From e75d03a313e2244141b7e6a2330259d41a837382 Mon Sep 17 00:00:00 2001 From: DarkFeather Date: Thu, 7 Mar 2024 12:27:21 -0600 Subject: [PATCH] Update for automated response around poorly behaving archlinux-keyring weekly timer; rename Sora role to Password --- README.md | 6 +- roles/{Sora => Password}/README.md | 0 roles/Password/bin/sora-dump-config | 3 + roles/Password/files/sora-base-config | 119 ++++++++++++++++++ roles/Password/package/Makefile | 26 ++++ roles/Password/package/PKGBUILD | 46 +++++++ .../files => Password/package}/ldap-adduser | 5 +- .../files => Password/package}/ldap-resetpass | 6 +- .../package}/ldap-userreport | 17 +-- roles/Password/package/sample-user.ldif | 21 ++++ roles/Password/tasks/daemon.yml | 35 ++++++ roles/Password/tasks/login.yml | 17 +++ roles/Password/tasks/main.yml | 13 ++ roles/Password/tasks/web.yml | 24 ++++ .../files/monit/checks/automated_response | 3 + roles/Sharingan/files/monit/hostdefs/DarkNet | 1 + roles/Sharingan/files/monit/hostdefs/Maat | 1 + roles/Sharingan/files/monit/hostdefs/Nodelet0 | 1 + roles/Sharingan/files/monit/hostdefs/Nodelet1 | 1 + roles/Sharingan/files/monit/hostdefs/Nodelet2 | 1 + roles/Sharingan/files/monit/hostdefs/Nodelet3 | 1 + roles/Sharingan/files/monit/hostdefs/Nodelet4 | 1 + .../Sharingan/files/monit/hostdefs/Sharingan | 1 + .../Sharingan/files/monit/hostdefs/Yggdrasil | 1 + roles/Sharingan/tasks/scans.yml | 26 +--- roles/Sharingan/tasks/siem.yml | 3 +- roles/Sharingan/tasks/vscan.yml | 26 ++++ roles/Sora/tasks/main.yml | 7 -- roles/Vanik/tasks/main.yml | 12 -- 29 files changed, 360 insertions(+), 64 deletions(-) rename roles/{Sora => Password}/README.md (100%) create mode 100755 roles/Password/bin/sora-dump-config create mode 100644 roles/Password/files/sora-base-config create mode 100644 roles/Password/package/Makefile create mode 100644 roles/Password/package/PKGBUILD rename roles/{Sora/files => Password/package}/ldap-adduser (89%) rename roles/{Sora/files => Password/package}/ldap-resetpass (75%) rename roles/{Sora/files => Password/package}/ldap-userreport (74%) create mode 100644 roles/Password/package/sample-user.ldif create mode 100644 roles/Password/tasks/daemon.yml create mode 100644 roles/Password/tasks/login.yml create mode 100644 roles/Password/tasks/main.yml create mode 100644 roles/Password/tasks/web.yml create mode 100644 roles/Sharingan/files/monit/checks/automated_response create mode 100644 roles/Sharingan/files/monit/hostdefs/Nodelet0 create mode 100644 roles/Sharingan/files/monit/hostdefs/Nodelet1 create mode 100644 roles/Sharingan/files/monit/hostdefs/Nodelet2 create mode 100644 roles/Sharingan/files/monit/hostdefs/Nodelet3 create mode 100644 roles/Sharingan/files/monit/hostdefs/Nodelet4 create mode 100644 roles/Sharingan/tasks/vscan.yml delete mode 100644 roles/Sora/tasks/main.yml delete mode 100644 roles/Vanik/tasks/main.yml diff --git a/README.md b/README.md index f0be996..14769e9 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,9 @@ This project is our Infrastructure-as-Code solution, detailing the deployment & # Etymology -It is named after the fictional Star Wars Imperial Intelligence organization that oversaw the various divisions of Intelligence and orchestrated their operations. Like its namesake, this project oversees the various tools within our ecosystem and enforces compliance with standards. +It is named after flagship carrier Kapisi from the game [Homeworld: Deserts of Kharak](https://store.steampowered.com/app/281610?snr=5000_5100___primarylinks). The carrier was the command and production center of Operation Khadiim, an expedition to understand an anomaly on their world & escape the fanaticism of their Gaalsien rivals. The S'jet were able to succeed in this mission not only due to the military efficacy of their forces but also through the research and production capabilities available to the Kapisi. + +This project seeks to give other admins and engineers to launch their own infrastructures and break out of any strangleholds that may have entangled them, whether that is tribalism, vendor lock, or stigma. # Relevant Files and Software @@ -12,7 +14,7 @@ export ANSIBLE_VAULT_PASSWORD_FILE=$HOME/password-store/${organization}.vault.pa export ANSIBLE_VAULT_FILE=$HOME/password-store/${organization}.vault ``` -Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own. +Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own. The scripts here expect inventories to have layers of groups -- the top group under `all` must be managed vs. unmanaged. The rest of the scripts use YAMLPath to sort out the rest of the groups. Once you have your vault and inventory, use [AniNIX/ShadowArch](/AniNIX/ShadowArch) with your hypervisor to provision the base image for your machines, or [Raspbian](https://www.raspberrypi.org/). diff --git a/roles/Sora/README.md b/roles/Password/README.md similarity index 100% rename from roles/Sora/README.md rename to roles/Password/README.md diff --git a/roles/Password/bin/sora-dump-config b/roles/Password/bin/sora-dump-config new file mode 100755 index 0000000..adb3ca9 --- /dev/null +++ b/roles/Password/bin/sora-dump-config @@ -0,0 +1,3 @@ +#!/bin/bash + +slapcat -a "(!(entryDN:dnSubtreeMatch:=ou=People,dc=aninix,dc=net))" diff --git a/roles/Password/files/sora-base-config b/roles/Password/files/sora-base-config new file mode 100644 index 0000000..3c2fb63 --- /dev/null +++ b/roles/Password/files/sora-base-config @@ -0,0 +1,119 @@ +dn: dc=aninix,dc=net +objectClass: dcObject +objectClass: organization +dc: aninix +o: AniNIXUsers +description: AniNIX::LDAP Crediential Directory +structuralObjectClass: organization +entryUUID: a521b05a-3532-4042-bf8f-3631a1e51b94 +creatorsName: cn=root,dc=aninix,dc=net +createTimestamp: 20160901205333Z +entryCSN: 20160901205333.449191Z#000000#000#000000 +modifiersName: cn=root,dc=aninix,dc=net +modifyTimestamp: 20160901205333Z + +dn: cn=root,dc=aninix,dc=net +objectClass: organizationalRole +cn: root +description: Directory Manager +structuralObjectClass: organizationalRole +entryUUID: 9e4273d9-d002-4015-a774-bed02afd6cc9 +creatorsName: cn=root,dc=aninix,dc=net +createTimestamp: 20160901205333Z +pwdLastSuccess: 20220918222625Z +entryCSN: 20220918222625.132392Z#000000#000#000000 +modifiersName: cn=root,dc=aninix,dc=net +modifyTimestamp: 20220918222625Z + +dn: ou=Group,dc=aninix,dc=net +ou: Group +objectClass: top +objectClass: organizationalUnit +structuralObjectClass: organizationalUnit +entryUUID: 475e1ae1-d992-4a9a-85de-e7f71974ac03 +creatorsName: cn=root,dc=aninix,dc=net +createTimestamp: 20160901214257Z +entryCSN: 20160901214257.941445Z#000000#000#000000 +modifiersName: cn=root,dc=aninix,dc=net +modifyTimestamp: 20160901214257Z + +dn: cn=ldapuser,ou=Group,dc=aninix,dc=net +cn: ldapuser +gidNumber: 10000 +objectClass: posixGroup +objectClass: top +structuralObjectClass: posixGroup +entryUUID: dc17d42d-fae9-496d-b362-82f27679476c +creatorsName: cn=root,dc=aninix,dc=net +createTimestamp: 20160903051753Z +entryCSN: 20160903051753.156600Z#000000#000#000000 +modifiersName: cn=root,dc=aninix,dc=net +modifyTimestamp: 20160903051753Z + +dn: cn=hypervisorauth,ou=Group,dc=aninix,dc=net +cn: hypervisorauth +gidNumber: 10001 +objectClass: posixGroup +objectClass: top +structuralObjectClass: posixGroup +entryUUID: 88cb5e2c-ee93-4d62-a83a-63ceff9ceba0 +creatorsName: cn=root,dc=aninix,dc=net +createTimestamp: 20160903061147Z +memberUid: lurso3 +entryCSN: 20160903061653.689826Z#000000#000#000000 +modifiersName: cn=root,dc=aninix,dc=net +modifyTimestamp: 20160903061653Z + +dn: ou=pwpolicies,dc=aninix,dc=net +ou: pwpolicies +objectClass: top +objectClass: organizationalUnit +structuralObjectClass: organizationalUnit +entryUUID: ee2c6fc6-a40a-4d6f-992e-c1a04439f022 +creatorsName: cn=root,dc=aninix,dc=net +createTimestamp: 20161029155416Z +entryCSN: 20161029155416.247439Z#000000#000#000000 +modifiersName: cn=root,dc=aninix,dc=net +modifyTimestamp: 20161029155416Z + +dn: cn=default,ou=pwpolicies,dc=aninix,dc=net +objectClass: pwdPolicy +objectClass: person +objectClass: top +cn: default +sn: Default +pwdAttribute: userPassword +pwdMaxAge: 31536000 +pwdExpireWarning: 604800 +pwdInHistory: 12 +pwdCheckQuality: 1 +pwdMaxFailure: 5 +pwdLockout: TRUE +pwdLockoutDuration: 86400 +pwdGraceAuthNLimit: 3 +pwdFailureCountInterval: 3600 +pwdMustChange: TRUE +pwdMinLength: 8 +pwdAllowUserChange: TRUE +pwdSafeModify: FALSE +structuralObjectClass: person +entryUUID: f983ea45-deca-4b8f-8e55-cebbacf392ba +creatorsName: cn=root,dc=aninix,dc=net +createTimestamp: 20161029171109Z +entryCSN: 20161029171109.930559Z#000000#000#000000 +modifiersName: cn=root,dc=aninix,dc=net +modifyTimestamp: 20161029171109Z + +dn: cn=DarkFeather,ou=Group,dc=aninix,dc=net +cn: DarkFeather +gidNumber: 10002 +objectClass: posixGroup +objectClass: top +memberUid: DarkFeather +structuralObjectClass: posixGroup +entryUUID: 1f333fb2-0611-4235-ba07-aa9fa0edb439 +creatorsName: cn=root,dc=aninix,dc=net +createTimestamp: 20201018201805Z +entryCSN: 20201018201805.104347Z#000000#000#000000 +modifiersName: cn=root,dc=aninix,dc=net +modifyTimestamp: 20201018201805Z diff --git a/roles/Password/package/Makefile b/roles/Password/package/Makefile new file mode 100644 index 0000000..c4ee0fb --- /dev/null +++ b/roles/Password/package/Makefile @@ -0,0 +1,26 @@ +binlist = ldap-adduser ldap-userreport ldap-resetpass +filelist = sample-user.ldif + +compile: + @echo Nothing to do + +install: clean ${binlist} ${filelist} + mkdir -p ${pkgdir}/opt/aninix/Password/ + for i in ${filelist}; do install -m 0640 -o ldap -g ldap $$i ${pkgdir}/opt/aninix/Password/; done + mkdir -p ${pkgdir}/usr/local/sbin/ + for i in ${binlist}; do install -m 0750 -o root -g root $$i ${pkgdir}/usr/local/sbin; done + +test: compile + @echo Nothing to do + +clean: + @echo Nothing to do. + +diff: + @echo Nothing to do. + +reverse: + @echo Nothing to do. + +checkperm: + @echo Nothing to do. diff --git a/roles/Password/package/PKGBUILD b/roles/Password/package/PKGBUILD new file mode 100644 index 0000000..5a63ba3 --- /dev/null +++ b/roles/Password/package/PKGBUILD @@ -0,0 +1,46 @@ +depends=('bash>=4.4' 'openldap') +makedepends=('make>=4.2') +checkdepends=() +optdepends=() +pkgname="Password-Scripts" +pkgver="$(git describe --tag --abbrev=0)"."$(git rev-parse --short HEAD)" +pkgrel=1 +pkgrel() { + echo $(( `git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit` + 1 )) +} +epoch="$(git log | grep -c commit)" +pkgdesc="AniNIX/Password Scripts" +arch=("x86_64") +url="$(git config remote.origin.url | sed 's/.git$//')" +license=('custom') +groups=() +provides=("${pkgname}") +conflicts=() +replaces=("${pkgname,,}" "aninix-${pkgname,,}") +backup=() +options=() +install= +changelog= +source=() +noextract=() +md5sums=() +validpgpkeys=() + +prepare() { + git pull || true +} + +build() { + make -C .. +} + +check() { + chmod -R u+r ../pkg + make -C .. test +} + +package() { + export pkgdir="${pkgdir}" + make -C .. install + install -D -m644 ../../../../LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE" +} diff --git a/roles/Sora/files/ldap-adduser b/roles/Password/package/ldap-adduser similarity index 89% rename from roles/Sora/files/ldap-adduser rename to roles/Password/package/ldap-adduser index ef1e41b..9751cd0 100755 --- a/roles/Sora/files/ldap-adduser +++ b/roles/Password/package/ldap-adduser @@ -43,16 +43,15 @@ if [ "$?" -eq 0 ]; then read answer if [ "$answer" == "YES" ]; then file="/etc/openldap/users.d/$username.ldif" - cp /usr/local/src/ConfigPackages/Sora/sample-user.ldif "$file" + cp /opt/aninix/Password/sample-user.ldif "$file" line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file" line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file" line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file" line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file" line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file" line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file" - ldapadd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass -f "$file" + ldapadd -D 'cn=root,dc=aninix,dc=net' -W -f "$file" ldap-resetpass "$username" - # usermod -a -G ssh-allow,passwdchange "$username" fi rmdir "$lockfile" exit 0; diff --git a/roles/Sora/files/ldap-resetpass b/roles/Password/package/ldap-resetpass similarity index 75% rename from roles/Sora/files/ldap-resetpass rename to roles/Password/package/ldap-resetpass index 301ef54..9a4ca49 100755 --- a/roles/Sora/files/ldap-resetpass +++ b/roles/Password/package/ldap-resetpass @@ -7,11 +7,11 @@ if [ -z "$uid" ]; then exit 1 fi -ldappasswd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass "uid=$uid,ou=People,dc=aninix,dc=net" +ldappasswd -D 'cn=root,dc=aninix,dc=net' -W "uid=$uid,ou=People,dc=aninix,dc=net" if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then - (printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null; + (printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null; fi -(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null; +(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null; exit $? diff --git a/roles/Sora/files/ldap-userreport b/roles/Password/package/ldap-userreport similarity index 74% rename from roles/Sora/files/ldap-userreport rename to roles/Password/package/ldap-userreport index fbc979b..a40f9e2 100755 --- a/roles/Sora/files/ldap-userreport +++ b/roles/Password/package/ldap-userreport @@ -8,17 +8,9 @@ function shortshow() { echo ${user}": "$email } -function queryLDAPAttribute() { - ldapsearch -x "$1" "$2" | grep -E "${2}: " | sed "s/^${2}: //" -} - basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\ | sed 's/dn: cn=root,//'` -maxAge="$(queryLDAPAttribute '(cn=default)' pwdMaxAge)" -changeAge=$(( $maxAge - 2592000 )) -deleteAge=$(( 2 * $maxAge )) - -for user in `queryLDAPAttribute '(uid=*)' uid`; do +for user in `ldapsearch -x -b "ou=People,$basedn" '(uid=*)' uid | grep -E ^uid:\ | sed 's/^uid: //'`; do # Pull changed stats lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '` @@ -45,7 +37,7 @@ for user in `queryLDAPAttribute '(uid=*)' uid`; do if [ "$lastChanged" == "$errortext" ]; then shortshow else - if [ $delta -gt "$changeAge" ] && [ $delta -lt "$maxAge" ]; then shortshow; fi + if [ $delta -gt 28512000 ] && [ $delta -lt 31536000 ]; then shortshow; fi fi ;; "--expired") @@ -53,11 +45,6 @@ for user in `queryLDAPAttribute '(uid=*)' uid`; do shortshow; fi ;; - "--removeable") - if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge "$deleteAge" ]; then - shortshow; - fi - ;; *) cat ;; diff --git a/roles/Password/package/sample-user.ldif b/roles/Password/package/sample-user.ldif new file mode 100644 index 0000000..becc196 --- /dev/null +++ b/roles/Password/package/sample-user.ldif @@ -0,0 +1,21 @@ +dn: uid=testuser,ou=People,dc=aninix,dc=net +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: shadowAccount +uid: testuser +cn: Test User +sn: User +givenName: Test +title: User +telephoneNumber: +0 000 000 0000 +mobile: +0 000 000 0000 +postalAddress: AddressLine1$AddressLine2$AddressLine3 +loginShell: /bin/bash +uidNumber: 10006 +gidNumber: 10000 +homeDirectory: /home/testuser +description: Work contact +mail: testuser@aninix.net diff --git a/roles/Password/tasks/daemon.yml b/roles/Password/tasks/daemon.yml new file mode 100644 index 0000000..31e4d2c --- /dev/null +++ b/roles/Password/tasks/daemon.yml @@ -0,0 +1,35 @@ +--- + - name: Create the base config + become: yes + template: + src: slapd.ldif + dest: /etc/openldap/slapd.ldif + owner: ldap + group: ldap + mode: 0640 + + - name: Create the directories + file: + path: "{{ item }}" + owner: ldap + group: ldap + mode: 0700 + loop: + - /var/lib/openldap/openldap-data/ + - /etc/openldap + - /etc/openldap/users.d + - /etc/openldap/groups.d + - /etc/openldap/slapd.d + + - name: Initialize the instance + become: yes + command: + cmd: slapadd -n 0 -F /etc/openldap/slapd.d/ -l /etc/openldap/config.ldif && chown -R ldap: /etc/openldap + creates: /etc/openldap/slapd.d/cn=config + + - name: Ensure the service + become: yes + service: + name: slapd + state: restarted + enabled: yes diff --git a/roles/Password/tasks/login.yml b/roles/Password/tasks/login.yml new file mode 100644 index 0000000..91551f2 --- /dev/null +++ b/roles/Password/tasks/login.yml @@ -0,0 +1,17 @@ +--- + + - name: Set login config + become: yes + template: + src: nslcd.conf.j2 + dest: /etc/nslcd.conf + owner: nslcd + group: nslcd + mode: 0600 + + - name: Ensure login service + become: yes + service: + name: nslcd + state: restarted + enabled: yes diff --git a/roles/Password/tasks/main.yml b/roles/Password/tasks/main.yml new file mode 100644 index 0000000..bbc0117 --- /dev/null +++ b/roles/Password/tasks/main.yml @@ -0,0 +1,13 @@ +--- + - name: Sora packages + become: yes + package: + name: + - openldap + - Password-Scripts + + - include_tasks: daemon.yml + + - include_tasks: login.yml + + - include_tasks: web.yml diff --git a/roles/Password/tasks/web.yml b/roles/Password/tasks/web.yml new file mode 100644 index 0000000..e27714f --- /dev/null +++ b/roles/Password/tasks/web.yml @@ -0,0 +1,24 @@ +--- + + - name: Clone the web portal + become: yes + git: + repo: https://github.com/ltb-project/self-service-password + dest: /usr/share/webapps/self-service-password + + - name: Ensure web portal ownership + file: + state: directory + owner: http + group: http + path: /usr/share/webapps/self-service-password + recurse: true + + - name: Web portal config + become: yes + template: + src: config.inc.php.j2 + dest: /usr/share/webapps/self-service-password/conf/config.inc.php + owner: http + group: http + mode: 0600 diff --git a/roles/Sharingan/files/monit/checks/automated_response b/roles/Sharingan/files/monit/checks/automated_response new file mode 100644 index 0000000..33a415b --- /dev/null +++ b/roles/Sharingan/files/monit/checks/automated_response @@ -0,0 +1,3 @@ +check program check_archlinux_wkd with path "/usr/bin/systemctl is-failed archlinux-keyring-wkd-sync.service" + if status == 0 for 1 times within 5 cycles then exec "/usr/bin/systemctl reset-failed archlinux-keyring-wkd-sync.service" + if status == 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical CRITICAL: Archlinux Keyring WKD Sync has failed and automated remediation has not solved it." diff --git a/roles/Sharingan/files/monit/hostdefs/DarkNet b/roles/Sharingan/files/monit/hostdefs/DarkNet index 4229188..5f05c91 100644 --- a/roles/Sharingan/files/monit/hostdefs/DarkNet +++ b/roles/Sharingan/files/monit/hostdefs/DarkNet @@ -1 +1,2 @@ include "/etc/monit.d/checks/system" +include "/etc/monit.d/checks/automated_response" diff --git a/roles/Sharingan/files/monit/hostdefs/Maat b/roles/Sharingan/files/monit/hostdefs/Maat index 4229188..5f05c91 100644 --- a/roles/Sharingan/files/monit/hostdefs/Maat +++ b/roles/Sharingan/files/monit/hostdefs/Maat @@ -1 +1,2 @@ include "/etc/monit.d/checks/system" +include "/etc/monit.d/checks/automated_response" diff --git a/roles/Sharingan/files/monit/hostdefs/Nodelet0 b/roles/Sharingan/files/monit/hostdefs/Nodelet0 new file mode 100644 index 0000000..4229188 --- /dev/null +++ b/roles/Sharingan/files/monit/hostdefs/Nodelet0 @@ -0,0 +1 @@ +include "/etc/monit.d/checks/system" diff --git a/roles/Sharingan/files/monit/hostdefs/Nodelet1 b/roles/Sharingan/files/monit/hostdefs/Nodelet1 new file mode 100644 index 0000000..4229188 --- /dev/null +++ b/roles/Sharingan/files/monit/hostdefs/Nodelet1 @@ -0,0 +1 @@ +include "/etc/monit.d/checks/system" diff --git a/roles/Sharingan/files/monit/hostdefs/Nodelet2 b/roles/Sharingan/files/monit/hostdefs/Nodelet2 new file mode 100644 index 0000000..4229188 --- /dev/null +++ b/roles/Sharingan/files/monit/hostdefs/Nodelet2 @@ -0,0 +1 @@ +include "/etc/monit.d/checks/system" diff --git a/roles/Sharingan/files/monit/hostdefs/Nodelet3 b/roles/Sharingan/files/monit/hostdefs/Nodelet3 new file mode 100644 index 0000000..4229188 --- /dev/null +++ b/roles/Sharingan/files/monit/hostdefs/Nodelet3 @@ -0,0 +1 @@ +include "/etc/monit.d/checks/system" diff --git a/roles/Sharingan/files/monit/hostdefs/Nodelet4 b/roles/Sharingan/files/monit/hostdefs/Nodelet4 new file mode 100644 index 0000000..4229188 --- /dev/null +++ b/roles/Sharingan/files/monit/hostdefs/Nodelet4 @@ -0,0 +1 @@ +include "/etc/monit.d/checks/system" diff --git a/roles/Sharingan/files/monit/hostdefs/Sharingan b/roles/Sharingan/files/monit/hostdefs/Sharingan index c3b9b60..d376d44 100644 --- a/roles/Sharingan/files/monit/hostdefs/Sharingan +++ b/roles/Sharingan/files/monit/hostdefs/Sharingan @@ -1,3 +1,4 @@ include "/etc/monit.d/checks/system" include "/etc/monit.d/checks/vips" include "/etc/monit.d/checks/availability" +include "/etc/monit.d/checks/automated_response" diff --git a/roles/Sharingan/files/monit/hostdefs/Yggdrasil b/roles/Sharingan/files/monit/hostdefs/Yggdrasil index 4415ee4..14f12ab 100644 --- a/roles/Sharingan/files/monit/hostdefs/Yggdrasil +++ b/roles/Sharingan/files/monit/hostdefs/Yggdrasil @@ -2,3 +2,4 @@ include "/etc/monit.d/checks/system" include "/etc/monit.d/checks/watcher-of-watchers" include "/etc/monit.d/checks/warrant-canary" include "/etc/monit.d/checks/grimoire" +include "/etc/monit.d/checks/automated_response" diff --git a/roles/Sharingan/tasks/scans.yml b/roles/Sharingan/tasks/scans.yml index 2a5a079..260878d 100644 --- a/roles/Sharingan/tasks/scans.yml +++ b/roles/Sharingan/tasks/scans.yml @@ -33,33 +33,17 @@ - sharingan-scan.service - sharingan-scan.timer - - name: Scanning services - become: yes - register: clam_svc - copy: - src: "clamav/{{ item }}" - dest: /usr/lib/systemd/system/ - owner: root - group: root - mode: 0664 - loop: - - freshclam.service - - freshclam.timer - - clamscan.service - - clamscan.timer - - systemd: daemon_reload: yes become: yes - when: clam_svc.changed or lynis_svc.changed - + when: lynis_svc.changed - name: Enable timers become: yes - loop: - - freshclam.timer - - sharingan-scan.timer service: - name: "{{ item }}" + name: sharingan-scan.timer state: restarted enabled: yes + + - import_tasks: "./vscan.yml" + when: vscan_enabled is defined diff --git a/roles/Sharingan/tasks/siem.yml b/roles/Sharingan/tasks/siem.yml index 95cbb7a..f9c96be 100644 --- a/roles/Sharingan/tasks/siem.yml +++ b/roles/Sharingan/tasks/siem.yml @@ -5,7 +5,8 @@ package: name: - elasticsearch - - mongodb44-bin # Temporarily pinned for extensions + - mongodb-bin + - mongodb-tools-bin - graylog state: present diff --git a/roles/Sharingan/tasks/vscan.yml b/roles/Sharingan/tasks/vscan.yml new file mode 100644 index 0000000..4379e7d --- /dev/null +++ b/roles/Sharingan/tasks/vscan.yml @@ -0,0 +1,26 @@ +--- + + - name: Virus scanning services + become: yes + register: clam_svc + copy: + src: "clamav/{{ item }}" + dest: /usr/lib/systemd/system/ + owner: root + group: root + mode: 0664 + loop: + - freshclam.service + - freshclam.timer + - clamscan.service + - clamscan.timer + + - name: Enable timers + become: yes + loop: + - freshclam.timer + - clamscan.timer + service: + name: "{{ item }}" + state: restarted + enabled: yes diff --git a/roles/Sora/tasks/main.yml b/roles/Sora/tasks/main.yml deleted file mode 100644 index ecf73fa..0000000 --- a/roles/Sora/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - - name: Sora packages - become: yes - package: - name: - - openldap - diff --git a/roles/Vanik/tasks/main.yml b/roles/Vanik/tasks/main.yml deleted file mode 100644 index 0d6a860..0000000 --- a/roles/Vanik/tasks/main.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- - - - command: ./scripts/generate-dhcp.py - delegate_to: localhost - run_once: true - name: Generate DHCP leases. - - - command: ./scripts/generate-dns.py - delegate_to: localhost - run_once: true - name: Generate DNS entries -