├── .gitignore ├── README.md ├── group_vars └── all.yml ├── host_vars └── example.sharknet.us ├── production.hosts ├── roles ├── auditd │ ├── files │ │ ├── auditd.conf │ │ └── syslog.conf │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── audit.rules.j2 ├── base │ ├── files │ │ ├── RPM-GPG-KEY-EPEL-6 │ │ ├── bashrc │ │ ├── clock │ │ ├── control-alt-delete.override │ │ ├── csh.cshrc │ │ ├── disabled.conf │ │ ├── i18n │ │ ├── issue │ │ ├── keyboard │ │ ├── limits.conf │ │ ├── login.defs │ │ ├── maintenance.daily │ │ ├── maintenance.weekly │ │ ├── system-auth │ │ └── useradd │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── CentOS-Base.repo.j2 │ │ ├── epel.repo.j2 │ │ ├── sysctl.conf.j2 │ │ └── yum.conf.j2 ├── clamav │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── freshclam.conf.j2 ├── dhcp-server │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── 111_dhcp_server.j2 │ │ ├── dhcpd.conf.j2 │ │ └── dhcpd.j2 ├── end │ └── tasks │ │ └── main.yml ├── iptables │ ├── files │ │ └── 999_end │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── ferm.conf.j2 │ │ └── ferm6.conf.j2 ├── kickstart-server │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── host.cfg.j2 ├── mysql-server │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── 110_mysql_server.j2 │ │ └── my.cnf.j2 ├── network │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── ifcfg-eth.j2 │ │ ├── network.j2 │ │ ├── resolv.j2 │ │ ├── route-eth.j2 │ │ ├── rt_tables.j2 │ │ └── rule-eth.j2 ├── nginx-server │ ├── files │ │ ├── 120_web_server │ │ └── collectd_nginx_server │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── nginx.conf.j2 ├── ntp-client │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── ntp.conf.j2 ├── ntp-server │ ├── files │ │ └── 110_ntp_server 
│ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ └── ntp.conf.j2 ├── ossec-client │ ├── files │ │ └── RPM-GPG-KEY.art.txt │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── atomic.repo.j2 │ │ └── ossec-agent.conf.j2 ├── ossec-server │ ├── files │ │ ├── RPM-GPG-KEY.art.txt │ │ └── local_rules.xml │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── 100_ossec_server.j2 │ │ ├── atomic.repo.j2 │ │ ├── ossec-authd.j2 │ │ └── ossec-server.conf.j2 ├── squid-server │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── 108_squid_server.j2 │ │ └── squid.conf.j2 ├── ssh │ ├── files │ │ └── sshd_config │ ├── handlers │ │ └── main.yml │ └── tasks │ │ └── main.yml ├── syslog-ng-client │ ├── files │ │ ├── iptables.conf │ │ ├── iptables.logrotate │ │ ├── modules.conf │ │ └── syslog.logrotate │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── logrotate.conf.j2 │ │ └── syslog-ng.conf.j2 ├── syslog-ng-relay │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── 107_log_server.j2 │ │ ├── relay.conf.j2 │ │ └── syslog_server.rotate.j2 ├── syslog-ng-server │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── 107_log_server.j2 │ │ ├── server.conf.j2 │ │ └── syslog_server.rotate.j2 └── vm │ └── tasks │ ├── copy_vm.yml │ ├── create_vm.yml │ └── main.yml └── site.yml /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled source # 2 | ################### 3 | *.com 4 | *.class 5 | *.dll 6 | *.exe 7 | *.o 8 | *.so 9 | 10 | # Packages # 11 | ############ 12 | # it's better to unpack these files and commit the raw source 13 | # git has its own built in compression methods 14 | *.7z 15 | *.dmg 16 | *.gz 17 | *.iso 18 | *.jar 19 | *.rar 20 | *.tar 21 | *.zip 22 | 23 | # Logs and databases # 24 | ###################### 25 | 
*.log 26 | *.sql 27 | *.sqlite 28 | 29 | # OS generated files # 30 | ###################### 31 | .DS_Store 32 | .DS_Store? 33 | ._* 34 | .Spotlight-V100 35 | .Trashes 36 | ehthumbs.db 37 | Thumbs.db 38 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Management 2 | 3 | ## Introduction 4 | 5 | This is the Ansible playbook for my infrastructure. I'm sharing it so that it will save you some time and so that you will critique it. I'd like this playbook to eventually become a *best practice* configuration for CentOS servers. 6 | 7 | It's not entirely plug-n-play. My goal is that you can use these roles yourself unmodified by only changing the values in the `groups_vars/all` file. 8 | 9 | To run these plays I use the following Ansible command: `ansible-playbook -i production.hosts site.yml -K -k` 10 | 11 | ## Infrastructure Assumptions 12 | This playbook assumes several things about the IT infrastructure. It assumes a largely homogeneous set of servers that run only CentOS 6. These servers are VMs running in XenServer 6.2. The CentOS servers are hardened according to the US DISA STIG for RHEL 6. 13 | 14 | I also locally mirror the default and EPEL repositories. It doesn't take that much space but adds to the speed, stability, and security of my infrastructure. The way yum selects mirrors can product odd results. And I do not trust all mirrors equally. 15 | 16 | Even though your infrastructure is likely different than mine, many of these roles should work for you. Please check these closely before using them in your own environment. And please offer suggestions and improvements. 17 | 18 | ## Layout 19 | 20 | My goal is that the only configuration you have to do is to change the variable in the `group_vars/all` file and in the `host_vars/hostname` file. The group variables should define your network. 
The host variables configure an individual server. 21 | 22 | I use small roles to make the playbook more modular. I don't use role variables, only host and global ones. 23 | 24 | ## Roles 25 | Role specific considerations are found here. 26 | 27 | ### VM 28 | A play to create a Xen VM. 29 | 30 | ### Base 31 | The CentOS 6.5 configuration. This is fully SCAP (DISA STIG) compliant except for AIDE. I use OSSEC instead. It disables IPv6. It adds the EPEL repository in an unorthodox but well performing way. I mirror the CentOS and EPEL repos locally for speed and security. 32 | 33 | ### network 34 | A play to configure CentOS ethernet interfaces. See my [blog post](http://wp.me/p4iDAr-7V) for details. 35 | 36 | ### clamav 37 | This role runs clamav once per day via cron. It also updates the signatures once per day. It does not run the clamav daemon. 38 | 39 | ### iptables 40 | This role uses a helper application called 'ferm' to manage iptables. 41 | 42 | ### auditd 43 | This role uses the default CentOS configuration plus the DISA STIG settings. I have not added anything additional customizations. 44 | 45 | ### dhcp-server 46 | A basic ISC DHCP server configuration. 47 | 48 | ### kickstart-server 49 | This is meant to be run by the server that stores the kickstart files and serves them from the web. The interesting thing here is the kickstart template. It is SCAP compliant and Xen specific. 50 | 51 | ### mysql-server 52 | A basic mysql server setup. Automating the mysql post configuration was a huge challenge. I found bits and pieces on this on the web and put them togther. I'm grateful to those whol posted them. 53 | 54 | ### nginx-server 55 | A basic nginx web server setup. I include the collectd plugin. 56 | 57 | ### ntp-client 58 | A complete NTP client. 59 | 60 | ### ntp-server 61 | A, hopefully, well tuned NTP server configuration. I still want to look into crypto for this. 
62 | 63 | ### ssh 64 | An basic OpenSSH server configuration that conforms to the DISA STIG. See the `tasks/main.yml` file for a few variable you have to set. Change the `authorized_key` line to point to the path where you have the public key file for passwordless SSH. 65 | 66 | ### ossec-client 67 | A basic OSSEC client configuration. Uses out-of-the-box settings with the addition of a few simple extra rules to monitor IPtable and network ports. In your plays make sure the OSSEC server is running before you run the clients. The clients need to register with the server. 68 | 69 | ### ossec-server 70 | A basic OSSEC server using ut-of-the-box settings. This role is designed to serve as a relay for network devices that only speak syslog. The devices connect to syslog-ng on this server and their logs are stored as files for the OSSEC engine. The logs are then forwarded to the central logging server for archiving. 71 | 72 | See this [blog post](http://sharknet.us/2014/04/15/ansible-ossec-role) for details. 73 | 74 | ### squid-server 75 | A simple but functional squid server configuration. 76 | 77 | ### syslog-ng-client 78 | This role replace rsyslog with syslog-ng. It is a drop-in replacement for rsyslog. It also forwards logs to a central log server. I intend to add SSL to this role in the near future so that all log traffic is encrypted. 79 | 80 | ### syslog-ng-relay 81 | This is designed to be used with the `ossec-server` role. It listens for syslog for network traffic and does two things with it: stores it in a local file and forwards it to another syslog-ng server. 82 | 83 | ### syslog-ng-server 84 | This role allows the server to act as a central log archive. All device and host logs are sent to this server and stored as files, one per host. The raw logs are stored and could also be sent to a structured storage engine such as Elasticsearch. 85 | 86 | ### end 87 | As you may have guessed from its name, this role should run at the very end. 
It allows you to follow the Unix `directory.d` pattern. Roles can add files to a `dir.d` folder and then this role will cause the daemon being configured to restart. This is needed for iptables, collectd, and others. It makes up for the lack of support by Ansible for global handlers. -------------------------------------------------------------------------------- /group_vars/all.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | 4 | ####################################### 5 | # XenServer 6 | ####################################### 7 | centos_template_uuid: 8ad91af3-0075-f996-9c8b-d9301d4aa802 8 | primary_sr_uuid: 1b6766ac-9ed1-7300-aa11-2f2b7382ffe2 9 | vm_model_uuid: c8a1bf58-9d75-0601-ebde-ee18820819a3 10 | 11 | pool_master: example.sharknet.us 12 | 13 | 14 | ####################################### 15 | # General network 16 | ####################################### 17 | domain: sharknet.us 18 | centos_series: 6 19 | centos_version: 6.5 20 | centos_architecture: x86_64 21 | admin_email_address: 22 | language: en_US.UTF-8 23 | timezone: America/New_York 24 | keyboard: us 25 | 26 | ####################################### 27 | # Local subnets 28 | ####################################### 29 | subnets: 30 | - name: dev 31 | address: 192.168.11.0 32 | prefix: 24 33 | netmask: 255.255.255.0 34 | gateway: 192.168.11.1 35 | vlan_id: 11 36 | dhcp_start_address: 192.168.11.150 37 | dhcp_end_address: 192.168.11.200 38 | xen_uuid: 66eee33d-c564-2249-fdff-b1544250f342 39 | 40 | - name: staging 41 | address: 192.168.12.0 42 | prefix: 24 43 | netmask: 255.255.255.0 44 | gateway: 192.168.12.1 45 | vlan_id: 12 46 | dhcp_start_address: 192.168.12.150 47 | dhcp_end_address: 192.168.12.200 48 | xen_uuid: c0f140f4-02ba-45c3-3105-c73bea861c44 49 | 50 | - name: production 51 | address: 192.168.13.0 52 | prefix: 24 53 | netmask: 255.255.255.0 54 | gateway: 192.168.13.1 55 | vlan_id: 13 56 | dhcp_start_address: 192.168.13.150 57 | 
dhcp_end_address: 192.168.13.200 58 | xen_uuid: 0f14ef4d-1fa9-b0a1-7310-92e8c66f1494 59 | 60 | ####################################### 61 | # Squid proxy settings 62 | ####################################### 63 | web_proxy_hostname: example.sharknet.us 64 | web_proxy_ip_address: 192.168.x.x 65 | web_proxy_port: 3128 66 | web_proxy_cache_size: 2048 67 | 68 | ####################################### 69 | # SSH 70 | ####################################### 71 | admin_network: 192.168.x.x 72 | admin_network_CIDR: 24 73 | ssh_port: 22 74 | 75 | ####################################### 76 | # OSSEC 77 | ####################################### 78 | ossec_server_ip: 192.168.x.x 79 | ossec_authd_port: 1515 80 | ossec_server_port: 1514 81 | ossec_from_email: ossec@example.com 82 | ossec_server_hostname: ossec-server 83 | 84 | ####################################### 85 | # Repository configuration 86 | ####################################### 87 | default_repository_mirror_hostname: rsync://mirrors.usc.edu 88 | epel_repository_mirror_hostname: rsync://mirror.pnl.gov 89 | default_repository_hostname: example.sharknet.us 90 | epel_repository_hostname: example.sharknet.us 91 | kickstart_repository_hostname: example.sharknet.us 92 | 93 | default_repository_url: http://{{ default_repository_hostname }}/CentOS/{{ centos_series }}/os/{{ centos_architecture }}/ 94 | kickstart_url: http://{{ kickstart_repository_hostname }}/CentOS/kickstart 95 | epel_repository_url: http://{{ epel_repository_hostname }}/epel/{{ centos_series }}/ 96 | 97 | xen_tools_gzip_file_url: "{{ default_repository_hostname }}/XenServer-6.2.0/tools/xen_tools.tar.gz" 98 | 99 | mount_point: /mnt/storage/ 100 | storage_root: /mnt/storage/example 101 | 102 | repository_http_port: 80 103 | 104 | ####################################### 105 | # Server IP addresess 106 | ####################################### 107 | dns1_server_ip: 192.168.x.x 108 | dns2_server_ip: 192.168.x.x 109 | ossec_server_ip: 192.168.x.x 110 | 
collectd_server_ip: 192.168.x.x 111 | ntp_server_ip: 192.168.x.x 112 | email_server_relay_hostname: example.sharknet.us 113 | iscsi_server_ip: 192.168.x.x 114 | 115 | ####################################### 116 | # DHCP 117 | ####################################### 118 | dhcp_arguments: eth0 119 | 120 | ####################################### 121 | # Cron Scheduling 122 | ####################################### 123 | epel_repository_server_sync: 124 | hour: 1 125 | minute: 0 126 | 127 | default_repository_server_sync: 128 | hour: 2 129 | minute: 0 130 | 131 | clamav_scan: 132 | hour: 3 133 | minute: 0 134 | 135 | clamav_official_db_update: 136 | hour: 2 137 | minute: 0 138 | 139 | clamav_unofficial_db_update: 140 | hour: 2 141 | minute: 30 142 | 143 | ####################################### 144 | # NTP, Squid allowed nets 145 | ####################################### 146 | 147 | allowed_networks: 148 | - network: 192.168.x.x 149 | netmask: 255.255.255.0 150 | cidr: 24 151 | - network: 192.168.x.x 152 | netmask: 255.255.255.0 153 | cidr: 24 154 | 155 | 156 | ####################################### 157 | # SCAP 158 | ####################################### 159 | setuid_programs: 160 | - /sbin/netreport 161 | - /sbin/pam_timestamp_check 162 | - /sbin/unix_chkpwd 163 | - /usr/sbin/usernetctl 164 | - /usr/sbin/userhelper 165 | - /usr/bin/newgrp 166 | - /usr/bin/at 167 | - /usr/bin/pkexec 168 | - /usr/bin/gpasswd 169 | - /usr/bin/chsh 170 | - /usr/bin/crontab 171 | - /usr/bin/chfn 172 | - /usr/bin/sudo 173 | - /usr/bin/chage 174 | - /usr/bin/passwd 175 | - /usr/libexec/polkit-1/polkit-agent-helper-1 176 | - /usr/libexec/pt_chown 177 | - /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache 178 | - /usr/libexec/utempter/utempter 179 | - /usr/libexec/openssh/ssh-keysign 180 | - /bin/su 181 | - /bin/mount 182 | - /bin/umount 183 | - /bin/ping6 184 | - /bin/ping 185 | 186 | ####################################### 187 | # Logging 188 | 
####################################### 189 | 190 | log_server_ip: 192.168.x.x 191 | syslog_tcp_port: 514 192 | syslog_udp_port: 514 193 | remote_log_path: /var/log/remote 194 | ossec_server_hostname: example 195 | 196 | device_clients: 197 | - switch 198 | - router 199 | - wap 200 | - nas 201 | 202 | ####################################### 203 | # mySQL 204 | ####################################### 205 | mysql_server: example.sharknet.us 206 | mysql_tcp_port: 3306 207 | databases: 208 | - db1 209 | - db2 210 | 211 | 212 | ###################################################### 213 | # Passwords & Confidential Data: Going to vault soon. 214 | ##################################################### 215 | root_password_sha512_hash: 216 | admin_password_sha512_hash: 217 | mysql_root_password: 218 | 219 | mysql_users: 220 | - name: admin 221 | host: "%" 222 | password: 223 | priv: "db1.*:ALL/db2.*:ALL" 224 | - name: jiradbuser 225 | host: "%" 226 | password: 227 | priv: "jiradb.*:SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX" 228 | -------------------------------------------------------------------------------- /host_vars/example.sharknet.us: -------------------------------------------------------------------------------- 1 | --- 2 | # Role: NTP server 3 | 4 | hostname: example 5 | ram: 1GiB 6 | vcpus: 1 7 | storage: 40GiB 8 | default_gateway: 192.168.x.1 9 | dns: 10 | - "{{ dns1_server_ip }}" 11 | - "{{ dns2_server_ip }}" 12 | networks: 13 | - device_id: 0 14 | boot_protocol: none 15 | is_vlan: false 16 | configure_advanced_networking: false 17 | 18 | - device_id: 0 19 | boot_protocol: none 20 | ip_address: 192.168.13.13 21 | subnet_name: production 22 | vlan_id: .13 23 | prefix: 24 24 | is_vlan: true 25 | configure_advanced_networking: true 26 | 27 | - device_id: 0 28 | boot_protocol: none 29 | subnet_name: dev 30 | ip_address: 192.168.11.12 31 | vlan_id: .11 32 | prefix: 24 33 | is_vlan: true 34 | configure_advanced_networking: true 35 | 36 | partitions: 37 | 
var_size: 4096 38 | home_size: 5120 39 | -------------------------------------------------------------------------------- /production.hosts: -------------------------------------------------------------------------------- 1 | [vms] 2 | example.sharknet.us 3 | 4 | -------------------------------------------------------------------------------- /roles/auditd/files/auditd.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This file controls the configuration of the audit daemon 3 | # 4 | 5 | log_file = /var/log/audit/audit.log 6 | log_format = RAW 7 | log_group = root 8 | priority_boost = 4 9 | flush = INCREMENTAL 10 | freq = 20 11 | num_logs = 5 12 | disp_qos = lossy 13 | dispatcher = /sbin/audispd 14 | name_format = NONE 15 | ##name = mydomain 16 | max_log_file = 6 17 | max_log_file_action = ROTATE 18 | space_left = 75 19 | space_left_action = EMAIL 20 | action_mail_acct = root 21 | admin_space_left = 50 22 | admin_space_left_action = SINGLE 23 | disk_full_action = SYSLOG 24 | disk_error_action = SYSLOG 25 | ##tcp_listen_port = 26 | tcp_listen_queue = 5 27 | tcp_max_per_addr = 1 28 | ##tcp_client_ports = 1024-65535 29 | tcp_client_max_idle = 0 30 | enable_krb5 = no 31 | krb5_principal = auditd 32 | ##krb5_key_file = /etc/audit/audit.key 33 | -------------------------------------------------------------------------------- /roles/auditd/files/syslog.conf: -------------------------------------------------------------------------------- 1 | # This file controls the configuration of the syslog plugin. 2 | # It simply takes events and writes them to syslog. The 3 | # arguments provided can be the default priority that you 4 | # want the events written with. And optionally, you can give 5 | # a second argument indicating the facility that you want events 6 | # logged to. Valid options are LOG_LOCAL0 through 7. 
7 | 8 | active = yes 9 | direction = out 10 | path = builtin_syslog 11 | type = builtin 12 | args = LOG_INFO 13 | format = string -------------------------------------------------------------------------------- /roles/auditd/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: restart auditd 4 | service: name=auditd state=restarted -------------------------------------------------------------------------------- /roles/auditd/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Set auditd configuration 4 | copy: src=auditd.conf dest=/etc/audit/auditd.conf owner=root group=root mode=0640 5 | notify: 6 | - restart auditd 7 | 8 | - name: Set audit rules 9 | template: src=audit.rules.j2 dest=/etc/audit/audit.rules owner=root group=root mode=0640 10 | notify: 11 | - restart auditd 12 | 13 | - name: Enable syslog plugin 14 | copy: src=syslog.conf 15 | dest=/etc/audisp/plugins.d/syslog.conf 16 | owner=root 17 | group=root 18 | mode=0640 19 | 20 | - name: Enable auditing 21 | service: name=auditd 22 | state=started 23 | enabled=yes -------------------------------------------------------------------------------- /roles/auditd/templates/audit.rules.j2: -------------------------------------------------------------------------------- 1 | # This file contains the auditctl rules that are loaded 2 | # whenever the audit daemon is started via the initscripts. 3 | # The rules are simply the parameters that would be passed 4 | # to auditctl. 5 | 6 | # First rule - delete all 7 | -D 8 | 9 | # Increase the buffers to survive stress events. 10 | # Make this bigger for busy systems 11 | -b 320 12 | 13 | # Feel free to add below this line. 
See auditctl man page 14 | 15 | # audit_time_rules 16 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules 17 | -w /etc/localtime -p wa -k audit_time_rules 18 | 19 | # audit_account_changes 20 | -w /etc/group -p wa -k audit_account_changes 21 | -w /etc/passwd -p wa -k audit_account_changes 22 | -w /etc/gshadow -p wa -k audit_account_changes 23 | -w /etc/shadow -p wa -k audit_account_changes 24 | -w /etc/security/opasswd -p wa -k audit_account_changes 25 | 26 | # audit_network_modifications 27 | -a exit,always -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications 28 | -w /etc/issue -p wa -k audit_network_modifications 29 | -w /etc/issue.net -p wa -k audit_network_modifications 30 | -w /etc/hosts -p wa -k audit_network_modifications 31 | -w /etc/sysconfig/network -p wa -k audit_network_modifications 32 | 33 | # SELinux 34 | -w /etc/selinux/ -p wa -k MAC-policy 35 | 36 | -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod 37 | -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod 38 | -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod 39 | -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 40 | -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod 41 | -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod 42 | -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 43 | -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod 44 | -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod 45 | -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 46 | -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod 47 | -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod 48 | -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod 49 | 50 | # Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) 51 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access 52 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access 53 | 54 | # Ensure auditd Collects Information on the Use of Privileged Commands 55 | {% for item in setuid_programs %} 56 | -a always,exit -F path={{ item }} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 57 | {% endfor %} 58 | 59 | # Ensure auditd Collects Information on Exporting to Media (successful) 60 | -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export 61 | 62 | # Ensure auditd Collects File Deletion Events by User 63 | -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 64 | 65 | # Ensure auditd Collects System Administrator Actions 66 | -w /etc/sudoers -p wa -k actions 67 | 68 | # Ensure auditd Collects Information on Kernel Module Loading and Unloading 69 | -w /sbin/insmod -p x -k modules 70 | -w /sbin/rmmod -p x -k modules 71 | -w /sbin/modprobe -p x -k modules 72 | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules 73 | 74 | # Audit setuid programs 75 | -a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -------------------------------------------------------------------------------- /roles/base/files/RPM-GPG-KEY-EPEL-6: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | Version: GnuPG v1.4.5 (GNU/Linux) 3 | 4 | mQINBEvSKUIBEADLGnUj24ZVKW7liFN/JA5CgtzlNnKs7sBg7fVbNWryiE3URbn1 5 | JXvrdwHtkKyY96/ifZ1Ld3lE2gOF61bGZ2CWwJNee76Sp9Z+isP8RQXbG5jwj/4B 6 | 
M9HK7phktqFVJ8VbY2jfTjcfxRvGM8YBwXF8hx0CDZURAjvf1xRSQJ7iAo58qcHn 7 | XtxOAvQmAbR9z6Q/h/D+Y/PhoIJp1OV4VNHCbCs9M7HUVBpgC53PDcTUQuwcgeY6 8 | pQgo9eT1eLNSZVrJ5Bctivl1UcD6P6CIGkkeT2gNhqindRPngUXGXW7Qzoefe+fV 9 | QqJSm7Tq2q9oqVZ46J964waCRItRySpuW5dxZO34WM6wsw2BP2MlACbH4l3luqtp 10 | Xo3Bvfnk+HAFH3HcMuwdaulxv7zYKXCfNoSfgrpEfo2Ex4Im/I3WdtwME/Gbnwdq 11 | 3VJzgAxLVFhczDHwNkjmIdPAlNJ9/ixRjip4dgZtW8VcBCrNoL+LhDrIfjvnLdRu 12 | vBHy9P3sCF7FZycaHlMWP6RiLtHnEMGcbZ8QpQHi2dReU1wyr9QgguGU+jqSXYar 13 | 1yEcsdRGasppNIZ8+Qawbm/a4doT10TEtPArhSoHlwbvqTDYjtfV92lC/2iwgO6g 14 | YgG9XrO4V8dV39Ffm7oLFfvTbg5mv4Q/E6AWo/gkjmtxkculbyAvjFtYAQARAQAB 15 | tCFFUEVMICg2KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAjYEEwECACAFAkvS 16 | KUICGw8GCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRA7Sd8qBgi4lR/GD/wLGPv9 17 | qO39eyb9NlrwfKdUEo1tHxKdrhNz+XYrO4yVDTBZRPSuvL2yaoeSIhQOKhNPfEgT 18 | 9mdsbsgcfmoHxmGVcn+lbheWsSvcgrXuz0gLt8TGGKGGROAoLXpuUsb1HNtKEOwP 19 | Q4z1uQ2nOz5hLRyDOV0I2LwYV8BjGIjBKUMFEUxFTsL7XOZkrAg/WbTH2PW3hrfS 20 | WtcRA7EYonI3B80d39ffws7SmyKbS5PmZjqOPuTvV2F0tMhKIhncBwoojWZPExft 21 | HpKhzKVh8fdDO/3P1y1Fk3Cin8UbCO9MWMFNR27fVzCANlEPljsHA+3Ez4F7uboF 22 | p0OOEov4Yyi4BEbgqZnthTG4ub9nyiupIZ3ckPHr3nVcDUGcL6lQD/nkmNVIeLYP 23 | x1uHPOSlWfuojAYgzRH6LL7Idg4FHHBA0to7FW8dQXFIOyNiJFAOT2j8P5+tVdq8 24 | wB0PDSH8yRpn4HdJ9RYquau4OkjluxOWf0uRaS//SUcCZh+1/KBEOmcvBHYRZA5J 25 | l/nakCgxGb2paQOzqqpOcHKvlyLuzO5uybMXaipLExTGJXBlXrbbASfXa/yGYSAG 26 | iVrGz9CE6676dMlm8F+s3XXE13QZrXmjloc6jwOljnfAkjTGXjiB7OULESed96MR 27 | XtfLk0W5Ab9pd7tKDR6QHI7rgHXfCopRnZ2VVQ== 28 | =V/6I 29 | -----END PGP PUBLIC KEY BLOCK----- 30 | -------------------------------------------------------------------------------- /roles/base/files/bashrc: -------------------------------------------------------------------------------- 1 | # /etc/bashrc 2 | 3 | # System wide functions and aliases 4 | # Environment stuff goes in /etc/profile 5 | 6 | # It's NOT a good idea to change this file unless you know what you 7 | # are doing. 
It's much better to create a custom.sh shell script in 8 | # /etc/profile.d/ to make custom changes to your environment, as this 9 | # will prevent the need for merging in future updates. 10 | 11 | # are we an interactive shell? 12 | if [ "$PS1" ]; then 13 | if [ -z "$PROMPT_COMMAND" ]; then 14 | case $TERM in 15 | xterm*) 16 | if [ -e /etc/sysconfig/bash-prompt-xterm ]; then 17 | PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm 18 | else 19 | PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"' 20 | fi 21 | ;; 22 | screen) 23 | if [ -e /etc/sysconfig/bash-prompt-screen ]; then 24 | PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen 25 | else 26 | PROMPT_COMMAND='printf "\033]0;%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"' 27 | fi 28 | ;; 29 | *) 30 | [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default 31 | ;; 32 | esac 33 | fi 34 | # Turn on checkwinsize 35 | shopt -s checkwinsize 36 | [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ " 37 | # You might want to have e.g. tty in prompt (e.g. more virtual machines) 38 | # and console windows 39 | # If you want to do so, just add e.g. 40 | # if [ "$PS1" ]; then 41 | # PS1="[\u@\h:\l \W]\\$ " 42 | # fi 43 | # to your custom modification shell script in /etc/profile.d/ directory 44 | fi 45 | 46 | if ! shopt -q login_shell ; then # We're not a login shell 47 | # Need to redefine pathmunge, it get's undefined at the end of /etc/profile 48 | pathmunge () { 49 | case ":${PATH}:" in 50 | *:"$1":*) 51 | ;; 52 | *) 53 | if [ "$2" = "after" ] ; then 54 | PATH=$PATH:$1 55 | else 56 | PATH=$1:$PATH 57 | fi 58 | esac 59 | } 60 | 61 | # By default, we want umask to get set. This sets it for non-login shell. 
62 | # Current threshold for system reserved uid/gids is 200 63 | # You could check uidgid reservation validity in 64 | # /usr/share/doc/setup-*/uidgid file 65 | #if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then 66 | # umask 002 67 | #else 68 | # umask 022 69 | #fi 70 | umask 077 71 | 72 | # Only display echos from profile.d scripts if we are no login shell 73 | # and interactive - otherwise just process them to set envvars 74 | for i in /etc/profile.d/*.sh; do 75 | if [ -r "$i" ]; then 76 | if [ "$PS1" ]; then 77 | . "$i" 78 | else 79 | . "$i" >/dev/null 2>&1 80 | fi 81 | fi 82 | done 83 | 84 | unset i 85 | unset pathmunge 86 | fi 87 | # vim:ts=4:sw=4 88 | -------------------------------------------------------------------------------- /roles/base/files/clock: -------------------------------------------------------------------------------- 1 | ZONE="America/New_York" -------------------------------------------------------------------------------- /roles/base/files/control-alt-delete.override: -------------------------------------------------------------------------------- 1 | exec /usr/bin/logger -p security.info "Ctrl-Alt-Delete pressed" -------------------------------------------------------------------------------- /roles/base/files/csh.cshrc: -------------------------------------------------------------------------------- 1 | # /etc/cshrc 2 | # 3 | # csh configuration for all shell invocations. 4 | 5 | # By default, we want this to get set. 6 | # Even for non-interactive, non-login shells. 
7 | # Current threshold for system reserved uid/gids is 200 8 | # You could check uidgid reservation validity in 9 | # /usr/share/doc/setup-*/uidgid file 10 | #if ($uid > 199 && "`id -gn`" == "`id -un`") then 11 | # umask 077 12 | #else 13 | # umask 077 14 | #endif 15 | umask 077 16 | 17 | if ($?prompt) then 18 | if ($?tcsh) then 19 | set promptchars='$#' 20 | set prompt='[%n@%m %c]%# ' 21 | # make completion work better by default 22 | set autolist 23 | else 24 | set prompt=\[$user@`hostname -s`\]\$\ 25 | endif 26 | endif 27 | 28 | if ( $?tcsh ) then 29 | bindkey "^[[3~" delete-char 30 | endif 31 | 32 | bindkey "^R" i-search-back 33 | set echo_style = both 34 | set histdup = erase 35 | set savehist = (1024 merge) 36 | 37 | if ($?prompt) then 38 | if ($?TERM) then 39 | switch($TERM) 40 | case xterm*: 41 | if ($?tcsh) then 42 | set prompt='%{\033]0;%n@%m:%c\007%}[%n@%m %c]%# ' 43 | endif 44 | breaksw 45 | case screen: 46 | if ($?tcsh) then 47 | set prompt='%{\033_%n@%m:%c\033\\%}[%n@%m %c]%# ' 48 | endif 49 | breaksw 50 | default: 51 | breaksw 52 | endsw 53 | endif 54 | endif 55 | 56 | setenv MAIL "/var/spool/mail/$USER" 57 | 58 | # Check if we aren't a loginshell and do stuff if we aren't 59 | if (! 
$?loginsh) then 60 | if ( -d /etc/profile.d ) then 61 | set nonomatch 62 | foreach i ( /etc/profile.d/*.csh ) 63 | if ( -r "$i" ) then 64 | if ($?prompt) then 65 | source "$i" 66 | else 67 | source "$i" >&/dev/null 68 | endif 69 | endif 70 | end 71 | unset i nonomatch 72 | endif 73 | endif 74 | -------------------------------------------------------------------------------- /roles/base/files/disabled.conf: -------------------------------------------------------------------------------- 1 | install cramfs /bin/true 2 | install freevxfs /bin/true 3 | install jffs2 /bin/true 4 | install hfs /bin/true 5 | install hfsplus /bin/true 6 | install squashfs /bin/true 7 | install udf /bin/true 8 | 9 | install dccp /bin/false 10 | install sctp /bin/false 11 | install rds /bin/false 12 | install tipc /bin/false 13 | 14 | install usb-storage /bin/false 15 | install net-pf-31 /bin/false 16 | install bluetooth /bin/false 17 | 18 | options ipv6 disable=1 19 | -------------------------------------------------------------------------------- /roles/base/files/i18n: -------------------------------------------------------------------------------- 1 | LANG="en_US.UTF-8" 2 | SUPPORTED="en_US.UTF-8:en_US:en" 3 | SYSFONT="latarcyrheb-sun16" -------------------------------------------------------------------------------- /roles/base/files/issue: -------------------------------------------------------------------------------- 1 | -- WARNING -- 2 | This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. 
3 | -- WARNING -- 4 | 5 | -------------------------------------------------------------------------------- /roles/base/files/keyboard: -------------------------------------------------------------------------------- 1 | KEYTABLE="us" 2 | MODEL="pc105+inet" 3 | LAYOUT="us" 4 | KEYBOARDTYPE="pc" -------------------------------------------------------------------------------- /roles/base/files/limits.conf: -------------------------------------------------------------------------------- 1 | # /etc/security/limits.conf 2 | # 3 | #Each line describes a limit for a user in the form: 4 | # 5 | # 6 | # 7 | #Where: 8 | # can be: 9 | # - an user name 10 | # - a group name, with @group syntax 11 | # - the wildcard *, for default entry 12 | # - the wildcard %, can be also used with %group syntax, 13 | # for maxlogin limit 14 | # 15 | # can have the two values: 16 | # - "soft" for enforcing the soft limits 17 | # - "hard" for enforcing hard limits 18 | # 19 | # can be one of the following: 20 | # - core - limits the core file size (KB) 21 | # - data - max data size (KB) 22 | # - fsize - maximum filesize (KB) 23 | # - memlock - max locked-in-memory address space (KB) 24 | # - nofile - max number of open files 25 | # - rss - max resident set size (KB) 26 | # - stack - max stack size (KB) 27 | # - cpu - max CPU time (MIN) 28 | # - nproc - max number of processes 29 | # - as - address space limit (KB) 30 | # - maxlogins - max number of logins for this user 31 | # - maxsyslogins - max number of logins on the system 32 | # - priority - the priority to run user process with 33 | # - locks - max number of file locks the user can hold 34 | # - sigpending - max number of pending signals 35 | # - msgqueue - max memory used by POSIX message queues (bytes) 36 | # - nice - max nice priority allowed to raise to values: [-20, 19] 37 | # - rtprio - max realtime priority 38 | # 39 | # 40 | # 41 | 42 | #* soft core 0 43 | #* hard rss 10000 44 | #@student hard nproc 20 45 | #@faculty soft nproc 20 
46 | #@faculty hard nproc 50 47 | #ftp hard nproc 0 48 | #@student - maxlogins 4 49 | 50 | # End of file 51 | * hard core 0 52 | * hard maxlogins 10 -------------------------------------------------------------------------------- /roles/base/files/login.defs: -------------------------------------------------------------------------------- 1 | # 2 | # Please note that the parameters in this configuration file control the 3 | # behavior of the tools from the shadow-utils component. None of these 4 | # tools uses the PAM mechanism, and the utilities that use PAM (such as the 5 | # passwd command) should therefore be configured elsewhere. Refer to 6 | # /etc/pam.d/system-auth for more information. 7 | # 8 | 9 | # *REQUIRED* 10 | # Directory where mailboxes reside, _or_ name of file, relative to the 11 | # home directory. If you _do_ define both, MAIL_DIR takes precedence. 12 | # QMAIL_DIR is for Qmail 13 | # 14 | #QMAIL_DIR Maildir 15 | MAIL_DIR /var/spool/mail 16 | #MAIL_FILE .mail 17 | 18 | # Password aging controls: 19 | # 20 | # PASS_MAX_DAYS Maximum number of days a password may be used. 21 | # PASS_MIN_DAYS Minimum number of days allowed between password changes. 22 | # PASS_MIN_LEN Minimum acceptable password length. 23 | # PASS_WARN_AGE Number of days warning given before a password expires. 24 | # 25 | PASS_MAX_DAYS 60 26 | PASS_MIN_DAYS 1 27 | PASS_MIN_LEN 14 28 | PASS_WARN_AGE 7 29 | 30 | # 31 | # Min/max values for automatic uid selection in useradd 32 | # 33 | UID_MIN 500 34 | UID_MAX 60000 35 | 36 | # 37 | # Min/max values for automatic gid selection in groupadd 38 | # 39 | GID_MIN 500 40 | GID_MAX 60000 41 | 42 | # 43 | # If defined, this command is run when removing a user. 44 | # It should remove any at/cron/print jobs etc. owned by 45 | # the user to be removed (passed as the first argument). 46 | # 47 | #USERDEL_CMD /usr/sbin/userdel_local 48 | 49 | # 50 | # If useradd should create home directories for users by default 51 | # On RH systems, we do. 
This option is overridden with the -m flag on 52 | # useradd command line. 53 | # 54 | CREATE_HOME yes 55 | 56 | # The permission mask is initialized to this value. If not specified, 57 | # the permission mask will be initialized to 022. 58 | UMASK 077 59 | 60 | # This enables userdel to remove user groups if no members exist. 61 | # 62 | USERGROUPS_ENAB yes 63 | 64 | # Use SHA512 to encrypt password. 65 | #ENCRYPT_METHOD MD5 66 | #MD5_CRYPT_ENAB yes 67 | 68 | ENCRYPT_METHOD SHA512 69 | MD5_CRYPT_ENAB no -------------------------------------------------------------------------------- /roles/base/files/maintenance.daily: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Updated packages 4 | yum -y update 5 | 6 | # 1.1.17 Set Sticky Bit on All World-Writable Directories 7 | find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print0| xargs -0 chmod +t 8 | 9 | # 1.2.4 Verify Package Integrity Using RPM 10 | rpm -qVa | awk '$2 != "c" { print $0}'| logger -p local0.warn -t RPM-Package 11 | 12 | # 2.1.3.2.b. Verify File Hashes with RPM 13 | rpm -Va | grep '^..5' | logger -p local0.warn -t RPM-Hash 14 | 15 | #2.2.3.c. Ensure All SGID Executables Are Authorized 16 | df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print| logger -p local0.warn -t File-SGID 17 | 18 | # 2.2.3.d. 
Ensure All SUID Executables Are Authorized 19 | df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print| logger -p local0.warn -t File-SUID 20 | 21 | -------------------------------------------------------------------------------- /roles/base/files/maintenance.weekly: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Clean up yum 4 | yum clean packages 5 | yum clean metadata 6 | yum clean dbcache 7 | yum clean all 8 | yum makecache 9 | 10 | # Delete old kernels 11 | # package-cleanup --oldkernels --count=1 -y 12 | -------------------------------------------------------------------------------- /roles/base/files/system-auth: -------------------------------------------------------------------------------- 1 | auth required pam_env.so 2 | auth sufficient pam_fprintd.so 3 | auth sufficient pam_unix.so try_first_pass 4 | auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 5 | auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900 6 | auth requisite pam_succeed_if.so uid >= 500 quiet 7 | auth required pam_deny.so 8 | 9 | account required pam_unix.so 10 | account sufficient pam_localuser.so 11 | account sufficient pam_succeed_if.so uid < 500 quiet 12 | account required pam_permit.so 13 | 14 | password requisite pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 15 | password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24 16 | password required pam_deny.so 17 | 18 | session optional pam_keyinit.so revoke 19 | session required pam_limits.so 20 | session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 21 | session required pam_lastlog.so showfailed 22 | session required pam_unix.so 23 | -------------------------------------------------------------------------------- /roles/base/files/useradd: 
-------------------------------------------------------------------------------- 1 | # useradd defaults file 2 | GROUP=100 3 | HOME=/home 4 | INACTIVE=35 5 | EXPIRE= 6 | SHELL=/bin/bash 7 | SKEL=/etc/skel 8 | CREATE_MAIL_SPOOL=yes -------------------------------------------------------------------------------- /roles/base/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: restart crond 4 | service: name=crond state=restarted 5 | 6 | - name: restart network 7 | service: name=network state=restarted 8 | 9 | - name: reload sysctl.conf 10 | command: /sbin/sysctl -p 11 | 12 | - name: reload init 13 | command: initctl reload-configuration -------------------------------------------------------------------------------- /roles/base/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | ########################### 4 | # Packages 5 | ########################### 6 | - name: Enable libselinux-python for Ansible 7 | yum: name=libselinux-python state=installed 8 | 9 | - name: Set yum configuration 10 | template: src=yum.conf.j2 11 | dest=/etc/yum.conf 12 | 13 | - name: Copy local repo conf file 14 | template: src=CentOS-Base.repo.j2 dest=/etc/yum.repos.d/CentOS-Base.repo owner=root group=root mode=0644 15 | 16 | - name: Copy local epel repo 17 | template: src=epel.repo.j2 dest=/etc/yum.repos.d/epel.repo owner=root group=root mode=0644 18 | 19 | # http://mirror.pnl.gov/epel/RPM-GPG-KEY-EPEL-6 20 | - name: Add EPEL GPG key 21 | copy: src=RPM-GPG-KEY-EPEL-6 22 | dest=/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 23 | owner=root 24 | group=root 25 | mode=0644 26 | 27 | - name: Disable fastest mirror plugin 28 | lineinfile: dest=/etc/yum/pluginconf.d/fastestmirror.conf regexp=^enabled line='enabled = 0' 29 | 30 | - name: Install core packages 31 | yum: name={{ item }} state=installed 32 | with_items: 33 | - yum-plugin-protectbase.noarch 34 | - yum-plugin-security 
35 | - mlocate 36 | - vim-minimal 37 | - mailx 38 | - ntp 39 | - wget 40 | - screen 41 | - psacct 42 | 43 | - name: Remove uneeded packages 44 | yum: name={{ item }} state=absent 45 | with_items: 46 | - setroubleshoot 47 | - mcstrans 48 | - telnet-server 49 | - telnet 50 | - rsh-server 51 | - rsh 52 | - ypbind 53 | - ypserv 54 | - tftp 55 | - tftp-server 56 | - talk 57 | - talk-server 58 | - xinetd 59 | - chargen-dgram 60 | - chargen-stream 61 | - daytime-dgram 62 | - daytime-stream 63 | - echo-dgram 64 | - echo-stream 65 | - tcpmux-server 66 | - autofs 67 | - wireless-tools 68 | - avahi-libs 69 | - abrt 70 | - polkit 71 | - dbus 72 | 73 | - name: Remove X Windows package 74 | yum: name="@X Window System" state=absent 75 | 76 | 77 | ########################### 78 | # Basic System 79 | ########################### 80 | # - name: Set timezone to eastern 81 | # command: ln -s /usr/share/zoneinfo/US/Eastern /etc/localtime 82 | 83 | - name: Set clock 84 | copy: src=clock dest=/etc/sysconfig/clock owner=root group=root 85 | 86 | - name: Set languages 87 | copy: src=i18n dest=/etc/sysconfig/i18n owner=root group=root 88 | 89 | - name: Set boot mode to verbose. 90 | lineinfile: dest=/etc/sysconfig/init regexp=^BOOTUP line='BOOTUP=verbose' 91 | 92 | - name: Set high resolution console mode. Turn on advanced boot screen. 
93 | command: sed -i 's/rhgb quiet/vga=791/g' /etc/grub.conf 94 | 95 | - name: Set keyboard options 96 | copy: src=keyboard dest=/etc/sysconfig/keyboard owner=root group=root 97 | 98 | ########################### 99 | # Kernel 100 | ########################### 101 | - name: Disable unneeded kernel modules 102 | copy: src=disabled.conf dest=/etc/modprobe.d/disabled.conf owner=root group=root 103 | 104 | - name: Set kernel configuration 105 | template: src=sysctl.conf.j2 106 | dest=/etc/sysctl.conf 107 | owner=root 108 | group=root 109 | notify: 110 | - reload sysctl.conf 111 | 112 | - name: Disable kdump 113 | service: name=kdump state=stopped enabled=no 114 | ignore_errors: yes 115 | 116 | ########################### 117 | # Maintenance 118 | ########################### 119 | - name: Set daily maintenance tasks 120 | copy: src=maintenance.daily dest=/etc/cron.daily/maintenance.daily owner=root group=root mode=0700 121 | 122 | - name: Set weekly maintenance tasks 123 | copy: src=maintenance.weekly dest=/etc/cron.weekly/maintenance.weekly owner=root group=root mode=0700 124 | 125 | ########################### 126 | # SELinux 127 | ########################### 128 | 129 | - name: Enable SELinux 130 | selinux: policy=targeted state=enforcing 131 | 132 | - name: Enable the SELinux Context Restoration Service (restorecond) 133 | service: name=restorecond state=started enabled=yes 134 | 135 | ########################### 136 | # Basic Security 137 | ########################### 138 | 139 | - name: Ensure grub.conf has correct file permissions 140 | file: path=/etc/grub.conf owner=root group=root mode=0600 141 | 142 | - name: Ensure boot is password protected 143 | lineinfile: dest=/etc/grub.conf regexp=^password line='password --encrypted $6$p5lIqMXvh0h06WQM$8uBgmOVe..2sy7lFHfifxwddW7cnER2mFYGIBddEixFGWGOojqbgzOcVSEpwQBMC.9cvkp3jp1WelqDsmJxBI.' 144 | 145 | - name: Enable Auditing for Processes Which Start Prior to the Audit Daemon 146 | command: sed -i '/kernel/ {/audit=1/! 
s/.*/& audit=1/}' /etc/grub.conf 147 | 148 | - name: Ensure single user mode requires a password 149 | lineinfile: dest=/etc/sysconfig/init regexp=^SINGLE line='SINGLE=/sbin/sulogin' 150 | 151 | - name: Disable interactive boot 152 | lineinfile: dest=/etc/sysconfig/init regexp=^PROMPT line='PROMPT=no' 153 | 154 | - name: Restrict Core Dumps 155 | lineinfile: dest=/etc/security/limits.conf regexp='^\* hard' line='* hard core 0' 156 | 157 | - name: Ensure /etc/shadow is owned by root 158 | file: path=/etc/shadow owner=root group=root mode=0000 159 | 160 | - name: Ensure /etc/group is owned by root 161 | file: path=/etc/group owner=root group=root mode=0644 162 | 163 | - name: Ensure /etc/gshadow is owned by root 164 | file: path=/etc/gshadow owner=root group=root mode=0000 165 | 166 | - name: Ensure /etc/passwd is owned by root 167 | file: path=/etc/passwd owner=root group=root mode=0644 168 | 169 | - name: Verify that Shared Library Files Have Root Ownership 170 | file: path={{ item }} owner=root group=root state=directory recurse=yes 171 | with_items: 172 | - /lib 173 | - /lib64 174 | - /usr/lib 175 | - /usr/lib64 176 | 177 | - name: Verify that Shared Executable Files Have Root Ownership 178 | file: path={{ item }} owner=root group=root state=directory recurse=yes 179 | with_items: 180 | - /bin 181 | - /usr/bin 182 | - /usr/local/bin 183 | - /sbin 184 | - /usr/sbin 185 | - /usr/local/sbin 186 | 187 | - name: Verify that System Executables Have Restrictive Permissions 188 | file: path={{ item }} owner=root group=root state=directory mode=0555 189 | with_items: 190 | - /bin 191 | - /usr/bin 192 | - /usr/local/bin 193 | - /sbin 194 | - /usr/sbin 195 | - /usr/local/sbin 196 | 197 | - name: Set Daemon Umask 198 | lineinfile: dest=/etc/sysconfig/init regexp=^umask line='umask 027' 199 | 200 | - name: Verify prelink file has the correct permissions 201 | file: path=/etc/sysconfig/prelink owner=root group=root mode=0600 202 | 203 | - name: Disable prelinking 204 | 
lineinfile: dest=/etc/sysconfig/prelink regexp='^PRELINKING' line='PRELINKING=no' 205 | ignore_errors: yes 206 | 207 | - name: Disable abrtd 208 | service: name=abrtd state=stopped enabled=no 209 | ignore_errors: yes 210 | 211 | - name: Disable atd 212 | service: name=atd state=stopped enabled=no 213 | ignore_errors: yes 214 | 215 | - name: Restrict Virtual Console Root Logins 216 | lineinfile: dest=/etc/securetty regexp='^vc' state=absent 217 | 218 | - name: Restrict Serial Port Root Logins 219 | lineinfile: dest=/etc/securetty regexp='^tty' state=absent 220 | 221 | - name: Prevent Log In to Accounts With Empty Password 222 | copy: src=system-auth dest=/etc/pam.d/system-auth-ac owner=root group=root mode=0644 223 | 224 | - name: Set Password Attributes 225 | copy: src=login.defs dest=/etc/login.defs owner=root group=root mode=0644 226 | 227 | - name: Set Password Hashing Algorithm in /etc/libuser.conf 228 | lineinfile: dest=/etc/libuser.conf regexp='^crypt_style' line='crypt_style = sha512' 229 | 230 | - name: Modify the System Login Banner 231 | copy: src=issue dest=/etc/issue owner=root group=root mode=0644 232 | 233 | - name: Set csh secure umask 234 | copy: src=csh.cshrc 235 | dest=/etc/csh.cshrc 236 | owner=root 237 | group=root 238 | mode=0644 239 | 240 | - name: Set bash secure umask 241 | copy: src=bashrc 242 | dest=/etc/bashrc 243 | owner=root 244 | group=root 245 | mode=0644 246 | 247 | - name: Disable CONTROL-ALT-DELETE 248 | copy: src=control-alt-delete.override 249 | dest=/etc/init/control-alt-delete.override 250 | owner=root 251 | group=root 252 | mode=0644 253 | notify: 254 | - reload init 255 | 256 | - name: Limit simultaneous Logins 257 | copy: src=limits.conf 258 | dest=/etc/security/limits.conf 259 | owner=root 260 | group=root 261 | mode=0644 262 | 263 | - name: Set new user account security 264 | copy: src=useradd 265 | dest=/etc/default/useradd 266 | owner=root 267 | group=root 268 | mode=0600 269 | 270 | - name: Enable prcess accounting 271 
| service: name=psacct 272 | state=started 273 | enabled=yes 274 | 275 | ########################### 276 | # cron 277 | ########################### 278 | 279 | - name: Enable crond 280 | service: name=crond state=started enabled=yes 281 | 282 | - name: Set crond configuration. Disable email and enable syslog 283 | lineinfile: dest=/etc/sysconfig/crond regexp='^CRONDARGS' line='CRONDARGS="-m off -s"' 284 | notify: 285 | - restart crond 286 | -------------------------------------------------------------------------------- /roles/base/templates/CentOS-Base.repo.j2: -------------------------------------------------------------------------------- 1 | [base] 2 | name=CentOS-$releasever - Base 3 | baseurl=http://{{ default_repository_hostname }}/CentOS/$releasever/os/$basearch/ 4 | gpgcheck=1 5 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 6 | 7 | #released updates 8 | [updates] 9 | name=CentOS-$releasever - Updates 10 | baseurl=http://{{ default_repository_hostname }}/CentOS/$releasever/updates/$basearch/ 11 | gpgcheck=1 12 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 13 | 14 | #additional packages that may be useful 15 | [extras] 16 | name=CentOS-$releasever - Extras 17 | baseurl=http://{{ default_repository_hostname }}/CentOS/$releasever/extras/$basearch/ 18 | gpgcheck=1 19 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 20 | 21 | #additional packages that extend functionality of existing packages 22 | [centosplus] 23 | name=CentOS-$releasever - Plus 24 | baseurl=http://{{ default_repository_hostname }}/CentOS/$releasever/CentOSplus/$basearch/ 25 | gpgcheck=1 26 | enabled=0 27 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 28 | 29 | #contrib - packages by Centos Users 30 | [contrib] 31 | name=CentOS-$releasever - Contrib 32 | baseurl=http://{{ default_repository_hostname }}/CentOS/$releasever/contrib/$basearch/ 33 | gpgcheck=1 34 | enabled=0 35 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 36 | 
-------------------------------------------------------------------------------- /roles/base/templates/epel.repo.j2: -------------------------------------------------------------------------------- 1 | [epel] 2 | name=Extra Packages for Enterprise Linux 6 - $basearch 3 | baseurl=http://{{ epel_repository_hostname }}/epel/{{ centos_series }}/{{ centos_architecture }} 4 | failovermethod=priority 5 | enabled=1 6 | gpgcheck=1 7 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 8 | 9 | [epel-debuginfo] 10 | name=Extra Packages for Enterprise Linux 6 - $basearch - Debug 11 | baseurl=http://{{ epel_repository_hostname }}/epel/{{ centos_series }}/{{ centos_architecture }}/debug 12 | failovermethod=priority 13 | enabled=0 14 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 15 | gpgcheck=1 16 | 17 | [epel-source] 18 | name=Extra Packages for Enterprise Linux 6 - $basearch - Source 19 | baseurl=http://{{ epel_repository_hostname }}/epel/{{ centos_series }}/SRPMS 20 | failovermethod=priority 21 | enabled=0 22 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 23 | gpgcheck=1 24 | -------------------------------------------------------------------------------- /roles/base/templates/sysctl.conf.j2: -------------------------------------------------------------------------------- 1 | # Kernel sysctl configuration file for Red Hat Linux 2 | # 3 | # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and 4 | # sysctl.conf(5) for more details. 5 | 6 | # Controls IP packet forwarding 7 | net.ipv4.ip_forward = 0 8 | 9 | # Do not accept source routing 10 | net.ipv4.conf.default.accept_source_route = 0 11 | 12 | # Controls the System Request debugging functionality of the kernel 13 | kernel.sysrq = 0 14 | 15 | # Controls whether core dumps will append the PID to the core filename. 16 | # Useful for debugging multi-threaded applications. 
17 | kernel.core_uses_pid = 1 18 | 19 | # Controls the default maximum size of a message queue 20 | kernel.msgmnb = 65536 21 | 22 | # Controls the maximum size of a message, in bytes 23 | kernel.msgmax = 65536 24 | 25 | # Controls the maximum shared segment size, in bytes 26 | kernel.shmmax = 68719476736 27 | 28 | # Controls the maximum number of shared memory segments, in pages 29 | kernel.shmall = 4294967296 30 | 31 | # Auto-enabled by xs-tools:install.sh 32 | net.ipv4.conf.all.arp_notify = 1 33 | 34 | ########################## 35 | ## Security settings 36 | ########################## 37 | 38 | # Restrict Core Dumps 39 | fs.suid_dumpable = 0 40 | 41 | #Enable ExecShield 42 | kernel.exec-shield = 1 43 | 44 | # Enable Randomized Virtual Memory Region Placement 45 | kernel.randomize_va_space = 2 46 | 47 | # Restrict Access to Kernel Message Buffer 48 | kernel.dmesg_restrict = 1 49 | 50 | # Disable Kernel Parameter for Sending ICMP Redirects by Default 51 | net.ipv4.conf.default.send_redirects = 0 52 | 53 | # Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces 54 | net.ipv4.conf.all.send_redirects = 0 55 | 56 | # Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces 57 | net.ipv4.conf.all.accept_source_route = 0 58 | 59 | # Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces 60 | net.ipv4.conf.all.accept_redirects = 0 61 | 62 | # Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces 63 | net.ipv4.conf.all.secure_redirects = 0 64 | 65 | # Enable Kernel Parameter to Log Martian Packets 66 | net.ipv4.conf.all.log_martians = 1 67 | 68 | # Disable Kernel Parameter for Accepting ICMP Redirects By Default (source routing by default is already disabled above) 69 | net.ipv4.conf.default.accept_redirects = 0 70 | 71 | # Disable Kernel Parameter for Accepting Secure Redirects By Default 72 | net.ipv4.conf.default.secure_redirects = 0 73 | 74 | # Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests (smurf mitigation) 75 | 
net.ipv4.icmp_echo_ignore_broadcasts = 1 76 | 77 | # Enable Kernel Parameter to Ignore Bogus ICMP Error Responses 78 | net.ipv4.icmp_ignore_bogus_error_responses = 1 79 | 80 | # Enable Kernel Parameter to Use TCP Syncookies 81 | net.ipv4.tcp_syncookies = 1 82 | 83 | # Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces 84 | net.ipv4.conf.all.rp_filter = 1 85 | 86 | # Enable Kernel Parameter to Use Reverse Path Filtering by Default 87 | net.ipv4.conf.default.rp_filter = 1 -------------------------------------------------------------------------------- /roles/base/templates/yum.conf.j2: -------------------------------------------------------------------------------- 1 | [main] 2 | cachedir=/var/cache/yum/$basearch/$releasever 3 | keepcache=0 4 | debuglevel=2 5 | logfile=/var/log/yum.log 6 | exactarch=1 7 | obsoletes=1 8 | gpgcheck=1 9 | plugins=1 10 | installonly_limit=5 11 | bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum 12 | distroverpkg=centos-release 13 | # Don't automatically install kernels. Note this also keeps the daily "yum -y update" in maintenance.daily from patching the kernel, so kernel updates must be applied by hand. 14 | exclude=kernel* 15 | 16 | # Only keep two copies max of packages such as the kernel (this overrides the installonly_limit=5 set above) 17 | installonly_limit=2 18 | 19 | 20 | 21 | # This is the default, if you make this bigger yum won't see if the metadata 22 | # is newer on the remote and so you'll "gain" the bandwidth of not having to 23 | # download the new metadata and "pay" for it by yum not having correct 24 | # information. 25 | # It is esp. important, to have correct metadata, for distributions like 26 | # Fedora which don't keep old packages around. If you don't like this checking 27 | # interrupting your command line usage, it's much better to have something 28 | # manually check the metadata once an hour (yum-updatesd will do this). 
29 | # metadata_expire=90m 30 | 31 | # PUT YOUR REPOS HERE OR IN separate files named file.repo 32 | # in /etc/yum.repos.d 33 | -------------------------------------------------------------------------------- /roles/clamav/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Initialize antivirus database 4 | command: /usr/bin/clamav-unofficial-sigs.sh 5 | notify: Update default signatures 6 | 7 | - name: Update default signatures 8 | command: freshclam 9 | -------------------------------------------------------------------------------- /roles/clamav/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Install clamav packages 4 | yum: name={{ item }} state=installed 5 | with_items: 6 | - clamav 7 | - clamav-db 8 | - clamav-unofficial-sigs 9 | notify: 10 | - Initialize antivirus database 11 | 12 | - name: Disable clam user login 13 | user: name=clam shell=/sbin/nologin 14 | 15 | - name: Disable clam-update user login 16 | user: name=clam-update shell=/sbin/nologin 17 | 18 | - name: Set permissions on antivirus database directory 19 | file: path=/var/lib/clamav state=directory owner=clam group=clam 20 | 21 | - name: Set freshclam configuration 22 | template: src=freshclam.conf.j2 23 | dest=/etc/freshclam.conf 24 | owner=root 25 | group=root 26 | mode=0644 27 | 28 | - name: Daily clamav database update 29 | cron: name="Daily Virus DB Update" 30 | hour={{ clamav_official_db_update.hour }} 31 | minute={{ clamav_official_db_update.minute }} 32 | job="/usr/bin/freshclam" 33 | state=present 34 | 35 | - name: Daily unofficial sig update 36 | cron: name="Daily Unofficial DB Update" 37 | hour={{ clamav_unofficial_db_update.hour }} 38 | minute={{ clamav_unofficial_db_update.minute }} 39 | job="/usr/bin/clamav-unofficial-sigs.sh 2>&1 | /usr/bin/logger -p local0.info -t clam-unofficial-sigs" 40 | state=present 41 | 42 | - name: Daily clamav 
scan 43 | cron: name="Daily Virus Scan" 44 | hour={{ clamav_scan.hour }} 45 | minute={{ clamav_scan.minute }} 46 | job="/usr/bin/clamscan -r / --detect-pua --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/ --infected 2>&1 | /usr/bin/logger -p local0.info -t clamscan" 47 | state=present 48 | 49 | ######################################### 50 | # Remove unused files and directories 51 | ######################################### 52 | 53 | - name: Remove unused clamav log and cron files 54 | file: path={{ item }} state=absent 55 | with_items: 56 | - /etc/cron.d/clamav-unofficial-sigs 57 | - /etc/cron.hourly/freshclam 58 | - /var/log/clamav 59 | - /var/log/clamav-unofficial-sigs 60 | - /etc/logrotate.d/freshclam 61 | - /etc/logrotate.d/clamav-unofficial-sigs 62 | -------------------------------------------------------------------------------- /roles/clamav/templates/freshclam.conf.j2: -------------------------------------------------------------------------------- 1 | DatabaseDirectory /var/lib/clamav 2 | LogSyslog yes 3 | DatabaseOwner clam 4 | DatabaseMirror db.us.clamav.net 5 | DatabaseMirror db.local.clamav.net 6 | LogTime yes 7 | HTTPProxyPort {{ web_proxy_port }} 8 | HTTPProxyServer {{ web_proxy_hostname }} 9 | -------------------------------------------------------------------------------- /roles/dhcp-server/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: restart dhcpd 4 | service: name=dhcpd state=restarted 5 | -------------------------------------------------------------------------------- /roles/dhcp-server/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Install ISC dhcp server 4 | yum: name=dhcp state=installed 5 | 6 | - name: Copy dhcpd conf file 7 | template: src=dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0644 8 | notify: 9 | - restart dhcpd 10 | 11 | - name: Copy dhcpd 
arguments file 12 | template: src=dhcpd.j2 dest=/etc/sysconfig/dhcpd owner=root group=root mode=0644 13 | notify: 14 | - restart dhcpd 15 | 16 | - name: Set iptables configuration 17 | template: src=111_dhcp_server.j2 dest=/etc/ferm/ferm.d/111_dhcp_server owner=root group=root 18 | 19 | - name: dhcpd running 20 | service: name=dhcpd state=started enabled=yes 21 | -------------------------------------------------------------------------------- /roles/dhcp-server/templates/111_dhcp_server.j2: -------------------------------------------------------------------------------- 1 | table filter chain INPUT { 2 | # DHCP 3 | protocol udp dport 67 ACCEPT; 4 | protocol udp dport 68 ACCEPT; 5 | } 6 | -------------------------------------------------------------------------------- /roles/dhcp-server/templates/dhcpd.conf.j2: -------------------------------------------------------------------------------- 1 | # DHCP server is authoritative for all networks 2 | authoritative; 3 | 4 | # RFC3442 routes 5 | option rfc3442-classless-static-routes code 121 = array of integer 8; 6 | # MS routes 7 | option ms-classless-static-routes code 249 = array of integer 8; 8 | 9 | # Default lease time of 6 hours (21600 s), max 12 hours (43200 s) 10 | default-lease-time 21600; 11 | max-lease-time 43200; 12 | 13 | # Log to local syslog 14 | log-facility local7; 15 | 16 | ############################## 17 | # Global parameters 18 | ############################## 19 | option domain-name-servers {{ dns1_server_ip }}, {{ dns2_server_ip }}; 20 | option domain-name "{{ domain }}"; 21 | option ntp-servers {{ ntp_server_ip }}; 22 | option domain-search "{{ domain }}"; 23 | ddns-domainname "{{ domain }}"; 24 | option time-offset -18000; # Eastern Standard Time 25 | option host-name = config-option server.ddns-hostname; 26 | ddns-hostname = pick-first-value( option fqdn.hostname, 27 | option host-name, 28 | concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address))); 29 | ############################## 30 | # Subnet 
parameters 31 | ############################## 32 | 33 | {% for subnet in subnets %} 34 | # DHCP settings for the {{ subnet.name }} network 35 | subnet {{ subnet.address }} netmask {{ subnet.netmask }} { 36 | option routers {{ subnet.gateway }}; 37 | range {{ subnet.dhcp_start_address }} {{ subnet.dhcp_end_address }}; 38 | } 39 | 40 | {% endfor %} 41 | -------------------------------------------------------------------------------- /roles/dhcp-server/templates/dhcpd.j2: -------------------------------------------------------------------------------- 1 | DHCPDARGS="{{ dhcp_arguments }}"; 2 | -------------------------------------------------------------------------------- /roles/end/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Change iptables configuration 4 | command: /usr/sbin/ferm /etc/ferm/ferm.conf 5 | 6 | - name: Save iptables 7 | command: service iptables save 8 | 9 | - name: Restart collectd 10 | command: service collectd restart 11 | 12 | # I have many web servers so this is here to restart them at the end. Fails when nginx is not installed 13 | # but the play continues. 
14 | - name: Reload nginx 15 | command: service nginx reload 16 | ignore_errors: yes 17 | -------------------------------------------------------------------------------- /roles/iptables/files/999_end: -------------------------------------------------------------------------------- 1 | table filter chain INPUT { 2 | # Block spammy netbios traffic (tcp 445/139, udp 137/138) so it isn't logged by the LOGGING chain below 3 | protocol tcp dport (445 139) DROP; 4 | protocol udp dport (137 138) DROP; 5 | 6 | jump LOGGING; 7 | } 8 | -------------------------------------------------------------------------------- /roles/iptables/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Restart rsyslog 4 | command: service rsyslog restart 5 | 6 | - name: Install IPv6 7 | command: /usr/sbin/ferm /etc/ferm/ferm6.conf -------------------------------------------------------------------------------- /roles/iptables/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Install ferm for easy firewall management 4 | yum: name=ferm state=installed 5 | 6 | - name: iptables is running and enabled 7 | service: name=iptables state=started enabled=yes 8 | 9 | - name: iptables6 is disabled 10 | service: name=ip6tables state=stopped enabled=no 11 | 12 | - name: Add ferm conf directory 13 | file: path=/etc/ferm owner=root group=root mode=0700 state=directory 14 | 15 | - name: Add ferm snippet directory 16 | file: path=/etc/ferm/ferm.d owner=root group=root mode=0700 state=directory 17 | 18 | - name: Set iptables base configuration 19 | template: src=ferm.conf.j2 20 | dest=/etc/ferm/ferm.conf 21 | owner=root 22 | group=root 23 | 24 | # - name: Block all IPv6 traffic 25 | # template: src=ferm6.conf.j2 dest=/etc/ferm/ferm6.conf owner=root group=root 26 | # notify: 27 | # - Install IPv6 28 | 29 | - name: Set iptables end configuration 30 | copy: src=999_end dest=/etc/ferm/ferm.d/999_end owner=root group=root 31 | 
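--------------------------------------------------------------------------------
/roles/iptables/templates/ferm.conf.j2:
--------------------------------------------------------------------------------
# Base IPv4 policy. INPUT is default-DROP; per-role snippets under ferm.d/
# add their ACCEPT rules and 999_end routes the remainder through LOGGING.
domain ip {
    table filter {
        chain LOGGING;
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state {
                state INVALID DROP;
                state (RELATED ESTABLISHED) ACCEPT;
            }

            # allow local connections
            interface lo ACCEPT;

            # respond to ping
            proto icmp icmp-type echo-request ACCEPT;

            # remote administration from the company network
            # saddr {{ admin_network }}/{{ admin_network_CIDR }} proto tcp dport ssh ACCEPT;
            # NOTE(review): the active rule below accepts SSH from any source;
            # the commented line above is the intended restriction. Once
            # admin_network / admin_network_CIDR are defined, swap the two
            # lines so password-guessing is only possible from the admin net.
            proto tcp dport ssh ACCEPT;

        }
        # Rate-limited so a flood cannot fill the log; the rest is dropped
        # silently. The auditd role's syslog.conf decides where the
        # 'iptables: ' prefix ends up (presumably /var/log/iptables.log,
        # which the OSSEC agent config reads - confirm).
        chain LOGGING {
            mod limit limit 3/min LOG log-prefix 'iptables: ';
            DROP;
        }
        chain FORWARD policy DROP;
        chain OUTPUT policy ACCEPT;
    }
}
# Snippets are included outside the `domain ip` block, so each one names its
# own table/chain (see 999_end, 110_mysql_server, ...).
@include 'ferm.d/';
--------------------------------------------------------------------------------
/roles/iptables/templates/ferm6.conf.j2:
--------------------------------------------------------------------------------
# Drop-everything IPv6 policy. Currently unused: the task that installs it
# is commented out in tasks/main.yml.
domain ip6 table filter {
    chain INPUT policy DROP;
    chain OUTPUT policy DROP;
    chain FORWARD policy DROP;
}
--------------------------------------------------------------------------------
/roles/kickstart-server/tasks/main.yml:
--------------------------------------------------------------------------------
---

# One kickstart file per host in the `vms` group. The rendered file carries
# the root and admin password hashes (see host.cfg.j2), so the directory
# under {{ storage_root }} should only be reachable by hosts that are
# being installed - no mode is set here, so the default umask applies.
- name: Copy kickstart file for CentOS auto install
  template: src=host.cfg.j2
            dest={{ storage_root }}/CentOS/kickstart/{{ hostvars[item]['hostname'] }}.cfg
  with_items: groups['vms']


--------------------------------------------------------------------------------
/roles/kickstart-server/templates/host.cfg.j2:
--------------------------------------------------------------------------------
#platform=x86, AMD64, or Intel EM64T

# Install OS instead of upgrade
install
url --url="{{ default_repository_url }}"

# Language settings
lang {{ language }}
timezone {{ timezone }}
keyboard {{ keyboard }}

# Forces the text installer to be used (saves time)
text
skipx
firstboot --disable

# Security
# Hashes only - the plaintext passwords never appear in this file.
rootpw --iscrypted {{ root_password_sha512_hash }}
auth --useshadow --passalgo=sha512
firewall --enabled --ssh --service=ssh
selinux --enforcing
user --name=admin --groups=wheel --iscrypted --password={{ admin_password_sha512_hash }}

# Installation logging level
logging --level=info

# Network information
network --bootproto=static --device=eth0 --onboot=on --ip={{ hostvars[item]['networks'][0]['ip_address'] }} --netmask={{ hostvars[item]['networks'][0]['netmask'] }} --gateway={{ hostvars[item]['default_gateway'] }} --nameserver={{ dns1_server_ip }} --hostname={{ item }} --noipv6

# System bootloader configuration
# NOTE(review): no bootloader password is set, so anyone with console
# access (hvc0 via the hypervisor) can edit kernel parameters at boot.
bootloader --location=mbr --driveorder=xvda --append="console=hvc0"
zerombr
clearpart --drives=xvda --all --initlabel

# Disk partitioning information
# /tmp is nodev,nosuid,noexec; /var/tmp is bind-mounted onto it in %post so
# it inherits the same options.
part /tmp --bytes-per-inode=4096 --ondisk=xvda --fstype="ext4" --size=2048 --fsoptions="nodev,nosuid,noexec"
part /var --bytes-per-inode=4096 --ondisk=xvda --fstype="ext4" --size={{ hostvars[item]['partitions']['var_size'] }} --fsoptions="defaults,nodev"
part /var/log --bytes-per-inode=4096 --ondisk=xvda --fstype="ext4" --size=2048 --fsoptions="defaults,nodev"
part /var/log/audit --bytes-per-inode=4096 --ondisk=xvda --fstype="ext4" --size=1024 --fsoptions="defaults,nodev"
part /home --bytes-per-inode=4096 --ondisk=xvda --fstype="ext4" --size={{ hostvars[item]['partitions']['home_size'] }} --fsoptions="nodev"
part /boot --bytes-per-inode=4096 --ondisk=xvda --asprimary --fstype="ext2" --size=100 --fsoptions="defaults,nodev"
part swap --bytes-per-inode=4096 --ondisk=xvda --asprimary --fstype="swap" --recommended
part / --bytes-per-inode=4096 --ondisk=xvda --asprimary --fstype="ext4" --size=20480

# Reboot after installation
reboot

%packages
@base
@server-policy
%end

%post
# Add lines to /etc/fstab
echo /tmp /var/tmp none bind 0 0 >> /etc/fstab
sed -i 's%^tmpfs.*%tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid 0 0%g' /etc/fstab

# Enable wheel group sudo access
echo '%wheel ALL=(ALL) ALL' >> /etc/sudoers
# Require root password for admin to run root commands
echo 'Defaults targetpw' >> /etc/sudoers

# Install xen tools automatically
# The archive is fetched and executed as root during install with no
# integrity check: whoever controls xen_tools_gzip_file_url (or the path to
# it, if the URL is plain http) controls this host. Serve it over https and
# compare against a pinned digest before running it, e.g. a
# {{ xen_tools_sha256 }} variable (to be added to group_vars) checked with
# sha256sum -c.
# `-O` pins the local file name, which previously depended on the URL's last
# path component matching "xen_tools.tar.gz"; the && chain stops a failed or
# partial download from being extracted and run.
cd /root
wget -O xen_tools.tar.gz {{ xen_tools_gzip_file_url }} \
  && tar xvfz xen_tools.tar.gz \
  && /root/Linux/install.sh -n
rm -rf Linux/
rm -f xen_tools.tar.gz

reboot

# Now let Ansible take over
--------------------------------------------------------------------------------
/roles/mysql-server/handlers/main.yml:
--------------------------------------------------------------------------------
---

# The service is called mysqld in tasks/main.yml ("mysql running"); the
# handler previously named it "mysql", which does not match and would fail
# if anything ever notified it.
- name: restart mysql
  action: service name=mysqld state=restarted enabled=yes
--------------------------------------------------------------------------------
/roles/mysql-server/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Install MySQL
  yum: name={{ item }} state=installed
  with_items:
    - mysql-server
    - mysql
    - MySQL-python

- name: mysql running
  service: name=mysqld state=started enabled=yes

# 'localhost' needs to be the last item for idempotency, see
# http://ansible.cc/docs/modules.html#mysql-user
# NOTE(review): the password is part of the module arguments and therefore
# appears in verbose play output; if the Ansible in use supports it, add
# `no_log: true` to this task and to "add mysql users" below.
- name: update mysql root password for all root accounts
  mysql_user: name=root host={{ item }} password='{{ mysql_root_password }}'
  with_items:
    - "{{ inventory_hostname }}"
    - 127.0.0.1
    - ::1
    - localhost

# Lets later runs authenticate as root; mode 0600 keeps the password
# readable by root only.
- name: write root conf file
  action: template src=my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0600

- name: ensure anonymous users are not in the database
  mysql_user: name='' host={{ item }} state=absent
  with_items:
    - localhost
    - "{{ inventory_hostname }}"

- name: remove the test database
  mysql_db: name=test state=absent

- name: Add databases
  mysql_db: name={{ item }} encoding=utf8 collation=utf8_bin state=present
  with_items: databases

# item.host should be as narrow as the client needs (a host or subnet, not
# '%'), since the firewall snippet below accepts the MySQL port from any
# source.
- name: add mysql users
  mysql_user: name={{ item.name }}
              host={{ item.host }}
              password={{ item.password }}
              'priv={{ item.priv }}'
              state=present
  with_items: mysql_users

- name: Set iptables configuration
  template: src=110_mysql_server.j2 dest=/etc/ferm/ferm.d/110_mysql_server owner=root group=root
--------------------------------------------------------------------------------
/roles/mysql-server/templates/110_mysql_server.j2:
--------------------------------------------------------------------------------
# NOTE(review): accepts the MySQL port from every source address; if only
# known application hosts need it, add a saddr restriction here the way the
# ferm.conf.j2 admin-network line does.
table filter chain INPUT {
    protocol tcp dport {{ mysql_tcp_port }} ACCEPT;
}
--------------------------------------------------------------------------------
/roles/mysql-server/templates/my.cnf.j2:
--------------------------------------------------------------------------------
# Example .my.cnf file for setting the root password
# Note: don't use quotes around the password, because the mysql_user module
# will include them in the password but the mysql client will not

[client]
user=root
password={{ mysql_root_password }}
--------------------------------------------------------------------------------
/roles/network/handlers/main.yml:
--------------------------------------------------------------------------------
---

- name: restart network
  service: name=network state=restarted
--------------------------------------------------------------------------------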
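/roles/network/tasks/main.yml:
--------------------------------------------------------------------------------
---

# /etc/sysconfig/network is read by the network init script, so a changed
# hostname/gateway needs the same restart the other templates trigger.
- name: Set the hostname and gateway
  template: src=network.j2 dest=/etc/sysconfig/network
  notify:
    - restart network

- name: Copy standard DNS information
  template: src=resolv.j2 dest=/etc/resolv.conf

- name: Copy routing table configuration file
  template: src=rt_tables.j2
            dest=/etc/iproute2/rt_tables
  notify:
    - restart network

# One ifcfg file per entry in `networks`; route/rule files are only written
# for entries that opt in with configure_advanced_networking.
- name: Copy ethernet configuration files
  template: src=ifcfg-eth.j2
            dest=/etc/sysconfig/network-scripts/ifcfg-eth{{ item.device_id }}{{ item.vlan_id }}
  with_items: networks
  notify:
    - restart network

- name: Copy route configuration files
  template: src=route-eth.j2
            dest=/etc/sysconfig/network-scripts/route-eth{{ item.device_id }}{{ item.vlan_id }}
  with_items: networks
  when: item.configure_advanced_networking
  notify:
    - restart network

- name: Copy rule configuration files
  template: src=rule-eth.j2
            dest=/etc/sysconfig/network-scripts/rule-eth{{ item.device_id }}{{ item.vlan_id }}
  with_items: networks
  when: item.configure_advanced_networking
  notify:
    - restart network
--------------------------------------------------------------------------------
/roles/network/templates/ifcfg-eth.j2:
--------------------------------------------------------------------------------
# Universal properties
# ifcfg files are sourced by the network scripts as shell, so every
# templated value below is evaluated by a shell; keep the inventory values
# free of shell metacharacters.
TYPE=Ethernet
DEVICE=eth{{ item.device_id }}{{ item.vlan_id }}
ONBOOT=yes
NM_CONTROLLED=no
USERCTL=no
PEERDNS=no
IPV6INIT=no
IPV6_AUTOCONF=no
# VLAN if present
{% if item.is_vlan %}
VLAN=yes
ONPARENT=yes
{% endif %}
# Static or DHCP
{% if item.boot_protocol == "dhcp" %}
BOOTPROTO=dhcp
# Rendered from the inventory name (same value network.j2 writes as
# HOSTNAME) instead of a backtick command substitution executed at ifup time.
DHCP_HOSTNAME={{ inventory_hostname }}
HWADDR={{ item.mac_address }}
{% else %}
BOOTPROTO=none
IPADDR={{ item.ip_address }}
PREFIX={{ item.prefix }}
{% endif %}
--------------------------------------------------------------------------------
/roles/network/templates/network.j2:
--------------------------------------------------------------------------------
NETWORKING=yes
HOSTNAME={{ inventory_hostname }}
GATEWAY={{ default_gateway }}
NETWORKING_IPV6=no
IPV6INIT=no
NOZEROCONF=yes
--------------------------------------------------------------------------------
/roles/network/templates/resolv.j2:
--------------------------------------------------------------------------------
search {{ domain }}
nameserver {{ dns1_server_ip }}
nameserver {{ dns2_server_ip }}
--------------------------------------------------------------------------------
/roles/network/templates/route-eth.j2:
--------------------------------------------------------------------------------
{# Policy routes for the subnet this interface belongs to; the table name
   must match the entry rt_tables.j2 writes for the same subnet. #}
{% for subnet in subnets %}
{% if subnet.name == item.subnet_name %}
table {{ subnet.name }} to {{ subnet.address }}/{{ subnet.prefix }} dev eth{{item.device_id}}{{ item.vlan_id }}
table {{ subnet.name }} to default via {{ subnet.gateway }} dev eth{{item.device_id}}{{ item.vlan_id }}
{% endif %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/network/templates/rt_tables.j2:
--------------------------------------------------------------------------------
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
{# The VLAN id doubles as the routing-table id; presumably each subnet's
   vlan_id is unique and stays clear of the reserved values above - verify
   in group_vars. #}
{% for subnet in subnets %}
{{ subnet.vlan_id }} {{ subnet.name }}
{% endfor %}
--------------------------------------------------------------------------------
/roles/network/templates/rule-eth.j2:
--------------------------------------------------------------------------------
{% for subnet in subnets %}
{% if subnet.name == item.subnet_name %}
from {{ subnet.address }}/{{ subnet.prefix }} table {{ subnet.name }}
{% endif %}
{% endfor %}
--------------------------------------------------------------------------------
/roles/nginx-server/files/120_web_server:
--------------------------------------------------------------------------------
table filter chain INPUT {
    # web traffic
    protocol tcp dport 80 ACCEPT;
}
--------------------------------------------------------------------------------
/roles/nginx-server/files/collectd_nginx_server:
--------------------------------------------------------------------------------
LoadPlugin nfs
LoadPlugin nginx

# The URL option belongs inside the nginx plugin block; the angle-bracket
# lines were missing from the listing (evidently stripped with the other
# markup) and are restored here. Polls the loopback-only status page.
<Plugin nginx>
  URL "http://localhost/nginx_status"
</Plugin>
--------------------------------------------------------------------------------
/roles/nginx-server/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Install nginx
  yum: name={{ item }} state=present
  with_items:
    - nginx
    - collectd-nginx

- name: Set iptables configuration
  copy: src=120_web_server dest=/etc/ferm/ferm.d/120_web_server owner=root group=root

# No notify here on purpose: the `end` role reloads nginx at the end of the
# play.
- name: Set the core nginx configuration
  template: src=nginx.conf.j2
            dest=/etc/nginx/nginx.conf

- name: Copy local collectd plugins
  copy: src=collectd_nginx_server
        dest=/etc/collectd.d/collectd_nginx_server
        owner=root
        group=root

- name: Make sure key services are running now
  service: name=nginx state=started enabled=yes
--------------------------------------------------------------------------------
/roles/nginx-server/templates/nginx.conf.j2:
--------------------------------------------------------------------------------

user nginx;
worker_processes {{ vcpus }};

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # NOTE(review): access logging is off globally, so no request history is
    # available for incident response unless a conf.d server re-enables it
    # (the OSSEC agent only tails the syslog files, not nginx logs).
    access_log off;

    server_tokens off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    keepalive_requests 100000;
    reset_timedout_connection on;
    client_body_timeout 10;
    send_timeout 2;
    client_max_body_size 20m;
    client_body_buffer_size 128k;


    gzip on;
    gzip_min_length 10240;
    gzip_static on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Status endpoint for the local collectd poller (collectd_nginx_server
    # fetches http://localhost/nginx_status). It was reachable from any
    # client before; restricting it to loopback stops connection/request
    # counters leaking to the outside.
    # NOTE(review): this server block has no listen/server_name, so it is
    # presumably the first *:80 server and therefore the default one unless
    # conf.d/default.conf declares default_server - confirm.
    server {
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
    }

    # Load config files from the /etc/nginx/conf.d directory
    # The default server is in conf.d/default.conf
    include /etc/nginx/conf.d/*.conf;
}
--------------------------------------------------------------------------------
/roles/ntp-client/handlers/main.yml:
--------------------------------------------------------------------------------
---

- name: restart ntpd
  service: name=ntpd state=restarted
--------------------------------------------------------------------------------
/roles/ntp-client/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Set ntp configuration
  template: src=ntp.conf.j2 dest=/etc/ntp.conf owner=root group=root
  notify:
    - restart ntpd

- name: Ensure that ntpd is running
  service: name=ntpd state=started enabled=yes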
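--------------------------------------------------------------------------------
/roles/ntp-client/templates/ntp.conf.j2:
--------------------------------------------------------------------------------
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# local NTP server
# Unauthenticated: no key is bound to this server line, so any host that
# can spoof ntp_server_ip on the LAN can steer this client's clock.
server {{ ntp_server_ip }}
--------------------------------------------------------------------------------
/roles/ntp-server/files/110_ntp_server:
--------------------------------------------------------------------------------
table filter chain INPUT {
    # NTP
    protocol udp dport 123 ACCEPT;
}
--------------------------------------------------------------------------------
/roles/ntp-server/handlers/main.yml:
--------------------------------------------------------------------------------
---

- name: restart ntpd
  service: name=ntpd state=restarted
--------------------------------------------------------------------------------
/roles/ntp-server/tasks/main.yml:
--------------------------------------------------------------------------------
---

# Both this role and ntp-client write /etc/ntp.conf; a host must not be in
# both, or the last role to run wins.
- name: Set ntp configuration
  template: src=ntp.conf.j2 dest=/etc/ntp.conf owner=root group=root
  notify:
    - restart ntpd

- name: Set iptables configuration
  copy: src=110_ntp_server dest=/etc/ferm/ferm.d/110_ntp_server owner=root group=root

# Added for parity with ntp-client: the server role previously never made
# sure ntpd was actually running or enabled at boot.
- name: Ensure that ntpd is running
  service: name=ntpd state=started enabled=yes
--------------------------------------------------------------------------------
/roles/ntp-server/templates/ntp.conf.j2:
--------------------------------------------------------------------------------
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
# noquery added: clients only need time service, not the ntpq/ntpdc control
# and monitoring queries, which expose peer lists and can be abused for
# reflection. Queries from the server itself still work via the loopback
# lines above.
{% for item in allowed_networks %}
restrict {{ item.network }} mask {{ item.netmask }} nomodify notrap noquery
{% endfor %}

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.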
statistics clockstats cryptostats loopstats peerstats
--------------------------------------------------------------------------------
/roles/ossec-client/files/RPM-GPG-KEY.art.txt:
--------------------------------------------------------------------------------
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)

mQGiBEGP+skRBACyZz7muj2OgWc9FxK+Hj7tWPnrfxEN+0PE+n8MtqH+dxwQpMTd
gDpOXxJa45GM5pEwB6CFSFK7Fb/faniF9fDbm1Ga7MpBupIBYLactkoOTZMuTlGB
T0O5ha4h26YLqFfQOtlEi7d0+BDDdfHRQw3o67ycgRnLgYSA79DISc3MywCgk2TR
yd5sRfZAG23b4EDl+D0+oaMEAK73J7zuxf6F6V5EaxLd/w4JVB2xW0Glcn0fACOe
8FV9lzcZuo2xPpdGuyj02f/xlqvEav3XqTfFU2no61mA2pamaRNhlo+CEfGc7qde
/1twfSgOYqzeCx7+aybyPo8Th41b80FT19mfkjBf6+5NbUHffRabFFh1FmcPVNBn
F3FoA/95nRIzqDMItdTRitaZn02dIGNjdwllBD75bSVEvaR9O5hjBo0VMc25DB7f
DM2qEO52wCQbAKw9zFC284ekZVDaK4aHYt7iobHaqJEpKHgsDut5WWuMiSLR+SsF
aBHIZ9HvrKWLSUQKHU6A1Hva0P0r3GnoCMc/VCVfrLl721SjPbQzQXRvbWljIFJv
Y2tldCBUdXJ0bGUgPGFkbWluQGF0b21pY3JvY2tldHR1cnRsZS5jb20+iFkEExEC
ABkFAkGP+skECwcDAgMVAgMDFgIBAh4BAheAAAoJEDKpURRevSdEzcQAn1hSHqTO
jwv/z/picpOnR+mgycwHAKCBex2ciyXo5xeaQ9w7OMf7Jsmon7kBDQRBj/rMEAQA
6JvRndqE4koK0e49fUkICm1X0ZEzsVg9VmUW+Zft5guCRxmGlYTmtlC7oJCToRP/
m/xH5uIevGiJycRKB0Ix+Csl6f9QuTkQ7tSTHcaIKbI3tL1x6CCBoWeTGYaOJlvk
ubrmajiMFaBfopLH2firoSToDGoUvv4e7bImIHEgNr8AAwUEAND0YR9DOEZvc+Lq
Ta/PQyxkdZ75o+Ty/O64E3OmO1Tuw2ciSQXCcwrbrMSE6EHHetxtGCnOdkjjjtmH
AnxsxdONv/EJuQmLcoNcsigZZ4tfRdmtXgcbnOmXBgmy1ea1KvWcsmecNSAMJHwR
7vDDKzbj4mSmudzjapHeeOewFF10iEYEGBECAAYFAkGP+swACgkQMqlRFF69J0Sq
nQCfa/q9Y/oY4dOTGj6MsdmRIQkKZhYAoIscjinFwTru4FVi2MIEzUUMToDK
=NOIx
-----END PGP PUBLIC KEY BLOCK-----
--------------------------------------------------------------------------------
/roles/ossec-client/handlers/main.yml:
--------------------------------------------------------------------------------
---

# Enrols this host with the manager; notified only by the package install
# task, so it runs once. If enrolment fails on that first run (manager not
# up yet, port filtered) nothing retries it automatically.
# NOTE(review): invoked this way agent-auth does not check the manager's
# certificate, so enrolment trusts whatever answers at ossec_server_ip;
# newer agent-auth builds can pin the manager CA - confirm for the
# installed version.
- name: Register client
  command: /var/ossec/bin/agent-auth -m {{ ossec_server_ip }} -p {{ ossec_authd_port }}

- name: Restart ossec
  service: name=ossec-hids state=restarted
--------------------------------------------------------------------------------
/roles/ossec-client/tasks/main.yml:
--------------------------------------------------------------------------------
---

- name: Add atomic repository
  template: src=atomic.repo.j2
            dest=/etc/yum.repos.d/atomic.repo
            owner=root
            group=root
            mode=0644

# https://www.atomicorp.com/RPM-GPG-KEY.art.txt
# Vendored copy of the repo signing key; with gpgcheck=1 in atomic.repo this
# is what authenticates packages fetched from the (http) mirror.
- name: Add atomic GPG key
  copy: src=RPM-GPG-KEY.art.txt
        dest=/etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
        owner=root
        group=root
        mode=0644

- name: Install ossec agent
  yum: name=ossec-hids-client state=installed
  notify:
    - Register client

- name: Set ossec client config
  template: src=ossec-agent.conf.j2 dest=/var/ossec/etc/ossec-agent.conf
  notify:
    - Restart ossec

- name: Enable ossec
  service: name=ossec-hids state=started enabled=yes
--------------------------------------------------------------------------------
/roles/ossec-client/templates/atomic.repo.j2:
--------------------------------------------------------------------------------
# Name: Atomic Rocket Turtle RPM Repository for CentOS / Red Hat Enterprise Linux 6 -
# URL: http://www.atomicrocketturtle.com/
# Note: This isn't covered by ASL support.
-Scott 4 | [atomic] 5 | name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com 6 | #mirrorlist = http://updates.atomicorp.com/channels/mirrorlist/atomic/centos-$releasever-$basearch 7 | baseurl = http://www5.atomicorp.com/channels/ossec/centos/{{ centos_series }}/{{ centos_architecture }} 8 | enabled = 1 9 | priority = 1 10 | protect = 0 11 | gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt 12 | gpgcheck = 1 -------------------------------------------------------------------------------- /roles/ossec-client/templates/ossec-agent.conf.j2: -------------------------------------------------------------------------------- 1 | 2 | 3 | {{ ossec_server_ip }} 4 | 5 | 6 | 7 | 8 | 9 | no 10 | yes 11 | no 12 | 4am 13 | 14 | 15 | 82800 16 | 17 | 18 | /etc 19 | /usr/local/bin 20 | /root/.ssh 21 | 22 | 23 | /usr/bin,/usr/sbin 24 | /bin,/sbin 25 | 26 | 27 | /etc/mtab 28 | /etc/mnttab 29 | /etc/hosts.deny 30 | /etc/mail/statistics 31 | /etc/random-seed 32 | /etc/adjtime 33 | /etc/httpd/logs 34 | /etc/utmpx 35 | /etc/wtmpx 36 | /etc/cups/certs 37 | 38 | 39 | 40 | /var/ossec/etc/shared/rootkit_files.txt 41 | /var/ossec/etc/shared/rootkit_trojans.txt 42 | 43 | 44 | 45 | syslog 46 | /var/log/messages 47 | 48 | 49 | 50 | syslog 51 | /var/log/iptables.log 52 | 53 | 54 | 55 | syslog 56 | /var/log/secure 57 | 58 | 59 | 60 | syslog 61 | /var/log/maillog 62 | 63 | 64 | 65 | syslog 66 | /var/log/audit/audit.log 67 | 68 | 69 | 70 | 71 | full_command 72 | /sbin/iptables -nL 73 | 74 | 75 | 76 | full_command 77 | netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort 78 | 79 | 80 | 81 | full_command 82 | last -n 5 83 | 84 | 85 | 86 | -------------------------------------------------------------------------------- /roles/ossec-server/files/RPM-GPG-KEY.art.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | Version: GnuPG v1.2.1 (GNU/Linux) 3 | 4 | 
mQGiBEGP+skRBACyZz7muj2OgWc9FxK+Hj7tWPnrfxEN+0PE+n8MtqH+dxwQpMTd 5 | gDpOXxJa45GM5pEwB6CFSFK7Fb/faniF9fDbm1Ga7MpBupIBYLactkoOTZMuTlGB 6 | T0O5ha4h26YLqFfQOtlEi7d0+BDDdfHRQw3o67ycgRnLgYSA79DISc3MywCgk2TR 7 | yd5sRfZAG23b4EDl+D0+oaMEAK73J7zuxf6F6V5EaxLd/w4JVB2xW0Glcn0fACOe 8 | 8FV9lzcZuo2xPpdGuyj02f/xlqvEav3XqTfFU2no61mA2pamaRNhlo+CEfGc7qde 9 | /1twfSgOYqzeCx7+aybyPo8Th41b80FT19mfkjBf6+5NbUHffRabFFh1FmcPVNBn 10 | F3FoA/95nRIzqDMItdTRitaZn02dIGNjdwllBD75bSVEvaR9O5hjBo0VMc25DB7f 11 | DM2qEO52wCQbAKw9zFC284ekZVDaK4aHYt7iobHaqJEpKHgsDut5WWuMiSLR+SsF 12 | aBHIZ9HvrKWLSUQKHU6A1Hva0P0r3GnoCMc/VCVfrLl721SjPbQzQXRvbWljIFJv 13 | Y2tldCBUdXJ0bGUgPGFkbWluQGF0b21pY3JvY2tldHR1cnRsZS5jb20+iFkEExEC 14 | ABkFAkGP+skECwcDAgMVAgMDFgIBAh4BAheAAAoJEDKpURRevSdEzcQAn1hSHqTO 15 | jwv/z/picpOnR+mgycwHAKCBex2ciyXo5xeaQ9w7OMf7Jsmon7kBDQRBj/rMEAQA 16 | 6JvRndqE4koK0e49fUkICm1X0ZEzsVg9VmUW+Zft5guCRxmGlYTmtlC7oJCToRP/ 17 | m/xH5uIevGiJycRKB0Ix+Csl6f9QuTkQ7tSTHcaIKbI3tL1x6CCBoWeTGYaOJlvk 18 | ubrmajiMFaBfopLH2firoSToDGoUvv4e7bImIHEgNr8AAwUEAND0YR9DOEZvc+Lq 19 | Ta/PQyxkdZ75o+Ty/O64E3OmO1Tuw2ciSQXCcwrbrMSE6EHHetxtGCnOdkjjjtmH 20 | AnxsxdONv/EJuQmLcoNcsigZZ4tfRdmtXgcbnOmXBgmy1ea1KvWcsmecNSAMJHwR 21 | 7vDDKzbj4mSmudzjapHeeOewFF10iEYEGBECAAYFAkGP+swACgkQMqlRFF69J0Sq 22 | nQCfa/q9Y/oY4dOTGj6MsdmRIQkKZhYAoIscjinFwTru4FVi2MIEzUUMToDK 23 | =NOIx 24 | -----END PGP PUBLIC KEY BLOCK----- 25 | -------------------------------------------------------------------------------- /roles/ossec-server/files/local_rules.xml: -------------------------------------------------------------------------------- 1 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 26 | 27 | 5711 28 | 1.1.1.1 29 | Example of rule that will ignore sshd 30 | failed logins from IP 1.1.1.1. 
31 | 32 | 33 | 34 | 1002 35 | comm="iptables" path="/var/log/audit/audit.log" 36 | Unknown iptables SELinux violation 37 | 38 | 39 | 40 | 42 | 52 | 58 | 59 | 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- /roles/ossec-server/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Initialize ossec 4 | command: /var/ossec/bin/ossec-control restart 5 | notify: 6 | # - Generate key 7 | # - Generate cert 8 | - Enable syslog client 9 | 10 | # - name: Generate key 11 | # command: openssl genrsa -out /var/ossec/etc/sslmanager.key 2048 12 | 13 | # - name: Generate cert 14 | # command: openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365 15 | 16 | - name: Enable syslog client 17 | command: /var/ossec/bin/ossec-control enable client-syslog 18 | 19 | - name: Restart ossec 20 | service: name=ossec-hids state=restarted 21 | -------------------------------------------------------------------------------- /roles/ossec-server/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Add atomic repository 4 | template: src=atomic.repo.j2 5 | dest=/etc/yum.repos.d/atomic.repo 6 | owner=root 7 | group=root 8 | mode=0644 9 | 10 | # https://www.atomicorp.com/RPM-GPG-KEY.art.txt 11 | - name: Add atomic GPG key 12 | copy: src=RPM-GPG-KEY.art.txt 13 | dest=/etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt 14 | owner=root 15 | group=root 16 | mode=0644 17 | 18 | - name: Install ossec authd init script 19 | template: src=ossec-authd.j2 20 | dest=/etc/init.d/ossec-authd 21 | owner=root 22 | group=root 23 | mode=0755 24 | 25 | - name: Install ossec server 26 | yum: name=ossec-hids-server 27 | state=installed 28 | notify: 29 | - Initialize ossec 30 | 31 | - name: Install ossec server private SSL key 32 | copy: src=ossec.key 33 | dest=/var/ossec/etc/sslmanager.key 34 | 
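owner=root group=root mode=0600
  # NOTE(review): the manager's private key (files/ossec.key) is shipped as
  # a plain role file; make sure it is excluded from version control or
  # stored encrypted, since anyone with the repository can impersonate the
  # manager to enrolling agents.

- name: Install ossec server public SSL cert
  copy: src=ossec.cer
        dest=/var/ossec/etc/sslmanager.cert
        owner=root
        group=root
        mode=0644

- name: Set ossec server config
  template: src=ossec-server.conf.j2
            dest=/var/ossec/etc/ossec-server.conf
  notify:
    - Restart ossec

# Rules are read at startup, so a changed rule file needs the same restart
# the config template triggers; previously nothing was notified here.
- name: Copy local rules
  copy: src=local_rules.xml
        dest=/var/ossec/rules
  notify:
    - Restart ossec

- name: Set iptables configuration
  template: src=100_ossec_server.j2
            dest=/etc/ferm/ferm.d/100_ossec_server
            owner=root
            group=root

- name: Ensure ossec server is running and enabled at start up
  service: name={{ item }}
           state=started
           enabled=yes
  with_items:
    - ossec-hids
    - ossec-authd
--------------------------------------------------------------------------------
/roles/ossec-server/templates/100_ossec_server.j2:
--------------------------------------------------------------------------------
table filter chain INPUT {
    # authd traffic
    # NOTE(review): enrolment is open to every source address and authd is
    # enabled permanently (tasks/main.yml), so any host that can reach this
    # port can register itself as an agent. Restrict saddr to the agent
    # networks, or only run ossec-authd while hosts are being enrolled.
    protocol tcp dport {{ ossec_authd_port }} ACCEPT;

    # OSSEC server traffic
    # Plain literal: `{{ 1514 }}` was a Jinja expression that rendered to
    # the same constant.
    protocol udp dport 1514 ACCEPT;
}
--------------------------------------------------------------------------------
/roles/ossec-server/templates/atomic.repo.j2:
--------------------------------------------------------------------------------
# Name: Atomic Rocket Turtle RPM Repository for CentOS / Red Hat Enterprise Linux 6 -
# URL: http://www.atomicrocketturtle.com/
# Note: This isn't covered by ASL support. -Scott
[atomic]
name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com
#mirrorlist = http://updates.atomicorp.com/channels/mirrorlist/atomic/centos-$releasever-$basearch
# Plain-http mirror; package integrity rests on gpgcheck=1 and the vendored
# RPM-GPG-KEY.art.txt. Switch to https if the mirror offers it.
baseurl = http://www5.atomicorp.com/channels/ossec/centos/{{ centos_series }}/{{ centos_architecture }}
enabled = 1
priority = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
gpgcheck = 1
--------------------------------------------------------------------------------
/roles/ossec-server/templates/ossec-authd.j2:
--------------------------------------------------------------------------------
#!/bin/sh
#
# ossec-authd Start the OSSEC-HIDS Authentication Daemon
#
# chkconfig: 2345 99 01
# description: Provides key signing for OSSEC Clients
# processname: ossec-authd
# config: /var/ossec/etc/ossec.conf
# pidfile: /var/ossec/var/run/ossec-authd-<pid>.pid (see PIDDIR below)
### BEGIN INIT INFO
# Provides: ossec-authd
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Authentication Daemon for OSSEC-HIDS.
# Description: Provides key signing for OSSEC Clients
### END INIT INFO

# Author: Brad Lhotsky
NAME=ossec-authd
DAEMON=/var/ossec/bin/ossec-authd
# The redirections are part of the argument string because the `daemon`
# helper from init.d/functions runs the whole command line through a shell.
# Order matters: `2>&1 >> file` left stderr on the console; the file must be
# opened first so stderr follows stdout into the log.
DAEMON_ARGS="-p {{ ossec_authd_port }} >> /var/ossec/logs/ossec-authd.log 2>&1 &"
PIDDIR=/var/ossec/var/run
SCRIPTNAME=/etc/init.d/ossec-authd

. /etc/rc.d/init.d/functions

# Sets PIDFILE/PID from the newest live $PIDDIR/ossec-authd-<pid>.pid and
# removes stale pid files whose process is gone. (Function body continues
# below this point in the original file.)
getpid() {
    for filename in "$PIDDIR"/${NAME}*.pid; do
        pidfile=$(basename "$filename")
        # file name is ossec-authd-<pid>.pid: 3rd '-' field, minus ".pid"
        pid=$(echo "$pidfile" | cut -d\- -f 3 | cut -d\. -f 1)
        kill -0 "$pid" &> /dev/null
        RETVAL=$?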
35 | if [ $RETVAL -eq 0 ]; then 36 | PIDFILE=$filename 37 | PID=$pid 38 | else 39 | rm -f $filename 40 | fi; 41 | done; 42 | } 43 | 44 | start() { 45 | echo -n $"Starting $NAME: " 46 | daemon $DAEMON $DAEMON_ARGS 47 | retval=$? 48 | if [ $retval -eq 0 ]; then 49 | echo_success 50 | echo 51 | else 52 | echo_failure 53 | echo 54 | fi 55 | return $retval 56 | } 57 | 58 | stop() { 59 | echo -n $"Stopping $NAME: " 60 | getpid 61 | killproc -p $PIDFILE $NAME 62 | retval=$? 63 | echo 64 | return $retval 65 | } 66 | 67 | restart() { 68 | stop 69 | start 70 | } 71 | 72 | case "$1" in 73 | start) 74 | start 75 | ;; 76 | stop) 77 | stop 78 | ;; 79 | status) 80 | getpid 81 | if [ -z $PIDFILE ]; then 82 | status $NAME 83 | else 84 | status -p $PIDFILE $NAME 85 | fi; 86 | ;; 87 | restart) 88 | restart 89 | ;; 90 | *) 91 | echo "Usage: $0 {start|stop|status}" 92 | exit 2 93 | ;; 94 | esac 95 | 96 | exit $? 97 | -------------------------------------------------------------------------------- /roles/ossec-server/templates/ossec-server.conf.j2: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | no 5 | {{ admin_email_address }} 6 | localhost 7 | {{ ossec_from_email_address }}@{{ domain }} 8 | no 9 | 10 | 11 | 12 | {{ log_server_ip }} 13 | {{ syslog_tcp_port }} 14 | 1 15 | default 16 | 17 | 18 | 19 | rules_config.xml 20 | pam_rules.xml 21 | sshd_rules.xml 22 | telnetd_rules.xml 23 | syslog_rules.xml 24 | arpwatch_rules.xml 25 | symantec-av_rules.xml 26 | symantec-ws_rules.xml 27 | pix_rules.xml 28 | named_rules.xml 29 | smbd_rules.xml 30 | vsftpd_rules.xml 31 | pure-ftpd_rules.xml 32 | proftpd_rules.xml 33 | ms_ftpd_rules.xml 34 | ftpd_rules.xml 35 | hordeimp_rules.xml 36 | roundcube_rules.xml 37 | wordpress_rules.xml 38 | cimserver_rules.xml 39 | vpopmail_rules.xml 40 | vmpop3d_rules.xml 41 | courier_rules.xml 42 | web_rules.xml 43 | web_appsec_rules.xml 44 | apache_rules.xml 45 | nginx_rules.xml 46 | php_rules.xml 47 | mysql_rules.xml 48 
| postgresql_rules.xml 49 | ids_rules.xml 50 | squid_rules.xml 51 | firewall_rules.xml 52 | cisco-ios_rules.xml 53 | netscreenfw_rules.xml 54 | sonicwall_rules.xml 55 | postfix_rules.xml 56 | sendmail_rules.xml 57 | imapd_rules.xml 58 | mailscanner_rules.xml 59 | dovecot_rules.xml 60 | ms-exchange_rules.xml 61 | racoon_rules.xml 62 | vpn_concentrator_rules.xml 63 | spamd_rules.xml 64 | msauth_rules.xml 65 | mcafee_av_rules.xml 66 | trend-osce_rules.xml 67 | ms-se_rules.xml 68 | policy_rules.xml 69 | zeus_rules.xml 70 | solaris_bsm_rules.xml 71 | vmware_rules.xml 72 | ms_dhcp_rules.xml 73 | asterisk_rules.xml 74 | ossec_rules.xml 75 | attack_rules.xml 76 | local_rules.xml 77 | 78 | 79 | 80 | 81 | yes 82 | yes 83 | no 84 | 4am 85 | 86 | 87 | 82800 88 | 89 | 90 | /etc 91 | /usr/local/bin 92 | /root/.ssh 93 | 94 | 95 | /usr/bin,/usr/sbin 96 | /bin,/sbin 97 | 98 | 99 | /etc/mtab 100 | /etc/hosts.deny 101 | /etc/mail/statistics 102 | /etc/random-seed 103 | /etc/adjtime 104 | /etc/httpd/logs 105 | 106 | 107 | 108 | /var/ossec/etc/shared/rootkit_files.txt 109 | /var/ossec/etc/shared/rootkit_trojans.txt 110 | 111 | 112 | 113 | 127.0.0.1 114 | {% for subnet in subnets %} 115 | {{ subnet.address }}/{{ subnet.prefix }} 116 | {% endfor %} 117 | 118 | 119 | 120 | secure 121 | 122 | 123 | 124 | {{ admin_email_address }} 125 | 7 126 | 127 | 128 | 129 | 130 | 131 | 1 132 | 7 133 | 134 | 135 | 136 | host-deny 137 | host-deny.sh 138 | srcip 139 | yes 140 | 141 | 142 | 143 | firewall-drop 144 | firewall-drop.sh 145 | srcip 146 | yes 147 | 148 | 149 | 150 | disable-account 151 | disable-account.sh 152 | user 153 | yes 154 | 155 | 156 | 157 | 158 | 159 | 164 | host-deny 165 | local 166 | 6 167 | 600 168 | 169 | 170 | 171 | 175 | firewall-drop 176 | local 177 | 6 178 | 600 179 | 180 | 181 | 182 | 183 | 184 | syslog 185 | /var/log/messages 186 | 187 | 188 | 189 | syslog 190 | /var/log/iptables.log 191 | 192 | 193 | 194 | syslog 195 | /var/log/secure 196 | 197 | 198 | 199 | syslog 200 | 
/var/log/maillog 201 | 202 | 203 | 204 | syslog 205 | /var/log/audit/audit.log 206 | 207 | 208 | 209 | 210 | full_command 211 | /sbin/iptables -nL 212 | 213 | 214 | 215 | full_command 216 | netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort 217 | 218 | 219 | 220 | full_command 221 | last -n 5 222 | 223 | 224 | {% for item in device_clients %} 225 | 226 | syslog 227 | {{ remote_log_path }}/{{ item }}.log 228 | 229 | {% endfor %} 230 | 231 | 232 | -------------------------------------------------------------------------------- /roles/squid-server/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: restart squid 4 | service: name=squid state=restarted 5 | 6 | - name: reload squid 7 | service: name=squid state=reloaded -------------------------------------------------------------------------------- /roles/squid-server/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Install squid server 4 | yum: name=squid state=installed 5 | 6 | - name: squid running 7 | service: name=squid state=started enabled=yes 8 | 9 | - name: Copy conf file 10 | template: src=squid.conf.j2 dest=/etc/squid/squid.conf owner=root group=root mode=0644 11 | notify: 12 | - restart squid 13 | 14 | - name: Set iptables configuration 15 | template: src=108_squid_server.j2 dest=/etc/ferm/ferm.d/108_squid_server owner=root group=root 16 | -------------------------------------------------------------------------------- /roles/squid-server/templates/108_squid_server.j2: -------------------------------------------------------------------------------- 1 | table filter chain INPUT { 2 | # squid server 3 | protocol tcp dport {{ web_proxy_port }} ACCEPT; 4 | } 5 | -------------------------------------------------------------------------------- /roles/squid-server/templates/squid.conf.j2: -------------------------------------------------------------------------------- 1 | 
# 2 | # Recommended minimum configuration: 3 | # 4 | acl manager proto cache_object 5 | acl localhost src 127.0.0.1/32 6 | acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 7 | 8 | # Example rule allowing access from your local networks. 9 | # Adapt to list your (internal) IP networks from where browsing 10 | # should be allowed 11 | {% for item in allowed_networks %} 12 | acl localnet src {{ item.network }}/{{ item.cidr }} 13 | {% endfor %} 14 | 15 | acl SSL_ports port 443 16 | acl Safe_ports port 80 # http 17 | acl Safe_ports port 21 # ftp 18 | acl Safe_ports port 443 # https 19 | acl Safe_ports port 70 # gopher 20 | acl Safe_ports port 210 # wais 21 | acl Safe_ports port 1025-65535 # unregistered ports 22 | acl Safe_ports port 280 # http-mgmt 23 | acl Safe_ports port 488 # gss-http 24 | acl Safe_ports port 591 # filemaker 25 | acl Safe_ports port 777 # multiling http 26 | acl CONNECT method CONNECT 27 | 28 | # 29 | # Recommended minimum Access Permission configuration: 30 | # 31 | # Only allow cachemgr access from localhost 32 | http_access allow manager localhost 33 | http_access deny manager 34 | 35 | # Deny requests to certain unsafe ports 36 | http_access deny !Safe_ports 37 | 38 | # Deny CONNECT to other than secure SSL ports 39 | http_access deny CONNECT !SSL_ports 40 | 41 | # We strongly recommend the following be uncommented to protect innocent 42 | # web applications running on the proxy server who think the only 43 | # one who can access services on "localhost" is a local user 44 | #http_access deny to_localhost 45 | 46 | # 47 | # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS 48 | # 49 | 50 | # Example rule allowing access from your local networks. 
51 | # Adapt localnet in the ACL section to list your (internal) IP networks 52 | # from where browsing should be allowed 53 | http_access allow localnet 54 | http_access allow localhost 55 | 56 | # And finally deny all other access to this proxy 57 | http_access deny all 58 | 59 | # Squid normally listens to port 3128 60 | http_port {{ web_proxy_port }} 61 | 62 | # We recommend you to use at least the following line. 63 | hierarchy_stoplist cgi-bin ? 64 | 65 | # Uncomment and adjust the following to add a disk cache directory. 66 | #cache_dir ufs /var/spool/squid 100 16 256 67 | 68 | # Leave coredumps in the first cache dir 69 | coredump_dir /var/spool/squid 70 | 71 | # Add any of your own refresh_pattern entries above these. 72 | refresh_pattern ^ftp: 1440 20% 10080 73 | refresh_pattern ^gopher: 1440 0% 1440 74 | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 75 | refresh_pattern . 0 20% 4320 76 | 77 | # Local settings 78 | cache_mem {{ web_proxy_cache_size }} MB 79 | cache_mgr {{ admin_email_address }} 80 | -------------------------------------------------------------------------------- /roles/ssh/files/sshd_config: -------------------------------------------------------------------------------- 1 | # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ 2 | 3 | # This is the sshd server system-wide configuration file. See 4 | # sshd_config(5) for more information. 5 | 6 | # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin 7 | 8 | # The strategy used for options in the default sshd_config shipped with 9 | # OpenSSH is to specify options with their default value where 10 | # possible, but leave them commented. Uncommented options change a 11 | # default value. 
12 | 13 | Port 22 14 | AddressFamily inet 15 | ListenAddress 0.0.0.0 16 | #ListenAddress :: 17 | Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc 18 | # MACs hmac-sha2-256,hmac-sha2-512 19 | 20 | # Disable legacy (protocol version 1) support in the server for new 21 | # installations. In future the default will change to require explicit 22 | # activation of protocol 1 23 | Protocol 2 24 | 25 | # HostKey for protocol version 1 26 | #HostKey /etc/ssh/ssh_host_key 27 | # HostKeys for protocol version 2 28 | #HostKey /etc/ssh/ssh_host_rsa_key 29 | #HostKey /etc/ssh/ssh_host_dsa_key 30 | 31 | # Lifetime and size of ephemeral version 1 server key 32 | #KeyRegenerationInterval 1h 33 | #ServerKeyBits 1024 34 | 35 | # Logging 36 | # obsoletes QuietMode and FascistLogging 37 | #SyslogFacility AUTH 38 | SyslogFacility AUTHPRIV 39 | #LogLevel INFO 40 | 41 | # Authentication: 42 | 43 | #LoginGraceTime 2m 44 | PermitRootLogin no 45 | #StrictModes yes 46 | MaxAuthTries 6 47 | #MaxSessions 10 48 | 49 | #RSAAuthentication yes 50 | #PubkeyAuthentication yes 51 | #AuthorizedKeysFile .ssh/authorized_keys 52 | #AuthorizedKeysCommand none 53 | #AuthorizedKeysCommandRunAs nobody 54 | 55 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 56 | #RhostsRSAAuthentication no 57 | # similar for protocol version 2 58 | HostbasedAuthentication no 59 | # Change to yes if you don't trust ~/.ssh/known_hosts for 60 | # RhostsRSAAuthentication and HostbasedAuthentication 61 | #IgnoreUserKnownHosts no 62 | # Don't read the user's ~/.rhosts and ~/.shosts files 63 | IgnoreRhosts yes 64 | 65 | # To disable tunneled clear text passwords, change to no here! 
66 | #PasswordAuthentication yes 67 | PermitEmptyPasswords no 68 | PasswordAuthentication yes 69 | 70 | # Change to no to disable s/key passwords 71 | #ChallengeResponseAuthentication yes 72 | ChallengeResponseAuthentication no 73 | 74 | # Kerberos options 75 | #KerberosAuthentication no 76 | #KerberosOrLocalPasswd yes 77 | #KerberosTicketCleanup yes 78 | #KerberosGetAFSToken no 79 | #KerberosUseKuserok yes 80 | 81 | # GSSAPI options 82 | #GSSAPIAuthentication no 83 | GSSAPIAuthentication yes 84 | #GSSAPICleanupCredentials yes 85 | GSSAPICleanupCredentials yes 86 | #GSSAPIStrictAcceptorCheck yes 87 | #GSSAPIKeyExchange no 88 | 89 | # Set this to 'yes' to enable PAM authentication, account processing, 90 | # and session processing. If this is enabled, PAM authentication will 91 | # be allowed through the ChallengeResponseAuthentication and 92 | # PasswordAuthentication. Depending on your PAM configuration, 93 | # PAM authentication via ChallengeResponseAuthentication may bypass 94 | # the setting of "PermitRootLogin without-password". 95 | # If you just want the PAM account and session checks to run without 96 | # PAM authentication, then enable this but set PasswordAuthentication 97 | # and ChallengeResponseAuthentication to 'no'. 
98 | #UsePAM no 99 | UsePAM yes 100 | 101 | # Accept locale-related environment variables 102 | AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 103 | AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 104 | AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 105 | AcceptEnv XMODIFIERS 106 | 107 | #AllowAgentForwarding yes 108 | #AllowTcpForwarding yes 109 | #GatewayPorts no 110 | #X11Forwarding no 111 | X11Forwarding yes 112 | #X11DisplayOffset 10 113 | #X11UseLocalhost yes 114 | #PrintMotd yes 115 | PrintLastLog yes 116 | #TCPKeepAlive yes 117 | #UseLogin no 118 | #UsePrivilegeSeparation yes 119 | PermitUserEnvironment no 120 | #Compression delayed 121 | ClientAliveInterval 900 122 | ClientAliveCountMax 0 123 | #ShowPatchLevel no 124 | #UseDNS yes 125 | #PidFile /var/run/sshd.pid 126 | #MaxStartups 10 127 | #PermitTunnel no 128 | #ChrootDirectory none 129 | 130 | # no default banner path 131 | Banner /etc/issue 132 | 133 | # override default of no subsystems 134 | Subsystem sftp /usr/libexec/openssh/sftp-server 135 | 136 | # Example of overriding settings on a per-user basis 137 | #Match User anoncvs 138 | # X11Forwarding no 139 | # AllowTcpForwarding no 140 | # ForceCommand cvs server 141 | UseDNS no 142 | -------------------------------------------------------------------------------- /roles/ssh/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: restart sshd 4 | service: name=sshd state=restarted 5 | -------------------------------------------------------------------------------- /roles/ssh/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: sshd running 4 | service: name=sshd state=started enabled=yes 5 | 6 | - name: Add .ssh directory for the administrator user 7 | file: path=/home/{{ administrator_username }}/.ssh owner={{ administrator_username }} group={{ administrator_username }} mode=0700 
state=directory 8 | 9 | - name: Set authorized keys 10 | authorized_key: user={{ administrator_username }} 11 | key="{{ lookup('file', '../../../keys/admin_public_key') }}" 12 | 13 | - name: Set ssh root config 14 | copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0600 15 | notify: 16 | - restart sshd 17 | -------------------------------------------------------------------------------- /roles/syslog-ng-client/files/iptables.conf: -------------------------------------------------------------------------------- 1 | destination d_iptables { file("/var/log/iptables.log"); }; 2 | 3 | filter f_iptables { 4 | program(kernel) and 5 | message("iptables:"); 6 | }; 7 | 8 | log { source(s_sys); 9 | filter(f_iptables); 10 | destination(d_iptables); 11 | flags(final); 12 | }; 13 | -------------------------------------------------------------------------------- /roles/syslog-ng-client/files/iptables.logrotate: -------------------------------------------------------------------------------- 1 | /var/log/iptables.log { 2 | rotate 4 3 | weekly 4 | missingok 5 | notifempty 6 | postrotate 7 | /usr/bin/killall -HUP syslog-ng 8 | endscript 9 | } -------------------------------------------------------------------------------- /roles/syslog-ng-client/files/modules.conf: -------------------------------------------------------------------------------- 1 | ############################################################################# 2 | # 3 | # Default modules.conf file for syslog-ng which lists all modules loaded on 4 | # startup by default. This file is included by scl, but can be used by 5 | # including the file directly and avoiding scl.conf entirely. 6 | # 7 | # SCL plugins will not emit @module lines for modules listed here (but may 8 | # do so for other non-listed stuff). 9 | # 10 | 11 | # syslog-ng loads all compile-time configured modules by default, unless 12 | # autoload-compiled-modules is set to 0. 
13 | # 14 | # The next line in this file sets this value to 0, and only loads a selected 15 | # set of modules as assumed by SCL. So if you don't really want control 16 | # over the modules loaded, simply don't include this file. 17 | 18 | @define autoload-compiled-modules 0 19 | @module syslogformat 20 | @module basicfuncs 21 | @module afsocket 22 | @module affile 23 | @module afprog 24 | @module afuser 25 | @module dbparser 26 | @module csvparser 27 | 28 | ### afstreams is auto-loaded by the system() source if needed 29 | #@module afstreams 30 | 31 | ### afsql is not loaded by default 32 | #@module afsql 33 | -------------------------------------------------------------------------------- /roles/syslog-ng-client/files/syslog.logrotate: -------------------------------------------------------------------------------- 1 | /var/log/cron 2 | /var/log/maillog 3 | /var/log/messages 4 | /var/log/secure 5 | /var/log/spooler 6 | /var/log/kern 7 | /var/log/lastlog 8 | { 9 | sharedscripts 10 | postrotate 11 | /usr/bin/killall -HUP syslog-ng 12 | endscript 13 | } -------------------------------------------------------------------------------- /roles/syslog-ng-client/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: restart syslog-ng 4 | service: name=syslog-ng state=restarted -------------------------------------------------------------------------------- /roles/syslog-ng-client/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Uninstall rsyslog 4 | yum: name="rsyslog" state=absent 5 | 6 | - name: Install new syslog-ng and re-install cron 7 | yum: name={{ item }} 8 | state=installed 9 | with_items: 10 | - syslog-ng 11 | - cronie 12 | - cronie-anacron 13 | - crontabs 14 | 15 | - name: Copy log modules configuration 16 | copy: src=modules.conf dest=/etc/syslog-ng/modules.conf owner=root group=root 17 | notify: 18 | - restart syslog-ng 
19 | 20 | - name: Create syslog-ng snippets directory 21 | file: path=/etc/syslog-ng/syslog-ng.d state=directory owner=root group=root 22 | 23 | - name: Copy iptables log configuration 24 | copy: src=iptables.conf dest=/etc/syslog-ng/syslog-ng.d/iptables.conf owner=root group=root 25 | notify: 26 | - restart syslog-ng 27 | 28 | - name: Set syslog-ng configuration 29 | template: src=syslog-ng.conf.j2 dest=/etc/syslog-ng/syslog-ng.conf owner=root group=root 30 | notify: 31 | - restart syslog-ng 32 | 33 | - name: Ensure syslog-ng is running 34 | service: name=syslog-ng state=started enabled=yes 35 | 36 | ########################### 37 | # Log rotation 38 | ########################### 39 | - name: Copy logrotate configuration 40 | template: src=logrotate.conf.j2 dest=/etc/logrotate.conf 41 | 42 | - name: Install syslog logrotate configuration 43 | copy: src=syslog.logrotate dest=/etc/logrotate.d/syslog owner=root group=root mode=0644 44 | 45 | - name: Install iptables logrotate configuration 46 | copy: src=iptables.logrotate dest=/etc/logrotate.d/iptables owner=root group=root mode=0644 47 | -------------------------------------------------------------------------------- /roles/syslog-ng-client/templates/logrotate.conf.j2: -------------------------------------------------------------------------------- 1 | # see "man logrotate" for details 2 | # rotate log files weekly 3 | weekly 4 | 5 | # keep 4 weeks worth of backlogs 6 | rotate 4 7 | 8 | # create new (empty) log files after rotating old ones 9 | create 10 | 11 | # use date as a suffix of the rotated file 12 | dateext 13 | 14 | # uncomment this if you want your log files compressed 15 | #compress 16 | 17 | # RPM packages drop log rotation information into this directory 18 | include /etc/logrotate.d 19 | 20 | # no packages own wtmp and btmp -- we'll rotate them here 21 | /var/log/wtmp { 22 | monthly 23 | create 0664 root utmp 24 | minsize 1M 25 | rotate 1 26 | } 27 | 28 | /var/log/btmp { 29 | missingok 30 | monthly 
31 | create 0600 root utmp 32 | rotate 1 33 | } 34 | 35 | # system-specific logs may also be configured here. 36 | -------------------------------------------------------------------------------- /roles/syslog-ng-client/templates/syslog-ng.conf.j2: -------------------------------------------------------------------------------- 1 | # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et: 2 | 3 | @version:3.2 4 | include "/etc/syslog-ng/syslog-ng.d"; 5 | 6 | # syslog-ng configuration file. 7 | # 8 | # This should behave pretty much like the original syslog on RedHat. But 9 | # it could be configured a lot smarter. 10 | # 11 | # See syslog-ng(8) and syslog-ng.conf(5) for more information. 12 | # 13 | 14 | options { 15 | flush_lines (0); 16 | time_reopen (10); 17 | log_fifo_size (1000); 18 | long_hostnames (off); 19 | use_dns (yes); 20 | use_fqdn (no); 21 | create_dirs (yes); 22 | keep_hostname (yes); 23 | stats_freq(0); 24 | ts_format(iso); 25 | }; 26 | 27 | source s_sys { 28 | file ("/proc/kmsg" program_override("kernel: ")); 29 | unix-stream ("/dev/log"); 30 | internal(); 31 | # udp(ip(0.0.0.0) port(514)); 32 | }; 33 | 34 | 35 | destination d_log_server { 36 | tcp("{{ log_server_ip }}" port({{ syslog_tcp_port }}) flags(syslog-protocol) ); 37 | }; 38 | 39 | 40 | destination d_cons { file("/dev/console"); }; 41 | destination d_mesg { file("/var/log/messages"); }; 42 | destination d_auth { file("/var/log/secure"); }; 43 | destination d_mail { file("/var/log/maillog" flush_lines(10)); }; 44 | destination d_spol { file("/var/log/spooler"); }; 45 | destination d_boot { file("/var/log/boot.log"); }; 46 | destination d_cron { file("/var/log/cron"); }; 47 | destination d_kern { file("/var/log/kern"); }; 48 | destination d_mlal { usertty("*"); }; 49 | 50 | filter f_kernel { facility(kern); }; 51 | filter f_default { level(info..emerg) and 52 | not (facility(mail) 53 | or facility(authpriv) 54 | or facility(cron)); }; 55 | filter f_auth { facility(authpriv); }; 56 | filter f_mail { 
facility(mail); }; 57 | filter f_emergency { level(emerg); }; 58 | filter f_news { facility(uucp) or 59 | (facility(news) 60 | and level(crit..emerg)); }; 61 | filter f_boot { facility(local7); }; 62 | filter f_cron { facility(cron); }; 63 | 64 | #log { source(s_sys); filter(f_kernel); destination(d_cons); }; 65 | log { source(s_sys); filter(f_kernel); destination(d_kern); }; 66 | log { source(s_sys); filter(f_default); destination(d_mesg); }; 67 | log { source(s_sys); filter(f_auth); destination(d_auth); }; 68 | log { source(s_sys); filter(f_mail); destination(d_mail); }; 69 | log { source(s_sys); filter(f_emergency); destination(d_mlal); }; 70 | log { source(s_sys); filter(f_news); destination(d_spol); }; 71 | log { source(s_sys); filter(f_boot); destination(d_boot); }; 72 | log { source(s_sys); filter(f_cron); destination(d_cron); }; 73 | 74 | # Send all to the log server (plain TCP; the d_log_server destination above configures no TLS) 75 | log { source(s_sys); destination(d_log_server); }; -------------------------------------------------------------------------------- /roles/syslog-ng-relay/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: restart syslog-ng 4 | service: name=syslog-ng state=restarted -------------------------------------------------------------------------------- /roles/syslog-ng-relay/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Create client logs directory 4 | file: path={{ remote_log_path }} state=directory owner=root group=root 5 | 6 | - name: Copy server log configuration 7 | template: src=relay.conf.j2 dest=/etc/syslog-ng/syslog-ng.d/relay.conf owner=root group=root 8 | notify: 9 | - restart syslog-ng 10 | 11 | - name: Set iptables configuration 12 | template: src=107_log_server.j2 dest=/etc/ferm/ferm.d/107_log_server owner=root group=root 13 | 14 | - name: Copy logrotate configuration 15 | template: src=syslog_server.rotate.j2 
dest=/etc/logrotate.d/syslog_server -------------------------------------------------------------------------------- /roles/syslog-ng-relay/templates/107_log_server.j2: -------------------------------------------------------------------------------- 1 | table filter chain INPUT { 2 | # syslog 3 | protocol udp dport {{ syslog_udp_port }} ACCEPT; 4 | protocol tcp dport {{ syslog_tcp_port }} ACCEPT; 5 | } -------------------------------------------------------------------------------- /roles/syslog-ng-relay/templates/relay.conf.j2: -------------------------------------------------------------------------------- 1 | destination d_remote_file { file("{{ remote_log_path }}/$HOST.log"); }; 2 | 3 | source s_syslog_listener { 4 | tcp(port({{ syslog_tcp_port }}) flags(syslog-protocol) ); 5 | udp(port( {{ syslog_udp_port }} ) so_rcvbuf(2097152) flags(syslog-protocol) ); 6 | }; 7 | 8 | log { 9 | source(s_syslog_listener); 10 | destination(d_remote_file); 11 | }; 12 | 13 | log { 14 | source(s_syslog_listener); 15 | destination(d_log_server); 16 | }; 17 | -------------------------------------------------------------------------------- /roles/syslog-ng-relay/templates/syslog_server.rotate.j2: -------------------------------------------------------------------------------- 1 | {{ remote_log_path }}/*.log { 2 | missingok 3 | daily 4 | create 5 | rotate 7 6 | postrotate 7 | /usr/bin/killall -HUP syslog-ng 8 | endscript 9 | } 10 | 11 | -------------------------------------------------------------------------------- /roles/syslog-ng-server/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: restart syslog-ng 4 | service: name=syslog-ng state=restarted -------------------------------------------------------------------------------- /roles/syslog-ng-server/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Create client logs directory 4 | file: 
path={{ remote_log_path }} state=directory owner=root group=root 5 | 6 | - name: Create client logs archive directory 7 | file: path={{ remote_log_path }}/archive state=directory owner=root group=root 8 | 9 | - name: Copy server log configuration 10 | template: src=server.conf.j2 dest=/etc/syslog-ng/syslog-ng.d/server.conf owner=root group=root 11 | notify: 12 | - restart syslog-ng 13 | 14 | - name: Set iptables configuration 15 | template: src=107_log_server.j2 dest=/etc/ferm/ferm.d/107_log_server owner=root group=root 16 | 17 | - name: Copy logrotate configuration 18 | template: src=syslog_server.rotate.j2 dest=/etc/logrotate.d/syslog_server -------------------------------------------------------------------------------- /roles/syslog-ng-server/templates/107_log_server.j2: -------------------------------------------------------------------------------- 1 | table filter chain INPUT { 2 | # syslog 3 | protocol udp dport {{ syslog_udp_port }} ACCEPT; 4 | protocol tcp dport {{ syslog_tcp_port }} ACCEPT; 5 | } -------------------------------------------------------------------------------- /roles/syslog-ng-server/templates/server.conf.j2: -------------------------------------------------------------------------------- 1 | destination d_remote_file { file("{{ remote_log_path }}/$HOST.log"); }; 2 | destination d_ossec_alert_file { file("{{ remote_log_path }}/ossec_alerts.log"); }; 3 | 4 | filter alert_filter { 5 | host("{{ ossec_server_hostname }}") and program("ossec"); 6 | }; 7 | 8 | source s_syslog_listener { 9 | tcp(port({{ syslog_tcp_port }}) flags(syslog-protocol) ); 10 | udp(port( {{ syslog_udp_port }} ) so_rcvbuf(2097152) flags(syslog-protocol) ); 11 | }; 12 | 13 | log { 14 | source(s_syslog_listener); 15 | filter(alert_filter); 16 | destination(d_ossec_alert_file); 17 | flags(final); 18 | }; 19 | 20 | log { 21 | source(s_syslog_listener); 22 | destination(d_remote_file); 23 | }; 24 | 
-------------------------------------------------------------------------------- /roles/syslog-ng-server/templates/syslog_server.rotate.j2: -------------------------------------------------------------------------------- 1 | {{ remote_log_path }}/*.log { 2 | missingok 3 | daily 4 | dateext 5 | compress 6 | create 7 | rotate 90 8 | olddir archive 9 | postrotate 10 | /usr/bin/killall -HUP syslog-ng 11 | endscript 12 | } 13 | -------------------------------------------------------------------------------- /roles/vm/tasks/copy_vm.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Copy VM as full Copy 4 | command: xe vm-copy vm={{ vm_model_uuid }} new-name-label={{ hostname }} sr-uuid={{ primary_sr_uuid }} 5 | register: vm 6 | delegate_to: "{{ pool_master }}" 7 | 8 | - name: Find VIF of new copy 9 | command: xe vm-vif-list vm={{ vm.stdout }} params=uuid --minimal 10 | register: vif 11 | delegate_to: "{{ pool_master }}" 12 | 13 | - name: Delete model network settings from new copy. 
14 | command: xe vif-destroy uuid={{ vif.stdout }} 15 | delegate_to: "{{ pool_master }}" 16 | 17 | - name: Adding networks 18 | command: xe vif-create vm-uuid={{ vm.stdout }} network-uuid={{ item.network_uuid }} mac={{ item.mac_address }} device={{ item.device_id }} 19 | delegate_to: "{{ pool_master }}" 20 | with_items: networks 21 | 22 | - name: Set the VM RAM limits 23 | command: xe vm-memory-limits-set vm={{ vm.stdout }} static-min={{ ram }} static-max={{ ram }} dynamic-min={{ ram }} dynamic-max={{ ram }} 24 | delegate_to: "{{ pool_master }}" 25 | 26 | - name: Set the number of CPUs 27 | command: xe vm-param-set VCPUs-max={{ vcpus }} uuid={{ vm.stdout }} 28 | delegate_to: "{{ pool_master }}" 29 | 30 | - name: Launch the VM 31 | command: xe vm-start uuid={{ vm.stdout }} 32 | delegate_to: "{{ pool_master }}" 33 | -------------------------------------------------------------------------------- /roles/vm/tasks/create_vm.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Prevent template from creating storage 4 | command: xe template-param-remove uuid={{ centos_template_uuid }} param-name=other-config param-key=disks 5 | ignore_errors: yes 6 | delegate_to: "{{ pool_master }}" 7 | 8 | - name: Create VM 9 | command: xe vm-install template={{ centos_template_uuid }} new-name-label="{{ hostname }}" sr-uuid={{ storage_device }} 10 | register: vm 11 | delegate_to: "{{ pool_master }}" 12 | 13 | - name: Set the repository location 14 | command: xe vm-param-set uuid={{ vm.stdout }} other-config:install-repository="{{ default_repository_url }}" 15 | delegate_to: "{{ pool_master }}" 16 | 17 | - name: Set the location of the kickstart file 18 | command: xe vm-param-set uuid={{ vm.stdout }} PV-args="ks={{ kickstart_url }}/{{ hostname }}.cfg ksdevice=eth0" 19 | delegate_to: "{{ pool_master }}" 20 | 21 | - name: Set the VM to autostart on boot 22 | command: xe vm-param-set uuid={{ vm.stdout }} other-config:auto_poweron=true 
23 | delegate_to: "{{ pool_master }}" 24 | 25 | - name: Adding networks 26 | command: xe vif-create vm-uuid={{ vm.stdout }} network-uuid={{ item.network_uuid }} mac=random device={{ item.device_id }} 27 | delegate_to: "{{ pool_master }}" 28 | with_items: networks 29 | 30 | - name: Allocate VM storage 31 | command: xe vdi-create name-label="{{ hostname }} storage" sr-uuid={{ storage_device }} type=system virtual-size={{ storage }} 32 | register: disk 33 | delegate_to: "{{ pool_master }}" 34 | 35 | - name: Assign storage to VM 36 | command: xe vbd-create vdi-uuid={{ disk.stdout }} vm-uuid={{ vm.stdout }} type=Disk bootable=true device=0 37 | delegate_to: "{{ pool_master }}" 38 | 39 | - name: Allocate extra VM storage 40 | command: xe vdi-create name-label="{{ hostname }} extra storage" sr-uuid={{ primary_sr_uuid }} type=user virtual-size={{ extra_vm_storage }} sm-config:type=raw 41 | register: extra_disk 42 | when: has_extra_storage 43 | delegate_to: "{{ pool_master }}" 44 | 45 | - name: Assign extra storage to VM 46 | command: xe vbd-create vdi-uuid={{ extra_disk.stdout }} vm-uuid={{ vm.stdout }} type=Disk mode=RW device=1 47 | when: has_extra_storage 48 | delegate_to: "{{ pool_master }}" 49 | 50 | - name: Set the VM RAM limits 51 | command: xe vm-memory-limits-set vm={{ vm.stdout }} static-min={{ ram }} static-max={{ ram }} dynamic-min={{ ram }} dynamic-max={{ ram }} 52 | delegate_to: "{{ pool_master }}" 53 | 54 | - name: Set the number of CPUs 55 | command: xe vm-param-set VCPUs-max={{ vcpus }} uuid={{ vm.stdout }} 56 | delegate_to: "{{ pool_master }}" 57 | 58 | - name: Launch the VM 59 | command: xe vm-start uuid={{ vm.stdout }} 60 | delegate_to: "{{ pool_master }}" 61 | -------------------------------------------------------------------------------- /roles/vm/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Check if VM exists 4 | command: xe vm-list name-label="{{ hostname }}" 5 | register: 
vm_found 6 | delegate_to: "{{ pool_master }}" 7 | 8 | - include: create_vm.yml 9 | when: vm_found.stdout == "" 10 | 11 | - name: Wait for the Kickstart install to complete and the VM to reboot 12 | local_action: wait_for host={{ hostname }}.{{ domain }} port={{ ssh_port }} delay=5 timeout=1200 state=started 13 | 14 | -------------------------------------------------------------------------------- /site.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: vms 4 | user: administrator 5 | sudo: yes 6 | gather_facts: False 7 | roles: 8 | - vm 9 | - base 10 | - network 11 | - auditd 12 | - ssh 13 | - iptables 14 | - clamav 15 | - syslog-ng-client 16 | 17 | - hosts: example.sharknet.us 18 | user: administrator 19 | sudo: yes 20 | gather_facts: False 21 | roles: 22 | - ntp-client 23 | - email-client 24 | - ossec-client 25 | - syslog-ng-server 26 | - end 27 | 28 | - hosts: ossec-server.sharknet.us 29 | user: administrator 30 | sudo: yes 31 | gather_facts: False 32 | roles: 33 | - ntp-client 34 | - email-client 35 | - ossec-server 36 | - syslog-ng-relay 37 | - end 38 | --------------------------------------------------------------------------------