author Joe Banks <[email protected]> 2022-03-15 20:03:31 +0000
committer Joe Banks <[email protected]> 2022-03-15 20:03:31 +0000
commit591eb55861b5d1f031c17442268deb110c755110 (patch)
tree0db5e4bdf5722e8058c66008c07377d8c1a83fe0
parentAdd Filebeat (diff)
Add Packetbeat
-rw-r--r--roles/packetbeat/README.md3
-rw-r--r--roles/packetbeat/handlers/main.yml7
-rw-r--r--roles/packetbeat/tasks/main.yml64
-rw-r--r--roles/packetbeat/templates/packetbeat.yml.j2212
-rw-r--r--roles/packetbeat/vars/main/vars.yml6
-rw-r--r--roles/packetbeat/vars/main/vault.yml8
6 files changed, 300 insertions, 0 deletions
diff --git a/roles/packetbeat/README.md b/roles/packetbeat/README.md
new file mode 100644
index 0000000..14d54ae
--- /dev/null
+++ b/roles/packetbeat/README.md
@@ -0,0 +1,3 @@
+# Role "packetbeat"
+
+The packetbeat role installs and configures the packetbeat reporting agent.
diff --git a/roles/packetbeat/handlers/main.yml b/roles/packetbeat/handlers/main.yml
new file mode 100644
index 0000000..596958d
--- /dev/null
+++ b/roles/packetbeat/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart packetbeat
+ service:
+ name: packetbeat
+ state: restarted
+ tags:
+ - role::packetbeat
diff --git a/roles/packetbeat/tasks/main.yml b/roles/packetbeat/tasks/main.yml
new file mode 100644
index 0000000..8811373
--- /dev/null
+++ b/roles/packetbeat/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+- name: Install libpcap0.8
+ package:
+ name: libpcap0.8
+ state: present
+ tags:
+ - role::packetbeat
+
+- name: Install GPG
+ package:
+ name: gpg
+ state: present
+ tags:
+ - role::packetbeat
+
+- name: Install Elasticsearch signing key
+ shell: >-
+ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch |
+ gpg --yes --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
+ args:
+ creates: /usr/share/keyrings/elasticsearch-keyring.gpg
+ tags:
+ - role::packetbeat
+
+- name: Add Elasticsearch repository to apt
+ copy:
+ content: >-
+ deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg]
+ https://artifacts.elastic.co/packages/8.x/apt stable main
+ dest: /etc/apt/sources.list.d/elastic-8.x.list
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - role::packetbeat
+ register: add_packetbeat_repo
+
+- name: Install Packetbeat
+ apt:
+ pkg: packetbeat
+ state: present
+ update_cache: "{{ add_packetbeat_repo.changed }}"
+ tags:
+ - role::packetbeat
+
+- name: Configure Packetbeat
+ template:
+ src: packetbeat.yml.j2
+ dest: /etc/packetbeat/packetbeat.yml
+ mode: 0644
+ owner: root
+ group: root
+ tags:
+ - role::packetbeat
+ notify:
+ - restart packetbeat
+
+- name: Start and enable Packetbeat
+ service:
+ name: packetbeat
+ state: started
+ enabled: true
+ tags:
+ - role::packetbeat
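Review bot: The "Install Elasticsearch signing key" task's `wget … | gpg --yes --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg` pipeline returns only gpg's exit status, so a failed or truncated download can still leave a keyring file behind, after which the `creates:` guard stops the task from ever retrying; run it as `shell: >- set -o pipefail && wget -qO - … | gpg --yes --dearmor -o …` with `args: { executable: /bin/bash, creates: … }`, or fetch the key with `get_url` in its own task and dearmor it in a second one. The key is also trusted purely on the strength of the TLS download; recording the expected key fingerprint in the role's vars and checking it before dearmoring would pin the repository's signing identity rather than whatever the URL serves on the day the role runs. As a style point, `mode: 0644` on the copy and template tasks is an unquoted octal that generic YAML 1.1 parsers read as integer 420 — Ansible accepts the leading-zero form, but `mode: "0644"` is the form yamllint and ansible-lint prefer and survives reformatting tools unchanged.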
diff --git a/roles/packetbeat/templates/packetbeat.yml.j2 b/roles/packetbeat/templates/packetbeat.yml.j2
new file mode 100644
index 0000000..441d8bd
--- /dev/null
+++ b/roles/packetbeat/templates/packetbeat.yml.j2
@@ -0,0 +1,212 @@
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/packetbeat/index.html
+
+# =============================== Network device ===============================
+
+# Select the network interface to sniff the data. On Linux, you can use the
+# "any" keyword to sniff on all connected interfaces.
+packetbeat.interfaces.device: any
+
+# The network CIDR blocks that are considered "internal" networks for
+# the purpose of network perimeter boundary classification. The valid
+# values for internal_networks are the same as those that can be used
+# with processor network conditions.
+#
+# For a list of available values see:
+# https://www.elastic.co/guide/en/beats/packetbeat/current/defining-processors.html#condition-network
+packetbeat.interfaces.internal_networks:
+ - private
+
+# =================================== Flows ====================================
+
+# Set `enabled: false` or comment out all options to disable flows reporting.
+packetbeat.flows:
+ # Set network flow timeout. Flow is killed if no packet is received before being
+ # timed out.
+ timeout: 30s
+
+ # Configure reporting period. If set to -1, only killed flows will be reported
+ period: 10s
+
+# =========================== Transaction protocols ============================
+
+packetbeat.protocols:
+- type: icmp
+ # Enable ICMPv4 and ICMPv6 monitoring. The default is true.
+ enabled: true
+
+- type: amqp
+ # Configure the ports where to listen for AMQP traffic. You can disable
+ # the AMQP protocol by commenting out the list of ports.
+ ports: [5672]
+
+- type: cassandra
+ # Configure the ports where to listen for Cassandra traffic. You can disable
+ # the Cassandra protocol by commenting out the list of ports.
+ ports: [9042]
+
+- type: dhcpv4
+ # Configure the DHCP for IPv4 ports.
+ ports: [67, 68]
+
+- type: dns
+ # Configure the ports where to listen for DNS traffic. You can disable
+ # the DNS protocol by commenting out the list of ports.
+ ports: [53]
+
+- type: http
+ # Configure the ports where to listen for HTTP traffic. You can disable
+ # the HTTP protocol by commenting out the list of ports.
+ ports: [80, 8080, 8000, 5000, 8002]
+
+- type: memcache
+ # Configure the ports where to listen for memcache traffic. You can disable
+ # the Memcache protocol by commenting out the list of ports.
+ ports: [11211]
+
+- type: mysql
+ # Configure the ports where to listen for MySQL traffic. You can disable
+ # the MySQL protocol by commenting out the list of ports.
+ ports: [3306,3307]
+
+- type: pgsql
+ # Configure the ports where to listen for Pgsql traffic. You can disable
+ # the Pgsql protocol by commenting out the list of ports.
+ ports: [5432]
+
+- type: redis
+ # Configure the ports where to listen for Redis traffic. You can disable
+ # the Redis protocol by commenting out the list of ports.
+ ports: [6379]
+
+- type: thrift
+ # Configure the ports where to listen for Thrift-RPC traffic. You can disable
+ # the Thrift-RPC protocol by commenting out the list of ports.
+ ports: [9090]
+
+- type: mongodb
+ # Configure the ports where to listen for MongoDB traffic. You can disable
+ # the MongoDB protocol by commenting out the list of ports.
+ ports: [27017]
+
+- type: nfs
+ # Configure the ports where to listen for NFS traffic. You can disable
+ # the NFS protocol by commenting out the list of ports.
+ ports: [2049]
+
+- type: tls
+ # Configure the ports where to listen for TLS traffic. You can disable
+ # the TLS protocol by commenting out the list of ports.
+ ports:
+ - 443 # HTTPS
+ - 993 # IMAPS
+ - 995 # POP3S
+ - 5223 # XMPP over SSL
+ - 8443
+ - 8883 # Secure MQTT
+ - 9243 # Elasticsearch
+
+- type: sip
+ # Configure the ports where to listen for SIP traffic. You can disable
+ # the SIP protocol by commenting out the list of ports.
+ ports: [5060]
+
+# ======================= Elasticsearch template setting =======================
+
+setup.template.settings:
+ index.number_of_shards: 1
+ #index.codec: best_compression
+ #_source.enabled: false
+
+# ================================== General ===================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# A list of tags to include in every event. In the default configuration file
+# the forwarded tag causes Packetbeat to not add any host fields. If you are
+# monitoring a network tap or mirror port then add the forwarded tag.
+#tags: [forwarded]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+# env: staging
+
+# ================================= Dashboards =================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here or by using the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+ # Kibana Host
+ # Scheme and port can be left out and will be set to the default (http and 5601)
+ # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+ # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+ #host: "localhost:5601"
+
+ # Kibana Space ID
+ # ID of the Kibana Space into which the dashboards should be loaded. By default,
+ # the Default Space will be used.
+ #space.id:
+
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Packetbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+
+output.elasticsearch:
+ # Array of hosts to connect to.
+ hosts: ["{{ packetbeat_elasticsearch_host }}"]
+
+ protocol: "https"
+ username: "{{ packetbeat_elastic_username }}"
+ password: "{{ packetbeat_elastic_password}}"
+
+ ssl:
+ enabled: true
+ ca_trusted_fingerprint: "{{ packetbeat_elastic_fingerprint }}"
+
+processors:
+ - # Add forwarded to tags when processing data from a network tap or mirror.
+ if.contains.tags: forwarded
+ then:
+ - drop_fields:
+ fields: [host]
+ else:
+ - add_host_metadata: ~
+ - add_cloud_metadata: ~
+ - add_docker_metadata: ~
+ - detect_mime_type:
+ field: http.request.body.content
+ target: http.request.mime_type
+ - detect_mime_type:
+ field: http.response.body.content
+ target: http.response.mime_type
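Review bot: `password: "{{ packetbeat_elastic_password}}"` under `output.elasticsearch` is missing the space before `}}` that every other expression in the template has; Jinja tolerates it, but it should read `password: "{{ packetbeat_elastic_password }}"` for consistency. Sequence indentation appears mixed — `packetbeat.protocols:` lists its entries flush (`- type: icmp`) while `internal_networks` and `processors` indent theirs — though the rendering here may have flattened indentation, so worth confirming against the file; yamllint's `indentation.indent-sequences` rule expects one style per file, and `ports: [3306,3307]` wants a space after the comma like the other flow lists. On the data-handling side, the mysql, pgsql and redis parsers presumably forward captured query and command text to the index; if any application on these hosts passes credentials inside queries, that text would land in Elasticsearch, so a sentence in the role README noting what the sniffer ships (and that the `http` parser does not include bodies or headers unless explicitly enabled) would help future reviewers judge the exposure.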
diff --git a/roles/packetbeat/vars/main/vars.yml b/roles/packetbeat/vars/main/vars.yml
new file mode 100644
index 0000000..cad0514
--- /dev/null
+++ b/roles/packetbeat/vars/main/vars.yml
@@ -0,0 +1,6 @@
+packetbeat_elasticsearch_host: "10.5.0.0:9200"
+
+packetbeat_elastic_username: "pydis"
+packetbeat_elastic_password: "{{ encrypted_packetbeat_elastic_password }}"
+packetbeat_elastic_fingerprint: >-
+ e75cfe8591cb5d30ce31f9a094053f4e0090ebd057a120ac9dcbbf5754fb5a73
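Review bot: `packetbeat_elastic_fingerprint: >-` followed by a single line is a folded block scalar used for a one-line value; a plain quoted string, `packetbeat_elastic_fingerprint: "<fingerprint>"`, says the same thing with less syntax and avoids a reader wondering whether continuation lines are expected. Note that variables under a role's `vars/` directory override inventory, group_vars and host_vars, so `packetbeat_elasticsearch_host` and the fingerprint are effectively hard-wired for every host this role is applied to; if more than one environment is anticipated, `defaults/main.yml` would let the inventory override them, and the template's `hosts: ["{{ packetbeat_elasticsearch_host }}"]` wrapping means only a single endpoint can be configured regardless.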
diff --git a/roles/packetbeat/vars/main/vault.yml b/roles/packetbeat/vars/main/vault.yml
new file mode 100644
index 0000000..ca476d4
--- /dev/null
+++ b/roles/packetbeat/vars/main/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+61666235353637366266353437636237373538656435393466653566653432616631336662363638
+3033373166663265663334373739633238326336323539310a333262366432643161633935316135
+35353331666138613231313764366132393935303866383739663861333839373231636261646436
+3164313239633863300a343335383637366164643939376639663433336633616237623663366566
+39646433623065353537306562303363333162333061613130653361313835373930346461663961
+34646664333166653063626335616536396562393534386134643930373965303834633039333635
+616233636263623239323431643230656435