-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Integrated IDPS setup with IDEAM installation (#64)
Bugfix: Reordered tasks in ansible playbook Signed off by: Poorna Chandra Tejasvi<pct960@gmail.com>
- Loading branch information
1 parent
d2afd26
commit 3a4964f
Showing
3 changed files
with
182 additions
and
56 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| --- | ||
| - hosts: 127.0.0.1 | ||
| connection: local | ||
| become: yes | ||
| become_method: sudo | ||
|
|
||
| tasks: | ||
| - name: Install python3 | ||
| apt: pkg=python3 state=installed update_cache=true | ||
|
|
||
| - name: Ensure packages are installed | ||
| apt: name={{item}} | ||
| with_items: | ||
| - postgresql-9.5 | ||
| - libpq-dev | ||
| - python3-psycopg2 | ||
| - postgresql-contrib | ||
|
|
||
| - name: Delete default Postgresql configuration file | ||
| shell: rm /etc/postgresql/9.3/main/pg_hba.conf | ||
| ignore_errors: yes | ||
|
|
||
| - name: Copy postgresql config file | ||
| copy: src={{item.src}} dest={{item.dest}} | ||
| with_items: | ||
| - {src: './config/idps/pg_hba.conf', dest: '/etc/postgresql/9.3/main/'} | ||
|
|
||
| - name: Install supervisor | ||
| apt: pkg=supervisor state=installed update_cache=true | ||
|
|
||
| - name: Get current working directory | ||
| shell: "pwd" | ||
| register: dir | ||
|
|
||
| - name: Update python script location in supervisor conf | ||
| lineinfile: | ||
| path: ./config/idps/log_parser.conf | ||
| regexp: '^command=' | ||
| line: 'command=python3 {{dir.stdout}}/config/idps/log_parser.py {{dir.stdout}}' | ||
|
|
||
| - name: Copy supervisor config file | ||
| copy: src={{ item.src }} dest={{ item.dest }} | ||
| with_items: | ||
| - { src: './config/idps/log_parser.conf', dest: '/etc/supervisor/conf.d/' } | ||
|
|
||
| - name: Register service with supervisor | ||
| command: supervisorctl reread | ||
|
|
||
| - name: Update supervisorctl | ||
| command: supervisorctl update | ||
|
|
||
| - name: Restart Supervisor | ||
| service: name=supervisor state=restarted | ||
| become: yes | ||
|
|
||
| - name: Install Fail2ban | ||
| apt: pkg=fail2ban state=installed update_cache=true | ||
|
|
||
| - name: Copy configuration files | ||
| copy: src={{ item.src }} dest={{ item.dest }} | ||
| with_items: | ||
| - { src: './config/idps/jail.local', dest: '/etc/fail2ban/' } | ||
| - { src: './config/idps/middleware.conf', dest: '/etc/fail2ban/filter.d/' } | ||
| - { src: './config/idps/iptables-middleware.conf', dest: '/etc/fail2ban/action.d/' } | ||
|
|
||
| become: yes | ||
|
|
||
| - name: Restart Fail2ban | ||
| service: name=fail2ban state=restarted | ||
| become: yes | ||
|
|
||
| - name: Ensure apt cache is up to date | ||
| apt: update_cache=yes | ||
|
|
||
|
|
||
| - hosts: 127.0.0.1 | ||
| connection: local | ||
| become: yes | ||
| become_user: postgres | ||
| gather_facts: no | ||
|
|
||
| vars_files: | ||
| - host_vars/idps | ||
|
|
||
| vars: | ||
| dbname: postgres | ||
| dbuser: postgres | ||
|
|
||
| tasks: | ||
|
|
||
| - name: Ensure database is created | ||
| postgresql_db: name={{dbname}} | ||
|
|
||
| - name: Ensure user has access to database | ||
| postgresql_user: db={{dbname}} name={{dbuser}} password={{db_password}} priv=ALL | ||
|
|
||
| - debug: | ||
| msg: "{{db_password}}" | ||
|
|
||
| - name: Ensure user does not have unnecessary privilege | ||
| postgresql_user: name={{dbuser}} role_attr_flags=SUPERUSER,CREATEDB | ||
|
|
||
| - name: Ensure no other user can access the database | ||
| postgresql_privs: db={{dbname}} role=PUBLIC type=database priv=ALL state=absent | ||
|
|
||
| - name: Install pgcrypto module | ||
| shell: "psql -d {{dbname}} -c 'create extension if not exists pgcrypto;'" | ||
|
|
||
| - name: Create table for storing logs | ||
| shell: "psql -U {{dbuser}} -d {{dbname}} -c 'CREATE TABLE IF NOT EXISTS logs(id serial NOT NULL,logline text,hash text,CONSTRAINT logs_pkey PRIMARY KEY (id))WITH (OIDS=FALSE);ALTER TABLE logs OWNER TO postgres;'" | ||
|
|
||
| - name: Create a PLSQL procedure to add hashes | ||
| shell: "psql -d {{dbname}} -f ./config/idps/function.sql" | ||
|
|
||
| - name: Create a trigger for insert | ||
| shell: "psql -d {{dbname}} -f ./config/idps/trigger.sql" | ||
|
|
||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters