Commit d5ca24b5 authored by nono's avatar nono 💻

Merge branch 'master' of git.laquadrature.net:lqdn-interne/piops-roles/security-lqdn

parents 72dd7ffd 38f83e29
Role Name
=========
A brief description of the role goes here.
Installation et configuration des protections appliquées aux serveurs de LQDN.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Aucunes.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
`keycloak_log_directory`
Où est le dossier dans lequel se trouve le log pour keycloak.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Aucunes.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
......
---
# tasks file for security-lqdn
# Configuration de sécurité
- name: Installation des paquets de sécurité
apt:
name: "{{ packages }}"
state: present
update_cache: yes
vars:
packages:
- fail2ban
- rkhunter
- portsentry
# Configuration des outils
# Fail2Ban
- name: Activation de fail2ban
systemd:
enabled: yes
name: fail2ban
- name: Configuration du fichier de configuration de fail2ban
template:
src: ../files/etc/fail2ban/fail2ban.conf.j2
dest: /etc/fail2ban/fail2ban.conf
owner: root
groupe: root
mode: 0644
- name: Configuration des prisons fail2ban
template:
src: ../files/etc/fail2ban/jail.local.j2
dest: /etc/fail2ban/jail.local
owner: root
groupe: root
mode: 0644
notify:
- Relance de fail2ban
# RKhunter
- name: Activation de rkhunter
systemd:
enabled: yes
name: rkhunter
- name: Configuration de rkhunter
template:
src: ../files/etc/rkhunter/rkhunter.conf.j2
dest: /etc/rkhunter.conf
owner: root
groupe: root
mode: 0644
notify:
- Relance de rkhunter
# Portsentry
- name: Configuration de /etc/portsentry/portsentry.conf
template:
src: ../files/etc/portsentry/portsentry.conf.j2
dest: /etc/portsentry/portsentry.conf
owner: root
group: root
mode: 0644
notify: Relance de portsentry
- name: Configuration de /etc/portsentry/portsentry.ignore.static
template:
src: ../files/etc/portsentry/portsentry.ignore.static.j2
dest: /etc/portsentry/portsentry.ignore.static
owner: root
group: root
mode: 0644
notify: Relance de portsentry
- name: Activation de portsentry
systemd:
enabled: yes
name: portsentry
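Review bot: The three `Activation de …` tasks (fail2ban, rkhunter, portsentry) only set `enabled: yes`, so the units are enabled for the next boot but never started; on a freshly provisioned host none of the protections is running until a reboot. Add `state: started` under each `systemd:` block alongside `name:` and `enabled:`. The `yes` here and in `update_cache: yes` are YAML 1.1 truthy spellings; `true` is the portable form. rkhunter is normally cron-driven on Debian, so confirm a `rkhunter` systemd unit actually exists on the targets before enabling it, otherwise that task errors on first run.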
......@@ -9,7 +9,7 @@
- name: Relance de rkhunter
systemd:
name: rsyslog
state: reload
state: restart
- name: Relance de portsentry
systemd:
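Review bot: The handler `Relance de rkhunter` (hunk `@@ -9,7 +9,7 @@`) acts on `name: rsyslog`, not on rkhunter, and the change only switches that unit from `reload` to `restart`; it is notified by the `Configuration de rkhunter` task, so a change to `/etc/rkhunter.conf` restarts the syslog daemon while rkhunter itself is untouched. If restarting rsyslog is the intent, rename the handler to say so, e.g. `- name: Relance de rsyslog`, and notify it under that name; otherwise point `name:` at the rkhunter unit or drop the notify. The handler list continues past the end of the hunk.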
......
......@@ -13,6 +13,7 @@
- fail2ban
- rkhunter
- portsentry
- lynis
# Configuration des outils
......@@ -26,35 +27,50 @@
- name: Configuration du fichier de configuration de fail2ban
template:
src: ../files/etc/fail2ban/fail2ban.conf.j2
src: fail2ban/fail2ban.conf.j2
dest: /etc/fail2ban/fail2ban.conf
owner: root
groupe: root
group: root
mode: 0644
- name: Configuration des prisons fail2ban
template:
src: ../files/etc/fail2ban/jail.local.j2
src: fail2ban/jail.local.j2
dest: /etc/fail2ban/jail.local
owner: root
groupe: root
group: root
mode: 0644
notify:
- Relance de fail2ban
# RKhunter
- name: Ajout des filtres en plus
template:
src: fail2ban/filter.keycloak.conf
dest: /etc/fail2ban/filter.d/keycloak.conf
owner: root
group: root
mode: 0644
notify:
- Relance de fail2ban
- name: Activation de rkhunter
systemd:
enabled: yes
name: rkhunter
- name: Ajout des prisons en plus
template:
src: fail2ban/jail.keycloak.conf.j2
dest: /etc/fail2ban/jail.d/keycloak.conf
owner: root
group: root
mode: 0644
notify:
- Relance de fail2ban
# RKhunter
- name: Configuration de rkhunter
template:
src: ../files/etc/rkhunter/rkhunter.conf.j2
src: rkhunter/rkhunter.conf.j2
dest: /etc/rkhunter.conf
owner: root
groupe: root
group: root
mode: 0644
notify:
- Relance de rkhunter
......@@ -63,7 +79,7 @@
- name: Configuration de /etc/portsentry/portsentry.conf
template:
src: ../files/etc/portsentry/portsentry.conf.j2
src: portsentry/portsentry.conf.j2
dest: /etc/portsentry/portsentry.conf
owner: root
group: root
......@@ -72,7 +88,7 @@
- name: Configuration de /etc/portsentry/portsentry.ignore.static
template:
src: ../files/etc/portsentry/portsentry.ignore.static.j2
src: portsentry/portsentry.ignore.static.j2
dest: /etc/portsentry/portsentry.ignore.static
owner: root
group: root
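Review bot: The two new Keycloak tasks in the `@@ -26,35 +27,50 @@` hunk (`Ajout des filtres en plus`, `Ajout des prisons en plus`) run unconditionally, yet the jail they deploy is `enabled = true` with a logpath built from `keycloak_log_directory`; on a host where that variable is undefined the template task fails, and on a host without Keycloak the jail points at a log that does not exist and fail2ban will refuse to start that jail. Guard both tasks with `when: keycloak_log_directory is defined` (or a role default that switches the Keycloak jail on per host). `src: fail2ban/filter.keycloak.conf` is the only source without a `.j2` suffix but is still pushed through `template`; its content on this page has no Jinja expressions, so `copy` would be the consistent module and avoids any accidental rendering. `lynis` is added to the package list in the first hunk but nothing in the visible hunks configures or schedules it; if the rest of the file does not either, a scheduled run or at least a comment explaining the intent would be worth adding.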
......
[INCLUDES]
before = common.conf
[Definition]
_threadName = [a-z][-_0-9a-z]*(\s[a-z][-_0-9a-z]*)*
_userId = (null|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})
_realmName = ([a-zA-Z][-_a-zA-Z0-9]*)
_clientId = (security-admin-console|null|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})
failregex =
^.*WARN\s+\[org\.keycloak\.events\]\s+\(%(_threadName)s\) type=LOGIN_ERROR, realmId=%(_realmName)s, clientId=%(_clientId)s, userId=%(_userId)s, ipAddress=<HOST>,
ignoreregex =
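Review bot: The filter has no header comment saying which log line it was written against, and `failregex` is tightly bound to one format, including the trailing comma after `ipAddress=<HOST>`; add a comment such as `# Fail2Ban filter for Keycloak: bans <HOST> on org.keycloak.events WARN lines with type=LOGIN_ERROR` plus one sample matching line, so the expression can be re-validated with fail2ban-regex after a Keycloak upgrade. `_userId` and `_clientId` each repeat the same UUID pattern; a single `_uuid` definition interpolated with `%(_uuid)s` in both would keep them in sync. If Keycloak runs behind a reverse proxy, `ipAddress` is presumably the proxy address unless forwarding of the client address is configured in Keycloak, in which case a ban would hit the proxy rather than the client — worth confirming on the deployment this targets.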
[keycloak]
enabled = true
port = https,8443
logpath = {{ keycloak_log_directory }}/server.log
maxretry = 6
findtime = 600
bantime = 600
......@@ -86,7 +86,8 @@ bantime.factor = 2
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = {{ serveur_bastion.ipv4_du_serveur }} 127.0.0.1/8 ::1
ignoreip = 127.0.0.1/8 91.194.60.0/23 193.56.58.0/24 185.34.32.0/22 212.83.165.226 10.0.0.0/8 ::1
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
......@@ -172,7 +173,7 @@ filter = %(__name__)s[mode=%(mode)s]
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = {{ sysadmin_email[0] }}
destemail = {{ sysadmin_email }}
# Sender email address used solely for some actions
sender = fail2ban@<fq-hostname>
......@@ -262,7 +263,7 @@ action_abuseipdb = abuseipdb
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)mwl
action = %(action_mwl)s
#
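Review bot: The new `ignoreip` in the `@@ -86,7 +86,8 @@` hunk hard-codes the whitelist in the template and drops the `serveur_bastion` variable, so it can no longer be adjusted per host, and it exempts the whole `10.0.0.0/8` range from banning — any host on that private space can fail logins without limit. Keep the list in a role variable, e.g. `ignoreip = {{ fail2ban_ignoreip | join(' ') }}` with the addresses as a default in defaults/main.yml, and narrow `10.0.0.0/8` to the subnets that actually need the exemption. In the `@@ -172,7 +173,7 @@` hunk `destemail = {{ sysadmin_email }}` drops the `[0]` index; if `sysadmin_email` is still a list in the inventory this renders as a Python list literal, so confirm its type before merging.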
......