From cf4e8273d1b553e1b7fded0e007dafb5c0369b60 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud <daniel@firewall-services.com>
Date: Thu, 4 Mar 2021 10:00:09 +0100
Subject: [PATCH] Update to 2021-03-04 10:00

---
 roles/crowdsec/tasks/conf.yml                      |  6 +-
 roles/crowdsec/tasks/directories.yml               |  4 +-
 roles/crowdsec/tasks/facts.yml                     | 14 ++---
 roles/crowdsec_firewall_bouncer/defaults/main.yml  | 15 +++++
 roles/crowdsec_firewall_bouncer/handlers/main.yml  |  4 ++
 roles/crowdsec_firewall_bouncer/tasks/cleanup.yml  |  8 +++
 roles/crowdsec_firewall_bouncer/tasks/conf.yml     |  6 ++
 .../tasks/directories.yml                          |  9 +++
 roles/crowdsec_firewall_bouncer/tasks/facts.yml    | 72 ++++++++++++++++++++++
 roles/crowdsec_firewall_bouncer/tasks/install.yml  | 70 +++++++++++++++++++++
 roles/crowdsec_firewall_bouncer/tasks/iptables.yml | 17 +++++
 roles/crowdsec_firewall_bouncer/tasks/main.yml     | 10 +++
 roles/crowdsec_firewall_bouncer/tasks/services.yml |  5 ++
 .../templates/cs-firewall-bouncer.yaml.j2          | 12 ++++
 roles/g2cs/files/g2cs.pl                           | 18 +++++-
 roles/g2cs/tasks/install.yml                       |  1 +
 16 files changed, 256 insertions(+), 15 deletions(-)
 create mode 100644 roles/crowdsec_firewall_bouncer/defaults/main.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/handlers/main.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/tasks/conf.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/tasks/directories.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/tasks/facts.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/tasks/install.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/tasks/iptables.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/tasks/main.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/tasks/services.yml
 create mode 100644 roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2

diff --git a/roles/crowdsec/tasks/conf.yml b/roles/crowdsec/tasks/conf.yml
index d818049..c87fadb 100644
--- a/roles/crowdsec/tasks/conf.yml
+++ b/roles/crowdsec/tasks/conf.yml
@@ -31,7 +31,7 @@
       register: cs_lapi_credentials
       delegate_to: "{{ cs_lapi_server }}"
     - set_fact: cs_lapi_credentials_yaml={{ cs_lapi_credentials.stdout | from_yaml }}
-    - copy: content={{ cs_lapi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/lapi_pass mode=600
+    - copy: content={{ cs_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600
     - set_fact: cs_lapi_pass={{ cs_lapi_credentials_yaml.password }}
   tags: cs
 
@@ -44,8 +44,8 @@
       command: cscli capi register -o raw -f /dev/stdout
       register: cs_capi_credentials
     - set_fact: cs_capi_credentials_yaml={{ cs_capi_credentials.stdout | from_yaml }}
-    - copy: content={{ cs_capi_credentials_yaml.login }} dest={{ cs_root_dir }}/meta/capi_user mode=600
-    - copy: content={{ cs_capi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/capi_pass mode=600
+    - copy: content={{ cs_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600
+    - copy: content={{ cs_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600
     - set_fact: cs_capi_user={{ cs_capi_credentials_yaml.login }}
     - set_fact: cs_capi_pass={{ cs_capi_credentials_yaml.password }}
   tags: cs
diff --git a/roles/crowdsec/tasks/directories.yml b/roles/crowdsec/tasks/directories.yml
index 5184210..2c3bbbd 100644
--- a/roles/crowdsec/tasks/directories.yml
+++ b/roles/crowdsec/tasks/directories.yml
@@ -6,8 +6,6 @@
     - dir: /etc/crowdsec
       mode: 755
     - dir: "{{ cs_root_dir }}"
-    - dir: "{{ cs_root_dir }}/meta"
-      mode: 700
     - dir: "{{ cs_root_dir }}/backup"
       mode: 700
     - dir: "{{ cs_root_dir }}/data"
@@ -18,4 +16,6 @@
     - dir: /etc/crowdsec/postoverflows/s00-enrich
     - dir: /etc/crowdsec/postoverflows/s01-whitelist
     - dir: /etc/crowdsec/acquis
+    - dir: /etc/crowdsec/meta
+      mode: 700
   tags: cs
diff --git a/roles/crowdsec/tasks/facts.yml b/roles/crowdsec/tasks/facts.yml
index a20a091..119ee78 100644
--- a/roles/crowdsec/tasks/facts.yml
+++ b/roles/crowdsec/tasks/facts.yml
@@ -35,7 +35,7 @@
 - block:
     - import_tasks: ../includes/get_rand_pass.yml
       vars:
-        - pass_file: "{{ cs_root_dir }}/meta/ansible_db_pass"
+        - pass_file: "/etc/crowdsec/meta/ansible_db_pass"
         - complex: False
     - set_fact: cs_db_pass={{ rand_pass }}
   when:
@@ -45,13 +45,13 @@
 
 # Check if local API credentials are available in the meta dir
 - name: Check local API credential files
-  stat: path={{ cs_root_dir }}/meta/lapi_pass
+  stat: path=/etc/crowdsec/meta/lapi_pass
   register: cs_lapi_pass_file
   tags: cs
 
 - name: Read the local API pass
   block:
-    - slurp: src={{ cs_root_dir }}/meta/lapi_pass
+    - slurp: src=/etc/crowdsec/meta/lapi_pass
       register: cs_lapi_pass_meta
     - set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }}
   when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists
@@ -60,15 +60,15 @@
 # Check if central API credentials are available in the meta dir
 - name: Check central API credential files
   block: 
-    - stat: path={{ cs_root_dir }}/meta/capi_user
+    - stat: path=/etc/crowdsec/meta/capi_user
       register: cs_capi_user_file
-    - stat: path={{ cs_root_dir }}/meta/capi_pass
+    - stat: path=/etc/crowdsec/meta/capi_pass
       register: cs_capi_pass_file
   tags: cs
 
 - name: Read the central API user
   block:
-    - slurp: src={{ cs_root_dir }}/meta/capi_user
+    - slurp: src=/etc/crowdsec/meta/capi_user
       register: cs_capi_user_meta
     - set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }}
   when: cs_capi_user is not defined and cs_capi_user_file.stat.exists
@@ -76,7 +76,7 @@
 
 - name: Read the central API pass
   block:
-    - slurp: src={{ cs_root_dir }}/meta/capi_pass
+    - slurp: src=/etc/crowdsec/meta/capi_pass
       register: cs_capi_pass_meta
     - set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }}
   when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists
diff --git a/roles/crowdsec_firewall_bouncer/defaults/main.yml b/roles/crowdsec_firewall_bouncer/defaults/main.yml
new file mode 100644
index 0000000..d8d5c91
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+
+# Version of the firewall bouncer to install
+cs_fw_version: 0.0.10
+# URL of the firewall bouncer archive
+cs_fw_archive_url: https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v{{ cs_fw_version }}/cs-firewall-bouncer.tgz
+# Expected sha1 of the archive
+cs_fw_archive_sha1: 46863e95bdc8f48434583f55e89b7720fce5736d
+
+# API on which the bouncer should listen for alerts
+cs_fw_lapi_url: "{{ cs_lapi_url | default('http://localhost:8080/') }}"
+# If not defined, ansible will try to register the bouncer on the Local API server
+# cs_lapi_server must be defined in this case
+# cs_fw_lapi_key: aaabbbccc
+
diff --git a/roles/crowdsec_firewall_bouncer/handlers/main.yml b/roles/crowdsec_firewall_bouncer/handlers/main.yml
new file mode 100644
index 0000000..c8c6d1e
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart cs-firewall-bouncer
+  service: name=cs-firewall-bouncer state=restarted
diff --git a/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml b/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
new file mode 100644
index 0000000..59e3129
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Remove temp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - /tmp/cs-firewall-bouncer.tgz
+    - /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
+  tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/tasks/conf.yml b/roles/crowdsec_firewall_bouncer/tasks/conf.yml
new file mode 100644
index 0000000..b1485ec
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/conf.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Deploy configuration
+  template: src=cs-firewall-bouncer.yaml.j2 dest=/etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml mode=600
+  notify: restart cs-firewall-bouncer
+  tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/tasks/directories.yml b/roles/crowdsec_firewall_bouncer/tasks/directories.yml
new file mode 100644
index 0000000..36ba46e
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/directories.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create needed directories
+  file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /etc/crowdsec/cs-firewall-bouncer
+    - dir: /etc/crowdsec/meta
+      mode: 700
+  tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/tasks/facts.yml b/roles/crowdsec_firewall_bouncer/tasks/facts.yml
new file mode 100644
index 0000000..d9e19c0
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/facts.yml
@@ -0,0 +1,72 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: cs
+
+- name: Check if API key is available
+  stat: path=/etc/crowdsec/meta/bouncer_fw_api_key
+  register: cs_fw_lapi_key_file
+  tags: cs
+
+- when: cs_fw_lapi_key is not defined and (not cs_fw_lapi_key_file.stat.exists or cs_fw_lapi_key_file.stat.size == 0)
+  block:
+    - name: Register the bouncer
+      shell: |
+        cscli bouncers list -o raw | grep -q -P '^{{ inventory_hostname }}-firewall' && cscli bouncers delete {{ inventory_hostname }}-firewall
+        cscli bouncers add {{ inventory_hostname }}-firewall -o raw
+      register: cs_bouncer_add
+      failed_when: cs_bouncer_add.rc not in [0,1]
+      changed_when: cs_bouncer_add.rc == 0
+      delegate_to: "{{ cs_lapi_server | default(inventory_hostname) }}"
+
+    - name: Record the API key for later use
+      copy: content={{ cs_bouncer_add.stdout }} dest=/etc/crowdsec/meta/bouncer_fw_api_key mode=600
+
+  tags: cs
+
+- when: cs_fw_lapi_key is not defined
+  block:
+    - name: Read the API key
+      slurp: src=/etc/crowdsec/meta/bouncer_fw_api_key
+      register: cs_fw_lapi_generated_key
+    - set_fact: cs_fw_lapi_key={{ cs_fw_lapi_generated_key.content | b64decode | trim }}
+  tags: cs
+
+- name: Set initial facts
+  block:
+    - set_fact: cs_fw_current_version=''
+    - set_fact: cs_fw_install_mode='none'
+  tags: cs
+
+- name: Check if the bouncer is installed
+  stat: path=/usr/local/bin/cs-firewall-bouncer
+  register: cs_fw_bin
+  tags: cs
+
+- when: cs_fw_bin.stat.exists
+  block:
+    - name: Detect installed version
+      shell: |
+        cs-firewall-bouncer -c /dev/null 2>&1 | perl -ne 'm/cs-firewall-bouncer v(\d+(\.\d+)*)/ && print $1'
+      register: cs_fw_current_version
+      changed_when: False
+
+    - set_fact: cs_fw_current_version={{ cs_fw_current_version.stdout }}
+  tags: cs
+
+- name: Set install mode
+  set_fact: cs_fw_install_mode='install'
+  when: not cs_fw_bin.stat.exists
+  tags: cs
+
+- name: Set upgrade mode
+  set_fact: cs_fw_install_mode='upgrade'
+  when:
+    - cs_fw_bin.stat.exists
+    - cs_fw_current_version != cs_fw_version
+  tags: cs
+
diff --git a/roles/crowdsec_firewall_bouncer/tasks/install.yml b/roles/crowdsec_firewall_bouncer/tasks/install.yml
new file mode 100644
index 0000000..b9c2ee1
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/install.yml
@@ -0,0 +1,70 @@
+---
+
+- name: Install needed tools
+  package:
+    name:
+      - ipset
+  tags: cs
+
+- when: cs_fw_install_mode != 'none'
+  block:
+
+    - name: Download the bouncer
+      get_url:
+        url: "{{ cs_fw_archive_url }}"
+        dest: /tmp
+        checksum: sha1:{{ cs_fw_archive_sha1 }}
+
+    - name: Extract the archive
+      unarchive:
+        src: /tmp/cs-firewall-bouncer.tgz
+        dest: /tmp
+        remote_src: True
+
+    - name: Install or upgrade
+      command: ./{{ cs_fw_install_mode }}.sh
+      args:
+        chdir: /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
+      notify: restart cs-firewall-bouncer
+
+  tags: cs
+
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/cs-firewall-bouncer.service.d state=directory
+  tags: cs
+
+- name: Create iptables snippet dir
+  file: path=/etc/systemd/system/{{ cs_iptables_service }}.service.d state=directory
+  tags: cs
+
+- name: Create ipsets before iptables starts
+  copy:
+    content: |
+      [Service]
+      ExecStartPre=/usr/sbin/ipset -exist create crowdsec-blacklists nethash timeout 300
+      ExecStartPre=/usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6
+    dest: /etc/systemd/system/{{ cs_iptables_service }}.service.d/cs-ipset.conf
+  register: cs_iptable_unit
+  tags: cs
+
+- name: Tune cs-firewall-bouncer service
+  copy:
+    content: |
+      [Unit]
+      # The bouncer should start after crowdsec to be able to register on the API
+      After=crowdsec.service
+
+      [Service]
+      # Restart on failure
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=30
+    dest: /etc/systemd/system/cs-firewall-bouncer.service.d/ansible.conf
+  register: crodwsec_fw_unit
+  notify: restart cs-firewall-bouncer
+  tags: cs
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: crodwsec_fw_unit.changed or cs_iptable_unit.changed
+  tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/tasks/iptables.yml b/roles/crowdsec_firewall_bouncer/tasks/iptables.yml
new file mode 100644
index 0000000..14d27f0
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/iptables.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Ensure ipsets exist
+  shell: |
+    ipset list crowdsec-blacklists || ipset create crowdsec-blacklists nethash timeout 300
+    ipset list crowdsec6-blacklists || ipset create crowdsec6-blacklists nethash timeout 300 family inet6
+  changed_when: False
+  tags: cs
+
+- name: Add DROP rules
+  iptables_raw:
+    name: cs_blacklist
+    weight: 9
+    rules: |
+      -A INPUT -m set --match-set crowdsec-blacklists src -j DROP
+      -A FORWARD -m set --match-set crowdsec-blacklists src -j DROP
+  tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/tasks/main.yml b/roles/crowdsec_firewall_bouncer/tasks/main.yml
new file mode 100644
index 0000000..9575cea
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- include: directories.yml
+- include: facts.yml
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+- include: cleanup.yml
diff --git a/roles/crowdsec_firewall_bouncer/tasks/services.yml b/roles/crowdsec_firewall_bouncer/tasks/services.yml
new file mode 100644
index 0000000..dc01f70
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/services.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable the service
+  service: name=cs-firewall-bouncer state=started enabled=True
+  tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2 b/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2
new file mode 100644
index 0000000..7d60022
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2
@@ -0,0 +1,12 @@
+---
+
+mode: iptables
+piddir: /var/run/
+update_frequency: 10s
+daemonize: true
+log_mode: stdout
+log_level: info
+api_url: {{ (cs_fw_lapi_url is search('/$')) | ternary(cs_fw_lapi_url,cs_fw_lapi_url ~ '/') }}
+api_key: {{ cs_fw_lapi_key }}
+disable_ipv6: false
+
diff --git a/roles/g2cs/files/g2cs.pl b/roles/g2cs/files/g2cs.pl
index ddd01dc..20a1cad 100644
--- a/roles/g2cs/files/g2cs.pl
+++ b/roles/g2cs/files/g2cs.pl
@@ -38,13 +38,25 @@ my @ignored_syslog_id = qw(
   sudo
   zed
   zimbramon
+  systemd
+  systemd-logind
+  CROND
+  ttrss_1
+  turnserver
+  syncoid
+  influxd
 );
 # List of log files we're not interested in
 my @ignored_log_files = qw(
   /var/log/audit/audit.log
   /var/log/squid/cache.log
+  /var/log/squid/access.log
   /var/log/ufdbGuard/ufdbguardd.log
   /opt/zimbra/log/gc.log
+  /var/log/samba/json/auth.log
+  /var/log/samba/json/dsdb.log
+  /var/log/samba/json/dsdb_password.log
+  /var/log/samba/json/dsdb_transaction.log
 );
 
 print "Start listening on UDP port $port\n";
@@ -111,12 +123,12 @@ while (1) {
     if ($fields->{log_file_path} eq '/var/log/pveproxy/access.log'){
       $logfile = $logdir . '/pveproxy/access.log';
       $msg = $fields->{msg};
-    } elsif ($fields->{log_file_path} eq '/var/log/squid/access.log'){
-      $logfile = $logdir . '/squid/access.log';
-      $msg = $fields->{msg};
     } elsif ($fields->{log_file_path} eq '/opt/zimbra/log/nginx.access.log'){
       $logfile = $logdir . '/nginx/access.log';
       $msg = $fields->{msg};
+    } elsif ($fields->{log_file_path} eq '/opt/zimbra/log/mailbox.log'){
+      $logfile = $logdir . '/zimbra/mailbox.log';
+      $msg = $fields->{msg};
     }
   } elsif (defined $fields->{application_name}){
     if ($fields->{application_name} eq 'nginx'){
diff --git a/roles/g2cs/tasks/install.yml b/roles/g2cs/tasks/install.yml
index 8552d40..692ab7d 100644
--- a/roles/g2cs/tasks/install.yml
+++ b/roles/g2cs/tasks/install.yml
@@ -9,6 +9,7 @@
 
 - name: Install main script
   copy: src=g2cs.pl dest=/usr/local/bin/g2cs mode=755
+  notify: restart g2cs
   tags: cs
 
 - name: Deploy systemd unit