Implement package version locking on Debian and RedHat.
Also refactored slightly, as tasks/main.yml would have become too big with too many `when` clauses.
gaima8 committed Jun 7, 2023
1 parent 434db56 commit 760e0fa
Showing 6 changed files with 124 additions and 63 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -51,7 +51,7 @@ Ansible variables from `defaults/main.yml`
download: true
config_path: /etc/auditbeat
install_rules: true
rule_file: auditd-attack.conf
rule_file: auditd-attack.conf

auditbeat_output:
type: "elasticsearch"
Expand All @@ -66,7 +66,7 @@ Ansible variables from `defaults/main.yml`
- add_docker_metadata: ~
auditbeat_portage:
package: =auditbeat-{{ auditbeat_service.version }}
getbinpkg: no
getbinpkgonly: true

The `auditbeat_service.install_rules` can be changed to false if you don't want to use the rules included.

3 changes: 1 addition & 2 deletions defaults/main.yml
Expand Up @@ -6,7 +6,7 @@ auditbeat_service:
download: true
config_path: /etc/auditbeat
install_rules: true
rule_file: auditd-attack.conf
rule_file: auditd-attack.conf

auditbeat_output:
type: "elasticsearch"
Expand All @@ -23,4 +23,3 @@ auditbeat_processors: |
auditbeat_portage:
package: =auditbeat-{{ auditbeat_service.version }}
getbinpkg: no
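Review bot: README.md in this same commit documents `getbinpkgonly: true` under the heading "Ansible variables from `defaults/main.yml`", but this hunk only deletes `getbinpkg: no` and, as far as the visible lines show, adds no `getbinpkgonly` key, so the README and the actual defaults now disagree. tasks/Gentoo.yml tolerates the missing key via `|default(omit)`, so nothing breaks, but a reader of the README will assume a default that is not set. Either add `getbinpkgonly: true` under `auditbeat_portage:` here or remove that line from the README example.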
28 changes: 28 additions & 0 deletions tasks/Debian.yml
Expand Up @@ -19,3 +19,31 @@
update_cache: yes
state: present
tags: install

- name: (Debian/Ubuntu) Get installed auditbeat version
command: dpkg-query --showformat='${Version}' --show auditbeat
register: installed_ab_version
failed_when: False
changed_when: False
check_mode: no
tags: install

- name: (Debian/Ubuntu) Allow auditbeat to be upgraded
ansible.builtin.dpkg_selections:
name: auditbeat
selection: install
when:
installed_ab_version.stdout and installed_ab_version.stdout != auditbeat_service.version
tags: install

- name: (Debian/Ubuntu) Install auditbeat apt
apt:
name: auditbeat={{ auditbeat_service.version }}
state: present
tags: install

- name: (Debian/Ubuntu) Prevent auditbeat from being upgraded
ansible.builtin.dpkg_selections:
name: auditbeat
selection: hold
tags: install
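Review bot: The unhold in `(Debian/Ubuntu) Allow auditbeat to be upgraded` runs before the pinned install and the hold is only re-applied by the final task, so if the `apt` task fails (for example the requested version is not in the repository) the package is left with selection `install` and a later unattended upgrade can move auditbeat off the pinned version, which defeats the lock this commit introduces. Wrapping the three tasks in a `block` whose `always:` re-applies `selection: hold` keeps the lock in place on every exit path; the rewritten structure is below. Separately, `dpkg-query --showformat='${Version}'` returns the full Debian version string, so if the package ever carries an epoch or revision suffix the `!=` comparison against `auditbeat_service.version` will be true on every run and the unhold will be reported as `changed` each time — harmless, but worth a comment such as `# assumes the installed version string has no epoch/revision, otherwise this always unholds`. The `apt` task whose `update_cache`/`state`/`tags` lines open the hunk starts outside it.
```yaml
- name: (Debian/Ubuntu) Pin auditbeat to the requested version
  block:
    - name: (Debian/Ubuntu) Allow auditbeat to be upgraded
      ansible.builtin.dpkg_selections:
        name: auditbeat
        selection: install
      when:
        installed_ab_version.stdout and installed_ab_version.stdout != auditbeat_service.version

    - name: (Debian/Ubuntu) Install auditbeat apt
      # … unchanged: apt module args …
  always:
    # re-hold even when the install fails, so the package never stays unlocked
    - name: (Debian/Ubuntu) Prevent auditbeat from being upgraded
      ansible.builtin.dpkg_selections:
        name: auditbeat
        selection: hold
  tags: install
```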
16 changes: 16 additions & 0 deletions tasks/Gentoo.yml
@@ -0,0 +1,16 @@
---
- name: (Gentoo) Stop auditd
ansible.builtin.service:
name: auditd
state: stopped
enabled: false
when:
- ansible_facts.services['auditd'] is defined
tags: install

- name: (Gentoo) Install auditbeat portage
community.general.portage:
package: "{{ auditbeat_portage.package }}"
getbinpkg: "{{ auditbeat_portage.getbinpkg|default(omit) }}"
getbinpkgonly: "{{ auditbeat_portage.getbinpkgonly|default(omit) }}"
tags: install
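Review bot: `(Gentoo) Stop auditd` is gated on `ansible_facts.services['auditd'] is defined`, but in the new tasks/main.yml the `import_tasks: "Gentoo.yml"` line comes before the `(Linux) Collect service facts` task inside the Linux block, so unless something earlier in main.yml (outside that hunk) gathers service facts, `ansible_facts.services` is not populated when this file runs, the condition does not hold and auditd is most likely left running while auditbeat is installed. Either move `service_facts:` ahead of the OS-family imports in main.yml or add a `service_facts:` task at the top of this file. The same ordering caveat applies to tasks/Debian.yml and tasks/RedHat.yml should they ever consult `ansible_facts.services`. A comment above the `when`, e.g. `# requires service_facts to have been gathered before this file is imported`, would make the dependency explicit.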
31 changes: 31 additions & 0 deletions tasks/RedHat.yml
@@ -1,4 +1,10 @@
---
- name: (REHL/CentOS) Install dependencies
yum:
name: yum-plugin-versionlock
state: present
update_cache: yes

- name: (REHL/CentOS) Add Elasticsearch 7.X repository
yum_repository:
name: "elastic-7.x"
Expand All @@ -8,3 +14,28 @@
state: present
notify: yum-clean-metadata
tags: install

- name: (REHL/CentOS) Check if requested auditbeat release lock exists
shell: 'yum versionlock list | grep auditbeat | grep -c "{{ auditbeat_service.version }}"'
register: auditbeat_requested_release_locked
args:
warn: false
failed_when: False
changed_when: False
check_mode: False
tags: install

- name: (REHL/CentOS) Lock auditbeat release
shell: yum versionlock delete 0:auditbeat* ; yum versionlock add auditbeat-{{ auditbeat_service.version }}
args:
warn: false
tags: install
when:
- auditbeat_requested_release_locked is defined
- auditbeat_requested_release_locked.stdout|int == 0

- name: (REHL/CentOS) Install auditbeat yum
yum:
name: auditbeat-{{ auditbeat_service.version }}
state: present
tags: install
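Review bot: `auditbeat_service.version` is interpolated straight into two `shell` pipelines (`grep -c "{{ ... }}"` in the check task and `yum versionlock add auditbeat-{{ ... }}` in the lock task) without the `quote` filter, so a value containing a double quote or shell metacharacters breaks out of the command, and because the value is also used as a `grep` pattern, `8.8.0` matches `8x8x0` and the count can be wrong; use `grep -Fc {{ auditbeat_service.version | quote }}` and `auditbeat-{{ auditbeat_service.version | quote }}`. The `0:auditbeat*` argument to `versionlock delete` is an unquoted shell glob and hard-codes epoch `0`, so a lock entry written with any other epoch survives the delete and the following add leaves two conflicting locks; quote it as `'0:auditbeat*'` or, better, replace both shell tasks with `community.general.yum_versionlock` (`state: absent` then `state: present`), which is idempotent and makes the separate `grep -c` check and `auditbeat_requested_release_locked` register unnecessary. `grep auditbeat` also counts any other locked package whose name contains that substring. Style: the new task names repeat the existing `(REHL/CentOS)` spelling; `(RHEL/CentOS)` is the correct acronym if the names are ever touched together.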
105 changes: 46 additions & 59 deletions tasks/main.yml
Expand Up @@ -15,70 +15,57 @@
- import_tasks: "Debian.yml"
when: ansible_os_family == "Debian"

# Following plays are Linux only specific, all Windows plays are in Windows32bit.yml and Windows64bit.yml
- name: (Linux) Collect service facts
service_facts:
when:
- ansible_os_family != "Windows"
#This is necessary, systemd won't allow auditd to be stopped and Ansible has bug when it doesn't use the service binary even if explicitly told
- name: (Linux) Stop auditd
command:
cmd: service auditd stop
warn: False
when:
- ansible_facts.services['auditd'] is defined
- ansible_os_family != "Windows"
tags: install
- import_tasks: "Gentoo.yml"
when: ansible_os_family == "Gentoo"

- name: (Linux) Remove auditd from starting on boot
command:
cmd: chkconfig auditd off
warn: False
when:
- ansible_facts.services['auditd'] is defined
- ansible_os_family != "Windows"
- ansible_os_family != "Gentoo"
tags: install
# Following plays are Linux only specific, all Windows plays are in Windows32bit.yml and Windows64bit.yml
- name: (Linux) Linux only tasks
block:
- name: (Linux) Collect service facts
service_facts:

- name: (Debian/Ubuntu) Install auditbeat apt
apt:
name: auditbeat={{ auditbeat_service.version }}
state: present
when: ansible_os_family == "Debian"
tags: install
# This is necessary, systemd won't allow auditd to be stopped and Ansible has bug when it doesn't use the service binary even if explicitly told
- name: (Linux) Stop auditd
command:
cmd: service auditd stop
warn: False
when:
- ansible_facts.services['auditd'] is defined
- ansible_os_family != "Gentoo"
tags: install

- name: (REHL/CentOS) Install auditbeat yum
yum:
name: auditbeat-{{ auditbeat_service.version }}
state: present
when: ansible_os_family == "RedHat"
tags: install
- name: (Linux) Remove auditd from starting on boot
command:
cmd: chkconfig auditd off
warn: False
when:
- ansible_facts.services['auditd'] is defined
- ansible_os_family != "Gentoo"
tags: install

# INFO: Based on where and how you generate your auditbeat portage package, you may need to change the package name
- name: (Gentoo) Install auditbeat portage
community.general.portage:
package: "{{ auditbeat_portage.package }}"
getbinpkg: "{{ auditbeat_portage.getbinpkg }}"
when: ansible_os_family == "Gentoo"
tags: install
- name: (Linux) Create auditbeat configuration file
template:
src: auditbeat.yml.j2
dest: "{{ auditbeat_service.config_path }}/auditbeat.yml"
notify: restart-auditbeat
tags: configure

- name: (Linux) Create auditbeat configuration file
template:
src: auditbeat.yml.j2
dest: "{{ auditbeat_service.config_path }}/auditbeat.yml"
when: ansible_os_family != "Windows"
notify: restart-auditbeat
tags: configure
- name: (Linux) Install auditing rules for auditbeat
copy:
src: files/{{ auditbeat_service.rule_file }}
dest: "{{ auditbeat_service.config_path }}/audit.rules.d/"
owner: root
group: root
mode: '0644'
tags: configure
when:
- auditbeat_service.install_rules
notify: restart-auditbeat

- name: (Linux) Install auditing rules for auditbeat
copy:
src: files/{{ auditbeat_service.rule_file }}
dest: "{{ auditbeat_service.config_path }}/audit.rules.d/"
owner: root
group: root
mode: '0644'
tags: configure
- name: (Linux) Start and enable auditbeat
ansible.builtin.service:
name: auditbeat
state: started
enabled: true
when:
- ansible_os_family != "Windows"
- auditbeat_service.install_rules
notify: restart-auditbeat
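Review bot: The new `(Linux) Linux only tasks` block carries no visible `when: ansible_os_family != "Windows"`, while every task it absorbs (`Stop auditd`, `Remove auditd from starting on boot`, `Create auditbeat configuration file`, `Install auditing rules`) previously had that guard and drops it in the new side, so unless the block's `when` sits below the hunk the whole block now also runs on Windows hosts, where `service auditd stop` and the template to `/etc/auditbeat` would fail. If no block-level guard exists, add `when: ansible_os_family != "Windows"` as a sibling of `block:` on the `(Linux) Linux only tasks` task. The `(Linux) Start and enable auditbeat` task at the end of the hunk also shows no `tags:` and no `when:`, unlike its siblings; confirm that is intended. The block continues past the end of the hunk.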

0 comments on commit 760e0fa
