-
Notifications
You must be signed in to change notification settings - Fork 6
/
configure.yml
234 lines (188 loc) · 6.48 KB
/
configure.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
- hosts: all
remote_user: ubuntu
become: true
gather_facts: yes
vars_files:
- variables.yml
- elastic-cloud.yml
tasks:
# System
- name: Update and upgrade apt packages
apt: upgrade=dist force_apt_get=yes update_cache=yes
- name: Install auditd, which this example is about
apt: name=auditd
- name: Install NTP to avoid time drift and PIP to manage Python dependencies plus its build tools
apt:
name: [ 'ntp', 'ntpdate', 'python3-pip', 'build-essential', 'libssl-dev', 'libffi-dev', 'whois' ]
- name: Install the pyOpenSSL library, so Ansible can use it to check TLS certificates
pip: name=pyopenssl
# Add David
- name: Add David's user
user:
name: david
groups: sudo
shell: /bin/bash
state: present
- name: Placing key for David
authorized_key:
user: david
key: "{{ lookup('file', './files/david.pub') }}"
# SSH
- name: Allow passwordless sudo
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
- name: Add a group for developers
group:
name: developers
state: present
- name: Add a regular user
user:
name: elastic-user
password: $6$l7Sn6bScWFQXiC$YuhNHLTFpFrbKWu41aSGmgPkPYusesxsUEX01p8fkO2rApuVnutQVpx1JqJWXYS9eCrfo7oVsNT2PjLQ2lFOv1 #secret
groups: developers
shell: /bin/bash
state: present
- name: Create a file for that specific user only readable by them
template: src=templates/secret.txt dest=/home/elastic-user/secret.txt owner=elastic-user mode=0600
- name: Add a root user
user:
name: elastic-admin
password: $6$7z7Vma3Wv9Au$F2xYkqbDztG/o1sd7bHYeIq5.m73ueq1NmCd5mZMFIWg1ENgUFQK0FR01b3/DOX204KfZ1rH4z2Il1layxTgv1 #mysecret
groups: sudo
shell: /bin/bash
state: present
- name: Allow our users to log in via SSH
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^AllowUsers'
line: 'AllowUsers ubuntu david elastic-user elastic-admin'
state: present
- name: Restart SSH
service: name=ssh state=restarted
# Beats
- name: Stop Auditd since it cannot run in parallel with Auditbeat
service: name=auditd state=stopped
- name: Set the Elasticsearch password for Beats
lineinfile:
dest: /tmp/cred
line: "{{ elasticsearch_password }}"
state: present
create: yes
mode: 0600
- name: Get the Beats
apt: deb={{ elastic_download }}/downloads/beats/{{ item }}/{{ item }}-{{ elastic_version }}-amd64.deb force_apt_get=yes
loop:
- auditbeat
- filebeat
- heartbeat
- metricbeat
- packetbeat
- name: Change the Beats configuration
template: "src=templates/{{ item }}.yml dest=/etc/{{ item }}/{{ item }}.yml"
loop:
- auditbeat
- filebeat
- heartbeat
- metricbeat
- packetbeat
- name: Create the Beats keystores
command: "{{ item }} keystore create --force"
loop:
- auditbeat
- filebeat
- heartbeat
- metricbeat
- packetbeat
- name: Set the password in the Beats keystore files
shell: cat /tmp/cred | {{ item }} keystore add ES_PWD --stdin --force
loop:
- auditbeat
- filebeat
- heartbeat
- metricbeat
- packetbeat
- name: Remove the password file
file:
path: /tmp/cred
state: absent
- name: Run the setup for all the beats (except Heartbeat — not needed)
shell: "{{ item }} setup"
loop:
- auditbeat
- filebeat
- metricbeat
- packetbeat
- name: Restart and make sure the Beats autostart
service: name={{ item }} state=restarted enabled=yes
loop:
- auditbeat
- filebeat
- heartbeat-elastic
- metricbeat
- packetbeat
# nginx
- name: Install nginx
apt: name=nginx force_apt_get=yes
- name: Stop nginx so that Certbot can bind to port 80
service: name=nginx state=stopped
- name: Install certbot
apt: name=python3-certbot-nginx
- name: Add domains to the certificate
set_fact:
certificates:
- "{{ inventory_hostname }}"
- "{{ domain }}"
- "www.{{ domain }}"
- name: Create the certificate
command: >
certbot certonly --non-interactive --standalone
--agree-tos --email admin@{{ domain }}
-d {{ certificates | join(',') }}
creates=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
- name: Add crontab to renew certificates every second month on Sunday night
cron:
name: Renew Let's Encrypt certificate
minute: "30"
hour: "3"
weekday: "0"
month: "*/2"
job: service nginx stop && certbot renew >> /var/log//var/log/letsencrypt/renew.log && service nginx start
- name: Generate strong dhparams, but only if the file doesn't exist
command: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 creates=/etc/ssl/certs/dhparam.pem
- name: Set a global TLS configuration
template: src=templates/tls.conf dest=/etc/nginx/tls.conf
- name: Change the nginx configuration
template: src=templates/nginx.conf dest=/etc/nginx/sites-available/default
- name: Provide an HTML index
template: src=templates/index.html dest=/var/www/html/index.html
- name: Restart Auditbeat to make sure it picks up the newly monitored directory
service: name=auditbeat state=restarted
- name: Restart nginx and make sure it autostarts
service: name=nginx state=restarted enabled=yes
- name: Check HTTP
uri:
url: "http://{{ inventory_hostname }}"
follow_redirects: none
status_code: 301
register: response
retries: 3
delay: 2
delegate_to: 127.0.0.1
become: false
- name: Fail if HTTP is not being redirected to HTTPS
fail:
when: response.status != 301
- name: Check HTTPS
openssl_certificate:
path: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
provider: assertonly
subject_alt_name:
- "DNS:{{ inventory_hostname }}"
- "DNS:{{ domain }}"
# Get firejail for seccomp demos
- name: Get and install seccomp
apt: deb=https://github.com/netblue30/firejail/releases/download/0.9.64.4/firejail_0.9.64.4_1_amd64.deb