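---
# Host- and network-IDS/IPS provisioning: sshguard (SSH brute-force IPS),
# suricata (network IDS), oinkmaster (Suricata/Snort rule updater) and
# rkhunter (rootkit hunter). Tasks register their results so that the
# baseline/DB updates and restarts at the end run only when an input changed.
#
# Fixes relative to the previous revision:
#   * file modes are quoted ("0600") — an unquoted 0600 is parsed as the
#     integer 384 by YAML 1.1 parsers, which is not the mode intended;
#   * the sshguard allowlist line no longer carries literal double quotes
#     (inside a `|` block scalar the quotes were written into the file);
#   * the two rkhunter tasks had the same name; the config task is renamed;
#   * services are kept enabled+started idempotently and restarted only when
#     one of their inputs changed, instead of being restarted on every run
#     (a restart of suricata on every play left a detection gap).

- name: IDS packages
  become: true
  register: package_install
  package:
    name:
      - sshguard
      - suricata
      - oinkmaster
      - rkhunter
    state: present

# ---------------------------------------------------------------- Network IPS
- name: sshguard config
  become: true
  register: sshguard_conf
  copy:
    src: sshguard.conf
    dest: /etc/sshguard.conf
    owner: root
    group: root
    mode: "0600"

# One CIDR entry for the local network so the router/LAN is never blocked.
# The entry is written as a bare `addr/mask` line: anything else on the line
# (including quotes) would be written into the allowlist verbatim.
# NOTE(review): `netmask` is expected to be a prefix length or mask in the
# form sshguard's allowlist accepts — confirm against the inventory value.
- name: sshguard allowlist
  become: true
  register: sshguard_allowlist
  copy:
    dest: /etc/sshguard.allowlist
    content: |
      {{ router }}/{{ netmask }}
    owner: root
    group: root
    mode: "0600"

# ------------------------------------------------------------------- Host IDS
- name: Copy rkhunter config
  register: rkhunter_conf
  become: true
  copy:
    src: rkhunter/rkhunter.conf
    dest: /etc/rkhunter.conf
    owner: root
    group: root
    mode: "0644"

- name: Copy rkhunter service and timer units
  register: rkhunter_service
  become: true
  loop:
    - rkhunter.service
    - rkhunter.timer
  copy:
    src: "rkhunter/{{ item }}"
    dest: "/usr/lib/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"

# ---------------------------------------------------------------- Network IDS
# NOTE(review): oinkmaster.conf is installed under /usr/lib/systemd/system/,
# i.e. next to the unit files rather than in /etc. The shipped
# oinkmaster.service is not visible here; verify that it points at this path
# before relocating the file.
- name: Copy oinkmaster conf
  register: oinkmaster_conf
  become: true
  copy:
    src: oinkmaster/oinkmaster.conf
    dest: /usr/lib/systemd/system/oinkmaster.conf
    owner: root
    group: root
    mode: "0644"

- name: Copy oinkmaster service and timer units
  register: oinkmaster_service
  become: true
  loop:
    - oinkmaster.service
    - oinkmaster.timer
  copy:
    src: "oinkmaster/{{ item }}"
    dest: "/usr/lib/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"

# Unit files were (re)written above; systemd only sees them after a reload.
- name: Reload systemd units
  become: true
  when: oinkmaster_service.changed or rkhunter_service.changed
  systemd:
    daemon_reload: true

# Runs the rule fetch once so suricata has a rule set before it is started.
- name: Update oinkmaster DB
  become: true
  when: package_install.changed or oinkmaster_conf.changed
  service:
    name: oinkmaster.service
    state: started

# `rkhunter -C` validates the config, `--propupd` records the current file
# properties as the trusted baseline. Note that --propupd trusts whatever is
# on disk at that moment: run it on a freshly built host, never to "fix"
# warnings on a host that may already be compromised.
- name: Update rkhunter DB
  become: true
  when: package_install.changed or rkhunter_conf.changed
  command: "/bin/bash -c 'export PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; rkhunter -C && rkhunter --propupd'"

# Idempotent state: every IDS unit is enabled at boot and running now.
- name: IDS services enabled and running
  become: true
  loop:
    - suricata.service
    - sshguard.service
    - oinkmaster.timer
    - rkhunter.timer
  service:
    name: "{{ item }}"
    state: started
    enabled: true

# Restart only the units whose package, config or unit file changed in this
# run; `changed` is templated per item and normalised with `bool`.
- name: Restart IDS services whose inputs changed
  become: true
  loop:
    - unit: suricata.service
      changed: "{{ package_install.changed }}"
    - unit: sshguard.service
      changed: "{{ package_install.changed or sshguard_conf.changed or sshguard_allowlist.changed }}"
    - unit: oinkmaster.timer
      changed: "{{ package_install.changed or oinkmaster_conf.changed or oinkmaster_service.changed }}"
    - unit: rkhunter.timer
      changed: "{{ package_install.changed or rkhunter_conf.changed or rkhunter_service.changed }}"
  loop_control:
    label: "{{ item.unit }}"
  when: item.changed | bool
  service:
    name: "{{ item.unit }}"
    state: restarted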