Update to 2021-03-04 10:00

4 years ago · cf4e8273d1
parent 3b32e1147c
commit cf4e8273d1
16 changed files with 256 additions and 15 deletions
--- a/roles/crowdsec/tasks/conf.yml
+++ b/roles/crowdsec/tasks/conf.yml
@ -31,7 +31,7 @@
      register: cs_lapi_credentials
      delegate_to: "{{ cs_lapi_server }}"
    - set_fact: cs_lapi_credentials_yaml={{ cs_lapi_credentials.stdout | from_yaml }}
-    - copy: content={{ cs_lapi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/lapi_pass mode=600
+    - copy: content={{ cs_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600
    - set_fact: cs_lapi_pass={{ cs_lapi_credentials_yaml.password }}
  tags: cs
@ -44,8 +44,8 @@
      command: cscli capi register -o raw -f /dev/stdout
      register: cs_capi_credentials
    - set_fact: cs_capi_credentials_yaml={{ cs_capi_credentials.stdout | from_yaml }}
-    - copy: content={{ cs_capi_credentials_yaml.login }} dest={{ cs_root_dir }}/meta/capi_user mode=600
+    - copy: content={{ cs_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600
-    - copy: content={{ cs_capi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/capi_pass mode=600
+    - copy: content={{ cs_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600
    - set_fact: cs_capi_user={{ cs_capi_credentials_yaml.login }}
    - set_fact: cs_capi_pass={{ cs_capi_credentials_yaml.password }}
  tags: cs
--- a/roles/crowdsec/tasks/directories.yml
+++ b/roles/crowdsec/tasks/directories.yml
@ -6,8 +6,6 @@
    - dir: /etc/crowdsec
      mode: 755
    - dir: "{{ cs_root_dir }}"
    - dir: "{{ cs_root_dir }}/meta"
      mode: 700
    - dir: "{{ cs_root_dir }}/backup"
      mode: 700
    - dir: "{{ cs_root_dir }}/data"
@ -18,4 +16,6 @@
    - dir: /etc/crowdsec/postoverflows/s00-enrich
    - dir: /etc/crowdsec/postoverflows/s01-whitelist
    - dir: /etc/crowdsec/acquis
    - dir: /etc/crowdsec/meta
      mode: 700
  tags: cs
--- a/roles/crowdsec/tasks/facts.yml
+++ b/roles/crowdsec/tasks/facts.yml
@ -35,7 +35,7 @@
 - block:
    - import_tasks: ../includes/get_rand_pass.yml
      vars:
-        - pass_file: "{{ cs_root_dir }}/meta/ansible_db_pass"
+        - pass_file: "/etc/crowdsec/meta/ansible_db_pass"
        - complex: False
    - set_fact: cs_db_pass={{ rand_pass }}
  when:
@ -45,13 +45,13 @@
 # Check if local API credentials are available in the meta dir
 - name: Check local API credential files
-  stat: path={{ cs_root_dir }}/meta/lapi_pass
+  stat: path=/etc/crowdsec/meta/lapi_pass
  register: cs_lapi_pass_file
  tags: cs
 - name: Read the local API pass
  block:
-    - slurp: src={{ cs_root_dir }}/meta/lapi_pass
+    - slurp: src=/etc/crowdsec/meta/lapi_pass
      register: cs_lapi_pass_meta
    - set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }}
  when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists
@ -60,15 +60,15 @@
 # Check if central API credentials are available in the meta dir
 - name: Check central API credential files
  block: 
-    - stat: path={{ cs_root_dir }}/meta/capi_user
+    - stat: path=/etc/crowdsec/meta/capi_user
      register: cs_capi_user_file
-    - stat: path={{ cs_root_dir }}/meta/capi_pass
+    - stat: path=/etc/crowdsec/meta/capi_pass
      register: cs_capi_pass_file
  tags: cs
 - name: Read the central API user
  block:
-    - slurp: src={{ cs_root_dir }}/meta/capi_user
+    - slurp: src=/etc/crowdsec/meta/capi_user
      register: cs_capi_user_meta
    - set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }}
  when: cs_capi_user is not defined and cs_capi_user_file.stat.exists
@ -76,7 +76,7 @@
 - name: Read the central API pass
  block:
-    - slurp: src={{ cs_root_dir }}/meta/capi_pass
+    - slurp: src=/etc/crowdsec/meta/capi_pass
      register: cs_capi_pass_meta
    - set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }}
  when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists
--- a/roles/crowdsec_firewall_bouncer/defaults/main.yml
+++ b/roles/crowdsec_firewall_bouncer/defaults/main.yml
@ -0,0 +1,15 @@
 ---
 # Version of the firewall bouncer to install
 cs_fw_version: 0.0.10
 # URL of the firewall bouncer archive
 cs_fw_archive_url: https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v{{ cs_fw_version }}/cs-firewall-bouncer.tgz
 # Expected sha1 of the archive
 cs_fw_archive_sha1: 46863e95bdc8f48434583f55e89b7720fce5736d
 # API on which the bouncer should listen for alerts
 cs_fw_lapi_url: "{{ cs_lapi_url | default('http://localhost:8080/') }}"
 # If not defined, ansible will try to register the bouncer on the Local API server
 # cs_lapi_server must be defined in this case
 # cs_fw_lapi_key: aaabbbccc
--- a/roles/crowdsec_firewall_bouncer/handlers/main.yml
+++ b/roles/crowdsec_firewall_bouncer/handlers/main.yml
@ -0,0 +1,4 @@
 ---
 - name: restart cs-firewall-bouncer
  service: name=cs-firewall-bouncer state=restarted
--- a/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
@ -0,0 +1,8 @@
 ---
 - name: Remove temp and obsolete files
  file: path={{ item }} state=absent
  loop:
    - /tmp/cs-firewall-bouncer.tgz
    - /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/conf.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/conf.yml
@ -0,0 +1,6 @@
 ---
 - name: Deploy configuration
  template: src=cs-firewall-bouncer.yaml.j2 dest=/etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml mode=600
  notify: restart cs-firewall-bouncer
  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/directories.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/directories.yml
@ -0,0 +1,9 @@
 ---
 - name: Create needed directories
  file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }}
  loop:
    - dir: /etc/crowdsec/cs-firewall-bouncer
    - dir: /etc/crowdsec/meta
      mode: 700
  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/facts.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/facts.yml
@ -0,0 +1,72 @@
 ---
 - include_vars: "{{ item }}"
  with_first_found:
    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
    - vars/{{ ansible_distribution }}.yml
    - vars/{{ ansible_os_family }}.yml
  tags: cs
 - name: Check if API key is available
  stat: path=/etc/crowdsec/meta/bouncer_fw_api_key
  register: cs_fw_lapi_key_file
  tags: cs
 - when: cs_fw_lapi_key is not defined and (not cs_fw_lapi_key_file.stat.exists or cs_fw_lapi_key_file.stat.size == 0)
  block:
    - name: Register the bouncer
      shell: |
        cscli bouncers list -o raw | grep -q -P '^{{ inventory_hostname }}-firewall' && cscli bouncers delete {{ inventory_hostname }}-firewall
        cscli bouncers add {{ inventory_hostname }}-firewall -o raw
      register: cs_bouncer_add
      failed_when: cs_bouncer_add.rc not in [0,1]
      changed_when: cs_bouncer_add.rc == 0
      delegate_to: "{{ cs_lapi_server | default(inventory_hostname) }}"
    - name: Record the API key for later use
      copy: content={{ cs_bouncer_add.stdout }} dest=/etc/crowdsec/meta/bouncer_fw_api_key mode=600
  tags: cs
 - when: cs_fw_lapi_key is not defined
  block:
    - name: Read the API key
      slurp: src=/etc/crowdsec/meta/bouncer_fw_api_key
      register: cs_fw_lapi_generated_key
    - set_fact: cs_fw_lapi_key={{ cs_fw_lapi_generated_key.content | b64decode | trim }}
  tags: cs
 - name: Set initial facts
  block:
    - set_fact: cs_fw_current_version=''
    - set_fact: cs_fw_install_mode='none'
  tags: cs
 - name: Check if the bouncer is installed
  stat: path=/usr/local/bin/cs-firewall-bouncer
  register: cs_fw_bin
  tags: cs
 - when: cs_fw_bin.stat.exists
  block:
    - name: Detect installed version
      shell: |
        cs-firewall-bouncer -c /dev/null 2>&1 | perl -ne 'm/cs-firewall-bouncer v(\d+(\.\d+)*)/ && print $1'
      register: cs_fw_current_version
      changed_when: False
    - set_fact: cs_fw_current_version={{ cs_fw_current_version.stdout }}
  tags: cs
 - name: Set install mode
  set_fact: cs_fw_install_mode='install'
  when: not cs_fw_bin.stat.exists
  tags: cs
 - name: Set upgrade mode
  set_fact: cs_fw_install_mode='upgrade'
  when:
    - cs_fw_bin.stat.exists
    - cs_fw_current_version != cs_fw_version
  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/install.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/install.yml
@ -0,0 +1,70 @@
 ---
 - name: Install needed tools
  package:
    name:
      - ipset
  tags: cs
 - when: cs_fw_install_mode != 'none'
  block:
    - name: Download the bouncer
      get_url:
        url: "{{ cs_fw_archive_url }}"
        dest: /tmp
        checksum: sha1:{{ cs_fw_archive_sha1 }}
    - name: Extract the archive
      unarchive:
        src: /tmp/cs-firewall-bouncer.tgz
        dest: /tmp
        remote_src: True
    - name: Install or upgrade
      command: ./{{ cs_fw_install_mode }}.sh
      args:
        chdir: /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
      notify: restart cs-firewall-bouncer
  tags: cs
 - name: Create systemd unit snippet dir
  file: path=/etc/systemd/system/cs-firewall-bouncer.service.d state=directory
  tags: cs
 - name: Create iptables snippet dir
  file: path=/etc/systemd/system/{{ cs_iptables_service }}.service.d state=directory
  tags: cs
 - name: Create ipsets before iptables starts
  copy:
    content: |
      [Service]
      ExecStartPre=/usr/sbin/ipset -exist create crowdsec-blacklists nethash timeout 300
      ExecStartPre=/usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6
    dest: /etc/systemd/system/{{ cs_iptables_service }}.service.d/cs-ipset.conf
  register: cs_iptable_unit
  tags: cs
 - name: Tune cs-firewall-bouncer service
  copy:
    content: |
      [Unit]
      # The bouncer should start after crowdsec to be able to register on the API
      After=crowdsec.service
      [Service]
      # Restart on failure
      Restart=on-failure
      StartLimitInterval=0
      RestartSec=30
    dest: /etc/systemd/system/cs-firewall-bouncer.service.d/ansible.conf
  register: crodwsec_fw_unit
  notify: restart cs-firewall-bouncer
  tags: cs
 - name: Reload systemd
  systemd: daemon_reload=True
  when: crodwsec_fw_unit.changed or cs_iptable_unit.changed
  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/iptables.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/iptables.yml
@ -0,0 +1,17 @@
 ---
 - name: Ensure ipsets exist
  shell: |
    ipset list crowdsec-blacklists || ipset create crowdsec-blacklists nethash timeout 300
    ipset list crowdsec6-blacklists || ipset create crowdsec6-blacklists nethash timeout 300 family inet6
  changed_when: False
  tags: cs
 - name: Add DROP rules
  iptables_raw:
    name: cs_blacklist
    weight: 9
    rules: |
      -A INPUT -m set --match-set crowdsec-blacklists src -j DROP
      -A FORWARD -m set --match-set crowdsec-blacklists src -j DROP
  tags: cs
--- a/roles/crowdsec_firewall_bouncer/tasks/main.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/main.yml
@ -0,0 +1,10 @@
 ---
 - include: directories.yml
 - include: facts.yml
 - include: install.yml
 - include: conf.yml
 - include: iptables.yml
  when: iptables_manage | default(True)
 - include: services.yml
 - include: cleanup.yml
--- a/roles/crowdsec_firewall_bouncer/tasks/services.yml
+++ b/roles/crowdsec_firewall_bouncer/tasks/services.yml
@ -0,0 +1,5 @@
 ---
 - name: Start and enable the service
  service: name=cs-firewall-bouncer state=started enabled=True
  tags: cs
--- a/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2
+++ b/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2
@ -0,0 +1,12 @@
 ---
 mode: iptables
 piddir: /var/run/
 update_frequency: 10s
 daemonize: true
 log_mode: stdout
 log_level: info
 api_url: {{ (cs_fw_lapi_url is search('/$')) | ternary(cs_fw_lapi_url,cs_fw_lapi_url ~ '/') }}
 api_key: {{ cs_fw_lapi_key }}
 disable_ipv6: false
--- a/roles/g2cs/files/g2cs.pl
+++ b/roles/g2cs/files/g2cs.pl
@ -38,13 +38,25 @@ my @ignored_syslog_id = qw(
  sudo
  zed
  zimbramon
  systemd
  systemd-logind
  CROND
  ttrss_1
  turnserver
  syncoid
  influxd
 );
 # List of log files we're not interested in
 my @ignored_log_files = qw(
  /var/log/audit/audit.log
  /var/log/squid/cache.log
  /var/log/squid/access.log
  /var/log/ufdbGuard/ufdbguardd.log
  /opt/zimbra/log/gc.log
  /var/log/samba/json/auth.log
  /var/log/samba/json/dsdb.log
  /var/log/samba/json/dsdb_password.log
  /var/log/samba/json/dsdb_transaction.log
 );
 print "Start listening on UDP port $port\n";
@ -111,12 +123,12 @@ while (1) {
    if ($fields->{log_file_path} eq '/var/log/pveproxy/access.log'){
      $logfile = $logdir . '/pveproxy/access.log';
      $msg = $fields->{msg};
    } elsif ($fields->{log_file_path} eq '/var/log/squid/access.log'){
      $logfile = $logdir . '/squid/access.log';
      $msg = $fields->{msg};
    } elsif ($fields->{log_file_path} eq '/opt/zimbra/log/nginx.access.log'){
      $logfile = $logdir . '/nginx/access.log';
      $msg = $fields->{msg};
    } elsif ($fields->{log_file_path} eq '/opt/zimbra/log/mailbox.log'){
      $logfile = $logdir . '/zimbra/mailbox.log';
      $msg = $fields->{msg};
    }
  } elsif (defined $fields->{application_name}){
    if ($fields->{application_name} eq 'nginx'){
--- a/roles/g2cs/tasks/install.yml
+++ b/roles/g2cs/tasks/install.yml
@ -9,6 +9,7 @@
 - name: Install main script
  copy: src=g2cs.pl dest=/usr/local/bin/g2cs mode=755
  notify: restart g2cs
  tags: cs
 - name: Deploy systemd unit