Commit a01a5453 authored by nono 💻

Update of the README, and configuration of new tools (WIP)

parent d5ca24b5
......@@ -3,6 +3,19 @@ Role Name
Installation et configuration des protections appliquées aux serveurs de LQDN.
Ce rôle va installer les paquets de sécurité suivant :
- fail2ban : limite les accès réseaux et détecte les attaques
- portsentry : surveillance des ports réseaux des machines
- rkhunter : surveillance des binaires et des modifications de la machine.
- tripwire : surveillance des binaires et des modifications de la machine.
- auditd : garder une trace de toutes les modifications de la machine.
- lynis : un outil de vérification de la sécurité de la machine.
et les configurer par défaut. Chaque service va ensuite pouvoir (re) définir des variables, pour être effectif au maximum.
Par exemple, les ports étant surveillé par portsentry, ou fail2ban, les fichiers surveillé par tripwire ou fail2ban.
Requirements
------------
......
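Review bot: The example sentence at the end of the added README text names fail2ban twice ("les fichiers surveillé par tripwire ou fail2ban"); the second one was probably meant to be rkhunter, the other file-monitoring tool in the list. The list also announces auditd among the tools configured by default, but none of the include lines added elsewhere in this commit covers it, so flag it as not yet done while the commit is WIP.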
# Fail2Ban
- name: Activation de fail2ban
systemd:
enabled: yes
name: fail2ban
- name: Configuration du fichier de configuration de fail2ban
template:
src: fail2ban/fail2ban.conf.j2
dest: /etc/fail2ban/fail2ban.conf
owner: root
group: root
mode: 0644
- name: Configuration des prisons fail2ban
template:
src: fail2ban/jail.local.j2
dest: /etc/fail2ban/jail.local
owner: root
group: root
mode: 0644
notify:
- Relance de fail2ban
- name: Ajout des filtres en plus
template:
src: fail2ban/filter.keycloak.conf
dest: /etc/fail2ban/filter.d/keycloak.conf
owner: root
group: root
mode: 0644
notify:
- Relance de fail2ban
- name: Ajout des prisons en plus
template:
src: fail2ban/jail.keycloak.conf.j2
dest: /etc/fail2ban/jail.d/keycloak.conf
owner: root
group: root
mode: 0644
notify:
- Relance de fail2ban
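Review bot: The task "Configuration du fichier de configuration de fail2ban" is the only template task here without a notify, so a change to /etc/fail2ban/fail2ban.conf is not picked up until something else triggers "Relance de fail2ban"; add the same notify as the other tasks. Also, "Ajout des filtres en plus" runs the template module on fail2ban/filter.keycloak.conf, which has no .j2 suffix unlike the other sources: if the file is static, the copy module avoids Jinja2 interpreting anything in the filter's regular expressions, and if it is a template, rename it for consistency.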
# Lynis
- name: Configuration de /etc/lynis/custom.prf
template:
src: lynis/custom.prf.j2
dest: /etc/lynis/custom.prj
owner: root
group: root
mode: 0644
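Review bot: dest is /etc/lynis/custom.prj while the task name says /etc/lynis/custom.prf. Lynis looks for a custom.prf profile, so with the .prj name the custom profile will not be read; change dest to /etc/lynis/custom.prf.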
......@@ -14,88 +14,12 @@
- rkhunter
- portsentry
- lynis
- tripwire
# Configuration des outils
# Fail2Ban
- name: Activation de fail2ban
systemd:
enabled: yes
name: fail2ban
- name: Configuration du fichier de configuration de fail2ban
template:
src: fail2ban/fail2ban.conf.j2
dest: /etc/fail2ban/fail2ban.conf
owner: root
group: root
mode: 0644
- name: Configuration des prisons fail2ban
template:
src: fail2ban/jail.local.j2
dest: /etc/fail2ban/jail.local
owner: root
group: root
mode: 0644
notify:
- Relance de fail2ban
- name: Ajout des filtres en plus
template:
src: fail2ban/filter.keycloak.conf
dest: /etc/fail2ban/filter.d/keycloak.conf
owner: root
group: root
mode: 0644
notify:
- Relance de fail2ban
- name: Ajout des prisons en plus
template:
src: fail2ban/jail.keycloak.conf.j2
dest: /etc/fail2ban/jail.d/keycloak.conf
owner: root
group: root
mode: 0644
notify:
- Relance de fail2ban
# RKhunter
- name: Configuration de rkhunter
template:
src: rkhunter/rkhunter.conf.j2
dest: /etc/rkhunter.conf
owner: root
group: root
mode: 0644
notify:
- Relance de rkhunter
# Portsentry
- name: Configuration de /etc/portsentry/portsentry.conf
template:
src: portsentry/portsentry.conf.j2
dest: /etc/portsentry/portsentry.conf
owner: root
group: root
mode: 0644
notify: Relance de portsentry
- name: Configuration de /etc/portsentry/portsentry.ignore.static
template:
src: portsentry/portsentry.ignore.static.j2
dest: /etc/portsentry/portsentry.ignore.static
owner: root
group: root
mode: 0644
notify: Relance de portsentry
- name: Activation de portsentry
systemd:
enabled: yes
name: portsentry
include: fail2ban.yml
include: rkhunter.yml
include: portsentry.yml
include: lynis.yml
include: tripwire.yml
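Review bot: The five include lines at the end of the hunk are shown without a leading "- ", unlike every task around them, so as written they are not entries of the task list and the file will not load as one. Make each one its own item, for example "- include_tasks: fail2ban.yml", which also moves off the bare include keyword that Ansible has deprecated.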
# Portsentry
- name: Configuration de /etc/portsentry/portsentry.conf
template:
src: portsentry/portsentry.conf.j2
dest: /etc/portsentry/portsentry.conf
owner: root
group: root
mode: 0644
notify: Relance de portsentry
- name: Configuration de /etc/portsentry/portsentry.ignore.static
template:
src: portsentry/portsentry.ignore.static.j2
dest: /etc/portsentry/portsentry.ignore.static
owner: root
group: root
mode: 0644
notify: Relance de portsentry
- name: Activation de portsentry
systemd:
enabled: yes
name: portsentry
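Review bot: "Activation de portsentry" sets only enabled: yes, which makes the unit start at boot but does not guarantee it is running once the play finishes. Add state: started if the role is meant to leave the host protected right after the first run.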
# RKhunter
- name: Configuration de rkhunter
template:
src: rkhunter/rkhunter.conf.j2
dest: /etc/rkhunter.conf
owner: root
group: root
mode: 0644
notify:
- Relance de rkhunter
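Review bot: notify points at "Relance de rkhunter", but rkhunter is a scanner run on demand or from cron, not a service with something to restart, and the handler is not part of the visible diff. Check that the handler does something meaningful after a configuration change, such as a configuration check, rather than a service restart that would fail.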
This diff is collapsed.
---
# vars file for security-lqdn
## Portsentry
portsentry_tcp_ports: >-
1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,
27665,31337,32771,32772,32773,32774,40421,49724,54320
......@@ -19,3 +22,11 @@ portsentry_kill_route: /sbin/iptables -I INPUT -s $TARGET$ -j DROP
portsentry_scan_trigger: 0
portsentry_ignore_static: []
## Fail2ban
## Auditd
## rkhunter
## Lynis
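Review bot: The four headers added at the end ("## Fail2ban", "## Auditd", "## rkhunter", "## Lynis") carry no variables, while the README in this commit says each service can redefine variables; add the defaults the new templates rely on, or leave the headers out until they exist. Separately, the context lines show portsentry_scan_trigger: 0 and an empty portsentry_ignore_static next to a kill route that inserts an iptables DROP, so no host is exempt from an immediate block; seed the ignore list with the administration hosts before this is rolled out.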