Migrate from old repository
This commit is contained in:
commit
a2cb24af99
|
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
cs_collections_list: []
|
||||
cs_scenarios_list: []
|
||||
cs_parsers_list: []
|
||||
cs_postoverflows_list: []
|
||||
|
||||
cs_ban_duration: "4h"
|
||||
|
||||
cs_prometheus_enabled: false
|
||||
|
||||
cs_parsers_mywhitelists_ip: []
|
||||
cs_parsers_mywhitelists_cidr: []
|
||||
|
||||
cs_trusted_ips:
|
||||
- 127.0.0.1
|
||||
- ::1
|
||||
|
||||
cs_receiver_emails: []
|
||||
|
||||
version: latest
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
|
||||
dependencies: []
|
||||
|
||||
galaxy_info:
|
||||
role_name: crowdsec
|
||||
author: 'Pierre-Olivier Mercier <nemunaire+iac@nemunai.re>'
|
||||
description: Installs and configure crowdsec through Docker
|
||||
license: GPL-3.0-or-later
|
||||
min_ansible_version: 2.9
|
||||
platforms:
|
||||
- name: Alpine
|
||||
versions:
|
||||
- all
|
||||
- name: Debian
|
||||
versions:
|
||||
- all
|
||||
galaxy_tags: []
|
||||
|
|
@ -0,0 +1,57 @@
|
|||
---
|
||||
- name: Ensure crowdsec directory exists
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
loop:
|
||||
- /etc/crowdsec/notifications
|
||||
- /etc/crowdsec/parsers/s02-enrich
|
||||
|
||||
- name: configure crowdsec
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "/etc/crowdsec/{{ item.dest }}"
|
||||
register: crowdsecconfig
|
||||
loop:
|
||||
- {src: "config.yaml.j2", dest: "config.yaml" }
|
||||
- {src: "profiles.yaml.j2", dest: "profiles.yaml" }
|
||||
- {src: "email.yaml.j2", dest: "notifications/email.yaml" }
|
||||
- {src: "mywhitelists.yaml.j2", dest: "parsers/s02-enrich/mywhitelists.yaml" }
|
||||
|
||||
- name: "stop crowdsec container to reload config"
|
||||
docker_container:
|
||||
name: "{{ instance_name }}"
|
||||
state: stopped
|
||||
when: crowdsecconfig is changed
|
||||
ignore_errors: yes
|
||||
|
||||
- name: "launch {{ instance_name }} container"
|
||||
docker_container:
|
||||
name: "{{ instance_name }}"
|
||||
image: "crowdsecurity/crowdsec:{{ version }}"
|
||||
pull: true
|
||||
state: started
|
||||
restart_policy: unless-stopped
|
||||
memory: 2G
|
||||
volumes:
|
||||
- /etc/crowdsec:/etc/crowdsec
|
||||
- /var/lib/crowdsec:/var/lib/crowdsec/data
|
||||
- /var/log/:/logs:ro
|
||||
mounts:
|
||||
- target: /tmp
|
||||
type: tmpfs
|
||||
tmpfs_mode: 1777
|
||||
tmpfs_size: 512M
|
||||
env:
|
||||
COLLECTIONS: "{{ cs_collections_list | join(' ') }}"
|
||||
SCENARIOS: "{% if cs_scenarios_list is defined %}{{ cs_scenarios_list | join(' ') }}{% endif %}"
|
||||
PARSERS: "{% if cs_parsers_list is defined %}{{ cs_parsers_list | join(' ') }}{% endif %}"
|
||||
POSTOVERFLOWS: "{% if cs_postoverflows_list is defined %}{{ cs_postoverflows_list | join(' ') }}{% endif %}"
|
||||
published_ports:
|
||||
- "{{ prometheus_endpoint }}:6060"
|
||||
- "{{ endpoint }}:8080"
|
||||
log_driver: syslog
|
||||
log_options:
|
||||
syslog-address: unixgram:///dev/log
|
||||
syslog-facility: daemon
|
||||
tag: "{{ instance_name }}"
|
||||
|
|
@ -0,0 +1,60 @@
|
|||
common:
|
||||
daemonize: false
|
||||
pid_dir: /var/run/
|
||||
log_media: stdout
|
||||
log_level: info
|
||||
log_dir: /logs/
|
||||
working_dir: .
|
||||
config_paths:
|
||||
config_dir: /etc/crowdsec/
|
||||
data_dir: /var/lib/crowdsec/data/
|
||||
simulation_path: /etc/crowdsec/simulation.yaml
|
||||
hub_dir: /etc/crowdsec/hub/
|
||||
index_path: /etc/crowdsec/hub/.index.json
|
||||
notification_dir: /etc/crowdsec/notifications/
|
||||
plugin_dir: /usr/local/lib/crowdsec/plugins/
|
||||
crowdsec_service:
|
||||
acquisition_path: /etc/crowdsec/acquis.yaml
|
||||
parser_routines: 1
|
||||
plugin_config:
|
||||
user: nobody
|
||||
group: nobody
|
||||
cscli:
|
||||
output: human
|
||||
db_config:
|
||||
log_level: info
|
||||
{% if database is defined %}
|
||||
type: mysql
|
||||
user: "{{ database.username }}"
|
||||
password: "{{ database.password }}"
|
||||
db_name: "{{ database.database }}"
|
||||
host: "{{ database.host }}"
|
||||
port: {{ database.port }}
|
||||
{% else %}
|
||||
type: sqlite
|
||||
db_path: /var/lib/crowdsec/data/crowdsec.db
|
||||
{% endif %}
|
||||
flush:
|
||||
max_items: 5000
|
||||
max_age: 7d
|
||||
api:
|
||||
client:
|
||||
insecure_skip_verify: false
|
||||
credentials_path: /etc/crowdsec/local_api_credentials.yaml
|
||||
server:
|
||||
log_level: info
|
||||
listen_uri: 0.0.0.0:8080
|
||||
profiles_path: /etc/crowdsec/profiles.yaml
|
||||
use_forwarded_for_headers: true
|
||||
trusted_ips: {{ cs_trusted_ips | to_json() }}# IP ranges, or IPs which can have admin API access
|
||||
online_client: # Central API credentials (to push signals and receive bad IPs)
|
||||
credentials_path: /etc/crowdsec/online_api_credentials.yaml
|
||||
#credentials_path: /etc/crowdsec/online_api_credentials.yaml
|
||||
# tls:
|
||||
# cert_file: /etc/crowdsec/ssl/cert.pem
|
||||
# key_file: /etc/crowdsec/ssl/key.pem
|
||||
prometheus:
|
||||
enabled: {{ cs_prometheus_enabled }}
|
||||
level: full
|
||||
listen_addr: 0.0.0.0
|
||||
listen_port: 6060
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
type: email # Don't change
|
||||
name: email_default # Must match the registered plugin in the profile
|
||||
|
||||
# One of "trace", "debug", "info", "warn", "error", "off"
|
||||
log_level: info
|
||||
|
||||
# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
|
||||
# group_threshold: # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
|
||||
# max_retry: # Number of attempts to relay messages to plugins in case of error
|
||||
timeout: 20s # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
|
||||
|
||||
#-------------------------
|
||||
# plugin-specific options
|
||||
|
||||
# The following template receives a list of models.Alert objects
|
||||
# The output goes in the email message body
|
||||
format: | {{ "
|
||||
{{range . -}}
|
||||
{{$alert := . -}}
|
||||
{{range .Decisions -}}
|
||||
<html><body><p><a href=https://www.whois.com/whois/{{.Value}}>{{.Value}}</a> will get <b>{{.Type}}</b> for next <b>{{.Duration}}</b> for triggering <b>{{.Scenario}}</b> on machine <b>{{$alert.MachineID}}</b>.</p> <p><a href=https://www.shodan.io/host/{{.Value}}>Shodan</a></p></body></html>
|
||||
{{end -}}
|
||||
{{end -}}" }}
|
||||
|
||||
smtp_host: "{{ email.host }}"
|
||||
smtp_username: "{{ email.username }}"
|
||||
smtp_password: "{{ email.password }}"
|
||||
smtp_port: {{ email.port }}
|
||||
auth_type: "{{ email.auth }}" # Valid choices are "none", "crammd5", "login", "plain"
|
||||
sender_name: "CrowdSec"
|
||||
sender_email: "{{ email.from }}"
|
||||
email_subject: "CrowdSec Notification"
|
||||
receiver_emails: {{ cs_receiver_emails | to_json() }}
|
||||
# - email1@gmail.com
|
||||
# - email2@gmail.com
|
||||
|
||||
encryption_type: "{{ email.starttls }}" # One of "ssltls", "none"
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
name: crowdsecurity/whitelists
|
||||
description: "Whitelist events from my ip addresses"
|
||||
whitelist:
|
||||
reason: "my ip ranges"
|
||||
ip:
|
||||
{{ cs_parsers_mywhitelists_ip }}
|
||||
cidr:
|
||||
{{ cs_parsers_mywhitelists_cidr }}
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
name: default_ip_remediation
|
||||
#debug: true
|
||||
filters:
|
||||
- Alert.Remediation == true && Alert.GetScope() == "Ip"
|
||||
decisions:
|
||||
- type: ban
|
||||
duration: {{ cs_ban_duration }}
|
||||
notifications:
|
||||
# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
|
||||
# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
|
||||
# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
|
||||
{% if len(cs_receiver_emails) > 0 %}
|
||||
- email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
|
||||
{% endif %}
|
||||
on_success: break
|
||||
Loading…
Reference in New Issue