diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index a318bad7b..86ccbd839 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -5,7 +5,7 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa -## Default variables +## Default variables for creation of ACL (pass it as a list) ```yaml --- aws_acl: 
@@ -15,33 +15,101 @@ aws_acl: region: "us-east-1" tags: {} rules: - rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) - + rate_limit: + value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + priority: 2 ip_sets: - - name: "Allowed-ips-example" + - name: "Allowed-ips" action: allow - list: [] + priority: 1 + list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 #- 3.3.3.3/32 - - name: "Blocked-ips-example" + - name: "Blocked-ips" action: block - list: [] + priority: 0 + list: [] # If the list is empty, ip set won't be recreated #- 4.4.4.4/32 # list of ip ranges #- 5.5.5.5/32 #- 6.6.6.6/32 - - cc_block_list: [] - + country_codes: + - name: "allowed-countries" + action: allow + priority: 7 + list: + - GB + - HR + - name: "blocked-countries" + action: block + priority: 8 + list: + - RU + - CN regular_rules: - name: allow_panels action: allow - string: "panels/ajax" - position: "CONTAINS" - -# cyber_sec: #Need to implement task + statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 4 + statements: + - inspect: "UriPath" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "panels/ajax" + text_trans: "NONE" + - name: block_bots + action: block + statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 5 + statements: + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "spider" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "bot" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" 
+ string: "crawl" + text_trans: "LOWERCASE" + # AWS Managed rules + bot_control: + target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + priority: 3 + cyber_sec: + enabled: true # Need to subscribe first in AWS + rule_list: [] + priority: 6 + amazon_ip_reputation: + enabled: true + rule_list: [] + priority: 9 + common_rule_set: + enabled: true + rule_list: [] + priority: 10 + php_rule_set: + enabled: true + rule_list: [] + priority: 11 + known_bad_inputs: + enabled: true + rule_list: [] + priority: 12 + anonymous_ip_list: + enabled: true + rule_list: [] + priority: 13 +``` +## Default variables for assigning ACL to CF or ALB +```yaml +--- +aws_acl: + name: example_master_acl # Name of the ACL to apply + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" ``` diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 7808982f8..786e5baf0 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml 
@@ -6,29 +6,90 @@ aws_acl: region: "us-east-1" tags: {} rules: - rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) - + rate_limit: + value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + priority: 2 ip_sets: - - name: "Allowed-ips-example" + - name: "Allowed-ips" action: allow - list: [] + priority: 1 + list: [] # If the list is empty, ip set won't be recreated #- 1.1.1.1/32 # list of ip ranges #- 2.2.2.2/32 #- 3.3.3.3/32 - - name: "Blocked-ips-example" + - name: "Blocked-ips" action: block - list: [] + priority: 0 + list: [] # If the list is empty, ip set won't be recreated #- 4.4.4.4/32 # list of ip ranges #- 5.5.5.5/32 #- 6.6.6.6/32 - - cc_block_list: [] - + country_codes: + - name: "allowed-countries" + action: allow + priority: 7 + list: + - GB + - HR + - name: "blocked-countries" + action: block + priority: 8 + list: + - RU + - CN regular_rules: - name: allow_panels action: allow - string: "panels/ajax" - position: "CONTAINS" - -# cyber_sec: #Need to implement task + statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 4 + statements: + - inspect: "UriPath" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "panels/ajax" + text_trans: "NONE" + - name: block_bots + action: block + statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements) + priority: 5 + statements: + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "spider" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + string: "bot" + text_trans: "LOWERCASE" + - inspect: "SingleHeader" # Aslo supported: "SingleHeader" + position: "CONTAINS" + 
string: "crawl" + text_trans: "LOWERCASE" + # Managed rules list + bot_control: + enabled: false + target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + priority: 3 + cyber_sec: + enabled: false # Need to subscribe first in AWS + rule_list: [] + priority: 6 + amazon_ip_reputation: + enabled: false + rule_list: [] + priority: 9 + common_rule_set: + enabled: false + rule_list: [] + priority: 10 + php_rule_set: + enabled: false + rule_list: [] + priority: 11 + known_bad_inputs: + enabled: false + rule_list: [] + priority: 12 + anonymous_ip_list: + enabled: false + rule_list: [] + priority: 13 diff --git a/roles/aws/aws_acl/tasks/amazon_ip_reputation.yml b/roles/aws/aws_acl/tasks/amazon_ip_reputation.yml new file mode 100644 index 000000000..a37559047 --- /dev/null +++ b/roles/aws/aws_acl/tasks/amazon_ip_reputation.yml @@ -0,0 +1,32 @@ +--- +- name: Create amazon ip reputation rule + ansible.builtin.set_fact: + amazon_ip_reputation: + name: "AWS-AWSManagedRulesAmazonIpReputationList" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesAmazonIpReputationList" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesAmazonIpReputationList" + rule_action_overrides: + - name: "AWSManagedIPDDoSList" + action_to_use: + challenge: {} + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.amazon_ip_reputation.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + amazon_ip_reputation: "{{ amazon_ip_reputation | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [amazon_ip_reputation] }}" diff --git a/roles/aws/aws_acl/tasks/anonymous_ip_list.yml b/roles/aws/aws_acl/tasks/anonymous_ip_list.yml new file mode 100644 index 000000000..7bd073202 --- /dev/null 
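Review bot: The comment on `target: "COMMON"` in the new `bot_control` block still says "comment out to avoid addign rule", but the block now carries an `enabled: false` switch that create_acl.yml gates on, so the guidance is stale (and "addign" and the repeated "Aslo supported" are typos); suggest `# or "TARGETED"; set enabled: false to skip the rule`. Every `inspect: "SingleHeader"` entry names no header, and the statement task hard-codes `user-agent`, so a comment such as `# SingleHeader always inspects the User-Agent header` would stop readers assuming it is configurable. The per-rule `priority` values must be unique across the whole web ACL, which nothing in the file states; one comment above `rules:` saying so is worth adding. The same edits apply to the README hunk.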
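Review bot: `rule_list: []` is declared for this rule in defaults/main.yml but nothing in this task reads it, so a user who fills it in expecting to exclude or override sub-rules gets a silent no-op; the same holds for the new anonymous_ip_list.yml, common_rule_set.yml, php_rule_set.yml and known_bad_inputs.yml tasks. Either feed it to `excluded_rules` / `rule_action_overrides` under `managed_rule_group_statement` or drop the key from defaults. The `AWSManagedIPDDoSList` override to `challenge` is hard-coded and challenge responses need a browser, so non-interactive clients on those addresses are cut off; if that is intended, say so in a comment on the `action_to_use:` line.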
+++ b/roles/aws/aws_acl/tasks/anonymous_ip_list.yml @@ -0,0 +1,35 @@ +--- +- name: Create anonymous ip list rule + ansible.builtin.set_fact: + anonymous_ip_list: + name: "AWS-AWSManagedRulesAnonymousIpList" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesAnonymousIpList" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesAnonymousIpList" + rule_action_overrides: + - name: "AnonymousIPList" + action_to_use: + challenge: {} + - name: "HostingProviderIPList" + action_to_use: + captcha: {} + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.anonymous_ip_list.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + anonymous_ip_list: "{{ anonymous_ip_list | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [anonymous_ip_list] }}" diff --git a/roles/aws/aws_acl/tasks/bot_control.yml b/roles/aws/aws_acl/tasks/bot_control.yml index 5e8cdb730..4e8044175 100644 --- a/roles/aws/aws_acl/tasks/bot_control.yml +++ b/roles/aws/aws_acl/tasks/bot_control.yml @@ -71,7 +71,7 @@ inspection_level: "COMMON" - name: Define targeted actions rules - when: _acl.rules.botControl == "TARGETED" + when: _acl.rules.botControl.target == "TARGETED" block: - name: Define targeted actions ansible.builtin.set_fact: @@ -111,7 +111,7 @@ - name: Define Bot Control rule. ansible.builtin.set_fact: - bot_control: + bot_control_rule: name: bot_control override_action: none: {} 
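Review bot: The `HostingProviderIPList` override sets `captcha`, which non-interactive clients (monitoring, webhooks, CI runners on cloud providers) cannot pass, so with `enabled: true` as the README shows this rule blocks such traffic outright rather than counting it. If that is the intended posture a comment on the `captcha: {}` line should say so; otherwise expose the action through the otherwise unused `rule_list` key in defaults.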
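Review bot: `when: _acl.rules.botControl.target == "TARGETED"` keys on `botControl`, but the renamed defaults block is `bot_control`, and the create_acl.yml hunk (`_acl.rules.botControl is defined` / `.enabled`) has the same mismatch, so with the shipped defaults the Bot Control rule is silently skipped and the `enabled` flag never matters. The `Set priority.` task in the hunk at -126 reads `bot_control.priority` from a top-level variable that nothing in this diff sets, while every sibling task uses `_acl.rules.<rule>.priority`. Suggested lines: `when: _acl.rules.bot_control.target == "TARGETED"` and `_priority: "{{ _acl.rules.bot_control.priority }}"`. The block enclosing the first hunk starts outside it.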
@@ -126,13 +126,15 @@ managed_rule_group_configs: "{{ _rule_config }}" rule_action_overrides: "{{ _action_rules }}" +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ bot_control.priority }}" + - name: Append priority to rule. ansible.builtin.set_fact: - bot_control: "{{ bot_control | combine(_priority_dict) }}" + bot_control_rule: "{{ bot_control_rule | combine(_priority_dict) }}" - name: Add rule to list. ansible.builtin.set_fact: - _rules: "{{ _rules + [bot_control] }}" - -- name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml + _rules: "{{ _rules + [bot_control_rule] }}" diff --git a/roles/aws/aws_acl/tasks/cc_rules.yml b/roles/aws/aws_acl/tasks/cc_rules.yml new file mode 100644 index 000000000..b90d8af1c --- /dev/null +++ b/roles/aws/aws_acl/tasks/cc_rules.yml @@ -0,0 +1,30 @@ +--- +- name: Set action string + ansible.builtin.set_fact: + _action: "{ {{ _cc_set.action }}: {} }" + +- name: Create country block rule + ansible.builtin.set_fact: + cc_rule: + name: "{{ _cc_set.name }}" + action: "{{ _action | from_yaml }}" + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "{{ _cc_set.name }}" + statement: + geo_match_statement: + country_codes: "{{ _cc_set.list }}" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _cc_set.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + cc_rule: "{{ cc_rule | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [cc_rule] }}" diff --git a/roles/aws/aws_acl/tasks/common_rule_set.yml b/roles/aws/aws_acl/tasks/common_rule_set.yml new file mode 100644 index 000000000..463c27de6 --- /dev/null +++ b/roles/aws/aws_acl/tasks/common_rule_set.yml 
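Review bot: `country_codes: "{{ _cc_set.list }}"` is built without checking that the list is non-empty; the guard in create_acl.yml only checks that `country_codes` itself has entries, so a set with `list: []` produces an empty `geo_match_statement` that is rejected at web-ACL creation time instead of at the misconfigured set. Add `when: _cc_set.list | length > 0` to these tasks or an `ansible.builtin.assert` on the set. `_cc_set.action` is also interpolated unquoted into `_action` and forwarded unvalidated, so a typo yields an opaque API error; `that: _cc_set.action in ['allow', 'block', 'count']` in the same assert fails fast with a readable message.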
@@ -0,0 +1,28 @@ +--- +- name: Create common rule set rule + ansible.builtin.set_fact: + common_rule_set: + name: "AWS-AWSManagedRulesCommonRuleSet" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesCommonRuleSet" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesCommonRuleSet" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.common_rule_set.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + common_rule_set: "{{ common_rule_set | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [common_rule_set] }}" diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml index 404bcc805..5a48ca9de 100644 --- a/roles/aws/aws_acl/tasks/create_acl.yml +++ b/roles/aws/aws_acl/tasks/create_acl.yml @@ -3,14 +3,10 @@ ansible.builtin.set_fact: _rules: [] -- name: Set priority counter +- name: Set priority dict set_fact: - _priority: 0 _priority_dict: {} -- name: Increase priority and set dict for 1st rule. - ansible.builtin.include_tasks: increase_priority.yml - - name: Create IP set rules. ansible.builtin.include_tasks: ip_sets.yml when: 
@@ -20,40 +16,19 @@ loop_control: loop_var: _ip_set -- name: Set country block rule. +- name: Create CC rule set. + ansible.builtin.include_tasks: cc_rules.yml when: - - _acl.rules.cc_block_list is defined - - _acl.rules.cc_block_list | length > 0 - block: - - name: Create country block rule - ansible.builtin.set_fact: - cc_block_rule: - name: block_countries - action: - block: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: block_countries - statement: - geo_match_statement: - country_codes: "{{ _acl.rules.cc_block_list }}" - - - name: Append priority to rule. - ansible.builtin.set_fact: - cc_block_rule: "{{ cc_block_rule | combine(_priority_dict) }}" - - - name: Add rule to list - ansible.builtin.set_fact: - _rules: "{{ _rules + [cc_block_rule] }}" - - - name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml + - _acl.rules.country_codes is defined + - _acl.rules.country_codes | length > 0 + loop: "{{ _acl.rules.country_codes | list }}" + loop_control: + loop_var: _cc_set - name: Set rate limit variable. when: - _acl.rules.rate_limit is defined - - _acl.rules.rate_limit > 0 + - _acl.rules.rate_limit.value > 0 block: - name: Set rate based statement from template ansible.builtin.set_fact: @@ -69,9 +44,14 @@ sampled_requests_enabled: true cloud_watch_metrics_enabled: true metric_name: rate_limit - statement: + Statement: rate_based_statement: "{{ _rbs }}" + - name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.rate_limit.priority }}" + - name: Append priority to rule. ansible.builtin.set_fact: rate_rule: "{{ rate_rule | combine(_priority_dict) }}" 
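Review bot: `Statement:` in the rate_rule dict is capitalised while every other rule this role builds (`ip_set_rule`, `cc_rule`, `regular_rule`, the managed-rule tasks) uses `statement:`; if the module's key conversion tolerates both it is harmless, but it reads as a typo and should be `statement:` unless there is a reason, in which case a comment is needed. The `Set rate limit variable.` block in the hunk at -20 now dereferences `_acl.rules.rate_limit.value` after only checking `rate_limit is defined`, so an old-style scalar `rate_limit: 200` fails with an attribute error; adding `- _acl.rules.rate_limit is mapping` gives a clearer failure. The block continues past the hunk.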
@@ -80,13 +60,11 @@ ansible.builtin.set_fact: _rules: "{{ _rules + [rate_rule] }}" - - name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml - - name: Create Bot Control rule. - when: _acl.rules.botControl is defined - ansible.builtin.include_tasks: - file: bot_control.yml + ansible.builtin.include_tasks: bot_control.yml + when: + - _acl.rules.botControl is defined + - _acl.rules.botControl.enabled - name: Create regular rules. ansible.builtin.include_tasks: regular_rule.yml @@ -101,11 +79,45 @@ ansible.builtin.include_tasks: cyber_sec.yml when: - _acl.rules.cyber_sec is defined - - _acl.rules.cyber_sec + - _acl.rules.cyber_sec.enabled + +- name: Create Amazon IP reputation rule. + ansible.builtin.include_tasks: amazon_ip_reputation.yml + when: + - _acl.rules.amazon_ip_reputation is defined + - _acl.rules.amazon_ip_reputation.enabled + +- name: Create Common Rule Set rule. + ansible.builtin.include_tasks: common_rule_set.yml + when: + - _acl.rules.common_rule_set is defined + - _acl.rules.common_rule_set.enabled + +- name: Create PHP Rule Set rule. + ansible.builtin.include_tasks: php_rule_set.yml + when: + - _acl.rules.php_rule_set is defined + - _acl.rules.php_rule_set.enabled + +- name: Create Known Bad Inputs rule. + ansible.builtin.include_tasks: known_bad_inputs.yml + when: + - _acl.rules.known_bad_inputs is defined + - _acl.rules.known_bad_inputs.enabled + +- name: Create Anomymous IP List rule. + ansible.builtin.include_tasks: anonymous_ip_list.yml + when: + - _acl.rules.anonymous_ip_list is defined + - _acl.rules.anonymous_ip_list.enabled + +- name: Print the rules + ansible.builtin.debug: + msg: "{{ _rules }}" - name: Create web acl. community.aws.wafv2_web_acl: - name: "{{ _acl.name }}" + name: "{{ _acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ description: "{{ _acl.description }}" scope: "{{ _acl.scope }}" region: "{{ _acl.region }}" 
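Review bot: `Print the rules` dumps the whole rule list on every run; add `verbosity: 1` under `ansible.builtin.debug:` so it only appears with `-v`. Since priorities are now user-supplied per rule and the API rejects duplicates, an `ansible.builtin.assert` before `Create web acl.` with `that: _rules | map(attribute='priority') | list | unique | length == _rules | length` would report the clash with a readable message. The task name `Create Anomymous IP List rule.` has a typo.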
diff --git a/roles/aws/aws_acl/tasks/cyber_sec.yml b/roles/aws/aws_acl/tasks/cyber_sec.yml index deb556e3e..7850ed2b5 100644 --- a/roles/aws/aws_acl/tasks/cyber_sec.yml +++ b/roles/aws/aws_acl/tasks/cyber_sec.yml 
@@ -1,50 +1,55 @@ --- -- name: Create regular rule +- name: Create cyber security rule ansible.builtin.set_fact: cyber_sec_rule: - name: "CyberSecurityCloud-HighSecurityOWASPSet" - override_action: - none: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: "CyberSecurityCloud-HighSecurityOWASPSet" - statement: - managed_rule_group_statement: - vendor_name: "Cyber Security Cloud Inc." - name: "CyberSecurityCloud-HighSecurityOWASPSet-" - excluded_rules: - - name: "bad_useragent-header-001" - - name: "cookie-body-001" - - name: "cookie-qs-001" - - name: "drupal-multi-001" - - name: "drupal-multi-002" - - name: "joomla-multi-001" - - name: "ldapi-url-001" - - name: "nosqli-body-001" - - name: "nosqli-qs-001" - - name: "oracle-multi-001" - - name: "oscommandi-body-001" - - name: "oscommandi-qs-001" - - name: "pathtraversal-body-001" - - name: "pathtraversal-qs-001" - - name: "pathtraversal-url-001" - - name: "rails-header-001" - - name: "sqli-body-001" - - name: "sqli-body-002" - - name: "sqli-qs-001" - - name: "sqli-qs-002" - - name: "sqli-url-001" - - name: "ssrf-multi-001" - - name: "struts-multi-001" - - name: "struts-multi-002" - - name: "struts-multi-003" - - name: "suspicious_access-url-001" - - name: "tomcat-multi-001" - - name: "xss-body-001" - - name: "xss-qs-001" - - name: "xxe-ssci-body-001" - - name: "xxe-ssci-qs-001" + name: "CyberSecurityCloud-HighSecurityOWASPSet" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "CyberSecurityCloud-HighSecurityOWASPSet" + statement: + managed_rule_group_statement: + vendor_name: "Cyber Security Cloud Inc." 
+ name: "CyberSecurityCloud-HighSecurityOWASPSet-" + excluded_rules: + - name: "bad_useragent-header-001" + - name: "cookie-body-001" + - name: "cookie-qs-001" + - name: "drupal-multi-001" + - name: "drupal-multi-002" + - name: "joomla-multi-001" + - name: "ldapi-url-001" + - name: "nosqli-body-001" + - name: "nosqli-qs-001" + - name: "oracle-multi-001" + - name: "oscommandi-body-001" + - name: "oscommandi-qs-001" + - name: "pathtraversal-body-001" + - name: "pathtraversal-qs-001" + - name: "pathtraversal-url-001" + - name: "rails-header-001" + - name: "sqli-body-001" + - name: "sqli-body-002" + - name: "sqli-qs-001" + - name: "sqli-qs-002" + - name: "sqli-url-001" + - name: "ssrf-multi-001" + - name: "struts-multi-001" + - name: "struts-multi-002" + - name: "struts-multi-003" + - name: "suspicious_access-url-001" + - name: "tomcat-multi-001" + - name: "xss-body-001" + - name: "xss-qs-001" + - name: "xxe-ssci-body-001" + - name: "xxe-ssci-qs-001" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.cyber_sec.priority }}" - name: Append priority to rule. ansible.builtin.set_fact: @@ -53,6 +58,3 @@ - name: Add rule to list ansible.builtin.set_fact: _rules: "{{ _rules + [cyber_sec_rule] }}" - -- name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/ip_sets.yml b/roles/aws/aws_acl/tasks/ip_sets.yml index d4ba9b345..bd0ac1376 100644 --- a/roles/aws/aws_acl/tasks/ip_sets.yml +++ b/roles/aws/aws_acl/tasks/ip_sets.yml 
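Review bot: `excluded_rules` hard-codes 31 rules, including the sqli, xss, oscommandi, pathtraversal, ssrf and xxe signatures, and AWS evaluates excluded rules in count mode, so the group is deployed with most of its blocking detections disabled and no per-deployment way to change that even though defaults/main.yml adds `rule_list: []` for cyber_sec. Wire it with `excluded_rules: "{{ _acl.rules.cyber_sec.rule_list }}"` and move the current list into the defaults, or add a comment explaining why it is a fixed baseline. The group `name` ends in a trailing hyphen (`CyberSecurityCloud-HighSecurityOWASPSet-`) unlike the rule's own `name`; it is unchanged by this commit but worth confirming against the marketplace listing.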
@@ -8,15 +8,24 @@ region: "{{ _acl.region }}" ip_address_version: IPV4 addresses: "{{ _ip_set.list }}" + when: _ip_set.list | length > 0 + register: _ip_set_info + +- name: Get IP set for WAF if. + community.aws.wafv2_ip_set_info: + name: "{{ _ip_set.name }}" + scope: "{{ _acl.scope }}" + region: "{{ _acl.region }}" + when: _ip_set.list | length == 0 register: _ip_set_info - name: Set action string ansible.builtin.set_fact: _action: "{ {{ _ip_set.action }}: {} }" -- name: Create IP block rule. +- name: Create IP set rule. ansible.builtin.set_fact: - ip_block_rule: + ip_set_rule: name: "{{ _ip_set.name }}" action: "{{ _action | from_yaml }}" visibility_config: @@ -27,13 +36,15 @@ ip_set_reference_statement: arn: "{{ _ip_set_info.arn }}" +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _ip_set.priority }}" + - name: Append priority to rule. ansible.builtin.set_fact: - ip_block_rule: "{{ ip_block_rule | combine(_priority_dict) }}" + ip_set_rule: "{{ ip_set_rule | combine(_priority_dict) }}" - name: Add rule to list. ansible.builtin.set_fact: - _rules: "{{ _rules + [ip_block_rule] }}" - -- name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml + _rules: "{{ _rules + [ip_set_rule] }}" diff --git a/roles/aws/aws_acl/tasks/known_bad_inputs.yml b/roles/aws/aws_acl/tasks/known_bad_inputs.yml new file mode 100644 index 000000000..88746b893 --- /dev/null +++ b/roles/aws/aws_acl/tasks/known_bad_inputs.yml 
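Review bot: When `_ip_set.list` is empty the task falls back to `wafv2_ip_set_info`, but if no set with that name exists yet `_ip_set_info.arn` is undefined and `Create IP set rule.` fails with an unrelated-looking template error; an `ansible.builtin.assert` with `that: _ip_set_info.arn is defined` and a message naming the set makes the condition explicit (assuming the info module returns `arn` at top level as the later task expects). The split also means the comment in defaults is the only place documenting that an empty list keeps the existing addresses rather than clearing them; repeat it on the `when: _ip_set.list | length > 0` line, e.g. `# empty list: reuse the existing set instead of wiping it`. The first task starts outside the hunk.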
@@ -0,0 +1,28 @@ +--- +- name: Create known bad inputs rule + ansible.builtin.set_fact: + known_bad_inputs: + name: "AWS-AWSManagedRulesKnownBadInputsRuleSet" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesKnownBadInputsRuleSet" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesKnownBadInputsRuleSet" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.known_bad_inputs.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + known_bad_inputs: "{{ known_bad_inputs | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [known_bad_inputs] }}" diff --git a/roles/aws/aws_acl/tasks/php_rule_set.yml b/roles/aws/aws_acl/tasks/php_rule_set.yml new file mode 100644 index 000000000..64a27e820 --- /dev/null +++ b/roles/aws/aws_acl/tasks/php_rule_set.yml @@ -0,0 +1,28 @@ +--- +- name: Create php rule set rule + ansible.builtin.set_fact: + php_rule_set: + name: "AWS-AWSManagedRulesPHPRuleSet" + override_action: + none: {} + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "AWS-AWSManagedRulesPHPRuleSet" + statement: + managed_rule_group_statement: + vendor_name: "AWS" + name: "AWSManagedRulesPHPRuleSet" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _acl.rules.php_rule_set.priority }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + php_rule_set: "{{ php_rule_set | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [php_rule_set] }}" diff --git a/roles/aws/aws_acl/tasks/regular_rule.yml b/roles/aws/aws_acl/tasks/regular_rule.yml index f0a4ded0b..649a269a8 100644 --- a/roles/aws/aws_acl/tasks/regular_rule.yml 
+++ b/roles/aws/aws_acl/tasks/regular_rule.yml @@ -3,6 +3,24 @@ ansible.builtin.set_fact: _action: "{ {{ _reg_rule.action }}: {} }" +- name: Set statement string + ansible.builtin.set_fact: + _statements: "" + +- name: Create statements. + ansible.builtin.include_tasks: regular_rule_statements.yml + when: + - _reg_rule.statements is defined + - _reg_rule.statements | length > 0 + loop: "{{ _reg_rule.statements | list }}" + loop_control: + loop_var: _stat + +- name: Encapsulate statement with type + ansible.builtin.set_fact: + _statements: "{ {{ _reg_rule.statements_type }}_statement: { statements: [{{ _statements }}] } }" + when: _reg_rule.statements_type != "single" + - name: Create regular rule ansible.builtin.set_fact: regular_rule: @@ -12,15 +30,12 @@ sampled_requests_enabled: true cloud_watch_metrics_enabled: true metric_name: "{{ _reg_rule.name }}" - statement: - byte_match_statement: - field_to_match: - uri_path: {} - positional_constraint: "{{ _reg_rule.position }}" - search_string: "{{ _reg_rule.string }}" - text_transformations: - - type: "NONE" - priority: 0 + statement: "{{ _statements | from_yaml }}" + +- name: Set priority. + ansible.builtin.include_tasks: set_priority_dict.yml + vars: + _priority: "{{ _reg_rule.priority }}" - name: Append priority to rule. ansible.builtin.set_fact: @@ -29,6 +44,3 @@ - name: Add rule to list ansible.builtin.set_fact: _rules: "{{ _rules + [regular_rule] }}" - -- name: Increase priority. - ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/regular_rule_statements.yml b/roles/aws/aws_acl/tasks/regular_rule_statements.yml new file mode 100644 index 000000000..ed75e92a5 --- /dev/null +++ b/roles/aws/aws_acl/tasks/regular_rule_statements.yml 
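Review bot: `Encapsulate statement with type` wraps every non-`single` type as `<type>_statement: { statements: [...] }`, but WAF's NotStatement takes a single `statement`, not a `statements` list, so the `statements_type: "not"` the defaults comment advertises produces a rule the API rejects. Special-case it, e.g. a task with `when: _reg_rule.statements_type == "not"` setting `_statements: "{ not_statement: { statement: {{ _statements }} } }"`, and assert exactly one statement in that case. With `single`, more than one statement yields a comma-joined string that `from_yaml` turns into a broken mapping, so an assert that `single` has `_reg_rule.statements | length == 1` catches the misconfiguration early. `when: _reg_rule.statements_type != "single"` also fails when the key is absent; `_reg_rule.statements_type | default('single')` keeps older rule definitions working.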
@@ -0,0 +1,19 @@
+---
+- name: Add comma if _statement already has element
+ ansible.builtin.set_fact:
+ _statements: "{{ _statements }}, "
+ when: _statements != ''
+
+- name: Set field match string for SingleHeader
+ ansible.builtin.set_fact:
+ _ftm: "{ single_header: { name: \"user-agent\"} }"
+ when: _stat.inspect == "SingleHeader"
+
+- name: Set field match string for SingleHeader
+ ansible.builtin.set_fact:
+ _ftm: "{ uri_path: {} }"
+ when: _stat.inspect == "UriPath"
+
+- name: Set statements string
+ ansible.builtin.set_fact:
+ _statements: "{{ _statements }}{ byte_match_statement: { search_string: {{ _stat.string }}, field_to_match: {{ _ftm }}, text_transformations: [{ priority: 0, type: {{ _stat.text_trans }} }], positional_constraint: {{ _stat.position }} } }"
diff --git a/roles/aws/aws_acl/tasks/set_priority_dict.yml b/roles/aws/aws_acl/tasks/set_priority_dict.yml
new file mode 100644
index 000000000..9ca723ea2
--- /dev/null
+++ b/roles/aws/aws_acl/tasks/set_priority_dict.yml
@@ -0,0 +1,8 @@
+---
+- name: Set dict string
+ ansible.builtin.set_fact:
+ _priority_dict_string: "{ priority: {{ _priority }} }"
+
+- name: Set dict
+ ansible.builtin.set_fact:
+ _priority_dict: "{{ _priority_dict_string | from_yaml }}"
diff --git a/roles/aws/aws_acl/templates/rate_limit.j2 b/roles/aws/aws_acl/templates/rate_limit.j2
index 410b0026f..f29047667 100644
--- a/roles/aws/aws_acl/templates/rate_limit.j2
+++ b/roles/aws/aws_acl/templates/rate_limit.j2
@@ -1 +1 @@
-{ limit: {{ _acl.rules.rate_limit }}, aggregate_key_type: IP }
+{ limit: {{ _acl.rules.rate_limit.value }}, aggregate_key_type: IP }
diff --git a/roles/aws/aws_elb/tasks/main.yml b/roles/aws/aws_elb/tasks/main.yml
index 39286bf35..969944ce7 100644
--- a/roles/aws/aws_elb/tasks/main.yml
+++ b/roles/aws/aws_elb/tasks/main.yml
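Review bot: `_stat.string`, `_stat.position` and `_stat.text_trans` are interpolated unquoted into a flow-YAML string that regular_rule.yml later parses with `from_yaml`, so a search string containing `, `, `}`, `: `, ` #` or a leading `[`, `{` or `*` either breaks the parse or silently changes the rule; emit them as JSON scalars (`search_string: {{ _stat.string | to_json }}`) so any value round-trips. The header for `SingleHeader` is hard-coded to `user-agent` with no way to inspect another header; read it from `_stat.header | default('user-agent')` or comment the limitation. The third task is named `Set field match string for SingleHeader` but handles `UriPath`, and an `inspect` value matching neither leaves `_ftm` undefined or stale from the previous loop iteration, so an `ansible.builtin.fail` for unknown values is warranted. Since the consumer is `from_yaml`, building a dict directly avoids the quoting problem altogether; the same applies to the set_priority_dict.yml hunk, where `_priority_dict: "{{ {'priority': _priority | int} }}"` replaces the two-step string round trip.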
@@ -94,7 +94,7 @@ - name: Add HTTP listeners. ansible.builtin.set_fact: - _aws_ec2_listeners: "{{ [ _aws_ec2_listeners_http ] }}" + _aws_ec2_listeners: "{{ [_aws_ec2_listeners_http] }}" when: _ssl_certificate_ARN | length < 1 - name: Add HTTPS Listener. diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index 2c2973e93..daf1ad759 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml @@ -12,4 +12,4 @@ - name: Register aws_iam_role results. ansible.builtin.set_fact: - aws_iam_role: "{{ aws_iam_role | combine({'_result': { aws_iam_role.name : _aws_iam_role_result}}) }}" + aws_iam_role: "{{ aws_iam_role | combine({'_result': {aws_iam_role.name: _aws_iam_role_result}}) }}" diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index bf4720f5e..704156805 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml @@ -18,7 +18,7 @@ description: "{{ aws_rds.db_parameter_group_description }}" engine: "{{ aws_rds.db_parameter_group_engine }}" params: "{{ aws_rds.db_parameters }}" - tags: "{{ aws_rds.tags | combine({ 'Name': aws_rds.name }) }}" + tags: "{{ aws_rds.tags | combine({'Name': aws_rds.name}) }}" when: - aws_rds.db_parameters is defined - aws_rds.db_parameters | length > 0 diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml index 585384511..d4c131e68 100644 --- a/roles/debian/wazuh/defaults/main.yml +++ b/roles/debian/wazuh/defaults/main.yml 
@@ -109,29 +109,29 @@ wazuh:
 wazuh_manager_api:
 bind_addr: 0.0.0.0
 port: 55000
- behind_proxy_server: no
- https: yes
+ behind_proxy_server: "no"
+ https: "yes"
 https_key: "api/configuration/ssl/server.key"
 https_cert: "api/configuration/ssl/server.crt"
- https_use_ca: False
+ https_use_ca: false
 https_ca: "api/configuration/ssl/ca.crt"
 logging_level: "info"
 logging_path: "logs/api.log"
- cors: no
+ cors: "no"
 cors_source_route: "*"
 cors_expose_headers: "*"
 cors_allow_headers: "*"
- cors_allow_credentials: no
- cache: yes
+ cors_allow_credentials: "no"
+ cache: "yes"
 cache_time: 0.750
 access_max_login_attempts: 5
 access_block_time: 300
 access_max_request_per_minute: 300
- drop_privileges: yes
- experimental_features: no
- remote_commands_localfile: yes
+ drop_privileges: "yes"
+ experimental_features: "no"
+ remote_commands_localfile: "yes"
 remote_commands_localfile_exceptions: []
- remote_commands_wodle: yes
+ remote_commands_wodle: "yes"
 remote_commands_wodle_exceptions: []
 #wazuh_api_users:
 # - username: custom-user
@@ -153,4 +153,4 @@ wazuh:
 password: "wazuh"
 dashboard_security: true
 dashboard_user: kibanaserver
- dashboard_password: changeme
\ No newline at end of file
+ dashboard_password: changeme
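Review bot: Quoting `yes`/`no` turns those values into strings while `https_use_ca: False` became the bare boolean `false`, so the template that presumably renders this block into the Wazuh API configuration now receives mixed types, and a bare boolean rendered through Jinja comes out as `False`, which the consumer may not read the same way as its own `no`/`false` spellings; use one form for all of them, e.g. `https_use_ca: "false"`, or keep every value a real boolean and convert in the template. The line `dashboard_password: changeme` survives on the new side as a committed default credential; the role should expect it to be overridden, e.g. with an `ansible.builtin.assert` that `dashboard_password != 'changeme'` before installing, and a comment on this line saying so.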