Install and config OSSEC-HIDS on MetaCPAN Servers

inventories/production/host_vars/hc-mc-03.metacpan.org.yaml

@@ -0,0 +1,2 @@
+---
+ossec_profile: server

playbooks/deploy_ossec.yml

@@ -0,0 +1,4 @@
+---
+- hosts: all
+  roles:
+    - ossec

roles/ossec/README.md

@@ -0,0 +1,39 @@
+ossec 
+=====
+
+Role to install OSSEC-HIDS agent and server
+
+Requirements
+------------
+
+No requirements outside ansible itself.
+
+Role Variables
+--------------
+
+* `ossec_profile`: Can be 'agent' or 'server', defaults to `agent`
+* `ossec_root_dir`: Defaults to `/var/ossec`
+
+Dependencies
+------------
+
+This role does not depend on other roles.
+
+Example Playbook
+----------------
+
+To apply the role:
+
+    - hosts: servers
+      roles:
+         - { role: ossec }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Brad Lhotsky \<[email protected]>

roles/ossec/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# defaults file for ossec
+ossec_profile: "agent"
+ossec_root_dir: /var/ossec

roles/ossec/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+# handlers file for ossec
+- name: "restart ossec"
+  become: true
+  service:
+    name: "ossec"
+    state: "restarted"
+
+- name: "reload systemd"
+  become: true
+  systemd:
+    daemon_reload: yes

roles/ossec/meta/main.yml

@@ -0,0 +1,5 @@
+---
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
+

roles/ossec/tasks/Debian/setup_repository.yaml

@@ -0,0 +1,13 @@
+---
+- name: "ossec | apt signing key"
+  become: true
+  apt_key:
+    url: https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
+    state: present
+
+- name: "ossec | apt repository"
+  become: true
+  apt_repository:
+    repo: "deb https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution|lower }} {{ ansible_distribution_release  }} main"
+    filename: ossec-hids
+    state: present

roles/ossec/tasks/RedHat/setup_repository.yaml

@@ -0,0 +1,16 @@
+---
+- name: "ossec | yum gpg key"
+  become: true
+  rpm_key:
+    key: https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
+    state: present
+
+- name: "ossec | yum repository"
+  become: true
+  yum_repository:
+    name: ossec-hids
+    description: "Official OSSEC-HIDS Yum Repository"
+    gpgkey: https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
+    gpgcheck: yes
+    mirrorlist: "https://updates.atomicorp.com/channels/mirrorlist/atomic/{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}"
+    state: present

roles/ossec/tasks/configure_systemd.yaml

@@ -0,0 +1,21 @@
+---
+- name: "ossec | install systemd service units"
+  become: true
+  template:
+    src: "systemd/service.j2"
+    dest: "/etc/systemd/system/{{ ossec_service.binary }}.service"
+    owner: root
+    mode: 0644
+  loop: "{{ ossec_services }}"
+  loop_control:
+    loop_var: "ossec_service"
+  notify: reload systemd
+
+- name: "ossec | install systemd ossec-hids target"
+  become: true
+  template:
+    src: "systemd/target.j2"
+    dest: "/etc/systemd/system/ossec-hids.target"
+    owner: root
+    mode: 0644
+  notify: reload systemd

roles/ossec/tasks/install_packages.yaml

@@ -0,0 +1,11 @@
+---
+- name: "ossec | setup repositories"
+  include_tasks: "{{ ansible_os_family }}/setup_repository.yaml"
+
+- name: "ossec | install packages"
+  become: true
+  package:
+    name: "ossec-hids-{{ ossec_profile }}"
+    state: latest
+  notify: "restart ossec"
+

roles/ossec/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: "ossec | load profile variables"
+  include_vars: "{{ ossec_profile }}.yaml"
+
+- name: "ossec | install relevant packages"
+  include_tasks: "install_packages.yaml"
+
+- name: "ossec | configure"
+  include_tasks: "configure_systemd.yaml"
+
+# TODO: rekey checks
+# TODO: build out ossec.conf
+# TODO: server key initialization
+# TODO: rules management for the server
+
+- name: "ossec | flush handlers"
+  meta: flush_handlers
+
+- name: "ossec | ensure the service is running"
+  become: true
+  service:
+    name: ossec
+    state: started
+    enabled: true

roles/ossec/templates/systemd/service.j2

@@ -0,0 +1,13 @@
+[Unit]
+Description=OSSEC {{ ossec_service.name }}
+PartOf=ossec-hids.target
+
+[Service]
+{% if 'type' in ossec_service -%}
+Type={{ ossec_service.type }}
+{% endif -%}
+EnvironmentFile=/etc/ossec-init.conf
+Environment=DIRECTORY={{ ossec_root_dir }}
+
+ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/{{ ossec_service.binary }} -t
+ExecStart=/usr/bin/env ${DIRECTORY}/bin/{{ ossec_service.binary }} -f

roles/ossec/templates/systemd/target.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=OSSEC HIDS {{ ossec_profile }}
+After=network.target
+{% for service in ossec_services -%}
+Requires={{ service.binary }}.service
+{% endfor -%}
+
+[Install]
+WantedBy=multi-user.target

roles/ossec/vars/agent.yaml

@@ -0,0 +1,10 @@
+---
+ossec_services:
+  - name: Agent
+    binary: ossec-agentd
+  - name: Execd
+    binary: ossec-execd
+  - name: Log Collector
+    binary: ossec-logcollector
+  - name: Syscheck
+    binary: ossec-syscheckd

roles/ossec/vars/main.yml

@@ -0,0 +1,4 @@
+---
+# vars file for ossec
+ossec_client_keys: "{{ ossec_root_dir }}/etc/client.keys"
+ossec_config: "{{ ossec_root_dir }}/etc/ossec.conf"

roles/ossec/vars/server.yaml

@@ -0,0 +1,25 @@
+---
+ossec_services:
+  #- name: Agentless
+    #binary: ossec-agentless
+  - name: Analysis
+    binary: ossec-analysisd
+  - name: Client Authentication
+    binary: ossec-authd
+  - name: Syslog Client
+    binary: ossec-csyslogd
+  #- name: Database
+    #binary: ossec-dbd
+  - name: Execd
+    binary: ossec-execd
+  - name: Log Collector
+    binary: ossec-logcollector
+  - name: Mailer
+    binary: ossec-maild
+  - name: Monitor
+    binary: ossec-monitord
+  - name: Remote Control
+    binary: ossec-remoted
+    type: forking
+  - name: Syscheck
+    binary: ossec-syscheckd