├── test ├── config │ ├── inventory │ ├── testkitchen.yml │ └── test.yml └── integration │ ├── custom │ └── serverspec │ │ └── default_spec.rb │ └── default │ └── serverspec │ └── default_spec.rb ├── .gitignore ├── handlers └── main.yml ├── tasks ├── pkg_url.yml ├── disable_auditd.yml ├── main.yml ├── python3_apt.yml ├── yum_install.yml ├── tsagent_setup.yml └── apt_install.yml ├── AUTHORS.md ├── Gemfile ├── CONTRIBUTING.md ├── templates └── threatstack.j2 ├── defaults └── main.yml ├── meta └── main.yml ├── LICENSE ├── README.md └── .kitchen.yml /test/config/inventory: -------------------------------------------------------------------------------- 1 | localhost 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .kitchen/ 3 | ansible.cfg 4 | hosts 5 | *.retry 6 | Gemfile.lock 7 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | - name: restart tsagent 2 | service: name=threatstack state=restarted 3 | -------------------------------------------------------------------------------- /test/config/testkitchen.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | remote_user: root 4 | roles: 5 | - threatstack-ansible 6 | -------------------------------------------------------------------------------- /tasks/pkg_url.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Define package URL variable 3 | set_fact: 4 | threatstack_pkg_url: "{{ threatstack_v2_pkg_url }}" 5 | -------------------------------------------------------------------------------- /AUTHORS.md: -------------------------------------------------------------------------------- 1 | * Jameel Al-Aziz 2 | * John 
Baublitz 3 | * Apollo Catlin 4 | * Pete Cheslock 5 | * Michael Chmielewski 6 | * Pan Chhum 7 | * Eric Lam 8 | * Greg Malkov 9 | * Tom McLaughlin 10 | * Jonathan Nappi 11 | * Ben Patterson 12 | * John Shoenberger 13 | * Nicket Uttarwar 14 | * Aleksey Vazhnov -------------------------------------------------------------------------------- /test/config/test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | remote_user: root 4 | vars: 5 | timestamp: "{{ lookup('pipe', 'date +%Y%m%d') }}" 6 | threatstack_deploy_key: "{{ lookup('env','API_KEY') }}" 7 | threatstack_ruleset: 8 | - 'Travis Rule Set' 9 | threatstack_hostname: 'TravisCI_{{timestamp}}' 10 | test_output: false 11 | roles: 12 | - threatstack-ansible 13 | -------------------------------------------------------------------------------- /test/integration/custom/serverspec/default_spec.rb: -------------------------------------------------------------------------------- 1 | require 'serverspec' 2 | 3 | set :backend, :exec 4 | 5 | describe package('threatstack-agent') do 6 | it { should be_installed } 7 | end 8 | 9 | describe service('threatstack') do 10 | it { should be_running } 11 | it { should be_enabled } 12 | end 13 | 14 | describe command('tsagent config --list') do 15 | its(:stdout) { should match /log.maxSize=22/ } # rubocop: disable Lint/AmbiguousRegexpLiteral 16 | end 17 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source ENV['GEM_SOURCE'] || 'https://rubygems.org' 2 | 3 | group :development, :unit_tests do 4 | gem 'rake', "13.0.1", :require => false 5 | gem 'rubocop', '= 0.61.1' 6 | end 7 | 8 | group :system_tests do 9 | gem 'serverspec', :require => false 10 | gem 'test-kitchen', :require => false 11 | gem 'kitchen-docker', :require => false 12 | gem 'kitchen-ansible', :require => false 13 | gem 
'kitchen-inspec', :require => false
end

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
Contributing to Threat Stack Agent Ansible Role
=============================

We encourage anyone to provide enhancements/fixes to this repository. Simply fork, commit, and then open a PR back to the parent repository.

### What makes a good PR?

* Make sure you update the README.md with any new, removed or changed role variables and their accepted values.
* Write tests that cover your proposed changes.
* Make sure the tests documented in the [README](README.md) run as expected on all platforms.

--------------------------------------------------------------------------------
/templates/threatstack.j2:
--------------------------------------------------------------------------------
[threatstack]
name=Threat Stack Package Repository
{% if ansible_distribution == 'Amazon' %}
{% if ansible_distribution_version == '2' or ansible_kernel is search("\.amzn2\.") %}
baseurl={{threatstack_pkg_url}}/Amazon/2
{% else %}
baseurl={{threatstack_pkg_url}}/Amazon/1
{% endif %}
{% elif ansible_distribution == 'CentOS' %}
baseurl={{threatstack_pkg_url}}/EL/{{ansible_distribution_major_version}}
{% else %}
baseurl={{threatstack_pkg_url}}/EL/7
{% endif %}
enabled=1
gpgcheck=1

--------------------------------------------------------------------------------
/tasks/disable_auditd.yml:
--------------------------------------------------------------------------------
---
- name: Check auditd status
  command: service auditd status
  register: auditd_status
  ignore_errors: true
  changed_when: false
  args:
    warn: no

- name: Stop service auditd
  command: service auditd stop
  when: auditd_status.rc == 0
  ignore_errors: "{{
ansible_check_mode }}" 14 | args: 15 | warn: no 16 | 17 | - name: Disable service auditd 18 | command: systemctl disable auditd 19 | when: auditd_status.rc == 0 20 | ignore_errors: "{{ ansible_check_mode }}" 21 | args: 22 | warn: no 23 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for threatstack 3 | threatstack_url: https://app.threatstack.com 4 | threatstack_v2_pkg_url: 'https://pkg.threatstack.com/v2' 5 | threatstack_pkg_state: present 6 | threatstack_pkg_validate: yes 7 | # to set a version of the agent use threatstack-agent=X.Y.Z (Debian) or threatstack-agent-X.Y.Z (RedHat) 8 | threatstack_pkg: threatstack-agent 9 | threatstack_pkg_allow_downgrades: no 10 | threatstack_ruleset: 11 | - 'Base Rule Set' 12 | threatstack_hostname: 13 | threatstack_configure_agent: true 14 | threatstack_agent_extra_args: 15 | threatstack_agent_config_args: 16 | threatstack_agent_disable_service: false 17 | threatstack_test_mode: false -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Ensure package URL is defined 3 | include: pkg_url.yml 4 | when: threatstack_pkg_url is undefined 5 | 6 | - name: Disable auditd service 7 | include: disable_auditd.yml 8 | when: 9 | - ansible_os_family == 'RedHat' 10 | - (ansible_distribution != 'Amazon' or ansible_kernel is search("\.amzn2\.")) 11 | 12 | - name: Run apt configure and install ThreatStack 13 | include: apt_install.yml 14 | when: ansible_os_family == 'Debian' 15 | 16 | - name: Run yum configure and install ThreatStack 17 | include: yum_install.yml 18 | when: ansible_os_family == 'RedHat' 19 | 20 | - name: agent setup 21 | include: tsagent_setup.yml 22 | when: 23 | - threatstack_configure_agent == true 24 | 
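--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
# Ansible Galaxy metadata for the Threat Stack agent role.
galaxy_info:
  author: Michael Chmielewski
  description: Ansible role to install the threatstack agent
  company: Threat Stack
  # The LICENSE file shipped with this role (and the headers in tasks/*.yml)
  # are MIT, so the metadata says MIT rather than "Apache".
  license: MIT
  # tasks/apt_install.yml uses `include_tasks` (Ansible 2.4+) and the
  # `version` test (Ansible 2.5+); older control nodes cannot run this role,
  # so 1.6 was never an honest minimum.
  min_ansible_version: 2.5
  platforms:
    - name: EL
      versions:
        - all
        - 7
        - 8
    - name: Debian
      versions:
        - all
        - 8
        - 9
        - 10
        - 11
    - name: Amazon
      versions:
        - all
        - 2017.09
        - 2018.03
        - 2
    - name: Ubuntu
      versions:
        - all
        - xenial
        - bionic
        - focal
        - jammy
  categories:
    - cloud
    - cloud:ec2
    - monitoring
    - system
dependencies: []

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2015 Threat Stack

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.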
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /test/integration/default/serverspec/default_spec.rb: -------------------------------------------------------------------------------- 1 | require 'serverspec' 2 | 3 | set :backend, :exec 4 | 5 | describe package('threatstack-agent') do 6 | it { should be_installed } 7 | end 8 | 9 | describe service('threatstack') do 10 | it { should be_running } 11 | it { should be_enabled } 12 | end 13 | 14 | describe command('tsagent status') do 15 | # Sometimes due to other services, like auditd, the install would be successful, but then this service would get killed 16 | its(:stdout) { should match /UP Threat Stack Agent Daemon/ } # rubocop: disable Lint/AmbiguousRegexpLiteral 17 | its(:stdout) { should match /UP Threat Stack Backend Connection/ } # rubocop: disable Lint/AmbiguousRegexpLiteral 18 | its(:stdout) { should match /UP Threat Stack Heartbeat Service/ } # rubocop: disable Lint/AmbiguousRegexpLiteral 19 | its(:stdout) { should match /UP Threat Stack Login Collector/ } # rubocop: disable Lint/AmbiguousRegexpLiteral 20 | its(:stdout) { should match /UP Threat Stack Log Scan Service/ } # rubocop: disable Lint/AmbiguousRegexpLiteral 21 | its(:stdout) { should match /UP Threat Stack Vulnerability Scanner/ } # rubocop: disable Lint/AmbiguousRegexpLiteral 22 | its(:stdout) { should match /UP Threat Stack File Integrity Monitor/ } # rubocop: disable Lint/AmbiguousRegexpLiteral 23 | end 24 | -------------------------------------------------------------------------------- /tasks/python3_apt.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # MIT License 3 | # 4 | # 
Copyright (c) 2015-2022 F5, Inc. 5 | # 6 | # Permission is hereby granted, free of charge, to any person obtaining a copy 7 | # of this software and associated documentation files (the "Software"), to deal 8 | # in the Software without restriction, including without limitation the rights 9 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | # copies of the Software, and to permit persons to whom the Software is 11 | # furnished to do so, subject to the following conditions: 12 | # 13 | # The above copyright notice and this permission notice shall be included in all 14 | # copies or substantial portions of the Software. 15 | # 16 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 | # SOFTWARE. 
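- name: apt -- Install dependencies for distributions with python3 as the default
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - python3-apt
      - apt-transport-https

--------------------------------------------------------------------------------
/tasks/yum_install.yml:
--------------------------------------------------------------------------------
---
- name: yum -- Ensure agent repo is installed
  template:
    src: threatstack.j2
    dest: /etc/yum.repos.d/threatstack.repo
    owner: root
    group: root
    mode: 0644

- name: yum -- Add agent repo GPG key
  # threatstack_pkg_validate only controls TLS certificate validation for this
  # key download; package signatures are still checked (the repo file sets
  # gpgcheck=1). With validation off an on-path attacker could substitute the
  # signing key, so leave it on unless the key is mirrored behind a private CA.
  rpm_key:
    key: "{{ threatstack_url }}/RPM-GPG-KEY-THREATSTACK"
    state: present
    validate_certs: "{{ threatstack_pkg_validate | bool }}"

- name: yum -- Ensure latest agent is installed when no version specified
  # Only widen the package name to the 3.x glob when no explicit version was
  # requested. Without the second condition the versioned task below would
  # build "threatstack-agent-3*-X.Y.Z", which is unlikely to match anything.
  set_fact:
    threatstack_pkg: threatstack-agent-3*
  when:
    - threatstack_pkg == 'threatstack-agent'
    - threatstack_pkg_version is not defined

- name: yum -- Ensure agent is installed
  yum:
    name: "{{ threatstack_pkg }}"
    state: "{{ threatstack_pkg_state }}"
    update_cache: yes
  when: threatstack_pkg_version is not defined

- name: yum -- Ensure agent specified version is installed
  yum:
    name: "{{ threatstack_pkg }}-{{threatstack_pkg_version}}"
    state: "{{ threatstack_pkg_state }}"
    update_cache: yes
    allow_downgrade: "{{ threatstack_pkg_allow_downgrades | bool }}"
  when: threatstack_pkg_version is defined

- name: yum -- Stop and disable agent if not to be configured
  become: yes
  service:
    name: threatstack
    state: stopped
    enabled: no
  when:
    - threatstack_agent_disable_service | bool

--------------------------------------------------------------------------------
/tasks/tsagent_setup.yml:
--------------------------------------------------------------------------------
---

# Agent registration and configuration.
#
# `tsagent setup` and `tsagent config` are only re-run when the command line
# that would be executed has changed since the last run: a checksum of each
# command string is written under /opt/threatstack/etc and the `copy` tasks
# below report "changed" when it differs from what is on disk.

- name: Get setup string
  # The deploy key is a credential. This fact, and the task that executes it,
  # are marked no_log so the key does not appear in Ansible output, callback
  # plugins or log files (notably with -v, or when a task fails).
  # NOTE: the exact text of this string feeds the checksum below; changing its
  # format re-registers every host on the next run.
  set_fact:
    setup_string: tsagent setup --url {{ threatstack_url }} --deploy-key {{ threatstack_deploy_key }} --ruleset "{{ threatstack_ruleset | join(",") }}" --hostname "{{ threatstack_hostname | default('') }}" {{ threatstack_agent_extra_args }}
  no_log: true

- name: Get checksum of setup string
  set_fact:
    setup_checksum: "{{ setup_string | checksum }}"

- name: Get agent registration status
  command: tsagent info
  check_mode: no # Cannot skip this step in check mode.
  register: tsagent_info_cmd
  changed_when: False # Info only so shouldn't be captured as a change.

- name: Create file to track checksum of setup string
  # The stored value is a digest of the setup command line, which includes the
  # deploy key. It is not the key itself, but treat the file as sensitive.
  copy:
    content: "{{ setup_checksum }}"
    dest: /opt/threatstack/etc/.setup_checksum
    owner: root
    group: root
    mode: 0644
  register: setup_file

- name: Get config string
  set_fact:
    config_string: tsagent config {{ threatstack_agent_config_args }}

- name: Get checksum of config string
  set_fact:
    config_checksum: "{{ config_string | checksum }}"

- name: Create file to track checksum of config string
  copy:
    content: "{{ config_checksum }}"
    dest: /opt/threatstack/etc/.config_checksum
    owner: root
    group: root
    mode: 0644
  register: config_file
  when: threatstack_agent_config_args != None

- name: Ensure ThreatStack is stopped
  service:
    name: threatstack
    state: stopped
  when: setup_file.changed or config_file.changed

- name: Agent setup
  # The command line carries the deploy key, so all output (including the
  # failure report) is suppressed. If registration keeps failing, temporarily
  # set no_log to false to see the agent's error message.
  command: "{{ setup_string }}"
  register: setup_result
  changed_when: False
  until: setup_result is succeeded
  retries: 3
  delay: 10
  no_log: true
  # Run setup when the setup configuration has changed, or when the agent has
  # not completed registration (e.g. a prior, failed ansible run).
  when: (setup_file.changed) or (tsagent_info_cmd.stdout.find('You must register your agent') != -1)

- name: Wait 5 seconds
  # Give the agent a moment after registration before configuring it; there is
  # nothing to wait for when neither setup nor config is going to run.
  pause:
    seconds: 5
  when: setup_result is not skipped or config_file.changed

- name: Agent config
  command: "{{ config_string }}"
  when: config_file.changed

- name: Restart tsagent
  service: name=threatstack state=restarted
  when: (setup_file.changed or config_file.changed) and not threatstack_agent_disable_service | bool

- name: Wait 5 seconds
  pause:
    seconds: 5
  when: setup_file.changed or config_file.changed

- name: Get agent state
  command: tsagent status
  register: tsagent_status
  retries: 5
  delay: 2
  until: tsagent_status is succeeded
  changed_when: False
  when: (setup_file.changed or config_file.changed) and not threatstack_test_mode
  tags:
    - checkstate

- name: Ensure agent is running and started on boot
  service:
    name: threatstack
    state: started
    enabled: yes
  when: not threatstack_agent_disable_service | bool

--------------------------------------------------------------------------------
/tasks/apt_install.yml:
--------------------------------------------------------------------------------
---
# MIT License
#
# Copyright (c) 2015-2022 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.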
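#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
- name: apt -- Ensure agent dependencies are installed distributions with python2 as the default
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - python-apt
      - apt-transport-https
  when:
    - (ansible_distribution != 'Ubuntu' or ansible_distribution_version is version('22.04', '<'))
    - (ansible_distribution != 'Debian' or ansible_distribution_version is version('11', '<'))

# For Ubuntu 22.04+ and Debian 11+, python 3 is default, so need different packages
- name: apt -- Ensure Ubuntu 22.04+ compatible dependencies are installed
  include_tasks: python3_apt.yml
  when:
    - ansible_distribution == 'Ubuntu'
    - ansible_distribution_version is version('22.04', '>=')

- name: apt -- Ensure Debian 11+ compatible dependencies are installed
  include_tasks: python3_apt.yml
  when:
    - ansible_distribution == 'Debian'
    - ansible_distribution_version is version('11', '>=')

- name: apt -- Add agent repository key
  # `id` is a short (32-bit) key ID: the module only checks that a key with
  # this ID is in the keyring after the download, and short IDs can collide,
  # so this is not a strong pin. Verify the full fingerprint out of band if you
  # mirror the key.
  # threatstack_pkg_validate only controls TLS validation of this download;
  # apt still verifies package signatures. Leave it on unless the key is
  # served from a mirror with a private CA, since with it off an on-path
  # attacker can substitute the signing key.
  apt_key:
    url: "{{ threatstack_url }}/APT-GPG-KEY-THREATSTACK"
    id: 6EE04BD4
    validate_certs: "{{ threatstack_pkg_validate | bool }}"

- name: apt -- Add agent repository
  apt_repository:
    repo: "deb {{ threatstack_pkg_url }}/Ubuntu {{ ansible_distribution_release }} main"
    state: present
    update_cache: yes

- name: apt -- Ensure latest agent is installed when no version specified
  # Only widen the package spec to the 3.x glob when no explicit version was
  # requested. Without the second condition the versioned task below would
  # build "threatstack-agent=3*=X.Y.Z", which is not a valid package spec.
  set_fact:
    threatstack_pkg: threatstack-agent=3*
  when:
    - threatstack_pkg == 'threatstack-agent'
    - threatstack_pkg_version is not defined

- name: apt -- Ensure agent is installed
  apt:
    name: "{{ threatstack_pkg }}"
    state: "{{ threatstack_pkg_state }}"
    dpkg_options: "force-confold,force-confdef{{ ',force-downgrade' if threatstack_pkg_allow_downgrades else '' }}"
  when: threatstack_pkg_version is not defined

- name: apt -- Ensure agent specified version is installed
  # NOTE(review): unlike the task above this one does not honour
  # threatstack_pkg_allow_downgrades, so pinning to a version older than the
  # installed one may fail -- confirm whether that is intended.
  apt:
    name: "{{ threatstack_pkg }}={{threatstack_pkg_version}}"
    state: "{{ threatstack_pkg_state }}"
  when: threatstack_pkg_version is defined

- name: apt -- Stop and disable agent if not to be configured
  become: yes
  service:
    name: threatstack
    state: stopped
    enabled: no
  when:
    - threatstack_agent_disable_service | bool

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Threat Stack Ansible Role
=========

>>>
**Threat Stack agent 1.x support is now removed**

This version of the ansible role only supports Threat Stack agent 2.x or higher. For support of 1.x agent versions, please use the 4.x versions of the role.
>>>

[![Build Status](https://travis-ci.org/threatstack/threatstack-ansible.svg?branch=master)][travis]

[travis]: https://travis-ci.org/threatstack/threatstack-ansible

Ansible Role to deploy the Threat Stack server agent.

[Threatstack @ Ansible Galaxy](https://galaxy.ansible.com/threatstack/threatstack-ansible/)

Platforms
---------

* Amazon Linux
* CentOS
* RedHat
* Ubuntu
* Debian

**Note:** on RedHat-family hosts (other than Amazon Linux 1) the role stops and disables the system `auditd` service if it is running (see `tasks/disable_auditd.yml`). This happens on every run of the role, including when `threatstack_configure_agent` is `false`, so plan for the loss of the native audit trail on those hosts.

Role Variables
--------------
The following variables are available for override.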

| Variable | Type | Default | Required | Description |
|-----------------------------------|---------|-----------------------------|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------|
| threatstack_deploy_key | String | | Yes | Your TS deploy key. This is a credential: load it from Ansible Vault or a lookup rather than writing it into a playbook in plaintext, as the role passes it to `tsagent setup` on the command line. |
| threatstack_ruleset | Array | ["Base Rule Set"] | | Array of rulesets to apply to hosts. |
| threatstack_pkg_url | String | Depends on version | | Location of package repo. Only change if you mirror your own. Packages from a mirror are still verified against the Threat Stack signing key, which is fetched from `threatstack_url`. |
| threatstack_pkg | String | threatstack-agent | | Name of package. Specify package version using `"threatstack-agent=X.Y.Z"` (Debian/Ubuntu) or `"threatstack-agent-X.Y.Z"` (RedHat/CentOS/Amazon). |
| threatstack_pkg_version | String | | | If defined, pins specific threatstack package version |
| threatstack_pkg_state | String | present | | Passed as `state` to the `apt`/`yum` module when installing the agent package. |
| threatstack_pkg_allow_downgrades | Boolean | no | | Allow the package manager to install an older agent than the one present (`allow_downgrade` on yum when `threatstack_pkg_version` is set; dpkg `force-downgrade` on apt when it is not). |
| threatstack_pkg_validate | Boolean | yes | | Whether to validate the TLS certificate when the role downloads the repository signing key (`validate_certs` on `apt_key`/`rpm_key`). This does not affect package signature checking (`gpgcheck=1` for yum, apt's normal release verification), so repackaging does not require changing it. Only set it to `no` when the key is served from a mirror behind a private CA: with validation off an on-path attacker can substitute the signing key. |
| threatstack_url | String | https://app.threatstack.com | | The URL endpoint for Threat Stack. This should not change. |
| threatstack_hostname | String | | | The display hostname in the Threat Stack UI. Defaults to hostname. |
| threatstack_configure_agent | Boolean | true | | Set to false to not configure the host, just install the package. |
| threatstack_agent_extra_args | String | | | Pass optional arguments during agent registration. |
| threatstack_agent_config_args | String | | | Pass optional configuration arguments after agent registration. Must include `--set` before each argument in the setting. (Ex.
`--set log.level debug --set foo bar`) |
| threatstack_agent_disable_service | Boolean | false | | Make sure agent service is disabled and not running after installation |

Install
----------------
Using ansible galaxy, best for ad-hoc command situations:

    $ ansible-galaxy install threatstack.threatstack-ansible

To install into your playbook roles, use `-p ROLES_PATH` or `--path=ROLES_PATH`

    $ ansible-galaxy install threatstack.threatstack-ansible -p /your/project/root/roles

Check out: [Advanced Control over Role Requirements Files](http://docs.ansible.com/galaxy.html#advanced-control-over-role-requirements-files)


Examples
----------------
1) Install the Threat Stack agent with the default rule set, reporting the system hostname to Threat Stack. This is the most basic configuration. (`XXXXXXXXXXXXX` stands in for your deploy key; in a real playbook load it from Ansible Vault or a lookup rather than committing it in plaintext.)
```
- hosts: all
  roles:
    - { role: threatstack.threatstack-ansible, threatstack_deploy_key: XXXXXXXXXXXXX}
```

2) Install Threat Stack agent with custom security rules set and custom hostname:
```
- hosts: web-servers
  roles:
    - role: threatstack.threatstack-ansible
      threatstack_deploy_key: XXXXXXXXXXXXX
      threatstack_ruleset:
        - 'Base Rule Set'
        - 'Custom Rule Set'
      threatstack_hostname: dev_web01_us-east-1c
```

3) Install the Threat Stack agent but do not configure it. __NOTE: Useful for configuring a base image to be repeatedly deployed with the agent pre-installed. On RedHat-family hosts the role still stops and disables the system `auditd` service in this mode (see `tasks/disable_auditd.yml`), so account for that when building images.__
```
- hosts: aws-image
  roles:
    - role: threatstack.threatstack-ansible
      threatstack_configure_agent: false
```

4) Install a particular version of the Threat Stack agent. Use in situations where you perform controlled rollouts of all new package versions.
```
- hosts: hosts
  roles:
    - role: threatstack.threatstack-ansible
      threatstack_deploy_key: XXXXXXXXXXXXX
      threatstack_pkg: threatstack-agent=2.0.0.0ubuntu20.0
```

Dependencies
------------

None

License
-------

MIT — see the [LICENSE](./LICENSE) file shipped with this repository.

Author Information
------------------
See [AUTHORS](./AUTHORS.md)

Issues
------
Use github issues for bugs in this repo.

Contributing enhancements/fixes
-------------------------------
See the [CONTRIBUTING document](CONTRIBUTING.md) for details.

--------------------------------------------------------------------------------
/.kitchen.yml:
--------------------------------------------------------------------------------
---
driver:
  name: docker

provisioner:
  name: ansible_playbook
  require_ansible_repo: true
  enable_yum_epel: true
  playbook: test/config/testkitchen.yml
  hosts: localhost
  extra_vars:
    threatstack_test_mode: true
    threatstack_deploy_key: <%= ENV['TS_DEPLOY_KEY'] != nil ?
ENV['TS_DEPLOY_KEY'] : 'ts_deploy_key' %> 14 | <% if ENV['TS_PACKAGE_VERSION'] %> 15 | threatstack_pkg: <%= ENV['TS_PACKAGE_VERSION'] %> 16 | <% end %> 17 | <% if ENV['TS_NO_CONFIG_AGENT'] %> 18 | threatstack_configure_agent: false 19 | <% end %> 20 | threatstack_agent_config_args: <%= ENV['TS_CONFIG_ARGS'] %> 21 | <% if ENV['TS_RULE_SETS'] %> 22 | threatstack_ruleset: "<%= ENV['TS_RULE_SETS'] %>" 23 | <% end %> 24 | <% if ENV['TS_URL'] %> 25 | threatstack_url: "<%= ENV['TS_URL'] %>" 26 | <% end %> 27 | 28 | # Set this to work around issues with kitchen-ansible erroring out: https://github.com/neillturner/kitchen-ansible/issues/295 29 | # If you set the `max_ssh_sessions` too high, test-kitchen will crash 30 | transport: 31 | name: docker 32 | 33 | platforms: 34 | - name: amazon-1 35 | driver_config: 36 | image: amazonlinux:1 37 | docker_platform: linux/amd64 38 | platform: amazonlinux 39 | run_command: /sbin/init 40 | privileged: true 41 | run_options: 42 | env: container=docker 43 | volume: 44 | - /sys/fs/cgroup:/sys/fs/cgroup 45 | provision_command: 46 | - yum install -y audit initscripts 47 | - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf 48 | - chkconfig auditd on 49 | - name: amazon-2 50 | driver_config: 51 | image: amazonlinux:2 52 | docker_platform: linux/amd64 53 | platform: amazonlinux 54 | run_command: /sbin/init 55 | privileged: true 56 | run_options: 57 | env: container=docker 58 | volume: 59 | - /sys/fs/cgroup:/sys/fs/cgroup 60 | provision_command: 61 | - yum install -y audit initscripts 62 | - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf 63 | - systemctl enable auditd.service 64 | - name: centos-7 65 | driver_config: 66 | image: centos:7 67 | docker_platform: linux/amd64 68 | run_command: /sbin/init 69 | privileged: true 70 | run_options: 71 | env: container=docker 72 | volume: 73 | - /sys/fs/cgroup:/sys/fs/cgroup 74 | provision_command: 75 | - yum install -y audit initscripts 76 | - sed -i 
's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf 77 | - systemctl enable auditd.service 78 | - name: centos-8 79 | driver_config: 80 | image: quay.io/centos/centos:stream8 81 | docker_platform: linux/amd64 82 | run_command: /sbin/init 83 | privileged: true 84 | run_options: 85 | env: container=docker 86 | volume: 87 | - /sys/fs/cgroup:/sys/fs/cgroup 88 | provision_command: 89 | - yum install -y audit initscripts 90 | - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf 91 | - systemctl enable auditd.service 92 | - name: debian-8 93 | driver_config: 94 | image: debian:8 95 | docker_platform: linux/amd64 96 | run_command: /sbin/init 97 | cap_add: 98 | - SYS_ADMIN 99 | run_options: 100 | env: container=docker 101 | volume: 102 | - /sys/fs/cgroup:/sys/fs/cgroup 103 | provision_command: 104 | - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config 105 | - systemctl enable ssh.service 106 | - name: debian-9 107 | driver_config: 108 | image: debian:9 109 | run_command: /bin/systemd 110 | cap_add: 111 | - SYS_ADMIN 112 | run_options: 113 | env: container=docker 114 | volume: 115 | - /sys/fs/cgroup:/sys/fs/cgroup 116 | provision_command: 117 | - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config 118 | - systemctl enable ssh.service 119 | - name: debian-10 120 | driver_config: 121 | image: debian:10 122 | run_command: /sbin/init 123 | cap_add: 124 | - SYS_ADMIN 125 | run_options: 126 | env: container=docker 127 | volume: 128 | - /sys/fs/cgroup:/sys/fs/cgroup 129 | provision_command: 130 | - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config 131 | - systemctl enable ssh.service 132 | - name: debian-11 133 | driver_config: 134 | image: debian:11 135 | run_command: /sbin/init 136 | cap_add: 137 | - SYS_ADMIN 138 | run_options: 139 | env: container=docker 140 | volume: 141 | - /sys/fs/cgroup:/sys/fs/cgroup 142 | provision_command: 143 | - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config 144 | - systemctl enable ssh.service 
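- name: ubuntu-16.04
  driver_config:
    image: ubuntu:16.04
    docker_platform: linux/amd64
    run_command: /sbin/init
    cap_add:
      - SYS_ADMIN
    run_options:
      env: container=docker
      volume:
        - /sys/fs/cgroup:/sys/fs/cgroup
    # Test-container setup only: relaxes sshd so kitchen can log in to a
    # minimal image. Do not reuse these commands on real hosts.
    provision_command:
      - apt install -y wget
      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
      - systemctl enable ssh.service
- name: ubuntu-18.04
  driver_config:
    image: ubuntu:18.04
    docker_platform: linux/amd64
    run_command: /sbin/init
    cap_add:
      - SYS_ADMIN
    run_options:
      env: container=docker
      volume:
        - /sys/fs/cgroup:/sys/fs/cgroup
    provision_command:
      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
      - systemctl enable ssh.service
- name: ubuntu-20.04
  driver_config:
    image: ubuntu:20.04
    docker_platform: linux/amd64
    run_command: /sbin/init
    cap_add:
      - SYS_ADMIN
    run_options:
      env: container=docker
      volume:
        - /sys/fs/cgroup:/sys/fs/cgroup
    provision_command:
      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
      - systemctl enable ssh.service
- name: ubuntu-22.04
  driver_config:
    # This platform exists to exercise the "Ubuntu >= 22.04" branch of
    # tasks/apt_install.yml (python3-apt dependencies). It previously pulled
    # ubuntu:20.04, so that branch was never actually tested.
    image: ubuntu:22.04
    docker_platform: linux/amd64
    run_command: /sbin/init
    cap_add:
      - SYS_ADMIN
    run_options:
      env: container=docker
      volume:
        - /sys/fs/cgroup:/sys/fs/cgroup
    provision_command:
      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
      - systemctl enable ssh.service
suites:
- name: default
- name: custom
  provisioner:
    extra_vars:
      threatstack_agent_config_args: "--set log.maxSize 22"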