ignored_syslog_id = qw(
  sudo
  zed
  zimbramon
+  systemd
+  systemd-logind
+  CROND
+  ttrss_1
+  turnserver
+  syncoid
+  influxd
 );
 # List of log files we're not interested in
 my @ignored_log_files = qw(
  /var/log/audit/audit.log
  /var/log/squid/cache.log
+  /var/log/squid/access.log
  /var/log/ufdbGuard/ufdbguardd.log
  /opt/zimbra/log/gc.log
+  /var/log/samba/json/auth.log
+  /var/log/samba/json/dsdb.log
+  /var/log/samba/json/dsdb_password.log
+  /var/log/samba/json/dsdb_transaction.log
 );

 print "Start listening on UDP port $port\n";
@ -111,12 +123,12 @@ while (1) {
    if ($fields->{log_file_path} eq '/var/log/pveproxy/access.log'){
      $logfile = $logdir . '/pveproxy/access.log';
      $msg = $fields->{msg};
-    } elsif ($fields->{log_file_path} eq '/var/log/squid/access.log'){
-      $logfile = $logdir . '/squid/access.log';
-      $msg = $fields->{msg};
    } elsif ($fields->{log_file_path} eq '/opt/zimbra/log/nginx.access.log'){
      $logfile = $logdir . '/nginx/access.log';
      $msg = $fields->{msg};
+    } elsif ($fields->{log_file_path} eq '/opt/zimbra/log/mailbox.log'){
+      $logfile = $logdir . '/zimbra/mailbox.log';
+      $msg = $fields->{msg};
    }
  } elsif (defined $fields->{application_name}){
    if ($fields->{application_name} eq 'nginx'){
--- a/roles/g2cs/tasks/install.yml
+++ b/roles/g2cs/tasks/install.yml
@ -9,6 +9,7 @@

 - name: Install main script
  copy: src=g2cs.pl dest=/usr/local/bin/g2cs mode=755
+  notify: restart g2cs
  tags: cs

 - name: Deploy systemd unit