Diffstat (limited to 'roles')
| -rw-r--r-- | roles/auditbeat/README.md | 3 | ||||
| -rw-r--r-- | roles/auditbeat/handlers/main.yml | 7 | ||||
| -rw-r--r-- | roles/auditbeat/meta/main.yml | 5 | ||||
| -rw-r--r-- | roles/auditbeat/tasks/main.yml | 27 | ||||
| -rw-r--r-- | roles/auditbeat/templates/auditbeat.yml.j2 | 99 | ||||
| -rw-r--r-- | roles/auditbeat/vars/main/vars.yml | 7 | ||||
| -rw-r--r-- | roles/auditbeat/vars/main/vault.yml | 8 | ||||
| -rw-r--r-- | roles/filebeat/templates/filebeat.yml.j2 | 2 | 
8 files changed, 158 insertions, 0 deletions
|
diff --git a/roles/auditbeat/README.md b/roles/auditbeat/README.md
new file mode 100644
index 0000000..da18eda
--- /dev/null
+++ b/roles/auditbeat/README.md
@@ -0,0 +1,3 @@
+# Role "auditbeat"
+
+The auditbeat role installs and configures the auditbeat reporting agent.
diff --git a/roles/auditbeat/handlers/main.yml b/roles/auditbeat/handlers/main.yml
new file mode 100644
index 0000000..cda733c
--- /dev/null
+++ b/roles/auditbeat/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart auditbeat
+  service:
+    name: auditbeat
+    state: restarted
+  tags:
+    - role::auditbeat
diff --git a/roles/auditbeat/meta/main.yml b/roles/auditbeat/meta/main.yml
new file mode 100644
index 0000000..522f87c
--- /dev/null
+++ b/roles/auditbeat/meta/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies:
+  - role: elasticsearch-repos
+    tags:
+      - role::auditbeat
diff --git a/roles/auditbeat/tasks/main.yml b/roles/auditbeat/tasks/main.yml
new file mode 100644
index 0000000..b928c4a
--- /dev/null
+++ b/roles/auditbeat/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Install Auditbeat
+  apt:
+    pkg: auditbeat
+    state: present
+  tags:
+    - role::auditbeat
+
+- name: Configure Auditbeat
+  template:
+    src: auditbeat.yml.j2
+    dest: /etc/auditbeat/auditbeat.yml
+    mode: 0644
+    owner: root
+    group: root
+  tags:
+    - role::auditbeat
+  notify:
+    - restart auditbeat
+
+- name: Start and enable Auditbeat
+  service:
+    name: auditbeat
+    state: started
+    enabled: true
+  tags:
+    - role::auditbeat
diff --git a/roles/auditbeat/templates/auditbeat.yml.j2 b/roles/auditbeat/templates/auditbeat.yml.j2
new file mode 100644
index 0000000..b779a05
--- /dev/null
+++ b/roles/auditbeat/templates/auditbeat.yml.j2
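Review bot: The `Configure Auditbeat` task renders a file that carries the Elasticsearch password (the template's `output.elasticsearch.password` line) with `mode: 0644`, so a vaulted secret ends up readable by every local account on the host; the agent runs as root for the auditd module, so `mode: "0600"` is sufficient. Quoting the mode also removes the unquoted-octal ambiguity that ansible-lint flags: YAML 1.1 parses `0644` as the integer 420, and Ansible only treats it as the intended permission bits because of the leading zero. The `Install Auditbeat` task pins no version, so a repository update silently upgrades the agent on the next run; if that is unwanted, a defaulted version variable in the `pkg:` value would make the installed version explicit.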
@@ -0,0 +1,99 @@
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/auditbeat/index.html
+
+# =========================== Modules configuration ============================
+auditbeat.modules:
+
+- module: auditd
+  # Load audit rules from separate files. Same format as audit.rules(7).
+  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
+  audit_rules: |
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access (warning: these can be expensive to audit).
+    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
+    #-w /etc/passwd -p wa -k identity
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+
+- module: system
+  datasets:
+    - package # Installed, updated, and removed packages
+
+  period: 2m # The frequency at which the datasets check for changes
+
+- module: system
+  datasets:
+    - host    # General host information, e.g. uptime, IPs
+    - login   # User logins, logouts, and system boots.
+    - process # Started and stopped processes
+    - socket  # Opened and closed sockets
+    - user    # User information
+
+  # How often datasets send state updates with the
+  # current state of the system (e.g. all currently
+  # running processes, all open sockets).
+  state.period: 3h
+
+  # Enabled by default. Auditbeat will read password fields in
+  # /etc/passwd and /etc/shadow and store a hash locally to
+  # detect any changes.
+  user.detect_password_changes: true
+
+  # File patterns of the login record files.
+  login.wtmp_file_pattern: /var/log/wtmp*
+  login.btmp_file_pattern: /var/log/btmp*
+
+# ======================= Elasticsearch template setting =======================
+setup.template.settings:
+  index.number_of_shards: 1
+  #index.codec: best_compression
+  #_source.enabled: false
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Array of hosts to connect to.
+  hosts: ["{{ auditbeat_elasticsearch_host }}"]
+
+  protocol: "https"
+  username: "{{ auditbeat_elastic_username }}"
+  password: "{{ auditbeat_elastic_password}}"
+
+  ssl:
+    enabled: true
+    ca_trusted_fingerprint: "{{ auditbeat_elastic_fingerprint }}"
+
+
+processors:
+  - add_host_metadata: ~
+  - add_cloud_metadata: ~
+  - add_docker_metadata: ~
diff --git a/roles/auditbeat/vars/main/vars.yml b/roles/auditbeat/vars/main/vars.yml
new file mode 100644
index 0000000..f7c6aa2
--- /dev/null
+++ b/roles/auditbeat/vars/main/vars.yml
@@ -0,0 +1,7 @@
+auditbeat_kibana_host: "http://10.5.0.0:5601"
+auditbeat_elasticsearch_host: "10.5.0.0:9200"
+
+auditbeat_elastic_username: "pydis"
+auditbeat_elastic_password: "{{ encrypted_auditbeat_elastic_password }}"
+auditbeat_elastic_fingerprint: >-
+  e75cfe8591cb5d30ce31f9a094053f4e0090ebd057a120ac9dcbbf5754fb5a73
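Review bot: Every rule under `audit_rules` in the `auditd` module is commented out and no task in this commit places files under `audit.rules.d/`, so as committed the module most likely reports only whatever rules the kernel already has loaded rather than the identity, exec and access rules the template documents; uncomment the rules this deployment wants, or add a template for a `.conf` in `audit.rules.d/`, and state the intent in a comment above `audit_rules: |`. `password: "{{ auditbeat_elastic_password}}"` is missing the space before `}}`; Jinja accepts it, but it breaks the pattern of the neighbouring lines, `password: "{{ auditbeat_elastic_password }}"`. The `file_integrity` paths are listed flush with `paths:` while every other list in the file is indented by two; pick one sequence style for the file.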
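Review bot: `auditbeat_kibana_host` is defined here but not referenced by `auditbeat.yml.j2` in this commit, and it points at plain `http://` while the Elasticsearch output is `https`; drop it, or wire it into `setup.kibana` over TLS when it is needed. Placing the host and username in `vars/main/` gives them role-variable precedence, so inventory and group_vars cannot override them per environment; `defaults/main.yml` is the conventional home for such values, leaving `vars/main/vault.yml` for the secret alone.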
diff --git a/roles/auditbeat/vars/main/vault.yml b/roles/auditbeat/vars/main/vault.yml
new file mode 100644
index 0000000..e2443a1
--- /dev/null
+++ b/roles/auditbeat/vars/main/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+35633733373033323135653436373566666461363766646664313032316535313638353365333565
+6530393663656438653338333865396266306130613666630a633263373239626436633965346533
+66396166626231376564373462643065653261663362383762633234336234396566663937353864
+3733633736306237630a626639646437343735316331623361636333613932616439366336323035
+65636234366363663630363834633764613564366264663037386166633538303630343935383438
+38303838633632386164663265313430656535383761613936333861383138376139613533336264
+393131653033376537643138643635363765
diff --git a/roles/filebeat/templates/filebeat.yml.j2 b/roles/filebeat/templates/filebeat.yml.j2
index c2b48f7..5a84729 100644
--- a/roles/filebeat/templates/filebeat.yml.j2
+++ b/roles/filebeat/templates/filebeat.yml.j2
@@ -36,6 +36,8 @@ filebeat.inputs:
   #fields:
   #  level: debug
   #  review: 1
+- type: journald
+  id: everything
 # ============================== Filebeat modules ==============================
|
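Review bot: The new `journald` input carries only `type` and `id`, so it ships the whole system journal with whatever start position the input's defaults pick; the `id: everything` name suggests that is intended, but a comment above `- type: journald` saying so, and an explicit `seek:` so the first-run behaviour does not depend on defaults, would make the choice reviewable. Given the auditbeat role added in the same commit, it is also worth a comment on where journald content and auditbeat's `system` module are expected to overlap so duplicate events are a known quantity rather than a surprise. The enclosing `filebeat.inputs:` list starts outside the hunk.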
