diff --git a/README.md b/README.md index 217c411..047f2db 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ Ansible variables from `defaults/main.yml` download: true config_path: /etc/auditbeat install_rules: true - rule_file: auditd-attack.conf + rule_file: auditd-attack.conf auditbeat_output: type: "elasticsearch" @@ -66,7 +66,7 @@ Ansible variables from `defaults/main.yml` - add_docker_metadata: ~ auditbeat_portage: package: =auditbeat-{{ auditbeat_service.version }} - getbinpkg: no + getbinpkgonly: true The `auditbeat_service.install_rules` can be changed to false if you don't want to use the rules included. diff --git a/defaults/main.yml b/defaults/main.yml index 97acb49..f170256 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,7 @@ auditbeat_service: download: true config_path: /etc/auditbeat install_rules: true - rule_file: auditd-attack.conf + rule_file: auditd-attack.conf auditbeat_output: type: "elasticsearch" @@ -23,4 +23,3 @@ auditbeat_processors: | auditbeat_portage: package: =auditbeat-{{ auditbeat_service.version }} - getbinpkg: no diff --git a/tasks/Debian.yml b/tasks/Debian.yml index f063ab7..818213d 100644 --- a/tasks/Debian.yml +++ b/tasks/Debian.yml 
@@ -19,3 +19,31 @@ update_cache: yes state: present tags: install + +- name: (Debian/Ubuntu) Get installed auditbeat version + command: dpkg-query --showformat='${Version}' --show auditbeat + register: installed_ab_version + failed_when: False + changed_when: False + check_mode: no + tags: install + +- name: (Debian/Ubuntu) Allow auditbeat to be upgraded + ansible.builtin.dpkg_selections: + name: auditbeat + selection: install + when: + installed_ab_version.stdout and installed_ab_version.stdout != auditbeat_service.version + tags: install + +- name: (Debian/Ubuntu) Install auditbeat apt + apt: + name: auditbeat={{ auditbeat_service.version }} + state: present + tags: install + +- name: (Debian/Ubuntu) Prevent auditbeat from being upgraded + ansible.builtin.dpkg_selections: + name: auditbeat + selection: hold + tags: install diff --git a/tasks/Gentoo.yml b/tasks/Gentoo.yml new file mode 100644 index 0000000..81cb7b2 --- /dev/null +++ b/tasks/Gentoo.yml @@ -0,0 +1,16 @@ +--- +- name: (Gentoo) Stop auditd + ansible.builtin.service: + name: auditd + state: stopped + enabled: false + when: + - ansible_facts.services['auditd'] is defined + tags: install + +- name: (Gentoo) Install auditbeat portage + community.general.portage: + package: "{{ auditbeat_portage.package }}" + getbinpkg: "{{ auditbeat_portage.getbinpkg|default(omit) }}" + getbinpkgonly: "{{ auditbeat_portage.getbinpkgonly|default(omit) }}" + tags: install diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index f101ef2..2c81bc4 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -1,4 +1,10 @@ --- +- name: (REHL/CentOS) Install dependencies + yum: + name: yum-plugin-versionlock + state: present + update_cache: yes + - name: (REHL/CentOS) Add Elasticsearch 7.X repository yum_repository: name: "elastic-7.x" 
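Review bot: The new Debian tasks mix short module names (`command:`, `apt:`) with the FQCN `ansible.builtin.dpkg_selections`, and the dpkg-query step uses the YAML 1.1 truthy spellings `check_mode: no` and `failed_when: False` while the rest of the commit writes `true`/`false`; I would write `ansible.builtin.command:`, `ansible.builtin.apt:`, `check_mode: false` and `failed_when: false` so a reader (and yamllint's truthy rule) sees one convention. The `when:` on "Allow auditbeat to be upgraded" compares the raw dpkg `${Version}` string with `auditbeat_service.version`; if the installed package ever carries an epoch or a Debian revision the strings will never be equal, which is harmless here (the hold is re-applied two tasks later) but worth a comment such as `# Version strings compared verbatim; an epoch/revision suffix only causes a spurious unhold/hold cycle`. The `update_cache`/`state`/`tags` context lines at the top belong to a task whose start lies outside the hunk.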
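Review bot: "(Gentoo) Stop auditd" is guarded by `ansible_facts.services['auditd'] is defined`, but in this same commit tasks/main.yml only runs `service_facts` inside the "(Linux) Linux only tasks" block, which comes after the `Gentoo.yml` import; on a run without previously gathered service facts the condition is undefined/false, the task is skipped, and auditd stays running (and enabled) alongside the newly installed auditbeat. Since this file is the only place that stops auditd on Gentoo (main.yml now excludes Gentoo from its own stop task), add a facts step before it: `- name: (Gentoo) Collect service facts` / `  ansible.builtin.service_facts:`. Separately, README.md now documents `getbinpkgonly: true` under `auditbeat_portage` while defaults/main.yml only drops `getbinpkg` and adds nothing, so the documented default does not match the shipped one; the `default(omit)` filters here make that a documentation problem rather than a runtime one.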
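Review bot: The new "(REHL/CentOS) Install dependencies" task has no `tags:` while every other task in this file, including the `yum versionlock` shell tasks that depend on the plugin, is tagged `install`; a `--tags install` run therefore skips installing `yum-plugin-versionlock` and the later lock tasks fail on a host that does not already have it. Add `tags: install` to this task (and, for consistency with the rest of the commit, write `update_cache: true` rather than `yes`). The "Add Elasticsearch 7.X repository" task that follows continues outside the hunk.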
@@ -8,3 +14,28 @@ state: present notify: yum-clean-metadata tags: install + +- name: (REHL/CentOS) Check if requested auditbeat release lock exists + shell: 'yum versionlock list | grep auditbeat | grep -c "{{ auditbeat_service.version }}"' + register: auditbeat_requested_release_locked + args: + warn: false + failed_when: False + changed_when: False + check_mode: False + tags: install + +- name: (REHL/CentOS) Lock auditbeat release + shell: yum versionlock delete 0:auditbeat* ; yum versionlock add auditbeat-{{ auditbeat_service.version }} + args: + warn: false + tags: install + when: + - auditbeat_requested_release_locked is defined + - auditbeat_requested_release_locked.stdout|int == 0 + +- name: (REHL/CentOS) Install auditbeat yum + yum: + name: auditbeat-{{ auditbeat_service.version }} + state: present + tags: install diff --git a/tasks/main.yml b/tasks/main.yml index 0af6a35..fb503fb 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
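Review bot: Both new shell tasks pass `args: warn: false`; the `warn` option of `command`/`shell` was deprecated and has since been removed from ansible-core, so on a current release these tasks fail with an unsupported-parameter error before the lock is ever checked — drop the two `args:`/`warn: false` pairs (the same `warn: False` survives as a new-side line in the re-indented tasks/main.yml hunk and should go too). The lock check uses `grep -c "{{ auditbeat_service.version }}"`, where each `.` in the version is a regex wildcard, so `grep -Fc` is the safer spelling; the `auditbeat_requested_release_locked is defined` condition is always true for a registered variable and can be removed. The `yum versionlock delete 0:auditbeat*` spelling presumably relies on the installed entries carrying a `0:` epoch prefix — worth confirming against `yum versionlock list` output on a target, or matching `*auditbeat*` instead.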
@@ -15,70 +15,57 @@ - import_tasks: "Debian.yml" when: ansible_os_family == "Debian" -# Following plays are Linux only specific, all Windows plays are in Windows32bit.yml and Windows64bit.yml -- name: (Linux) Collect service facts - service_facts: - when: - - ansible_os_family != "Windows" -#This is necessary, systemd won't allow auditd to be stopped and Ansible has bug when it doesn't use the service binary even if explicitly told -- name: (Linux) Stop auditd - command: - cmd: service auditd stop - warn: False - when: - - ansible_facts.services['auditd'] is defined - - ansible_os_family != "Windows" - tags: install +- import_tasks: "Gentoo.yml" + when: ansible_os_family == "Gentoo" -- name: (Linux) Remove auditd from starting on boot - command: - cmd: chkconfig auditd off - warn: False - when: - - ansible_facts.services['auditd'] is defined - - ansible_os_family != "Windows" - - ansible_os_family != "Gentoo" - tags: install +# Following plays are Linux only specific, all Windows plays are in Windows32bit.yml and Windows64bit.yml +- name: (Linux) Linux only tasks + block: + - name: (Linux) Collect service facts + service_facts: -- name: (Debian/Ubuntu) Install auditbeat apt - apt: - name: auditbeat={{ auditbeat_service.version }} - state: present - when: ansible_os_family == "Debian" - tags: install + # This is necessary, systemd won't allow auditd to be stopped and Ansible has bug when it doesn't use the service binary even if explicitly told + - name: (Linux) Stop auditd + command: + cmd: service auditd stop + warn: False + when: + - ansible_facts.services['auditd'] is defined + - ansible_os_family != "Gentoo" + tags: install -- name: (REHL/CentOS) Install auditbeat yum - yum: - name: auditbeat-{{ auditbeat_service.version }} - state: present - when: ansible_os_family == "RedHat" - tags: install + - name: (Linux) Remove auditd from starting on boot + command: + cmd: chkconfig auditd off + warn: False + when: + - ansible_facts.services['auditd'] is defined + - 
ansible_os_family != "Gentoo" + tags: install -# INFO: Based on where and how you generate your auditbeat portage package, you may need to change the package name -- name: (Gentoo) Install auditbeat portage - community.general.portage: - package: "{{ auditbeat_portage.package }}" - getbinpkg: "{{ auditbeat_portage.getbinpkg }}" - when: ansible_os_family == "Gentoo" - tags: install + - name: (Linux) Create auditbeat configuration file + template: + src: auditbeat.yml.j2 + dest: "{{ auditbeat_service.config_path }}/auditbeat.yml" + notify: restart-auditbeat + tags: configure -- name: (Linux) Create auditbeat configuration file - template: - src: auditbeat.yml.j2 - dest: "{{ auditbeat_service.config_path }}/auditbeat.yml" - when: ansible_os_family != "Windows" - notify: restart-auditbeat - tags: configure + - name: (Linux) Install auditing rules for auditbeat + copy: + src: files/{{ auditbeat_service.rule_file }} + dest: "{{ auditbeat_service.config_path }}/audit.rules.d/" + owner: root + group: root + mode: '0644' + tags: configure + when: + - auditbeat_service.install_rules + notify: restart-auditbeat -- name: (Linux) Install auditing rules for auditbeat - copy: - src: files/{{ auditbeat_service.rule_file }} - dest: "{{ auditbeat_service.config_path }}/audit.rules.d/" - owner: root - group: root - mode: '0644' - tags: configure + - name: (Linux) Start and enable auditbeat + ansible.builtin.service: + name: auditbeat + state: started + enabled: true when: - ansible_os_family != "Windows" - - auditbeat_service.install_rules - notify: restart-auditbeat
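Review bot: The new "(Linux) Start and enable auditbeat" task carries no `tags:` while every sibling in the block is tagged `install` or `configure`, so a tag-filtered run installs and configures auditbeat but never starts or enables it; give it `tags: [install, configure]` (or whichever of the two the role treats as the "make it run" phase). The untagged `service_facts` task inside the block has the same effect on the auditd stop/`chkconfig` tasks under `--tags install`, since their `ansible_facts.services['auditd'] is defined` guard is then never true — that guard predates this commit, but moving the tasks into a block is the moment to tag it. The re-indented `command:` tasks keep `warn: False`, which current ansible-core rejects as an unknown option; remove those lines here as well as in tasks/RedHat.yml.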