Diffstat (limited to 'roles/auditbeat')
-rw-r--r--roles/auditbeat/README.md3
-rw-r--r--roles/auditbeat/handlers/main.yml7
-rw-r--r--roles/auditbeat/meta/main.yml5
-rw-r--r--roles/auditbeat/tasks/main.yml27
-rw-r--r--roles/auditbeat/templates/auditbeat.yml.j299
-rw-r--r--roles/auditbeat/vars/main/vars.yml7
-rw-r--r--roles/auditbeat/vars/main/vault.yml8
7 files changed, 0 insertions, 156 deletions
diff --git a/roles/auditbeat/README.md b/roles/auditbeat/README.md
deleted file mode 100644
index da18eda..0000000
--- a/roles/auditbeat/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Role "auditbeat"
-
-The auditbeat role installs and configures the auditbeat reporting agent.
diff --git a/roles/auditbeat/handlers/main.yml b/roles/auditbeat/handlers/main.yml
deleted file mode 100644
index cda733c..0000000
--- a/roles/auditbeat/handlers/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: restart auditbeat
- service:
- name: auditbeat
- state: restarted
- tags:
- - role::auditbeat
diff --git a/roles/auditbeat/meta/main.yml b/roles/auditbeat/meta/main.yml
deleted file mode 100644
index 522f87c..0000000
--- a/roles/auditbeat/meta/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-dependencies:
- - role: elasticsearch-repos
- tags:
- - role::auditbeat
diff --git a/roles/auditbeat/tasks/main.yml b/roles/auditbeat/tasks/main.yml
deleted file mode 100644
index b928c4a..0000000
--- a/roles/auditbeat/tasks/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-- name: Install Auditbeat
- apt:
- pkg: auditbeat
- state: present
- tags:
- - role::auditbeat
-
-- name: Configure Auditbeat
- template:
- src: auditbeat.yml.j2
- dest: /etc/auditbeat/auditbeat.yml
- mode: 0644
- owner: root
- group: root
- tags:
- - role::auditbeat
- notify:
- - restart auditbeat
-
-- name: Start and enable Auditbeat
- service:
- name: auditbeat
- state: started
- enabled: true
- tags:
- - role::auditbeat
diff --git a/roles/auditbeat/templates/auditbeat.yml.j2 b/roles/auditbeat/templates/auditbeat.yml.j2
deleted file mode 100644
index b779a05..0000000
--- a/roles/auditbeat/templates/auditbeat.yml.j2
+++ /dev/null
@@ -1,99 +0,0 @@
-# You can find the full configuration reference here:
-# https://www.elastic.co/guide/en/beats/auditbeat/index.html
-
-# =========================== Modules configuration ============================
-auditbeat.modules:
-
-- module: auditd
- # Load audit rules from separate files. Same format as audit.rules(7).
- audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
- audit_rules: |
- ## Define audit rules here.
- ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
- ## examples or add your own rules.
-
- ## If you are on a 64 bit platform, everything should be running
- ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
- ## because this might be a sign of someone exploiting a hole in the 32
- ## bit API.
- #-a always,exit -F arch=b32 -S all -F key=32bit-abi
-
- ## Executions.
- #-a always,exit -F arch=b64 -S execve,execveat -k exec
-
- ## External access (warning: these can be expensive to audit).
- #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
-
- ## Identity changes.
- #-w /etc/group -p wa -k identity
- #-w /etc/passwd -p wa -k identity
- #-w /etc/gshadow -p wa -k identity
-
- ## Unauthorized access attempts.
- #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
- #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
-
-- module: file_integrity
- paths:
- - /bin
- - /usr/bin
- - /sbin
- - /usr/sbin
- - /etc
-
-- module: system
- datasets:
- - package # Installed, updated, and removed packages
-
- period: 2m # The frequency at which the datasets check for changes
-
-- module: system
- datasets:
- - host # General host information, e.g. uptime, IPs
- - login # User logins, logouts, and system boots.
- - process # Started and stopped processes
- - socket # Opened and closed sockets
- - user # User information
-
- # How often datasets send state updates with the
- # current state of the system (e.g. all currently
- # running processes, all open sockets).
- state.period: 3h
-
- # Enabled by default. Auditbeat will read password fields in
- # /etc/passwd and /etc/shadow and store a hash locally to
- # detect any changes.
- user.detect_password_changes: true
-
- # File patterns of the login record files.
- login.wtmp_file_pattern: /var/log/wtmp*
- login.btmp_file_pattern: /var/log/btmp*
-
-# ======================= Elasticsearch template setting =======================
-setup.template.settings:
- index.number_of_shards: 1
- #index.codec: best_compression
- #_source.enabled: false
-
-# ================================== Outputs ===================================
-
-# Configure what output to use when sending the data collected by the beat.
-
-# ---------------------------- Elasticsearch Output ----------------------------
-output.elasticsearch:
- # Array of hosts to connect to.
- hosts: ["{{ auditbeat_elasticsearch_host }}"]
-
- protocol: "https"
- username: "{{ auditbeat_elastic_username }}"
- password: "{{ auditbeat_elastic_password}}"
-
- ssl:
- enabled: true
- ca_trusted_fingerprint: "{{ auditbeat_elastic_fingerprint }}"
-
-
-processors:
- - add_host_metadata: ~
- - add_cloud_metadata: ~
- - add_docker_metadata: ~
diff --git a/roles/auditbeat/vars/main/vars.yml b/roles/auditbeat/vars/main/vars.yml
deleted file mode 100644
index f7c6aa2..0000000
--- a/roles/auditbeat/vars/main/vars.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-auditbeat_kibana_host: "http://10.5.0.0:5601"
-auditbeat_elasticsearch_host: "10.5.0.0:9200"
-
-auditbeat_elastic_username: "pydis"
-auditbeat_elastic_password: "{{ encrypted_auditbeat_elastic_password }}"
-auditbeat_elastic_fingerprint: >-
- e75cfe8591cb5d30ce31f9a094053f4e0090ebd057a120ac9dcbbf5754fb5a73
diff --git a/roles/auditbeat/vars/main/vault.yml b/roles/auditbeat/vars/main/vault.yml
deleted file mode 100644
index e2443a1..0000000
--- a/roles/auditbeat/vars/main/vault.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-35633733373033323135653436373566666461363766646664313032316535313638353365333565
-6530393663656438653338333865396266306130613666630a633263373239626436633965346533
-66396166626231376564373462643065653261663362383762633234336234396566663937353864
-3733633736306237630a626639646437343735316331623361636333613932616439366336323035
-65636234366363663630363834633764613564366264663037386166633538303630343935383438
-38303838633632386164663265313430656535383761613936333861383138376139613533336264
-393131653033376537643138643635363765