Mise à jour du README, et configuration de nouveaux outils ( WIP )

README.md

@@ -3,6 +3,19 @@ Role Name
 
 Installation et configuration des protections appliquées aux serveurs de LQDN.
 
+Ce rôle va installer les paquets de sécurité suivant :
+
+- fail2ban : limite les accès réseaux et détecte les attaques
+- portsentry : surveillance des ports réseaux des machines
+- rkhunter : surveillance des binaires et des modifications de la machine.
+- tripwire : surveillance des binaires et des modifications de la machine.
+- auditd : garder une trace de toutes les modifications de la machine.
+- lynis : un outil de vérification de la sécurité de la machine.
+
+et les configurer par défaut. Chaque service va ensuite pouvoir (re) définir des variables, pour être effectif au maximum.
+
+Par exemple, les ports étant surveillé par portsentry, ou fail2ban, les fichiers surveillé par tripwire ou fail2ban.
+
 Requirements
 ------------
 

tasks/fail2ban.yml

+# Fail2Ban
+
+- name: Activation de fail2ban
+  systemd:
+    enabled: yes
+    name: fail2ban
+
+
+- name: Configuration du fichier de configuration de fail2ban
+  template:
+    src: fail2ban/fail2ban.conf.j2
+    dest: /etc/fail2ban/fail2ban.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Configuration des prisons fail2ban
+  template:
+    src: fail2ban/jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Relance de fail2ban
+
+- name: Ajout des filtres en plus
+  template:
+    src: fail2ban/filter.keycloak.conf
+    dest: /etc/fail2ban/filter.d/keycloak.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Relance de fail2ban
+
+- name: Ajout des prisons en plus
+  template:
+    src: fail2ban/jail.keycloak.conf.j2
+    dest: /etc/fail2ban/jail.d/keycloak.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Relance de fail2ban

tasks/lynis.yml

+# Lynis
+
+- name: Configuration de /etc/lynis/custom.prf
+  template:
+    src: lynis/custom.prf.j2
+    dest: /etc/lynis/custom.prj
+    owner: root
+    group: root
+    mode: 0644

tasks/main.yml

@@ -14,88 +14,12 @@
         - rkhunter
         - portsentry
         - lynis
+        - tripwire
 
 # Configuration des outils
 
-# Fail2Ban
-
-- name: Activation de fail2ban
-  systemd:
-    enabled: yes
-    name: fail2ban
-
-
-- name: Configuration du fichier de configuration de fail2ban
-  template:
-    src: fail2ban/fail2ban.conf.j2
-    dest: /etc/fail2ban/fail2ban.conf
-    owner: root
-    group: root
-    mode: 0644
-
-- name: Configuration des prisons fail2ban
-  template:
-    src: fail2ban/jail.local.j2
-    dest: /etc/fail2ban/jail.local
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - Relance de fail2ban
-
-- name: Ajout des filtres en plus
-  template:
-    src: fail2ban/filter.keycloak.conf
-    dest: /etc/fail2ban/filter.d/keycloak.conf
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - Relance de fail2ban
-
-- name: Ajout des prisons en plus
-  template:
-    src: fail2ban/jail.keycloak.conf.j2
-    dest: /etc/fail2ban/jail.d/keycloak.conf
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - Relance de fail2ban
-
-# RKhunter
-
-- name: Configuration de rkhunter
-  template:
-    src: rkhunter/rkhunter.conf.j2
-    dest: /etc/rkhunter.conf
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - Relance de rkhunter
-
-# Portsentry
-
-- name: Configuration de /etc/portsentry/portsentry.conf
-  template:
-    src: portsentry/portsentry.conf.j2
-    dest: /etc/portsentry/portsentry.conf
-    owner: root
-    group: root
-    mode: 0644
-  notify: Relance de portsentry
-
-- name: Configuration de /etc/portsentry/portsentry.ignore.static
-  template:
-    src: portsentry/portsentry.ignore.static.j2
-    dest: /etc/portsentry/portsentry.ignore.static
-    owner: root
-    group: root
-    mode: 0644
-  notify: Relance de portsentry
-
-- name: Activation de portsentry
-  systemd:
-    enabled: yes
-    name: portsentry
+include: fail2ban.yml
+include: rkhunter.yml
+include: portsentry.yml
+include: lynis.yml
+include: tripwire.yml

tasks/portsentry.yml

+# Portsentry
+
+- name: Configuration de /etc/portsentry/portsentry.conf
+  template:
+    src: portsentry/portsentry.conf.j2
+    dest: /etc/portsentry/portsentry.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Relance de portsentry
+
+- name: Configuration de /etc/portsentry/portsentry.ignore.static
+  template:
+    src: portsentry/portsentry.ignore.static.j2
+    dest: /etc/portsentry/portsentry.ignore.static
+    owner: root
+    group: root
+    mode: 0644
+  notify: Relance de portsentry
+
+- name: Activation de portsentry
+  systemd:
+    enabled: yes
+    name: portsentry

tasks/rkhunter.yml

+# RKhunter
+
+- name: Configuration de rkhunter
+  template:
+    src: rkhunter/rkhunter.conf.j2
+    dest: /etc/rkhunter.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Relance de rkhunter

vars/main.yml

 ---
 # vars file for security-lqdn
 
+
+## Portsentry
+
 portsentry_tcp_ports: >-
   1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,
   27665,31337,32771,32772,32773,32774,40421,49724,54320
@@ -19,3 +22,11 @@ portsentry_kill_route: /sbin/iptables -I INPUT -s $TARGET$ -j DROP
 portsentry_scan_trigger: 0
 
 portsentry_ignore_static: []
+
+## Fail2ban
+
+## Auditd
+
+## rkhunter
+
+## Lynis