From 0aa6d5d998d83361c5979ec2c38e6a205e937c79 Mon Sep 17 00:00:00 2001 From: David Siemienas Date: Sun, 15 Dec 2024 22:51:02 +0000 Subject: [PATCH] Working? --- docker-compose.yml | 2 +- src/data/vars/important_ips.yml | 2 +- src/data/vars/service_map.yml | 1 + src/playbooks/palo-gather.yml | 35 ++++++++++++++++ src/playbooks/palo-init.yml | 14 ++++++- src/playbooks/palo-os-update.yml | 69 ++++++++++++++++++++++++++++++++ src/playbooks/palo-update.yml | 36 +++++++++++++++++ src/scripts/init.sh | 3 ++ 8 files changed, 158 insertions(+), 4 deletions(-) create mode 100644 src/playbooks/palo-gather.yml create mode 100644 src/playbooks/palo-os-update.yml create mode 100644 src/playbooks/palo-update.yml create mode 100644 src/scripts/init.sh diff --git a/docker-compose.yml b/docker-compose.yml index bf60713..a51ffee 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,6 @@ services: ansible: - image: ansible + image: ghcr.io/dsiemienas03/ccdc-ansible:latest user: 1001:1001 volumes: - data:/home/ansible/data diff --git a/src/data/vars/important_ips.yml b/src/data/vars/important_ips.yml index d116013..ac1e423 100644 --- a/src/data/vars/important_ips.yml +++ b/src/data/vars/important_ips.yml @@ -16,5 +16,5 @@ wazuh_protocol: TCP # Remote IPS # remote_ip: 172.16.1. -remote_net: +remote_net: - 172.16.1.0/24 diff --git a/src/data/vars/service_map.yml b/src/data/vars/service_map.yml index bbc59ee..4edfcaa 100644 --- a/src/data/vars/service_map.yml +++ b/src/data/vars/service_map.yml @@ -64,3 +64,4 @@ wrccdc_fw: fw_block: - esx - dc + - db diff --git a/src/playbooks/palo-gather.yml b/src/playbooks/palo-gather.yml new file mode 100644 index 0000000..d7ee0f9 --- /dev/null +++ b/src/playbooks/palo-gather.yml 
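Review bot: The new `image: ghcr.io/dsiemienas03/ccdc-ansible:latest` swaps the previous unqualified `ansible` image for a floating tag on a public registry, so every pull can silently change the tooling that runs these playbooks with the firewall API key. Pin the image to an immutable reference, e.g. `image: ghcr.io/dsiemienas03/ccdc-ansible:<tag>@sha256:<digest>` (placeholder values), and bump it deliberately when a new build is published. That the old image was built locally is inferred from its missing registry prefix; any `build:` stanza is outside this hunk.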
@@ -0,0 +1,35 @@ +--- +- name: Palo initial config + hosts: palo + connection: local + gather_facts: true + # ignore_errors: true + roles: + - dsu.ccdc.palo + vars: + provider: + ip_address: "{{ inventory_hostname }}" + api_key: "{{ api_key }}" + + tasks: + - name: Include role + ansible.builtin.include_role: + name: dsu.ccdc.palo + vars_from: main.yml + # - name: Show Facts + # ansible.builtin.debug: + # var: "{{update_os}}, {{logging}}" + + - name: Load vars + ansible.builtin.include_vars: + dir: /home/ansible/data/vars/ + + - name: Gather info + paloaltonetworks.panos.panos_facts: + provider: "{{ provider }}" + gather_subset: vsys + register: info + + - name: Print info + ansible.builtin.debug: + var: info diff --git a/src/playbooks/palo-init.yml b/src/playbooks/palo-init.yml index d1ffd75..e2ddeac 100644 --- a/src/playbooks/palo-init.yml +++ b/src/playbooks/palo-init.yml @@ -5,6 +5,7 @@ # ignore_errors: true roles: - dsu.ccdc.palo + gather_facts: true vars: provider: ip_address: "{{ inventory_hostname }}" @@ -12,11 +13,11 @@ # palo_config_initial_interface: true # palo_config_initial_zones: true - # palo_config_initial_rules: true + palo_config_initial_rules: true # palo_config_logging: true # palo_config_initial_groups: true # palo_update_other: false - # palo_update_os: false + # palo_update_os: true tasks: - name: Include role @@ -70,11 +71,20 @@ dns_server_primary: "{{ local_dns }}" dns_server_secondary: "{{ white_dns }}" ntp_server_primary: "{{ white_ntp }}" + ntp_server_secondary: "time.cloudflare.com" + when: palo_config_initial_interface # Updates + - name: Update content + ansible.builtin.import_role: + name: dsu.ccdc.palo + tasks_from: content_update + when: palo_update_os + - name: Palo OS Update ansible.builtin.import_role: name: dsu.ccdc.palo + # tasks_from: os_update tasks_from: os_update vars_from: main when: palo_update_os diff --git a/src/playbooks/palo-os-update.yml b/src/playbooks/palo-os-update.yml new file mode 100644 index 0000000..5107c55 
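Review bot: `gather_facts: true` together with `connection: local` runs the setup module on the control node, so the facts collected at the top of this play describe the Ansible container, not the firewall; the PAN-OS data only arrives from `panos_facts` two tasks later, so `gather_facts: false` (or dropping the line) avoids a misleading fact set, and the same line is added to palo-init.yml in this commit, which presumably shares the local connection. The play also applies `dsu.ccdc.palo` through `roles:` and then again through `include_role` with `vars_from: main.yml`; if the role has a tasks/main.yml it executes twice per host (palo-update.yml repeats the pattern), and loading only the role's variables is better expressed with `vars_files:` pointing at the role's vars file. `name: Palo initial config` is copied from palo-init.yml and reused in palo-os-update.yml and palo-update.yml; naming each play after what it does, e.g. `- name: Gather PAN-OS facts`, keeps run output distinguishable.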
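Review bot: The new `when: palo_config_initial_interface` and `when: palo_update_os` conditions reference variables that the play's own vars leave commented out (the second hunk keeps `# palo_config_initial_interface: true` and `# palo_update_os: true`), so unless the role's defaults define them the play stops with an undefined-variable error at these tasks. Either uncomment the variables with explicit values or make the conditions tolerate absence, e.g. `when: palo_config_initial_interface | default(false)`. The duplicated `# tasks_from: os_update` comment directly above the live `tasks_from: os_update` is leftover and should be removed. The enclosing task list continues outside the hunk.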
--- /dev/null +++ b/src/playbooks/palo-os-update.yml @@ -0,0 +1,69 @@ +--- +- name: Palo initial config + hosts: palo + connection: local + # ignore_errors: true + roles: + - dsu.ccdc.palo + vars: + provider: + ip_address: "{{ inventory_hostname }}" + api_key: "{{ api_key }}" + + tasks: + - name: PAN-OS_update + ansible.builtin.debug: + msg: "{{ palo_panos_version }}" + + - name: Download PAN-OS update + paloaltonetworks.panos.panos_software: + provider: "{{ provider }}" + version: "{{ palo_panos_version }}" + install: true + restart: true + register: install_result + + - name: Notify Reboot Handler + ansible.builtin.command: echo "Wait for Device Reboot" + notify: reboot + changed_when: false + + - name: Pause for Restart Checks + ansible.builtin.pause: + seconds: 10 + + - name: Wait for Online Handler + ansible.builtin.meta: flush_handlers + + - name: Set os_update as done + ansible.builtin.set_fact: + palo_update_os: false + cacheable: true + when: palo_update_os + + handlers: + - name: Wait for System Information + paloaltonetworks.panos.panos_op: + provider: "{{ provider }}" + device_group: "{{ device_group if device_group is defined else omit }}" + cmd: show system info + register: system_info + until: system_info is not failed + retries: 100 + delay: 10 + listen: reboot + + - name: Update System Info + ansible.builtin.set_fact: + system_info_json: "{{ system_info.stdout | from_json }}" + listen: reboot + + - name: Update Software Version + ansible.builtin.set_fact: + sw_version: "{{ system_info_json.response.result.system['sw-version'] }}" + listen: reboot + + - name: Display Current Software version + ansible.builtin.debug: + msg: "Current software version is: {{ sw_version }}" + listen: reboot diff --git a/src/playbooks/palo-update.yml b/src/playbooks/palo-update.yml new file mode 100644 index 0000000..658a5f8 --- /dev/null +++ b/src/playbooks/palo-update.yml 
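Review bot: The reboot wait never runs: handlers are only notified by a task that reports changed, and `Notify Reboot Handler` sets `changed_when: false`, so `notify: reboot` is discarded, `meta: flush_handlers` has nothing to flush, and `sw_version` is never set. Tie the notification to the install result instead, `changed_when: install_result is changed`, or drop the `command: echo` placeholder and turn `Wait for System Information` into an ordinary task with `when: install_result is changed` directly after `panos_software`. `Set os_update as done` also carries `when: palo_update_os`, a variable this play never defines in its `vars:`, so it errors unless the role defaults supply it (the role is outside the diff).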
@@ -0,0 +1,36 @@ +--- +- name: Palo initial config + hosts: palo + connection: local + # ignore_errors: true + roles: + - dsu.ccdc.palo + vars: + provider: + ip_address: "{{ inventory_hostname }}" + api_key: "{{ api_key }}" + + tasks: + - name: Include role + ansible.builtin.include_role: + name: dsu.ccdc.palo + vars_from: main + + - name: Load vars + ansible.builtin.include_vars: + dir: /home/ansible/data/vars/ + + - name: Palo update content + ansible.builtin.import_role: + name: dsu.ccdc.palo + tasks_from: content_update + + - name: Palo update wildfire + ansible.builtin.import_role: + name: dsu.ccdc.palo + tasks_from: wildfire_update + + - name: Palo update AV + ansible.builtin.import_role: + name: dsu.ccdc.palo + tasks_from: av_update diff --git a/src/scripts/init.sh b/src/scripts/init.sh new file mode 100644 index 0000000..42ed99b --- /dev/null +++ b/src/scripts/init.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -q -N "" +cat ~/.ssh/id_rsa.pub \ No newline at end of file
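Review bot: `ssh-keygen -f ~/.ssh/id_rsa` fails when `~/.ssh` does not exist yet and, on a second run, stops at the overwrite prompt (without a terminal it exits non-zero), after which `cat ~/.ssh/id_rsa.pub` prints whatever was there before; nothing notices either outcome because the script has no `set -e`. Create the directory with restrictive permissions and skip generation when a key already exists, as below; the file is also missing its trailing newline. The empty passphrase (`-N ""`) is reasonable for an unattended container but deserves a comment saying so.
```shell
#!/usr/bin/env bash
set -euo pipefail

key="$HOME/.ssh/id_rsa"
mkdir -p "$HOME/.ssh"
chmod 700 "$HOME/.ssh"

# Generate once; the empty passphrase is intentional for unattended use.
if [ ! -f "$key" ]; then
  ssh-keygen -t rsa -b 4096 -f "$key" -q -N ""
fi
cat "$key.pub"
```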