Merge pull request #1094 from edx/derf/ids_roles

IDS roles

Merge pull request #1094 from edx/derf/ids_roles
IDS roles
a4dd2927 · Fred Smith · b818dd00 · 9e71a3d9 · a4dd2927 · a4dd2927
Commit a4dd2927 authored May 20, 2014 by Fred Smith
9 changed files
--- a/playbooks/roles/aide/defaults/main.yml
+++ b/playbooks/roles/aide/defaults/main.yml
+
+---
+
+AIDE_REPORT_EMAIL: 'root'
--- a/playbooks/roles/aide/tasks/main.yml
+++ b/playbooks/roles/aide/tasks/main.yml
+---
+# install and configure aide IDS
+#
+
+- name: install aide
+  apt: pkg="aide" state="present"
+
+- name: configure aide defaults
+  template: >
+    src=etc/default/aide.j2 dest=/etc/default/aide
+    owner=root group=root mode=0644
+
+- name: aide initial scan (this can take a long time)
+  command: >
+    aideinit -y -f
+    creates=/var/lib/aide/aide.db
+  sudo: yes
--- a/playbooks/roles/aide/templates/etc/default/aide.j2
+++ b/playbooks/roles/aide/templates/etc/default/aide.j2
+# These settings are mainly for the wrapper scripts around aide,
+# such as aideinit and /etc/cron.daily/aide
+
+# This is used as the host name in the AIDE reports that are sent out
+# via e-mail. It defaults to the output of $(hostname --fqdn), but can
+# be set to arbitrary values.
+# FQDN=
+
+# This is used as the subject for the e-mail reports.
+# If your mail system only threads by subject, you might want to add
+# some variable content here (for example $(date +%Y-%m-%d)).
+MAILSUBJ="Daily AIDE report for $FQDN"
+
+# This is the email address reports get mailed to
+# default is root
+# This variable is expanded before it is used, so you can use variables
+# here. For example, MAILTO=$FQDN-aide@domain.example will send the
+# report to host.name.example-aide@domain.example is the local FQDN is
+# host.name.example.
+MAILTO={{ AIDE_REPORT_EMAIL }}
+
+# Set this to yes to suppress mailings when no changes have been
+# detected during the AIDE run and no error output was given.
+#QUIETREPORTS=no
+
+# This parameter defines which AIDE command to run from the cron script.
+# Sensible values are "update" and "check".
+# Default is "check", ensuring backwards compatibility.
+# Since "update" does not take any longer, it is recommended to use "update",
+# so that a new database is created every day. The new database needs to be
+# manually copied over the current one, though.
+COMMAND=update
+
+# This parameter defines what to do with a new database created by
+# COMMAND=update. It is ignored if COMMAND!=update.
+# no: Do not copy new database to old database. This is the default.
+# yes: Copy new database to old database. This means that changes to the
+#   file system are only reported once. Possibly dangerous.
+# ifnochange: Copy new database to old database if no changes have
+#   been reported. This is needed for ANF/ARF to work reliably.
+COPYNEWDB=no
+
+# Set this to yes to truncate the detailed changes part in the mail. The full
+# output will still be listed in the log file.
+TRUNCATEDETAILS=yes
+
+# Set this to yes to suppress file changes by package and security
+# updates from appearing in the e-mail report. Filtered file changes will
+# still be listed in the log file. This option parses the /var/log/dpkg.log
+# file and implies TRUNCATEDETAILS=yes
+FILTERUPDATES=yes
+
+# Set this to yes to suppress file changes by package installations
+# from appearing in the e-mail report. Filtered file changes will still
+# be listed in the log file. This option parses the /var/log/dpkg.log file and
+# implies TRUNCATEDETAILS=yes.
+FILTERINSTALLATIONS=yes
+
+# This parameter defines how many lines to return per e-mail. Output longer
+# than this value will be truncated in the e-mail sent out.
+# Set value to "0" to disable this option.
+LINES=1000
+
+# This parameter gives a grep regular expression. If given, all output lines
+# that _don't_ match the regexp are listed first in the script's output. This
+# allows to easily remove noise from the AIDE report.
+NOISE=""
+
+# This parameter defines which options are given to aide in the daily
+# cron job. The default is "-V4".
+AIDEARGS=""
+
+# These parameters control update-aide.conf and give the defaults for
+# the --confdir, --confd and --settingsd options
+# UPAC_CONFDIR="/etc/aide"
+# UPAC_CONFD="$UPAC_CONFDIR/aide.conf.d"
+# UPAC_SETTINGSD="$UPAC_CONFDIR/aide.settings.d"
--- a/playbooks/roles/snort/defaults/main.yml
+++ b/playbooks/roles/snort/defaults/main.yml
+
+---
+
+SNORT_OINKCODE: 'oinkcode'
--- a/playbooks/roles/snort/tasks/main.yml
+++ b/playbooks/roles/snort/tasks/main.yml
+---
+# install and configure snort IDS
+#
+
+- name: install snort
+  apt: pkg={{ item }} state="present"
+  with_items:
+    - snort
+    - oinkmaster
+
+- name: configure snort
+  template: >
+    src=etc/snort/snort.conf.j2 dest=/etc/snort/snort.conf
+    owner=root group=root mode=0644
+
+- name: configure snort (debian)
+  template: >
+    src=etc/snort/snort.debian.conf.j2 dest=/etc/snort/snort.debian.conf
+    owner=root group=root mode=0644
+
+- name: configure oinkmaster
+  template: >
+    src=etc/oinkmaster.conf.j2 dest=/etc/oinkmaster.conf
+    owner=root group=root mode=0644
+
+- name: update snort
+  shell: oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules/ 
+  sudo: yes
+
+- name: snort service 
+  service: >
+    name="snort" 
+    state="started"
+
+- name: open read permissions on snort logs
+  file: >
+    name="/var/log/snort"
+    state="directory"
+    mode="755"
+
+- name: install oinkmaster cronjob
+  template: >
+    src=etc/cron.daily/oinkmaster.j2 dest=/etc/cron.daily/oinkmaster
+    owner=root group=root mode=0755
+
+
+
--- a/playbooks/roles/snort/templates/etc/cron.daily/oinkmaster.j2
+++ b/playbooks/roles/snort/templates/etc/cron.daily/oinkmaster.j2
+#! /bin/bash
+
+oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules/ > /dev/null
+service snort restart
--- a/playbooks/roles/snort/templates/etc/oinkmaster.conf.j2
+++ b/playbooks/roles/snort/templates/etc/oinkmaster.conf.j2
--- a/playbooks/roles/snort/templates/etc/snort/snort.conf.j2
+++ b/playbooks/roles/snort/templates/etc/snort/snort.conf.j2
--- a/playbooks/roles/snort/templates/etc/snort/snort.debian.conf.j2
+++ b/playbooks/roles/snort/templates/etc/snort/snort.debian.conf.j2
+# snort.debian.config (Debian Snort configuration file)
+#
+# This file was generated by the post-installation script of the snort
+# package using values from the debconf database.
+#
+# It is used for options that are changed by Debian to leave
+# the original configuration files untouched.
+#
+# This file is automatically updated on upgrades of the snort package
+# *only* if it has not been modified since the last upgrade of that package.
+#
+# If you have edited this file but would like it to be automatically updated
+# again, run the following command as root:
+#   dpkg-reconfigure snort
+
+DEBIAN_SNORT_STARTUP="boot"
+DEBIAN_SNORT_HOME_NET=""
+DEBIAN_SNORT_OPTIONS=""
+DEBIAN_SNORT_INTERFACE="eth0"
+DEBIAN_SNORT_SEND_STATS="true"
+DEBIAN_SNORT_STATS_RCPT="root"
+DEBIAN_SNORT_STATS_THRESHOLD="1"