diff --git a/inventories/production/host_vars/hc-mc-03.metacpan.org.yaml b/inventories/production/host_vars/hc-mc-03.metacpan.org.yaml
new file mode 100644
index 0000000..74dcc09
--- /dev/null
+++ b/inventories/production/host_vars/hc-mc-03.metacpan.org.yaml
@@ -0,0 +1,2 @@
+---
+ossec_profile: server
diff --git a/playbooks/deploy_ossec.yml b/playbooks/deploy_ossec.yml
new file mode 100644
index 0000000..b3b7be3
--- /dev/null
+++ b/playbooks/deploy_ossec.yml
@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - ossec
diff --git a/roles/ossec/README.md b/roles/ossec/README.md
new file mode 100644
index 0000000..294a933
--- /dev/null
+++ b/roles/ossec/README.md
@@ -0,0 +1,39 @@
+ossec
+=====
+
+Role to install OSSEC-HIDS agent and server
+
+Requirements
+------------
+
+No requirements outside ansible itself.
+
+Role Variables
+--------------
+
+* `ossec_profile`: Can be 'agent' or 'server', defaults to `agent`
+* `ossec_root_dir`: Defaults to `/var/ossec`
+
+Dependencies
+------------
+
+This role does not depend on other roles.
+
+Example Playbook
+----------------
+
+To apply the role:
+
+    - hosts: servers
+      roles:
+         - { role: ossec }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Brad Lhotsky
\
diff --git a/roles/ossec/defaults/main.yml b/roles/ossec/defaults/main.yml
new file mode 100644
index 0000000..4d23b79
--- /dev/null
+++ b/roles/ossec/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for ossec
+ossec_profile: "agent"
+ossec_root_dir: /var/ossec
diff --git a/roles/ossec/handlers/main.yml b/roles/ossec/handlers/main.yml
new file mode 100644
index 0000000..2f34ee8
--- /dev/null
+++ b/roles/ossec/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+# handlers file for ossec
+- name: "restart ossec"
+  become: true
+  service:
+    name: "ossec"
+    state: "restarted"
+
+- name: "reload systemd"
+  become: true
+  systemd:
+    daemon_reload: yes
diff --git a/roles/ossec/meta/main.yml b/roles/ossec/meta/main.yml
new file mode 100644
index 0000000..b893732
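Review bot: The `restart ossec` handler restarts a unit named `ossec`, while the units this role writes elsewhere in the commit are `ossec-<daemon>.service` grouped under `ossec-hids.target`, so a package-upgrade notification will not restart the daemons those templates define unless the package itself ships an `ossec` service — the diff does not show whether it does. If the intent is to restart the role's own units, point the handler at the target: `name: "ossec-hids.target"`. `daemon_reload: yes` should also be written as the canonical boolean `daemon_reload: true`.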
--- /dev/null
+++ b/roles/ossec/meta/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
+
diff --git a/roles/ossec/tasks/Debian/setup_repository.yaml b/roles/ossec/tasks/Debian/setup_repository.yaml
new file mode 100644
index 0000000..fdd359a
--- /dev/null
+++ b/roles/ossec/tasks/Debian/setup_repository.yaml
@@ -0,0 +1,13 @@
+---
+- name: "ossec | apt signing key"
+  become: true
+  apt_key:
+    url: https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
+    state: present
+
+- name: "ossec | apt repository"
+  become: true
+  apt_repository:
+    repo: "deb https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} main"
+    filename: ossec-hids
+    state: present
diff --git a/roles/ossec/tasks/RedHat/setup_repository.yaml b/roles/ossec/tasks/RedHat/setup_repository.yaml
new file mode 100644
index 0000000..bc504bd
--- /dev/null
+++ b/roles/ossec/tasks/RedHat/setup_repository.yaml
@@ -0,0 +1,16 @@
+---
+- name: "ossec | yum gpg key"
+  become: true
+  rpm_key:
+    key: https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
+    state: present
+
+- name: "ossec | yum repository"
+  become: true
+  yum_repository:
+    name: ossec-hids
+    description: "Official OSSEC-HIDS Yum Repository"
+    gpgkey: https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
+    gpgcheck: yes
+    mirrorlist: "https://updates.atomicorp.com/channels/mirrorlist/atomic/{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}"
+    state: present
diff --git a/roles/ossec/tasks/configure_systemd.yaml b/roles/ossec/tasks/configure_systemd.yaml
new file mode 100644
index 0000000..5487d5b
--- /dev/null
+++ b/roles/ossec/tasks/configure_systemd.yaml
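Review bot: `apt_key` with only `url:` drops the Atomicorp key into the global apt trusted keyring, where it is accepted as a signer for every configured repository rather than just this one, and `apt-key` itself is deprecated on current Debian/Ubuntu. Scope the key to this repository by writing it to a dedicated keyring and referencing it with `signed-by=`, e.g. `keyring: /usr/share/keyrings/atomicorp.gpg` on the `apt_key` task and `repo: "deb [signed-by=/usr/share/keyrings/atomicorp.gpg] https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} main"`. Nothing pins the key's fingerprint, so a substituted key served over that URL would be imported silently; adding `id:` with the expected key ID makes the task fail if the key that arrived is not the one expected.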
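Review bot: `rpm_key` imports whatever key the URL serves with no fingerprint check, so the trust anchor for every package from this repository reduces to the TLS connection to www.atomicorp.com at install time. Newer `rpm_key` versions accept `fingerprint:` and reject an unexpected key; if the Ansible version in use has it, pin the published Atomicorp fingerprint there (it is not in this diff, so I have not quoted a value). `gpgcheck: yes` should be `gpgcheck: true`, and `repo_gpgcheck: true` would also verify the repository metadata rather than only the packages, provided Atomicorp signs its repodata.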
@@ -0,0 +1,21 @@
+---
+- name: "ossec | install systemd service units"
+  become: true
+  template:
+    src: "systemd/service.j2"
+    dest: "/etc/systemd/system/{{ ossec_service.binary }}.service"
+    owner: root
+    mode: 0644
+  loop: "{{ ossec_services }}"
+  loop_control:
+    loop_var: "ossec_service"
+  notify: reload systemd
+
+- name: "ossec | install systemd ossec-hids target"
+  become: true
+  template:
+    src: "systemd/target.j2"
+    dest: "/etc/systemd/system/ossec-hids.target"
+    owner: root
+    mode: 0644
+  notify: reload systemd
diff --git a/roles/ossec/tasks/install_packages.yaml b/roles/ossec/tasks/install_packages.yaml
new file mode 100644
index 0000000..2a3b8ae
--- /dev/null
+++ b/roles/ossec/tasks/install_packages.yaml
@@ -0,0 +1,11 @@
+---
+- name: "ossec | setup repositories"
+  include_tasks: "{{ ansible_os_family }}/setup_repository.yaml"
+
+- name: "ossec | install packages"
+  become: true
+  package:
+    name: "ossec-hids-{{ ossec_profile }}"
+    state: latest
+  notify: "restart ossec"
+
diff --git a/roles/ossec/tasks/main.yml b/roles/ossec/tasks/main.yml
new file mode 100644
index 0000000..4173930
--- /dev/null
+++ b/roles/ossec/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: "ossec | load profile variables"
+  include_vars: "{{ ossec_profile }}.yaml"
+
+- name: "ossec | install relevant packages"
+  include_tasks: "install_packages.yaml"
+
+- name: "ossec | configure"
+  include_tasks: "configure_systemd.yaml"
+
+# TODO: rekey checks
+# TODO: build out ossec.conf
+# TODO: server key initialization
+# TODO: rules management for the server
+
+- name: "ossec | flush handlers"
+  meta: flush_handlers
+
+- name: "ossec | ensure the service is running"
+  become: true
+  service:
+    name: ossec
+    state: started
+    enabled: true
diff --git a/roles/ossec/templates/systemd/service.j2 b/roles/ossec/templates/systemd/service.j2
new file mode 100644
index 0000000..e699601
--- /dev/null
+++ b/roles/ossec/templates/systemd/service.j2
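Review bot: `mode: 0644` in both template tasks is an unquoted octal literal; Ansible's YAML 1.1 loader happens to read it as the intended 0o644, but the robust form is the string `mode: "0644"`, which is also what ansible-lint expects and what survives if the value is ever templated or moved into a variable. Both tasks set `owner: root` without `group: root`; adding `group: root` makes the unit-file ownership explicit instead of relying on the become user's defaults. Since the rendered unit names come from `ossec_service.binary`, a stray entry in `ossec_services` becomes an arbitrary file under `/etc/systemd/system/` — fine while the lists live in the role's own vars, worth remembering if they ever become overridable.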
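Review bot: `state: latest` on the package task means every run of the role upgrades the IDS to whatever the third-party Atomicorp repository currently serves and then notifies `restart ossec`, so a routine playbook run becomes an unreviewed version change of the host's detection agent. Prefer `state: present` and drive upgrades deliberately (or pin a version through a role variable), so that the installed OSSEC version is a reviewed decision rather than a side effect of the last repository sync. `include_tasks: "{{ ansible_os_family }}/setup_repository.yaml"` only has Debian and RedHat files behind it; an `assert` that `ansible_os_family in ['Debian', 'RedHat']` would turn the missing-file error on any other family into a clear message.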
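Review bot: The final task starts and enables a service named `ossec`, but the units this role just rendered are `ossec-<daemon>.service` and `ossec-hids.target`; unless the package ships its own `ossec` service (not visible in the diff), the task either fails on an unknown unit or starts something other than what the role configured, and `ossec-hids.target` is never enabled. Pointing it at the target, `name: ossec-hids.target`, ties the "ensure running" step to the units listed in `ossec_services`. `include_vars: "{{ ossec_profile }}.yaml"` accepts any value, so a typo in `ossec_profile` surfaces as a missing vars file; an `assert: { that: "ossec_profile in ['agent', 'server']" }` at the top of the file gives a clearer failure. As the TODOs admit, the daemons are also started before any ossec.conf or client keys exist on the host, so the first run of this role will bring up an unconfigured sensor.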
@@ -0,0 +1,13 @@
+[Unit]
+Description=OSSEC {{ ossec_service.name }}
+PartOf=ossec-hids.target
+
+[Service]
+{% if 'type' in ossec_service -%}
+Type={{ ossec_service.type }}
+{% endif -%}
+EnvironmentFile=/etc/ossec-init.conf
+Environment=DIRECTORY={{ ossec_root_dir }}
+
+ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/{{ ossec_service.binary }} -t
+ExecStart=/usr/bin/env ${DIRECTORY}/bin/{{ ossec_service.binary }} -f
diff --git a/roles/ossec/templates/systemd/target.j2 b/roles/ossec/templates/systemd/target.j2
new file mode 100644
index 0000000..9f9f8a7
--- /dev/null
+++ b/roles/ossec/templates/systemd/target.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=OSSEC HIDS {{ ossec_profile }}
+After=network.target
+{% for service in ossec_services -%}
+Requires={{ service.binary }}.service
+{% endfor -%}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/ossec/vars/agent.yaml b/roles/ossec/vars/agent.yaml
new file mode 100644
index 0000000..f536637
--- /dev/null
+++ b/roles/ossec/vars/agent.yaml
@@ -0,0 +1,10 @@
+---
+ossec_services:
+  - name: Agent
+    binary: ossec-agentd
+  - name: Execd
+    binary: ossec-execd
+  - name: Log Collector
+    binary: ossec-logcollector
+  - name: Syscheck
+    binary: ossec-syscheckd
diff --git a/roles/ossec/vars/main.yml b/roles/ossec/vars/main.yml
new file mode 100644
index 0000000..aa9d188
--- /dev/null
+++ b/roles/ossec/vars/main.yml
@@ -0,0 +1,4 @@
+---
+# vars file for ossec
+ossec_client_keys: "{{ ossec_root_dir }}/etc/client.keys"
+ossec_config: "{{ ossec_root_dir }}/etc/ossec.conf"
diff --git a/roles/ossec/vars/server.yaml b/roles/ossec/vars/server.yaml
new file mode 100644
index 0000000..4e60752
--- /dev/null
+++ b/roles/ossec/vars/server.yaml
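Review bot: `Environment=DIRECTORY={{ ossec_root_dir }}` is silently overridden whenever `/etc/ossec-init.conf` sets `DIRECTORY`, because systemd applies `EnvironmentFile=` values on top of `Environment=` regardless of the order of the lines; given that the unit hard-requires that file to exist, `ossec_root_dir` most likely has no effect on what `ExecStart` runs. Pick one source of truth — either drop `EnvironmentFile=` and write `ExecStart={{ ossec_root_dir }}/bin/{{ ossec_service.binary }} -f` directly, or drop the `Environment=` line so the role does not pretend the variable controls the path. Nothing restarts a crashed daemon, which for a HIDS means the host quietly stops reporting; `Restart=on-failure` and `RestartSec=5` under `[Service]` would close that gap. `Type=forking` (used for remoted) without a `PIDFile=` also leaves systemd guessing the main process.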
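Review bot: `Requires=` only pulls the services into the transaction and gives no start ordering, so this target launches every OSSEC daemon in parallel, whereas `ossec-control` starts them sequentially with analysisd ahead of the daemons that write to its queue socket. I have not verified how logcollector, syscheckd or remoted behave if that socket is not there yet; if they give up, the symptom is an intermittently silent sensor after boot. Generating `After=`/`Before=` lines from `ossec_services` (or at least `After=ossec-analysisd.service` in the per-service template for the other server daemons) would make the order deterministic. `After=network.target` on the target itself does not order the required services relative to the network either.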
@@ -0,0 +1,25 @@
+---
+ossec_services:
+  #- name: Agentless
+  #binary: ossec-agentless
+  - name: Analysis
+    binary: ossec-analysisd
+  - name: Client Authentication
+    binary: ossec-authd
+  - name: Syslog Client
+    binary: ossec-csyslogd
+  #- name: Database
+  #binary: ossec-dbd
+  - name: Execd
+    binary: ossec-execd
+  - name: Log Collector
+    binary: ossec-logcollector
+  - name: Mailer
+    binary: ossec-maild
+  - name: Monitor
+    binary: ossec-monitord
+  - name: Remote Control
+    binary: ossec-remoted
+    type: forking
+  - name: Syscheck
+    binary: ossec-syscheckd
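Review bot: Listing `ossec-authd` unconditionally in the server profile brings up the agent-enrollment listener with whatever its default policy is; depending on the OSSEC version, authd started with only `-f` registers any host that can reach its port without a shared secret, which would let an attacker enrol a rogue agent and obtain a key to inject events — please verify the packaged version's default and, if needed, run it with `-P` / an `authd.pass`. Since the role manages neither ossec.conf nor firewalling yet (see the TODOs in tasks/main.yml), consider gating this entry behind a variable such as `ossec_enable_authd | default(false)` so enrolment is opened deliberately rather than on every server by default. `ossec-csyslogd` and `ossec-maild` are likewise started with no configuration and may simply exit or log errors at every boot; I would expect those to be opt-in too.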